linux_wiki:spacewalk

Differences

This shows you the differences between two versions of the page.

linux_wiki:spacewalk [2015/12/21 23:05]
billdozor
linux_wiki:spacewalk [2019/05/25 23:50] (current)
Line 4: Line 4:
  
 Spacewalk is a centralized system update and config server.\\ Spacewalk is a centralized system update and config server.\\
-Official Site: https://fedorahosted.org/spacewalk+  * Official Site: https://github.com/spacewalkproject/spacewalk
  
 **Checklist** **Checklist**
-  * Spacewalk server installed+  * Distro(s): Enterprise Linux 
 +  * Other: [[https://github.com/spacewalkproject/spacewalk/wiki/HowToInstall|Spacewalk server]] setup
  
 ---- ----
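Review bot: the new checklist item "Distro(s): Enterprise Linux" names no versions, while the sections added later in this revision give separate EL6 and EL7 commands; name the covered releases here so readers know which command sets apply.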
Line 31: Line 32:
   * Register system with the --force option<code bash>   * Register system with the --force option<code bash>
 sw_activation_key="1-my-system-key" sw_activation_key="1-my-system-key"
-rhnreg_ks --force --serverUrl=https://my-spacewalk-server.local/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=${sw_activation_key}+sw_server="my-spacewalk-server.local" 
 +rhnreg_ks --force --serverUrl=https://${sw_server}/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=${sw_activation_key}
 </code> </code>
  
 ---- ----
  
-====== rhn_check ======+====== Client Check Ins ======
  
-By default, a system checks into Spacewalk via rhn_check every 4 hours. +  * rhnsd => By default, a system will run the rhnsd daemon. 
- +    * This daemon checks into Spacewalk via rhn_check every 240 mins (4 hours)It is tunable down to minimum of 60 mins (1 hour). 
-If systems are not picking up the scheduled action from the Spacewalk portal in timely manner with the osad (such as config deploy, package upgrade, etc), you can force a group of systems to check in by running the "rhn_checkcommand locally on that system.+  * cron => An alternative is to create cron job to execute every 30 mins and run rhn_check. 
 +    * If you do this, you can disable rhnsd, as it provides no other functionality than to run "run_check"
 +  * osad => Using osad on the client and osa-dispatcher on the server (with a jabberd daemon as well) is also available. 
 +    * **This setup is fragile and not recommended**.
  
 +If you do not want to wait for the next automatic check in (via rhnsd or cron), you can force a group of systems to check in by running the "rhn_check" command locally on that system.\\
 To loop through a group of systems and have them check in: To loop through a group of systems and have them check in:
  
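Review bot: the added cron sub-bullet says rhnsd provides no other functionality than to run "run_check", but the command is rhn_check everywhere else on the page, including the next paragraph; correct the name so nobody searches for a binary that does not exist.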
Line 48: Line 54:
 for NODE in $(spacecmd group_listsystems dev); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /usr/sbin/rhn_check"; done for NODE in $(spacecmd group_listsystems dev); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /usr/sbin/rhn_check"; done
 </code> </code>
 +
 +----
 +
 +===== rhnsd config =====
 +
 +rhnsd is a daemon that will run rhn_check every 240 mins (by default).
 +
 +Configure: /etc/sysconfig/rhn/rhnsd
 +<code bash>
 +INTERVAL=240
 +</code>
 +  * Change INTERVAL time to check in time in minutes.
 +
 +Ensure it is enabled and started
 +  * EL7<code bash>systemctl enable rhnsd
 +systemctl start rhnsd</code>
 +  * EL6<code bash>chkconfig rhnsd on
 +service rhnsd start</code>
 +
 +----
 +
 +===== rhn_check Cron Job =====
 +
 +The alternative to using rhnsd (if you do not want a daemon running or desire more frequent check ins) is a cron job.
 +
 +Configure: /etc/cron.d/spacewalk-checkin
 +<code bash>
 +# Do not e-mail root/anyone about this job
 +MAILTO=""
 +
 +# .---------------- minute (0 - 59)
 +# |  .------------- hour (0 - 23)
 +# |  |  .---------- day of month (1 - 31)
 +# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
 +# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
 +# |  |  |  |  |
 +# *  *  *  *  * user-name  command to be executed
 +# Check in every 30 mins
 +*/30 * * * * root /usr/sbin/rhn_check
 +</code>
 +
 +Optional: Disable rhnsd
 +  * EL7<code bash>systemctl disable rhnsd
 +systemctl stop rhnsd</code>
 +  * EL6<code bash>chkconfig rhnsd off
 +service rhnsd stop</code>
 +
 +----
 +
 +===== osad =====
 +
 +Another option for client communication is using the osad daemon (xmpp/jabber) on the client and osa-dispatcher on the server.
 +
 +  * This type of setup is very fragile and needs constant babysitting.
 +  * The amount of administration overhead and how often it breaks is not worth the effort for faster execution of scheduled jobs.
 +  * **It is HIGHLY recommended to not go this route** and the rest of this documentation assumes rhnsd or the cron job with rhn_check.
  
 ---- ----
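Review bot: the new cron entry "*/30 * * * * root /usr/sbin/rhn_check" fires at minutes 0 and 30 on every client that installs this file, so the whole fleet contacts the Spacewalk server at the same moment; consider a per-host minute offset or a short random sleep before rhn_check. The rhnsd config section also shows only enable and start, so it should say how a changed INTERVAL takes effect on a daemon that is already running, and the "Optional: Disable rhnsd" step should state that leaving both mechanisms enabled produces duplicate check ins.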
Line 90: Line 152:
 ===== Errata Setup ===== ===== Errata Setup =====
  
-As of 12/15/2015, CentOS does not generate an "updateinfo.xml" file in their repodata directories. This file is responsible for the package to errata mappings. (RHEL, Fedora, EPEL, and supposedly Oracle all do this)+As of 12/15/2015, CentOS does not generate an "updateinfo.xml" file in their repodata directories. This file is responsible for the package to errata mappings. (RHEL, Fedora, EPEL, and Oracle all do this)
  
 For a workaround, use a script to scrape the CentOS mailing archive lists for the errata. For a workaround, use a script to scrape the CentOS mailing archive lists for the errata.
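Review bot: the sentence still opens with "As of 12/15/2015" although this revision is dated 2019/05/25 and changes the claim by dropping "supposedly" for Oracle; update the date to when the CentOS and Oracle statements were re-checked, or say which part was re-verified.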
Line 225: Line 287:
 ====== Server Services ====== ====== Server Services ======
  
-Normal Status of Spacewalk Services+Spacewalk server services. 
 + 
 +===== Removing osa/jabber ===== 
 + 
 +We won't be using osa-dispatcher or jabberd services, so these can safely be disabled. 
 +  * EL7<code bash>systemctl disable osa-dispatcher 
 +systemctl disable jabberd 
 +systemctl stop osa-dispatcher 
 +systemctl stop jabberd</code> 
 +  * EL6<code bash>chkconfig osa-dispatcher off 
 +chkconfig jabberd off 
 +service osa-dispatcher stop 
 +service jabberd stop</code> 
 + 
 +Remove osa and jabber from the main spacewalk-service script. 
 +  * Edit the script: vim /usr/sbin/spacewalk-service 
 +  * Find the variable "SERVICES=" and remove "osa-dispatcher" and "jabberd" 
 + 
 +---- 
 + 
 +===== Normal Status of Spacewalk Services ===== 
 + 
 +After removing osa-dispatcher and jabberd, the status output looks like this:
 <code bash> <code bash>
 /usr/sbin/spacewalk-service status /usr/sbin/spacewalk-service status
  
 postmaster (pid  29875) is running... postmaster (pid  29875) is running...
-router (pid 31614) is running... 
-sm (pid 31622) is running... 
-c2s (pid 31630) is running... 
-s2s (pid 31638) is running... 
 tomcat6 (pid 29992) is running...                          [  OK  ] tomcat6 (pid 29992) is running...                          [  OK  ]
 httpd (pid  30115) is running... httpd (pid  30115) is running...
-osa-dispatcher (pid  31659) is running... 
 rhn-search is running (30168). rhn-search is running (30168).
 cobblerd (pid 30204) is running... cobblerd (pid 30204) is running...
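Review bot: "Edit the script: vim /usr/sbin/spacewalk-service" modifies a file installed by the Spacewalk packages, so the SERVICES edit is lost when that package is updated and the next spacewalk-service start will try to bring osa-dispatcher and jabberd back; add a step to re-check SERVICES after upgrades and to confirm with spacewalk-service status that neither service is listed.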
Line 242: Line 321:
 </code> </code>
  
----- +  * postmaster => Spacewalk Postgres Database 
- +  * tomcat6 =Spacewalk application 
-===== osa-dispatcher dead but pid file exists ===== +  * httpd =Spacewalk portal website 
- +  rhn-search =Searching functionality within the portal 
-If osa-dispatcher shows the following: +  * cobblerd => Provisioning capability 
-<code bash+  * RHN Taskomatic =Scheduled jobs viewable in the Spacewalk portal
-/etc/init.d/osa-dispatcher status +
- +
-osa-dispatcher dead but pid file exists +
-</code+
- +
-And the following error messages are in its log file: +
-<code bash+
-tail /var/log/rhn/osa-dispatcher.log +
- +
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.__init__ +
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.setup_connection('Connected to jabber server', 'my-spacewalk-server.local'+
-2015/11/03 07:38:05 -05:00 30144 0.0.0.0: osad/jabber_lib.register('ERROR', 'Invalid password'+
-</code> +
- +
-Fix this by stopping jabberd and osa-dispatcher (osa-dispatcher will probably show "Failed"): +
-<code bash> +
-service jabberd stop +
-service osa-dispatcher stop +
-</code> +
- +
-Remove jabberd database files: +
-<code bash> +
-rm -rf /var/lib/jabberd/db/+
-</code> +
- +
-Start jabberd and osa-dispatcher +
-<code bash> +
-service jabberd start +
-service osa-dispatcher start +
-</code> +
- +
-Logs should now show the "Connected to jabber server" message: +
-<code bash> +
-tail /var/log/rhn/osa-dispatcher.log +
- +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.__init__ +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.setup_connection('Connected to jabber server', 'my-spacewalk-server.local'+
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/osa_dispatcher.fix_connection('Upstream notification server started on port', 1290) +
-2015/11/03 08:19:43 -05:00 31657 0.0.0.0: osad/jabber_lib.process_forever +
-</code> +
- +
-**Warning** +
-  * After recovering the jabberdb in this way, the osad clients on each system need to re-establish a connection. This is done by stopping the osad service on the clients, removing the osad-auth.conf file and starting osad again. +
-  * From a system that has spacecmd installed:<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code>+
  
 ---- ----
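Review bot: the whole "osa-dispatcher dead but pid file exists" recovery procedure is deleted, yet the Client Check Ins section added in this same revision still lists osad as an available option; anyone already running osad loses the documented fix for the 'Invalid password' error. Keep the procedure under the osad section marked as legacy, or link to the 2015/12/21 revision from there.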
Line 297: Line 332:
 ====== Spacewalk SSL Certificates ====== ====== Spacewalk SSL Certificates ======
  
-Updating the SSL Certificates on the Spacewalk server is more complex than just updating Apache, as the SSL certs are used for:+The SSL Certificates on the Spacewalk server is used for:
   * Spacewalk Portal (Apache httpd server)   * Spacewalk Portal (Apache httpd server)
-  * Jabber local daemon components communication 
-  * Jabber Spacewalk client to Spacewalk server communication 
- 
-Using the following RPM method will allow you to update all applications correctly at the same time. 
  
 **Before manipulating either client or CA cert** **Before manipulating either client or CA cert**
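Review bot: "The SSL Certificates on the Spacewalk server is used for:" has a subject and verb that disagree and now introduces a single-item list. The registration command earlier on the page passes --sslCACert with an https serverUrl, so client registration and check ins depend on these certificates as well as the portal; list that here, since it is the reason the client CA update later on the page is required.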
Line 313: Line 344:
 ===== Client Certificate ===== ===== Client Certificate =====
  
-Client Certificate locations:+Client Certificate default locations:
   * /etc/httpd/conf/ssl.crt/server.crt   * /etc/httpd/conf/ssl.crt/server.crt
   * /etc/httpd/conf/ssl.csr/server.csr   * /etc/httpd/conf/ssl.csr/server.csr
Line 337: Line 368:
   * Install new SSL key pair package   * Install new SSL key pair package
     * <code bash>rpm -ivh /root/ssl-build/my-spacewalk-server/rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-2.noarch.rpm</code>     * <code bash>rpm -ivh /root/ssl-build/my-spacewalk-server/rhn-org-httpd-ssl-key-pair-my-spacewalk-server-1.0-2.noarch.rpm</code>
-  * Stop Spacewalk services, clear jabberd's scratch database, start the services +  * Restart Spacewalk services 
-    * <code bash>spacewalk-service stop +    * <code bash>spacewalk-service restart</code>
-rm -rf /var/lib/jabberd/db/+
-spacewalk-service start</code> +
-  * Force an OSAD client re-authentication on each client<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code>+
  
 ---- ----
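Review bot: replacing the stop, jabberd database cleanup, start sequence with "spacewalk-service restart" is only correct if jabberd and osa-dispatcher were already taken out of SERVICES as described under "Removing osa/jabber"; otherwise the restart brings jabberd back up after the key pair change without the reset the previous text required. State that prerequisite in this step.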
Line 382: Line 410:
   * Update the database   * Update the database
     * <code bash>rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT</code>     * <code bash>rhn-ssl-dbstore -vvv --ca-cert /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT</code>
-  * Stop the Spacewalk services, clear the jabberd scratch database, start services +  * Restart the Spacewalk services 
-    * <code bash>spacewalk-service stop +    * <code bash>spacewalk-service restart</code>
-rm -rf /var/lib/jabberd/db/+
-spacewalk-service start</code>+
   * **Login to each client and update the CA chain**   * **Login to each client and update the CA chain**
     * <code bash>rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm</code>     * <code bash>rpm -ivh https://my-spacewalk-server.local/pub/rhn-org-trusted-ssl-cert-1.0-2.noarch.rpm</code>
       * Each client will have no communication to the Spacewalk server until this is complete.       * Each client will have no communication to the Spacewalk server until this is complete.
-  * Force an OSAD client re-authentication on each client<code bash>for NODE in $(spacecmd system_list); do echo "=>${NODE}"; ssh -qt ${NODE} "sudo /sbin/service osad stop; sudo rm -vf /etc/sysconfig/rhn/osad-auth.conf; sudo /sbin/service osad start"; done</code> 
  
 ---- ----
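Review bot: with the osad loop removed, this procedure has no fleet-wide step left, while "Login to each client and update the CA chain" stays manual and leaves every client cut off until it is done. The rpm in that step is also downloaded over https from the server whose CA was just replaced, so the transfer cannot be checked against the CA the client currently trusts; suggest pushing the rhn-org-trusted-ssl-cert rpm over ssh with a spacecmd loop like the rhn_check one earlier on the page.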
  
  • linux_wiki/spacewalk.1450757113.txt.gz
  • Last modified: 2019/05/25 23:50
  • (external edit)