Spacewalk

Spacewalk is the upstream community project from which the Red Hat Network Satellite product is derived. It provides a management interface for software content across registered servers and desktops.

1. References

This howto is based on the documents which can be found at the Spacewalk official website, to create a basic walkthrough for CentOS users.

Spacewalk official website
Official documentation
Screenshots and overview of the Spacewalk project

2. Server requirements

TIP: The author recommends using CentOS 5 i386 since most of the benefits of the x86_64 architecture are lost by the limitations in the Oracle XE database server.

3. SELinux

The Oracle database server required by the Spacewalk server has been integrated, and DOES 'play well' with SELinux. Edit /etc/sysconfig/selinux and set SELinux in enforcing mode:

SELINUX=enforcing 

Restarting the server is probably the fastest way to apply this change.

4. Firewall

The following inbound TCP ports should be open on the Spacewalk server:

5. Oracle Database

In this guide, Spacewalk will be installed with an Oracle 10g database server; support for PostgreSQL as a backend is a work in progress, and we will update this page whenever it becomes a viable option. Oracle Express Edition server works fine even if it has some limitations:

5.1. Installation

To run with SELinux enabled, the oracle user uid must be below 500. The following two commands create the group and user for the oracle user prior to the installation of the oracle-xe-univ package:

/usr/sbin/groupadd -r dba
/usr/sbin/useradd -r -M -g dba -d /usr/lib/oracle/xe -s /bin/bash oracle 

On x86_64 systems, beware that you will need a lot of i386 compatibility packages, so you must not have:

exclude = *.i386

in /etc/yum.conf; if you have this line, the Oracle XE installation will fail in a subtle way.

The following packages are required by the Oracle database. This will install bc, plus glibc and libaio in their 32-bit variants, which are required even on the x86_64 architecture:

yum install bc glibc.i686 libaio.i386 

Download Oracle XE from the Oracle website. You will need to register in order to download the RPMS. Choose the Oracle Database 10g Express Edition (Universal):

You will also need a client to access the database. Download the Oracle Instant Client: i386 client or x86_64 according to the architecture of your server. Download the following two (2) RPM packages:

ATTENTION: Spacewalk version 1.4 is known to work correctly with version 11.2.0.2.0 of the Oracle Instant Client.

Install the downloaded RPM on the Spacewalk server:

rpm -Uvh oracle-xe-univ-10.2.0.1-1.0.i386.rpm
rpm -Uvh oracle-instantclient11.2-basic-11.2.0.2.0.*.rpm 
rpm -Uvh oracle-instantclient11.2-sqlplus-11.2.0.2.0.*.rpm 

Before configuring the Oracle database, we need to pull some packages from the Spacewalk Yum repository. So we need to install the repo files:

rpm -Uhv http://spacewalk.redhat.com/yum/1.4/RHEL/5/x86_64/spacewalk-client-repo-1.4-1.el5.noarch.rpm
rpm -Uhv http://spacewalk.redhat.com/yum/1.4/RHEL/5/x86_64/spacewalk-repo-1.4-1.el5.noarch.rpm

Install the following packages from the Spacewalk repository:

yum install oracle-lib-compat
yum install oracle-xe-selinux oracle-instantclient-selinux oracle-instantclient-sqlplus-selinux 

Configure the Oracle database:

/etc/init.d/oracle-xe configure 

The default values are fine except for the HTTP port. Use 9055 instead of 8080.

ATTENTION: To modify the configuration values, uninstall and reinstall the RPMS.

5.2. Client configuration

We need to configure the tns names entry for our database. Edit /etc/tnsnames.ora:

XE =
    (DESCRIPTION =
       (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
       )
       (CONNECT_DATA =
          (SERVICE_NAME = xe)
       )
    ) 

Restore file default SELinux security contexts:

/sbin/restorecon -v /etc/tnsnames.ora 

Test the connection with the Oracle database server:

sqlplus system@xe 

Enter the password for the system user when prompted. You should see the following message:

SQL*Plus: Release 10.2.0.1.0 - Production on Wed Dec 17 09:41:18 2008
Copyright (c) 1982, 2005, Oracle.  All rights reserved.
Connected to:
Oracle Database 10g Express Edition Release 10.2.0.1.0 - Production
SQL> 

Type "quit" to exit the client interface.

5.3. Creating the spacewalk database user

Create the spacewalk database user with the sqlplus command-line interface:

sqlplus 'sys@xe as sysdba'
SQL> create user spacewalk identified by spacewalk default tablespace users;
User created.
SQL> grant dba to spacewalk;
Grant succeeded.
SQL> PASSWORD spacewalk;
Changing password for spacewalk
New password: 
Retype new password: 
Password changed
SQL> quit 

5.4. Additional configuration

Spacewalk needs more simultaneous connections to its database than are allowed by default (40). The setting recommended by the Spacewalk developers is 400. Also, a bug in Oracle XE might cause Internal Server Error (500) in Spacewalk. The following configuration changes will address these issues:

sqlplus spacewalk/spacewalk@xe
SQL> alter system set processes = 400 scope=spfile;
System altered.
SQL> alter system set "_optimizer_filter_pred_pullup"=false scope=spfile;
System altered.
SQL> alter system set "_optimizer_cost_based_transformation"=off scope=spfile;
System altered.
SQL> quit 

Restart the Oracle database:

/etc/init.d/oracle-xe restart 

6. Yum

6.1. EPEL

Spacewalk requires packages available from the EPEL repository. Edit /etc/yum.repos.d/epel.repo:

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedora.redhat.com/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
gpgkey=http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
gpgcheck=1
enabled=1
includepkgs=bea-stax* cobbler editarea gc gc-devel git* jabberd jabberpy* jakarta-commons-cli jcommon   \
            jfreechart libapreq2 libgsasl* libntlm* libyaml perl-Algorithm-Diff perl-Apache-DBI         \
            perl-BerkeleyDB perl-Cache-Cache perl-Class-MethodMaker perl-Class-Singleton                \
            perl-Convert-BinHex perl-Config-IniFiles perl-Crypt-DES perl-Crypt-GeneratePassword         \
            perl-DateTime perl-DateTime-Format-Mail perl-DateTime-Format-W3CDTF perl-Error              \
            perl-FreezeThaw perl-Frontier-RPC perl-GD perl-Git perl-Math-FFT perl-HTML-TableExtract     \
            perl-IO-Capture perl-IO-stringy perl-IPC-ShareLite perl-libapreq2 perl-MIME-Lite            \
            perl-MIME-tools perl-Net-IPv4Addr perl-Net-SNMP perl-Params-Validate perl-Proc-Daemon       \
            perl-SOAP-Lite perl-TermReadKey perl-Text-Diff perl-Unix-Syslog perl-XML-RSS perl-version   \
            perlAlgorithm-Diff python-cheetah python-dmidecode python-hashlib python-netaddr PyYAML     \
            python-simplejson rhino tzdata-java udns*  

6.2. Spacewalk

The following yum repository contains the core components of Spacewalk version 1.4. The packages rhn-client-tools and rhnlib are needed by Spacewalk, but they were removed from CentOS as part of the CentOS changes to the updater [to avoid an old upstream updater behaviour on un-configured CentOS units that placed load on the upstream vendor due to some hard-coded repository names]. To address this, install the Spacewalk Client repo too.

rpm -Uhv http://spacewalk.redhat.com/yum/1.4/RHEL/5/x86_64/spacewalk-client-repo-1.4-1.el5.noarch.rpm
rpm -Uhv http://spacewalk.redhat.com/yum/1.4/RHEL/5/x86_64/spacewalk-repo-1.4-1.el5.noarch.rpm

6.3. Partial yum repositories

If you want to use your Spacewalk server to manage partial yum repositories, we recommend creating a file named /etc/reposync.conf. Below is an example file used to manage both EPEL and RPMforge i386 repositories. We strongly recommend using the includepkgs directive to protect the base distro packages and limit the occupied disk space:

[epel32]
name=Extra Packages for Enterprise Linux 5 - i386
baseurl=http://download.fedora.redhat.com/pub/epel/5/i386
#mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=i386
failovermethod=priority
gpgkey=http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
gpgcheck=1
enabled=1
includepkgs=bea-stax* cobbler editarea gc gc-devel git* jabberd jabberpy* jakarta-commons-cli jcommon   \
            jfreechart libapreq2 libgsasl* libntlm* libyaml perl-Algorithm-Diff perl-Apache-DBI         \
            perl-BerkeleyDB perl-Cache-Cache perl-Class-MethodMaker perl-Class-Singleton                \
            perl-Convert-BinHex perl-Config-IniFiles perl-Crypt-DES perl-Crypt-GeneratePassword         \
            perl-DateTime perl-DateTime-Format-Mail perl-DateTime-Format-W3CDTF perl-Error              \
            perl-FreezeThaw perl-Frontier-RPC perl-GD perl-Git perl-Math-FFT perl-HTML-TableExtract     \
            perl-IO-Capture perl-IO-stringy perl-IPC-ShareLite perl-libapreq2 perl-MIME-Lite            \
            perl-MIME-tools perl-Net-IPv4Addr perl-Net-SNMP perl-Params-Validate perl-Proc-Daemon       \
            perl-SOAP-Lite perl-TermReadKey perl-Text-Diff perl-Unix-Syslog perl-XML-RSS perl-version   \
            perlAlgorithm-Diff python-cheetah python-dmidecode python-hashlib python-netaddr PyYAML     \
            python-simplejson rhino tzdata-java udns*

[rpmforge32]
name = RPMforge for Enterprise Linux 5 - i386
baseurl = http://apt.sw.be/redhat/el5/en/i386/dag
gpgkey = http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
gpgcheck=1
includepkgs=amavisd-new arc cabextract clamav* clamd freeze lha lzop nomarch perl-Archive-Zip perl-Convert-TNEF \
            perl-Convert-UUlib perl-MailTools perl-Net-Server ripole unarj zoo 
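
A check for the includepkgs and gpgcheck recommendations above, as an added example that is not part of the original howto: it reads a yum/reposync configuration on stdin and reports stanzas that lack gpgcheck=1, a gpgkey, or an includepkgs list. The function names and the [scratch] stanza are constructed for illustration, and treating only https:// and file:// gpgkey URLs as acceptable is an assumed site policy.

```shell
#!/bin/sh
# Added example (not from the original howto): audit reposync/yum stanzas.

# Read a .repo-style file on stdin and print one finding per line.
audit_repo_conf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Report on the stanza collected so far, then forget its options.
    function flush() {
        if (sec != "") {
            if (opt["gpgcheck"] != "1")
                print sec ": gpgcheck is not 1"
            if (opt["gpgkey"] == "")
                print sec ": no gpgkey"
            else if (opt["gpgkey"] !~ /^(https|file):/)
                print sec ": gpgkey URL is not https:// or file://"
            if (opt["includepkgs"] == "")
                print sec ": no includepkgs"
        }
        split("", opt)
    }
    /^[ \t]*$/    { next }                      # blank line
    /^[ \t]*[#;]/ { next }                      # comment
    substr($0, 1, 1) == "[" && index($0, "]") > 2 {
        flush()
        sec = substr($0, 2, index($0, "]") - 2)
        next
    }
    {
        # Indented lines continue a multi-line value such as includepkgs.
        if ($0 ~ /^[ \t]/) next
        eq = index($0, "=")
        if (eq == 0) next
        # Split on the first "=" only: mirrorlist URLs contain more of them.
        opt[trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END { flush() }
    '
}

# Sample input: [rpmforge32] is copied from the page, [scratch] is constructed.
sample_reposync_conf() {
cat <<'EOF'
[rpmforge32]
name = RPMforge for Enterprise Linux 5 - i386
baseurl = http://apt.sw.be/redhat/el5/en/i386/dag
gpgkey = http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
gpgcheck=1
includepkgs=amavisd-new arc cabextract clamav* clamd freeze lha lzop nomarch perl-Archive-Zip perl-Convert-TNEF \
            perl-Convert-UUlib perl-MailTools perl-Net-Server ripole unarj zoo

[scratch]
name=Constructed stanza with weak settings
baseurl=http://mirror.example.com/scratch/el5/i386
gpgcheck=0
EOF
}

# Demo on the embedded sample; on a server use: audit_repo_conf < /etc/reposync.conf
sample_reposync_conf | audit_repo_conf
```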

6.4. GPG keys

By default, Spacewalk will refuse to distribute unsigned RPMS or RPMS signed with an unknown key. We make sure we have all the relevant GPG keys installed:

wget http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
mv RPM-GPG-KEY-EPEL /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL
wget http://www.redhat.com/security/37017186.txt
mv 37017186.txt /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
wget http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
mv RPM-GPG-KEY-spacewalk /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-spacewalk
wget http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
mv RPM-GPG-KEY.dag.txt /etc/pki/rpm-gpg/RPM-GPG-KEY-dag
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-dag 

ATTENTION: Of course this also means implicitly adding a trust relationship to each of those providers, as yum and rpm will trust any content signed by any of those keys. In particular, the EPEL and dag archives do not issue coordinated updates to competing packages, and this may result in some dependency solution problems. As these archives are NOT under CentOS management or control, please address requests for assistance to the appropriate archives' support venues.
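
Because the keys above are downloaded over plain HTTP, the trust decision can be made explicit by comparing each key file's full fingerprint against a value obtained out of band before running rpm --import. The following is an added example, not part of the original howto; the function names are hypothetical, and the only real values used are the CentOS 5 key ID and fingerprint listed in the channel configuration later on this page.

```shell
#!/bin/sh
# Added example (not from the original howto): pin a fingerprint before import.

# Strip whitespace and upper-case, so the spaced form printed on a vendor
# page and the compact form printed by gpg compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# True only for a full 40-hex-digit fingerprint. An 8-digit key ID is just
# the tail of the fingerprint and is too short to serve as a pin.
is_full_fpr() {
    f=$(normalize_fpr "$1")
    case "$f" in
        ''|*[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ]
}

# True if the short key ID equals the last 8 hex digits of the fingerprint
# (a consistency check between the two values shown in the web interface).
fpr_ends_with_keyid() {
    f=$(normalize_fpr "$1")
    id=$(normalize_fpr "$2")
    [ "${#id}" -eq 8 ] || return 1
    case "$f" in
        *"$id") return 0 ;;
    esac
    return 1
}

# Print the primary-key fingerprint(s) found in a key file without importing
# it. Assumes a gpg that lists a key file given without a command (GnuPG 1.4
# and 2.x do); only the fpr record that follows each pub record is used.
key_file_fprs() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1; next }
                 $1 == "fpr" && want { print $10; want = 0 }'
}

# Import KEYFILE into the rpm database only if it holds exactly one key whose
# fingerprint equals PIN. Returns 2 for an unusable pin, 1 for a mismatch.
import_if_pinned() {
    keyfile=$1
    pinned=$(normalize_fpr "$2")
    if ! is_full_fpr "$pinned"; then
        echo "refusing: pin must be a full 40-digit fingerprint" >&2
        return 2
    fi
    actual=$(key_file_fprs "$keyfile")
    if [ "$actual" != "$pinned" ]; then
        echo "refusing $keyfile: fingerprint '$actual' does not match pin" >&2
        return 1
    fi
    rpm --import "$keyfile"
}

# Demo with the CentOS 5 values from this page (no key file is touched).
if fpr_ends_with_keyid '473D 66D5 2122 71FD 51CC 17B1 A8A4 47DC E856 2897' 'E8562897'; then
    echo "key ID E8562897 is consistent with the listed fingerprint"
fi
# On a server (placeholder pin, to be obtained out of band):
#   import_if_pinned /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL '<full fingerprint>'
```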

7. Spacewalk Server

7.1. Installation

Remove the specspo package if present since it conflicts with Spacewalk.

rpm -e specspo 

Install the following package needed by Spacewalk but not present on its dependency listing:

yum install perl-XML-LibXML-Common 

We use yum to fetch the rather long list of dependencies for the Spacewalk software:

yum install spacewalk-oracle
yum update 

7.2. Configuration

Configure the Spacewalk application:

LANG=C; spacewalk-setup --disconnected
* Setting up Oracle environment.
* Setting up database.
** Database: Setting up database connection.
DB User? spacewalk
DB Password? 
DB SID? xe
DB hostname? localhost
DB port [1521]? 
DB protocol [TCP]? 
** Database: Testing database connection.
** Database: Populating database.
*** Progress: ##########################################################
* Setting up users and groups.
** GPG: Initializing GPG and importing key.
You must enter an email address.
Admin Email Address? webmaster@example.com
* Performing initial configuration.
* Activating Spacewalk.
** Loading Spacewalk Certificate.
** Verifying certificate locally.
** Activating Spacewalk.
* Enabling Monitoring.
* Configuring apache SSL virtual host.
Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? 
* Configuring jabberd.
* Creating SSL certificates.
CA certificate password? 
Re-enter CA certificate password? 
Organization? example.com
Organization Unit [spacewalk.example.com]?  
Email Address [webmaster@example.com]? 
City? Montreal
State? Quebec
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? CA
** SSL: Generating CA certificate.
** SSL: Deploying CA certificate.
** SSL: Generating server certificate.
** SSL: Storing SSL certificates.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y/n]?
* Restarting services.
Installation complete.
Use a web browser to view https://spacewalk.example.com/ to create the Spacewalk administrator account. 

Enable monitoring with the following command:

/usr/share/spacewalk/setup/upgrade/rhn-enable-monitoring.pl 

Point your web browser at https://spacewalk.example.com to create the satellite administrator account [where example.com is the local DNS domain under your local control]

7.2.1. Activation Key

Using the Spacewalk web interface, create a default activation key to register your systems. Navigate to Systems -> Activation keys and click on "create new key".

7.2.2. Channel configuration

In order to use Spacewalk to manage CentOS servers and desktops, we need to configure and populate software channels. As of Spacewalk 1.0, it is now possible to directly fetch the content of yum repositories with the spacewalk-repo-sync utility. By default, packages are pushed to the /var/satellite directory. Navigate to Admin -> Spacewalk Configuration -> General if you want to change this value.

It is now time to create a channel inside the Spacewalk web interface. Navigate to Channels -> Manage Software Channels and click on "create new channel".

7.2.2.1. CentOS 5 Base for i386

Here is a configuration example for the CentOS 5 Base i386 channel:

Basic Channel Details
 * Channel Name: CentOS 5 Base - i386
 * Channel Label: centos5-base-i386
 * Parent Channel: None
 * Parent Channel Architecture: IA-32
 * Yum Repository Checksum Type: sha1
 * Channel Summary: CentOS 5 Base for i386 architecture
Associated yum repository
 * Repository URL: http://mirror.centos.org/centos/5/os/i386/
 * Label: centos5-base-i386
 * Sync Repo: enabled
Security: GPG
 * GPG key URL: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
 * GPG key ID: E8562897
 * GPG key Fingerprint: 473D 66D5 2122 71FD 51CC 17B1 A8A4 47DC E856 2897 

Edit /etc/cron.daily/spacewalk_sync.cron:

#!/bin/sh
# try to create the lock and check the outcome
LOCKFILE=/var/run/spacewalk_sync.lock
lockfile -r 0 ${LOCKFILE} 1>/dev/null 2>&1
status=$?
if [ ${status} -ne 0 ] ;then
        echo "Another instance already running. Aborting."
        exit 1
fi
trap "rm ${LOCKFILE}" EXIT
/usr/bin/spacewalk-repo-sync --channel centos5-base-i386 \
                             --url http://mirror.centos.org/centos/5/os/i386/ \
                             --type yum --label centos5-base-i386 > /dev/null

chmod 700 /etc/cron.daily/spacewalk_sync.cron
chown root:root /etc/cron.daily/spacewalk_sync.cron

TIP: The spacewalk-repo-sync command is used to synchronize the channel content with the relevant yum repository. At this time, only the 'yum' method is supported. Any repository URL supported by yum can be used (http://, file://, etc.). The whole content of the yum repository is transferred to the Spacewalk server.

7.2.2.2. CentOS 5 Updates for i386

Here is a configuration example for the CentOS 5 Updates i386 channel:

Basic Channel Details
 * Channel Name: CentOS 5 Updates - i386
 * Channel Label: centos5-updates-i386
 * Parent Channel: CentOS 5 Base - i386
 * Parent Channel Architecture: IA-32
 * Yum Repository Checksum Type: sha1
 * Channel Summary: CentOS 5 Updates for i386 architecture
Associated yum repository
 * Repository URL: http://mirror.centos.org/centos/5/updates/i386/
 * Label: centos5-updates-i386
 * Sync Repo: enabled
Security: GPG
 * GPG key URL: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
 * GPG key ID: E8562897
 * GPG key Fingerprint: 473D 66D5 2122 71FD 51CC 17B1 A8A4 47DC E856 2897

Edit /etc/cron.daily/spacewalk_sync.cron and add these lines:

/usr/bin/spacewalk-repo-sync --channel centos5-updates-i386 \
                             --url http://mirror.centos.org/centos/5/updates/i386/ \
                             --type yum --label centos5-updates-i386 > /dev/null

7.2.2.3. Spacewalk Client for i386

Here is a configuration example for the Spacewalk Client i386 channel:

Basic Channel Details
 * Channel Name: Spacewalk Client - i386
 * Channel Label: spacewalk-client-i386
 * Parent Channel: CentOS 5 Base - i386
 * Parent Channel Architecture: IA-32
 * Yum Repository Checksum Type: sha1
 * Channel Summary: Spacewalk Client for i386 architecture
Associated yum repository
 * Repository URL: http://spacewalk.redhat.com/yum/1.0-client/RHEL/5/i386/
 * Label: spacewalk-client-i386
 * Sync Repo: enabled
Security: GPG
 * GPG key URL: http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
 * GPG key ID: 430A1C35
 * GPG key Fingerprint:

Edit /etc/cron.daily/spacewalk_sync.cron and add these lines:

/usr/bin/spacewalk-repo-sync --channel spacewalk-client-i386 \
                             --url http://spacewalk.redhat.com/yum/1.0-client/RHEL/5/i386/ \
                             --type yum --label spacewalk-client-i386 > /dev/null

7.2.2.4. Extra Packages Enterprise Linux 5 for i386

Here is a configuration example for the Extra Packages Enterprise Linux 5 i386 channel:

Basic Channel Details
 * Channel Name: EPEL5 - i386
 * Channel Label: epel5-i386
 * Parent Channel: CentOS 5 Base - i386
 * Parent Channel Architecture: IA-32
 * Yum Repository Checksum Type: sha1
 * Channel Summary: Extra Packages Enterprise Linux 5 for i386 architecture
Associated yum repository
 * Repository URL: http://download.fedora.redhat.com/pub/epel/5/i386/
 * Label: epel5-i386
 * Sync Repo: disabled
Security: GPG
 * GPG key URL: http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
 * GPG key ID: 217521F6
 * GPG key Fingerprint:

For this channel, we do not want to fetch the whole yum repository. Instead, we would like to fetch only the packages listed in its yum configuration file under the 'includepkgs' directive. To do so, we will need to use the reposync utility. With the reposync command, we will download the EPEL packages and create a local yum repository. The spacewalk-repo-sync command will then be used to fetch the packages from this local yum repository.

yum install yum-utils createrepo

Create the placeholder for the local yum repository:

mkdir -p /var/www/html/pub/CentOS5-i386

Edit /etc/cron.daily/spacewalk_sync.cron and add these lines:

reposync --repoid=epel32 -c /etc/reposync.conf -p /var/www/html/pub/CentOS5-i386 -d -l -g -n -q > /dev/null
cd /var/www/html/pub/CentOS5-i386/epel32
createrepo /var/www/html/pub/CentOS5-i386/epel32 > /dev/null
/usr/bin/spacewalk-repo-sync --channel epel5-i386 \
                             --url file:///var/www/html/pub/CentOS5-i386/epel32/ \
                             --type yum --label epel5-i386 > /dev/null

TIP: The reposync command will fetch the EPEL for i386 RPMS from the repository configured in the /etc/reposync.conf configuration file. Packages will be downloaded in the /var/www/html/pub/CentOS5-i386/epel32/ directory. We do not use the '--arch' option from reposync as it may not work correctly in certain cases. To debug this command, remove the "-q" option.

7.2.2.5. RPMforge Enterprise Linux 5 for i386

Here is a configuration example for the RPMforge Enterprise Linux 5 i386 channel:

Basic Channel Details
 * Channel Name: RPMforge EL5 - i386
 * Channel Label: rpmforge-el5-i386
 * Parent Channel: CentOS 5 Base - i386
 * Parent Channel Architecture: IA-32
 * Yum Repository Checksum Type: sha1
 * Channel Summary: RPMforge Enterprise Linux 5 for i386 architecture
Associated yum repository
 * Repository URL: http://apt.sw.be/redhat/el5/en/i386/dag/
 * Label: rpmforge-el5-i386
 * Sync Repo: disabled
Security: GPG
 * GPG key URL: http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
 * GPG key ID: 6B8D79E6
 * GPG key Fingerprint:

For this channel, we do not want to fetch the whole yum repository. Instead, we would like to fetch only the packages listed in its yum configuration file (/etc/reposync.conf) under the 'includepkgs' directive.

Edit /etc/cron.daily/spacewalk_sync.cron and add these lines:

reposync --repoid=rpmforge32 -c /etc/reposync.conf -p /var/www/html/pub/CentOS5-i386 -d -l -g -n -q > /dev/null
cd /var/www/html/pub/CentOS5-i386/rpmforge32
createrepo /var/www/html/pub/CentOS5-i386/rpmforge32 > /dev/null
/usr/bin/spacewalk-repo-sync --channel rpmforge-el5-i386 \
                             --url file:///var/www/html/pub/CentOS5-i386/rpmforge32/ \
                             --type yum --label rpmforge-el5-i386 > /dev/null

7.2.2.6. GPG keys

For the convenience of Spacewalk clients, we place all the public GPG keys of the managed packages on the web server. The keys will be available from http://spacewalk.example.com/pub .

cp /etc/pki/rpm-gpg/RPM-GPG-KEY-* /var/www/html/pub/

7.3. Upgrade

You will need to update the yum configuration file /etc/yum.repos.d/spacewalk.repo and the cron script /etc/cron.daily/spacewalk_sync.cron in order to upgrade from a previous version of Spacewalk.

TIP: Before launching the yum update command, follow instructions at https://fedorahosted.org/spacewalk/wiki/HowToUpgrade.

8. Spacewalk Client (simple configuration)

Each client must be configured to use the Spacewalk server as its source for RPM packages. We temporarily configure EPEL repository on the client machine to fetch the required packages. Edit /etc/yum.repos.d/epel.repo:

[epel]
name=Extra Packages for Enterprise Linux 5 - $basearch
#baseurl=http://download.fedora.redhat.com/pub/epel/5/$basearch
mirrorlist=http://mirrors.fedoraproject.org/mirrorlist?repo=epel-5&arch=$basearch
failovermethod=priority
gpgkey=http://download.fedora.redhat.com/pub/epel/RPM-GPG-KEY-EPEL
gpgcheck=1
enabled=1
includepkgs=bea-stax* cobbler editarea gc gc-devel git* jabberd jabberpy* jakarta-commons-cli jcommon   \
            jfreechart libapreq2 libgsasl* libntlm* libyaml perl-Algorithm-Diff perl-Apache-DBI         \
            perl-BerkeleyDB perl-Cache-Cache perl-Class-MethodMaker perl-Class-Singleton                \
            perl-Convert-BinHex perl-Config-IniFiles perl-Crypt-DES perl-Crypt-GeneratePassword         \
            perl-DateTime perl-DateTime-Format-Mail perl-DateTime-Format-W3CDTF perl-Error              \
            perl-FreezeThaw perl-Frontier-RPC perl-GD perl-Git perl-Math-FFT perl-HTML-TableExtract     \
            perl-IO-Capture perl-IO-stringy perl-IPC-ShareLite perl-libapreq2 perl-MIME-Lite            \
            perl-MIME-tools perl-Net-IPv4Addr perl-Net-SNMP perl-Params-Validate perl-Proc-Daemon       \
            perl-SOAP-Lite perl-TermReadKey perl-Text-Diff perl-Unix-Syslog perl-XML-RSS perl-version   \
            perlAlgorithm-Diff python-cheetah python-dmidecode python-hashlib python-netaddr PyYAML     \
            python-simplejson rhino tzdata-java udns*

Install the Spacewalk repo:

rpm -Uhv http://spacewalk.redhat.com/yum/1.4/RHEL/5/x86_64/spacewalk-client-repo-1.4-1.el5.noarch.rpm

We are now ready to download the required packages:

yum install rhn-setup yum-rhn-plugin python-dmidecode

We now register the client to the Spacewalk server:

ATTENTION: Remember to ALWAYS use the FQDN of your Spacewalk server.

rhnreg_ks --serverUrl=http://spacewalk.example.com/XMLRPC --activationkey=<default-activation-key>

TIP: Navigate to Systems -> Activation Keys on the web interface of your Spacewalk server to retrieve your default activation key.

On the Spacewalk web interface, navigate to Systems -> Overview. Your client system should now be present in the list. Select it and click on "Alter Channel Subscriptions" link below the "System Info" section. In the "Base Software Channel" section, select the CentOS 5 Base - i386 channel and click on the Confirm button. You can subscribe your system to child channels once you are back to the Software Channel management page.

You can now safely disable your locally configured yum repositories if a corresponding Spacewalk channel has been configured. Edit repo files in /etc/yum.repos.d and make sure relevant sections contain the string:

enabled=0

9. Using Cobbler to manage Spacewalk Clients

Cobbler is bundled in Spacewalk since version 0.4. Cobbler is an installation service and is used to simplify server provisioning tasks. We will demonstrate how you can use Cobbler inside Spacewalk to provision a new server into your existing network.

In the previous steps, we outlined how to create a CentOS 5 - i386 distribution. We will now explain how to use Cobbler for provisioning a new server with CentOS 5 - i386.

9.1. Populating the distribution tree

The Spacewalk server must contain the entire kickstart tree for the distribution. This tree includes the kernel, initrd, and repo information. This directory should be readable by the apache and tomcat users.

mkdir -p /var/iso-images /var/distro-trees

Download the first binary ISO image of the distribution as /var/iso-images/CentOS-5-i386-bin-1.iso. This file contains the required files.

mount -o loop /var/iso-images/CentOS-5-i386-bin-1.iso /var/distro-trees/CentOS-5-i386

We also edit /etc/fstab to automatically mount the ISO image at boot time:

/var/iso-images/CentOS-5-i386-bin-1.iso  /var/distro-trees/CentOS-5-i386 iso9660  rw,loop=/dev/loop0 0 0

TIP: To keep your distribution tree updated, download the latest version of the CentOS 5 ISO image on a regular basis. You will also need to unmount and remount the ISO image every time a new CentOS 5 ISO image is released.

9.2. Create a new distribution

Navigate in the Spacewalk interface and select Systems -> Kickstart -> Distributions. Click on the 'create a new distribution' link.

Distribution Label: CentOS-5-i386
Tree Path: /var/distro-trees/CentOS-5-i386
Base Channel: CentOS 5 Base - i386
Installer Generation: Red Hat Enterprise Linux 5

Click on the 'Create Kickstart Distribution' button.

9.3. Create a new kickstart profile

In order to successfully install our distribution, we need a kickstart file. This is a simple text file containing a list of items, each identified by a keyword, that answers the questions from the anaconda installer.

Navigate in the Spacewalk interface and select Systems -> Kickstart. Click on the 'create a new kickstart profile' link.

Label: CentOS-5-i386
Channel Base: CentOS 5 Base - i386
Kickstartable Tree: CentOS-5-i386
Virtualization Type: None

Click on the 'Next' button.

On the next screens, leave the default download location and pick a password for the root user.

Navigate in the Spacewalk interface and select Systems -> Kickstart -> Profiles. Select the 'CentOS-5-i386' profile. Under the 'Operating System' tab, activate both 'centos5-updates-i386' and 'spacewalk-client-i386' channels. Other child channels can be activated too.

9.4. TFTP server

The kickstart profile is exposed to the network via TFTP. Make sure the xinetd service is running:

/etc/init.d/xinetd status

The TFTP port (69) on your Spacewalk server will need to accept connections from the network.

9.5. Network configuration

You need a DHCP server that sets filename and next-server variables correctly. If you are using the dhcp daemon, edit /etc/dhcpd.conf and add these options to your configuration:

        filename "pxelinux.0";
        next-server <spacewalk server IP address>;

You will need to reload the DHCP service to enforce this change.

The servers you are provisioning should be able to resolve the hostname of your Spacewalk server. Make sure there is an entry for your Spacewalk server hostname in the relevant DNS server(s).

9.6. Client server

While a server without an OS will cycle through the possible ways to boot until it reaches the PXE boot method, a server with an already installed OS may not reach the PXE boot method. Place the PXE boot method at the top of the list of boot methods in the server BIOS to make sure the server will have the opportunity to be controlled via PXE.

Upon booting, the client server will be presented with a screen where the 'CentOS-5-i386' option is presented. Select it to start the automated installation of the client server.

ATTENTION: The client server disks will be reformatted and CentOS 5 - i386 will be reinstalled on the client server.

After the client server installation, log into the server with the root password you configured previously. Disable your locally configured yum repositories by editing the repo files in /etc/yum.repos.d. Make sure relevant sections contain the string:

enabled=0

Then, navigate in the Spacewalk interface and select Systems. Pick the newly installed client server. In the Details -> Overview screen, click on the 'Alter Channel Subscriptions' link. Set the appropriate channels for your newly managed server.

10. Using Spacewalk to manage configuration files

You can use Spacewalk to manage configuration files. All you need is a config channel and one or more files/directories on it.

10.1. Creating a new config channel

First you need to create a configuration channel. Navigate in the Spacewalk interface and select Configuration -> Configuration Channels. Click on the 'create new config channel' link.

Here's an example:

Name*:  SSH Keys
Label*: ssh-keys
Description*: Channel to manage ~/.ssh/authorized_keys 

With the channel created you can add one or more files/directories to it. Go to Configuration -> Configuration Channels and select the channel you created before. Now click on 'Create new configuration file or directory' and edit the fields accordingly.

10.2. Allowing systems to have files managed via Spacewalk

You created the configuration channel and added files to it. Now you need to allow your systems to have files managed via Spacewalk. Navigate to 'Configuration -> Systems -> Target Systems' and you will see all systems registered with Spacewalk.

Select the system that you want to enable configuration management and click on 'Enable Spacewalk Configuration Management'. Spacewalk will try to add the provisioning entitlement and install all necessary packages on the system.

Attention: If you see the error 'Could not subscribe to the Spacewalk Tools channel.' then you will have to install all necessary packages by hand.

Login to the client system and run the following command:

yum install rhncfg rhncfg-actions rhncfg-client

Now allow installation of configuration files from the central repository on the system by running:

rhn-actions-control --enable-deploy

Your system is now ready. Go back to the Spacewalk interface and you will see the system on 'Configuration -> Systems -> Managed Systems'

11. OSAD Setup (Running updates instantly)

With OSAD, the updates scheduled through the Spacewalk interface will run almost instantly on the clients. This also applies to all of Spacewalk's other functions, so you do not need to wait for the schedule set by Spacewalk.

11.1. Client Setup

Install the 'osad' package:

yum install osad

Open /etc/sysconfig/rhn/osad.conf and change the line starting with osa_ssl_cert to:

osa_ssl_cert = /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

Download the trusted cert:

cd /usr/share/rhn/
wget http://spacewalk.example.com/pub/RHN-ORG-TRUSTED-SSL-CERT

ATTENTION: Remember to ALWAYS use the FQDN of your Spacewalk server.

To start osad you probably need to install python-hashlib:

yum install python-hashlib

Now you just need to start the 'osad' daemon:

service osad start

TIP: You can force Spacewalk to recognize the OSA status of a client. To do this, go to the web interface and browse to the host overview page of the client. On the right side of the page, you will see a section displaying the OSA status of the client. Sending a ping to the client will update its status to 'online'.

From now on your updates are going to run almost instantly.

12. Script to sync repos

Davidson Paulo <davidsonpaulo AT gmail.com> wrote a better script to manage and sync the repos (thanks for the great work :). It looks for a configuration file and syncs all the mirrors listed there.

To use this script you need:

12.1. Configuration file

The configuration file (/etc/sysconfig/spacewalk-repo-sync) uses this syntax:

[Channel Name] [Repository URL] [Method]

Here's a working sample:

centos-5-updates-i386 http://mirror.centos.org/centos/5/updates/i386/ yum
centos-5-extras-i386 http://mirror.centos.org/centos/5/extras/i386/ yum
centos-5-base-i386 http://mirror.centos.org/centos/5/os/i386/ yum
epel-5-i386 http://download.fedora.redhat.com/pub/epel/5/i386/ yum

12.2. Script

And here's the script that does the hard work (I will replace the old one with this soon):

#!/bin/bash
#
# spacewalk-repo-sync
# Repository synchronization utility for Spacewalk
#
# Authors: Davidson Paulo <davidsonpaulo AT gmail.com>
#
# This is free software. You are free to use it and distribute it under
# the terms of the GNU General Public License v3+

## Variables
config=/etc/sysconfig/spacewalk-repo-sync
log=/var/log/spacewalk-repo-sync
lockfile=/var/run/spacewalk-repo-sync.lock

## Functions
# Run the sync utility for one "channel url type" entry of $config
syncrepo() {
  echo "/usr/bin/spacewalk-repo-sync --channel $1 --url $2 --type $3"
  /usr/bin/spacewalk-repo-sync --channel "$1" --url "$2" --type "$3"
}

## Main routine
# try to create the lock and check the outcome
lockfile -r 0 "${lockfile}" 1>/dev/null 2>&1
status=$?

if [ ${status} -ne 0 ] ; then
        echo "Another instance already running. Aborting."
        exit 1
fi

# Remove $lockfile whenever the script exits (including after Ctrl+C)
trap "rm ${lockfile}" EXIT

# Abort if $config is missing; this is checked outside the pipeline below
# so that the exit status reaches the caller
if [ ! -f "$config" ] ; then
  echo "Config file $config does not exist." | tee -a "$log"
  exit 1
fi

# Read $config and execute /usr/bin/spacewalk-repo-sync for each repository
while read -r line ; do
  # $line is left unquoted on purpose: it is split into channel, URL and type
  syncrepo $line
done < <(egrep -v '^([[:space:]#]+|$)' "$config") | tee -a "$log"

exit 0

Save it as /usr/bin/spacewalk-repo-sync, for example, and do:

$ chmod +x /usr/bin/spacewalk-repo-sync

Now, every time you need to sync your repos just run this script. You can also add it to cron.

ATTENTION: This script works fine and it's easier to manage than the previous way described in this guide. I do intend to replace some parts of this guide with this script. I just need some feedback first. So, please, let me know if you find a problem.
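
The script above splits each configuration line unquoted into the arguments of a command that runs as root, so a malformed line (extra fields, a field starting with "-", a glob character) changes what is executed. The following pre-flight check for /etc/sysconfig/spacewalk-repo-sync is an added example, not part of the original script or howto; the function names are hypothetical, and the character set allowed in channel names and the URL scheme allowlist are assumptions to adapt locally.

```shell
#!/bin/sh
# Added example (not from the original howto): validate sync config lines
# of the form "[Channel Name] [Repository URL] [Method]".

TAB=$(printf '\t')

# Print a reason and return 1 if LINE is not a well-formed entry.
check_sync_line() {
    line=$1
    # The sync script expands the line unquoted, so glob characters could be
    # replaced by matching file names before the command runs.
    case "$line" in
        *'*'*|*'?'*|*'['*) echo "glob character in line"; return 1 ;;
    esac
    set -- $line            # split on whitespace exactly as the script does
    if [ "$#" -ne 3 ]; then
        echo "expected 3 fields, got $#"
        return 1
    fi
    channel=$1 url=$2 method=$3
    case "$channel" in
        -*) echo "channel name starts with '-'"; return 1 ;;
        *[!A-Za-z0-9._-]*) echo "unexpected character in channel name"; return 1 ;;
    esac
    case "$url" in
        http://?*|https://?*|file:///?*) ;;     # assumed allowlist
        *) echo "URL scheme not in allowlist"; return 1 ;;
    esac
    if [ "$method" != yum ]; then
        echo "method must be yum"               # only yum is supported
        return 1
    fi
    return 0
}

# Check a whole config read from stdin. Lines that are empty or start with
# '#' or whitespace are skipped, mirroring the script's egrep filter.
# Returns non-zero if any line is rejected; reasons go to stderr.
check_sync_config() {
    bad=0
    n=0
    while IFS= read -r l; do
        n=$((n + 1))
        case "$l" in
            ''|'#'*|' '*|"$TAB"*) continue ;;
        esac
        if ! reason=$(check_sync_line "$l"); then
            echo "line $n: $reason: $l" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample: the first two lines come from the page's working
# sample, the last two are deliberately malformed.
sample_sync_config() {
cat <<'EOF'
# channel url method
centos-5-updates-i386 http://mirror.centos.org/centos/5/updates/i386/ yum
epel-5-i386 http://download.fedora.redhat.com/pub/epel/5/i386/ yum
centos-5-extras-i386 mirror.example.com/centos/5/extras/i386/ yum
centos-5-base-i386 http://mirror.centos.org/centos/5/os/i386/ yum --extra-field
EOF
}

sample_sync_config | check_sync_config || echo "sample config rejected"
```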

HowTos/PackageManagement/Spacewalk (last edited 2012-06-20 14:14:04 by RussHerrold)