Page history for linux_wiki:spacewalk: revision 2018/03/06 10:19 by billdozor, compared against revision 2019/05/25 23:50. The later revision is empty (the page content was removed); the 2018 content follows.
====== Spacewalk ======

**General Information**

Spacewalk is a centralized system update and config server.\\
  * Official Site: https://

**Checklist**
  * Distro(s): Enterprise Linux
  * Other: [[https://

----

====== Spacecmd ======

Spacecmd is the command line interface to Spacewalk.\\
Details here: [[https://

----
====== Register System with Spacewalk ======

A [[linux_wiki:

----
===== Re-Register =====

If you need to re-register a client for any reason, you need the "

  * Delete system from Spacewalk<
  * Register system with the --force option<code bash>
sw_activation_key="
sw_server="
rhnreg_ks --force --serverUrl=https://
</code>

----

====== Client Check Ins ======

  * rhnsd => By default, a system will run the rhnsd daemon.
    * This daemon checks into Spacewalk via rhn_check every 240 mins (4 hours). It is tunable down to a minimum of 60 mins (1 hour).
  * cron => An alternative is to create a cron job that runs rhn_check every 30 mins.
    * If you do this, you can disable rhnsd, as it provides no other functionality than to run "
  * osad => Using osad on the client and osa-dispatcher on the server (with a jabberd daemon as well) is also available.
    * **This setup is fragile and not recommended**.

If you do not want to wait for the next automatic check in (via rhnsd or cron), you can force a group of systems to check in by running the "
To loop through a group of systems and have them check in:

Example: Loop through the dev system group and have them check in
<code bash>
for NODE in $(spacecmd group_listsystems dev); do echo "
</code>

----

===== rhnsd config =====

rhnsd is a daemon that will run rhn_check every 240 mins (by default).

Configure: /
<code bash>
INTERVAL=240
</code>
  * Change INTERVAL to the desired check in time in minutes (minimum 60).

Ensure it is enabled and started
  * EL7<code bash>
systemctl start rhnsd</code>
  * EL6<code bash>
service rhnsd start</code>

----

===== rhn_check Cron Job =====

The alternative to using rhnsd (if you do not want a daemon running or want more frequent check ins) is a cron job.

Configure: /
<code bash>
# Do not e-mail root/anyone about this job
MAILTO=""

# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,
# |  |  |  |  |
# *  *  *  *  * user-name
# Check in every 30 mins
*/30 * * * * root /
</code>

Optional: Disable rhnsd
  * EL7<code bash>
systemctl stop rhnsd</code>
  * EL6<code bash>
service rhnsd stop</code>
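Added example (mine, not from this wiki page or the Spacewalk project): a wrapper to put behind the cron line above. A bare `*/30` entry makes every client in the fleet contact the Spacewalk server during the same two minutes of each hour; the wrapper delays each host by a fixed offset derived from its hostname, so the load is spread but each client keeps a stable slot, and it takes a lock so a slow check-in is never overlapped by the next run. The rhn_check path, lock file path and wrapper location are assumptions.

```bash
#!/bin/bash
# rhn_check cron wrapper (added example). Assumed locations:
RHN_CHECK=${RHN_CHECK:-/usr/sbin/rhn_check}         # assumption: rhn_check binary
LOCK_FILE=${LOCK_FILE:-/var/lock/rhn_check.lock}    # assumption: lock file

# splay_seconds HOST WINDOW -> a stable offset in [0, WINDOW) derived from HOST.
# cksum of the hostname is deterministic, so the same host always gets the
# same delay and different hosts are spread across the window.
splay_seconds() {
    local host=$1 window=$2 sum
    sum=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $(( sum % window ))
}

# run_checkin HOST WINDOW -> sleeps the host's splay, then runs rhn_check under
# a non-blocking flock. Returns 75 (EX_TEMPFAIL) if a previous run still holds
# the lock, so overlapping runs are skipped rather than queued.
run_checkin() {
    local host=$1 window=$2 delay
    delay=$(splay_seconds "$host" "$window")
    sleep "$delay"
    exec 9>"$LOCK_FILE"
    if ! flock -n 9; then
        echo "rhn_check already running, skipping this interval" >&2
        return 75
    fi
    "$RHN_CHECK"
}

if [ "${1:-}" = "--run" ]; then
    # Crontab line for a 30 minute period (wrapper path is an assumption):
    # */30 * * * * root /usr/local/sbin/rhn_check_wrapper --run
    # 1500 s keeps the largest splay (25 min) inside the 30 minute period.
    run_checkin "$(hostname -f 2>/dev/null || hostname)" 1500
fi
```

The window must be shorter than the cron period, otherwise a delayed run can collide with the next one; the lock is the backstop if that ever happens.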

----

===== osad =====

Another option for client communication is using the osad daemon (xmpp/

  * This type of setup is very fragile and needs constant babysitting.
  * The amount of administration overhead and how often it breaks is not worth the effort for faster execution of scheduled jobs.
  * **It is HIGHLY recommended to not go this route**; the rest of this documentation assumes rhnsd or the cron job with rhn_check.

----

====== Channel Management ======

About Channels
  * Systems are subscribed to "
  * Channel subscriptions can be changed at any time in the Spacewalk portal, across any number of systems.
  * Channels have Repositories assigned to them
    * This allows a single repo to back multiple channels

----

===== Channel Freezing/ =====

In order to facilitate the same updates being applied to the Development,
This creates a "
**Note: This copies metadata of the Channel and does not duplicate repo packages**

To Clone an entire Channel tree:
  * Login to a system with spacecmd installed
  * Clone the original base tree to a "

  * Clone can be performed with spacecmd in batch or interactive mode:
    * Batch Clone Example => Clone the CentOS 6 tree, giving it the prefix "
    * The above will clone the entire tree (base and child channels), give the shown prefix, copy gpg data, and copy errata data.
    * Interactive Clone Example<code>
Source Channels:
centos6_x86-64_base
centos7_x86-64_base

Select source channel: centos6_x86-64_base
Prefix: ss-20151215_

Copy source channel GPG details? [y/N]: y

Original State (No Errata) [y/N]: N</code>

----

===== Errata Setup =====

As of 12/15/2015, CentOS does not generate an "

For a workaround, use a script to scrape the CentOS mailing list archives for the errata.

  * GitHub project: https://
    * This is a bash based project that is a wrapper for the perl based project, making it easy to implement.
  * Original perl project'
  * Original perl project'

The "
  * Main Dir: /
    * com.redhat.rhsa-all.xml => File downloaded by the "
    * errata-import.pl => main perl script that does the work
    * errata.latest.xml => File downloaded by the "
    * **errata-sync.sh** => Configuration file and parent script that launches "
      * **Edit this file to make login credential changes or to include other channels for inclusion in errata scanning.**
      * Because it holds Spacewalk login credentials, keep it owned by and readable only by root.
    * install.sh => Downloads the latest "
  * Cron Job installed to:
    * /
00 01 * * * root /bin/bash /

----

====== Config Management ======

A system is automatically subscribed to the proper configuration channels when it is registered via its Activation Key.
  * Configuration is NOT pushed to the system automatically.
  * The config files can be deployed while on the client system or pushed to the client using the Spacewalk server portal or spacecmd.

----

===== Compare Configs =====

To compare the centrally managed files to a system'
  * Login to the Spacewalk Web Portal
  * Find the target system via one of these methods:
    * Searching in the top right
    * Browsing all systems by clicking "
    * Browsing system groups
  * Click the system's name
  * On the system's Overview page, click on the "
  * On the right under "
  * Click "
  * Refresh the Configuration Overview page or click on the system's "
  * On the system's Configuration > Overview page, at the bottom under "
  * Click the "View Details"
  * Under the Config Files list, click on the "

----

===== Download (Pull) Configs =====

The various ways to download config files while on the client system.

Download all config files, from all subscribed config channels
<code bash>
rhncfg-client get
</code>

Download a specific managed config file
<code bash>
rhncfg-client get /
</code>

Download all config files from a specific Config Channel
<code bash>
for FILE in $(rhncfg-client list | awk /
</code>
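The loop above is cut off on this page. As an added example (mine, not the page's own command), the following parses the `rhncfg-client list` output and pulls only the files that belong to one config channel, passing each path as its own argument instead of relying on an unquoted `$(...)` word split. The listing format (a `DoFoS` / `Config Channel` / `File` header followed by one row per managed path, where DoFoS is D for directory, F for file, S for symlink) is assumed from the tool's usual output, and the sample listing is constructed.

```bash
#!/bin/bash
# Pull the managed files of a single config channel (added example).

# files_in_channel CHANNEL [TYPES] <listing on stdin> -> paths in CHANNEL.
# TYPES is a set of DoFoS letters to keep (D directory, F file, S symlink);
# the default keeps all three. Reads the output of `rhncfg-client list`.
files_in_channel() {
    local channel=$1 types=${2:-DFS}
    awk -v ch="$channel" -v types="$types" '
        NR == 1 && $1 == "DoFoS" { next }            # skip the header row
        $2 == ch && index(types, $1) > 0 { print $3 }  # channel label is column 2
    '
}

# pull_channel CHANNEL: run `rhncfg-client get <path>` for each regular file
# in CHANNEL. Directories and symlinks are left to a plain `rhncfg-client get`.
pull_channel() {
    local channel=$1 path
    rhncfg-client list | files_in_channel "$channel" F | while IFS= read -r path; do
        rhncfg-client get "$path"
    done
}

# Constructed sample listing (not real output from any system) so the parser
# can be exercised offline.
SAMPLE_LISTING='DoFoS   Config Channel  File
F       base-config     /etc/ntp.conf
F       base-config     /etc/ssh/sshd_config
S       base-config     /etc/localtime
F       web-servers     /etc/httpd/conf/httpd.conf
D       web-servers     /var/www/html'

if [ "${1:-}" = "--pull" ] && [ -n "${2:-}" ]; then
    pull_channel "$2"     # usage: ./pull_channel.sh --pull base-config
fi
```

Paths containing whitespace would still break the column split in awk; managed config paths normally have none, but check the listing first if in doubt.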

----

===== Deploy (Push) Configs =====

To deploy configs from the server to a client.

==== Portal Deploy ====

  * Login to the Spacewalk Web Portal.
  * At the top, click on the "
  * Find the target system via one of these methods:
    * Searching in the top right
    * Browsing all systems by clicking "
    * Browsing system groups
  * Click the system's name
  * On the system's Overview page, click on the "
  * Click "
  * Check the config files to deploy, then click "
  * On the "

==== Spacecmd Deploy ====

List config channels a system is subscribed to
<code bash>
spacecmd system_listconfigchannels
</code>

List config files that a system is subscribed to
<code bash>
spacecmd system_listconfigfiles
</code>

Deploy all of those config files
<code bash>
spacecmd system_deployconfigfiles <
</code>
  * <
    * a single system name
    * multiple system names, space separated
    * "

----

===== Create a Local Managed File Override =====

Some systems will need to have different config files than the centrally managed ones.
\\

To create exceptions, or local managed overrides:
  * Login to the Spacewalk Web Portal.
  * Find the system (Systems tab at the top)
  * Click on the system name to go to its Overview page.

On the system'
  * Click the "
  * To the right of the File Name to override, click "
  * Click "
  * Check the file to override that exists on the system, click "
  * After the file has been successfully imported, click "
  * Check the file > click "Copy Latest to System Channel"
  * The file will now show up under "

----

====== Server Services ======

Spacewalk server services.

===== Removing osa/jabber =====

We won't be using the osa-dispatcher or jabberd services, so these can safely be disabled.
  * EL7<code bash>
systemctl disable jabberd
systemctl stop osa-dispatcher
systemctl stop jabberd</code>
  * EL6<code bash>
chkconfig jabberd off
service osa-dispatcher stop
service jabberd stop</code>

Remove osa and jabber from the main spacewalk-service script.
  * Edit the script: vim /
  * Find the variable "

----

===== Normal Status of Spacewalk Services =====

After removing osa-dispatcher and jabberd, the status output looks like this:
<code bash>
/

postmaster (pid 29875) is running...
tomcat6 (pid 29992) is running...
httpd (pid 30115) is running...
rhn-search is running (30168).
cobblerd (pid 30204) is running...
RHN Taskomatic is running (30236).
</code>

  * postmaster => Spacewalk Postgres Database
  * tomcat6 => Spacewalk application
  * httpd => Spacewalk portal website
  * rhn-search => Searching functionality within the portal
  * cobblerd => Provisioning capability
  * RHN Taskomatic => Scheduled jobs viewable in the Spacewalk portal

----

====== Spacewalk SSL Certificates ======

The SSL certificates on the Spacewalk server are used for:
  * Spacewalk Portal (Apache httpd server)

**Before manipulating either the client or the CA cert**
  * SSH to the Spacewalk server and switch to root
  * Backup the current ssl-build directory (if it exists already)
    * <code bash>cp -R /

----

===== Client Certificate =====

Client Certificate default locations:
  * /
  * /
  * /

Client Certificate Update Procedure
  * Order certificate renewal from certificate provider
  * Download certificate,
  * SSH to the Spacewalk server and switch to root
  * Copy the current CA cert in use to the ssl-build directory
    * <code bash>cp /
  * Copy the NEW client certificate into ssl-build/
    * <code bash>cp server.crt /
  * Copy the existing client key and CSR into ssl-build/
    * <code bash>cp /
cp /
  * Verify that the NEW client cert will work with the CA cert (and, since the existing key is reused, that it matches that key)
    * <code bash>
  * Generate the new client cert RPM
    * <code bash>
  * Remove old SSL key pair package
    * <code bash>rpm -e rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-1.noarch</code>
  * Install new SSL key pair package
    * <code bash>rpm -ivh /
  * Restart Spacewalk services
    * <code bash>

----

===== CA Certificate =====

CA Chain Certificate locations
  * RPM build location: /
  * Locally installed location: /
  * Publicly available for clients to download: /
  * Also packaged in: /

Updating the CA certificate will not have to be done very often; only when:
  * CA cert expires
  * You change certificate providers

**WARNING**
  * Updating the CA certificate on the Spacewalk server will break all communication between the server and the clients.
  * Each client will need to update to the new CA cert individually before communication can be restored.

CA Certificate Update Procedure
  * Download the new single .pem file containing all the certs from the certificate provider.
  * Copy the PEM file to the Spacewalk server
  * SSH to the Spacewalk server and switch to root
  * Cat/view the contents of the PEM file
    * The top BEGIN/END block is the client cert (server.crt)
    * The rest is the certificate chain
      * Copy this into a new file; "
  * Copy into ssl-build directory
    * <
  * Verify CA cert with the server cert
    * <code bash>
  * Generate CA chain RPM
    * <code bash>
  * Copy new CA chain cert and RPM into Spacewalk'
    * <code bash>cp /
cp ssl-build/
  * Install new CA chain cert on the Spacewalk server
    * <code bash>rpm -ivh /
  * Update the database
    * <code bash>
  * Restart the Spacewalk services
    * <code bash>
  * **Login to each client and update the CA chain**
    * <code bash>rpm -ivh https://
    * Each client will have no communication to the Spacewalk server until this is complete.
    * Until the new CA is installed, the client cannot validate the server's new chain, so confirm the downloaded CA chain's fingerprint against the one recorded on the server before installing it.

----