Linux Management with Spacewalk
I recently built a Spacewalk 2.1 server to automate certain administration functions for my Linux machines. Installation was pretty straightforward as long as you don’t have any problems. However, once I got it running it was really a great way to manage my systems. First let’s get a little info on the product.
Spacewalk is an open source Linux systems management solution. Spacewalk is the upstream community project from which the Red Hat Satellite product is derived. Spacewalk manages software content updates for Red Hat derived distributions such as Fedora, CentOS, and Scientific Linux, within your firewall. You can stage software content through different environments, managing the deployment of updates to systems and allowing you to view which update level any given system is at across your deployment. A central web interface allows viewing of systems, their associated software update status, and initiating update actions. Spacewalk provides provisioning and monitoring capabilities, allowing you to manage your systems throughout their lifecycle. Via Provisioning, Spacewalk enables you to kickstart provision systems and manage and deploy configuration files. The monitoring feature allows you to view the status of your systems alongside their software update status.
Here is a pic of the WebUI.
With all of that out of the way I can talk about the installation process. You will need a base OS; for this I used CentOS 6 with no GUI. This helps lower the overhead, and you will not have much need for a GUI on the OS. However, if you want one you can install it. Here is the link to the wiki that has the install information and any additional stuff you may need to research.
First you will need to add the Spacewalk and EPEL repos to the server. The Spacewalk repo is located at http://yum.spacewalkproject.org/ if you want to download the packages and do this manually. So to install the repo enter the following command.
rpm -Uvh http://yum.spacewalkproject.org/2.1/RHEL/6/x86_64/spacewalk-repo-2.1-2.el6.noarch.rpm
rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
You will also need to add the jpackage repo with the following command. The link to the repo is http://www.jpackage.org/mirroring.php
cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF
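These repo definitions decide which packages the server will trust, so a quick lint of the `.repo` text is worth running before the first `yum install`. The following is an added example, not part of the original post; the function name and finding labels are made up for illustration, and the sample input is the jpackage stanza shown above.

```sh
# Added example: lint yum .repo text for weak package-signing settings.

# Sample input: the jpackage stanza from this page.
SAMPLE_REPO='[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc'

# lint_repo: read .repo text on stdin; print "<repo-id> <finding>" lines.
#   NO_GPGCHECK    enabled repo without gpgcheck=1 (a missing gpgcheck is
#                  treated as off; assumes no override in /etc/yum.conf)
#   CLEARTEXT_KEY  gpgkey fetched over http://, so the signing key itself
#                  can be replaced in transit
#   CLEARTEXT_SRC  baseurl or mirrorlist reached over http://
lint_repo() {
  awk '
    function report() {
      if (id == "" || enabled == "0") return
      if (gpgcheck != "1") print id, "NO_GPGCHECK"
      if (key ~ /^http:/) print id, "CLEARTEXT_KEY"
      if (src ~ /^http:/) print id, "CLEARTEXT_SRC"
    }
    /^[ \t]*[#;]/ { next }                 # skip commented-out settings
    /^\[.*\]/ {                            # new [repo-id] section
      report(); id = substr($0, 2, index($0, "]") - 2)
      enabled = "1"; gpgcheck = "0"; key = ""; src = ""; next
    }
    {
      eq = index($0, "="); if (eq == 0) next
      k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
      gsub(/[ \t]/, "", k); sub(/^[ \t]+/, "", v)
      if (k == "enabled") enabled = v
      else if (k == "gpgcheck") gpgcheck = v
      else if (k == "gpgkey") key = v
      else if (k == "baseurl" || k == "mirrorlist") src = v
    }
    END { report() }'
}

printf '%s\n' "$SAMPLE_REPO" | lint_repo
```

On the server, run it over the real files with `cat /etc/yum.repos.d/*.repo | lint_repo`.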
Now you need to decide what type of database you want to use. You can use Oracle XE or PostgreSQL. I have built this server using Oracle 11g and with PostgreSQL. If you use a separate Oracle server you need to make sure the database permissions are set just as Spacewalk says. If not you will run into all kinds of problems right from the get-go. Oracle setup can be found at the following link: https://fedorahosted.org/spacewalk/wiki/FullOracleSetup. But for this we will use PostgreSQL because it is easier to set up and you can use yum without downloading the Oracle packages.
yum install spacewalk-setup-postgresql
Now that the database server is installed we can move on to installing Spacewalk itself. For PostgreSQL we will use the following command
yum install spacewalk-postgresql
This will install the Spacewalk packages and set it up to use PostgreSQL. Spacewalk will need to have a FQDN that resolves. So you can use the hosts file or DNS to accomplish this. Once this is complete you will need to start the Spacewalk install and configuration. Start by entering the following command.
You will see output similar to the following. However the example below used Oracle.
* Setting up Oracle environment.
* Setting up database.
** Database: Setting up database connection for Oracle backend.
Database service name (SID)? XE
Username? spacewalk
Password?
** Database: Testing database connection.
** Database: Populating database.
*** Progress: ####
* Setting up users and groups.
** GPG: Initializing GPG and importing key.
** GPG: Creating /root/.gnupg directory
You must enter an email address.
Admin Email Address? root@localhost
* Performing initial configuration.
* Activating Spacewalk.
** Loading Spacewalk Certificate.
** Verifying certificate locally.
** Activating Spacewalk.
* Enabling Monitoring.
* Configuring apache SSL virtual host.
Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]?
** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
* Configuring tomcat.
** /etc/tomcat5/tomcat5.conf has been backed up to tomcat5.conf-swsave
** /etc/tomcat5/server.xml has been backed up to server.xml-swsave
** /etc/tomcat5/web.xml has been backed up to web.xml-swsave
* Configuring jabberd.
* Creating SSL certificates.
CA certificate password?
Re-enter CA certificate password?
Organization? Fedora
Organization Unit [spacewalk.server.com]? Spacewalk Unit
Email Address [root@localhost]?
City? Brno
State? CZ
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? CZ
** SSL: Generating CA certificate.
** SSL: Deploying CA certificate.
** SSL: Generating server certificate.
** SSL: Storing SSL certificates.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y/n]?
cobblerd does not appear to be running/accessible
* Restarting services.
Installation complete.
Visit https://spacewalk.server.com to create the Spacewalk administrator account.
Once this is complete you will be able to access the Spacewalk web page. There is still some more that needs to be done. One item is setting up iptables for the system, unless you decide to disable iptables altogether. Here are the commands you need to open the ports.
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 5222 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 4545 -j ACCEPT
iptables -A OUTPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 1521 -j ACCEPT
service iptables save
Outbound open ports: 80, 443, 4545 (only if you want to enable monitoring).
Inbound open ports: 80, 443, 5222 (only if you want to push actions to client machines), 5269 (only for push actions to a Spacewalk Proxy), and 69 udp if you want to use tftp.
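To confirm that the saved ruleset actually matches this port list, the following check (an added example, not from the original post) reads `iptables-save` output and reports required inbound ports that are not reachable, ACCEPT rules that sit after a catch-all REJECT and are therefore never evaluated, and open ports outside the list, such as the 1521 Oracle listener rule when PostgreSQL is the backend. The sample ruleset is constructed, the function names are illustrative, and keeping port 22 open for SSH is an assumption.

```sh
# Added example: audit `iptables-save` output against the inbound TCP ports
# this page lists for Spacewalk.

REQUIRED_IN="80 443 5222"          # from the inbound port list on this page
EXPECTED_IN="22 $REQUIRED_IN"      # assumption: 22 stays open for SSH admin

# Constructed sample: a ruleset that already ended in a catch-all REJECT
# when the "iptables -A INPUT ..." commands were appended to it.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1521 -j ACCEPT
COMMIT'

# classify_input: print "<state> <port>" for each INPUT tcp ACCEPT rule;
# "live" is before the first unconditional REJECT/DROP, "shadowed" after it.
classify_input() {
  awk '
    $1 == "-A" && $2 == "INPUT" {
      port = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "--dport") port = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if ($3 == "-j" && (target == "REJECT" || target == "DROP")) { blocked = 1; next }
      state = blocked ? "shadowed" : "live"
      if (port != "" && target == "ACCEPT") print state, port
    }'
}

# audit: read a ruleset on stdin and print one finding per line.
audit() {
  rules=$(classify_input)
  for p in $REQUIRED_IN; do
    echo "$rules" | grep -qx "live $p" || echo "MISSING $p"
  done
  echo "$rules" | while read -r state port; do
    [ -n "$port" ] || continue
    if [ "$state" = "shadowed" ]; then echo "SHADOWED $port"; fi
    case " $EXPECTED_IN " in *" $port "*) ;; *) echo "UNLISTED $port" ;; esac
  done
}

printf '%s\n' "$SAMPLE_RULES" | audit
```

On the server, run `iptables-save | audit` as root. A SHADOWED finding is fixed by inserting the rule ahead of the catch-all with `iptables -I INPUT` instead of appending it with `-A`.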
The server is functional but you will need to do several more things to make it useful. You will need to configure users, which can be done in the Users tab. You will also need to create channels for the packages. Creating channels is easy, but you need to decide if you want repos for these channels. This is done in the Channels tab by going to Manage Software Channels. You will need to create at least one channel. However, I would create a channel for each OS and architecture you will be managing. Then create repos for each mirror repo you plan to have on the server. Then you can assign the repos to the channels you want them attached to. This is done by clicking on the channel, going to Repositories, and checking the box. Then you can select sync and Spacewalk will download the packages for you. This will take some time depending on the size of the repo and when Spacewalk picks up the task.
Another way you can upload packages is using the physical media or ISO of the OS. You would mount it to the operating system. Spacewalk will not connect directly to Red Hat, so if you manage RHEL systems you will have to upload packages using this method. So if my DVD is mounted at /media and is Red Hat 6 I would use the following command.
rhnpush -vvv --channel=rhel6_x86_64 --server=http://localhost --dir=/media/Packages
The only things you would change are the channel name and the exact directory where the packages are located. The -vvv switch gives you a very verbose execution, and http://localhost is required for it to work correctly. This process will take a long time depending on the number of packages and speed of the system.
Now that we have packages and users we will want to register systems to the Spacewalk server. You will need to create an activation key using the Spacewalk WebUI. On the overview screen click on manage activation keys. Then create new key. You can have it auto generate or enter a string yourself. I would create your own and enter something simple. The auto generated key is a long alphanumeric string. Now we will install the Spacewalk client repo, install some packages, and register the systems. This is done with the following commands. Remember to change the link based on the type of OS you are using.
There are two dependencies that may or may not be present. They are jabberpy and python-hashlib for RHEL 5 based OSes and just jabberpy for RHEL 6 based systems. You can install them as part of the yum entry if they are in a repo you have installed or as standalone RPM files. Enter the following command to install the client packages.
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad
Once the packages are installed you can register the system using the following command.
rhnreg_ks --serverUrl=http://<yourSpacewalkserveraddress>/XMLRPC --activationkey=1-<youractivationkey>
Then check in the Spacewalk WebUI to see if the system shows up.
We now have systems and packages, so you can try to install something to see if it is working. The following are some CLI commands that can be used to accomplish certain tasks.
spacewalk-service: can be used with start|stop|status to control the Spacewalk service.
rhn_check: this command forces the OS to check in with the Spacewalk server. Spacewalk monitored systems check in around every 4 hours. So if you want something done now you need to run this command. Also using the -vvv switch will help you in troubleshooting any problems.
spacewalk-repo-sync --channel <yourchannel> --url <repo to sync to url>: this command will sync now instead of waiting for Spacewalk.
rhnmd: this command will force the monitoring task to run now.
This is a good start for building your Spacewalk server. There are tons of features that can be added to make the server monitor system resources, run OpenSCAP scans on the systems, do configuration management, and have Errata for different OSes. I had to stumble my way through a great deal of the setup because there is no show-all document out there. So I hope this helps you on your way and good luck. I use this server every day and it makes tasks so much easier. Good luck.