Hands-on Lab: System Management with Spacewalk 2.2

Version 22

    Introduction

     

    In this Hands-on Lab, you will learn the basics of systems management using Spacewalk 2.2:

     

    • initial Repository and Software Channel creation
    • syncing Software Channels with upstream repository sources
    • creating and configuring a Spacewalk activation key
    • registering an Oracle Linux server to Spacewalk
    • running yum commands
    • installing and testing the Spacewalk OSAD client
    • installing and configuring the Spacewalk Configuration client
    • creating a configuration channel in Spacewalk and deploying configuration files
    • running an OpenSCAP-based audit

     

    Spacewalk is an Open Source Linux systems management solution. It manages software content updates for Linux distributions derived from Red Hat Enterprise Linux including Oracle Linux, CentOS, Scientific Linux and Fedora. It allows you to synchronize updates from upstream sources, then store and deploy those updates to your local servers.

     

    You can stage software content, including updates and configuration files through different environments. The deployment of updates to registered servers is centrally controlled and the Spacewalk web interface shows a unified view of all registered servers and their associated software update status. You can also trigger software updates and remote actions via the web interface.

     

    In addition, Spacewalk provides entire lifecycle management functionality via bare-metal and virtual server provisioning using the standard PXE and Kickstart tools. Servers that are provisioned using Spacewalk are automatically registered and monitored after installation.

     

    To support very large enterprise deployments, you can connect multiple Spacewalk servers together using Inter-Spacewalk Sync. Spacewalk also provides the Spacewalk Proxy server to support geographically-distributed client servers. Spacewalk Proxy servers cache and distribute content, reducing the load on the central Spacewalk servers and improving download times for local servers.

     

    For more information on Spacewalk, visit the Spacewalk community website.

     

    Requirements

     

    Unbreakable Linux Network Access

     

    This lab is designed to sync content from the Unbreakable Linux Network. You will need an Oracle Single Sign-On account with ULN access to complete this lab.

     

    Virtual machine requirements

     

    Download the virtual machine template from here: Oracle Linux VM Images for Hands-On Lab

     

    This lab is designed to synchronize packages from both the Oracle Unbreakable Linux Network (ULN) as well as Oracle's Public Yum Repository. The lab does not include installation of Spacewalk itself as this is covered in the Spacewalk 2.2 for Oracle Linux 6 Installation Guide.

     

    Pre-requisite knowledge

     

    Attendees are expected to have basic Oracle Linux system administration skills, particularly regarding package management using RPM and yum.

     

    You should be familiar with the following Linux concepts and commands:

     

    • using the Linux terminal
    • using sudo to run commands as root
    • using the yum package management tool
    • using vi or nano to edit configuration files

     

    Lab structure

     

    As many activities in the lab are performed using the Spacewalk web interface, screenshots are provided for the initial exercises to assist with navigation and configuration.

     

    Once the initial exercises are completed, screenshots will no longer be provided as the content will change over time and static screenshots could be misleading.

     

    Initial login

     

    You should log into the virtual machine as the HOL User (holuser) using the password oracle.

     

    Next, open a Terminal session from Application -> System Tools -> Terminal and have the Firefox web browser open as well. As the lab instructions are web-based, it is recommended to have multiple Firefox windows or tabs open so that you can follow the instructions.

     

    Navigate to the Spacewalk web interface in Firefox: https://hol10326.oracleworld.com

     

    Screenshot-Spacewalk - Sign In.png

     

    You should see the initial login screen. Use the following credentials to log in to Spacewalk:

     

    • Username: admin
    • Password: Oracle123

     

    After successfully logging in, Spacewalk displays the Overview page.

     

    Screenshot-Spacewalk - Overview - Overview.png

     

    Exercise: Create repositories and software channels

     

    Spacewalk requires all packages and metadata to be stored and managed locally, so the initial step is to configure upstream sources for package updates. These upstream sources can be the Oracle Unbreakable Linux Network (ULN), the Oracle Public Yum Server or any 3rd-party yum repository.

     

    Spacewalk uses the concept of Software Channels and Repositories to store packages and metadata. Client systems subscribe to Software Channels, while Software Channels themselves can be subscribed to one or more Repositories. In this way, you can create local channels that provide packages from a combination of sources. Care should be taken to ensure that the upstream repositories do not contain the same packages to reduce deployment complexity and confusion. It is recommended to connect a software channel to a single repository for simplicity.

     

    Spacewalk Software Channels are hierarchical: each client server is registered with a single base channel and can be subscribed to multiple child channels. A client can only subscribe to the child channels of its base channel.

     

    In this exercise, you will create repositories for the following ULN channels:

     

    • Oracle Linux 6 Update 7 Installation media set (x86_64)
    • Oracle Linux 6 Update 7 Patches (x86_64)
    • Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64)

     

    You will also create a Spacewalk repository for the following Yum repository:

     

    • Spacewalk Client 2.2 for Oracle Linux 6 (x86_64)

     

    Once these repositories are created, the following Software Channel hierarchy will be created:

     

    • Oracle Linux 6 Update 5 Installation media set (x86_64)
      • Oracle Linux 6 Update 5 Patches (x86_64)
      • Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64)
      • Spacewalk Client 2.0 for Oracle Linux 6 (x86_64)

     

    This will allow clients to subscribe to the Installation media set base channel as well as the individual child channels.

     

    Create the repositories

     

    Navigate to the Manage Repositories screen in the Spacewalk web interface by clicking on Channels (in the main menu bar), then Manage Software Channels in the left-hand menu and finally Manage Repositories. There are no repositories configured by default.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Manage Repositories.png

     

    Click create new repository to start the creation process. The first repository you will create is the Oracle Linux 6 Update 7 Installation media set. Provide the following information:

     

    • Repository label: Oracle Linux 6 Update 7 installation media copy x86_64
    • Repository URL: uln:///ol6_u7_x86_64_base

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Manage Repositories - OL6U7 Base.png

     

    ULN-based repositories use the uln:///<ULN_channel_label> syntax and the three / characters are intentional. You can find a list of channel labels via the ULN interface.

     

    Click the create repository button. Spacewalk will create the repository and return you to the repository edit screen. Click Manage Repositories to return to the list of repositories to see the newly created repository.

     

    Follow the above procedure to create the following ULN-based repositories:

     

    1. Oracle Linux 6 Update 7 Patches x86_64 with the ULN channel label ol6_u7_x86_64_patch.
    2. UEK Release 3 for Oracle Linux 6 x86_64 with the ULN channel label ol6_x86_64_UEKR3_latest.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Manage Repositories - Repos Created.png

     

    Once all three ULN-based repositories are created, you can create the Yum-based repository for the Spacewalk 2.2 Client. The process is almost identical, except you use an http-based repository URL.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Manage Repositories - Spacewalk Client Repo.png

     

     

    In production, you should only use yum repositories hosted on the Oracle Public Yum server or trusted 3rd-party repositories.

     

    Once you have all four repositories created, you can begin to create the associated Software Channels.

     

    Create the base and child software channels

     

    As mentioned previously, Spacewalk uses a parent/child relationship for Software Channels. Client servers can only subscribe to a single base channel and can only subscribe to child channels of the selected base channel. In this exercise, we will create a single base channel and three child channels.

     

    Click Manage Software Channels in the left-hand menu. By default, there are no software channels configured in Spacewalk.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Channel List Empty.png

     

    Click create new channel to start the process. We will begin by creating the base channel using the following details:

     

    • Channel Name: Oracle Linux 6 Update 7 installation media copy x86_64
    • Channel Label: ol6_u7_x86_64_base
    • Parent Channel: none
    • Architecture: x86_64
    • Yum Repository Checksum Type: sha256
    • Channel Summary: Oracle Linux 6 Update 7 installation media copy x86_64
    • Channel Description: All packages released on the Oracle Linux 6 Update 7 (x86_64) installation media. This channel does not contain updates.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - OL6U7 Base Basic Details.png

     

    Ensure that you set the architecture field correctly, otherwise the channel will not be visible to the client you will register later in the lab. The architecture must match the architecture of the client.

     

    You can fill your own (or dummy) information in the Contact/Support Information section. This information is displayed in the Spacewalk UI so that other users know who to contact if they have issues with the software contained in this channel.

     

    For the purposes of the lab, you do not need to make any changes to the Channel Access Control section. For production Spacewalk deployments, this section is used to determine who is permitted to use this channel and which organizations can access the channel. Multi-user and multi-organization deployment of Spacewalk is beyond the scope of this lab.

     

    It is strongly recommended that you configure the Security: GPG section in production to ensure that packages that are downloaded during the Spacewalk synchronization process have a valid security signature. You should configure the section using the following:

     

    • GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY
    • GPG key ID: EC551F03
    • GPG key Fingerprint: 4214 4123 FECF C55B 9086  313D 72F9 7B74 EC55 1F03

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - GPG Details.png

     

    You can find the GPG key ID and fingerprint for each Oracle Linux major version on the Oracle Public Yum server. Note that the GPG key ID and fingerprint are identical for Oracle Linux 6 and 7. Oracle Linux installs the key itself by default at /etc/pki/rpm-gpg/RPM-GPG-KEY and, for security purposes, it is recommended that you use the installed key instead of downloading a new one.
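
    One way to confirm that the installed key file really carries the key ID and fingerprint listed above before entering them in the channel. This is an added example, not part of the original lab; the function names and the constructed sample record are assumptions, and the script reads the `fpr` records printed by `gpg --with-fingerprint --with-colons`.

```shell
#!/bin/sh
# Added example: check a key file against the ID and fingerprint from this lab.

KEY_FILE=/etc/pki/rpm-gpg/RPM-GPG-KEY                               # from the lab
EXPECTED_FPR='4214 4123 FECF C55B 9086  313D 72F9 7B74 EC55 1F03'   # from the lab
EXPECTED_ID='EC551F03'                                              # from the lab

# Constructed sample of gpg colon-format output (not captured from a real run).
# Only the record type (field 1) and the fingerprint (field 10) are used.
SAMPLE_COLONS='pub:-:::72F97B74EC551F03:::::constructed uid:
fpr:::::::::42144123FECFC55B9086313D72F97B74EC551F03:
sub:-:::0000000000000000:::::::
fpr:::::::::0000000000000000000000000000000000000000:'

# Remove all whitespace and upper-case, so spaced and compact forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Read colon-format output on stdin and print the fingerprint of each primary
# key: the first "fpr" record after a "pub" record. Subkey fingerprints are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub"           { expect = 1; next }
        $1 == "fpr" && expect { print toupper($10); expect = 0 }'
}

# check_key_output EXPECTED_FPR EXPECTED_ID   (colon-format output on stdin)
# Returns 0 on a match, 1 on a mismatch, 2 if the input does not hold exactly
# one primary key (an extra key in the file would be trusted along with it).
check_key_output() {
    local want id found count
    want=$(normalize_fpr "$1")
    id=$(normalize_fpr "$2")
    found=$(primary_fprs)
    count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one primary key, found $count" >&2
        return 2
    fi
    if [ "$found" != "$want" ]; then
        echo "fingerprint mismatch: file has $found" >&2
        return 1
    fi
    # The short key ID is the last 8 hex digits of the fingerprint.
    case "$found" in
        *"$id") return 0 ;;
        *) echo "key ID $id is not the tail of the fingerprint" >&2; return 1 ;;
    esac
}

if [ $# -gt 0 ]; then
    # Real use: pass the key file, e.g.  sh check-key.sh "$KEY_FILE"
    gpg --with-fingerprint --with-colons "$1" 2>/dev/null |
        check_key_output "$EXPECTED_FPR" "$EXPECTED_ID" && echo "$1: fingerprint matches"
else
    # No argument: run against the constructed sample so the script works offline.
    printf '%s\n' "$SAMPLE_COLONS" |
        check_key_output "$EXPECTED_FPR" "$EXPECTED_ID" && echo "sample: fingerprint matches"
fi
```

    Run it with the key file path as the only argument on the Spacewalk server; a non-zero exit status means the file should not be used for the channel.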

     

    Click the Create Channel button once you have completed all the required fields. Spacewalk will create the channel and return you to the channel edit screen for the newly created channel. Click Manage Software Channels in the left-hand menu to return to the Software Channel list.

     

    You will now create your first child channel. Click the create new channel link and enter the following details:

     

    • Channel Name: Oracle Linux 6 Update 7 Patch x86_64
    • Channel Label: ol6_u7_x86_64_patch
    • Parent Channel: Oracle Linux 6 Update 7 installation media copy x86_64
      • You will notice that when you select a parent channel, the Architecture and Yum Repository Checksum Type are automatically selected.
    • Channel Summary: Oracle Linux 6 Update 7 Patch x86_64
    • Channel Description: Updated packages published after the release of Oracle Linux 6 Update 7 (x86_64).

     

    Use the same Security: GPG settings as the Installation media set channel.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - OL6U7 Patch Base Details.png

     

    Repeat the above procedure for the remaining software channels:

     

    • Channel Name and Channel Summary: Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 x86_64
    • Channel Label: ol6_x86_64_uekr3_latest
    • Parent Channel: Oracle Linux 6 Update 7 installation media copy x86_64

     

    Note that Spacewalk channel labels can only contain lowercase letters, so this channel label differs from its upstream repository label.

     

    • Channel Name and Channel Summary: Spacewalk Client 2.2 for Oracle Linux 6 x86_64
    • Channel Label: ol6_x86_64_spacewalk22_client
    • Parent Channel: Oracle Linux 6 Update 7 installation media copy x86_64

     

    Once a channel is created, you cannot change whether it is a base or child channel. If you forget to select the correct parent channel, you will need to delete and recreate the channel. Once you have completed this exercise, you should have all four channels created, with a single base and three child channels as shown in the following screenshot:

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - All Software Channels.png

     

    Do not continue the lab until your software channel list matches the example.

     

    Exercise: Configure ULN credentials

     

    Before you can synchronize with ULN, you need to configure the credentials that Spacewalk should use when connecting. These credentials are stored in a file that is only readable by the root user. You should ensure that this file is suitably protected by setting the permissions accordingly:

     

    Using a text editor, open /etc/rhn/spacewalk-repo-sync/uln.conf:

     

    [holuser@hol10326 ~] $ sudo vim /etc/rhn/spacewalk-repo-sync/uln.conf
    [main]
    username = <Oracle SSO email address>
    password = <Password>
      

     

    Replace the placeholders in this file with your real ULN credentials before continuing. This file is set read-only (mode 0400) by default, so you will need to force save the file as root using the :wq! command.
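
    A check that the credentials file is still protected after editing and no longer contains the lab placeholders. This is an added example, not part of the original lab; the function name check_uln_conf and its return codes are assumptions, and it relies on GNU `stat -c`.

```shell
#!/bin/sh
# Added example: audit the ULN credentials file used by spacewalk-repo-sync.

CONF=${1:-/etc/rhn/spacewalk-repo-sync/uln.conf}   # default path from this lab

# check_uln_conf PATH [UID]
# Returns 0 if PATH is a regular file owned by UID (default 0, root), grants
# nothing to group or other, and has real values for username and password.
# Returns 1 on any finding, 2 if the file is missing or not a regular file.
# The credential values themselves are never printed.
check_uln_conf() {
    local path uid mode key rc
    path=$1; uid=${2:-0}; rc=0

    # A symlink could point the sync job at a file somebody else controls.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "$path: missing, a symlink, or not a regular file" >&2
        return 2
    fi
    if [ "$(stat -c '%u' "$path")" != "$uid" ]; then
        echo "$path: not owned by uid $uid" >&2; rc=1
    fi
    # %a is the octal mode; the low six bits are the group and other permissions.
    mode=$(stat -c '%a' "$path")
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$path: mode $mode grants access to group or other" >&2; rc=1
    fi
    for key in username password; do
        # The lab template uses <...> placeholders for both values.
        if grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*<.*>[[:space:]]*$" "$path"; then
            echo "$path: $key still holds the lab placeholder" >&2; rc=1
        elif ! grep -Eq "^[[:space:]]*$key[[:space:]]*=[[:space:]]*[^[:space:]]" "$path"; then
            echo "$path: no value set for $key" >&2; rc=1
        fi
    done
    return $rc
}

# Run against the real file when it exists (requires root to read it).
if [ -e "$CONF" ]; then
    check_uln_conf "$CONF" && echo "$CONF: OK" ||
        echo "$CONF: restore with: chown root:root $CONF && chmod 0400 $CONF"
fi
```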

    Exercise: Trigger the initial sync of the software channels

     

    Now that your software channels are created, we need to link them to the appropriate repository and trigger the initial sync. Spacewalk should be configured in production to sync on a regular basis. As the Spacewalk web interface does not provide any progress information during a sync, you should have a Terminal window open to monitor the sync logs during this exercise.

     

    In the Terminal, use sudo to become the root user and change directory to /var/log/rhn/reposync. The sync logs are contained in this directory. The OpenWorld virtual machine already contains log files, as the Spacewalk instance was pre-seeded with packages for performance reasons.

     

    Tail the ol6_u7_x86_64_base.log file:

     

    [holuser@hol10326 ~]$ sudo tail -f /var/log/rhn/reposync/ol6_u7_x86_64_base.log

     

    The time for initial sync is dependent on network bandwidth and server resources and can take anywhere from several hours to several days.

     

    Switch back to Firefox to continue the exercise.

     

    From Manage Software Channels, click the Oracle Linux 6 Update 7 installation media copy x86_64 channel and navigate to the Repositories tab.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Repositories - OL6U7 Repo Selection.png

     

    Click the check box next to Oracle Linux 6 Update 7 installation media copy x86_64 and then click the Update Repositories button.

     

    Once you have saved the repository selection, click the Sync tab. This screen allows you to trigger an immediate sync or schedule a task to sync the repository. For the purposes of the lab, just click the Sync Now button, but in production you should schedule regular synchronization of the Oracle Linux repositories on a daily basis. If you have multiple repositories, you should offset the schedule time.

     

    Screenshot-Spacewalk - Channels - Manage Software Channels - Repositories - OL6U7 Base Sync.png

     

    After clicking the Sync Now button, switch back to your terminal to monitor the sync activity. Spacewalk will connect to ULN to retrieve the list of packages and then start downloading each package. In this exercise, we have pre-seeded the packages in the virtual machine to reduce the download time as much as possible.

     

    Wait for the Sync completed. message to appear in the log before continuing.

     

    Repeat this process for the remaining three software channels. Note that the Oracle Linux 6 Update 7 Patches channel will take the longest to complete as new packages will have been published between the time the virtual machine image was created and now. It could take between 15-25 minutes or longer for this process to complete.

     

    Spacewalk will only sync a single software channel at a time, so wait for each channel to complete before moving on to the next channel.

     

    Exercise: Creating and configuring an activation key

     

    Once you have completed the initial sync of all four channels, you can create an activation key. An activation key is used by the Spacewalk client to register a server with Spacewalk. An activation key is tied to a specific base channel (and optional child channels) and is used to determine channel subscription during activation. For example, you can have multiple activation keys with the same base channel, but specify different child channel subscriptions.

     

    Navigate to the Activation Keys page by clicking on the Systems tab and selecting Activation Keys in the left-hand menu. There are no activation keys created by default. Click create new key to begin the process.

     

    Screenshot-Spacewalk - Systems - Activation Keys.png

     

    Use the following details to complete the activation key fields:

     

    • Description: Oracle Linux 6 Update 7 (x86_64)
    • Key: oraclelinux6-u7-x86_64

     

    Spacewalk can automatically generate keys, but it is recommended to use a particular key name for ease of identification later.

     

    • Usage: -- blank --
    • Base Channels: Oracle Linux 6 Update 7 installation media copy x86_64
    • Add-on Entitlements: select Provisioning
    • Universal default: -- unchecked --

     

    Once the key is created, click the Child Channels tab. This screen determines which (if any) of the child channels should be subscribed during activation of a system using this activation key. Select all three available channels and click the Update Key button.

     

    Screenshot-Spacewalk - Systems - Activation Keys - Child Channels.png

     

    An activation key is mandatory to register clients to Spacewalk. Now that you have created an activation key, we can register a client.

     

    Exercise: Registering a client server

     

    Registration to Spacewalk can be done manually or via the provisioning process. In this lab, we will perform a manual registration, as the virtual machine has already been provisioned.

     

    Switch to the Terminal and use sudo to become root (if not already root).

     

    Run the following command:

     

    [holuser@hol10326 ~]# rhnreg_ks --serverUrl=https://hol10326.oracleworld.com/XMLRPC --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-oraclelinux6-u7-x86_64

     

    The activation process can take several minutes as the local software inventory is collected and sent to Spacewalk. Once the prompt returns, switch back to Firefox and click the Systems tab. You should now see the VM listed. Notice that there are updates available for the server. We will demonstrate several patching mechanisms in upcoming exercises to deploy those updates to the server.

     

    Exercise: Running yum commands manually on the client

     

    Once the client is successfully registered to Spacewalk, you are able to run the yum tool to perform actions using the packages available via Spacewalk.

     

    List all the subscribed channels

     

    Run the following yum command:

     

    [root@hol10326 ~]# yum repolist
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    repo id                          repo name                                                            status
    ol6_u7_x86_64_base               Oracle Linux 6 Update 7 installation media copy x86_64               6,629
    ol6_u7_x86_64_patch              Oracle Linux 6 Update 7 Patch x86_64                                   264
    ol6_x86_64_spacewalk22_client    Spacewalk Client 2.2 for Oracle Linux 6 x86_64                          30
    ol6_x86_64_uekr3_latest          Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 x86_64      360
    repolist: 7,283

     

    List all available updates

     

    Run the following yum command:

     

    [root@hol10326 ~]# yum list updates
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Updated Packages
    bind-libs.x86_64                   32:9.8.2-0.37.rc1.el6_7.4    ol6_u7_x86_64_patch
    bind-utils.x86_64                  32:9.8.2-0.37.rc1.el6_7.4    ol6_u7_x86_64_patch
    device-mapper.x86_64               1.02.95-3.el6_7.2            ol6_u7_x86_64_patch
    device-mapper-event.x86_64         1.02.95-3.el6_7.2            ol6_u7_x86_64_patch
    device-mapper-event-libs.x86_64    1.02.95-3.el6_7.2            ol6_u7_x86_64_patch
    device-mapper-libs.x86_64          1.02.95-3.el6_7.2            ol6_u7_x86_64_patch
    firefox.x86_64                     38.2.1-1.0.1.el6_7           ol6_u7_x86_64_patch
    gdk-pixbuf2.x86_64                 2.24.1-6.el6_7               ol6_u7_x86_64_patch
    glibc.x86_64                       2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    glibc-common.x86_64                2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    glibc-devel.x86_64                 2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    glibc-headers.x86_64               2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    ...

     

    List all available security updates

     

    Run the following yum command:

     

    [root@hol10326 ~]# yum --security list updates
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Limiting package lists to security relevant ones
    18 package(s) needed for security, out of 42 available
    Updated Packages
    bind-libs.x86_64                   32:9.8.2-0.37.rc1.el6_7.4    ol6_u7_x86_64_patch
    bind-utils.x86_64                  32:9.8.2-0.37.rc1.el6_7.4    ol6_u7_x86_64_patch
    device-mapper.x86_64               1.02.95-3.el6_7.1            ol6_u7_x86_64_patch
    device-mapper-event.x86_64         1.02.95-3.el6_7.1            ol6_u7_x86_64_patch
    device-mapper-event-libs.x86_64    1.02.95-3.el6_7.1            ol6_u7_x86_64_patch
    device-mapper-libs.x86_64          1.02.95-3.el6_7.1            ol6_u7_x86_64_patch
    firefox.x86_64                     38.2.1-1.0.1.el6_7           ol6_u7_x86_64_patch
    gdk-pixbuf2.x86_64                 2.24.1-6.el6_7               ol6_u7_x86_64_patch
    glibc.i686                         2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    glibc-devel.i686                   2.12-1.166.el6_7.1           ol6_u7_x86_64_patch
    kernel.x86_64                      2.6.32-573.3.1.el6           ol6_u7_x86_64_patch
    kernel-firmware.noarch             2.6.32-573.3.1.el6           ol6_u7_x86_64_patch
    ...

     

    List CVEs fixed by available updates

     

    Run the following yum command:

     

    [root@hol10326 ~]# yum updateinfo list cves
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
     CVE-2015-4620 security bind-libs-32:9.8.2-0.37.rc1.el6_7.1.x86_64
     CVE-2015-5477 security bind-libs-32:9.8.2-0.37.rc1.el6_7.2.x86_64
     CVE-2015-5722 security bind-libs-32:9.8.2-0.37.rc1.el6_7.4.x86_64
     CVE-2015-4620 security bind-utils-32:9.8.2-0.37.rc1.el6_7.1.x86_64
     CVE-2015-5477 security bind-utils-32:9.8.2-0.37.rc1.el6_7.2.x86_64
     CVE-2015-5722 security bind-utils-32:9.8.2-0.37.rc1.el6_7.4.x86_64
     CVE-2015-4495 security firefox-38.1.1-1.0.1.el6_7.x86_64
     CVE-2015-4485 security firefox-38.2.0-4.0.1.el6_7.x86_64
    ...
     CVE-2015-3245 security libuser-0.56.13-8.el6_7.x86_64
     CVE-2015-3246 security libuser-0.56.13-8.el6_7.x86_64
     CVE-2015-3245 security libuser-python-0.56.13-8.el6_7.x86_64
     CVE-2015-3246 security libuser-python-0.56.13-8.el6_7.x86_64
     CVE-2015-5621 security net-snmp-libs-1:5.5-54.0.1.el6_7.1.x86_64
     CVE-2015-2730 security nss-softokn-3.14.3-23.el6_7.x86_64
     CVE-2015-2730 security nss-softokn-freebl-3.14.3-23.el6_7.x86_64
     CVE-2015-3238 security pam-1.1.1-20.el6_7.1.x86_64
     CVE-2015-3416 security sqlite-3.6.20-1.el6_7.2.x86_64
    updateinfo list done
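
    The listing above repeats a CVE once per package and per update, which makes it hard to see what a given `--cve=` update will touch. The following added example (not part of the original lab) groups the output by package and looks up the packages for one CVE; the function names are assumptions and the embedded sample is copied from the lab output above.

```shell
#!/bin/sh
# Added example: summarise `yum updateinfo list cves` output.

# Sample input: the lines shown in this lab, embedded so the script runs offline.
sample_output() {
cat <<'EOF'
Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
This system is receiving updates from RHN Classic or Red Hat Satellite.
 CVE-2015-4620 security bind-libs-32:9.8.2-0.37.rc1.el6_7.1.x86_64
 CVE-2015-5477 security bind-libs-32:9.8.2-0.37.rc1.el6_7.2.x86_64
 CVE-2015-5722 security bind-libs-32:9.8.2-0.37.rc1.el6_7.4.x86_64
 CVE-2015-4620 security bind-utils-32:9.8.2-0.37.rc1.el6_7.1.x86_64
 CVE-2015-5477 security bind-utils-32:9.8.2-0.37.rc1.el6_7.2.x86_64
 CVE-2015-5722 security bind-utils-32:9.8.2-0.37.rc1.el6_7.4.x86_64
 CVE-2015-4495 security firefox-38.1.1-1.0.1.el6_7.x86_64
 CVE-2015-4485 security firefox-38.2.0-4.0.1.el6_7.x86_64
 CVE-2015-3245 security libuser-0.56.13-8.el6_7.x86_64
 CVE-2015-3246 security libuser-0.56.13-8.el6_7.x86_64
 CVE-2015-3245 security libuser-python-0.56.13-8.el6_7.x86_64
 CVE-2015-3246 security libuser-python-0.56.13-8.el6_7.x86_64
 CVE-2015-5621 security net-snmp-libs-1:5.5-54.0.1.el6_7.1.x86_64
 CVE-2015-2730 security nss-softokn-3.14.3-23.el6_7.x86_64
 CVE-2015-2730 security nss-softokn-freebl-3.14.3-23.el6_7.x86_64
 CVE-2015-3238 security pam-1.1.1-20.el6_7.1.x86_64
 CVE-2015-3416 security sqlite-3.6.20-1.el6_7.2.x86_64
updateinfo list done
EOF
}

# Read yum output on stdin; print unique "CVE<TAB>package-name" pairs.
# The last column is name-[epoch:]version-release.arch, so the name is what is
# left after dropping .arch, then -release, then -[epoch:]version.
parse_cve_list() {
    awk '
        $1 ~ /^CVE-[0-9]+-[0-9]+$/ && NF >= 3 {
            pkg = $NF
            sub(/\.[^.]+$/, "", pkg)
            sub(/-[^-]+$/, "", pkg)
            sub(/-[^-]+$/, "", pkg)
            print $1 "\t" pkg
        }' | LC_ALL=C sort -u
}

# Print "package<TAB>CVE,CVE,..." with one line per package.
cves_by_package() {
    parse_cve_list | awk -F'\t' '
        { list[$2] = (list[$2] == "" ? $1 : list[$2] "," $1) }
        END { for (p in list) print p "\t" list[p] }' | LC_ALL=C sort
}

# Accept only a well-formed CVE id, so the value is safe to hand to --cve=.
is_cve_id() {
    case "$1" in
        CVE-[0-9][0-9][0-9][0-9]-*) ;;
        *) return 1 ;;
    esac
    case "${1#CVE-????-}" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# packages_for_cve CVE-ID   (yum output on stdin): package names on one line.
packages_for_cve() {
    is_cve_id "$1" || { echo "not a CVE id: $1" >&2; return 2; }
    parse_cve_list | awk -F'\t' -v cve="$1" '$1 == cve { print $2 }' | paste -sd ' ' -
}

if [ "${1:-}" = "-" ]; then
    cves_by_package                      # yum updateinfo list cves | sh script.sh -
else
    sample_output | cves_by_package      # no argument: use the embedded sample
fi
```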

     

    Install patches required to fix a particular CVE

     

    Run the following yum command using a CVE chosen from the list generated in the previous example:

     

    [root@hol10326 ~]# yum -y --cve=CVE-2015-3238 update
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Update Process
    Resolving Dependencies
    Limiting packages to security relevant ones
    1 package(s) needed (+0 related) for security, out of 41 available
    --> Running transaction check
    ---> Package pam.x86_64 0:1.1.1-20.el6 will be updated
    ---> Package pam.x86_64 0:1.1.1-20.el6_7.1 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==========================================================================================
     Package        Arch          Version                 Repository                    Size
    ==========================================================================================
    Updating:
     pam            x86_64        1.1.1-20.el6_7.1        ol6_u7_x86_64_patch          658 k

    Transaction Summary
    ==========================================================================================
    Upgrade       1 Package(s)

    Total download size: 658 k
    Downloading Packages:
    pam-1.1.1-20.el6_7.1.x86_64.rpm                                      | 658 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Warning: RPMDB altered outside of yum.
      Updating   : pam-1.1.1-20.el6_7.1.x86_64                                          1/2
      Cleanup    : pam-1.1.1-20.el6.x86_64                                              2/2
      Verifying  : pam-1.1.1-20.el6_7.1.x86_64                                          1/2
      Verifying  : pam-1.1.1-20.el6.x86_64                                              2/2

    Updated:
      pam.x86_64 0:1.1.1-20.el6_7.1

    Complete!

     

    Section 2.4 of the Oracle Linux 6 Administrator's Guide lists all the Yum commands that are available and provides more detailed explanations of each command.

     

    Exercise: Installing the OSA daemon

     

    By default, the rhnsd daemon on the client connects to Spacewalk every 4 hours to look for scheduled updates or actions. However, Spacewalk includes the OSA daemon which allows Spacewalk to trigger actions immediately on a client. We will install this daemon now so that the following exercises that use the Spacewalk web interface will occur immediately.

     

    From the Terminal, run the following command to install the OSAD daemon:

     

    [root@hol10326 ~]# yum -y install osad
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package osad.noarch 0:5.11.43-1.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ==========================================================================================
     Package      Arch        Version            Repository                          Size
    ==========================================================================================
    Installing:
     osad         noarch      5.11.43-1.el6      ol6_x86_64_spacewalk22_client       76 k

    Transaction Summary
    ==========================================================================================
    Install       1 Package(s)

    Total download size: 76 k
    Installed size: 266 k
    Downloading Packages:
    osad-5.11.43-1.el6.noarch.rpm                                        |  76 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : osad-5.11.43-1.el6.noarch                                            1/1
      Verifying  : osad-5.11.43-1.el6.noarch                                            1/1

    Installed:
      osad.noarch 0:5.11.43-1.el6

    Complete!

     

    Enable the OSA daemon on startup and manually start it now:

     

    [root@hol10326 ~]# chkconfig osad on
    [root@hol10326 ~]# service osad start
    Starting osad:                                             [  OK  ]

     

    Switch back to Firefox and click the hol10326.oracleworld.com server to view its Details screen. On the right-hand side, in the OSA Status box, you should see "online as of unknown". This indicates that the OSA daemon is running. Click Ping System to trigger a ping of the OSA daemon. If you wait a few moments and then refresh the Details tab, the OSA Status should update to indicate how long the OSA daemon has been running.

     

    Once the OSA daemon is confirmed as running, you can move on to the following exercises.

     

    Exercise: Updating packages on the client from Spacewalk

     

    If you're following from the previous exercise, click the Software tab under the hol10326.oracleworld.com heading. Otherwise, navigate to the System tab and click the hol10326.oracleworld.com server first.

     

    The Software tab allows you to list, remove, upgrade, install and verify software packages. You can also see the errata that are applicable to this server. First, we will manually upgrade an existing package.

     

    Click Upgrade Packages. In the list that appears, select a few packages to upgrade. Once you have selected some packages, click the Upgrade Packages button at the bottom of the page. A confirmation page will appear listing the packages scheduled for update. You can choose whether to perform the upgrade as soon as possible, or after a specific time.

     

    Keep in mind that if the OSA daemon is not running on the client server, rhnsd only checks in every 4 hours by default. This means that without the OSA daemon working, some actions could take up to 4 hours to be triggered.

     

    Once you are happy with the package selection, click the Confirm button. You will receive a message indicating that package updates have been scheduled. Click scheduled in the alert message to view the scheduled action. You can monitor this page until the action is completed. Once it has completed, navigate back to the system detail view to confirm that the packages are no longer visible in the list of packages available for upgrade.

     

    Exercise: Updating packages based on an errata notification

     

    An alternative upgrade mechanism is to upgrade packages that resolve specific errata. From the Software tab within the system detail view, click the Errata tab to view the available errata information for this server. This list will display all available errata, but can be filtered to only display security, bug fixes or enhancements.

     

    Use the drop-down box to filter the list to only show security advisories. Enter "critical" into the Filter by Synopsis field and click Go to view only the critical security errata. Click on an errata to view the details. You can also click on the CVE link to go to the Mitre website for information about the particular CVE resolved by this errata. Navigate to the Affected Systems tab to see all the servers that are affected by this advisory. In production, you may have several servers affected by a single advisory and this screen allows you to schedule the patching of multiple servers at once.

     

    In the list, click the checkbox next to the server name and then click Apply Errata. The same confirmation screen appears asking whether to schedule the action for as soon as possible or for some time in the future. Click Confirm to apply the errata as soon as possible.

     

    You can navigate to the Schedule tab on the main menu to monitor the action. While the action is active, it will appear in the Pending Actions list. Once it has completed, it will appear in the Completed Actions list. When the action has completed, navigate back to the errata view under the system details to confirm the errata no longer appears as available for the system.

     

    Exercise: Running a command on the client from Spacewalk

     

    Spacewalk is also capable of running remote commands from the web interface as well as deploying configuration files stored in a central repository. In order to enable this functionality, we need to install the rhncfg client.

     

    To install the rhncfg client, run the following command via the Terminal or use the Install New Software page within the web interface to select and deploy the required packages:

     

    [root@hol10326 ~]# yum install -y rhncfg*
    Loaded plugins: refresh-packagekit, rhnplugin, security, ulninfo
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package rhncfg.noarch 0:5.10.73-1.el6 will be installed
    ---> Package rhncfg-actions.noarch 0:5.10.73-1.el6 will be installed
    ---> Package rhncfg-client.noarch 0:5.10.73-1.el6 will be installed
    ---> Package rhncfg-management.noarch 0:5.10.73-1.el6 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ====================================================================================
     Package              Arch      Version          Repository                     Size
    ====================================================================================
    Installing:
     rhncfg               noarch    5.10.73-1.el6    ol6_x86_64_spacewalk22_client  69 k
     rhncfg-actions       noarch    5.10.73-1.el6    ol6_x86_64_spacewalk22_client  42 k
     rhncfg-client        noarch    5.10.73-1.el6    ol6_x86_64_spacewalk22_client  39 k
     rhncfg-management    noarch    5.10.73-1.el6    ol6_x86_64_spacewalk22_client  48 k

    Transaction Summary
    ====================================================================================
    Install       4 Package(s)

    Total download size: 198 k
    Installed size: 407 k
    Downloading Packages:
    (1/4): rhncfg-5.10.73-1.el6.noarch.rpm                         |  69 kB     00:00
    (2/4): rhncfg-actions-5.10.73-1.el6.noarch.rpm                 |  42 kB     00:00
    (3/4): rhncfg-client-5.10.73-1.el6.noarch.rpm                  |  39 kB     00:00
    (4/4): rhncfg-management-5.10.73-1.el6.noarch.rpm              |  48 kB     00:00
    ------------------------------------------------------------------------------------
    Total                                               5.7 MB/s | 198 kB     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : rhncfg-5.10.73-1.el6.noarch                                     1/4
      Installing : rhncfg-client-5.10.73-1.el6.noarch                              2/4
      Installing : rhncfg-actions-5.10.73-1.el6.noarch                             3/4
      Installing : rhncfg-management-5.10.73-1.el6.noarch                          4/4
      Verifying  : rhncfg-management-5.10.73-1.el6.noarch                          1/4
      Verifying  : rhncfg-5.10.73-1.el6.noarch                                     2/4
      Verifying  : rhncfg-client-5.10.73-1.el6.noarch                              3/4
      Verifying  : rhncfg-actions-5.10.73-1.el6.noarch                             4/4

    Installed:
      rhncfg.noarch 0:5.10.73-1.el6
      rhncfg-actions.noarch 0:5.10.73-1.el6
      rhncfg-client.noarch 0:5.10.73-1.el6
      rhncfg-management.noarch 0:5.10.73-1.el6

    Complete!

     

    Once the rhncfg client is installed, we need to manually configure what actions are permitted to be performed remotely. The following actions are possible:

     

    • deploy a file
    • diff a file
    • upload a file
    • modify the mtime of a file (modified time)
    • execute remote scripts

     

    For the purposes of the lab, we will enable all actions:

     

    [root@hol10326 ~]# rhn-actions-control --enable-all

     

    You can view the currently enabled actions:

     

    [root@hol10326 ~]# rhn-actions-control --report
    deploy is enabled
    diff is enabled
    upload is enabled
    mtime_upload is enabled
    run is enabled
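
    Outside the lab you would normally enable only the actions a host needs, since run lets the Spacewalk server execute scripts on the client. The following added example (not part of the original lab) reads rhn-actions-control --report output and lists every action that is enabled but not on an allowlist; the function names, the allowlist and the embedded sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit which rhncfg remote actions a client permits.
# unexpected_actions is a hypothetical helper. It reads the text produced by
# `rhn-actions-control --report` on stdin and prints each action that is
# enabled but not named in the allowlist given as arguments.
unexpected_actions() {
    allowed=" $* "
    while read -r action is state; do
        # Report lines have the form "<action> is enabled".
        [ "$is" = "is" ] || continue
        [ "$state" = "enabled" ] || continue
        case "$allowed" in
            *" $action "*) ;;                 # permitted by policy
            *) printf '%s\n' "$action" ;;     # enabled but not allowed
        esac
    done
}

# Constructed sample: the report shown above after --enable-all.
SAMPLE_REPORT='deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled'

# Policy assumed for this example: configuration deployment and diff only.
check_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | unexpected_actions deploy diff
}

# On a real client, feed the live report instead of the sample:
#   rhn-actions-control --report | unexpected_actions deploy diff
# and tighten the client with the matching switches, for example:
#   rhn-actions-control --disable-all
#   rhn-actions-control --enable-deploy --enable-diff
```

    An empty result means the client permits nothing beyond the allowlist.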

     

    Now that rhncfg is installed and all actions are enabled, we can trigger a remote action from the web interface. Switch back to Firefox and navigate to the Details tab of the server details view, then click the Remote Command tab.

     

    In the script box, enter the following:

     

    #!/bin/sh
    # Add your shell script below
    uptime
    uname -a

     

    Then click the Schedule Remote Command button. Remote commands use the same scheduling mechanism as package updates, so without the OSA daemon running, it could take up to 4 hours to complete the remote command action. Navigate to the Events tab to view the pending events. If the action does not appear in the pending list, click the History tab. The action should appear at the top of the System History list. Click the action name to view the script and the output.

     

    Exercise: Creating a configuration channel in Spacewalk

     

    Another feature of the rhncfg client is the ability to deploy configuration files from Spacewalk to multiple servers. This requires the creation of one or more configuration channels and configuration files. In this exercise, we will create a configuration channel, a configuration file and deploy it to our client.

     

    Creating a configuration channel and file

     

    First, navigate to the Configuration tab in the main menu, then select Configuration Channels in the left-hand menu. There are no configuration channels created by default. Click create new config channel to start the creation process.

     

    Create a new configuration channel using the following details:

     

    • Name: Generic Configuration
    • Label: ol6_generic_config
    • Description: Generic configuration files for Oracle Linux 6

     

    Once the configuration channel is created, we can add a file. Click the Add Files tab to start the process.

     

    You can add a file in three ways: uploading a file from your workstation, importing a file from a registered client system that has the upload action allowed or by creating a file directly in the interface. In this exercise, we will create a file directly in the interface, so click the Create File tab.

     

    Create a new configuration file using the following details:

     

    • File Type: Text File
    • Filename/Path: /etc/motd
    • Ownership User name: root
    • Ownership Group name: root
    • File Permissions Mode: 644
    • Macro Delimiters: Start Delimiter is {| and End Delimiter is |}
    • File contents: This server is {|rhn.system.hostname|} and it is managed by Spacewalk.

     

    Note that we have used the rhn.system.hostname macro in the configuration file contents. This macro will be replaced by the name of the target server when the configuration file is deployed. Click the Create Configuration File button once you are happy with the settings and content.

     

    Associate the configuration channel with a client server

     

    Navigate to the system detail view, then select the Configuration tab, then the Manage Configuration Channels tab, then the Subscribe to Channels tab. Click the checkbox next to the Generic Configuration channel in the list, then click Continue. If you have multiple configuration channels in your production environment, you can rank the channels in order of priority. This allows you to have generic configuration files as well as more specific versions. As we only have a single configuration channel in this exercise, click the Update Channel Rankings button to confirm the subscription. The Generic Configuration channel should now appear in the list of Configuration Channels for this server.

     

    Deploying a configuration file to the client

     

    Switch to the Deploy Files tab to list the available files. Select the checkbox next to the /etc/motd file and click the Deploy Files button. On the confirmation screen, ensure it's scheduled to deploy as soon as possible then click the Schedule Deploy button.

     

    To confirm that the file has been deployed successfully and that the macro has been replaced properly during the deployment, run the following command via a Terminal:

     

    [root@hol10326 ~]# cat /etc/motd
    This server is hol10326.oracleworld.com and it is managed by Spacewalk.

     

    Exercise: Run OpenSCAP auditing via Spacewalk

     

    The final exercise is to configure and run an audit using the OpenSCAP tools. This example uses the scap-security-guide provided with Oracle Linux. You can use any OpenSCAP compliant XCCDF and OVAL files in your own environment.

     

    To begin the auditing process, navigate to the Audit tab of the system detail view, then click the Schedule tab. Spacewalk will inform you that in order to run OpenSCAP scans, the spacewalk-oscap package needs to be installed. Using what you've learnt in previous exercises, install the spacewalk-oscap and scap-security-guide packages either using yum or via the Spacewalk web interface.

     

    Once the spacewalk-oscap and scap-security-guide packages and their dependencies are installed, refresh the Schedule New XCCDF Scan page in Firefox. You should now be able to schedule a scan using the following parameters:

     

    • Command-line Arguments: --profile server --cpe /usr/share/xml/scap/ssg/content/ssg-rhel6-cpe-dictionary.xml
    • Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

     

    Click the Schedule button once you've completed the fields. It can take several minutes to complete the scan. Navigate to the List Scans tab to view the completed scans. You can then review the results and filter on pass or failed results. You can also schedule regular scans to ensure that no security regressions occur.
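
    To triage the same pass and fail results outside the web interface, the following added example (not part of the original lab) lists failed rules and counts outcomes in an XCCDF results file, such as one written by oscap xccdf eval with --results. The function names and the sample XML with its rule ids are constructed, and the parsing assumes the one-element-per-line layout of that output.

```shell
#!/bin/sh
# Added example: summarise rule outcomes from an XCCDF results file.
# Assumption: each <rule-result> and <result> element sits on its own line.
# This is a triage aid for that layout, not a general XML parser.

# Print "<result> <rule id>" for every rule-result element read from stdin.
rule_results() {
    awk '
        /<rule-result[ >]/ {
            id = $0
            sub(/.*idref="/, "", id)
            sub(/".*/, "", id)
        }
        /<result>/ && id != "" {
            res = $0
            sub(/.*<result>/, "", res)
            sub(/<\/result>.*/, "", res)
            print res, id
            id = ""
        }
    '
}

# Rule ids whose result is "fail".
failed_rules() { rule_results | awk '$1 == "fail" { print $2 }'; }

# Number of rules with the given result (pass, fail, notselected, ...).
count_result() {
    rule_results | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# Constructed sample; the rule ids are placeholders, not real SSG rule names.
SAMPLE_RESULTS='<TestResult id="example">
  <rule-result idref="example_rule_a" severity="low">
    <result>pass</result>
  </rule-result>
  <rule-result idref="example_rule_b" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="example_rule_c" severity="low">
    <result>notselected</result>
  </rule-result>
  <rule-result idref="example_rule_d" severity="high">
    <result>fail</result>
  </rule-result>
</TestResult>'

sample_failed() { printf '%s\n' "$SAMPLE_RESULTS" | failed_rules; }
sample_count()  { printf '%s\n' "$SAMPLE_RESULTS" | count_result "$1"; }

# Real use, with results.xml written by `oscap xccdf eval ... --results results.xml`:
#   failed_rules < results.xml
```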