Installing Spacewalk on CentOS 6
Contents
- 1 THIS PAGE IS A WORK IN PROGRESS.
- 2 Installing CentOS 6.5
- 3 Selinux Considerations
- 4 Installing Spacewalk 2.2
- 5 Configuring Your Spacewalk Environment
- 6 Configure Spacewalk Repositories
- 7 Configure Spacewalk Channels
- 8 Configure Spacewalk Configuration Channels
- 9 Configure Spacewalk Activation Keys
- 10 Register an Existing Server as a Spacewalk Client
- 11 Creating Kickstart Distributions
- 12 Creating Kickstart Profiles
THIS PAGE IS A WORK IN PROGRESS.
When this text is removed this HowTo article is ready for prime time.
Installing CentOS 6.5
Preparing your System
Things to consider as you prepare your system:
- 1) The repositories that Spacewalk downloads will consume quite a bit of space. I create a dedicated partition at /opt/data for this; mine holds 75GB of data with CentOS 6.5, 7.0, and Fedora 20.
- 2) PostgreSQL database will get fairly large too, so I have a dedicated partition for this as well, /opt/postgres, 16GB.
- 3) PostgreSQL will be configured to dump database every night, so a dedicated partition for this too, /opt/dbdump, 8GB
I used a minimal installation. I added wget, net-snmp, ntp, logwatch, and parted. Apply all available updates to your system, run the command:
yum update
Optional: my personal preference is to remove the Red Hat Graphical Boot and set the VGA console to 1024x768, in the file /boot/grub/grub.conf. Set up your config files as appropriate to your network. Mine look like this:
title CentOS (2.6.32-358.el6.x86_64)
        root (hd0,0)
        kernel /vmlinuz-2.6.32-358.el6.x86_64 ro root=/dev/mapper/vg00-lv_root rd_LVM_LV=vg00/lv_swap rd_NO_LUKS rd_LVM_LV=vg00/lv_root rd_NO_MD crashkernel=auto vga=791 SYSFONT=latarcyrheb-sun16 KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM LANG=en_US.UTF-8
        initrd /initramfs-2.6.32-358.el6.x86_64.img
Note above, on the "kernel" line, the lack of "rhgb quiet" and the addition of "vga=791". As noted, this step is purely optional, but I prefer to see all messages during boot up, and I like the smaller font (thus, a larger screen).
Configuring your System
Set up iptables to allow the systems to talk to Spacewalk. You can copy the iptables file to a backup before you edit it, just in case you need to roll back.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.orig
All the lines below with "-A INPUT -s" are lines I added. All other lines are the default config. This is what we are adding to the config, to allow network traffic on:
- 1) Allow all of our network 10.23.94.0/24 to TCP ports 80,443,5222,4545,67,69
- 2) Allow all of our network 10.23.94.0/24 to UDP ports 67,69
- 3) Allow just the IP 10.23.96.23 (/32 means just this one IP) to access port 4545. 10.23.96.23 is the IP of this spacewalk server we are configuring... yes we have to allow it to access its own IP.
# cat /etc/sysconfig/iptables
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.23.94.0/24 -p tcp -m state --state NEW -m tcp --match multiport --dports 80,443,5222,4545,67,69 -j ACCEPT
-A INPUT -s 10.23.94.0/24 -p udp -m state --state NEW -m udp --match multiport --dports 67,69 -j ACCEPT
-A INPUT -s 10.23.96.23/32 -p tcp -m state --state NEW -m tcp --dport 4545 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
After you save the /etc/sysconfig/iptables file, restart iptables.
/etc/init.d/iptables restart
# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
ACCEPT     tcp  --  10.23.94.0/24        0.0.0.0/0           state NEW tcp multiport dports 80,443,5222,4545,67,69
ACCEPT     udp  --  10.23.94.0/24        0.0.0.0/0           state NEW udp multiport dports 67,69
ACCEPT     tcp  --  10.23.96.23          0.0.0.0/0           state NEW tcp dpt:4545
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
At this point, reboot, and enable the new kernel that was installed with the yum update command above.
Setting Up Alternate Yum Repositories
We will need to add some other repositories that will be required for the packages needed for Spacewalk. Start by installing EPEL:
yum install http://mirror.umd.edu/fedora/epel/6/i386/epel-release-6-8.noarch.rpm
And then the Spacewalk Repository:
yum install http://yum.spacewalkproject.org/2.2/RHEL/6/x86_64/spacewalk-repo-2.2-1.el6.noarch.rpm
And then the JPackage Repository:
wget http://www.jpackage.org/jpackage50.repo -P /etc/yum.repos.d/
Verify we have all the repositories we need:
# yum repolist
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: centos.mirror.lstn.net
 * epel: kdeforge2.unl.edu
 * extras: dist1.800hosting.com
 * jpackage-generic: mirror.ibcp.fr
 * jpackage-generic-updates: mirror.ibcp.fr
 * updates: mirrordenver.fdcservers.net
jpackage-generic                      | 951 B     00:00
jpackage-generic/primary              | 811 kB    00:01
jpackage-generic                                  3307/3307
jpackage-generic-updates              | 951 B     00:00
jpackage-generic-updates/primary      | 7.7 kB    00:00
jpackage-generic-updates                          29/29
spacewalk                             | 2.1 kB    00:00
spacewalk/primary_db                  | 138 kB    00:00
repo id                     repo name                                         status
base                        CentOS-6 - Base                                    6,367
epel                        Extra Packages for Enterprise Linux 6 - x86_64    11,125
extras                      CentOS-6 - Extras                                     15
jpackage-generic            JPackage (free), generic                           3,307
jpackage-generic-updates    JPackage (free), generic                              29
spacewalk                   Spacewalk                                            155
updates                     CentOS-6 - Updates                                 1,608
repolist: 22,606
Selinux Considerations
It's now time to decide if you will use SELinux or not. I use it, but I will say that at all my professional jobs I have never encountered an enterprise that uses SELinux... it's always disabled. Why? Because it takes time... sometimes a lot of time to get it configured right. And in the professional world, time is money.
I personally always use it on systems I build for myself, and systems I build on consulting jobs. I will say, with as many Spacewalk installs as I have done:
- 1) I don't use the standard file paths; I move all the data out of /var/satellite into /opt/satellite, and this is a source of lots of SELinux configuration
- 2) You can avoid a lot of hassle right now by disabling SELinux, but I recommend you don't.
That said, here are your choices:
- disable selinux by changing SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config, and rebooting
or
- install setroubleshoot, which will help us fix SELinux problems, and start its daemon:
yum install setroubleshoot
setroubleshootd
and verify it's running:
# ps maux|grep setroubleshoot
root 1566 48.0 2.4 330140 46432 ? - 10:00 0:00 /usr/bin/python -Es /usr/sbin/setroubleshootd
Installing Spacewalk 2.2
Package Setup
It's time to pull down our first set of packages, and there will be a considerable number of dependencies. Thankfully, yum works this all out for us.
yum install spacewalk-setup-postgresql spacewalk-postgresql
Steps to configure PostgreSQL
We will relocate the pgsql database location, taking care not to break the SELinux context. First, stop the database.
# /etc/init.d/postgresql stop
Stopping postgresql service: [ OK ]
Now copy the postgresql files to /opt/postgres:
chown postgres:postgres /opt/postgres
cp -vpRP --preserve=context /var/lib/pgsql /opt/postgres
Preserve the original, reset selinux context, and symlink to the new location:
# cd /var/lib/
# mv pgsql pgsql.old
# ln -s /opt/postgres/pgsql/
# semanage fcontext -a -t postgresql_db_t "/opt/postgres(/.*)?"
# restorecon -R -v /opt/postgres
# semanage fcontext -a -t postgresql_db_t '/var/lib/pgsql'
# restorecon -v '/var/lib/pgsql'
Verify:
# ll pgsql
lrwxrwxrwx. 1 root root 20 Oct 23 10:17 pgsql -> /opt/postgres/pgsql/
Ensure the postgres user has ownership of the dbdump location:
chown postgres:root /opt/dbdump/
Setup our crontab for backups and directory maintenance:
touch /var/spool/cron/postgres
chown postgres:postgres /var/spool/cron/postgres
echo "50 21 * * * /bin/find /opt/dbdump/ -type f -mtime +6 -exec rm {} \;" >> /var/spool/cron/root
echo "0 5 * * * /var/lib/pgsql/postgresqlbackup.sh" >> /var/spool/cron/postgres
Setup the backup script:
touch /var/lib/pgsql/postgresqlbackup.sh
The Script should contain:
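#!/bin/bash
# Nightly PostgreSQL backup for Spacewalk, run from the postgres user's crontab.
ARCHIVE=/opt/dbdump
DATE=$(date +%Y%m%d%H%M)
# Dump the global objects (roles, tablespaces).
/usr/bin/pg_dumpall -g -U postgres -f "$ARCHIVE/globals-${DATE}-$HOSTNAME.dump"
# Dump the rhnschema database in custom format; verbose output goes to the log file.
/usr/bin/pg_dump -Fc -U postgres -v -f "$ARCHIVE/rhnschema-${DATE}-$HOSTNAME.dump" rhnschema &> "$ARCHIVE/rhnschema-${DATE}-$HOSTNAME.log"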
Chown and chmod it for postgres user:
chown postgres:postgres /var/lib/pgsql/postgresqlbackup.sh
chmod +x /var/lib/pgsql/postgresqlbackup.sh
Now it is finally time to configure Spacewalk. It is CRITICAL that you temporarily rename your system to what your Spacewalk DNS name will be. During setup many SSL certs are created for different jobs, and they all use the current hostname as the ORG unit. There isn't a viable way to reconfigure them all at the web interface, and it's even worse if you already have many systems connected and you want to reconfigure the SSL certs. It's easiest just to give the server a temporary name change, then change it back to the correct hostname later. Unless your server is already named "spacewalk.yourdomain.com" :)
# hostname spacewalk.yourdomain.com
I highly recommend using an answer file.
admin-email = spacewalk@yourdomain.com
ssl-set-org = YOURORG
ssl-set-org-unit = spacewalk.yourdomain.com
ssl-set-city = Yourcity
ssl-set-state = Yourstate
ssl-set-country = US
ssl-password = Yourpass
ssl-set-email = spacewalk@yourdomain.com
ssl-config-sslvhost = Y
db-backend=postgresql
enable-tftp=Y
Run the configuration like this:
# spacewalk-setup --disconnected --answer-file=spacewalk-answerfile
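A pre-flight check for the answer file and hostname, added here as an example that is not part of the original article. It verifies that the file holding ssl-password is not readable by group or other, that the current hostname is the intended Spacewalk DNS name, and that ssl-set-org-unit agrees with it; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# Assumes GNU stat, as shipped with CentOS.

# answer_value FILE KEY: print the value of "key = value" or "key=value".
answer_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# preflight_answer_file FILE FQDN CURRENT_HOSTNAME
# Prints one line per problem and returns the number of problems (0 = ready).
preflight_answer_file() {
    file=$1 fqdn=$2 current=$3 problems=0

    # The file contains ssl-password in clear text: owner-only access.
    mode=$(stat -c '%a' "$file")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode: answer file is accessible by group/other"
           problems=$((problems + 1)) ;;
    esac

    # Certificates are generated for the hostname in effect during setup.
    if [ "$current" != "$fqdn" ]; then
        echo "hostname is '$current', expected '$fqdn'"
        problems=$((problems + 1))
    fi

    # The article sets ssl-set-org-unit to the same name.
    unit=$(answer_value "$file" ssl-set-org-unit)
    if [ "$unit" != "$fqdn" ]; then
        echo "ssl-set-org-unit is '$unit', expected '$fqdn'"
        problems=$((problems + 1))
    fi

    # Keys the setup should not have to prompt for.
    for key in admin-email ssl-set-org ssl-password db-backend; do
        if [ -z "$(answer_value "$file" "$key")" ]; then
            echo "missing or empty key: $key"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample using the placeholder values from the article.
write_sample_answer_file() {
    cat > "$1" <<'EOF'
admin-email = spacewalk@yourdomain.com
ssl-set-org = YOURORG
ssl-set-org-unit = spacewalk.yourdomain.com
ssl-password = Yourpass
db-backend=postgresql
enable-tftp=Y
EOF
}

# Demo against the sample file and this machine's current hostname.
demo=$(mktemp)
write_sample_answer_file "$demo"
chmod 600 "$demo"
preflight_answer_file "$demo" spacewalk.yourdomain.com "$(uname -n)" ||
    echo "fix the problems above before running spacewalk-setup"
rm -f "$demo"
```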
Finally, install the Spacewalk Client:
yum install http://yum.spacewalkproject.org/2.2-client/RHEL/6/x86_64/spacewalk-client-repo-2.2-1.el6.noarch.rpm
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin rhncfg-actions osad
Configuring Your Spacewalk Environment
Initial Setup
The ending of the configuration step above should have told you:
Installation complete. Visit https://spacewalk.yourdomain.com to create the Spacewalk administrator account.
Log in to the above, and do the initial login creation. This will be the super-user of the whole organization, and he will be a member of DefaultSpacewalkOrganization.
The first thing we want to do is set up our new organization so we don't have to use the DefaultSpacewalkOrganization. On the Overview page, under Tasks, click "Manage Spacewalk Organizations".
In the upper right of Organizations, click "+create new organization". Enter some info in the fields:
Organization Name: YOUR-ORG
Desired Login: yourname
Desired Password: yourpass
Confirm Password: againyourpass
Email: youremail@yourdomain.com
First Name: firstname
Last Name: lastname
... and click the green "Create Organization" button.
Clicking the "Create Organization" button then forwards you to the Subscription\System Entitlements page. Here, we need to assign some of the entitlements from DefaultSpacewalkOrganization to YOUR-ORG. If you don't do this step, your new org will be useless. (You can fix it later, but it's best to just do it now.)
I assigned 100 Entitlements from each type (Management, Monitoring, Provisioning, Virtualization, Virtualization Platform), and click "Update Organization".
Now, you can log out of the DefaultSpacewalkOrganization super-user, and log back in with your new account that goes to your new YOUR-ORG.
Configure Spacewalk Repositories
We now need to configure some channels. When creating channels from existing repos, you can sometimes get hints about where the source directories are on the internet by looking at the .repo files in your /etc/yum.repos.d.
For CentOS, we will focus on building these spacewalk channels:
CentOS 6.5 Base
CentOS 6 Updates
EPEL 6
SpaceWalk Client
Each channel also has a corresponding repository configuration. I find it's easier to create the repositories first, because it's overall fewer clicks to complete a channel setup. To get started, click "Channels" along the top, then down the left side click Manage Software Channels\Manage Repositories. Click "+create new repository" in the upper right.
In the fields, populate like this:
Repository Label: centos-6.5-x86_64-base
Repository URL: http://mirror.raystedman.net/centos/6.5/os/x86_64/
(You should actually pick a mirror that is geographically close to you, from this list: http://www.centos.org/download/mirrors/ )
Click "Create Repository", then on the left side click Manage Repositories again. Again, click "+create repository", and now create one for CentOS 6 updates:
Repository Label: centos-6-x86_64-updates
Repository URL: http://mirror.raystedman.net/centos/6/updates/x86_64/
Click Update Repository, and repeat the process to create the EPEL 6 and Spacewalk Client repositories:
Repository Label: epel-el6-x86_64
Repository URL: http://dl.fedoraproject.org/pub/epel/6/x86_64/
and
Repository Label: spacewalk-client-2.2-el6-x86_64
Repository URL: http://spacewalk.redhat.com/yum/2.2-client/RHEL/6/x86_64/
Let's go back for a moment to the epel-el6-x86_64 repository. EPEL, as you may already know, contains many, many packages from as many projects. You have some options: you can just install the epel-release-6.8 (as we did above) and be done with it, or you can synchronize the EPEL repository packages to your own Spacewalk server. I chose the latter, but with the stipulation that I don't need all the EPEL packages. The way you solve this is with the Filters field on the repository configuration page. Myself, in my network at home, I use Nagios, Cacti, Bacula, and a few other odds and ends from EPEL. Thus, I use a filter like this on my epel-el6-x86_64 repository:
+lfc-python,PyYAML,dojo,fping,jabberd,jabberpy,jakarta-commons-cli,jcommon,jettison,libapreq2,libyaml,nagios*,nrpe,perl*,python*,koan*,udns,xpp3*,cacti,fail2ban,gsoap*,iftop,iperf,libmcrypt,php*,qstat,qtsoap*,spacecmd
The above reduces the set from probably over 20,000 packages to about 2500, which is much more reasonable for me. Tweak this to match what you need, or leave it off and sync the entire thing; it's up to you :)
Configure Spacewalk Channels
Now we move to configure the Channels that we mentioned above. Click Channels\Manage Software Channels, and you will be at the page titled "Software Channel Management". Click "+create new channel" in the upper right, and populate these fields:
Channel Name: CentOS 6.5 x86_64 Base
Channel Label: centos-6.5-x86_64-base
Parent Channel: [none for CentOS 6.5 Base Channel]
Architecture: x86_64
Yum Repository Checksum: sha1
Channel Summary: CentOS 6.5 x86_64 Base
GPG key URL: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
GPG key ID: C105B9DE
GPG key Fingerprint: C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
BTW, the gpg id and fingerprint are found by the gpg command run against the RPM-GPG-KEY file. Example:
# gpg --with-fingerprint RPM-GPG-KEY-CentOS-6
pub  4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
      Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
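The GPG key URL above is plain http, so the fingerprint you type into the channel form is what pins the key. The following added example (not part of the original article; function names are hypothetical) reads gpg --with-fingerprint output in the format shown above and checks it against the fingerprint and key ID you intend to enter, which you should obtain from a source other than the download itself.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.
# Checks the output of `gpg --with-fingerprint KEYFILE` against the fingerprint
# and short key ID that will be entered in the Spacewalk channel form.

# Remove all whitespace and upper-case, so "c1da c52d ..." equals "C1DAC52D...".
normalize_hex() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'abcdef' 'ABCDEF'
}

# Print the first "Key fingerprint = ..." value found on stdin.
fingerprint_from_gpg() {
    sed -n 's/^.*Key fingerprint = *//p' | head -n 1
}

# check_channel_key EXPECTED_FINGERPRINT EXPECTED_KEY_ID   (gpg output on stdin)
# Returns 0 on match, 1 on mismatch, 2 if no 40-digit fingerprint was found.
check_channel_key() {
    want_fpr=$(normalize_hex "$1")
    want_id=$(normalize_hex "$2")
    got_fpr=$(normalize_hex "$(fingerprint_from_gpg)")

    # A version 4 OpenPGP fingerprint is exactly 40 hex digits.
    printf '%s\n' "$got_fpr" | grep -Eq '^[0-9A-F]{40}$' || return 2

    # The short key ID is the last 8 hex digits of the fingerprint.
    got_id=$(printf '%s' "$got_fpr" | cut -c33-40)

    [ "$got_fpr" = "$want_fpr" ] || return 1
    [ "$got_id" = "$want_id" ] || return 1
    return 0
}

# Sample input: the gpg output quoted in this article for RPM-GPG-KEY-CentOS-6.
sample_gpg_output() {
    cat <<'EOF'
pub  4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
      Key fingerprint = C1DA C52D 1664 E8A4 386D  BA43 0946 FCA2 C105 B9DE
EOF
}

# Real use:
#   gpg --with-fingerprint RPM-GPG-KEY-CentOS-6 | check_channel_key "<fingerprint>" "<key id>"
if sample_gpg_output | check_channel_key \
    "C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE" "C105B9DE"; then
    echo "fingerprint and key ID match"
else
    echo "MISMATCH: do not enter this key in the channel" >&2
fi
```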
Save your channel by clicking "Create Channel" at the bottom of the page. Back to the top of this page, click Repositories, select the corresponding repository that we already created with a check mark, (centos-6.5-x86_64-base), and click "Update Repositories" button at the bottom.
Now, click back to Manage Software Channels again, click create new channel again, and let's create the CentOS 6 Updates channel. This time, we will select the option for "child channel":
Channel Name: CentOS 6 x86_64 Updates
Channel Label: centos-6-x86_64-updates
Parent Channel: CentOS 6.5 x86_64 Base
Architecture: x86_64
Yum Repository Checksum: sha1
Channel Summary: CentOS 6 x86_64 Updates
GPG key URL: http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-6
GPG key ID: C105B9DE
GPG key Fingerprint: C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
Click Create Channel, then repeat the process to select the appropriate repository by clicking Repositories at the top, selecting the "centos-6-x86_64-updates" repository, and click "Update Repository" at the bottom.
Repeat the same process for the EPEL-6 and Spacewalk Client Channels, also selecting the proper repo to go along with the channel after you click "create channel".
Channel Name: SpaceWalk 2.2 Client EL6 x86_64 for CentOS
Channel Label: spacewalk-client-2.2-el6-x86_64-centos
Parent Channel: CentOS 6.5 x86_64 Base
Architecture: x86_64
Yum Repository Checksum: sha1
Channel Summary: SpaceWalk 2.2 Client EL6 x86_64 for CentOS
GPG key URL: http://spacewalk.redhat.com/yum/RPM-GPG-KEY-spacewalk-2012
GPG key ID: 863A853D
GPG key Fingerprint: 8F85 8A91 03E3 3965 6BE9 64D0 0E64 6F68 863A 853D

Channel Name: EPEL 6 x86_64 CentOS
Channel Label: epel-6-x86_64-centos
Parent Channel: CentOS 6.5 x86_64 Base
Architecture: x86_64
Yum Repository Checksum: sha1
Channel Summary: Extra Packages for Enterprise Linux 6
GPG key URL: https://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL
GPG key ID: 0608B895
GPG key Fingerprint: 8C3B E96A F230 9184 DA5C 0DAE 3B49 DF2A 0608 B895
Before we get started with synchronizing channels, we need to relocate the folders where this data is stored, because the /var partition will fill up fast. If you installed your system with one giant / partition, then you can skip this step.
cd /var
cp -vpRP --preserve=context satellite/ spacewalk/ /opt/data/
mv spacewalk spacewalk.old
mv satellite satellite.old
ln -s /opt/data/spacewalk
ln -s /opt/data/satellite
Now there are a couple of ways to synchronize packages to the channels. The first is in the web GUI (and this is not the method I use). At the top of the page, click Channels, then click Manage Software Channels, and then click on a channel you have created. From there, click on Repositories, then click the Sync tab. There is a check box for "Create kickstartable tree", and on the base channel, we need this. The green "Sync Now" will start the synchronization. To see the activity as it's happening, tail the log:
# tail -f /var/log/rhn/reposync/centos-6.5-x86_64-base
... and you will see all the activity as it's happening. I much prefer to do this from the command line, because you can also sync all child channels in the same command. Start with listing out our currently configured channels:
# spacewalk-repo-sync --list
======================================
|   Channel Label   |   Repository   |
======================================
postgresql-9.3-x86_64-el6-centos | http://yum.postgresql.org/9.3/redhat/rhel-6-x86_64/
spacewalk-client-2.2-el6-x86_64-centos | http://spacewalk.redhat.com/yum/2.2-client/RHEL/6/x86_64/
centos-6.5-x86_64-base | http://mirror.raystedman.net/centos/6.5/os/x86_64/
centos-6-x86_64-updates | http://mirror.raystedman.net/centos/6/updates/x86_64/
mysql-5.6-el6-x86_64-centos | http://repo.mysql.com/yum/mysql-5.6-community/el/6/x86_64/
epel-6-x86_64-centos | http://dl.fedoraproject.org/pub/epel/6/x86_64/
The equivalent of the "Sync Now" button that we saw before is:
spacewalk-repo-sync --channel=centos-6.5-x86_64-base --sync-kickstart
And the above will pull down the whole installation as well as the kickstartable pieces so you can perform network installs. Synchronizing the tree can take quite a while (like, a day or more, sometimes), so I like to ensure Spacewalk will work all the channels in one string. So, in my opinion, this is ideal:
# screen (yum install screen, if you don't have screen)
# spacewalk-repo-sync --parent-channel=centos-6.5-x86_64-base --sync-kickstart
... and then sit back and enjoy the rest of your day.
Configure Spacewalk Configuration Channels
Back on the Overview page, click Configuration, then click "create new config channel". Usually you would have different config channels for your Production servers from your Development servers. You can name your configuration channel to what ever is appropriate to your org layout. I called mine CentOS65-Production:
Name: CentOS65-Production
Label: centos65-production
Description: CentOS65-Production
Configure Spacewalk Activation Keys
We now go back to the Overview page, and click on "Manage Activation Keys". These will allow newly registered systems to automatically subscribe to the channels that we want them to have. You can have different activation keys automatically subscribe to different sets of channels; it's all up to you.
In Activation Keys, click "+create new key". Fill in the blanks as such: (note that on the key field, the 1- or 2- is pre-populated, and represents the organization you are working with and of which this activation key will belong)
Description: centos-6.5-x86_64-base
Key: 2-centos-6.5-x86_64-base
Base Channels: CentOS 6.5 x86_64 Base
Add-On Entitlements: (check Monitoring, Provisioning)
Then click "Create Activation Key". Now, at the top, click the Child Channels tab, and use ctrl-click to select the child channels we need to automatically subscribe to when this key is used by a newly registered system:
CentOS 6 x86_64 Updates
EPEL 6 x86_64 CentOS
SpaceWalk 2.2 Client EL6 x86_64 for CentOS
Also, click the Configuration Tab, then click Subscribe to Channels. Below, you will see the channel you created above (mine, called CentOS65-Production). Check the box, and click Continue, and you will then be forwarded to the "List/Unsubscribe from Channels" tab.
At this point, we have to wait for our --parent-channel synchronization to complete, because we will be moving on to setting up Kickstart Profiles.
Register an Existing Server as a Spacewalk Client
At this point in the game, you should be ready to add your first client. Let's register the Spacewalk server unto itself, so it can manage its own package updates.
Clients that were not originally built from this spacewalk server (chicken / egg problem here), must have the SSL cert of this server manually installed first.
yum install http://spacewalk.yourdomain.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm
rhnreg_ks --serverUrl=https://spacewalk.yourdomain.com/XMLRPC --activationkey=2-centos-6.5-x86_64-base
/etc/init.d/osad restart
rhn-actions-control --enable-all
Verify that the server connected by going to the Systems link at the top. You should see the server name populated in there. Click on the server name, and verify that "OSA Status" is something other than "unknown".
Verify that the server can accept and process a remote command. While on the Details\Overview page of the server, click Remote Command. In the script section, put something simple like:
#!/bin/sh
# Add your shell script below
date
... Click Schedule. If you get an error saying the system is not configured to accept remote commands, refer back to the 'rhn-actions-control' command above. Now, click the Events tab. The OSAD service causes server commands to be picked up very quickly; without OSAD running it can take several hours for a server to check back in to see if it has any commands queued up. If your 'date' command is still showing on the Pending tab, click the Pending tab again; it should clear pretty quickly. Next, click on the History tab, and the status of the command should be there. You should see "Run an arbitrary script scheduled by YOU", and the date/time it was completed. Click "Run an arbitrary script scheduled by YOU", and it will show you the exact output of what happened when the server ran the script.
System History Event
Summary: Run an arbitrary script scheduled by jhorne
Details: This action will be executed after 10/23/14 2:15:00 PM CDT
This action's status is: Completed.
The client picked up this action on 10/23/14 2:16 PM
The client completed this action on 10/23/14 2:16 PM
Client execution returned "Script executed" (code 0)
Run as: root:root
Timeout: 600 seconds
Script contents:
#!/bin/sh
# Add your shell script below
date
Start Date: 10/23/14 2:16 PM
End Date: 10/23/14 2:16 PM
Return Code: 0
Raw Output: view/download raw script output
Filtered Output:
Thu Oct 23 14:16:12 CDT 2014
Time: 10/23/14 2:15:00 PM CDT
And for even more verbose and raw output, you can click the link for "Raw Output: view/download raw script output".
For other CentOS 6.x servers in your environment, I made a script like this to handle the registration to the server:
yum -y install http://yum.spacewalkproject.org/2.2-client/RHEL/6/x86_64/spacewalk-client-repo-2.2-1.el6.noarch.rpm
yum -y install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin rhncfg-actions osad
yum install http://spacewalk.yourdomain.com/pub/rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm -y
rhnreg_ks --serverUrl=https://spacewalk.yourdomain.com/XMLRPC --activationkey=2-centos-6.5-x86_64-base
rhn-actions-control --enable-all
/etc/init.d/osad start
rm -rf /etc/yum.repos.d/CentOS-* /etc/yum.repos.d/epel*
yum remove -y spacewalk-client-repo
yum clean all
yum repolist
At this point, we have to wait for our --parent-channel synchronization to complete, because we will be moving on to setting up Kickstart Profiles.
Creating Kickstart Distributions
We relocated the physical file repository to /opt/data/satellite, but the system still thinks it's /var/satellite because we used a symlink to link it back to its original location. This might cause an SELinux error when we update the Kickstart Distribution. For example you might see this error:
Oct 24 00:21:14 SPACEWALKSERVER setroubleshoot: SELinux is preventing /usr/bin/python from read access on the lnk_file satellite. For complete SELinux messages. run sealert -l f6625397-fc2e-4cbf-8b79-1497099d4c95
To resolve this issue, we install setroubleshoot.
yum install setroubleshoot
then start setroubleshoot and restart auditd
# setroubleshootd
# /etc/init.d/auditd restart
Now, if we run:
tail -f /var/log/messages
... while we attempt to update the Kickstart Distribution, we will see an error such as the above. From there it's simple to resolve the issue: do exactly as the error message says. In my case, I ran:
# sealert -l f6625397-fc2e-4cbf-8b79-1497099d4c95
SELinux is preventing /usr/bin/python from read access on the lnk_file satellite.

***** Plugin catchall_labels (83.8 confidence) suggests ********************

If you want to allow python to have read access on the satellite lnk_file
Then you need to change the label on satellite
Do
# semanage fcontext -a -t FILE_TYPE 'satellite'
where FILE_TYPE is one of the following: usr_t, etc_t, proc_t, cobblerd_t, iso9660_t, abrt_t, configfile, lib_t, device_t, root_t, usr_t, etc_t, ld_so_t, proc_t, sysfs_t, etc_runtime_t, public_content_t, textrel_shlib_t, public_content_rw_t, rpm_script_tmp_t, cobbler_var_lib_t, bin_t, configfile, device_t, locale_t, device_t.
Then execute:
restorecon -v 'satellite'

***** Plugin catchall (17.1 confidence) suggests ***************************

If you believe that python should be allowed read access on the satellite lnk_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

# grep cobblerd /var/log/audit/audit.log | audit2allow -M mypol
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mypol.pp

# semodule -i mypol.pp
#
I then saved the Kickstart Distribution again, and this time it was successful.
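The module built by "grep cobblerd ... | audit2allow -M mypol" allows every cobblerd denial in the audit log, not only the symlink read, so it is worth listing those denials before loading it. The following added example is not part of the original article: it summarizes AVC denial records by process, permission, object class and SELinux types; the audit records are constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are hypothetical.

# summarize_avc [COMM]: read audit.log lines on stdin and print
#   count comm permissions class source_type target_type object
# one line per distinct denial, most frequent first. COMM filters by process name.
summarize_avc() {
    awk -v want="$1" '
    /type=AVC/ && /denied/ {
        split("", kv)                      # clear fields of the previous record
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            val = substr($i, eq + 1)
            gsub(/"/, "", val)
            kv[substr($i, 1, eq - 1)] = val
        }
        if (want != "" && kv["comm"] != want) next

        # The denied permissions sit between "{ " and " }".
        lb = index($0, "{ "); rb = index($0, " }")
        perms = substr($0, lb + 2, rb - lb - 2)
        gsub(/ /, ",", perms)

        # Contexts are user:role:type:level, the type is the third part.
        split(kv["scontext"], s, ":"); split(kv["tcontext"], t, ":")
        obj = (kv["name"] != "") ? kv["name"] : kv["path"]
        seen[kv["comm"] " " perms " " kv["tclass"] " " s[3] " " t[3] " " obj]++
    }
    END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed audit.log excerpt (not captured from a real system).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1414128074.101:410): avc:  denied  { read } for  pid=2345 comm="cobblerd" name="satellite" dev=dm-0 ino=131 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=SYSCALL msg=audit(1414128074.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="cobblerd" exe="/usr/bin/python"
type=AVC msg=audit(1414128080.552:415): avc:  denied  { read } for  pid=2345 comm="cobblerd" name="satellite" dev=dm-0 ino=131 scontext=system_u:system_r:cobblerd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=lnk_file
type=AVC msg=audit(1414128101.007:420): avc:  denied  { getattr } for  pid=2345 comm="cobblerd" path="/opt/data/satellite/rhn" dev=dm-3 ino=2 scontext=system_u:system_r:cobblerd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1414128130.250:431): avc:  denied  { search } for  pid=2780 comm="httpd" name="data" dev=dm-3 ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
EOF
}

# Real use: summarize_avc cobblerd < /var/log/audit/audit.log
sample_audit_log | summarize_avc cobblerd
```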
Creating Kickstart Profiles
Initial Profile Creation
A Kickstart Profile allows you to boot from network and perform operating system installs without the use of any physical media. Get started by clicking at the top Systems, then down the left side click Kickstart\Profiles. Click on "+create new kickstart profile". On the Create Kickstart Profile page, fill in the values. There are multiple steps. For example step 1:
Label: CentOS65-Base
Base Channel: CentOS 6.5 x86_64 Base
Kickstartable Tree: centos-6.5-x86_64-base
Always use the newest tree: [check yes]
Then click NEXT. Step 2, no changes should be necessary, the default location should already be selected.
Step 3, assign a root password to the profile. All systems that install using this profile will inherit this root password. This can be changed later as time passes to comply with security policies. Click Finish, and you're ready. Now you are forwarded to the management page for the profile you just created. We have a lot of settings to configure in here too.
Profile Customization
On the Details page, I advise to put checkmarks in these 3 boxes. These will leave behind some logs in the /root/ directory that will help with troubleshooting if need be.
Log custom post scripts: [check yes]
Log custom pre scripts: [check yes]
Preserve ks.cfg: [check yes]
On the Operating System page, add your child channels so they will be available to the installer.
centos-6-x86_64-updates: [check yes]
spacewalk-client-2.2-el6-x86_64-centos: [check yes]
epel-6-x86_64-centos: [check yes]
Click the Update Kickstart Button at the bottom.
On the Variables page, you won't need to make any adjustments.
The Advanced Options page has many things you can change. Here are some of my recommendations:
bootloader: --location mbr --append="crashkernel=auto vga=791"
firewall: [remove checkmark]
network: [remove checkmark]
selinux: [change from --permissive to --enforcing]
timezone: [set to your timezone]
custom options: %include /tmp/network.ks
Click the Update Kickstart Button at the bottom.
Now we move to the next main tab, System Details. Under Spacewalk Preferences, add check marks for:
Enable Spacewalk Configuration Management: [check yes]
Enable Spacewalk Remote Commands: [check yes]
Click Update System Details.
The Locale page should already be set after we made changes on the Advanced Options page, so no change should be necessary here, but you can change it at any time if you like.
The Partitioning tab allows you to specify how the partitions will be set up on the system. There is a default volume group set up; I personally replace it with a separate-partitions scheme. You can set this however works best for you. Mine looks like this:
part /boot --fstype ext4 --size 500 --asprimary
part pv.01 --size=1 --grow
volgroup vg00 pv.01
logvol / --vgname=vg00 --size=2048 --name=lv_root
logvol swap --vgname=vg00 --size=2048 --name=lv_swap
logvol /tmp --vgname=vg00 --size=1024 --name=lv_tmp
logvol /usr --vgname=vg00 --size=6144 --name=lv_usr
logvol /var --vgname=vg00 --size=4096 --name=lv_var
logvol /opt --vgname=vg00 --size=2048 --name=lv_opt
logvol /home --vgname=vg00 --size=4096 --name=lv_home
Above, I specify that the volume group on the first disk on the system will be called vg00, and each file system will be a logical volume inside vg00 (with the exception of /boot).