Hands-on Lab: System Management with Spacewalk 2.6

Version 2

    Introduction

     

    In this Hands-on Lab, you will learn the basics of systems management using Spacewalk 2.6:

     

    • initial Repository and Software Channel creation
    • syncing Software Channels with upstream repository sources
    • creating and configuring a Spacewalk activation key
    • registering an Oracle Linux server to Spacewalk
    • running yum commands
    • installing and testing the Spacewalk OSAD client
    • installing and configuring the Spacewalk Configuration client
    • creating a configuration channel in Spacewalk and deploying configuration files
    • running an OpenSCAP-based audit

     

    Spacewalk is an open source systems management solution for Linux. It manages software content updates for Linux distributions derived from Red Hat Enterprise Linux including Oracle Linux, CentOS, Scientific Linux and Fedora. It allows you to synchronize updates from upstream sources, then store and deploy those updates to your local servers.

     

    You can stage software content, including updates and configuration files through different environments. The deployment of updates to registered servers is centrally controlled and the Spacewalk web interface shows a unified view of all registered servers and their associated software update status. You can also trigger software updates and remote actions via the web interface.

     

    In addition, Spacewalk provides entire lifecycle management functionality via bare-metal and virtual server provisioning using the standard PXE and Kickstart tools. Servers that are provisioned using Spacewalk are automatically registered and monitored after installation.

     

    To support very large enterprise deployments, you can connect multiple Spacewalk servers together using Inter-Spacewalk Sync (ISS). Spacewalk also provides the Spacewalk Proxy server to support geographically-distributed client servers. Spacewalk Proxy servers cache and distribute content, reducing the load on the central Spacewalk servers and improving download times for local servers.

     

    For more information on Spacewalk, visit the Spacewalk community website.

     

    Requirements

     

    Unbreakable Linux Network Access

     

    This lab is designed to sync content from the Unbreakable Linux Network. You will need an Oracle Single Sign-On account with ULN access to complete this lab.

     

    Virtual machine requirements

     

    If you're attending the Hands-On Lab at Oracle OpenWorld 2017, your laptop has already been set up and configured. Otherwise, download the virtual machine template from here: Oracle Linux VM Images for Hands-On Lab.

     

    This lab is designed to synchronize packages from both the Oracle Unbreakable Linux Network (ULN) as well as Oracle's Public Yum Repository. The lab does not include installation of Spacewalk itself as this is covered in the Spacewalk 2.6 for Oracle Linux 7 Installation Guide.

     

    Pre-requisite knowledge

     

    Attendees are expected to have basic Oracle Linux system administration skills, particularly regarding package management using RPM and yum.

     

    You should be familiar with the following Linux concepts and commands:

     

    • using the Linux terminal
    • using sudo to run commands as root
    • using the yum package management tool
    • using vi or nano to edit configuration files

     

    Lab structure

     

    As many activities in the lab are performed using the Spacewalk web interface, screenshots are provided for the initial exercises to assist with navigation and configuration.

     

    Once the initial exercises are completed, screenshots will no longer be provided as the content will change over time and static screenshots could be misleading.

     

    Initial login

     

    You should log into the virtual machine as the HOL User (holuser) using the password oracle.

     

    Next, open a Terminal session from Application -> System Tools -> Terminal and have the Firefox web browser open as well. As the lab instructions are web-based, it is recommended to have multiple Firefox windows or tabs open so that you can follow the instructions.

     

    Navigate to the Spacewalk web interface in Firefox: https://spacewalk.oracleworld.com.

     

    spacewalk-login-screen.png

     

    You should see the initial login screen. Use the following credentials to log in to Spacewalk:

     

    • Username: admin
    • Password: Oracle123

     

    After successfully logging in, Spacewalk displays the Overview page.

     

    spacewalk-overview.png

     

    Exercise: Create repositories and software channels

     

    Spacewalk requires all packages and metadata to be stored and managed locally, so the initial step is to configure upstream sources for package updates. These upstream sources can be the Oracle Unbreakable Linux Network (ULN), the Oracle Yum Server or any 3rd-party yum repository.

     

    Spacewalk uses the concept of Software Channels and Repositories to store packages and metadata. Client systems subscribe to Software Channels, while Software Channels themselves can be subscribed to one or more Repositories. In this way, you can create local channels that provide packages from a combination of sources. Care should be taken to ensure that the upstream repositories do not contain the same packages to reduce deployment complexity and confusion. It is recommended to connect a software channel to a single repository for simplicity.

     

    Spacewalk Software Channels are hierarchical: each client server is registered with a single base channel and can be subscribed to multiple child channels. A client can only subscribe to the child channels of its base channel.

     

    In this exercise, you will create repositories for the following ULN channels:

     

    • Oracle Linux 7 Update 4 Installation media set (x86_64)
    • Oracle Linux 7 Update 4 Patches (x86_64)
    • Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 (x86_64)

     

    You will also create a Spacewalk repository for the following Yum repository:

     

    • Spacewalk Client 2.6 for Oracle Linux 7 (x86_64)

     

    Once these repositories are created, the following Software Channel hierarchy will be created:

     

    • Oracle Linux 7 Update 4 Installation media set (x86_64)
      • Oracle Linux 7 Update 4 Patches (x86_64)
      • Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 (x86_64)
      • Spacewalk Client 2.6 for Oracle Linux 7 (x86_64)

     

    This will allow clients to subscribe to the Installation media set base channel as well as the individual child channels.

     

    Create the repositories

     

    Navigate to the Manage Repositories screen in the Spacewalk web interface by clicking on Channels (in the main menu bar), then Manage Software Channels in the left-hand menu and finally Manage Repositories. There are no repositories configured by default.

     

    spacewalk-manage-repos-empty.png

     

    Click Create Repository to start the creation process. The first repository you will create is the Oracle Linux 7 Update 4 Installation media set. Provide the following information:

     

    • Repository label: Oracle Linux 7 Update 4 installation media copy x86_64
    • Repository URL: uln:///ol7_x86_64_u4_base
    • Repository Type: uln

     

    spacewalk-create-repo-ol7u4-base.png

     

    ULN-based repositories use the uln:///<ULN_channel_label> syntax and the three / characters are intentional. You can find a list of channel labels via the ULN interface.

     

    Click the create repository button. Spacewalk will create the repository and return you to the repository edit screen. Click Manage Repositories to return to the list of repositories to see the newly created repository.

     

    Follow the above procedure to create the following ULN-based repositories:

     

    1. Oracle Linux 7 Update 4 Patches x86_64 with the ULN channel label ol7_x86_64_u4_patch
    2. UEK Release 4 for Oracle Linux 7 x86_64 with the ULN channel label ol7_x86_64_UEKR4

     

    spacewalk-repos-created.png

     

    Once all three ULN-based repositories are created, you can create the Yum-based repository for the Spacewalk 2.4 Client. The process is almost identical, except you use an http-based repository URL.

     

    spacewalk-create-sw26client-repo.png

     

     

    In production, you should only use yum repositories hosted on the Oracle Yum Server or trusted 3rd-party repositories.

     

    Once you have all four repositories created, you can begin to create the associated Software Channels.

     

    Create the base and child software channels

     

    As mentioned previously, Spacewalk uses a parent/child relationship for Software Channels. Client servers can only subscribe to a single base channel and can only subscribe to child channels of the selected base channel. In this exercise, we will create a single base channel and three child channels.

     

    Click Manage Software Channels in the left-hand menu. By default, there are no software channels configured in Spacewalk.

     

    spacewalk-manage-channels-empty.png

     

    Click Create Channel to start the process. We will begin by creating the base channel using the following details:

     

    • Channel Name: Oracle Linux 7 Update 4 installation media copy x86_64
    • Channel Label: ol7_x86_64_u4_base
    • Parent Channel: none
    • Architecture: x86_64
    • Yum Repository Checksum Type: sha256
    • Channel Summary: Oracle Linux 7 Update 4 installation media copy x86_64
    • Channel Description: All packages released on the Oracle Linux 7 Update 4 (x86_64) installation media. This channel does not contain updates.

     

    spacewalk-ol7u4-base-channel-top.png

     

    Ensure that you set the architecture field correctly, otherwise the channel will not be visible to the client you will register later in the lab. The architecture must match the architecture of the client.

     

    You can fill in your own (or dummy) information in the Contact/Support Information section. This information is displayed in the Spacewalk UI so that other users know who to contact if they have issues with the software contained in this channel.

     

    For the purposes of the lab, you do not need to make any changes to the Channel Access Control section. For production Spacewalk deployments, this section is used to determine who is permitted to use this channel and which organizations can access the channel. Multi-user and multi-organization deployment of Spacewalk is beyond the scope of this lab.

     

    It is strongly recommended that you configure the Security: GPG section in production to ensure that packages that are downloaded during the Spacewalk synchronization process have a valid security signature. You should configure the section using the following:

     

    • GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    • GPG key ID: EC551F03
    • GPG key Fingerprint: 4214 4123 FECF C55B 9086  313D 72F9 7B74 EC55 1F03

     

    spacewalk-create-channel-ol7u4-base-gpgkeys.png

     

    You can find the GPG key ID and fingerprint for each Oracle Linux major version on the Oracle Yum Server. Note that the GPG key ID and fingerprint are identical for Oracle Linux 6 and 7. Oracle Linux installs the key itself by default at /etc/pki/rpm-gpg/RPM-GPG-KEY and, for security purposes, it is recommended that you use the installed key instead of downloading a new one.
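    The following POSIX shell script is an added example and not part of the lab: it verifies that the key installed at /etc/pki/rpm-gpg/RPM-GPG-KEY actually carries the fingerprint you are about to type into the Security: GPG section, and derives the 8-character key ID from the fingerprint so the two values cannot disagree. It assumes GnuPG (gpg) is installed and that gpg prints "fpr" records in --with-colons mode; the function names are my own.

```shell
#!/bin/sh
# Normalise a GPG fingerprint: strip spaces and upper-case it, so the value
# shown on the Oracle Yum Server page ("4214 4123 FECF ...") compares equal
# to the value gpg prints ("42144123FECF...").
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# The 8-character key ID Spacewalk asks for is the last 8 hex digits of the
# 40-digit fingerprint; derive it instead of copying it separately.
key_id_from_fpr() {
    fpr=$(normalize_fpr "$1")
    printf '%s' "$fpr" | tail -c 8
}

# Fingerprint(s) of the keys in a key file, via gpg's machine-readable output.
# Assumption: gpg is installed and emits "fpr" records with the fingerprint
# in field 10 (GnuPG 2.x behaviour).
fpr_of_keyfile() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Compare the installed key file against the expected fingerprint and key ID.
# Returns 0 only when both match; otherwise reports what differs.
verify_keyfile() {
    keyfile="$1"
    expected_fpr=$(normalize_fpr "$2")
    expected_id=$(normalize_fpr "$3")
    actual_fpr=$(fpr_of_keyfile "$keyfile" | head -n 1)
    if [ -z "$actual_fpr" ]; then
        echo "could not read a fingerprint from $keyfile"
        return 1
    fi
    if [ "$actual_fpr" != "$expected_fpr" ]; then
        echo "fingerprint mismatch: got $actual_fpr, expected $expected_fpr"
        return 1
    fi
    actual_id=$(key_id_from_fpr "$actual_fpr")
    if [ "$actual_id" != "$expected_id" ]; then
        echo "key ID mismatch: fingerprint ends in $actual_id, expected $expected_id"
        return 1
    fi
    echo "OK: $keyfile matches $expected_fpr (key ID $expected_id)"
}

# Usage (hypothetical script name):
#   sh verify-gpg-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY \
#      "4214 4123 FECF C55B 9086  313D 72F9 7B74 EC55 1F03" EC551F03
if [ "$#" -eq 3 ]; then
    verify_keyfile "$1" "$2" "$3"
fi
```

    Run it before filling in the GPG fields; a mismatch means the key on disk is not the one whose fingerprint you were given, and packages signed with it should not be trusted until that is resolved.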

     

    Click the Create Channel button once you have completed all the required fields. Spacewalk will create the channel and return you to the channel edit screen for the newly created channel. Click Manage Software Channels in the left-hand menu to return to the Software Channel list.

     

    You will now create your first child channel. Click the create new channel link and enter the following details:

     

    • Channel Name: Oracle Linux 7 Update 4 Patch x86_64
    • Channel Label: ol7_x86_64_u4_patch
    • Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64
      • You will notice that when you select a parent channel, the Architecture and Yum Repository Checksum Type are automatically selected.
    • Channel Summary: Oracle Linux 7 Update 4 Patch x86_64
    • Channel Description: Updated packages published after the release of Oracle Linux 7 Update 4 (x86_64).

     

    Use the same Security: GPG settings as the Installation media set channel.

     

    spacewalk-create-channel-ol7u4-patch.png

     

    Repeat the above procedure for the remaining software channels:

     

    • Channel Name and Channel Summary: Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 x86_64
    • Channel Label: ol7_x86_64_uekr4
    • Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64

     

    Note that Spacewalk channel labels can only contain lowercase letters, so this channel label differs from its upstream repository label.

     

    • Channel Name and Channel Summary: Spacewalk Client 2.6 for Oracle Linux 7 x86_64
    • Channel Label: ol7_x86_64_spacewalk26_client
    • Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64

     

    Once a channel is created, you cannot change whether it is a base or child channel. If you forget to select the correct parent channel, you will need to delete and recreate the channel. Once you have completed this exercise, you should have all four channels created, with a single base and three child channels as shown in the following screenshot:

     

    spacewalk-channels-created.png

     

    Do not continue the lab until your software channel list matches the example.

     

    Exercise: Configure ULN credentials

     

    Before you can synchronize with ULN, you need to configure the credentials that Spacewalk should use when connecting. These credentials are stored in a file that is only readable by the root user. You should ensure that this file is suitably protected by setting the permissions accordingly:

     

    Using a text editor, open /etc/rhn/spacewalk-repo-sync/uln.conf:

     

    [holuser@spacewalk ~]$ sudo vim /etc/rhn/spacewalk-repo-sync/uln.conf
    [main]
    username = <Oracle SSO email address>
    password = <Password>

     

    Replace the placeholders in this file with your real ULN credentials before continuing. This file is read-only (mode 0400) by default, so you will need to force the save as root using the :wq! command in vim.
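    As an added check that is not part of the lab, the following POSIX shell script confirms that uln.conf is owned by the expected user (root by default), is readable only by its owner, and no longer contains the placeholder password. It assumes GNU coreutils stat (the -c format option); the function name is my own.

```shell
#!/bin/sh
# Check that a credentials file is owned by EXPECTED_OWNER (default root),
# has mode 0400 or 0600, and does not still hold the "<Password>" placeholder.
# Usage: check_secret_file FILE [EXPECTED_OWNER]
# Returns 0 when the file is acceptable, 1 otherwise, printing each problem.
check_secret_file() {
    f="$1"
    want_owner="${2:-root}"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 1
    fi
    # Assumption: GNU stat. On BSD/macOS use: stat -f '%Su' and stat -f '%Lp'.
    owner=$(stat -c '%U' "$f")
    mode=$(stat -c '%a' "$f")
    status=0
    if [ "$owner" != "$want_owner" ]; then
        echo "bad owner on $f: $owner (expected $want_owner)"
        status=1
    fi
    case "$mode" in
        400|600) ;;   # owner-only read (and optionally write): acceptable
        *)
            echo "bad mode on $f: $mode (expected 400 or 600)"
            status=1
            ;;
    esac
    # A placeholder left in place means the ULN sync will fail to authenticate.
    if grep -q '<Password>' "$f"; then
        echo "placeholder password still present in $f"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $f"
    return "$status"
}

# Run as: sh check-uln-conf.sh /etc/rhn/spacewalk-repo-sync/uln.conf
if [ "$#" -gt 0 ]; then
    check_secret_file "$@"
fi
```

    The mode check is deliberately strict: a group- or world-readable uln.conf exposes the ULN password to every local account, and 0400 is what the lab's file ships with.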

    Exercise: Trigger the initial sync of the software channels

     

    Now that your software channels are created, we need to link them to the appropriate repository and trigger the initial sync. Spacewalk should be configured in production to sync on a regular basis. As the Spacewalk web interface does not provide any progress information during a sync, you should have a Terminal window open to monitor the sync logs during this exercise.

     

    In the Terminal, use sudo su - to become the root user and change directory to /var/log/rhn/reposync. The sync logs are contained in this directory. The OpenWorld virtual machine already contains log files, as the Spacewalk instance was pre-seeded with packages for performance reasons.

     

    Tail the ol7_x86_64_u4_base.log file:

     

    [root@spacewalk ~]# tail -F /var/log/rhn/reposync/ol7_x86_64_u4_base.log

     

    The time for initial sync outside of this lab environment is dependent on network bandwidth and server resources and can take anywhere from several hours to several days.

     

    Switch back to Firefox to continue the exercise.

     

    From Manage Software Channels, click the Oracle Linux 7 Update 4 installation media copy x86_64 channel and navigate to the Repositories tab.

     

    spacewalk-base-channel-enable-repo.png

     

    Click the checkbox next to Oracle Linux 7 Update 4 installation media copy x86_64 and then click the Update Repositories button. This associates the repository with the software channel, so when a sync is triggered, the contents of the repository are added to this software channel. It's possible to enable multiple repositories in a single software channel, but this requires advanced knowledge of yum dependency analysis and is not recommended.

     

    Once you have saved the repository selection, click the Sync tab. This screen allows you to trigger an immediate sync or schedule a task to sync the repository. For the purposes of the lab, check the Sync only latest packages checkbox, then click the Sync Now button. In production you should schedule synchronization of the Oracle Linux repositories daily. If you have multiple repositories, you should offset the schedule times so they do not overlap.

     

    spacewalk-base-channel-sync.png

     

    After clicking the Sync Now button, switch back to your terminal to monitor the sync activity. Spacewalk will connect to ULN to retrieve the list of packages and then start downloading each package. In this exercise, we have pre-seeded the packages in the virtual machine to reduce the download time as much as possible. Spacewalk also displays a progress bar within the web UI.

     

    Wait for the "Sync completed." message to appear in the log before continuing.

     

    Repeat this process for the remaining three software channels. Note that the Oracle Linux 7 Update 4 Patches channel will take the longest to complete, as new packages will have been published between the time the virtual machine image was created and now. It could take between 15 and 25 minutes, or longer, for this process to complete. Ensure that the Sync only latest packages checkbox is checked for all channels to reduce the overall time required to sync from ULN.

     

    Spacewalk will only sync a single software channel at a time, so wait for each channel to complete before moving onto the next channel.

     

    Exercise: Creating and configuring an activation key

     

    Once you have completed the initial sync of all four channels, you can create an activation key. An activation key is used by the Spacewalk client to register a server with Spacewalk. An activation key is tied to a specific base channel (and optional child channels) and is used to determine channel subscription during activation. For example, you can have multiple activation keys with the same base channel, but specify different child channel subscriptions.

     

    Navigate to the Activation Keys page by clicking on the Systems tab and selecting Activation Keys in the left-hand menu. There are no activation keys created by default. Click Create Key to begin the process.

     

    spacewalk-create-activation-key.png

     

    Use the following details to complete the activation key fields:

     

    • Description: Oracle Linux 7 Update 4 (x86_64)
    • Key: oraclelinux7-u4-x86_64

     

    Spacewalk can automatically generate keys, but it is recommended to use a particular key name for ease of identification later.

     

    • Usage: -- blank --
    • Base Channels: Oracle Linux 7 Update 4 installation media copy x86_64
    • Add-on Entitlements: -- unchecked --
    • Universal default: -- unchecked --

     

    In Spacewalk 2.6 there is only the Virtualization entitlement available. Enabling this entitlement tells Spacewalk to install additional packages onto any server registered with this key to allow Spacewalk to enumerate any guest virtual machines that may be running on that server. This is useful for machines that host KVM-based virtual machines.

     

    Once you have provided the details above, click the Create Activation Key button to complete the process. Once the key has been created, click the Child Channels tab. This screen determines which (if any) of the child channels should be subscribed during activation of a system using this activation key. Select all three available channels and click the Update Key button.

     

    spacewalk-activation-key-child-channels.png

     

    An activation key is not mandatory in order to register clients to Spacewalk, but it does make the process much simpler. Activation keys can also trigger automatic package installation when used to register a server. Now that you have created an activation key, we can register a client.

     

    Exercise: Registering a client server

     

    Registration to Spacewalk can be done manually or via the provisioning process. In this lab, we will perform a manual registration, as the virtual machine has already been provisioned.

     

    Switch to the Terminal and use sudo to become root (if not already root):

     

    [holuser@spacewalk ~]$ sudo su -
    Last login: Fri Sep  1 06:54:45 AEST 2017 on pts/2
    [root@spacewalk ~]#
    

     

    Run the following command:

     

    [root@spacewalk ~]# rhnreg_ks --serverUrl=https://spacewalk.oracleworld.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-oraclelinux7-u4-x86_64

     

    The activation process can take several minutes as the local software inventory is collected and sent to Spacewalk. Once the prompt returns, switch back to Firefox and click the Systems tab. You should now see the VM listed. Notice that there are updates available for the server. We will demonstrate several patching mechanisms in upcoming exercises to deploy those updates to the server.

     

    Exercise: Running yum commands manually on the client

     

    Once the client is successfully registered to Spacewalk, you are able to run the yum tool to perform actions using the packages available via Spacewalk.

     

    List all the subscribed channels

     

    Run the following yum command:

     

    [root@spacewalk ~]# yum repolist
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
    repo id                                                            repo name                                                                                              status
    ol7_x86_64_spacewalk26_client                                      Spacewalk Client 2.6 for Oracle Linux 7 x86_64                                                            28
    ol7_x86_64_u4_base                                                 Oracle Linux 7 Update 4 installation media copy x86_64                                                 5,010
    ol7_x86_64_u4_patch                                                Oracle Linux 7 Update 4 Patch x86_64                                                                     147
    ol7_x86_64_uekr4                                                   Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 x86_64                                         72
    repolist: 5,257
    

     

    List all available updates

     

    Run the following yum command:

     

    [root@spacewalk ~]# yum list updates
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
    Updated Packages
    bind-libs.x86_64                                                                         32:9.9.4-51.el7                                                     ol7_x86_64_u4_patch
    bind-libs-lite.x86_64                                                                    32:9.9.4-51.el7                                                     ol7_x86_64_u4_patch
    bind-license.noarch                                                                      32:9.9.4-51.el7                                                     ol7_x86_64_u4_patch
    bind-utils.x86_64                                                                        32:9.9.4-51.el7                                                     ol7_x86_64_u4_patch
    evince.x86_64                                                                            3.22.1-5.2.el7_4                                                    ol7_x86_64_u4_patch
    evince-libs.x86_64                                                                       3.22.1-5.2.el7_4                                                    ol7_x86_64_u4_patch
    evince-nautilus.x86_64                                                                   3.22.1-5.2.el7_4                                                    ol7_x86_64_u4_patch
    firefox.x86_64                                                                           52.3.0-2.0.1.el7_4                                                  ol7_x86_64_u4_patch
    gdm.x86_64                                                                               1:3.22.3-12.el7                                                     ol7_x86_64_u4_patch
    java-1.8.0-openjdk.x86_64                                                                1:1.8.0.141-2.b16.el7_4                                             ol7_x86_64_u4_patch
    java-1.8.0-openjdk-headless.x86_64                                                       1:1.8.0.141-2.b16.el7_4                                             ol7_x86_64_u4_patch
    kernel.x86_64                                                                            3.10.0-693.1.1.el7                                                  ol7_x86_64_u4_patch
    ...
    qemu-img.x86_64                                                                          10:1.5.3-141.el7_4.1                                                ol7_x86_64_u4_patch
    qemu-kvm.x86_64                                                                          10:1.5.3-141.el7_4.1                                                ol7_x86_64_u4_patch
    qemu-kvm-common.x86_64                                                                   10:1.5.3-141.el7_4.1                                                ol7_x86_64_u4_patch
    sos.noarch                                                                               3.4-6.0.1.el7                                                       ol7_x86_64_u4_patch
    spice-server.x86_64                                                                      0.12.8-2.el7.1                                                      ol7_x86_64_u4_patch
    xmlsec1.x86_64                                                                           1.2.20-7.el7_4                                                      ol7_x86_64_u4_patch
    xmlsec1-openssl.x86_64                                                                   1.2.20-7.el7_4                                                      ol7_x86_64_u4_patch
    

    List all available security updates

     

    Run the following yum command:

     

    [root@spacewalk ~]# yum --security list updates
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
     --> spacewalk-oscap-2.6.1-1.el7.noarch from ol7_x86_64_spacewalk26_client excluded (updateinfo)
     --> spacewalk-koan-2.6.1-1.el7.noarch from ol7_x86_64_spacewalk26_client excluded (updateinfo)
    ...
     --> dtrace-modules-4.1.12-37.3.1.el7uek-0.5.2-1.el7.x86_64 from ol7_x86_64_uekr4 excluded (updateinfo)
     --> dtrace-modules-4.1.12-37.4.1.el7uek-0.5.2-1.el7.x86_64 from ol7_x86_64_uekr4 excluded (updateinfo)
    18 package(s) needed for security, out of 50 available
    Updated Packages
    evince.x86_64                                                                    3.22.1-5.2.el7_4                                                            ol7_x86_64_u4_patch
    evince-libs.x86_64                                                               3.22.1-5.2.el7_4                                                            ol7_x86_64_u4_patch
    evince-nautilus.x86_64                                                           3.22.1-5.2.el7_4                                                            ol7_x86_64_u4_patch
    firefox.x86_64                                                                   52.3.0-2.0.1.el7_4                                                          ol7_x86_64_u4_patch
    kernel.x86_64                                                                    3.10.0-693.1.1.el7                                                          ol7_x86_64_u4_patch
    ...
    qemu-kvm.x86_64                                                                  10:1.5.3-141.el7_4.1                                                        ol7_x86_64_u4_patch
    qemu-kvm-common.x86_64                                                           10:1.5.3-141.el7_4.1                                                        ol7_x86_64_u4_patch
    spice-server.x86_64                                                              0.12.8-2.el7.1                                                              ol7_x86_64_u4_patch
    xmlsec1.x86_64                                                                   1.2.20-7.el7_4                                                              ol7_x86_64_u4_patch
    xmlsec1-openssl.x86_64                                                           1.2.20-7.el7_4                                                              ol7_x86_64_u4_patch
    

    List CVEs fixed by available updates

     

    Run the following yum command:

     

    [root@spacewalk ~]# yum updateinfo list cves
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
     CVE-2017-1000083 security evince-3.22.1-5.2.el7_4.x86_64
     CVE-2017-1000083 security evince-libs-3.22.1-5.2.el7_4.x86_64
     CVE-2017-1000083 security evince-nautilus-3.22.1-5.2.el7_4.x86_64
     CVE-2017-7779    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7753    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7800    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7809    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7787    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7786    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7785    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7784    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7807    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7801    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7802    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7803    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7791    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7792    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7798    security firefox-52.3.0-2.0.1.el7_4.x86_64
     CVE-2017-7533    security kernel-3.10.0-693.1.1.el7.x86_64
     CVE-2017-7533    security kernel-tools-3.10.0-693.1.1.el7.x86_64
     CVE-2017-7533    security kernel-tools-libs-3.10.0-693.1.1.el7.x86_64
     CVE-2017-12134   security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
     CVE-2017-1000365 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
     CVE-2017-12134   security kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64
     CVE-2017-1000365 security kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64
     CVE-2017-12134   security kernel-uek-firmware-4.1.12-103.3.8.el7uek.noarch
     CVE-2017-1000365 security kernel-uek-firmware-4.1.12-103.3.8.el7uek.noarch
     CVE-2017-2885    security libsoup-2.56.0-4.el7_4.x86_64
     CVE-2017-7533    security python-perf-3.10.0-693.1.1.el7.x86_64
     CVE-2017-10664   security qemu-img-10:1.5.3-141.el7_4.1.x86_64
     CVE-2017-10664   security qemu-kvm-10:1.5.3-141.el7_4.1.x86_64
     CVE-2017-10664   security qemu-kvm-common-10:1.5.3-141.el7_4.1.x86_64
     CVE-2017-7506    security spice-server-0.12.8-2.el7.1.x86_64
     CVE-2017-1000061 security xmlsec1-1.2.20-7.el7_4.x86_64
     CVE-2017-1000061 security xmlsec1-openssl-1.2.20-7.el7_4.x86_64
    updateinfo list done
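    The CVE listing above is easier to act on once it is summarised per package. The following POSIX shell functions are an added example, not part of the lab or of yum: they read the output of yum updateinfo list cves from standard input, skip the plugin banner and trailer lines, and report distinct CVEs, distinct packages, the packages that fix a given CVE, and which packages fix the most CVEs. The sample input is a constructed subset of the lab output; the function names are my own.

```shell
#!/bin/sh
# Summarise "yum updateinfo list cves" output. All functions read stdin, so
# they work on the live command (yum updateinfo list cves | count_cves) or on
# a saved copy. Fixed collation keeps sort order predictable across locales.
export LC_ALL=C

# Constructed sample: a subset of the lab's "yum updateinfo list cves" output.
SAMPLE='Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
 CVE-2017-1000083 security evince-3.22.1-5.2.el7_4.x86_64
 CVE-2017-1000083 security evince-libs-3.22.1-5.2.el7_4.x86_64
 CVE-2017-7533    security kernel-3.10.0-693.1.1.el7.x86_64
 CVE-2017-7533    security kernel-tools-3.10.0-693.1.1.el7.x86_64
 CVE-2017-12134   security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
 CVE-2017-1000365 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
updateinfo list done'

# One "CVE-ID<TAB>package" line per record, deduplicated. Only lines whose
# first field looks like a CVE identifier are kept, so banners are ignored.
cve_pairs() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ { print $1 "\t" $3 }' | sort -u
}

# Number of distinct CVEs addressed by the available updates.
count_cves() {
    cve_pairs | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Number of distinct packages that carry at least one security fix.
count_packages() {
    cve_pairs | cut -f2 | sort -u | wc -l | tr -d ' '
}

# Packages that fix the given CVE, space-separated on one line (empty if none).
packages_for_cve() {
    cve_pairs | awk -F'\t' -v c="$1" '$1 == c { print $2 }' | tr '\n' ' ' | sed 's/ $//'
}

# Packages ordered by how many CVEs they fix (most first): a quick way to
# prioritise when a full "yum update" cannot be applied in one window.
cves_per_package() {
    cve_pairs | cut -f2 | sort | uniq -c | sort -rn
}

# Stand-alone run on the constructed sample. On a registered client use:
#   yum updateinfo list cves | cves_per_package
printf '%s\n' "$SAMPLE" | cves_per_package
```

    Pair this with yum --cve=<ID> update, as in the next step of the lab: packages_for_cve tells you in advance which packages that single-CVE update will touch.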
    

     

    Install patches required to fix a particular CVE

     

    Run the following yum command using a CVE chosen from the list generated in the previous example:

     

    [root@spacewalk ~]# yum -y --cve=CVE-2017-7533 update
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
     --> evince-3.22.1-5.2.el7_4.x86_64 from ol7_x86_64_u4_patch removed (updateinfo)
     --> libvirt-daemon-config-network-3.2.0-14.el7_4.2.x86_64 from ol7_x86_64_u4_patch removed (updateinfo)
    ...
     --> kernel-uek-4.1.12-103.3.8.el7uek.x86_64 from ol7_x86_64_uekr4 removed (updateinfo)
     --> kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64 from ol7_x86_64_uekr4 removed (updateinfo)
    4 package(s) needed (+0 related) for security, out of 50 available
    Resolving Dependencies
    --> Running transaction check
    ---> Package kernel.x86_64 0:3.10.0-693.1.1.el7 will be installed
    ---> Package kernel-tools.x86_64 0:3.10.0-693.el7 will be updated
    ---> Package kernel-tools.x86_64 0:3.10.0-693.1.1.el7 will be an update
    ---> Package kernel-tools-libs.x86_64 0:3.10.0-693.el7 will be updated
    ---> Package kernel-tools-libs.x86_64 0:3.10.0-693.1.1.el7 will be an update
    ---> Package python-perf.x86_64 0:3.10.0-693.el7 will be updated
    ---> Package python-perf.x86_64 0:3.10.0-693.1.1.el7 will be an update
    --> Finished Dependency Resolution
    
    
    Dependencies Resolved
    
    
    ================================================================================================================================================================================
     Package                                     Arch                             Version                                       Repository                                     Size
    ================================================================================================================================================================================
    Installing:
     kernel                                      x86_64                           3.10.0-693.1.1.el7                            ol7_x86_64_u4_patch                            43 M
    Updating:
     kernel-tools                                x86_64                           3.10.0-693.1.1.el7                            ol7_x86_64_u4_patch                           5.1 M
     kernel-tools-libs                           x86_64                           3.10.0-693.1.1.el7                            ol7_x86_64_u4_patch                           5.0 M
     python-perf                                 x86_64                           3.10.0-693.1.1.el7                            ol7_x86_64_u4_patch                           5.1 M
    
    
    Transaction Summary
    ================================================================================================================================================================================
    Install  1 Package
    Upgrade  3 Packages
    
    
    Total download size: 58 M
    Downloading packages:
    No Presto metadata available for ol7_x86_64_u4_patch
    (1/4): kernel-3.10.0-693.1.1.el7.x86_64.rpm                                                                                                              |  43 MB  00:00:00     
    (2/4): kernel-tools-3.10.0-693.1.1.el7.x86_64.rpm                                                                                                        | 5.1 MB  00:00:00     
    (3/4): kernel-tools-libs-3.10.0-693.1.1.el7.x86_64.rpm                                                                                                   | 5.0 MB  00:00:00     
    (4/4): python-perf-3.10.0-693.1.1.el7.x86_64.rpm                                                                                                         | 5.1 MB  00:00:00     
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                            75 MB/s |  58 MB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Updating   : kernel-tools-libs-3.10.0-693.1.1.el7.x86_64                                                                                                                  1/7 
      Updating   : kernel-tools-3.10.0-693.1.1.el7.x86_64                                                                                                                       2/7 
      Installing : kernel-3.10.0-693.1.1.el7.x86_64                                                                                                                             3/7 
      Updating   : python-perf-3.10.0-693.1.1.el7.x86_64                                                                                                                        4/7 
      Cleanup    : kernel-tools-3.10.0-693.el7.x86_64                                                                                                                           5/7 
      Cleanup    : kernel-tools-libs-3.10.0-693.el7.x86_64                                                                                                                      6/7 
      Cleanup    : python-perf-3.10.0-693.el7.x86_64                                                                                                                            7/7 
      Verifying  : python-perf-3.10.0-693.1.1.el7.x86_64                                                                                                                        1/7 
      Verifying  : kernel-tools-3.10.0-693.1.1.el7.x86_64                                                                                                                       2/7 
      Verifying  : kernel-tools-libs-3.10.0-693.1.1.el7.x86_64                                                                                                                  3/7 
      Verifying  : kernel-3.10.0-693.1.1.el7.x86_64                                                                                                                             4/7 
      Verifying  : kernel-tools-libs-3.10.0-693.el7.x86_64                                                                                                                      5/7 
      Verifying  : kernel-tools-3.10.0-693.el7.x86_64                                                                                                                           6/7 
      Verifying  : python-perf-3.10.0-693.el7.x86_64                                                                                                                            7/7 
    
    
    Installed:
      kernel.x86_64 0:3.10.0-693.1.1.el7                                                                                                                                            
    
    
    Updated:
      kernel-tools.x86_64 0:3.10.0-693.1.1.el7                 kernel-tools-libs.x86_64 0:3.10.0-693.1.1.el7                 python-perf.x86_64 0:3.10.0-693.1.1.el7                
    
    
    Complete!
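
    Two things are worth checking after a CVE-driven update like the one above: whether any package on the client still carries a fix for that CVE, and whether the newly installed kernel is actually running, since "yum --cve ... update" only puts kernel-3.10.0-693.1.1.el7 on disk and the old kernel keeps running until the next reboot. The following script is an added example, not part of the lab, that answers both questions from the "yum updateinfo list cves" output format shown earlier; the updateinfo lines embedded in it are copied from that listing, and on a live client you would pipe in the real command output instead.

```shell
#!/bin/sh
# Added example, not part of the lab. Helpers to audit the result of a
# CVE-driven update such as "yum -y --cve=CVE-2017-7533 update".
set -eu

# Constructed sample: lines copied from the "yum updateinfo list cves"
# listing in this lab. On a live client use:  yum updateinfo list cves
SAMPLE='CVE-2017-7533    security kernel-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533    security kernel-tools-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533    security kernel-tools-libs-3.10.0-693.1.1.el7.x86_64
CVE-2017-12134   security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-7533    security python-perf-3.10.0-693.1.1.el7.x86_64
CVE-2017-10664   security qemu-kvm-10:1.5.3-141.el7_4.1.x86_64
updateinfo list done'

# pkgs_for_cve CVE-ID
#   Reads updateinfo output on stdin and prints, one per line, the packages
#   whose security errata fix that CVE. Empty output means no pending
#   package references the CVE (e.g. after the update has been applied).
pkgs_for_cve() {
    awk -v cve="$1" '$1 == cve && $2 == "security" { print $3 }'
}

# kernel_reboot_needed RUNNING_VERSION INSTALLED_VERSION
#   A kernel installed by "yum --cve ... update" is only on disk; the
#   vulnerable kernel keeps running until reboot. Returns 0 (true) when the
#   two versions differ. Feed it "$(uname -r)" and the version yum installed.
kernel_reboot_needed() {
    [ "$1" != "$2" ]
}

# Demo run on the constructed sample.
echo "Packages carrying a fix for CVE-2017-7533:"
printf '%s\n' "$SAMPLE" | pkgs_for_cve CVE-2017-7533

installed="3.10.0-693.1.1.el7.x86_64"   # from the "Installed:" line above
if kernel_reboot_needed "$(uname -r)" "$installed"; then
    echo "Running kernel $(uname -r) differs from installed $installed: reboot required"
else
    echo "Running kernel already matches $installed"
fi
```

    On a client, run "yum updateinfo list cves | pkgs_for_cve CVE-2017-7533" after the update: an empty result means the errata no longer applies, while a non-empty result usually means a package was held back or the update was applied to a different channel.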
    

     

    Section 2.4 of the Oracle Linux 7 Administrator's Guide lists all the Yum commands that are available and provides more detailed explanations of each command.

     

    Exercise: Installing the OSA daemon

     

    By default, the rhnsd daemon on the client connects to Spacewalk every 4 hours to look for scheduled updates or actions. However, Spacewalk includes the OSA daemon which allows Spacewalk to trigger actions immediately on a client. We will install this daemon now so that the following exercises that use the Spacewalk web interface will occur immediately.

     

    From the Terminal, run the following command to install the OSAD daemon:

     

    [root@spacewalk ~]# yum -y install osad
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
    Resolving Dependencies
    --> Running transaction check
    ---> Package osad.noarch 0:5.11.74-1.el7 will be installed
    --> Finished Dependency Resolution
    
    
    Dependencies Resolved
    
    
    ================================================================================================================================================================================
     Package                          Arch                               Version                                    Repository                                                 Size
    ================================================================================================================================================================================
    Installing:
     osad                             noarch                             5.11.74-1.el7                              ol7_x86_64_spacewalk26_client                              46 k
    
    
    Transaction Summary
    ================================================================================================================================================================================
    Install  1 Package
    
    
    Total download size: 46 k
    Installed size: 95 k
    Downloading packages:
    osad-5.11.74-1.el7.noarch.rpm                                                                                                                            |  46 kB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : osad-5.11.74-1.el7.noarch                                                                                                                                    1/1 
      Verifying  : osad-5.11.74-1.el7.noarch                                                                                                                                    1/1 
    
    
    Installed:
      osad.noarch 0:5.11.74-1.el7                                                                                                                                                   
    
    
    Complete!
    

     

    Enable the OSA daemon on startup:

     

    [root@spacewalk ~]# systemctl enable osad
    Created symlink from /etc/systemd/system/multi-user.target.wants/osad.service to /usr/lib/systemd/system/osad.service.
    

     

    And then manually start it immediately:

     

    [root@spacewalk ~]# systemctl start osad
    

     

    Switch back to Firefox and click the spacewalk.oracleworld.com server to view its Details screen. On the right-hand side, in the OSA Status box, you should see "online as of unknown". This indicates that the OSA daemon is running. Click Ping System to trigger a ping of the OSA daemon. If you wait a few moments and then refresh the Details tab, the OSA Status should update to indicate how long the OSA daemon has been running.

     

    Once the OSA daemon is confirmed as running, you can move on to the following exercises.

     

    Exercise: Updating packages on the client from Spacewalk

     

    If you're following from the previous exercise, click the Software tab under the spacewalk.oracleworld.com heading. Otherwise, navigate to the System tab and click the spacewalk.oracleworld.com server first.

     

    The software tab allows you to list, remove, upgrade, install and verify software packages. You can also see the errata that are applicable to this server. First, we will manually upgrade an existing package.

     

    Click Upgrade Packages. In the list that appears, select a few packages to upgrade. Once you have selected some packages, click the Upgrade Packages button at the bottom of the page. A confirmation page will appear listing the packages scheduled for update. You can choose whether to perform the upgrade as soon as possible, or after a specific time.

     

    Keep in mind that if the OSA daemon is not running on the client server, rhnsd only checks in every 4 hours by default. This means that without the OSA daemon working, some actions could take up to 4 hours to be triggered.

     

    Once you are happy with the package selection, click the Confirm button. You will receive a message indicating that package updates have been scheduled. Click scheduled in the alert message to view the scheduled action. You can monitor this page until the action is completed. Once it has completed, navigate back to the system detail view to confirm that the packages are no longer visible in the list of packages available for upgrade.

     

    Exercise: Updating packages based on an errata notification

     

    An alternative upgrade mechanism is to upgrade packages that resolve specific errata. From the Software tab within the system detail view, click the Errata tab to view the available errata information for this server. This list will display all available errata, but can be filtered to only display security, bug fixes or enhancements.

     

    Use the drop-down box to filter the list to only show security advisories. Enter "critical" into the Filter by Synopsis field and click the "eye" icon to view only the critical security errata. Click on an errata to view the details. You can also click on the CVE link to go to the MITRE website for information about the particular CVE resolved by this errata. Navigate to the Affected Systems tab to see all the servers that are affected by this advisory. In production, you may have several servers affected by a single advisory, and this screen allows you to schedule the patching of multiple servers at once.

     

    In the list, click the checkbox next to the server name and then click Apply Errata. The same confirmation screen appears asking whether to schedule the action for as soon as possible or for some time in the future. Click Confirm to apply the errata as soon as possible.

     

    You can navigate to the Schedule tab on the main menu to monitor the action. While the action is active, it will appear in the Pending Actions list. Once it has completed, it will appear in the Completed Actions list. When the action has completed, navigate back to the errata view under the system details to confirm the errata no longer appears as available for the system.

     

    Exercise: Running a command on the client from Spacewalk

     

    Spacewalk is also capable of running remote commands from the web interface as well as deploying configuration files stored in a central repository. In order to enable this functionality, we need to install the rhncfg client.

     

    To install the rhncfg client, run the following command via the Terminal or click the Install New Packages link within the Software section of an individual system within the web interface to select and deploy the required packages:

     

    [root@spacewalk ~]# yum -y install 'rhncfg*'
    Loaded plugins: langpacks, rhnplugin
    This system is receiving updates from Spacewalk server.
    Resolving Dependencies
    --> Running transaction check
    ---> Package rhncfg.noarch 0:5.10.99-1.el7 will be installed
    ---> Package rhncfg-actions.noarch 0:5.10.99-1.el7 will be installed
    ---> Package rhncfg-client.noarch 0:5.10.99-1.el7 will be installed
    ---> Package rhncfg-management.noarch 0:5.10.99-1.el7 will be installed
    --> Finished Dependency Resolution
    
    
    Dependencies Resolved
    
    
    ================================================================================================================================================================================
     Package                                    Arch                            Version                                Repository                                              Size
    ================================================================================================================================================================================
    Installing:
     rhncfg                                     noarch                          5.10.99-1.el7                          ol7_x86_64_spacewalk26_client                           74 k
     rhncfg-actions                             noarch                          5.10.99-1.el7                          ol7_x86_64_spacewalk26_client                           46 k
     rhncfg-client                              noarch                          5.10.99-1.el7                          ol7_x86_64_spacewalk26_client                           43 k
     rhncfg-management                          noarch                          5.10.99-1.el7                          ol7_x86_64_spacewalk26_client                           52 k
    
    
    Transaction Summary
    ================================================================================================================================================================================
    Install  4 Packages
    
    
    Total download size: 215 k
    Installed size: 420 k
    Downloading packages:
    (1/4): rhncfg-5.10.99-1.el7.noarch.rpm                                                                                                                   |  74 kB  00:00:00     
    (2/4): rhncfg-actions-5.10.99-1.el7.noarch.rpm                                                                                                           |  46 kB  00:00:00     
    (3/4): rhncfg-client-5.10.99-1.el7.noarch.rpm                                                                                                            |  43 kB  00:00:00     
    (4/4): rhncfg-management-5.10.99-1.el7.noarch.rpm                                                                                                        |  52 kB  00:00:00     
    --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    Total                                                                                                                                           1.0 MB/s | 215 kB  00:00:00     
    Running transaction check
    Running transaction test
    Transaction test succeeded
    Running transaction
      Installing : rhncfg-5.10.99-1.el7.noarch                                                                                                                                  1/4 
      Installing : rhncfg-client-5.10.99-1.el7.noarch                                                                                                                           2/4 
      Installing : rhncfg-actions-5.10.99-1.el7.noarch                                                                                                                          3/4 
      Installing : rhncfg-management-5.10.99-1.el7.noarch                                                                                                                       4/4 
      Verifying  : rhncfg-actions-5.10.99-1.el7.noarch                                                                                                                          1/4 
      Verifying  : rhncfg-client-5.10.99-1.el7.noarch                                                                                                                           2/4 
      Verifying  : rhncfg-management-5.10.99-1.el7.noarch                                                                                                                       3/4 
      Verifying  : rhncfg-5.10.99-1.el7.noarch                                                                                                                                  4/4 
    
    
    Installed:
      rhncfg.noarch 0:5.10.99-1.el7        rhncfg-actions.noarch 0:5.10.99-1.el7        rhncfg-client.noarch 0:5.10.99-1.el7        rhncfg-management.noarch 0:5.10.99-1.el7       
    
    
    Complete!
    

     

    Once the rhncfg client is installed, we need to manually configure what actions are permitted to be performed remotely. The following actions are possible:

     

    • deploy a file
    • diff a file
    • upload a file
    • modify the mtime (modification time) of a file
    • execute remote scripts

     

    For the purposes of the lab, we will enable all actions:

     

    [root@spacewalk ~]# rhn-actions-control --enable-all

     

    You can view the currently enabled actions:

     

    [root@spacewalk ~]# rhn-actions-control --report 
    deploy is enabled 
    diff is enabled 
    upload is enabled 
    mtime_upload is enabled 
    run is enabled
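
    Enabling all five actions is convenient for the lab, but the "run" action lets the Spacewalk server execute arbitrary scripts as root on every client that enables it, so anyone who can schedule actions in Spacewalk effectively has root on those clients. rhn-actions-control also has per-action switches (for example --enable-deploy and --enable-diff, with matching --disable-* options) so a production host can enable only what it needs. The script below is an added example, not part of the lab or the rhncfg project: it reads the report format shown above and fails when an action outside an allow-list is enabled. The sample report embedded in it is copied from the output above.

```shell
#!/bin/sh
# Added example, not part of the lab: verify that only an allow-list of
# rhncfg actions is enabled on this client.
set -eu

# Constructed sample: output copied from "rhn-actions-control --report" after
# "--enable-all". Disabled actions are reported as "<name> is disabled"
# (assumed format for the disabled case).
SAMPLE_REPORT='deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled'

# enabled_actions: reads a report on stdin, prints enabled action names.
enabled_actions() {
    awk '$2 == "is" && $3 == "enabled" { print $1 }'
}

# check_actions ALLOWED...: reads a report on stdin; exit status 1 if any
# action not named in ALLOWED is enabled, naming each offender on stderr.
check_actions() {
    allowed=" $* "
    status=0
    for action in $(enabled_actions); do
        case "$allowed" in
            *" $action "*) ;;
            *) echo "not allowed but enabled: $action" >&2; status=1 ;;
        esac
    done
    return "$status"
}

# Demo on the sample with a "config files only, no remote scripts" policy.
if printf '%s\n' "$SAMPLE_REPORT" | check_actions deploy diff; then
    echo "policy OK"
else
    echo "policy violated; fix with: rhn-actions-control --disable-all --enable-deploy --enable-diff"
fi
# On a live client:  rhn-actions-control --report | check_actions deploy diff
```

    Run the live form from a cron job or your configuration-drift checks; a non-zero exit status means someone has widened the permitted actions since the host was built.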

     

    Now that rhncfg is installed and all actions are enabled, we can trigger a remote action from the web interface. Switch back to Firefox and navigate to the Details tab of the server details view, then click the Remote Command tab.

     

    In the script box, enter the following:

     

    #!/bin/sh 
    # Add your shell script below 
    uptime 
    uname -a

     

    Then click the Schedule button. Remote commands use the same scheduling mechanism as package updates, so without the OSA daemon running, it could take up to 4 hours to complete the remote command action. Navigate to the Events tab to view the pending events. If the action does not appear in the pending list, click the History tab. The action should appear at the top of the System History list. Click the action name to view the script and the output.

     

    Exercise: Creating a configuration channel in Spacewalk

     

    Another feature of the rhncfg client is the ability to deploy configuration files from Spacewalk to multiple servers. This requires the creation of one or more configuration channels and configuration files. In this exercise, we will create a configuration channel, a configuration file and deploy it to our client.

     

    Creating a configuration channel and file

     

    First, navigate to the Configuration tab in the main menu, then select Configuration Channels in the left-hand menu. There are no configuration channels created by default. Click Create Config Channel to start the creation process.

     

    Create a new configuration channel using the following details:

     

    • Name: Generic Configuration
    • Label: ol7_generic_config
    • Description: Generic configuration files for Oracle Linux 7

     

    Click the Create Config Channel button to complete the creation process. After the channel has been created, we can add a file. Click the Add Files tab to start the process.

     

    You can add a file in three ways: uploading a file from your workstation, importing a file from a registered client system that has the upload action allowed, or creating a file directly in the interface. In this exercise, we will create a file directly in the interface, so click the Create File tab.

     

    Create a new configuration file using the following details:

     

    • File Type: Text File
    • Filename/Path: /etc/motd
    • Ownership User name: root
    • Ownership Group name: root
    • File Permissions Mode: 644
    • Macro Delimiters: Start Delimiter is {| and End Delimiter is |}
    • File contents: This server is {|rhn.system.hostname|} and it is managed by Spacewalk.

     

    Note that we have used the rhn.system.hostname macro in the configuration file contents. This macro will be replaced by the name of the target server when the configuration file is deployed. Click the Create Configuration File button once you are happy with the settings and content.

     

    Associate the configuration channel with a client server

     

    Navigate to the system detail view by clicking on the spacewalk.oracleworld.com server, then select the Configuration tab, the Manage Configuration Channels tab and then the Subscribe to Channels tab. Click the checkbox next to the Generic Configuration channel in the list, then click Continue. If you have multiple configuration channels in your production environment, you can rank the channels in order of priority. This allows you to have generic configuration files as well as more specific versions. As we only have a single configuration channel in this exercise, click the Update Channel Rankings button to confirm the subscription. The Generic Configuration channel should now appear in the list of Configuration Channels for this server.

     

    Deploying a configuration file to the client

     

    Switch to the Deploy Files tab to list the available files. Select the checkbox next to the /etc/motd file and click the Deploy Files button. On the confirmation screen, ensure it's scheduled to deploy as soon as possible then click the Schedule Deploy button.

     

    To confirm that the file has been deployed successfully and that the macro has been replaced properly during the deployment, run the following command via a Terminal:

     

    [root@spacewalk ~]# cat /etc/motd  
    This server is spacewalk.oracleworld.com and it is managed by Spacewalk.
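
    Reading the file shows the macro was expanded, but a deployment that leaves a macro unexpanded or lands with the wrong owner or mode is easy to miss by eye, and for files more sensitive than /etc/motd the mode matters. The script below is an added example, not part of the lab, that checks all three for a deployed file: no remaining {| ... |} macro delimiters, and the owner, group and mode match the values entered in the Create File form. It uses the GNU coreutils stat -c form shipped with Oracle Linux 7, and its demo runs on a constructed temporary file so it can be tried on any host.

```shell
#!/bin/sh
# Added example, not part of the lab: post-deployment check for a config
# file pushed by Spacewalk (in the exercise, /etc/motd).
set -eu

# unexpanded_macros FILE [START] [END]
#   Exit 0 when FILE still contains both macro delimiters, i.e. a macro such
#   as {|rhn.system.hostname|} was not substituted during deployment.
#   Delimiters default to the ones used in the Create File form.
unexpanded_macros() {
    start='{|'
    end='|}'
    if [ $# -ge 2 ]; then start=$2; fi
    if [ $# -ge 3 ]; then end=$3; fi
    grep -q -F -- "$start" "$1" && grep -q -F -- "$end" "$1"
}

# verify_deployed FILE MODE USER GROUP
#   Exit 0 only when FILE has the expected octal mode, owner and group
#   (names or numeric ids) and no unexpanded macro remains.
verify_deployed() {
    file=$1; mode=$2; user=$3; group=$4
    # Resolve names to ids so the comparison works in containers without
    # a passwd entry for the current uid.
    case $user in *[!0-9]*) user=$(id -u "$user") ;; esac
    case $group in *[!0-9]*) group=$(getent group "$group" | cut -d: -f3) ;; esac
    want="$mode $user $group"
    got=$(stat -c '%a %u %g' "$file")      # GNU coreutils stat
    if [ "$got" != "$want" ]; then
        echo "$file: expected '$want', got '$got'" >&2
        return 1
    fi
    if unexpanded_macros "$file"; then
        echo "$file: macro delimiters still present, substitution failed" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed file so this runs anywhere. On the lab client use:
#   verify_deployed /etc/motd 644 root root
tmp=$(mktemp)
trap 'rm -f "$tmp"' EXIT
printf 'This server is spacewalk.oracleworld.com and it is managed by Spacewalk.\n' > "$tmp"
chmod 644 "$tmp"
if verify_deployed "$tmp" 644 "$(id -u)" "$(id -g)"; then
    echo "demo file OK"
fi
```

    A failed macro substitution is also worth treating as a signal that the client is using different delimiters from the channel, or that the file was edited locally after deployment; the diff action from the previous exercise shows which.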

     

    Exercise: Run OpenSCAP auditing via Spacewalk

     

    The final exercise is to configure and run an audit using the OpenSCAP tools. This example uses the scap-security-guide provided with Oracle Linux. You can use any OpenSCAP compliant XCCDF and OVAL files in your own environment.

     

    To begin the auditing process, navigate to the Audit tab of the system detail view, then click the Schedule tab. Spacewalk will inform you that in order to run OpenSCAP scans, the spacewalk-oscap package needs to be installed. Using what you've learnt in previous exercises, install the spacewalk-oscap and scap-security-guide packages either using yum or via the Spacewalk web interface.

     

    Once the spacewalk-oscap and scap-security-guide packages and their dependencies are installed, refresh the Schedule New XCCDF Scan page in Firefox. You should now be able to schedule a scan using the following parameters:

     

    • Command-line Arguments: --profile standard --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
    • Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

     

    Click the Schedule button once you've completed the fields. It can take between fifteen and twenty minutes to complete the scan. Navigate to the List Scans tab to view the completed scans. You can then review the results and filter on passed or failed results. You can also schedule regular scans to ensure that no security regressions occur. Note that the virtual machine used by this hands-on lab is not configured according to best security practice for a production deployment and will fail many of the OpenSCAP tests.