General Information
Spacewalk is a centralized system update and config server.
Checklist
Spacecmd is the command line interface to Spacewalk.
Details here: Spacecmd
A Spacewalk registration script has been created to ease registration.
If you need to re-register a client for any reason, you need the “--force” option when executing rhnreg_ks.
spacecmd system_delete <SYSTEM>
sw_activation_key="1-my-system-key"
sw_server="my-spacewalk-server.local"
rhnreg_ks --force --serverUrl=https://${sw_server}/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=${sw_activation_key}
If you do not want to wait for the next automatic check in (via rhnsd or cron), you can force a group of systems to check in by running the “rhn_check” command locally on that system.
To loop through a group of systems and have them check in:
Example: Loop through the dev system group and have them check in
for NODE in $(spacecmd group_listsystems dev); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /usr/sbin/rhn_check"; done
rhnsd is a daemon that will run rhn_check every 240 mins (by default).
Configure: /etc/sysconfig/rhn/rhnsd
INTERVAL=240
Ensure it is enabled and started
systemctl enable rhnsd
systemctl start rhnsd
chkconfig rhnsd on
service rhnsd start
The alternative to using rhnsd (if you do not want a daemon running or desire more frequent check ins) is a cron job.
Configure: /etc/cron.d/spacewalk-checkin
# Do not e-mail root/anyone about this job
MAILTO=""
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
# Check in every 30 mins
*/30 * * * * root /usr/sbin/rhn_check
Optional: Disable rhnsd
systemctl disable rhnsd
systemctl stop rhnsd
chkconfig rhnsd off
service rhnsd stop
Another option for client communication is using the osad daemon (xmpp/jabber) on the client and osa-dispatcher on the server.
About Channels
In order to facilitate the same updates being applied to the Development, System Test, and the Production environments, it is necessary to clone the original Channels.
This creates a “snapshot in time” of the available packages/errata on the date of clone.
Note: This copies metadata of the Channel and does not duplicate repo packages
To Clone an entire Channel tree:
spacecmd softwarechannel_clonetree centos6_x86-64_base --prefix "ss-20151103_" --gpg-copy
spacecmd {SSM:0}> softwarechannel_clonetree
Source Channels:
centos6_x86-64_base
centos7_x86-64_base
Select source channel: centos6_x86-64_base
Prefix: ss-20151215_
Copy source channel GPG details? [y/N]: y
Original State (No Errata) [y/N]: N
As of 12/15/2015, CentOS does not generate an “updateinfo.xml” file in their repodata directories. This file is responsible for the package to errata mappings. (RHEL, Fedora, EPEL, and Oracle all do this)
For a workaround, use a script to scrape the CentOS mailing archive lists for the errata.
The “spacewalk-centos-errata” project is installed to:
MAILTO=""
00 01 * * * root /bin/bash /opt/spacewalk-centos-errata/errata-sync.sh > /opt/spacewalk-centos-errata/errata.log 2>&1
A system is automatically subscribed to the proper configuration channels when it is registered via its Activation Key.
To compare the centrally managed files to a system's local config files:
The various ways to download config files while on the client system.
Download all config files, from all subscribed config channels
rhncfg-client get
Download a specific managed config file
rhncfg-client get /etc/resolv.conf
Download all config files from a specific Config Channel ID
for FILE in $(rhncfg-client list | awk '/config-channel-id/ {print $3}'); do rhncfg-client get ${FILE}; done
To deploy configs from the server to a client.
List config channels a system is subscribed to
spacecmd system_listconfigchannels
List config files that a system is subscribed to
spacecmd system_listconfigfiles
Deploy all of those config files
spacecmd system_deployconfigfiles <SYSTEMS>
Some systems will need to have different config files than the centrally managed ones.
To create exceptions, or local managed overrides:
On the system's Details > Overview page:
Spacewalk server services.
We won't be using osa-dispatcher or jabberd services, so these can safely be disabled.
systemctl disable osa-dispatcher
systemctl disable jabberd
systemctl stop osa-dispatcher
systemctl stop jabberd
chkconfig osa-dispatcher off
chkconfig jabberd off
service osa-dispatcher stop
service jabberd stop
Remove osa and jabber from the main spacewalk-service script.
After removing osa-dispatcher and jabberd, the status output looks like this:
/usr/sbin/spacewalk-service status
postmaster (pid 29875) is running...
tomcat6 (pid 29992) is running... [ OK ]
httpd (pid 30115) is running...
rhn-search is running (30168).
cobblerd (pid 30204) is running...
RHN Taskomatic is running (30236).
The SSL certificates on the Spacewalk server are used for:
Before manipulating either client or CA cert
cp -R /root/ssl-build /root/ssl-build.bak
Client Certificate default locations:
Client Certificate Update Procedure
cp /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/
cp server.crt /root/ssl-build/my-spacewalk-server/
cp /etc/httpd/conf/ssl.key/server.key /root/ssl-build/my-spacewalk-server/
cp /etc/httpd/conf/ssl.csr/server.csr /root/ssl-build/my-spacewalk-server/
openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/my-spacewalk-server/server.crt
rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build
rpm -e rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-1.noarch
rpm -ivh /root/ssl-build/my-spacewalk-server/rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-2.noarch.rpm
spacewalk-service restart
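Before packaging the new certificate with rhn-ssl-tool, the openssl verify step above can be extended to also confirm that the private key matches the certificate and that the certificate is not about to expire. The script below is an added example, not part of the original page or the Spacewalk project; the function name cert_preflight, its exit codes and the 30-day default are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks for a replacement server certificate before
# it is packaged with rhn-ssl-tool. Function name and exit codes are illustrative.
# Usage: sh cert_preflight.sh CA_FILE CERT_FILE KEY_FILE [MIN_DAYS_VALID]

cert_preflight() {
    ca=$1; crt=$2; key=$3; min_days=${4:-30}

    for f in "$ca" "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # 1. Chain: the certificate must verify against the CA file clients trust.
    #    Match the ": OK" line instead of relying only on the exit status.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' || {
        echo "chain: $crt does not verify against $ca" >&2; return 3; }

    # 2. Key pair: the public key in the certificate must be the one derived
    #    from the private key, otherwise httpd cannot load the pair.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "key: $key does not match $crt" >&2; return 4
    fi

    # 3. Lifetime: -checkend exits non-zero if the cert expires within N seconds.
    openssl x509 -in "$crt" -noout -checkend "$((min_days * 86400))" >/dev/null || {
        echo "expiry: $crt expires within $min_days days" >&2; return 5; }

    echo "OK: $crt chains to $ca, matches $key, valid > $min_days days"
}

# Run only when paths are supplied, e.g. the ones used in the procedure above:
#   /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
#   /root/ssl-build/my-spacewalk-server/server.crt
#   /root/ssl-build/my-spacewalk-server/server.key
if [ "$#" -ge 3 ]; then
    cert_preflight "$@"
fi
```

A non-zero exit status identifies the failed check (2 missing file, 3 chain, 4 key mismatch, 5 expiry), so the script can gate the rhn-ssl-tool and rpm steps.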
CA Chain Certificate locations
Updating the CA certificate will not have to be done very often; only when:
WARNING
CA Certificate Update Procedure
cp RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/my-spacewalk-server/server.crt
rhn-ssl-tool --gen-ca --rpm-only --dir /root/ssl-build
cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/
cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm /var/www/html/pub/
rpm -ivh /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm
rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
spacewalk-service restart
rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm