1 Installing and Upgrading Oracle Linux Manager Servers
This chapter describes how to install and upgrade Oracle Linux Manager servers.
For information about the types of support that Oracle provides for Oracle Linux Manager 2.10, refer to the About Oracle Linux Manager Server and Client Support section of the Oracle Linux Manager: Release Notes for Release 2.10.
Oracle Linux Manager Server Requirements
As the primary component in the entire setup, the Oracle Linux Manager server has several sets of requirements that it must meet to efficiently manage the client systems that are registered to it.
Oracle Linux Requirements
Complete the following requirements for the designated Oracle Linux Manager server:
- Install Oracle Linux 7 by using either the Minimal or Basic Server profile.
- Before installing Oracle Linux Manager, remove the jta package, which prevents Oracle Linux Manager services from starting.
- Use only those packages that are provided by Oracle from the Oracle Linux yum server at https://yum.oracle.com. No third-party package repositories are required.
- Update your system with the latest packages from the Oracle Linux yum server.
- Do not register an Oracle Linux Manager 2.10 server or client with ULN. Instead, register an Oracle Linux Manager 2.10 server as a client of itself to receive updates.
Memory Requirements
An Oracle Linux Manager server should have a minimum of 8 GB of memory. If the server also runs the database that stores the Oracle Linux Manager repository, this memory requirement is in addition to what is required to run the database.
In large deployments where Oracle Linux Manager server services and maintains a large number of clients, custom channels, and so on, consider installing 16 GB of RAM. Increasing RAM improves performance in operations such as building repositories, which requires sizeable amounts of memory. See Memory Considerations When Building Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10.
Storage Requirements
To preserve errata mapping, by default, Oracle Linux Manager maintains all of the available versions of available packages in each software channel that you configure. As a result, the storage requirements for an Oracle Linux Manager server can be significant, depending on the number of major versions and architectures that you choose to support. Typically, the Oracle Linux binary repositories require approximately 60 GB for each combination of Oracle Linux release and architecture. An extra 40 GB is required for source packages and 80 GB is required for Ksplice updates for each combination of Oracle Linux release and architecture.
With Oracle Linux Manager 2.10, you can reduce the storage requirements considerably by using the following command when synchronizing packages:
sudo spacewalk-repo-sync --latest
The server then synchronizes only the latest packages that are available at the time of synchronization. It does not remove older packages from the channel.
Caution:
If the synchronization interval is large, you might miss a particular version of a package. Errata handling, which manages errata that are associated with specific package versions, would be affected. If errata consistency is important to you, Oracle recommends that you do not use the --latest option. However, using the option with a Ksplice channel is an exception because its packages are always cumulative.
Important:
DO NOT use the --latest option when synchronizing module-enabled channels such as ol8_AppStream. The mechanism that underlies this option is not module-aware and if used, will skip required packages.
An Oracle Linux Manager server stores the packages that it hosts under the /var/satellite/redhat directory hierarchy. You should plan how to best configure the /var file system before installing Oracle Linux Manager. For example, if you set up /var as an ext4 or XFS file system by using Logical Volume Manager (LVM), you can expand the storage when required.
Packages are never removed from Oracle Linux repositories. Thus, the space that is required for each repository always increases. You should actively monitor the available disk space on the server.
Networking Requirements
The following are network requirements to install an Oracle Linux Manager server:
- Static IP address
- Correctly configured forward and reverse DNS host name, with the following specifications:
  Caution:
  Noncompliance with these specifications for the server's host name can cause Oracle Linux Manager to fail in proxy communications, inter-server synchronization (ISS), certificate validation, and other areas of operation.
  - The host name of the server must not contain uppercase letters.
  - While the /etc/hostname file contains the short name of the host, the /etc/hosts file must specify the host's FQDN, as shown in the following example:
    cat /etc/hostname
    olmsvr
    cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.1.3 olmsvr.mydom.com olmsvr
    Note that Oracle Linux Manager does not consider .local and .localdomain to be valid domain names.
- Port numbers
  The following table describes the network ports that an Oracle Linux Manager server uses, depending on its configuration.

  | Port/Protocol | Direction | Purpose |
  |---|---|---|
  | 69/udp | Inbound | TFTP (if PXE provisioning support is required) |
  | 80/tcp | Inbound and outbound | HTTP access |
  | 443/tcp | Inbound and outbound | HTTPS access |
  | 5222/tcp | Inbound | Push support to Oracle Linux Manager clients (if required) |
  | 5269/tcp | Inbound | Push support to Oracle Linux Manager proxies (if required) |

- Configured network time synchronization
  Configure Oracle Linux Manager server, proxies, and clients to use a network time synchronization mechanism such as the Network Time Protocol (NTP) or the Precision Time Protocol (PTP). To establish a Secure Socket Layer (SSL) based connection, Oracle Linux Manager requires that the system times on server and client systems be consistent to within 120 seconds.
  For more information, see Configuring Network Time in Oracle Linux 7: Setting Up Networking.
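The host name specifications listed under the networking requirements can be checked before the installer is run. The following is an added example, not part of Oracle's documentation: the function names hosts_fqdn and check_server_name are hypothetical, and the hosts file used in the demonstration is constructed from the sample values on this page.

```shell
#!/bin/sh
# Added example (not Oracle-provided). Function names are hypothetical.

# Print the FQDN that hosts file $2 maps to short host name $1, ignoring
# comments and loopback entries. Prints nothing if no FQDN entry exists.
hosts_fqdn() {
    awk -v short="$1" '
        { sub(/#.*/, "") }
        NF < 2 || $1 ~ /^127\./ || $1 == "::1" { next }
        {
            for (i = 2; i <= NF; i++)
                if (index(tolower($i), tolower(short) ".") == 1) { print $i; exit }
        }
    ' "$2"
}

# Return 0 when short name $1 and hosts file $2 meet the specifications:
# no uppercase letters, short name in /etc/hostname, FQDN in /etc/hosts,
# and a domain other than .local or .localdomain. Otherwise print the
# first violation found and return 1.
check_server_name() {
    short=$1
    fqdn=$(hosts_fqdn "$short" "$2")
    case $short in
        *[[:upper:]]*)
            echo "host name '$short' contains uppercase letters"; return 1 ;;
        *.*)
            echo "'$short' is not a short name"; return 1 ;;
    esac
    if [ -z "$fqdn" ]; then
        echo "no FQDN for '$short' on a non-loopback line of the hosts file"
        return 1
    fi
    case $fqdn in
        *[[:upper:]]*)
            echo "FQDN '$fqdn' contains uppercase letters"; return 1 ;;
        *.local|*.localdomain)
            echo "FQDN '$fqdn' uses a domain that is not considered valid"; return 1 ;;
    esac
    return 0
}

# Constructed sample that mirrors the /etc/hosts example on this page.
sample_hosts=$(mktemp)
cat > "$sample_hosts" <<'EOF'
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.3 olmsvr.mydom.com olmsvr
EOF
check_server_name olmsvr "$sample_hosts" && echo "olmsvr: host name configuration OK"
check_server_name OLMsvr "$sample_hosts" || true
rm -f "$sample_hosts"

# On a real server: check_server_name "$(cat /etc/hostname)" /etc/hosts
```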
Database Requirements and Configuration Instructions
Oracle supports only Oracle Database for use with Oracle Linux Manager. Thus, while you can use PostgreSQL with the software, this setup is not covered by Oracle support. Additionally, Oracle does not provide any tools for migrating from an unsupported database.
In general, you should use supported Oracle databases when using Oracle Linux Manager 2.10. For specific supported versions, see Oracle Database Support in Oracle Linux Manager: Release Notes for Release 2.10. Oracle provides a restricted-use license for the use of Oracle Database Enterprise Edition with Oracle Linux Manager 2.10 for Oracle Linux support customers.
For more information about Oracle licenses, see Oracle Linux 7: Licensing Information User Manual.
Important:
Providing comprehensive information about operating supported databases is outside the scope of this documentation. For any database operation such as installation, configuration, upgrade, and other related tasks, consult your Oracle Database administrator and the Oracle Database documentation at https://docs.oracle.com/en/database/database.html.
Oracle Database Installation Requirements
Prior to installing Oracle Linux Manager server, you must install an Oracle Database server, make this server available, and ensure that it is operational.
You can download Oracle database software from Oracle at https://www.oracle.com/database/technologies/oracle-database-software-downloads.html.
The following database installation requirements apply to Oracle Linux Manager server installations:
- For fresh installations of the server, use Oracle Database Enterprise edition 19c or Oracle Database Enterprise edition 12c.
- For upgrades to the server, Oracle strongly suggests that you use Oracle Database Enterprise edition 19c.
Database Sizing Requirements
When determining the amount of space Oracle Linux Manager database requires, be sure to include sizing estimates in your overall calculation for the following:
- Number of client systems that will be served by the server (typically, 250 KiB per client system).
- Number of channels allocated to each client system (about 500 KiB per channel).
- Number of packages that each channel will contain (approximately 230 KiB per package in the channel; a channel with 5000 packages would require 1.1 GiB).
For example, if you have a large Oracle Linux Manager server that is serving 10,000 systems, and each system has four channels containing 12,000 packages per channel, then 2.5 GiB would be required for the clients, and 11 GiB would be required for the channels.
Oracle Database Configuration
The following are general guidelines for configuring Oracle Database. You can perform these steps during or after the database installation. Always consult with your Oracle database administrator for matters related to installing or configuring the database for your particular environment.
- The database must use the AL32UTF8 character set that supports Unicode.
- The database must have an Oracle Linux Manager user.
  For every Oracle Linux Manager server that shares the same database server, you must create a separate Oracle Linux Manager user.
- The Oracle Linux Manager user must be assigned the CONNECT and RESOURCE roles.
- The Oracle Linux Manager user must have the following system privileges:
  - ALTER SESSION
  - CREATE SYNONYM
  - CREATE TABLE
  - CREATE TRIGGER
  - CREATE VIEW
  - UNLIMITED TABLESPACE
  - SELECT ON V_$PARAMETER
Creating an Oracle Linux Manager User on an On-Premise Database
The steps to follow depend on whether you connect to the container database first or directly to the pluggable database.
For all cases, you must log in to your Oracle account first before performing these steps.
- If you are connecting to the container database first, choose one of the following methods:
  - Running the ALTER SESSION command before creating the user
    - Log in to the container database as a database administrator (typically, SYS or SYSDBA).
      cd $ORACLE_HOME/bin
      sqlplus / as SYSDBA
    - Type the following command:
      SQL> ALTER SESSION SET CONTAINER = DEVPDB;
    - For each Oracle Linux Manager user that you need to set up, run the following commands:
      SQL> create user olm_user identified by olm_passwd;
      SQL> grant connect,resource to olm_user;
      SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user;
      SQL> grant select on v_$parameter to olm_user;
      SQL> grant unlimited tablespace to olm_user;
  - Creating the user directly
    - Log in to the container database as a database administrator (typically, SYS or SYSDBA).
      cd $ORACLE_HOME/bin
      sqlplus / as SYSDBA
    - For each Oracle Linux Manager user that you need to set up, run the following commands:
      Important:
      Make sure to use the required c## prefix for the user name.
      SQL> create user c##olm_user identified by olm_passwd;
      SQL> grant connect,resource to c##olm_user;
      SQL> grant alter session, create synonym, create table, create trigger, create view to c##olm_user;
      SQL> grant select on v_$parameter to c##olm_user;
      SQL> grant unlimited tablespace to c##olm_user;
- If you are connecting directly to the pluggable database:
  - Log in to the PDB as a database administrator (typically, SYS or SYSDBA).
    cd $ORACLE_HOME/bin
    sqlplus / as SYSDBA
  - For each Oracle Linux Manager user that you need to set up, run the following commands:
    SQL> create user olm_user identified by olm_passwd;
    SQL> grant connect,resource to olm_user;
    SQL> grant alter session, create synonym, create table, create trigger, create view to olm_user;
    SQL> grant select on v_$parameter to olm_user;
    SQL> grant unlimited tablespace to olm_user;
Installing Oracle Linux Manager Server
Follow these steps to install Oracle Linux Manager server software:
- Ensure that the Oracle Database is running.
- Install Oracle Instant Client.
  - Download the latest 18.5 release of the following Instant Client RPM packages.
    - Instant Client Package (Basic)
    - Instant Client Package (SQL*Plus)
    The packages can be downloaded from https://www.oracle.com/database/technologies/instant-client.html.
  - Install the Instant Client packages.
    sudo yum install oracle-instantclient18.5-basic-18.5.0.0.0-3.x86_64.rpm oracle-instantclient18.5-sqlplus-18.5.0.0.0-3.x86_64.rpm
  - Add the library path to ldconfig.
    echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf
    sudo ldconfig
- Ensure that the jta package is not installed.
  - Remove the jta package if it is installed on the system.
    sudo yum list installed | grep jta
    sudo yum remove jta
  - To prevent any future accidental installation of the package, do one of the following:
    - Add the jta package to the exclude directive in the /etc/yum.conf file as follows:
      exclude=jta*
    - Disable the Oracle Linux 7 addons channel ([ol7_addons]).
      sudo yum-config-manager --disable ol7_addons
- Configure the system firewall.
  sudo firewall-cmd --permanent --add-port=69/udp
  sudo firewall-cmd --permanent --add-port=80/tcp
  sudo firewall-cmd --permanent --add-port=443/tcp
  sudo firewall-cmd --permanent --add-port=5222/tcp
  sudo firewall-cmd --permanent --add-port=5269/tcp
  sudo systemctl reload firewalld
- Install the latest oracle-release-el7 package.
  sudo yum install oracle-release-el7
  If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration.
  sudo /usr/bin/ol_yum_configure.sh
- Install and enable the Oracle Linux Manager yum repository.
  sudo yum install oracle-linux-manager-server-release-el7
  sudo yum-config-manager --enable ol7_optional_latest
- Install the following packages for enabling Oracle Linux Manager server to use Oracle Database.
  sudo yum install spacewalk-oracle spacecmd spacewalk-utils
  Note:
  As part of the Oracle Linux Manager installation process, all of the Oracle Linux yum server configuration, as well as ULN configuration, is disabled. After the installation, Oracle Linux Manager handles this configuration.
  If you need to re-enable yum repository configuration after an installation, but before you have configured any repositories in Oracle Linux Manager, you can temporarily rename any affected yum repository configuration files to enable them again, for example:
  sudo mv /etc/yum.repos.d/oracle-linux-ol7.repo.rpmsave /etc/yum.repos.d/oracle-linux-ol7.repo
  Remember to disable the yum repository configuration files again after you have configured repositories within Oracle Linux Manager.
- Configure Oracle Linux Manager to use the Oracle Database.
  sudo spacewalk-setup --external-oracle
  The command initiates an interactive session that prompts you for information about your current database.
  - Global Database Name or SID
    Name of the database when it was set up. If necessary, inquire with your database administrator for the information.
  - Database hostname [localhost]
    FQDN of the database system if that system is separate from Oracle Linux Manager server. Otherwise, this prompt is skipped.
  - Username and Password
    Credentials of the database Oracle Linux Manager user.
    Caution:
    The user name you specify must match the name you previously created when following the steps in Oracle Database Configuration. For example, if the name has the c## prefix, that name must also be specified here.
  - Admin Email Address
    Email address of the Oracle Linux Manager administrator.
  - Organization
    Name of your Oracle Linux Manager organization.
  - Organization Unit
    Oracle Linux Manager server's FQDN.
  - Email address
    Email address of person managing the certificates, if different from the Admin Email Address.
  - Location prompts
    Information identifying the location of Oracle Linux Manager server.
  The following is an example of the interactive session:
  sudo spacewalk-setup --external-oracle
  * Setting up SELinux..
  * Setting up Oracle environment.
  * Setting up database.
  ** Database: Setting up database connection for Oracle backend.
  Global Database Name or SID (requires tnsnames.ora)? company.mydom.com
  Database hostname [localhost]? olmmanager-db.mydom.com
  Username? olm_user
  Password? olm_passwd
  ** Database: Testing database connection.
  ** Database: Populating database.
  *** Progress: ############################################################
  * Configuring tomcat.
  * Setting up users and groups.
  ** GPG: Initializing GPG and importing key.
  ** GPG: Creating /root/.gnupg directory
  You must enter an email address.
  Admin Email Address? my.email@mydom.com
  * Performing initial configuration.
  ** Package installation: Locking required rpm versions.
  * Configuring apache SSL virtual host.
  Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? y
  ** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
  * Configuring jabberd.
  * Creating SSL certificates.
  CA certificate password? cert_passwd
  Re-enter CA certificate password? cert_passwd
  Cname alias of the machine (comma separated)?
  Organization? Company Demo
  Organization Unit [olmsvr.mydom.com]? olmsvr.mydom.com
  Email Address [your.email@domain.com]? my.email@mydom.com
  City? city
  State? state
  Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? country
  ** SSL: Generating CA certificate.
  ** SSL: Deploying CA certificate.
  ** SSL: Generating server certificate.
  ** SSL: Storing SSL certificates.
  * Deploying configuration files.
  * Update configuration in database.
  * Setting up Cobbler..
  Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? y
  * Restarting services.
  Installation complete.
  Visit https://olmsvr.mydom.com to create the Oracle Linux Manager administrator account.
- Verify that Oracle Linux Manager services are running.
  The status of each service is displayed, as in the following example:
  sudo /usr/sbin/spacewalk-service status
  ● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-01-16 22:37:14 UTC; 18h ago
     Main PID: 29861 (java)
     CGroup: /system.slice/tomcat.service
             └─29861 /usr/lib/jvm/jre/bin/java -ea -Xms256m -Xmx256m -Djava.awt.headless=true -Dorg.xml.sax.driver=org.apache.xerces.parsers.SAXParser - ...
  ● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
     Docs: man:httpd(8)
           man:apachectl(8)
     Main PID: 30034 (httpd)
     Status: "Total requests: 2504; Current requests/sec: 0; Current traffic: 0 B/sec"
     CGroup: /system.slice/httpd.service
             ├─30034 /usr/sbin/httpd -DFOREGROUND
             ├─30036 /usr/sbin/httpd -DFOREGROUND
             ...
  ● rhn-search.service - Oracle Linux Manager search engine
     Loaded: loaded (/usr/lib/systemd/system/rhn-search.service; enabled; vendor preset: disabled)
     Active: inactive (dead) since Thu 2020-01-16 22:37:32 UTC; 18h ago
     Process: 30181 ExecStop=/usr/sbin/rhn-search stop (code=exited, status=0/SUCCESS)
     Process: 30040 ExecStart=/usr/sbin/rhn-search start (code=exited, status=0/SUCCESS)
     Main PID: 30073 (code=exited, status=0/SUCCESS)
  ● cobblerd.service - Cobbler daemon
     Loaded: loaded (/usr/lib/systemd/system/cobblerd.service; enabled; vendor preset: disabled)
     Active: active (running) since Thu 2020-01-16 22:37:28 UTC; 18h ago
     Main PID: 30038 (cobblerd)
     CGroup: /system.slice/cobblerd.service
             └─30038 /usr/bin/python2 -s /usr/bin/cobblerd --no-daemonize
  ...
- At the completion of the installation, ensure that only the following repositories are enabled on the system:
  - UEKR5 or UEKR6
  - ol7_latest
  - ol7_optional_latest
  - ol7_oraclelinuxmanager210_client
  - ol7_oraclelinuxmanager210_server
  You can verify enabled repositories by running the following command:
  sudo yum repolist
Configuring a Newly Installed Oracle Linux Manager Server
Of the configuration tasks described in this section, configuring the initial organization and the Oracle Linux Manager administrator is mandatory. The other tasks are optional but recommended.
Creating the Initial Organization and Oracle Linux Manager Administrator Account
After completing the installation, you must create an initial organization and the main Oracle Linux Manager administrator account.
For more information about the concept of organization, see Oracle Linux Manager: Concepts Guide for Release 2.10.
- Open a browser and access Oracle Linux Manager server's URL, which is the server's FQDN, such as https://olmsvr.mydom.com.
- If prompted, select to trust the SSL certificate.
  The Create Organization page opens automatically.
- Enter the required values in the appropriate fields to create the organization and its administrator.
- Click Create Organization.
The administrator you created is automatically logged in and the Overview page is displayed.
Use the web interface to perform additional configuration tasks. For example, see Setting Up Primary-Worker Configurations With Oracle Linux Manager Web Interface as well as Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10.
Replacing a Self-Signed SSL Certificate
You can use certificates for individual Oracle Linux Manager servers or proxies. Alternatively, you can also use wildcard certificates for all Oracle Linux Manager servers or proxies in the domains that the wildcard certificates cover.
The following procedure describes how to replace self-signed certificates or expired CA-signed certificates with certificates that have been signed by a Certificate Authority (CA).
- Create a backup of the system's existing SSL configuration.
  sudo tar -cvf SSLconfig.tar /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub
- Obtain a server certificate by using one of the following methods:
  - Obtain a server certificate from a CA and install this certificate in the SSL build hierarchy on the system:
    - Send the Certificate Signing Request (CSR) file /root/ssl-build/olmsvr/server.csr to the CA, where olmsvr is the simple name, not the FQDN, of Oracle Linux Manager server or the proxy.
      After validating your request, the CA returns a signed server certificate file.
    - Create a backup of the signed server certificate file.
    - If necessary, convert the certificate to a Privacy Enhanced Mail (PEM) format.
      - If your certificate is DER-formatted, convert it to PEM format.
        sudo openssl x509 -inform der -text -in certificate_file
        Readable content
        sudo openssl x509 -inform der -in server.cer -out server.pem
      - If a PEM-formatted certificate is not generated from a Linux or UNIX based system, remove ^M characters that might exist in that certificate.
        sudo sed -i -e 's/\r//' server.pem
        As an alternative, you can also run the following command, provided you installed the dos2unix package:
        sudo dos2unix server.pem
    - Copy the PEM-formatted server certificate file to /root/ssl-build/olmsvr/server.crt.
      sudo cp server.pem /root/ssl-build/olmsvr/server.crt
      This command overwrites the original file in that destination directory.
  - Obtain a server certificate using an external tool:
    - Obtain both the private key and the signed certificate from the external tool in PEM format, then copy both to /root/ssl-build/olmsvr.
    - If the private key has an existing password, replace that key as follows:
      sudo openssl rsa -in keyfilewithpasswd.key -out /root/ssl-build/olmsvr/server.key
      This step ensures that Oracle Linux Manager services can start unattended.
- Add the CA public certificate to the /root/ssl-build directory as the RHN-ORG-TRUSTED-SSL-CERT file by using one of the following methods:
  - If available, obtain the CA chain certificate from the CA that issued the server certificate. Copy this certificate file to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT:
    sudo cp ca_chain.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
  - If the CA chain certificate is not available from the issuing CA, create the CA chain certificate as follows:
    - Obtain the root CA public certificate and the intermediate CA public certificates from the issuing CA.
    - Concatenate the two certificates you just downloaded to /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT.
      Use the following command exactly as shown:
      cat intermediate_ca.pem root_ca.pem | sudo tee /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT > /dev/null
      - intermediate_ca.pem: intermediate public certificate file of the CA that issued your server certificate
      - root_ca.pem: public certificate file of the root CA
      In the chain certificate, the intermediate certificate must precede the certificate of the root CA. The CA chain certificate does not work if its component certificates are not in the correct order.
      Note:
      In the rare case where a root CA signed the server certificate directly, then only the root_ca.pem would be contained in the chain certificate:
      sudo cp root_ca.pem /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
- Validate the server certificate against the CA public certificate.
  sudo openssl verify -CAfile /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/olmsvr/server.crt
  If the command returns an error, verify that you correctly created RHN-ORG-TRUSTED-SSL-CERT and also verify that the date and time on the server are configured correctly.
- Store the CA public certificate in the Oracle Linux Manager database so that it is available for provisioning client systems.
  sudo rhn-ssl-dbstore -v --ca-cert=/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
  If the command returns an error, run the command again, specifying a higher level of debugging, such as -vvv, to gather more information about the problem.
- Prepare the web server SSL package for installation:
  - Generate the web server SSL package, for example:
    sudo rhn-ssl-tool --gen-server --rpm-only --dir /root/ssl-build
    ...working...
    Generating web server's SSL key pair/set RPM:
        /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm
        /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
    The most current Oracle Linux Manager Proxy Server installation process against RHN hosted requires the upload of an SSL tar archive that contains the CA SSL public certificate and the web server's key set.
    Generating the web server's SSL key set and CA SSL public certificate archive:
        /root/ssl-build/olmsvr/rhn-org-httpd-ssl-archive-olmsvr-1.0-rev.tar
    Deploy the server's SSL key pair/set RPM:
        (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
        The "noarch" RPM needs to be deployed to the machine working as a web server, or Red Hat Satellite, or Oracle Linux Manager Proxy. Presumably 'olmsvr.mydom.com'.
  - (Optional) List the files that the packages install.
    See the following two examples:
    sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.src.rpm
    rhn-org-httpd-ssl-key-pair-olmsvr-1.0.tar.gz
    rhn-org-httpd-ssl-key-pair-olmsvr.spec
    sudo rpm -qlp /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
    /etc/httpd/conf/ssl.crt/server.crt
    /etc/httpd/conf/ssl.csr/server.csr
    /etc/httpd/conf/ssl.key/server.key
    /etc/pki/spacewalk/jabberd/server.pem
  - Install the web server SSL noarch package.
    sudo yum install /root/ssl-build/olmsvr/rhn-org-httpd-ssl-key-pair-olmsvr-1.0-rev.noarch.rpm
- Generate the public CA certificate package and make both the package and the CA public certificate file available to clients.
  - Generate the public CA certificate package, for example:
    sudo rhn-ssl-tool --gen-ca --dir=/root/ssl-build --rpm-only
    ...working...
    Generating CA public certificate RPM:
        /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm
        /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    Make the public CA certificate publicly available:
        (NOTE: the Red Hat Satellite or Proxy installers may do this step for you.)
        The "noarch" RPM and raw CA certificate can be made publicly accessible by copying it to the /var/www/html/pub directory of your Red Hat Satellite or Proxy server.
  - (Optional) List the files that the packages install.
    The following are two examples:
    sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.src.rpm
    rhn-org-trusted-ssl-cert-1.0.tar.gz
    rhn-org-trusted-ssl-cert.spec
    sudo rpm -qlp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
  - If an Oracle Linux Manager server or proxy is also configured as a client, install the public CA certificate noarch package on this system.
    sudo yum install /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
    The public CA certificate is installed as /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT.
  - Copy the rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm package and CA public certificate file to /var/www/html/pub for access by clients.
    sudo cp /root/ssl-build/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm /var/www/html/pub
    sudo cp /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub
  - Verify that the digests of the installed copies of RHN-ORG-TRUSTED-SSL-CERT in the different locations are identical. The locations are /root/ssl-build, /usr/share, and /var/www/html/pub, for example:
    sudo sha1sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    74380a372bfa55d8ab7579bf01502c874b8aae84 /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    74380a372bfa55d8ab7579bf01502c874b8aae84 /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    74380a372bfa55d8ab7579bf01502c874b8aae84 /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
- On an Oracle Linux Manager server, stop Oracle Linux Manager services, clear the jabberd database, then restart the services.
  sudo /usr/sbin/spacewalk-service stop
  sudo rm -Rf /var/lib/jabberd/db/*
  sudo /usr/sbin/spacewalk-service start
- On Oracle Linux Manager proxies, restart the proxy services.
  sudo /usr/sbin/rhn-proxy restart
- On the remaining Oracle Linux Manager clients, download and install the public CA certificate package.
  sudo wget https://olmsvr/pub/rhn-org-trusted-ssl-cert-1.0-rev.noarch.rpm
Note:
If you subsequently replace the server certificate because it is revoked or expired, you do not need to update the public CA certificate on the clients unless you change the CA that signs the server certificate.
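The chain-order rule for RHN-ORG-TRUSTED-SSL-CERT and the digest comparison of its copies, both from the procedure above, can be checked mechanically before the certificate is distributed. This is an added example, not Oracle's tooling: the function names are hypothetical, the certificates are throwaway ones generated on the spot with openssl, and SHA-256 is used in place of the SHA-1 digest shown in the procedure.

```shell
#!/bin/sh
# Added example (not Oracle-provided). Function names are hypothetical.

# Split PEM bundle $1 into $2/cert-1.pem, $2/cert-2.pem, ... in file order.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
    ' "$1"
}

# Return 0 when every certificate in bundle $1 was issued by the certificate
# that follows it and the last one is self-issued (the root CA), that is,
# intermediate certificates first and the root CA last.
# Return 1 for a wrong order, 2 when no certificate could be read.
chain_order_ok() {
    work=$(mktemp -d) || return 2
    split_bundle "$1" "$work"
    rc=0
    i=1
    [ -f "$work/cert-1.pem" ] || rc=2
    while [ "$rc" -eq 0 ] && [ -f "$work/cert-$i.pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$work/cert-$i.pem" 2>/dev/null) \
            || { rc=2; break; }
        next=$((i + 1))
        if [ -f "$work/cert-$next.pem" ]; then
            # Not the last entry: its issuer must be the next entry's subject.
            expected=$(openssl x509 -noout -subject_hash -in "$work/cert-$next.pem" 2>/dev/null) \
                || { rc=2; break; }
        else
            # Last entry: must be self-issued.
            expected=$(openssl x509 -noout -subject_hash -in "$work/cert-$i.pem" 2>/dev/null) \
                || { rc=2; break; }
        fi
        [ "$issuer" = "$expected" ] || rc=1
        i=$next
    done
    rm -rf "$work"
    return "$rc"
}

# Return 0 when all files given as arguments have the same SHA-256 digest.
copies_identical() {
    [ "$#" -ge 2 ] || return 2
    for f in "$@"; do
        [ -r "$f" ] || return 2
    done
    count=$(sha256sum "$@" | awk '{ print $1 }' | sort -u | wc -l)
    [ "$count" -eq 1 ]
}

# Build a constructed two-level PKI (root and intermediate CA) in directory $1.
make_sample_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root_ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root_ca.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -out "$1/intermediate_ca.pem" 2>/dev/null
}

# Demonstration on constructed data.
demo=$(mktemp -d)
make_sample_pki "$demo" || { echo "openssl could not build the sample PKI"; exit 1; }
cat "$demo/intermediate_ca.pem" "$demo/root_ca.pem" > "$demo/chain-ok.pem"
cat "$demo/root_ca.pem" "$demo/intermediate_ca.pem" > "$demo/chain-reversed.pem"
cp "$demo/chain-ok.pem" "$demo/pub-copy.pem"
chain_order_ok "$demo/chain-ok.pem" && echo "chain-ok.pem: intermediate precedes root"
chain_order_ok "$demo/chain-reversed.pem" || echo "chain-reversed.pem: wrong order"
copies_identical "$demo/chain-ok.pem" "$demo/pub-copy.pem" && echo "copies are identical"
rm -rf "$demo"
```

openssl verify -CAfile loads the file as a set of trusted certificates and accepts them in either order, so a passing openssl verify does not confirm the ordering that the chain file needs.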
Configuring a Web Proxy for an Oracle Linux Manager Server
If needed, configure the web proxy by using one of the following methods after you have installed Oracle Linux Manager:
- Edit the /etc/rhn/rhn.conf file and configure the specific web proxy parameters as shown by the following settings:
  server.satellite.http_proxy = webproxy.mydom.com:80
  server.satellite.http_proxy_username = proxy-username
  server.satellite.http_proxy_password = proxy-password
- In the Oracle Linux Manager web interface, select the Admin tab, then Oracle Linux Manager Configuration, and enter the appropriate values to the HTTP proxy fields.
Upgrading to Oracle Linux Manager Server
This section provides information for upgrading Spacewalk 2.7 server to Oracle Linux Manager 2.10.
Attention:
If you are currently running earlier Spacewalk versions, such as Spacewalk 2.4 or Spacewalk 2.6, you must first upgrade to Spacewalk 2.7 before proceeding with the steps in this section. For instructions, see Upgrading a Spacewalk Server in Spacewalk for Oracle® Linux: Installation Guide for Release 2.7.
Preparing to Upgrade
You must use Oracle databases that are supported in Oracle Linux Manager. For a list of supported databases in Oracle Linux Manager 2.10, see Oracle Database Support in Oracle Linux Manager: Release Notes for Release 2.10.
Before you upgrade, check the following elements in their respective XML files:
-
<driver>
in the/etc/jabberd/sm.xml
file -
<module>
in the/etc/jabberd/c2s.xml
file
If both elements in the two files specify
sqlite
, you can proceed to
Performing the Upgrade. If not, then complete the
following steps:
-
Stop the osa-dispatcher and jabberd services.
sudo systemctl stop osa-dispatcher
sudo systemctl stop jabberd
-
Specify sqlite for the <driver> and <module> elements in the files as shown:
-
/etc/jabberd/sm.xml: <driver>sqlite</driver>
-
/etc/jabberd/c2s.xml: <module>sqlite</module>
-
Create the SQLite database.
sudo sqlite3 /var/lib/jabberd/db/sqlite.db < /usr/share/jabberd/db-setup.sqlite
sudo chown jabber:jabber /var/lib/jabberd/db/sqlite.db
-
Start the jabberd and osa-dispatcher services.
sudo systemctl start jabberd
sudo systemctl start osa-dispatcher
-
Check /var/log/messages to ensure that SQLite is being used.
sudo cat /var/log/messages | grep sqlite
-
On client servers, make the osad service re-authenticate to jabberd.
If you previously registered client servers on which you then installed the osad service, remove the osad-auth.conf file first before restarting the service, as follows:
sudo systemctl stop osad
sudo rm -f /etc/sysconfig/rhn/osad-auth.conf
sudo systemctl start osad
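The check of the <driver> and <module> elements described at the start of this section can be scripted. The following is an added example, not part of the Oracle documentation: the function names are hypothetical, the sample files are constructed, and it assumes each element opens and closes on one line. Text inside XML comments is skipped so that a commented-out value is not mistaken for the active one.

```shell
# Print the text of the first <tag>...</tag> element in file $1 ($2 = tag name),
# skipping anything inside XML comments, including multi-line comments.
xml_element_value() {
    awk -v tag="$2" '
        {
            line = $0; text = ""
            while (line != "") {
                if (in_comment) {
                    p = index(line, "-->")
                    if (p == 0) break
                    line = substr(line, p + 3); in_comment = 0
                } else {
                    p = index(line, "<!--")
                    if (p == 0) { text = text line; break }
                    text = text substr(line, 1, p - 1)
                    line = substr(line, p + 4); in_comment = 1
                }
            }
            otag = "<" tag ">"; ctag = "</" tag ">"
            s = index(text, otag)
            if (s == 0) next
            rest = substr(text, s + length(otag))
            e = index(rest, ctag)
            if (e == 0) next
            val = substr(rest, 1, e - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            print val; exit
        }' "$1"
}

# Succeed only if both files name sqlite: $1 = sm.xml, $2 = c2s.xml.
jabberd_uses_sqlite() {
    driver=$(xml_element_value "$1" driver)
    module=$(xml_element_value "$2" module)
    echo "sm.xml <driver>: ${driver:-missing}; c2s.xml <module>: ${module:-missing}"
    [ "$driver" = "sqlite" ] && [ "$module" = "sqlite" ]
}

# Constructed sample files: sm.xml names sqlite only inside a comment.
dir=$(mktemp -d)
cat > "$dir/sm.xml" <<'EOF'
<sm><storage>
  <!-- <driver>sqlite</driver> -->
  <driver>db</driver>
</storage></sm>
EOF
printf '<c2s><authreg><module>sqlite</module></authreg></c2s>\n' > "$dir/c2s.xml"
jabberd_uses_sqlite "$dir/sm.xml" "$dir/c2s.xml" || echo "switch both files to sqlite before upgrading"
rm -rf "$dir"
```

On a real server, call jabberd_uses_sqlite with /etc/jabberd/sm.xml and /etc/jabberd/c2s.xml as the two arguments.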
Performing the Upgrade
Note:
If your system is already running Spacewalk 2.10, see Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10 for information to convert it to Oracle Linux Manager.
Upgrade to Oracle Linux Manager 2.10 as follows:
-
Back up all current configurations.
-
Back up all of the Spacewalk 2.7 configuration files in the following directories:
-
/etc/jabberd
-
/etc/rhn
-
/etc/sysconfig/rhn
-
/root/ssl-build
sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
-
-
Back up the Spacewalk 2.7 database.
This step is recommended as a precaution in case the upgrade does not complete successfully.
To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
-
-
Change the way the server that is currently running Spacewalk 2.7 Server obtains packages depending on the server's current configuration.
-
If the Spacewalk 2.7 server is registered as a client of itself:
-
Create an Oracle Linux Manager server channel as a child of the Oracle Linux 7 base channel.
For more information about configuring channels, see Creating Software Channels and Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10.
-
Create an Oracle Linux Manager server repository that accesses the corresponding server channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64/), by using the same GPG settings as for Oracle Linux 7.
-
Associate the Oracle Linux Manager server repository with its corresponding server channel and synchronize the repository's packages from the Oracle Linux yum server.
-
Change the channel subscription from the Spacewalk server to Oracle Linux Manager server.
-
Configure and synchronize the following additional channels:
-
Oracle Linux 7 Server Latest
-
Oracle Linux 7 Server Optional Latest
-
Oracle Instant Client for Oracle Linux 7
-
Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7
-
Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7
-
-
-
If the Spacewalk 2.7 server obtains packages from the Oracle Linux yum server:
-
Disable the Spacewalk server repository for the Spacewalk 2.7 release in the Oracle Linux yum server repository configuration file.
Edit the configuration file and set enabled=0. Or, run the following command:
sudo yum-config-manager --disable repository
-
Required: Install the latest oracle-release-el7 package.
Important:
You must run the following command even if you have recently updated the system, in order to successfully run the yum swap command later in this procedure.
sudo yum install oracle-release-el7
If your system is running an Oracle Linux release that is earlier than Oracle Linux 7 Update 7, run the following additional command to make the system use the modular yum repository configuration:
sudo /usr/bin/ol_yum_configure.sh
-
Install the oracle-linux-manager-server-release-el7 package.
sudo yum install oracle-linux-manager-server-release-el7
Note:
The command creates the file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo if that file does not exist.
However, if the file already exists, then the command leaves that file unmodified and instead creates a new file /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo.rpmnew that contains new repository entries for Oracle Linux Manager Server. Use the .rpmnew file to guide you to make the necessary modifications to the existing .repo file.
-
-
-
Verify that the correct Oracle Linux Manager repositories are enabled, and earlier Spacewalk versions are disabled.
The /etc/yum.repos.d/oracle-linux-manager-server-ol7.repo file should resemble the following example:
[ol7_oraclelinux-manager210_server]
name=Oracle Linux Manager Server 2.10 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
[ol7_oracle-linux-manager210_client]
name=Oracle Linux Manager Client 2.10 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
The /etc/yum.repos.d/oracle-spacewalk-server-ol7.repo file should resemble the following example:
[ol7_spacewalk27_server]
name=Spacewalk Server 2.7 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0
[ol7_spacewalk26_server]
name=Spacewalk Server 2.6 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0
[ol7_spacewalk27_client]
name=Spacewalk Client 2.7 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0
[ol7_spacewalk26_client]
name=Spacewalk Client 2.6 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk26/client/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=0
-
Check for any version-locked packages and delete them, for example:
sudo yum versionlock list
sudo yum versionlock delete cglib c3p0
-
Upgrade the Instant Clients.
sudo yum swap -- remove oracle-instantclient11.2-basic oracle-instantclient11.2-sqlplus freemarker velocity-tools -- upgrade oracle-instantclient18.5-basic oracle-instantclient18.5-sqlplus spacewalk-oracle
Note:
The command might generate a No match for argument message with references to freemarker and velocity-tools. These packages might have existed in the system from an earlier Spacewalk 2.6 installation, but are no longer required by Oracle Linux Manager 2.10. In this case, you can ignore the message.
-
Add the library path to ldconfig.
echo "/usr/lib/oracle/18.5/client64/lib" | sudo tee /etc/ld.so.conf.d/oracle-instantclient18.5.conf
sudo ldconfig
-
Upgrade all the packages.
sudo yum upgrade
-
Stop Oracle Linux Manager services.
sudo /sbin/spacewalk-service stop
You can safely ignore any SELinux restorecon messages that are displayed when the packages are installed.
-
Upgrade Oracle Linux Manager's database schema.
sudo /usr/bin/spacewalk-schema-upgrade
The process requires intervention at some point in order to continue, as shown by the Hit Enter prompt in the following example:
sudo /usr/bin/spacewalk-schema-upgrade
Please make sure all Oracle Linux Manager services apart from database are stopped.
...
Schema upgrade: [spacewalk-schema-2.7.28-1.0.2.el7] -> [spacewalk-schema-2.9.11-1.el7]
Searching for upgrade path: [spacewalk-schema-2.7.28-1.0.2] -> [spacewalk-schema-2.9.11-1]
Searching for upgrade path: [spacewalk-schema-2.7.28] -> [spacewalk-schema-2.9.11]
Searching for upgrade path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.9]
The path: [spacewalk-schema-2.7] -> [spacewalk-schema-2.8] -> [spacewalk-schema-2.9]
Planning to run spacewalk-sql with [/var/log/spacewalk/schema-upgrade/20200123-165929-script.sql]
Please make sure you have a valid backup of your database before continuing.
Hit Enter to continue or Ctrl+C to interrupt:
Executing spacewalk-sql, the log is in [/var/log/spacewalk/schema-upgrade/20200406-174429-to-spacewalk-schema-2.10.log].
The database schema was upgraded to version [spacewalk-schema-2.10.11-1.el7].
In the event of a failure, do the following:
-
Check the log files in the /var/log/spacewalk/schema-upgrade directory to determine the cause.
-
Restore the database from backup.
-
Fix the cause of the problem, for example, by extending the tablespaces if there is insufficient space.
-
Upgrade the database schema.
-
-
Upgrade Oracle Linux Manager's configuration for the Oracle Database.
sudo spacewalk-setup --external-oracle --upgrade
The command initiates an interactive session that prompts you for information about your current database.
-
Restart Oracle Linux Manager services.
sudo /sbin/spacewalk-service start
-
Perform any necessary postinstallation tasks.
Review the information in Configuring a Newly Installed Oracle Linux Manager Server.
-
If necessary, upgrade your Oracle database.
-
Back up the Oracle Linux Manager database again.
This step is recommended as a precaution in case the following step to upgrade the database does not complete successfully.
To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
-
Upgrade the Oracle database.
As indicated in the Oracle Linux Manager: Release Notes for Release 2.10, Oracle Linux Manager 2.10 supports only Oracle Database Enterprise edition 12c and Oracle Database Enterprise edition 19c. Oracle strongly recommends that you use Oracle Database Enterprise edition 19c.
Important:
If you are upgrading your Oracle database, do not use the RPM version of the Oracle Database Enterprise edition 19c release. Upgrading an OUI-installed Oracle database with the RPM version is not supported.
For this step, consult your database administrator and follow the instructions in your database documentation.
-
-
Upgrade the Spacewalk Client to Oracle Linux Manager 2.10 Client.
For instructions, refer to the appropriate section in the chapter Registering Client Systems With Oracle Linux Manager in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10.
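For the step above that verifies which repositories are enabled, the same comparison can be made mechanically for each .repo file. This added example is not part of the Oracle documentation; the function names are hypothetical and the sample stanza is constructed from the Spacewalk 2.7 entry shown in that step, with enabled deliberately set to 1.

```shell
# Print one line per repository section: "<id> enabled=<v> gpgcheck=<v> scheme=<v>".
repo_summary() {
    awk '
        function emit() {
            if (id != "") printf "%s enabled=%s gpgcheck=%s scheme=%s\n", id, enabled, gpgcheck, scheme
        }
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        /^[ \t]*\[.*\][ \t]*$/ {               # start of a [section]
            emit()
            id = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", id)
            # yum treats a missing enabled= as 1; a missing gpgcheck= inherits from yum.conf
            enabled = "1"; gpgcheck = "unset"; scheme = "none"
            next
        }
        id != "" && index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "enabled") enabled = val
            else if (key == "gpgcheck") gpgcheck = val
            else if (key == "baseurl") { scheme = val; sub(/:.*/, "", scheme) }
        }
        END { emit() }
    ' "$1"
}

# Succeed only if every section has the expected enabled value, gpgcheck=1 and an https baseurl.
# $1 = .repo file, $2 = expected enabled value (1 = Oracle Linux Manager, 0 = earlier Spacewalk)
repo_check() {
    repo_summary "$1" | awk -v want=" enabled=$2 gpgcheck=1 scheme=https" '
        { n++ }
        index($0, want) == 0 { print "FAIL: " $0; bad = 1 }
        END { exit (bad || n == 0) }'
}

# Constructed sample: a Spacewalk 2.7 stanza that was left enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[ol7_spacewalk27_server]
name=Spacewalk Server 2.7 for Oracle Linux 7 ($basearch)
baseurl=https://yum$ociregion.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/$basearch/
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
gpgcheck=1
enabled=1
EOF
repo_summary "$sample"
repo_check "$sample" 0 || echo "an earlier Spacewalk repository is still enabled"
rm -f "$sample"
```

Run repo_check with 1 against oracle-linux-manager-server-ol7.repo and with 0 against oracle-spacewalk-server-ol7.repo; a section reported with gpgcheck=unset takes its value from yum.conf and is flagged for manual review.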
Switching From Spacewalk 2.10 to Oracle Linux Manager 2.10
If you are already using Spacewalk 2.10, you should convert to Oracle Linux Manager 2.10 as the Spacewalk 2.10 repositories are scheduled to be retired. For details, see Oracle Linux Manager: Release Notes for Release 2.10.
To switch a Spacewalk 2.10 server to Oracle Linux Manager:
-
Back up all current configurations.
-
Back up all of the Spacewalk 2.10 configuration files in the following directories:
-
/etc/jabberd
-
/etc/rhn
-
/etc/sysconfig/rhn
-
/root/ssl-build
sudo tar -cvf preSWupgrade.tar /etc/jabberd /etc/rhn /etc/sysconfig/rhn /root/ssl-build
-
-
Back up the Spacewalk 2.10 database.
This step is recommended as a precaution in case the switch does not complete successfully.
To use the Recovery Manager (RMAN) to create a backup, refer to your database version's Backup and Recovery User's Guide in https://docs.oracle.com/en/database/oracle/oracle-database/index.html.
-
-
Change the way the server that is currently running Spacewalk 2.10 Server obtains packages depending on the server's current configuration.
-
If the Spacewalk 2.10 server obtains packages from the Oracle Linux yum server, install the oracle-linux-manager-server-release-el7 package.
sudo yum install oracle-linux-manager-server-release-el7
-
If the Spacewalk 2.10 server is registered as a client of itself, update the existing Spacewalk server and client repository URLs to Oracle Linux Manager as follows:
Oracle Linux Manager Server
-
Server Repository Label: ol7_oraclelinuxmanager210_server
-
Server Repository Name: Oracle Linux Manager (formerly Spacewalk) Server 2.10 for Oracle Linux 7
-
Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/server/x86_64
Oracle Linux Manager Client (Oracle Linux 7)
-
Client Repository Label: ol7_oraclelinuxmanager210_client
-
Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 7
-
Yum URL: https://yum.oracle.com/repo/OracleLinux/OL7/oraclelinuxmanager210/client/x86_64
Oracle Linux Manager Client (Oracle Linux 8)
-
Client Repository Label: ol8_oraclelinuxmanager210_client
-
Client Repository Name: Oracle Linux Manager (formerly Spacewalk) Client 2.10 for Oracle Linux 8
-
Yum URL: https://yum.oracle.com/repo/OracleLinux/OL8/oraclelinuxmanager210/client/x86_64
For more information about configuring channels and repositories, see Creating Software Channels and Repositories in Oracle Linux Manager: Client Life Cycle Management Guide for Release 2.10.
-
-
-
Upgrade all the packages.
sudo yum upgrade