SpaceWalk 1.5 Basic Installation for Package Management

Spacewalk is the upstream open source project for the Red Hat Satellite Server for system management. The project is licensed under the GPLv2. The main function of the project is software content management for Red Hat derived distributions such as Fedora, CentOS, and Scientific Linux in your environment. Debian and Solaris support are in experimental mode at the moment. It also allows us to kickstart systems, as well as manage and deploy configuration files. Spacewalk's monitoring feature allows us to view monitoring status for our systems alongside their software update status. Spacewalk also has virtualization capabilities that enable us to provision, control, manage, and monitor virtual Xen guests. It also provides a proxy server for syncing files to geographically distributed sites from a central location. This blog post will cover the basic setup of the server and the software channels to start managing software updates in a CentOS environment.

Configuring the Environment for Installing Spacewalk

Test that name resolution is working properly.

ping -c 3 `hostname`

The pings should be successful.

Install the spacewalk repository so it will be available when using yum for installing packages:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/x86_64/spacewalk-repo-1.5-1.el6.noarch.rpm

Set the jpackage repository, specifically for version 5.0:

cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF

For CentOS 6 a specific version of selinux is needed, so the CR (Continuous Release) repository must be used:

cat > /etc/yum.repos.d/cr.repo << EOF
[CR-repository]
name=CR Repository
baseurl=http://mirror.centos.org/centos/\$releasever/cr/\$basearch/
enabled=1
gpgcheck=1
EOF

Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater. The EPEL Repository contains a version of the openjdk that works with Spacewalk. Other dependencies can get installed from EPEL as well. To get packages from EPEL just install this RPM:

rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

At the time of this writing there is a bug with cobbler-web being installed on a Spacewalk server, so to make sure it does not get installed it is set as an excluded package in the yum.conf file:

echo "exclude=cobbler-web" >> /etc/yum.conf

Installing Spacewalk

The version of Spacewalk we will be installing is the PostgreSQL version. For this we will need to install PostgreSQL Server and configure it.

Installing and Configuring PostgreSQL

We will use yum to install the database server:

yum install postgresql-server

Initialize the system master database:

service postgresql initdb

Start the service so we can connect to the server and configure it:

service postgresql start

Ensure that the PostgreSQL server will start with the system when it is rebooted:

chkconfig postgresql on

Create database, user, and plpgsql language there (Change the password variable to a secure one):

su - postgres -c 'PGPASSWORD=spacepw; createdb spaceschema ; createlang plpgsql spaceschema ; yes $PGPASSWORD | createuser -P -sDR spaceuser'

We configure the user to use md5 password authentication to connect to that database. Add lines like the following to /var/lib/pgsql/data/pg_hba.conf, before the existing "all" statements (PostgreSQL uses the first line that matches a connection):

local spaceschema spaceuser md5
host  spaceschema spaceuser 127.0.0.1/8 md5
host  spaceschema spaceuser ::1/128 md5

Then we reload PostgreSQL:

service postgresql reload
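
The placement rule above can be scripted. The following is an added example, not part of the original post: the function name insert_hba_rules and the sample file contents are constructed for illustration. It puts the three rules ahead of the first active "all" entry and leaves a file that already has them unchanged.

```shell
#!/bin/sh
# Added example, not from the original post. pg_hba.conf is read top to
# bottom and the first matching line wins, so the Spacewalk rules must sit
# above the generic "all" entries.

# The three rules from the text above.
SPACEWALK_RULES='local spaceschema spaceuser md5
host  spaceschema spaceuser 127.0.0.1/8 md5
host  spaceschema spaceuser ::1/128 md5'

# insert_hba_rules FILE: print FILE with the rules placed before the first
# active (non-comment) line whose database column is "all".
insert_hba_rules() {
    # Idempotent: if a spaceschema/spaceuser rule exists, change nothing.
    if grep -Eq '^[[:space:]]*(local|host)[[:space:]]+spaceschema[[:space:]]+spaceuser[[:space:]]' "$1"; then
        cat "$1"
        return 0
    fi
    # ENVIRON carries the multi-line rule text safely into awk.
    RULES="$SPACEWALK_RULES" awk '
        !done && $1 !~ /^#/ && $2 == "all" { print ENVIRON["RULES"]; done = 1 }
        { print }
        END { if (!done) print ENVIRON["RULES"] }  # no "all" line: append
    ' "$1"
}

# Constructed sample resembling a default pg_hba.conf (for the demo only).
sample_hba() {
    cat <<'EOF'
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# "local" is for Unix domain socket connections only
local   all         all                               ident
host    all         all         127.0.0.1/32          ident
host    all         all         ::1/128               ident
EOF
}

# Demo on the sample; on a real server write the result to a temporary
# file, review it, copy it over pg_hba.conf and reload PostgreSQL.
demo=$(mktemp)
sample_hba > "$demo"
insert_hba_rules "$demo"
rm -f "$demo"
```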

Configuring Firewall

We must configure the system firewall to allow connection to the necessary ports used by the different services used by Spacewalk.

  • Port 80 and 443 for connection to Web Interface and client connections to the server.
  • Port 4545 for Spacewalk monitoring.
  • Port 5222 for push actions to client machines.
  • Port 5269 for push actions to a Spacewalk Proxy.
  • Port 69 UDP for TFTP if provisioning will be used.

The commands to configure the firewall are:

iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4545 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart

Installing the Spacewalk Package

Once all dependencies have been configured, we can install the Spacewalk package by issuing the yum command to install the PostgreSQL version. During installation we will have to accept several GPG keys for the repositories that were configured to meet the dependencies:

yum -y install spacewalk-postgresql

Initial Spacewalk Configuration

The best way to configure Spacewalk is through the use of a configuration file. The following is an example that can be modified for initial configuration (make the necessary changes for your environment):

admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y

Connect to the server to create the administrator account for the default organization.

Use Firefox; for some reason Internet Explorer and Google Chrome have problems when logging in to the server with the created administrator account for the first time.

After we have created this account, the server is ready to be used for administering hosts.

Setting Software Channels

Once the first organization is created, one can decide on a centralized or decentralized organization model. Red Hat has a great white paper on this: RHN SATELLITE: BEST PRACTICES FOR MULTIPLE ORGANIZATIONS

The first step is to set a base channel; this channel will contain all base packages for a system. The first base channel that we will set will be the one for CentOS 6.0, the version of CentOS used for the Spacewalk server. Follow these steps once logged in:

  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Manage Repositories
  4. Click on Create New Repository

GPG Key import

Before we start, one thing to always keep in mind is that the Spacewalk server will not deploy packages from any repository for which it does not have the GPG public key used to sign the packages. These keys are placed in the root of the version of the repository that one will use. First we need to download these keys and import them to get the key ID and fingerprint needed when setting up the channel; they should also be imported using rpm on the Spacewalk server. For the base CentOS repository we download the key and import it with GPG to get the key information:

mkdir repo_keys
cd repo_keys
curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
gpg --import RPM-GPG-KEY-CentOS-6

Now that the key is imported, we can use the ID shown in the output to list the key fingerprint, which we will add to the channel definition. It is also advised to import the key with rpm. Create one channel per set of repositories so the key is easier to manage:

gpg --list-keys --fingerprint C105B9DE
rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6

We will follow these steps for every repository for which we will create a channel.
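
The keys above are fetched over plain HTTP, so the fingerprint is the only thing that ties a downloaded file to the signer. The following is an added example, not part of the original post, that compares a key file's fingerprint with an expected value before rpm --import is run. The function names are hypothetical, and it assumes gpg lists the contents of a key file without importing it when given --with-fingerprint --with-colons and a file name.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded repository
# key against a fingerprint from a trusted source before importing it.

# normalize_fpr "C1DA C52D ...": strip whitespace, upper-case the hex digits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'abcdef' 'ABCDEF'
}

# first_fpr: read `gpg --with-colons` output on stdin and print the
# fingerprint (field 10) of the first "fpr" record, i.e. the primary key.
first_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# short_keyid FPR: last 8 hex digits, the "GPG key ID" the channel form asks for.
short_keyid() {
    printf '%s' "$1" | sed 's/.*\(........\)$/\1/'
}

# verify_key KEYFILE EXPECTED_FPR: succeed only on an exact match; an
# unreadable file or empty gpg output counts as a mismatch.
verify_key() {
    actual=$(gpg --with-fingerprint --with-colons "$1" 2>/dev/null | first_fpr)
    expected=$(normalize_fpr "$2")
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        echo "OK $1 key ID $(short_keyid "$actual")"
    else
        echo "MISMATCH $1: got '${actual}', expected '${expected}'" >&2
        return 1
    fi
}

# Usage on the Spacewalk server, with the fingerprint used in the channel
# settings on this page:
#   verify_key RPM-GPG-KEY-CentOS-6 \
#       "C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE" \
#     && rpm --import RPM-GPG-KEY-CentOS-6
```

The same check applies to the Spacewalk and VMware keys, using the fingerprints entered for their channels.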

Creating Repositories

We will create 2 repositories for CentOS 6: the first will be the base repository for CentOS and the second will be the updates repository. For the base system repository enter:

  • Repository Label - CentOS6-i386-Base
  • Repository URL - http://mirror.facebook.net/centos/6/os/i386/
  • Then click on Create Repository

For the updates repository enter:

  • Repository Label - CentOS6-i386-Updates
  • Repository URL - http://mirror.facebook.net/centos/6/updates/i386/
  • Then click on Create Repository

For the Spacewalk Client repository enter:

  • Repository Label - spacewalk-client-rhel6-i386
  • Repository URL - http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/
  • Then click on Create Repository

Let's create a repository for VMware Tools for vSphere 5 if you are using VMware for running virtual machines:

  • Repository Label - VMware-Tools-ESX-5.0-RHL6
  • Repository URL - http://packages.vmware.com/tools/esx/5.0/rhel6/i386/index.html
  • Then click on Create Repository

Creating Channels

We will create a new channel that will use both Repositories:

  1. Click on Channels
  2. Click on Manage Software Channels
  3. Click on Create New Channel

Enter the Following Parameters:

  • Channel Name - CentOS 6 32-bit
  • Channel Label - centos6-i386
  • Parent Channel - none
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha256
  • Channel Summary - 32-bit CentOS 6 channel
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
  • GPG key ID - C105B9DE
  • GPG key Fingerprint - C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
  • Click on Create Channel

Assign the Repositories to the Channel:

  • Click on Channels
  • Click on Manage Software Channels
  • Click on the name of the channel that was just created
  • Click on Repositories
  • Select the Repositories to be linked to the channel (CentOS6-i386-Base and CentOS6-i386-Updates)
  • Click on Update Repositories

To sync the repositories:

  • Click on Repositories under the channel settings
  • Click on Sync
  • Click on Sync Now to start the synching process
  • Select a scheduling option and interval and click on Schedule

The initial sync can take hours depending on the size of the repository and internet connection speed. Packages will begin to appear slowly on the channel package list as they are downloaded and synched.

Repeat the steps for the Spacewalk Client and the VMware Tools using the settings shown below.

SpaceWalk Client:

  • Channel Name - Spacewalk Client 32bit RHL6
  • Channel Label - spacewalk-client-32bit-rhl6
  • Parent Channel - CentOS 6 32-bit
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha1
  • Channel Summary - Spacewalk Client 32bit for RHL6
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk
  • GPG key ID - 430A1C35
  • GPG key Fingerprint - B6F4 CBE4 8B8F 45E1 85F8 34B2 9542 3D4E 430A 1C35

Assign the repository spacewalk-client-rhel6-i386 to the channel and set a sync schedule.

VMware Tools:

  • Channel Name - VMware Tools RHL6 32bit ESX5
  • Channel Label - rhl6-vm-32bit-esx5
  • Parent Channel - CentOS 6 32-bit
  • Parent Channel Architecture - IA-32
  • Yum Repository Checksum Type - sha1
  • Channel Summary - VMware Tools RHL6 32bit ESX5
  • Under Channel Access Control Select:
    • All users within your organization may subscribe to this channel.
    • This channel is public and may be accessed by any of the trusted organizations trusted by this organization.
  • GPG key URL - http://packages.vmware.com/tools/VMWARE-PACKAGING-GPG-KEY.pub
  • GPG key ID - 66FD4949
  • GPG key Fingerprint - 36E4 7E1C C4DC C5E8 152D 115C C0B5 E0AB 66FD 4949

Assign the repository VMware-Tools-ESX-5.0-RHL6 to the channel and set a sync schedule.

For more information on creating repos and synching them do take a look at: Uploading Content

Enable the OSA Dispatcher so we can push jobs immediately to registered systems:

chkconfig osa-dispatcher on
service osa-dispatcher start

Connecting a CentOS 6 System

Before connecting to a CentOS 6 System you need to create an activation key to use for registering the systems and assign a software channel to it. To create an Activation Key we do the following:

  • Click on Systems
  • Click on Activation Keys
  • Click on Create New Key
  • Enter the Following Information
    • Description - CentOS 6 i386 Systems
    • key - centos6-32bit
    • Base Channels - CentOS 6 32-bit
    • Add-On Entitlements - Select Monitoring and Provisioning (You can also choose the Virtualization Entitlements if you wish to use them)
  • Click on Create Activation Key

The key is now ready to use.

To connect the system, the appropriate client software must be installed on it.

We start by installing the appropriate repository for the spacewalk client software:

rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/spacewalk-client-repo-1.5-1.el6.noarch.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm

Install the necessary client software:

yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad

We can register the CentOS system to Spacewalk using the activation key we created earlier:

rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=1-centos6-32bit

We need to configure OSAD so we can push actions to this system. We start by downloading the certificate and setting it in the configuration file for OSAD:

cd /usr/share/rhn/
curl -O http://yourspacewalk.example.org/pub/RHN-ORG-TRUSTED-SSL-CERT
/usr/bin/perl -p -i -e "s/osa_ssl_cert =/osa_ssl_cert = \/usr\/share\/rhn\/RHN-ORG-TRUSTED-SSL-CERT/g" /etc/sysconfig/rhn/osad.conf

We can now set the service:

chkconfig osad on
service osad start

For information on connecting other systems do take a look at Registering Clients

Caveats

At the time of this writing, in version 1.5 of Spacewalk errata is only imported from Fedora channels and not all errata is processed. CentOS has not distributed any errata for version 6.x of CentOS, so automating the import of errata is not possible. For previous versions of CentOS, the following blog post shows a way to automate the import of the errata information.