Chapter 2 Installing and Upgrading Spacewalk Proxies

A Spacewalk proxy acts as an intermediary between Spacewalk clients and a Spacewalk server. The main purposes of a Spacewalk proxy are to reduce the load on the Spacewalk server and to reduce the download times for Spacewalk clients.

This chapter describes how to install or upgrade a Spacewalk proxy.

2.1 Spacewalk Proxy Requirements

Oracle supports Spacewalk proxies that are running on Oracle Linux 6 (x86_64) or Oracle Linux 7 (x86_64). Oracle recommends that you update Oracle Linux with the latest packages that are available on the Oracle Linux yum server.

Note

Do not register a Spacewalk proxy with ULN. You can register a Spacewalk proxy as a client of itself or as a client of a Spacewalk server to receive updates.

Note the following additional requirements:

  • You can install Oracle Linux 6 or Oracle Linux 7 by using the Minimal or Basic Server software set. If you select additional package groups during installation, remove the jta package before installing Spacewalk, as this package causes Spacewalk services to fail to start.

  • Install Spacewalk by using only those packages that are provided by Oracle from the Oracle Linux yum server at https://yum.oracle.com.

  • No third-party package repositories are required to install Spacewalk on Oracle Linux 6 or Oracle Linux 7. All of the required packages are available in the Spacewalk repository on the Oracle Linux yum server.

2.2 Storage Requirements for a Spacewalk Proxy

The following are the storage requirements for a Spacewalk proxy:

  • A Spacewalk proxy should have a minimum of 4 GB of memory.

  • Typically, the proxy cache requires 10 GB of storage for each combination of Oracle Linux release and architecture.

  • By default, a Spacewalk proxy caches packages under the /var/spool/squid directory hierarchy and is limited to using up to 60% of the free space in the file system that contains this directory hierarchy.

2.3 Networking Requirements for a Spacewalk Proxy

The following are the networking requirements for a Spacewalk proxy:

  • Configure a fully qualified domain name

    You must configure a fully qualified domain name (FQDN) for the Spacewalk proxy. Spacewalk does not consider .local and .localdomain to be valid domain names. Spacewalk clients must be able to resolve the Spacewalk proxy's FQDN for both forward and reverse lookups in DNS. If these conditions are not met, certificate validation and PXE booting do not work and clients cannot register with the Spacewalk server.

    Verify that the host name returned by the hostname command and the value of HOSTNAME defined in /etc/sysconfig/network are identical and that this host name is consistent with the FQDN defined for the system in DNS for both forward and reverse lookups, as shown in the following example:

    # hostname
    swkproxy.us.mydom.com
    # grep HOSTNAME /etc/sysconfig/network
    HOSTNAME=swkproxy.us.mydom.com

    For Oracle Linux 6, you can also use the host command to verify this information:

    # host swkproxy.us.mydom.com
    swkproxy.us.mydom.com has address 10.0.0.24
    # host 10.0.0.24
    24.0.0.10.in-addr.arpa domain name pointer swkproxy.us.mydom.com.

    Edit the /etc/hosts file and configure the actual IP address for the FQDN and host name and not the loopback address (127.0.0.1), as shown in the following example:

    127.0.0.1      localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1            localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.0.0.24      swkproxy.us.mydom.com swkproxy
  • Port numbers for a Spacewalk proxy

    The following table describes the network ports that a Spacewalk proxy uses, depending on its configuration.

    Port/Protocol   Direction              Purpose
    80/tcp          Inbound and outbound   HTTP access
    443/tcp         Inbound and outbound   HTTPS access
    5222/tcp        Inbound                Push support to Spacewalk clients (if required)
    5269/tcp        Inbound                Push support to Spacewalk proxies (if required)

  • Configure a web proxy

    If the Spacewalk proxy needs to connect through a web proxy, you can configure the web proxy during installation.

  • Configure network time synchronization

    Configure the Spacewalk server, proxies, and clients to use NTP or PTP. Spacewalk requires that the system time on these systems is consistent to within 120 seconds in order to establish an SSL-based connection.
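
The host name checks from the first networking requirement can be scripted and run before installation. The following is an added example, not part of the original guide: the function names are hypothetical, the file paths are passed as arguments so that the check can be tried on copies, and the DNS forward and reverse lookups are not covered.

```shell
#!/bin/sh
# Added example (not from the original guide): preflight check of the
# host name settings described in section 2.3. Function names are hypothetical.

# fqdn_is_acceptable NAME: succeeds if NAME has a domain part that is
# not .local or .localdomain, which Spacewalk rejects.
fqdn_is_acceptable() {
    case "$1" in
        *.local|*.localdomain) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# sysconfig_hostname FILE: prints the HOSTNAME value from a file in the
# format of /etc/sysconfig/network.
sysconfig_hostname() {
    sed -n 's/^HOSTNAME=//p' "$1" | tr -d '"' | tail -n 1
}

# hosts_addresses NAME FILE: prints every address that a hosts-format
# file assigns to NAME, ignoring comments.
hosts_addresses() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == name) print $1 }
    ' "$2"
}

# check_proxy_names NAME NETWORK_FILE HOSTS_FILE: prints one line per
# problem and returns 1 if any was found, 0 otherwise.
check_proxy_names() {
    name=$1; rc=0
    fqdn_is_acceptable "$name" || { echo "not a usable FQDN: $name"; rc=1; }
    cfg=$(sysconfig_hostname "$2")
    [ "$cfg" = "$name" ] || { echo "HOSTNAME=$cfg does not match $name"; rc=1; }
    addrs=$(hosts_addresses "$name" "$3")
    [ -n "$addrs" ] || { echo "$name has no entry in $3"; rc=1; }
    for a in $addrs; do
        case "$a" in
            127.*|::1) echo "$name is mapped to loopback address $a"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample files that reuse the host name from this page; the
# hosts file wrongly lists the FQDN on the loopback line as well.
tmp=$(mktemp -d)
printf 'HOSTNAME=swkproxy.us.mydom.com\n' > "$tmp/network"
printf '%s\n' '127.0.0.1 localhost swkproxy.us.mydom.com' \
    '10.0.0.24 swkproxy.us.mydom.com swkproxy' > "$tmp/hosts"
check_proxy_names swkproxy.us.mydom.com "$tmp/network" "$tmp/hosts" ||
    echo "preflight check failed"
rm -rf "$tmp"
# On the proxy itself:
#   check_proxy_names "$(hostname)" /etc/sysconfig/network /etc/hosts
```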

2.4 Installing a Spacewalk Proxy

Note

A Spacewalk Proxy should be configured with the full Spacewalk client and be registered to the Spacewalk server.

Install the Spacewalk Proxy software as follows:

  1. Ensure that the jta package is not installed and prevent it from being installed when you install Spacewalk.

    Check whether the jta package is installed:

    # yum list installed | grep jta

    Remove the jta package:

    # yum remove jta

    To prevent the jta package from being installed later, either disable the Oracle Linux 6 or Oracle Linux 7 Add-ons channel ([ol6_addons] or [ol7_addons]), or add the jta package to the exclude directive in the yum configuration file, /etc/yum.conf, for example:

    exclude=jta*
  2. Configure the system firewall.

    The following example shows how you would configure the system firewall for Oracle Linux 6:

    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5222 -j ACCEPT
    # iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5269 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
    # iptables -I OUTPUT -p tcp -m state --state NEW -m tcp --dport 4545 -j ACCEPT
    # service iptables save

    For Oracle Linux 7, you would configure the system firewall as follows:

    # firewall-cmd --permanent --add-port=80/tcp
    # firewall-cmd --permanent --add-port=443/tcp
    # firewall-cmd --permanent --add-port=5222/tcp
    # firewall-cmd --permanent --add-port=5269/tcp
    # systemctl reload firewalld
  3. If not already present on the Spacewalk server, create software channels for the Spacewalk Client and the Spacewalk Server, then subscribe the Spacewalk proxy system to these channels as follows:

    1. Create a Spacewalk Client channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel, for the installed version of Oracle Linux.

    2. Create a Spacewalk Client repository that accesses the appropriate Spacewalk Client channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk27/client/x86_64/ or https://yum.oracle.com/repo/OracleLinux/OL7/spacewalk27/client/x86_64/) by using the same GPG settings as for Oracle Linux 6 or Oracle Linux 7.

    3. Associate the Spacewalk Client repository with the Spacewalk Client channel and synchronize the repository's packages from the Oracle Linux yum server.

    4. Create a Spacewalk Server channel as a child of either the Oracle Linux 6 or Oracle Linux 7 base channel, as appropriate for the installed version of Oracle Linux.

    5. Create a Spacewalk Server repository that accesses the appropriate Spacewalk Server channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk27/server/x86_64/ or https://yum.oracle.com/repo/OracleLinux/OL7/spacewalk27/server/x86_64/), by using the same GPG settings as the settings for Oracle Linux 6 or Oracle Linux 7.

    6. Associate the Spacewalk Server repository with the Spacewalk Server channel and synchronize the repository's packages from the Oracle Linux yum server.

    7. Change the channel subscription of the Spacewalk server in Spacewalk from the previous version to the Spacewalk Server channel for Release 2.7.

    8. Subscribe the Spacewalk Proxy to the Spacewalk Client and Server channels.

  4. Install the Spacewalk Client software and the openssh-clients packages.

    # yum install rhn-client-tools rhn-check rhn-setup rhnsd \
    m2crypto yum-rhn-plugin openssh-clients
  5. Register the system as a client of the Spacewalk server for which it will act as a Spacewalk proxy.

    Note

    Before you can register a server, you must have already created a client activation key. If enabled, a universal default key can be used. However, using a specific activation key is better.

    The following steps use SSL to encrypt all communication between the client and the Spacewalk server. This configuration is mandatory. The proxy must use SSL to communicate with the server. Otherwise, jabberd will not work.

    1. Download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to the server.

      In a browser tab, navigate to http://swksvr_FQDN/pub, where swksvr_FQDN is the fully qualified domain name of the Spacewalk server, and download the CA certificate file RHN-ORG-TRUSTED-SSL-CERT to /usr/share/rhn.

      Alternatively, you can use wget from the command line, for example:

      # wget -q -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      http://swksvr_FQDN/pub/RHN-ORG-TRUSTED-SSL-CERT
    2. Register the system with Spacewalk by using the rhnreg_ks command, with the --sslCACert option to specify the path of the CA certificate.

      # rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      --serverUrl=https://swksvr_FQDN/XMLRPC --activationkey=activation_key

      Specify the Spacewalk server or proxy by its fully qualified domain name.

    3. Verify that the settings in the /etc/sysconfig/rhn/up2date file that are used to access the Spacewalk server are correct.

      1. Verify that serverURL is set to the Spacewalk server's URL, for example https://swksvr.mydom.com/XMLRPC:

        # grep ^serverURL= /etc/sysconfig/rhn/up2date 
        serverURL=https://swksvr.mydom.com/XMLRPC
      2. Verify that sslCACert is set to the correct CA certificate file, for example /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT:

        # grep ^sslCACert= /etc/sysconfig/rhn/up2date 
        sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
      Note

      If the settings are not correct, you most likely made a mistake when registering the system by using the rhnreg_ks command. Run the rhnreg_ks command again, checking that you correctly specify the path of the CA certificate and the Spacewalk server's URL. Also, make sure to specify the --force option to override the previous settings.

  6. Install the Spacewalk Proxy installer package.

    # yum -y install spacewalk-proxy-installer

  7. Create the /root/ssl-build directory.

    # mkdir /root/ssl-build
  8. Copy the Spacewalk server's CA key and public certificate files to /root/ssl-build.

    # scp 'root@spacewalk_server:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,\
    RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' /root/ssl-build
    RHN-ORG-PRIVATE-SSL-KEY                       100% 1751 1.7KB/s   00:00
    RHN-ORG-TRUSTED-SSL-CERT                      100% 5316 5.2KB/s   00:00
    rhn-ca-openssl.cnf                            100% 2186 2.1KB/s   00:00
  9. Configure the Spacewalk proxy by running the /usr/sbin/configure-proxy.sh script.

    The following example shows an interactive configuration:

    # /usr/sbin/configure-proxy.sh
    Using RHN parent (from /etc/sysconfig/rhn/up2date): swksvr.mydom.com
    Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    HTTP Proxy []: [Enter]
    Proxy version to activate [2.7]: [Enter]
    Traceback email []: my.email@mydom.com
    Use SSL [Y/n]: Y
    Regardless of whether you enabled SSL for the connection to the Spacewalk Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this Spacewalk Proxy
    securely. Refer to the Spacewalk Proxy Installation Guide for more information.
    Organization []: Company Demo
    Organization Unit [swkproxy.us.mydom.com]: [Enter]
    Common Name [swkproxy.us.mydom.com]: [Enter]
    City []: Redwood Shores
    State []: CA
    Country code []: US
    Email [my.email@mydom.com]: [Enter]
    Cname aliases (separated by space) []: [Enter]
    Spacewalk Proxy successfully activated.
    Loaded plugins: rhnplugin
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package spacewalk-proxy-management.noarch... will be installed
    ...
    Transaction Summary
    ================================================================================
    Install      42 Package(s)
    
    Total download size: 13 M
    Installed size: 32 M
    Is this ok [y/N]: y
    Downloading Packages:
    (1/42): apr...                     | 122 kB     00:00
    ...
    Using CA key at /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY.
    Generating distributable RPM for CA public certificate:
    Copying CA public certificate to /var/www/html/pub for distribution to clients:
    Generating SSL key and public certificate:
    CA password: cert_passwd
    Installing SSL certificate for Apache and Jabberd:
    Preparing packages for installation...
    rhn-org-httpd-ssl-key-pair-swkproxy-1.0-1
    Create and populate configuration channel rhn_proxy_config_1000010000? [Y/n]: Y
    Spacewalk username: []: sw_user
    Password: sw_passwd
    Using server name swksvr.mydom.com
    Creating config channel rhn_proxy_config_1000010000
    Config channel rhn_proxy_config_1000010000 created
    Using server name swksvr.mydom.com
    Pushing to channel rhn_proxy_config_1000010000:
    Local file /etc/httpd/conf.d/ssl.conf -> remote file /etc/httpd/conf.d/ssl.conf
    Local file /etc/rhn/rhn.conf -> remote file /etc/rhn/rhn.conf
    Local file /etc/squid/squid.conf -> remote file /etc/squid/squid.conf
    Local file /etc/httpd/conf.d/cobbler-proxy.conf -> remote file /etc/httpd/conf.d/cobbler-proxy.conf
    Local file /etc/httpd/conf/httpd.conf -> remote file /etc/httpd/conf/httpd.conf
    Local file /etc/jabberd/c2s.xml -> remote file /etc/jabberd/c2s.xml
    Local file /etc/jabberd/sm.xml -> remote file /etc/jabberd/sm.xml
    Enabling Spacewalk Proxy.
    Shutting down rhn-proxy...
    Terminating jabberd processes ...
    Stopping s2s:                                              [FAILED]
    Stopping c2s:                                              [FAILED]
    Stopping sm:                                               [FAILED]
    Stopping router:                                           [FAILED]
    Stopping httpd:                                            [FAILED]
    Stopping squid:                                            [FAILED]
    Done.
    Starting rhn-proxy...
    init_cache_dir /var/spool/squid... Starting squid: .       [  OK  ]
    Starting httpd:                                            [  OK  ]
    Initializing jabberd processes ...
    Starting router:                                           [  OK  ]
    Starting sm:                                               [  OK  ]
    Starting c2s:                                              [  OK  ]
    Starting s2s:                                              [  OK  ]
    Done.
    There were some answers you had to enter manually.
    Would you like to have written those into file
    formatted as answers file? [Y/n]: Y
    Writing proxy-answers.txt.NtM1Y

    The Spacewalk user name and password (sw_user and sw_passwd) are the Spacewalk server administrator's user name and password.

    Note

    The information that you provide is optionally recorded in a file named proxy-answers.txt.UID, where UID is a unique identifier. You can use this file to automate the configuration of a Spacewalk proxy, as shown in the following example:

    # configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y
  10. If you want to use a third-party CA-signed SSL certificate instead of the self-signed SSL certificate, follow the procedure described in Section 1.6.1, “Replacing a Self-Signed SSL Certificate”.

    Note

    Oracle recommends that you replace the self-signed SSL certificate before registering any clients. Otherwise, you must log on separately to each existing client and configure it to use the new SSL certificate. You cannot do this from the Spacewalk server.

  11. To check that the Spacewalk proxy is running correctly, specify the URL of the proxy when registering a Spacewalk client, as shown in the following example:

    # rhnreg_ks --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
      --serverUrl=https://swkproxy_FQDN/XMLRPC --activationkey=activation_key

    After registering the client, subscribe it to software channels on the server and verify that you can update packages from the client.

2.5 Upgrading a Spacewalk Proxy

Upgrade a Spacewalk proxy as follows:

  1. If not already present on the Spacewalk server, create software channels for the Spacewalk Client and the Spacewalk Server for Release 2.7, then subscribe the Spacewalk proxy system to these channels as follows:

    1. Create a Spacewalk Client channel as a child of the Oracle Linux 6 base channel.

    2. Create a Spacewalk Client repository that accesses the Spacewalk Client channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk27/client/x86_64/), using the same GPG settings as for Oracle Linux 6.

    3. Associate the Spacewalk Client repository with the Spacewalk Client channel and synchronize the repository's packages from the Oracle Linux yum server.

    4. Create a Spacewalk Server channel as a child of the Oracle Linux 6 base channel.

    5. Create a Spacewalk Server repository that accesses the Spacewalk Server channel on the Oracle Linux yum server (https://yum.oracle.com/repo/OracleLinux/OL6/spacewalk27/server/x86_64/), using the same GPG settings as for Oracle Linux 6.

    6. Associate the Spacewalk Server repository with the Spacewalk Server channel and synchronize the repository's packages from the Oracle Linux yum server.

    7. Change the channel subscription of the Spacewalk server in Spacewalk from the previous release to the Spacewalk server channel for Release 2.7.

    8. Subscribe the Spacewalk proxy to the Spacewalk Client and Spacewalk Server channels for Release 2.7 instead of the Spacewalk Server and Client channels for Release 2.6.

  2. Back up the CA key, SSL certificate, and the OpenSSL configuration file in /root/ssl-build.

    For example, you could use the tar command as follows to create a backup:

    # cd /root/ssl-build
    # tar -cvf /tmp/sslcerts.tar RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf
  3. Run the yum update command to update all of the packages on the system.

    # yum update
  4. If necessary, extract the CA key, SSL certificate, and OpenSSL configuration file from your backup file to /root/ssl-build:

    # cd /root/ssl-build
    # tar -xvf /tmp/sslcerts.tar
  5. Configure the Spacewalk proxy by running the configure-proxy.sh script.

    The following example uses the proxy-answers.txt.UID file that was saved from a previous installation to perform the configuration:

    # configure-proxy.sh --non-interactive --answer-file=proxy-answers.txt.NtM1Y

    You can also run this command interactively by omitting any command-line options.
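
Steps 5 and 8 of the installation and step 2 of the upgrade place the CA certificate, the CA private key, and a backup archive of both on the proxy. The following audit is an added example, not part of the original guide: it compares the certificate that was downloaded over HTTP with the copy that arrived over scp, and checks that the private key and the backup are accessible to their owner only. The function names are hypothetical, and the equality of the two certificate copies is an assumption noted in the code.

```shell
#!/bin/sh
# Added example (not from the original guide). Function names are hypothetical.

# private_to_owner FILE: succeeds if group and other have no permission
# bits on FILE (characters 5-10 of the ls -l mode string are all "-").
private_to_owner() {
    perms=$(ls -ld "$1" 2>/dev/null) || return 2
    [ "$(printf '%s' "$perms" | cut -c5-10)" = "------" ]
}

# audit_ca_material HTTP_CERT BUILD_DIR [BACKUP_TAR]
#   HTTP_CERT   CA certificate downloaded over HTTP in step 5
#   BUILD_DIR   directory filled over scp in step 8
#   BACKUP_TAR  optional archive made before an upgrade
# Prints one line per finding; returns 1 if there was any, 0 otherwise.
audit_ca_material() {
    http_cert=$1; build=$2; backup=${3:-}; rc=0
    # Assumption: the server publishes under /pub a byte-identical copy
    # of the certificate kept in its /root/ssl-build directory.
    cmp -s "$http_cert" "$build/RHN-ORG-TRUSTED-SSL-CERT" ||
        { echo "certificate fetched over HTTP differs from the scp copy"; rc=1; }
    private_to_owner "$build/RHN-ORG-PRIVATE-SSL-KEY" ||
        { echo "CA private key is accessible to group or other"; rc=1; }
    if [ -n "$backup" ] && [ -e "$backup" ]; then
        private_to_owner "$backup" ||
            { echo "$backup is accessible to group or other"; rc=1; }
    fi
    return "$rc"
}

# Constructed stand-ins for the real files, so the audit runs anywhere.
demo=$(mktemp -d)
mkdir "$demo/ssl-build"
echo 'constructed certificate' > "$demo/ssl-build/RHN-ORG-TRUSTED-SSL-CERT"
echo 'constructed certificate' > "$demo/http-cert"
echo 'constructed key' > "$demo/ssl-build/RHN-ORG-PRIVATE-SSL-KEY"
chmod 600 "$demo/ssl-build/RHN-ORG-PRIVATE-SSL-KEY"
echo 'constructed archive' > "$demo/sslcerts.tar"
chmod 644 "$demo/sslcerts.tar"    # what a umask of 022 would produce
audit_ca_material "$demo/http-cert" "$demo/ssl-build" "$demo/sslcerts.tar" ||
    echo "audit found problems"
rm -rf "$demo"
# On the proxy itself:
#   audit_ca_material /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
#       /root/ssl-build /tmp/sslcerts.tar
```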

2.6 Troubleshooting Spacewalk Proxy Installation Problems

The following information describes how to diagnose and fix problems that you might encounter on a Spacewalk proxy.

For information about other known issues and possible workarounds, see Spacewalk for Oracle® Linux: Release Notes for Release 2.7.

Use the rhn-proxy status command to find out which Spacewalk proxy services are not running correctly. If a service does not start correctly, the problem is usually caused by incorrect configuration information being provided during installation.

Verify that the /etc/sysconfig/rhn/systemid file is owned by root:apache and that its mode is set to 640.

Check the following log files for errors:

  • /var/log/httpd/*: the httpd service log files.

  • /var/log/rhn/rhn_proxy_broker.log: the proxy brokering service log file.

  • /var/log/rhn/rhn_proxy_redirect.log: the proxy SSL redirection service log file.

  • /var/log/squid/*: the squid proxy log files.

  • /var/log/yum.log: the yum log file.

2.6.1 Clearing the Proxy Cache

If required to clear up package provisioning problems, you can clear the proxy cache as follows:

  1. Stop the httpd and squid services.

    For Oracle Linux 6, type the following commands:

    # service httpd stop
    # service squid stop

    For Oracle Linux 7, type the following commands:

    # systemctl stop httpd
    # systemctl stop squid
  2. Delete the contents of the cache as follows:

    # rm -Rf /var/cache/rhn/*
  3. Restart the squid and httpd services.

    For Oracle Linux 6, type the following commands:

    # service squid start
    # service httpd start

    For Oracle Linux 7, type the following commands:

    # systemctl start squid
    # systemctl start httpd