
Spacewalk setup


What is spacewalk? Spacewalk is a free version of Red Hat Satellite, a system management solution.
What you can do with spacewalk:
- Kickstart Distributions
- Deploy updates on your systems using a centralized management solution
- Execute remote commands using rhncfg-actions
- Create local repositories

So let's get started.
First we have to install the spacewalk repo. We can do that by using the following command:
 [archy@spacewalk ~]$ sudo rpm -Uvh http://yum.spacewalkproject.org/2.6/RHEL/7/x86_64/spacewalk-repo-2.6-0.el7.noarch.rpm  
Also we will have to add the JPackage repository.
 [archy@spacewalk ~]$ sudo bash -c 'cat > /etc/yum.repos.d/jpackage-generic.repo << EOF  
 [jpackage-generic]  
 name=JPackage generic  
 baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/  
 #mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0  
 enabled=1  
 gpgcheck=1  
 gpgkey=http://www.jpackage.org/jpackage.asc  
 EOF'
The last repo we will add is the EPEL-Repo.
 [archy@spacewalk ~]$ sudo yum -y install epel-release.noarch  
That's it for repositories.
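The repository definitions above decide what yum will trust on this server, and a gpgkey fetched over plain http is only as trustworthy as the network path it arrived on. The following added example (not part of the original post) parses .repo content and reports stanzas where gpgcheck is off or where baseurl or gpgkey use plain http; the function name, the HTTPS mirror and the local key path are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag yum .repo settings that weaken package trust.

# Reads .repo content on stdin, prints one "section: finding" line per issue.
audit_repo() {
    awk '
    function report() {
        if (section == "") return
        if (gpgcheck != "1")    print section ": gpgcheck is not enabled"
        if (baseurl ~ /^http:/) print section ": baseurl uses plain http"
        if (gpgkey ~ /^http:/)  print section ": gpgkey is fetched over plain http"
    }
    /^[ \t]*[#;]/ { next }                 # comment line
    /^[ \t]*\[/ {                          # start of a new [section]
        report()
        section = $0
        sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
        gpgcheck = ""; baseurl = ""; gpgkey = ""
        next
    }
    /=/ {                                  # key=value line
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
        if (key == "gpgcheck") gpgcheck = val
        if (key == "baseurl")  baseurl = val
        if (key == "gpgkey")   gpgkey = val
    }
    END { report() }
    '
}

# Stanza from the post above.
PAGE_REPO='[jpackage-generic]
name=JPackage generic
baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
#mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc'

# Constructed variant: hypothetical HTTPS mirror and a locally stored key
# whose fingerprint was checked before it was copied into place.
PINNED_REPO='[jpackage-generic]
name=JPackage generic
baseurl=https://mirror.example.com/jpackage/5.0/generic/free/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-jpackage'

printf '%s\n' "$PAGE_REPO" | audit_repo
```

On a real system the same function can be fed each file in /etc/yum.repos.d/ in turn.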

Spacewalk uses a database to store its data. The databases that can be used are PostgreSQL and Oracle RDBMS. In this setup I'll be using PostgreSQL, which will run on the same server as the spacewalk service.

Install the spacewalk and the spacewalk-postgresql packages:
 [archy@spacewalk ~]$ sudo yum -y install spacewalk-setup-postgresql spacewalk-postgresql  
I've found out that without downgrading c3p0 the tomcat service will have problems starting on the initial setup.

So we'll downgrade it:
 [archy@spacewalk ~]$ sudo yum -y downgrade c3p0  
We can now set up the spacewalk service by using:
 [archy@spacewalk ~]$ sudo spacewalk-setup
Output:
 * Setting up SELinux..  
 ** Database: Setting up database connection for PostgreSQL backend.  
 ** Database: Installing the database:  
 ** Database: This is a long process that is logged in:  
 ** Database:  /var/log/rhn/install_db.log  
 *** Progress: ####  
 ** Database: Installation complete.  
 ** Database: Populating database.  
 *** Progress: ###########################  
 * Configuring tomcat.  
 * Setting up users and groups.  
 ** GPG: Initializing GPG and importing key.  
 ** GPG: Creating /root/.gnupg directory  
 You must enter an email address.  
 Admin Email Address? archy@archyslife.lan  
 * Performing initial configuration.  
 * Configuring apache SSL virtual host.  
 Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? Y  
 ** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave  
 * Configuring jabberd.  
 * Creating SSL certificates.  
 CA certificate password?  
 Re-enter CA certificate password?  
 Organization? archyslife.lan  
 Organization Unit [spacewalk.archyslife.lan]? Administration  
 Email Address [archy@archyslife.lan]? archy@archyslife.lan  
 City? Munich  
 State? Bavaria  
 Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? DE  
 ** SSL: Generating CA certificate.  
 ** SSL: Deploying CA certificate.  
 ** SSL: Generating server certificate.  
 ** SSL: Storing SSL certificates.  
 * Deploying configuration files.  
 * Update configuration in database.  
 * Setting up Cobbler..  
 Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? Y  
 * Restarting services.  
 Installation complete.  
 Visit https://spacewalk.archyslife.lan to create the Spacewalk administrator account.  

Spacewalk is now ready to be accessed, but our server is not yet. We will first have to set up the firewall by adding the ports 80/tcp, 443/tcp, 5222/tcp, 5222/udp, and 69/udp to the firewall.
 [archy@spacewalk ~]$ sudo firewall-cmd --zone=internal --add-port={80/tcp,443/tcp,5222/tcp,5222/udp,69/udp} --permanent  
 [archy@spacewalk ~]$ sudo firewall-cmd --reload  

Next we have to access the server using the web interface. In my case, I'll point my browser to https://spacewalk.archyslife.lan

Before we continue to set up spacewalk, we will download a CentOS 7 ISO file and mount it to a folder. In order to do that, execute the following commands:
 [archy@spacewalk ~]$ sudo mkdir /iso && cd /iso  
 [archy@spacewalk ~]$ sudo wget http://centos.mirror.iphh.net/CentOS/7/isos/x86_64/CentOS-7-x86_64-Everything-1611.iso  
 [archy@spacewalk ~]$ sudo mkdir --parents /tftpboot/CentOS  
 [archy@spacewalk ~]$ sudo mount -o loop /iso/CentOS-7-x86_64-Everything-1611.iso /tftpboot/CentOS  
To automate the mounting, add the following line to /etc/fstab:
 /iso/CentOS-7-x86_64-Everything-1611.iso    /tftpboot/CentOS    iso9660     defaults     0     0  
We will have to create the organization for our spacewalk server.
If it was successfully created, you will be greeted by the welcome screen.
From there we navigate to 'Systems' --> 'Activation Keys' and create a new key.
The activation key will be needed later, for example when adding clients.

Next we set up some software channels. To do so, navigate to 'Channels' --> 'Manage Software Channels' and click 'Create Channel', which is in the upper right-hand corner.

Here is an example of the data used for a software channel.
Important: Add the GPG key from the repo you are using to download your files. Otherwise you will get gpgcheck errors from yum.
To obtain this key, type:

 [root@spacewalk ~]$ gpg --with-fingerprint /tftpboot/CentOS/RPM-GPG-KEY-CentOS-7  
Output:
 pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key <security@centos.org>  
 Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5  
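Before entering the key into the channel, the fingerprint gpg reports can be compared with a value obtained from a source other than the ISO itself. One way to script that check, added here and not part of the original post: it assumes the GnuPG output format shown above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check a key's fingerprint against a pinned value.

# Print the fingerprint found in `gpg --with-fingerprint` output (stdin),
# upper-cased with whitespace removed. Prints nothing if none is found.
extract_fingerprint() {
    awk -F= '/Key fingerprint/ { gsub(/[ \t\r]/, "", $2); print toupper($2); exit }'
}

# Print the short key ID from the "pub" line, e.g. 4096R/F4A80EB5 -> F4A80EB5.
extract_key_id() {
    awk '$1 == "pub" { split($2, part, "/"); print toupper(part[2]); exit }'
}

# Succeed only if the output on stdin carries the expected fingerprint ($1)
# and the key ID on the pub line is the tail of that fingerprint.
key_matches_pin() {
    local output expected actual key_id
    output=$(cat)
    expected=$(printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F')
    actual=$(printf '%s\n' "$output" | extract_fingerprint)
    key_id=$(printf '%s\n' "$output" | extract_key_id)
    [ -n "$actual" ] && [ "$actual" = "$expected" ] || return 1
    case "$actual" in
        *"$key_id") [ -n "$key_id" ] ;;
        *) return 1 ;;
    esac
}

# Sample input: the gpg output shown in the post above.
SAMPLE_OUTPUT='pub 4096R/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key <security@centos.org>
 Key fingerprint = 6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5'

# Pinned value: the fingerprint from the post; confirm it against the
# fingerprint the CentOS project publishes before relying on it.
PINNED='6341 AB27 53D7 8A78 A7C2 7BB1 24C6 A8A7 F4A8 0EB5'

if printf '%s\n' "$SAMPLE_OUTPUT" | key_matches_pin "$PINNED"; then
    echo "fingerprint matches pinned value"
fi
```

In real use, pipe `gpg --with-fingerprint /tftpboot/CentOS/RPM-GPG-KEY-CentOS-7` into `key_matches_pin "$PINNED"` instead of the sample text.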
Now that we've got a software channel, we also want to link a repository to it. To create a repository, we click on 'Channels' --> 'Manage Software Channels' --> 'Manage Repositories' and on 'Create Repository', which is again in the upper right-hand corner.

Here is an example of the input.
So far so good. Linking the repository to the channel can be done as follows.
Click on 'Channels' --> 'Manage Software Channels' and choose your software channel.
Click on your software channel and go to 'Repositories' and select your repository.
Finally click 'Update Repositories'.
That concludes the basic setup. You can now populate the repository and add clients using the following commands.

Populating the repository with data and packages can be done using the command:
 [root@spacewalk ~]$ spacewalk-repo-sync --channel centos-7-base --type yum  

Adding a client to the spacewalk-server:

Step 1: Get the spacewalk-repo
 [archy@spacewalk ~]$ sudo rpm -Uvh http://yum.spacewalkproject.org/2.6-client/RHEL/7/x86_64/spacewalk-client-repo-2.6-0.el7.noarch.rpm   
Step 2: Install the necessary packages
 [archy@spacewalk ~]$ sudo yum -y install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin rhncfg-actions  
Step 3: Obtain the necessary certs package
 [archy@spacewalk ~]$ sudo rpm -Uvh http://spacewalk.archyslife.lan/pub/rhn-org-trusted-ssl-cert-1.0-4.noarch.rpm  
Step 4: Register the client to your spacewalk-server
 [archy@spacewalk ~]$ sudo rhnreg_ks --serverUrl=https://spacewalk.archyslife.lan/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=your_activation_key  

To use kickstart functionality, we will have to set up a kickstart distribution and a kickstart profile.
We'll start with the distribution. Click on 'Systems' --> 'Kickstart' --> 'Distributions' --> 'Create Distribution' and fill in the data. Here is my example.
Click on 'Create Kickstart Distribution'. Now we have to set up the kickstart profile.
This can be achieved by clicking on 'Systems' --> 'Kickstart' --> 'Profiles' --> 'Create Kickstart Profile'.
Fill in the data; again, here are my examples.


If you have a dhcp-server that hands out the spacewalk-server as option 66, you will be able to use PXE Boot in your network.

Feel free to comment and / or suggest a topic.
