The software described in this documentation is either no longer supported or is in extended support.
Oracle recommends that you upgrade to a current supported release.
The following procedure assumes that you are installing and configuring a Spacewalk proxy on an Oracle Linux 7 Update 1 or later system or an Oracle Linux 6 Update 7 or later system. You do not need to install the Spacewalk client software before registering a Spacewalk proxy system with the Spacewalk server.
Install the Spacewalk Proxy software as follows:
Ensure that the
jta
package is not installed and prevent it from being installed when you install Spacewalk.Check whether the
jta
package is installed:#
yum list installed | grep jta
Remove the
jta
package:#
yum remove jta
To prevent the
jta
package from being installed, either disable the Oracle Linux 6 or Oracle Linux 7 Add-ons channel ([ol6_addons]
or[ol7_addons]
), or add thejta
package to theexclude
directive in the yum configuration file/etc/yum.conf
, for example:exclude=jta*
Configure the system firewall.
The following example shows how you might configure the system firewall for Oracle Linux 6:
#
iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
#iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
#iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
#iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 4545 -j ACCEPT
#service iptables save
For Oracle Linux 7, you would configure the system firewall as follows:
#
firewall-cmd --permanent --add-port=80/tcp
#firewall-cmd --permanent --add-port=443/tcp
#firewall-cmd --permanent --add-port=5222/tcp
#firewall-cmd --permanent --add-port=5269/tcp
#systemctl reload firewalld
Register the system as a client of the Spacewalk server for which it will act as a Spacewalk proxy:
NoteBefore you can register a server, you must have already created a client activation key. If enabled, a universal default key can be used. However, using a specific activation key is better.
The following steps use SSL to encrypt all communication between the client and the Spacewalk server (the recommended configuration).
Download the CA certificate file
RHN-ORG-TRUSTED-SSL-CERT
to the server.In a browser tab, navigate to
http://
, whereswksvr_FQDN
/pubswksvr_FQDN
is the fully qualified domain name of the Spacewalk server, and download the CA certificate fileRHN-ORG-TRUSTED-SSL-CERT
to/usr/share/rhn
.Alternatively, you can use wget from the command line, for example:
#
wget -q -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
\http://
swksvr_FQDN
/pub/RHN-ORG-TRUSTED-SSL-CERTRegister the system with Spacewalk by using the rhnreg_ks command, specifying the --sslCACert option to specify the path of the CA certificate.
#
rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
\--serverUrl=https://
swksvr_FQDN
/XMLRPC --activationkey=activation_key
Specify the Spacewalk server or proxy by its fully qualified domain name.
Verify that the settings in the
/etc/sysconfig/rhn/up2date
file that are used to access the Spacewalk server are correct:Verify that
serverURL
is set to the Spacewalk server's URL, for examplehttps://swksvr.mydom.com/XMLRPC
:#
grep ^serverURL= /etc/sysconfig/rhn/up2date
serverURL=https://swksvr.mydom.com/XMLRPCVerify that
sslCACert
is set to the correct CA certificate file, for example/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
:#
grep ^sslCACert= /etc/sysconfig/rhn/up2date
sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
NoteIf the settings are not correct, you probably made a mistake when you used rhnreg_ks to register the system. Run the rhnreg_ks command again, checking that you correctly specify the path of the CA certificate and the Spacewalk server's URL, and specifying the --force option to override the previous settings.
If not already present on the Spacewalk server, create software channels for Spacewalk 2.4 Client and Spacewalk Server 2.4, subscribe the Spacewalk proxy system to these channels and enable Provisioning entitlements for the Spacewalk proxy:
Create a Spacewalk Client 2.4 channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel as appropriate to the installed version of Oracle Linux.
Create a Spacewalk Client 2.4 repository that accesses the appropriate Spacewalk Client 2.4 channel on the Oracle Linux yum server (
https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk24/client/x86_64/
orhttps://yum.oracle.com/repo/OracleLinux/OL7/spacewalk24/client/x86_64/
) by using the same GPG settings as for Oracle Linux 6 or Oracle Linux 7.Associate the Spacewalk Client 2.4 repository with the Spacewalk Client 2.4 channel and synchronize the repository's packages from the Oracle Linux yum server.
Create a Spacewalk Server 2.4 channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel as appropriate to the installed version of Oracle Linux.
Create a Spacewalk Server 2.4 repository that accesses the appropriate Spacewalk Server 2.4 channel on the Oracle Linux yum server (
https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk24/server/x86_64/
orhttps://yum.oracle.com/repo/OracleLinux/OL7/spacewalk24/server/x86_64/
) by using the same GPG settings as for Oracle Linux 6 or Oracle Linux 7.Associate the Spacewalk Server 2.4 repository with the Spacewalk Server 2.4 channel and synchronize the repository's packages from the Oracle Linux yum server.
Change the channel subscription of the Spacewalk server in Spacewalk from the Spacewalk Server 2.0 or 2.2 channel to the Spacewalk Server 2.4 channel.
Subscribe the Spacewalk proxy to the Spacewalk Client 2.4 and Spacewalk Server 2.4 channels.
Enable Provisioning entitlements for the Spacewalk proxy.
Install the Spacewalk Client software and
openssh-clients
packages:#
yum install rhn-client-tools rhn-check rhn-setup rhnsd
\m2crypto yum-rhn-plugin openssh-clients
Install the Spacewalk Proxy installer package.
#
yum -y install spacewalk-proxy-installer
Create the
/root/ssl-build
directory.#
mkdir /root/ssl-build
Copy the Spacewalk server's CA key and public certificate files to
/root/ssl-build
. For example:#
scp 'root@
\spacewalk_server
:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build
RHN-ORG-PRIVATE-SSL-KEY 100% 1751 1.7KB/s 00:00 RHN-ORG-TRUSTED-SSL-CERT 100% 5316 5.2KB/s 00:00 rhn-ca-openssl.cnf 100% 2186 2.1KB/s 00:00Configure the Spacewalk proxy by running the /usr/sbin/configure-proxy.sh script.
The following example shows an interactive configuration:
#
/usr/sbin/configure-proxy.sh
Using RHN parent (from /etc/sysconfig/rhn/up2date): swksvr.mydom.com Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT HTTP Proxy []:[Enter]
Proxy version to activate [2.4]:[Enter]
Traceback email []:my.email@mydom.com
Use SSL [Y/n]:Y
Regardless of whether you enabled SSL for the connection to the Spacewalk Parent Server, you will be prompted to generate an SSL certificate. This SSL certificate will allow client systems to connect to this Spacewalk Proxy securely. Refer to the Spacewalk Proxy Installation Guide for more information. Organization []:Oracle Demo
Organization Unit [swkproxy.us.mydom.com]:[Enter]
Common Name [swkproxy.us.mydom.com]:[Enter]
City []:Redwood Shores
State []:CA
Country code []:US
Email [my.email@mydom.com]:[Enter]
Cname aliases (separated by space) []:[Enter]
Spacewalk Proxy successfully activated. Loaded plugins: rhnplugin This system is receiving updates from RHN Classic or Red Hat Satellite. Setting up Install Process Resolving Dependencies --> Running transaction check ---> Package spacewalk-proxy-management.noarch... will be installed ... Transaction Summary ================================================================================ Install 42 Package(s) Total download size: 13 M Installed size: 32 M Is this ok [y/N]:y
Downloading Packages: (1/42): apr... | 122 kB 00:00 ... Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY. Generating distributable RPM for CA public certificate: Copying CA public certificate to /var/www/html/pub for distribution to clients: Generating SSL key and public certificate: CA password:
Installing SSL certificate for Apache and Jabberd: Preparing packages for installation... rhn-org-httpd-ssl-key-pair-swkproxy-1.0-1 Create and populate configuration channel rhn_proxy_config_1000010000? [Y/n]:cert_passwd
Y
Spacewalk username: []:
Password:swadmin
Using server name swksvr.mydom.com Creating config channel rhn_proxy_config_1000010000 Config channel rhn_proxy_config_1000010000 created Using server name swksvr.mydom.com Pushing to channel rhn_proxy_config_1000010000: Local file /etc/httpd/conf.d/ssl.conf -> remote file /etc/httpd/conf.d/ssl.conf Local file /etc/rhn/rhn.conf -> remote file /etc/rhn/rhn.conf Local file /etc/squid/squid.conf -> remote file /etc/squid/squid.conf Local file /etc/httpd/conf.d/cobbler-proxy.conf -> remote file /etc/httpd/conf.d/cobbler-proxy.conf Local file /etc/httpd/conf/httpd.conf -> remote file /etc/httpd/conf/httpd.conf Local file /etc/jabberd/c2s.xml -> remote file /etc/jabberd/c2s.xml Local file /etc/jabberd/sm.xml -> remote file /etc/jabberd/sm.xml Enabling Spacewalk Proxy. Shutting down rhn-proxy... Terminating jabberd processes ... Stopping s2s: [FAILED] Stopping c2s: [FAILED] Stopping sm: [FAILED] Stopping router: [FAILED] Stopping httpd: [FAILED] Stopping squid: [FAILED] Done. Starting rhn-proxy... init_cache_dir /var/spool/squid... Starting squid: . [ OK ] Starting httpd: [ OK ] Initializing jabberd processes ... Starting router: [ OK ] Starting sm: [ OK ] Starting c2s: [ OK ] Starting s2s: [ OK ] Done. There were some answers you had to enter manually. Would you like to have written those into file formatted as answers file? [Y/n]:swadmin_passwd
Y
Writing proxy-answers.txt.NtM1YThe Spacewalk user name and password (
swadmin
andswadmin_passwd
) are the Spacewalk server administrator's user name and password.NoteThe information that you provide is optionally recorded in a file named
proxy-answers.txt.
, whereUID
UID
is a unique identifier. You can use this file to automate the configuration of a Spacewalk proxy, as shown in the following example:#
configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y
If you want to use third-party CA-signed SSL certificate instead of the self-signed SSL certificate, follow the procedure described in Chapter 3, Replacing SSL Certificates on Spacewalk Servers or Spacewalk Proxies.
NoteOracle recommends that you replace the self-signed SSL certificate before registering any clients. Otherwise, you must log on separately to each existing client and configure it to use the new SSL certificate. You cannot do this from the Spacewalk server.
To check that the Spacewalk proxy is running correctly, specify the URL of the proxy when registering a Spacewalk client, as shown in the following example
rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
\--serverUrl=https://
swkproxy_FQDN
/XMLRPC --activationkey=activation_key
After registering the client, subscribe it to software channels on the server and verify that you can update packages from the client.