Features

Managing systems with Spacewalk

Moon Landing

When your system landscape reaches a certain size, managing Linux systems manually is time-consuming and impractical. Enter Spacewalk: an open source tool that takes the footwork out of network management.

By Thorsten Scherf

Spacewalk [1] is the open source derivative of the popular Red Hat Network Satellite Server. Red Hat published the code for the server in the summer of 2008, and the community has now released version 1.0. The application's core tasks include software provisioning, managing configuration files, and kickstart trees, thus supporting the installation of bare-metal systems.

The approach that Spacewalk uses is quite simple: Before a system can access Spacewalk's resources, it first has to register with the server. Registration can be based either on a username/password combination for the server or on an activation key that is pregenerated by the Spacewalk server. After registration, the system appears in the server's web GUI. If the server has more resources, you can assign them to the system at this point. Resources include software packages or configuration files that are normally organized in channels. A system always has exactly one base channel with optional subchannels. The base channel contains the packages of an RPM-based distribution, such as Red Hat Enterprise Linux, Fedora, or CentOS. The subchannels contain additional software packages that are independent of the operating system. Spacewalk can clone existing channels and create new channels from scratch. This feature gives you full control of the software stack that you provide via Spacewalk. Configuration channels help you distribute the

2 Issue 01-2010 Admin Spacewalk Features

configuration files for the software packages. Spacewalk also keeps older versions of the files to let you roll back to a previous version at any time if the need arises.

The software packages or configuration files can be installed either via the target system or centrally in the Spacewalk web front end. To avoid spending too much time on the installation of a large number of systems, you can assign systems to logical groups and apply the installation of a resource to a group. For example, it might make sense to assign all your web servers to a WWW-Server group in Spacewalk. When a new version of the web server software is released, you would simply tell Spacewalk to apply the update to the group, automatically updating all the systems belonging to the group.

The installation uses polling by default; in other words, the client systems query the server at a predefined interval (which defaults to four hours) to see if new actions have been defined since the last poll. If so, Spacewalk then runs these actions. As an alternative, you can trigger the installation of software packages and other actions using a push approach. The client system and the Spacewalk server then talk to each other constantly using the Jabber protocol, and any new actions you define are run on the client immediately.

Ground Control

Communications are always from the client to the server; this is important with respect to firewall rules. A list of the network ports you need to enable can be found online [2]. Besides software package or configuration file installation, actions can also run arbitrary commands on the individual systems via the Spacewalk server. For example, after creating a new configuration file for your web servers and distributing it to the systems, you need to restart the web server process to parse the new configuration instructions. Instead of logging in to each individual system or using a for loop, simply issue the restart command centrally on the Spacewalk server.

Installing new systems is also quite simple. Spacewalk has the installation files you need in the form of kickstart trees. The installation candidate uses a boot medium such as a CD, a USB stick, or a PXE-capable network card to contact the server. The First-Stage Installer, which is part of the installation medium, defines which server will handle the installation. The remaining installation steps are handled by the Second-Stage Installer, which is located on the Spacewalk server and transferred to the client system when the installation starts. If you want to automate the installation fully, define the kickstart file location in the boot medium. The kickstart file is a kind of answer file that describes the properties of the installation candidate, such as partitioning, software, language, and firewall settings. Of course, you can create a kickstart file on the Spacewalk server and just include a link to the file on the boot medium.

Spacewalk can manage any RPM-based distribution. You even have the option of operating client systems across multiple organizations. Using the web interface, the administrator creates various organizations and assigns a certain number of system entitlements to them. Entitlements are linked to certificates that Spacewalk automatically generates during the installation. You can then add users to the organizations. If a client is registered with a user account from a specific organization, the system is assigned to this organization. When users from the organization log into the Spacewalk server, they will only see the systems in their own organization. This feature is useful if you manage multiple departments and prefer to manage the systems in the individual departments separately. You just assign them to different organizations, which, of course, you need to create up front.

Installation

Spacewalk can be installed on Red Hat Enterprise Linux (RHEL) [3], Fedora [4], or CentOS [3]. Note that Spacewalk does need a current Java Runtime, version 1.6.0 or newer. You can use the OpenJDK for this; Fedora includes it out of the box. Admins on RHEL or CentOS can retrieve the package via the additional EPEL (Extra Packages for Enterprise Linux) software repository. Besides the Java package, an Oracle 10g database is also required for installing Spacewalk. Oracle XE provides a free version of the database. The developers are currently working hard on implementing support for an open source database after identifying PostgreSQL as the best alternative to Oracle. As of this writing it is hard to say when official support for PostgreSQL will be available, but it makes sense to check the roadmap [5] or the mailing lists [6] at regular intervals.

Oracle XE

After installing the repository RPM for your distribution, the first step is to install Oracle Express, which you can download for free [7]. You will need version 10.2.0.1. Besides the database, you also need the oracle-instantclient-basic and oracle-instantclient-sqlplus packages, which you can then install with yum:

    yum localinstall --nogpgcheck oracle-xe-univ*.rpm oracle-instantclient-basic*.rpm oracle-instantclient-sqlplus*.rpm

Listing 1: Oracle Listener Configuration

    cat >> /etc/tnsnames.ora << 'EOF'
    XE =
      (DESCRIPTION =
        (ADDRESS_LIST =
          (ADDRESS = (PROTOCOL = TCP)(HOST = localhost)(PORT = 1521))
        )
        (CONNECT_DATA =
          (SERVICE_NAME = xe)
        )
      )
    EOF

Before configuring the database, you should make sure that your hostname points to the correct IP address in your /etc/hosts to avoid problems


with the Oracle Listener configuration later on. Use the following parameters for the configuration:

    HTTP port for Oracle Application Express: 9055
    Database listener port: 1521
    Password for SYS/SYSTEM: Password
    Start at boot: y

The default HTTP port for the Oracle Express application (8080) is already occupied by the Tomcat application server, so you need to choose an alternative port to avoid conflicts. To talk to the database, you need to configure the listener in the /etc/tnsnames.ora file (Listing 1).

Now you just need to make a few changes to the database. To do this, log in to the database with sqlplus and create a spacewalk user, to which you could assign a password of spacewalk (Listing 2). The standard configuration of Oracle Express supports a maximum of 40 simultaneous connections, which is not enough for Spacewalk operations. The instructions in Listing 3 change the limit to a maximum of 400 connections. Now you need to restart the database with the /sbin/service oracle-xe restart command.

Spacewalk Setup

The next step is to install the Spacewalk server. To do so, you need to include the Spacewalk repository as described previously. You should have a spacewalk.repo file that points to the appropriate repository in /etc/yum.repos.d/. The following command starts the installation:

    yum install spacewalk-oracle

Because this package depends on all the other Spacewalk packages, the package manager will automatically download and install the dependencies in the next step. Then you can configure the application interactively with the setup tool or with the use of an answer file (Listing 4). Pass the file in to the setup tool as follows:

    spacewalk-setup --disconnected --answer-file=answerfile

The configuration can take some time to complete as the process sets up the database tables. The setup tool then launches all the required services. You can manually restart them using the /usr/sbin/rhn-satellite tool. To configure the system, launch the Spacewalk web interface via its URL (http://spacewalk.server.tld). Besides contact information, you can also set the password for the Spacewalk administrator here.

Software Channels

The next step is to set up an initial software channel for the client systems. When you register a client, you must specify exactly one base channel for the client; it will use this channel to retrieve its operating system packages and their updates. Of course, you can set up subchannels for the base channel and assign the subchannels to clients as needed. After doing so, you can use the subchannels to distribute more RPM packages to the systems. The packages can be your own creations or RPMs from other repositories.

The easiest approach to setting up a software channel is to use the web interface (Channels | Manage Software Channels | Create; Figure 1). Thanks to the Spacewalk API, you can also script this process [8]. Call the script as follows:

    create_channel.py --label=fedora-12-i386 --name "Fedora 12 32-bit" --summary "32-bit Fedora 12 channel"

In the script, you need to provide the Fully Qualified Domain Name (FQDN) for the Spacewalk server and the user account for creating the channels, such as the Spacewalk administrator account created previously. The Users tab also gives you the option of creating more users with specific privileges (Figure 2).

The channel you set up should now be visible in the Channels tab of the web interface but will not contain any software packages. Although you can upload software packages to the Spacewalk server in several ways, the method you choose will depend on whether the packages are available locally (e.g., on DVD) or you want to synchronize a remote Yum repository with the Spacewalk server. If you choose the local upload, you can use the

Listing 2: Creating the Spacewalk User

    sqlplus 'sys@xe as sysdba'
    SQL> create user spacewalk identified by spacewalk default tablespace users;
    SQL> grant dba to spacewalk;
    SQL> quit

Listing 3: Oracle Tuning

    sqlplus spacewalk/spacewalk@xe
    SQL> alter system set processes = 400 scope=spfile;
    SQL> alter system set "_optimizer_filter_pred_pullup"=false scope=spfile;
    SQL> alter system set "_optimizer_cost_based_transformation"=off scope=spfile;
    SQL> quit

Figure 1: The easiest approach to setting up a software channel is to use the web graphical interface.
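The spacewalk-setup answer file (Listing 4) is plain key = value text, and the walkthrough values in it (db-password and ssl-password both set to spacewalk) are placeholders. The following added example, which is not part of Spacewalk, parses a file in that format and reports such values before the setup tool writes them into the database and the CA; which keys it treats as required and which values it treats as placeholders are this example's own choices.

```python
"""Check a spacewalk-setup answer file before feeding it to
spacewalk-setup --answer-file.  Added example, not part of Spacewalk: the
key names are the ones from the article's Listing 4, and which keys count
as required and which values count as placeholders is decided here."""
import re
import sys

REQUIRED = ("admin-email", "db-backend", "db-user", "db-password", "db-sid",
            "db-host", "db-port", "db-protocol", "ssl-set-org",
            "ssl-set-country", "ssl-password")
# Values that belong in a walkthrough, not on a server anyone else can reach.
PLACEHOLDER_VALUES = {"", "spacewalk", "password", "changeme", "secret"}
LINE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_answer_file(text):
    """Return {key: value}; accepts both 'key = value' and 'key=value'."""
    answers = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = LINE.match(raw)
        if not match:
            raise ValueError("unparseable line: %r" % raw)
        answers[match.group(1)] = match.group(2)
    return answers

def check_answers(answers):
    """Return a list of findings; an empty list means the file passed."""
    findings = ["missing key: %s" % k for k in REQUIRED if k not in answers]
    for key in ("db-password", "ssl-password"):
        if key in answers and answers[key].lower() in PLACEHOLDER_VALUES:
            findings.append("%s is a placeholder value" % key)
    if answers.get("db-password") and answers["db-password"] == answers.get("db-user"):
        findings.append("db-password is identical to db-user")
    if answers.get("ssl-config-sslvhost", "").upper() != "Y":
        findings.append("ssl-config-sslvhost is not Y: no HTTPS virtual host")
    port = answers.get("db-port", "")
    if not (port.isdigit() and 0 < int(port) < 65536):
        findings.append("db-port is not a TCP port number: %r" % port)
    return findings

# The article's Listing 4, reproduced here as the sample input.
LISTING_4 = """\
admin-email = root@localhost
ssl-set-org = Tuxgeek Org
ssl-set-org-unit = Tuxgeek OU
ssl-set-city = Essen
ssl-set-state = NRW
ssl-set-country = DE
ssl-password = spacewalk
ssl-set-email = root@localhost
ssl-config-sslvhost = Y
db-backend=oracle
db-user=spacewalk
db-password=spacewalk
db-sid=xe
db-host=localhost
db-port=1521
db-protocol=TCP
enable-tftp=Y
"""

if __name__ == "__main__":
    # Pass a path to check a real file; without one, the listing is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else LISTING_4
    for finding in check_answers(parse_answer_file(text)) or ["no findings"]:
        print(finding)
```

Run against Listing 4 it reports three findings, all about the password values; a file with real passwords and the remaining keys unchanged passes cleanly.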


rhnpush tool, which you launch as follows:

    rhnpush -v --channel=fedora-13-i386 --server=http://localhost/APP --dir=/path/to/the/packages

To synchronize with a remote software repository, you simply need to specify the URL for the remote repository in the software channel properties in the web interface (Channels | Manage Software Channels | Fedora 12 32-bit). Synchronization can take a while. Your other option here is the spacewalk-repo-sync command-line tool, which downloads software packages from a Yum repository to your own Spacewalk server. To keep the server up to date, you can use cron to run a script [9] at regular intervals. This script will check your configured software sources and automatically download any new packages. This approach removes the need for manual synchronization. Incidentally, you can use the method discussed here to set up subchannels, too.

Note that any RPM packages you build yourself must be digitally signed. Both the Spacewalk server and the Yum client application will reject unsigned packages by default. Although you can disable this feature, it makes more sense to work with digital signatures for security reasons. The rpm --resign command will sign the package for you; you must have GPG keys in place for the RPM tool. The ~/.rpmmacros file tells RPM the name and location of the key (Listing 5). To allow client systems to verify packages signed with this key, you need to deposit the public key on the Spacewalk server, preferably in /var/www/html/pub, which any client can access. The following command exports the public key from the GPG keyring:

    gpg --armor --export key-owner@example.com > /var/www/html/pub/rpm-gpg-key

To allow the existing client systems to access the software packages you just uploaded, you need to register them with the Spacewalk server. Start by installing the Spacewalk Client Repository RPM on the clients. Fedora 12 systems have a matching RPM [10], as do RHEL5 and CentOS5 [11]. On RHEL and CentOS, you also need to install the RPM for the EPEL repository [12] because the client tool dependencies might not resolve correctly otherwise. The following command installs the Yum repository file on a 32-bit Fedora 12 system:

    rpm -Uvh http://spacewalk.redhat.com/yum/1.0/Fedora/12/i386/spacewalk-client-repo-1.0-2.fc12.noarch.rpm

Then, use Yum to install the client tools:

    yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin

The easiest approach to registering a system on the server is to run the rhnreg_ks tool, which expects a registration key. You need to create the key up front on the Spacewalk server (Systems | Activation Key | Create Key). When you create a key, you can bind various resources to it, such as the Fedora 12 software channel just created here, or various configuration channels, if you have created some (Figure 3). Also, you can assign system groups to the key. Systems that use this key to register are granted access to the associated resources. To do so, specify the key you created during the registration process:

Figure 2: Assigning individual users different privileges on the Spacewalk server.

Listing 4: Answer File

    admin-email = root@localhost
    ssl-set-org = Tuxgeek Org
    ssl-set-org-unit = Tuxgeek OU
    ssl-set-city = Essen
    ssl-set-state = NRW
    ssl-set-country = DE
    ssl-password = spacewalk
    ssl-set-email = root@localhost
    ssl-config-sslvhost = Y
    db-backend=oracle
    db-user=spacewalk
    db-password=spacewalk
    db-sid=xe
    db-host=localhost
    db-port=1521
    db-protocol=TCP
    enable-tftp=Y

Figure 3: Various resources can be bound to the registration key. Systems that use the key are given access to the associated resources.


    rhnreg_ks --serverUrl=http://spacewalk.server.tld/XMLRPC --activationkey=key

If all of this worked correctly, you will see the system in the Systems tab of the server web interface. Viewing the system's properties should also show you the configured software channel. The easiest approach to checking whether access to the channel is working is to install a package from the channel. If this doesn't work, one possible issue could be that the client system is not using the Spacewalk server's CA certificate. The certificate is stored in http://spacewalk.server.tld/pub/ on the server and must be stored in /usr/share/rhn on the client side. The client configuration file in /etc/sysconfig/rhn/ needs a reference to the certificate. As before, you need to enter the name of the Spacewalk server. You only need to perform these steps on systems you have already installed. Any that you install from scratch via the Spacewalk server are automatically registered with the server as part of the installation process and can thus access the server immediately (Figure 4).

Kickstart Installation

To automate the installation of new client systems, you need two pieces of information on the Spacewalk server. One of them is a kickstart file with details of how to install the new system, including partitioning, the software selection, and other settings that you would need to provide for a manual install. The easiest way to create a kickstart file is to select Systems | Kickstart | Profiles in the web front end. After checking out the overview of existing profiles, you can also create a new profile. The kickstart distribution must be specified as part of the profile. This does not mean the RPM files that belong to the distribution you want to install, such as Fedora 12, but the basic installation files, like the installer tool itself. The software repositories you synchronized earlier will not normally provide a kickstart distribution, and this means creating the distribution on the Spacewalk server. Again, just navigate to Systems | Kickstart | Distributions in the web interface and point to the required files. The easiest way to provide the files is to mount an installation CD/DVD for your preferred distribution via the loopback device:

    mount -o loop /var/iso-images/Fedora-23-i386-DVD.iso /var/distro-trees/Fedora-12

When you create a Fedora 12 kickstart distribution, you simply point the Spacewalk server to the /var/distro-trees/Fedora-12 directory. If all of this works out, just point to the distribution you created when you made the kickstart file. When a client system is installed from scratch, it will automatically pick up the right files from this source.

Although there are a number of ways to install a Fedora 12 system from scratch, the easiest approach is to point any PXE requests by your clients to the Spacewalk server with the next-server setting. Thanks to Cobbler [13] integration, the Spacewalk server has a TFTP server and any kickstart profiles that you have set up. To confirm this, you can type cobbler profile list at the command line. When you boot a client system via a PXE-capable network card, you will automatically see a list of the existing

Figure 4: After completing the registration, the system appears in the Spacewalk server's web interface.

Listing 5: GPG Configuration for RPM

    cat .rpmmacros
    %_signature gpg
    %_gpg_name Thorsten Scherf

Figure 5: The system properties give you a neat option for handling a variety of administrative tasks for a system via the Spacewalk server.


kickstart profiles. To install the client, simply select the required profile from the list. The client is then automatically registered on the Spacewalk server. Existing systems can easily be reinstalled using:

    koan --replace-self --server=Spacewalk-Server --profile=Kickstart-Profile

This creates an entry in the system's bootloader menu and automatically selects the entry when the system reboots.

System Management

All of the systems registered on the Spacewalk server retrieve their software packages from this source, with no need to access external repositories. This method not only improves your security posture but also saves network bandwidth. With a registered system, you can customize various settings in the System Properties section (Figure 5). For example, you can assign new software or configuration channels, compare the installed software with profiles on other systems, or create snapshots as a backup that you can roll back later. Additionally, you can install new software or distribute configuration files from a centralized location. Thanks to the ability to assign registered systems to groups, you can point and click to do this for a large number of systems.

The rhnsd service on the systems queries the Spacewalk server at predefined intervals to check for new actions, such as software installations. When a system finds an action, it then executes it. If the osad service is enabled on the system, you can even run actions immediately without waiting for the polling interval to elapse. The client and the server then use the Jabber protocol for a continuous exchange.

Finally, don't forget the feature-rich Spacewalk API, which is accessible at http://Servername/rhn/apidoc/index.jsp on the installed server. This tool gives you access to a plethora of functions that are not available in the web interface. The API can be accessed with XML-RPC, which makes it perfect for your own scripts, in Python for example. A Python script [8] for creating a software channel is just one example of accessing the Spacewalk server via the API (Figure 6).

Conclusions

Spacewalk gives administrators a very powerful tool for managing large-scale Linux landscapes. It facilitates many daily tasks, such as the installation of software updates or uploading of configuration files. Advanced features, such as channel cloning, make it possible to put any software through a quality assurance process before rolling it out to your production systems. Thanks to the comprehensive API, many tasks can also be scripted.

Info

[1] Spacewalk project homepage: https://fedorahosted.org/spacewalk
[2] Spacewalk network ports: http://magazine.redhat.com/2008/09/30/tips-and-tricks-what-tcpip-ports-are-required-to-be-open-on-an-rhn-satellite-proxy-or-client-system/
[3] RHEL5, CentOS5 Spacewalk Server Repository RPM: http://spacewalk.redhat.com/yum/1.0/RHEL/5/i386/spacewalk-repo-1.0-2.el5.noarch.rpm
[4] Fedora 12 Spacewalk Server Repository RPM: http://spacewalk.redhat.com/yum/1.0/Fedora/12/i386/spacewalk-repo-1.0-2.fc12.noarch.rpm
[5] Spacewalk Roadmap: http://fedorahosted.org/spacewalk/roadmap
[6] Spacewalk mailing list: http://www.redhat.com/spacewalk/communicate.html#lists
[7] Oracle XE: http://www.oracle.com/technology/software/products/database/xe/htdocs/102xelinsoft.html
[8] Spacewalk API script for creating a software channel: http://fedorahosted.org/spacewalk/attachment/wiki/UploadFedoraContent/create_channel.py
[9] Repository sync: http://fedorahosted.org/spacewalk/attachment/wiki/UploadFedoraContent/sync_repos.py
[10] Fedora 12 Spacewalk Client Repository RPM: http://spacewalk.redhat.com/yum/1.0/Fedora/12/i386/spacewalk-client-repo-1.0-2.fc12.noarch.rpm
[11] RHEL5 and CentOS5 Client Repository RPM: http://spacewalk.redhat.com/yum/1.0/RHEL/5/i386/spacewalk-client-repo-1.0-2.el5.noarch.rpm
[12] EPEL Repository: http://download.fedora.redhat.com/pub/epel/5/i386/epel-release-5-3.noarch.rpm
[13] Cobbler: https://fedorahosted.org/cobbler/
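The System Management section notes that the API is reachable over XML-RPC from Python. The following added example (not the create_channel.py script from [8]) performs the channel creation from the Software Channels section through the API and logs the session out on every path, including a failed call; the host name and credentials are assumptions, and the in-memory stand-in for the server exists only so the code runs offline.

```python
"""Create a Spacewalk software channel over the XML-RPC API.  Added example, not
the create_channel.py script from [8]: the endpoint /rpc/api and the calls
auth.login, channel.software.create, channel.listAllChannels and auth.logout
are Spacewalk's own; the host name and the credentials are assumptions."""
import xmlrpc.client  # Python 3 name of the xmlrpclib module
from types import SimpleNamespace

API_URL = "https://spacewalk.server.tld/rpc/api"  # assumed host name

def create_channel(api, user, password, label, name, summary,
                   arch="channel-ia32", parent=""):
    """Log in, create the channel, return the labels now on the server.  The
    session key is a credential: the finally block invalidates it on any path."""
    key = api.auth.login(user, password)
    try:
        api.channel.software.create(key, label, name, summary, arch, parent)
        return sorted(c["label"] for c in api.channel.listAllChannels(key))
    finally:
        api.auth.logout(key)

def fake_api(valid_user="admin", valid_password="secret"):
    """Constructed in-memory stand-in for the server (made-up fault codes)."""
    state = {"channels": [], "sessions": set()}

    def login(user, password):
        if (user, password) != (valid_user, valid_password):
            raise xmlrpc.client.Fault(1, "bad credentials")
        key = "session-%d" % (len(state["sessions"]) + 1)
        state["sessions"].add(key)
        return key

    def logout(key):
        state["sessions"].discard(key)
        return 1

    def create(key, label, name, summary, arch, parent):
        if key not in state["sessions"]:
            raise xmlrpc.client.Fault(2, "invalid session")
        if any(c["label"] == label for c in state["channels"]):
            raise xmlrpc.client.Fault(3, "channel label already in use")
        state["channels"].append({"label": label, "name": name})
        return 1

    def list_all(key):
        return [dict(c) for c in state["channels"]]

    api = SimpleNamespace(
        auth=SimpleNamespace(login=login, logout=logout),
        channel=SimpleNamespace(listAllChannels=list_all,
                                software=SimpleNamespace(create=create)))
    return api, state

def demo():
    """Create the article's channel, then retry the same label: the retry must
    fail with a Fault and must still leave no session open on the server."""
    api, state = fake_api()
    labels = create_channel(api, "admin", "secret", "fedora-12-i386",
                            "Fedora 12 32-bit", "32-bit Fedora 12 channel")
    try:
        create_channel(api, "admin", "secret", "fedora-12-i386", "dup", "dup")
        duplicate_rejected = False
    except xmlrpc.client.Fault:
        duplicate_rejected = True
    return {"labels": labels, "duplicate_rejected": duplicate_rejected,
            "open_sessions": len(state["sessions"])}

if __name__ == "__main__":
    print(demo())  # real server: api = xmlrpc.client.ServerProxy(API_URL)
```

Against a live server, pass xmlrpc.client.ServerProxy(API_URL) as api and read the credentials from the environment rather than the source file.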

Figure 6: An XML-RPC interface opens up a huge selection of Spacewalk server functions via the programmable API.

The Author

Thorsten Scherf is a Senior Consultant for Red Hat EMEA. You can meet him as a speaker at conferences. He is also a keen marathon runner whenever time permits.
