Spacewalk is the upstream open source project for the Red Hat Satellite Server for system management. The project is licensed under the GPLv2. The main function of the project is software content management for Red Hat derived distributions such as Fedora, CentOS, and Scientific Linux in your environment. Debian and Solaris support are in experimental mode at the moment. It also allows us to kickstart systems, as well as manage and deploy configuration files. Spacewalk's monitoring feature allows us to view monitoring status for our systems alongside their software update status. Spacewalk also has virtualization capabilities that enable us to provision, control, manage, and monitor virtual Xen guests. It also provides a proxy server for syncing files to geographically distributed sites from a central location. This blog post will cover the basic setup of the server and the software channels to start managing software updates in a CentOS environment.
Test that name resolution is working properly.
ping -c 3 `hostname`
The pings should be successful.
Install the spacewalk repository so it will be available when using yum for installing packages:
rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/x86_64/spacewalk-repo-1.5-1.el6.noarch.rpm
Set up the JPackage repository, specifically for version 5.0:
cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF
For CentOS 6 a specific version of selinux is needed, so the CR (Continuous Release) repository must be used:
cat > /etc/yum.repos.d/cr.repo << EOF
[CR-repository]
name=CR Repository
baseurl=http://mirror.centos.org/centos/\$releasever/cr/\$basearch/
enabled=1
gpgcheck=1
EOF
Spacewalk requires a Java Virtual Machine with version 1.6.0 or greater. The EPEL Repository contains a version of the openjdk that works with Spacewalk. Other dependencies can get installed from EPEL as well. To get packages from EPEL just install this RPM:
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
At the time of this writing there is a bug with cobbler-web being installed on a Spacewalk server, so to make sure it does not get installed it is set as an excluded package in the yum.conf file:
echo "exclude=cobbler-web" >> /etc/yum.conf
The version of Spacewalk we will be installing is the PostgreSQL version. For this we will need to install PostgreSQL Server and configure it.
We will use yum to install the database server:
yum install postgresql-server
Initialize the system master database:
service postgresql initdb
Start the service so we can connect to the server and configure it:
service postgresql start
Ensure that the PostgreSQL server will start with the system when it is rebooted:
chkconfig postgresql on
Create the database, the user, and the plpgsql language (change the password variable to a secure one):
su - postgres -c 'PGPASSWORD=spacepw; createdb spaceschema ; createlang plpgsql spaceschema ; yes $PGPASSWORD | createuser -P -sDR spaceuser'
We configure the user to authenticate with an md5 password when connecting to that database. Add lines like the following to /var/lib/pgsql/data/pg_hba.conf, before the existing "all" entries (PostgreSQL uses the first record that matches a connection):
local spaceschema spaceuser md5
host spaceschema spaceuser 127.0.0.1/8 md5
host spaceschema spaceuser ::1/128 md5
Then we reload PostgreSQL:
service postgresql reload
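The ordering requirement above can be checked before relying on the reload. This added example (not part of the original post) reports which pg_hba.conf record PostgreSQL reaches first for spaceuser on spaceschema; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example. Assumptions: only "local" and "host" records are read, and
# host records are grouped by address family rather than by CIDR range.

pg_hba_first_match() {   # usage: pg_hba_first_match FILE DATABASE USER
    awk -v db="$2" -v user="$3" '
        $1 != "local" && $1 != "host" { next }   # also skips comments, blanks
        ($2 == db || $2 == "all") && ($3 == user || $3 == "all") {
            if ($1 == "local") {
                kind = "local"; method = $4
            } else {
                kind = ($4 ~ /:/) ? "host6" : "host4"
                method = ($4 ~ /\//) ? $5 : $6   # CIDR vs. address + netmask
            }
            if (!(kind in seen)) { seen[kind] = 1; print kind, method }
        }' "$1"
}

pg_hba_check() {         # returns 0 only if every first match uses md5
    rc=0
    for kind in local host4 host6; do
        method=$(pg_hba_first_match "$1" "$2" "$3" |
                 awk -v k="$kind" '$1 == k { print $2 }')
        if [ "$method" = "md5" ]; then
            echo "ok:   $kind -> md5"
        else
            echo "FAIL: $kind -> ${method:-no matching record}"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the Spacewalk records were appended after the "all"
# records, so ident is matched first and password logins are refused.
sample=$(mktemp)
cat > "$sample" <<'EOF'
local   all          all                      ident
host    all          all        127.0.0.1/32  ident
host    all          all        ::1/128       ident
local   spaceschema  spaceuser                md5
host    spaceschema  spaceuser  127.0.0.1/8   md5
host    spaceschema  spaceuser  ::1/128       md5
EOF
pg_hba_check "$sample" spaceschema spaceuser ||
    echo "move the spaceschema records above the 'all' records"
rm -f "$sample"
```

On the server itself, run `pg_hba_check /var/lib/pgsql/data/pg_hba.conf spaceschema spaceuser` as root.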
We must configure the system firewall to allow connection to the necessary ports used by the different services used by Spacewalk.
The commands to configure the firewall are:
iptables -D INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 4545 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 69 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
service iptables save
service iptables restart
Once all dependencies have been configured, we can install Spacewalk by issuing the yum command for the PostgreSQL version. During installation we will have to accept several GPG keys for the repositories that were configured to meet the dependencies:
yum -y install spacewalk-postgresql
The best way to configure Spacewalk is through the use of a configuration file. The following is an example that can be modified for the initial configuration (make the necessary changes for your environment):
admin-email = root@localhost
ssl-set-org = Spacewalk Org
ssl-set-org-unit = spacewalk
ssl-set-city = My City
ssl-set-state = My State
ssl-set-country = US
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=postgresql
db-name=spaceschema
db-user=spaceuser
db-password=spacepw
db-host=localhost
db-port=5432
enable-tftp=Y
Connect to the server to create the administrator account for the default organization.
Use Firefox; for some reason Internet Explorer and Google Chrome have problems when logging in to the server with the created administrator account for the first time.
After we have created this account, the server is ready to be used for administering hosts.
Once the first organization is created, one can decide on a centralized or decentralized organization model. Red Hat has a great white paper on this: RHN SATELLITE: BEST PRACTICES FOR MULTIPLE ORGANIZATIONS.
The first step is to set a base channel; this channel will contain all base packages for a system. The first base channel that we will set will be the one for CentOS 6.0, the version of CentOS used for the Spacewalk server. Follow these steps once logged in:
Before we start, one thing to always keep in mind is that the Spacewalk server will not deploy packages from any repository for which it does not have the GPG public key used to sign the packages. These keys are placed in the root of the version of the repository that one will use. First we need to download these keys and import them with GPG, so as to get the key ID and fingerprint to use when setting up the channel; they should also be imported using rpm on the Spacewalk server. For the base CentOS repository, we download the key and import it with GPG to get the key information:
mkdir repo_keys
cd repo_keys
curl -O http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
gpg --import RPM-GPG-KEY-CentOS-6
Now that we have the key imported, we can use the ID shown in the output to list the key fingerprint to add to the channel definition. It is also advised that we import the key with rpm. Create one channel per set of repositories so it is easier to manage the key:
gpg --list-keys --fingerprint C105B9DE
rpm --import http://mirror.facebook.net/centos/6/os/i386/RPM-GPG-KEY-CentOS-6
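The key above is fetched over plain HTTP from a mirror, so its fingerprint should be compared with one obtained from a source you trust before rpm imports it. This added example (not from the original post) does that comparison on gpg's --with-colons listing of the downloaded file and imports that same local file only on a match; the function names are hypothetical, the sample listing is constructed, and EXPECTED_FPR is a placeholder.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; the expected fingerprint must
# come from a trusted source, not from the mirror that served the key file.

normalize_fpr() {            # strip spaces and colons, upper-case the hex digits
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

fpr_from_colons() {          # stdin: gpg --with-colons listing of one key file
    # Print the primary-key fingerprint, but only if the file holds exactly
    # one public key: rpm --import would otherwise import the extras as well.
    awk -F: '
        $1 == "pub" { pubs++ }
        $1 == "fpr" && pubs == 1 && fpr == "" { fpr = $10 }
        END { if (pubs == 1 && fpr != "") print fpr }'
}

key_matches() {              # usage: key_matches EXPECTED_FPR < listing
    expected=$(normalize_fpr "$1")
    actual=$(fpr_from_colons)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

import_if_trusted() {        # usage: import_if_trusted KEYFILE EXPECTED_FPR
    # Given a key file and no command, gpg lists its contents without importing.
    if gpg --with-colons --with-fingerprint "$1" 2>/dev/null | key_matches "$2"; then
        rpm --import "$1"    # import the file that was checked, not a new download
    else
        echo "fingerprint mismatch for $1: not imported" >&2
        return 1
    fi
}

# Constructed listing (not a real key) to exercise the comparison offline.
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:2011-01-01:::-:Constructed Key <test@example.invalid>:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

printf '%s\n' "$SAMPLE_LISTING" |
    key_matches "0123 4567 89AB CDEF 0123  4567 89ab cdef 0123 4567" &&
    echo "sample listing matches the expected fingerprint"

# Real use, with the placeholder replaced by the trusted fingerprint:
# import_if_trusted RPM-GPG-KEY-CentOS-6 "EXPECTED_FPR"
```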
We will follow these steps for all repositories for which we will create a channel.
We will create 2 repositories for CentOS 6: the first one will be the base repository for CentOS, the second will be the updates. For the base system repository enter:
For the updates repository enter:
For the Spacewalk Client repository enter:
Let's create a repository for VMware Tools for vSphere 5 if you are using VMware for running virtual machines:
We will create a new channel that will use both Repositories:
Enter the Following Parameters:
Assign the Repositories to the Channel:
To Sync the repositories
The initial sync can take hours depending on the size of the repository and internet connection speed. Packages will begin to appear slowly on the channel package list as they are downloaded and synched.
Repeat the steps for the Spacewalk Client and the VMware Tools using the settings shown below.
Spacewalk Client:
Assign the repository spacewalk-client-rhel6-i386 to the channel and set a sync schedule
VMware Tools:
Assign the repository Vmware-Tools-ESX-5.0-RHL6 to the channel and set a sync schedule
For more information on creating repos and synching them do take a look at: Uploading Content
Enable the OSA Dispatcher so we can push jobs immediately to registered systems:
chkconfig osa-dispatcher on
service osa-dispatcher start
Before connecting to a CentOS 6 System you need to create an activation key to use for registering the systems and assign a software channel to it. To create an Activation Key we do the following:
The key is now ready to use.
To connect the system, the appropriate client software must be installed on it.
We start by installing the appropriate repository for the spacewalk client software:
rpm -Uvh http://spacewalk.redhat.com/yum/1.5/RHEL/6/i386/spacewalk-client-repo-1.5-1.el6.noarch.rpm
rpm -Uvh http://download.fedora.redhat.com/pub/epel/6/i386/epel-release-6-5.noarch.rpm
Install the necessary client software:
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin osad
We can register the CentOS system to Spacewalk using the activation key we created earlier:
rhnreg_ks --serverUrl=http://YourSpacewalk.example.org/XMLRPC --activationkey=1-centos6-32bit
We need to configure OSAD so we can push actions to this system. We start by downloading the certificate and setting it in the configuration file for OSAD:
cd /usr/share/rhn/
curl -O http://yourspacewalk.example.org/pub/RHN-ORG-TRUSTED-SSL-CERT
/usr/bin/perl -p -i -e "s/osa_ssl_cert =/osa_ssl_cert = \/usr\/share\/rhn\/RHN-ORG-TRUSTED-SSL-CERT/g" /etc/sysconfig/rhn/osad.conf
We can now set the service:
chkconfig osad on
service osad start
For information on connecting other systems do take a look at Registering Clients
At the time of this writing, in version 1.5 of Spacewalk, errata are only imported from Fedora channels and not all errata are processed. CentOS has not distributed any errata for version 6.x of CentOS, so automating the import of errata is not possible. For previous versions of CentOS, the following blog post shows a way to automate the import of the errata information.