Spacewalk for Christmas

Hi, Habr!

Shortly before the arrival of Christmas, in the IT department it was decided to study Spacewalk, this is the Red Hat system, a free analogue of the Satellite, for centralized configuration management, system updates, and convenient support for the entire server fleet.

In view of the fact that the documentation available on the official website is rather scarce for additional comments of various kinds of troubleshooting, the task was to study the product for the gradual introduction of it first on test servers, and subsequently on products.
')
The main idea of ​​the introduction of Spacewalk was not only centralization and simplification of control, but also that playful pens no one independently made updates on the servers of the new project, since the precedents already occurred.

After two weeks of work, all the knowledge I gained was entered into the internal analogue of Confluence, and a free holiday pushed me to write an article on Habr.

Before I begin, I would like to briefly highlight what was and was not affected, so as not to claim a full manual for working with Spacewalk:

+ Installation and configuration of server / client
+ Setting up the system in the GUI
+ Tracking installation / update packages, work with configurations
+ Errata (collection of information about critical updates, vulnerabilities, etc.)

- Proxy (need disappeared, after rejection of HA)
- Cobbler / kickstart
- OpenSCAP

System requirements

Due to the fact that the entire infrastructure is running on VMWare, then the work was carried out on VMs running CentOS 7. The recommended system requirements from the developer are:

• 4GB RAM
• 6GB of free space for / var / satellite /
• 12GB for db

I used:

• 6GB RAM
• 4 CPU (s)
• 40GB HDD

I also advise you to disable SELinux and, if not, use firewalld. Or add http service to exceptions.

Note: at the end of the article there will be playbooks for Ansible, both for the client and for the server part, as well as bash scripts. With their help, you can deploy the entire infrastructure in a couple of minutes.

Installation

The installation itself is described both in the official documentation and on several sites, but for the integrity of the article I will allow myself to mention this point here.

Spacewalk works with two DBMS: PostgreSQL and Oracle RDBMS. I have experience with the first, and I will use it now.

There are two installation options: via the automatic installer from Spacewalk, which installs and configures itself and the database, however, on the same server, and installs manually, where you can install the DB and the application on different servers. I will consider both options, start with a separate installation.

PostgreSQL

yum install -y postgresql-server 

You also need to connect PL / Tcl modules for PG:

 yum install -y postgresql-pltcl postgresql-setup initdb systemctl start postgresql 

Create a database, user, and connect the module:

 su - postgres -c 'PGPASSWORD=verystrong; createdb spcwlkdb ; createlang plpgsql spcwlkdb ; createlang pltclu spcwlkdb ; yes $PGPASSWORD | createuser -P -sDR spcwlkuser' 

In order to avoid connection problems, you should change /var/lib/pgsql/data/pg_hba.conf , adding the lines BEFORE the all line:

 local spcwlkdb spcwlkuser md5 host spcwlkdb spcwlkuser 127.0.0.1/8 md5 local spcwlkdb postgres ident 

Restart all:

 systemctl restart postgresql 

If you are going to install the application and the database on different servers, make sure that the postgresql-contrib package is installed on the database server.

Spacewalk

We connect repositories:

 rpm -Uvh https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/spacewalk-2.8/epel-7-x86_64/00736372-spacewalk-repo/spacewalk-repo-2.8-11.el7.centos.noarch.rpm 

Also connect epel:

 rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm 

Java:

 (cd /etc/yum.repos.d && curl -O https://copr.fedorainfracloud.org/coprs/g/spacewalkproject/java-packages/repo/epel-7/group_spacewalkproject-java-packages-epel-7.repo) 

Now directly the installer for Spacewalk-postgres:

 yum -y install spacewalk-setup-postgresql 

Connect to our database:

 spacewalk-setup-postgresql create --db spcwlkdb --user spcwlkuser --password verystrong 

In that case, if you use the separate database / application method, then you will need to add the --standalone flag and specify the IP address of the database server, also remember to open port 5432.

Note: I advise you to tune the database in accordance with your hardware for more productive work of the entire system.

Now we will install Spacewalk itself and launch the installation:

 yum -y install spacewalk-postgresql spacewalk-setup --external-postgresql 

Next will be asked a few questions, both for the SSL certificate and for the database. You can enter all values ​​manually, or you can use the --answer-file flag, and specify the path to the file with answers to automate the installation in the future:

 admin-email = root@localhost ssl-set-cnames = spcwlkserver ssl-set-org = Unicorn ssl-set-org-unit = EOH ssl-set-city = Prague ssl-set-state = HMP ssl-set-country = CZ ssl-password = verystrong ssl-set-email = root@localhost ssl-config-sslvhost = Y db-backend=postgresql db-name=spcwlkdb db-user=spcwlkuser db-password=verystrong db-host=localhost db-port=5432 enable-tftp=Y 

To control the application directly, you should use:

 /usr/sbin/spacewalk-service [stop|start|restart] 

To display all the third-party services that contribute to the application:

 spacewalk-service status 

Option Two, automatic installation

After connecting the repositories, we put the setup, and run:

 yum -y install spacewalk-setup-postgresql yum -y install spacewalk-postgresql spacewalk-setup 

Again, questions regarding the database and SSL will be asked, using the --answer-file key and the path to the file with answers.

Base & Child Channels, Repos

To manage client stations, Spacewalk uses a system of so-called channels, which can be both primary (Base) and child (Child), each channel is assigned a repository that you need, as well as a key — through which the client is paired with server.

As a result, the repositories are synchronized with the channels, which, in turn, are connected with the customers, and Spacewalk works in a general way. It is also worth mentioning the errata, which can be tied to the channels, which simplifies the update and control packages.

All clients can be combined into groups according to different signs, and with both the same and different channels or repositories, it is possible to work with a large number of clients at times, which greatly helps to make updates on 100+ servers.

A list of all installed packages is available, and after synchronization of repositories and possible ones for installation. Some items are intuitive, and there is no point in considering each item line by line.

All actions in Spacewalk occur on schedule (Schedule), almost any action can be customized to the time that is most convenient for you.

After installation, you can go to the address of your server, further configuration is carried out through the graphical interface:



Enter the password, administrator name, organization name (which is also one of the ways to manage clients), and go to the start panel.

For now, you can either study the available options on your own, or we’ll proceed to creating channels

Channels - Manage Software Channels - Create Channel:



I recommend setting the channel names according to the types and type of OS that will be associated with this channel, for example, CentOS_7_x86_64 , you can safely choose sha256 as a check, the Channell Summary field is intended for a small description of the channel. Also, you can optionally provide additional information.

Now we will create a child channel and link it to the main one. We are going in the same way as creating the main channel, only in the Parent Channel field we indicate the channel that has already been created.

We tie the repositories to the main and daughter channels.
Channels - Manage Repositories



For main channels I use Base Resources, for children I use Updates.

After creating the repositories, you need to connect them to the channels.
Channels - Manage Software Channels , open your main channel, open the Repositories section.



There will be all created repositories, select the one you need, check, and click on Update Resources.

Further open the subsection Sync:



Where you can synchronize the repository and the channel, set up a schedule for synchronization.

Note: in my case of playful hands, I had to delete the standard repository from the client system.

Client installation, client pairing with the server, key management, configuration channel setup

As I mentioned earlier, Spacewalk uses the key system from Red Hat Network, through which pairing and management takes place.

To create a key, go to Systems - Activation Keys - Create Key:



It's all very simple, is it worth mentioning that the key itself you can set yourself, its format will always be 1-XXXXX , and also, each key is tied to the channel. The Universal Default flag causes new systems to pick up key parameters.

Client installation

We will connect the client repository and install the necessary packages:

 rpm -Uvh https://copr-be.cloud.fedoraproject.org/results/@spacewalkproject/spacewalk-2.8-client/epel-7-x86_64/00742644-spacewalk-repo/spacewalk-client-repo-2.8-11.el7.centos.noarch.rpm yum -y install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin rhncfg-actions deltarpm 

Note: rhncfg-actions and deltarpm are needed for correct configurations and remote control.

Spacewalk uses rhn_check to synchronize a client server that runs every 4 hours. This value can be reduced to 60 minutes, but for me neither one nor the other options were optimal, therefore there are two options: use osad, which comes with Spacewalk, or simply add a cronjob for rhn_check, for example, for every minute while we we test the system, then the value can be changed as you please.

 crontab -e * * * * * /usr/sbin/rhn_check 

It would also be useful to add / usr / bin / rhn-actions-control --enable-all to Kron, too, it is used for deploying configurations, and sometimes tupit.

Go back to key management, and copy the key ID that we created, and execute:

 rhnreg_ks --serverUrl=http://your-server-ip/XMLRPC --activationkey=1-YOURKEY --force 

Just do not forget to change the values ​​of IP and key on your own. Again, I advise you to use the --force flag, since I noticed problems without using this flag.

We return to Systems - All , satisfied notice our system. It can now be opened and explored what and how is there, but for now I strongly recommend creating a group for more convenient system management.

Systems - System Goups - Create Group , fill in the name and description, save, open the newly created group, go to the Systems section and add the system to the group.

Now let's subscribe the system to the channel, Systems - Your system - Software folder - Software Channels subfolder:



Choose your channel and click on confirmation. It is possible to try to install the package for the sake of interest, Software Packages - Install .

Channel configurations

To manage configurations between the server client / local machine, as well as remote control, it is necessary to configure the configuration channel and link the system to it.
Go to Configuration - Configuration Channels - Create Config Channel , set the name, description, save, then in Configuration - Manage Configuration Channels - Subscribe to Channels and subscribe the configuration channel to the software channel and to the system.



Now we can deploy the configuration both from the server and from local machines, and create partitions.

Configuration - Add Files - Create File / Upload File:



We can also send remote commands in the form of a bash script:



I remind you that all actions pass through the schedule (Schedule), a list of all actions applied to this system can be viewed in the Events section:



Errata

One of the most important functions in Spacewalk is errata support, which is conveniently tied to channels and allows you to monitor the level of importance of the latest updates. This is configured directly on the server, in addition to the scripts, you need to download the necessary packages for Perl:

 yum -y install perl-Frontier-RPC perl-Text-Unidecode wget https://raw.githubusercontent.com/stevemeier/cefs/master/errata-import.pl chmod +x errata-import.pl 

Then we create the main update script and the errata collection, which will be stored in / etc / rhn /:

 #!/bin/bash cd /etc/rhn/ wget -N http://cefs.steve-meier.de/errata.latest.xml wget -N https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml export SPACEWALK_USER='root' export SPACEWALK_PASS='verystrong' ./errata-import.pl --server YourServerIPAddress --errata errata.latest.xml --rhsa-oval com.redhat.rhsa-all.xml --publish unset SPACEWALK_USER unset SPACEWALK_PASS 

In the export, enter the name and password of the Spacewalk administrator that you specified at the very beginning.

Make the script executable, and add it to Cron:

 chmod +x spcwlk_errata.sh crontab -e 0 2 * * 7 /usr/bin/sh /etc/rhn/spcwlk_errata.sh 

Run it right now to see the changes in the GUI. The execution will take some time.

Total

An important point, personally in my opinion, which I missed, is setting up and installing a proxy, as well as raising the entire system as HA. I had an idea to configure the application via pacemaker, and synchronize on the database. As a result, it was decided to abandon this idea, in view of the not very large server fleet of client stations. However, if the system in the next six months shows itself to be extremely useful, you may have to expand the original server.

Automation

Server:




Customer:



Thank you all for reading the article. Good luck!