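Setting up Spacewalk 2.4 on CentOS 6
Spacewalk is an open source Linux systems management solution.
It is the upstream community project from which the Red Hat Satellite product is derived.
System Setup
- CentOS 6 (x86_64) minimal, fully up to date,
- 10GB of free disk space on "/", with
- "/var/satellite" mounted on a dedicated logical volume with 50GB of disk space, and
- "/var/lib/pgsql" mounted on a dedicated logical volume with 5GB of disk space,
- SELinux set to enforcing mode,
- iptables enabled, with inbound TCP ports 80 and 443 open for the Spacewalk WebUI,
- Fully qualified domain name (FQDN) spacewalk.igi.local.
Setting up the Spacewalk Server with a PostgreSQL Backend
Configure Repositories
Configure the repositories that Spacewalk requires.
EPEL is needed for dependencies (jabberd, dojo, etc.).
# yum install http://yum.spacewalkproject.org/2.4/RHEL/6/x86_64/spacewalk-repo-2.4-3.el6.noarch.rpm
# yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Import Spacewalk's public key: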
# rpm --import http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2014
Additional dependencies are needed from JPackage.
# cat << EOL >/etc/yum.repos.d/jpackage-generic.repo
[jpackage-generic]
name=JPackage generic
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOL
It is advisable to make the JPackage Project GPG key available to RPM:
# rpm --import http://www.jpackage.org/jpackage.asc
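Both key imports above fetch the key over plain HTTP, so the download itself proves nothing about the file. The following is an added example, not part of the original article: it pins a key file to a SHA-256 digest before running rpm --import. The function names are hypothetical and the digest is an assumption that must come from a separate source you trust.

```shell
#!/bin/bash
# Added example: pin a downloaded key file to a known SHA-256 digest.

# verify_pinned_file FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_pinned_file() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A pinned digest must be exactly 64 hex characters.
    case $expected in
        *[!0-9a-f]*) echo "invalid pinned digest" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "invalid pinned digest" >&2; return 2
    fi
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# import_pinned_key URL EXPECTED_SHA256
# Download to a temp file, verify, and only then import into the RPM keyring.
import_pinned_key() {
    local url=$1 expected=$2 tmp rc=1
    tmp=$(mktemp) || return 2
    if wget -q -O "$tmp" "$url" && verify_pinned_file "$tmp" "$expected"; then
        rpm --import "$tmp"
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage (run as root; the digest below is a placeholder, not a real value):
#   import_pinned_key http://www.jpackage.org/jpackage.asc <SHA256-FROM-TRUSTED-SOURCE>
```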
Install Spacewalk Packages
# yum install -y spacewalk-setup-postgresql spacewalk-postgresql
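Configure the PostgreSQL Server
We will run spacewalk-setup-postgresql to configure the PostgreSQL server.
We will use the following data to configure the database server:
- Database name: spaceschema
- Database username: spaceuser
- Database user password: changeme
If paranoid (highly optional):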
# unset HISTFILE
Database parameters to pass on the command line (change as appropriate):
# DBNAME=spaceschema; DBUSER=spaceuser; DBPASSWORD=changeme
Configure the Spacewalk database:
# spacewalk-setup-postgresql create \
  --db "$DBNAME" \
  --user "$DBUSER" \
  --password "$DBPASSWORD"
If you get the following error during setup:
createdb: database creation failed: ERROR: new encoding (UTF8) is incompatible with the encoding of the template database (SQL_ASCII)
Open the "/usr/bin/spacewalk-setup-postgresql" file for editing and change the line containing UTF8 to use SQL_ASCII:
runuser - postgres -c "createdb -E UTF8 '$PGNAME'"
Then run the database setup again.
Once done, test the database connection:
# PGPASSWORD=changeme psql -a -U spaceuser spaceschema
psql (8.4.20)
Type "help" for help.
spaceschema=# \q
# PGPASSWORD=changeme psql -h localhost -a -U spaceuser spaceschema
psql (8.4.20)
Type "help" for help.
spaceschema=# \q
Set up Spacewalk
Set up Spacewalk, but skip the embedded database installation:
# spacewalk-setup --disconnected --skip-db-install
* Setting up SELinux..
** Database: Setting up database connection for PostgreSQL backend.
** Database: Embedded database installation SKIPPED.
Could not connect to the database. Your connection information may be incorrect.
Hostname (leave empty for local)?
Database? spaceschema
Username? spaceuser
Password? **
** Database: Populating database.
*** Progress: #############################
* Configuring tomcat.
* Setting up users and groups.
** GPG: Initializing GPG and importing key.
** GPG: Creating /root/.gnupg directory
You must enter an email address.
Admin Email Address? Hyman@theitroad
* Performing initial configuration.
* Activating Spacewalk.
** Loading Spacewalk Certificate.
** Verifying certificate locally.
** Activating Spacewalk.
* Configuring apache SSL virtual host.
Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]?
** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
* Configuring jabberd.
* Creating SSL certificates.
CA certificate password? **
Re-enter CA certificate password? **
Organization? CentOS6
Organization Unit [spacewalk.igi.local]?
Spacewalk Email Address [Hyman@theitroad]?
City? Birmingham
State? West Midlands
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? GB
** SSL: Generating CA certificate.
** SSL: Deploying CA certificate.
** SSL: Generating server certificate.
** SSL: Storing SSL certificates.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]?
* Restarting services.
Installation complete.
Visit https://spacewalk.igi.local to create the Spacewalk administrator account.
Enable and restart the Spacewalk services:
# /usr/sbin/spacewalk-service enable ;\
  /usr/sbin/spacewalk-service restart
We want to make the RPM-GPG-KEY-spacewalk-2014 key available to clients that have no Internet access:
# wget http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2014 \
  -O /var/www/html/pub/RPM-GPG-KEY-spacewalk-2014
Spacewalk clients with LAN-only access can download the key from https://spacewalk.igi.local/pub/RPM-GPG-KEY-spacewalk-2014.
Check the Spacewalk service status to make sure everything is running:
# /usr/sbin/spacewalk-service status
postmaster (pid 1371) is running...
router (pid 1615) is running...
sm (pid 1623) is running...
c2s (pid 1631) is running...
s2s (pid 1639) is running...
tomcat6 (pid 1570) is running... [ OK ]
httpd (pid 1585) is running...
osa-dispatcher (pid 1655) is running...
rhn-search is running (1685).
cobblerd (pid 1740) is running...
RHN Taskomatic is running (1771).
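Troubleshooting
When changing the PostgreSQL password for the spacewalk user, do not forget to update the "/etc/rhn/rhn.conf" file with the new credentials, otherwise the Spacewalk backend may fail to connect to the database.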
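One way to confirm that rhn.conf and the database agree after a password change, as an added example that is not part of the original article. It assumes rhn.conf uses "key = value" lines with the db_user, db_password, db_name and db_host keys; the function names are hypothetical.

```shell
#!/bin/bash
# Added example: read the DB credentials Spacewalk will use and test them.
# Assumes "key = value" lines with db_user, db_password, db_name, db_host.

# rhn_conf_get FILE KEY: print the value of KEY, ignoring comment lines.
rhn_conf_get() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        !/=/       { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                # Keep everything after the first "=", so "=" in a password survives.
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# rhn_conf_world_readable FILE: succeed if "other" can read the file,
# which would expose db_password to every local user.
rhn_conf_world_readable() {
    [ -n "$(find "$1" -perm -004 -print 2>/dev/null)" ]
}

# check_rhn_db_login FILE: try the stored credentials with psql, the same
# way the article tests the connection. Returns the psql exit status.
check_rhn_db_login() {
    local conf=$1 user pass name host
    user=$(rhn_conf_get "$conf" db_user)
    pass=$(rhn_conf_get "$conf" db_password)
    name=$(rhn_conf_get "$conf" db_name)
    host=$(rhn_conf_get "$conf" db_host)
    if rhn_conf_world_readable "$conf"; then
        echo "WARNING: $conf is world-readable" >&2
    fi
    # PGPASSWORD keeps the password out of the psql argument list;
    # -h is added only when db_host is set (empty means local socket).
    PGPASSWORD=$pass psql ${host:+-h "$host"} -U "$user" -c 'SELECT 1' "$name" >/dev/null
}

# Usage: check_rhn_db_login /etc/rhn/rhn.conf && echo "credentials OK"
```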
When using "/var/lib/pgsql" on a dedicated logical volume with SELinux in enforcing mode, we may get the following error:
postmaster cannot access the server configuration file "/var/lib/pgsql/data/postgresql.conf": Permission denied
Check the SELinux log to confirm:
# grep postgres /var/log/audit/audit.log|grep denied|tail
To fix this, add an SELinux file context mapping and apply it to the running system:
# yum -y install policycoreutils-python
# semanage fcontext -a -t postgresql_db_t "/var/lib/pgsql(/.*)?"
# restorecon -Rv /var/lib/pgsql
Check the logs:
# tail /var/log/messages
# tail /var/log/rhn/*.log
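Spacewalk Repositories and Channels
Create a CentOS Base Repository
Go to Channels -> Manage Software Channels -> Manage Repositories -> Create Repository.
Create a Parent Channel
Go to Channels -> Manage Software Channels -> Create Channel.
Create a Child Channel for CentOS Base
Go to Channels -> Manage Software Channels -> Create Channel.
Associate the CentOS Base Repository with the Child Channel
Go to Channels -> Manage Software Channels -> select the channel you created -> Repositories -> select the previously created repository -> Update Repositories.
Once updated, click the Sync tab, then click the Sync Now button to start package synchronisation from the upstream server.
After the package sync has completed, we should see a number of packages available.
Below is the full list of channels that we have configured:
# spacewalk-repo-sync --list
======================================
| Channel Label | Repository |
======================================
epel-x86_64 | http://dl.fedoraproject.org/pub/epel/6/x86_64/
centos-6-os-x86_64 | http://mirror.centos.org/centos/6/os/x86_64/
spacewalk-latest-x86_64 | http://yum.spacewalkproject.org/latest/RHEL/6/x86_64/
puppetlabs-el6-x86_64 | http://yum.puppetlabs.com/el/6/products/x86_64/
elasticsearch-1.7 | http://packages.elastic.co/elasticsearch/1.7/centos
mongo-stable-x86_64 | http://repo.mongodb.org/yum/redhat/6/mongodb-org/stable/x86_64/
centos-6-updates-x86_64 | http://mirror.centos.org/centos/6/updates/x86_64/
puppetlabs-dep-el6-x86_64 | http://yum.puppetlabs.com/el/6/dependencies/x86_64/
spacewalk-client-latest-x86_64 | http://yum.spacewalkproject.org/latest-client/RHEL/6/x86_64/
centos-6-parent-x86_64 | No repository set
For example, to sync the epel channel from the command line, do the following: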
# spacewalk-repo-sync --channel epel-x86_64 --type yum
A simple script to sync all channels one by one:
# cat << 'EOL' > /usr/local/bin/spacewalk-sync.sh
#!/bin/bash
CMD="/usr/bin/spacewalk-repo-sync"
SYNC_DIR="/var/satellite"
# A dirty way of getting volume space usage
usage=$(df "$SYNC_DIR"|grep satellite|grep -o "...%"|cut -b1-3|tr -d ' ')
if [ "$usage" -gt "90" ]; then
  echo "WARNING: $SYNC_DIR usage is ${usage}%."
  echo "This does not prevent the script from running."
else
  echo "$SYNC_DIR usage looks OK ${usage}%."
fi
# Low capacity repositories at the top
$CMD -c elasticsearch-1.7 -t yum
$CMD -c spacewalk-client-latest-x86_64 -t yum
$CMD -c mongo-stable-x86_64 -t yum
$CMD -c puppetlabs-dep-el6-x86_64 -t yum
$CMD -c spacewalk-latest-x86_64 -t yum
$CMD -c centos-6-updates-x86_64 -t yum
$CMD -c puppetlabs-el6-x86_64 -t yum
$CMD -c centos-6-os-x86_64 -t yum
$CMD -c epel-x86_64 -t yum
exit 0
EOL
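Spacewalk Activation Keys
Go to Systems -> Activation Keys -> Create Key.
Once the key is created, go to the Child Channels tab and tick all channels.
Any system registered with this activation key will be subscribed to the selected child channels.
Uploading RPM Packages to Spacewalk
In some cases we may need to push one or two custom RPMs to Spacewalk.
This can be done with rhnpush by specifying the channel the packages need to go into, for example:
# rhnpush -v --channel=checkinstall-el6 --server=http://localhost/APP --dir=packages
Connecting to http://localhost/APP
Username: admin
Password:
Package /root/packages/checkinstall-1.6.2-20.2.x86_64.rpm Not Found on RHN Server -- Uploading
Uploading package /root/packages/checkinstall-1.6.2-20.2.x86_64.rpm
Using POST request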
Setting up a Spacewalk Client
Add the yum repository for Spacewalk as well as the matching EPEL repository:
# rpm -Uvh http://yum.spacewalkproject.org/2.4-client/RHEL/6/x86_64/spacewalk-client-repo-2.4-3.el6.noarch.rpm
# rpm -Uvh http://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Install the Spacewalk client packages:
# yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto yum-rhn-plugin
Install Spacewalk's CA certificate on the server to enable SSL communication:
# wget -O /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT http://spacewalk.igi.local/pub/RHN-ORG-TRUSTED-SSL-CERT
Register the client system with Spacewalk using the activation key we created earlier:
# cat /usr/local/bin/spacewalk-register.sh
#!/bin/bash
# Extra options given on the command line are passed through to rhnreg_ks
if [[ $# -gt 0 ]]; then
  reg_opts="$*"
fi
# The activation key and profile name are set by this script, so reject them
if [[ $reg_opts =~ --(activationkey|profilename) ]]; then
  echo "usage: $0 <options>"
  echo " <options> are passed as is to rhnreg_ks"
  echo " do not use profile name or activationkey opts these are"
  echo " hardcoded into the script"
  exit 1
fi
read -r -p "Enter profile name: " profile
echo "Registering system as: ${profile}"
rhnreg_ks --force --activationkey="1-centos6-custom-spacewalk-key" \
  --serverUrl=http://spacewalk.igi.local/XMLRPC \
  --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT \
  --profilename="${profile}" ${reg_opts}