Monday Apr 29, 2013

Installing Spacewalk to manage Oracle Linux

Spacewalk is a popular Linux management tool that can be used to manage several operating systems, including the Red Hat Enterprise Linux derivatives like CentOS and Scientific Linux, Debian and even Solaris.

While the Spacewalk installation instructions are very thorough, here is a brief guide to installing Spacewalk on Oracle Linux 6. It is possible to install on Oracle Linux 5, but it requires a lot more manual intervention as the Unbreakable Linux Network packages installed on Oracle Linux 5 conflict with some Spacewalk packages. You should use the Spacewalk installation instructions in combination with this guide to install Spacewalk.

Pre-requisites

This guide assumes that you are familiar with the Oracle Linux 6 installation process, as well as basic system administration tasks, including registering with the Unbreakable Linux Network (ULN) or configuring YUM to use public-yum.oracle.com.  The Oracle Linux 6 Administrator's Solutions Guide provides more information on these tasks.

Oracle Linux 6 Installation

This guide uses Oracle Linux 6.4 (x86_64). Download Oracle Linux 6.4 from the Oracle Software Delivery Cloud or one of the mirrors. You can choose either to do a "Basic Server" install, or a "Minimal" install. I recommend performing a "Basic Server" install as this provides basic system administration tools. If you are using a previous version of Oracle Linux 6, please ensure it is either registered with the Unbreakable Linux Network or is configured to use public-yum.oracle.com for updates.

You should assign both a fixed hostname as well as a fixed IP address for your Spacewalk server. The hostname should be resolvable via DNS on your network.

Pre-Requisite Installation

Binary packages of Spacewalk are available through YUM repositories at http://yum.spacewalkproject.org/. To use this repository, install the spacewalk-repo package with the command below:

# rpm -Uvh http://yum.spacewalkproject.org/1.9/RHEL/6/x86_64/spacewalk-repo-1.9-1.el6.noarch.rpm

Additional repositories and packages

For Spacewalk on Oracle Linux 6, additional dependencies are needed from JPackage. Please configure the following yum repository before beginning your Spacewalk installation:

cat > /etc/yum.repos.d/jpackage-generic.repo << EOF
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF

We specifically want the 5.0 generic directory in the above URL.

Spacewalk requires additional dependencies from the Enterprise Packages for Enterprise Linux (EPEL) repository. To enable this repository run the following command:

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm 
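
Setting gpgcheck=1 only helps if the key it checks against is authentic, and the JPackage stanza above fetches that key over plain HTTP. The following lint for .repo stanzas is an added example, not part of the original post; the function name audit_repo and the finding labels are made up for illustration, and the sample input is a constructed copy of the stanza above.

```sh
#!/bin/sh
# Added example, not from the original post: lint yum .repo stanzas.

# Constructed copy of the jpackage-generic.repo stanza shown above.
sample_repo() {
cat <<'EOF'
[jpackage-generic]
name=JPackage generic
#baseurl=http://mirrors.dotsrc.org/pub/jpackage/5.0/generic/free/
mirrorlist=http://www.jpackage.org/mirrorlist.php?dist=generic&type=free&release=5.0
enabled=1
gpgcheck=1
gpgkey=http://www.jpackage.org/jpackage.asc
EOF
}

# audit_repo: reads .repo content on stdin, prints "<repo-id> <finding>" lines.
#   gpgcheck-off      package signatures are not verified
#   gpgcheck-unset    value is inherited from [main] in /etc/yum.conf; check it there
#   gpgkey-cleartext  the signing key itself is fetched over plain HTTP
audit_repo() {
    awk '
        function report() {
            if (id == "" || enabled == "0") return      # disabled repos are skipped
            if (gpgcheck == "0") print id, "gpgcheck-off"
            else if (gpgcheck == "") print id, "gpgcheck-unset"
            if (key ~ /^http:/) print id, "gpgkey-cleartext"
        }
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^\[.*\]/ {                                     # new stanza: flush the previous one
            report()
            id = substr($0, 2, index($0, "]") - 2)
            enabled = "1"; gpgcheck = ""; key = ""
            next
        }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == "enabled") enabled = v
            else if (k == "gpgcheck") gpgcheck = v
            else if (k == "gpgkey") key = v
        }
        END { report() }'
}

# Demo on the constructed stanza; on a real host: cat /etc/yum.repos.d/*.repo | audit_repo
sample_repo | audit_repo
```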

Database Server

Spacewalk supports either Oracle Database 10g or higher or PostgreSQL 8.4 or higher to store its primary data. While Oracle Database XE is supported by Spacewalk, it is not supported by Oracle. Therefore, we recommend either using an existing Oracle Database Standard or Enterprise Edition server or using PostgreSQL. 

Oracle Database Setup

Installation of an Oracle Database server is outside the scope of this walk-through. We assume you have an existing Oracle Database server installed and available. The spacewalk user needs to have the CONNECT and RESOURCE roles as well as the ALTER SESSION, CREATE SYNONYM, CREATE TABLE and CREATE VIEW system privileges.

You will also need to make the following code change on your Spacewalk server, after you have installed the Spacewalk software:

# diff -u /etc/sysconfig/rhn/oracle/main.sql-20110504 /etc/sysconfig/rhn/oracle/main.sql
--- main.sql-20110504	2011-04-08 21:40:53.000000000 +0200
+++ main.sql	2011-05-04 14:20:24.000000000 +0200
@@ -38940,6 +38940,12 @@
 
 
 -- Source: data/common/rhnPackageSyncBlacklist.sql
+
+select lookup_package_name('gpg-pubkey') from dual;
+
+select lookup_package_name('rhns-ca-cert') from dual;
+
+select lookup_package_name('rhn-org-trusted-ssl-cert') from dual;
     
 insert into rhnPackageSyncBlacklist (package_name_id)
 	values (lookup_package_name('gpg-pubkey')); 
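
Review bot: The three added "select lookup_package_name(...) from dual;" lines under the "-- Source: data/common/rhnPackageSyncBlacklist.sql" marker have no comment saying why they are there, so a later reader has to guess that they are run only to make the package names exist before the "insert into rhnPackageSyncBlacklist" that follows. Add a one-line SQL comment above them stating that purpose and naming the ORA-02291 parent-key failure they avoid. Only the gpg-pubkey insert is visible in the trailing context, so confirm that rhns-ca-cert and rhn-org-trusted-ssl-cert are also inserted further down; if they are not, those two selects are unnecessary.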

Without this change, the Spacewalk installation fails with the following error in /var/log/rhn/populate_db.log:

ORA-02291: integrity constraint (SPACEWALK.RHN_PACKAGESYNCBL_PNID_FK) violated - parent key not found 

The Oracle Instant Client packages can be installed from ULN by subscribing to the Oracle Software channel and running the following command:

# yum install oracle-instantclient11.2-basic oracle-instantclient11.2-sqlplus

If you are not subscribed to ULN, you can download the Oracle Instant Client RPMs from the Oracle Technology Network and install them manually.

Once the Oracle Instant Client has been installed, you need to add the library path to ldconfig:

# echo /usr/lib/oracle/11.2/client64/lib > /etc/ld.so.conf.d/oracle-instantclient11.2-basic.conf
# ldconfig

Spacewalk Installation

If you want to use the PostgreSQL embedded backend on the same server as Spacewalk:

# yum install spacewalk-setup-embedded-postgresql 
# yum install spacewalk-postgresql

If you want to use an Oracle Database backend:

# yum install spacewalk-oracle 

The rest of this guide uses an Oracle Database backend. Don't forget to make the code change listed under Oracle Database Setup before continuing!

The Spacewalk binary packages are missing a dependency on the geronimo-jta-1.1-api RPM, so install it manually:

# yum install geronimo-jta-1.1-api

Configuring Spacewalk

Your Spacewalk server should have a resolvable FQDN such as 'hostname.domain.com'. If the installer complains that the hostname is not the FQDN, do not use the --skip-fqdn-test flag to skip.

If you installed spacewalk-setup-embedded-postgresql above, run

# spacewalk-setup --disconnected

If you set up the database server manually (either on the same or on a different machine), run

# spacewalk-setup --disconnected --external-db

A sample interactive install:

# spacewalk-setup --disconnected --external-db
* Setting up Oracle environment.
* Setting up database.
** Database: Setting up database connection for Oracle backend.
Database service name (SID)? orcl.domain.com
Database hostname [localhost]? spacewalk-db.domain.com
Username? spacewalk
Password?
** Database: Testing database connection.
** Database: Populating database.
*** Progress: ############################################################
* Setting up users and groups.
** GPG: Initializing GPG and importing key.
** GPG: Creating /root/.gnupg directory
You must enter an email address.
Admin Email Address? your.email@domain.com
* Performing initial configuration.
* Activating Spacewalk.
** Loading Spacewalk Certificate.
** Verifying certificate locally.
** Activating Spacewalk.
* Enabling Monitoring.
* Configuring apache SSL virtual host.
Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]?
** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
* Configuring tomcat.
** /etc/sysconfig//tomcat6 has been backed up to tomcat6-swsave
** /etc/tomcat6//server.xml has been backed up to server.xml-swsave
** /etc/tomcat6//web.xml has been backed up to web.xml-swsave
* Configuring jabberd.
* Creating SSL certificates.
CA certificate password?
Re-enter CA certificate password?
Organization? Oracle Demo
Organization Unit [spacewalk.domain.com]?
Email Address [your.email@domain.com]?
City? Redwood Shores
State? CA
Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? US
** SSL: Generating CA certificate.
** SSL: Deploying CA certificate.
** SSL: Generating server certificate.
** SSL: Storing SSL certificates.
* Deploying configuration files.
* Update configuration in database.
* Setting up Cobbler..
Processing /etc/cobbler/modules.conf
`/etc/cobbler/modules.conf' -> `/etc/cobbler/modules.conf-swsave'
Processing /etc/cobbler/settings
`/etc/cobbler/settings' -> `/etc/cobbler/settings-swsave'
cobblerd does not appear to be running/accessible
Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]?
cobblerd does not appear to be running/accessible
* Restarting services.
Installation complete.
Visit https://spacewalk.domain.com to create the Spacewalk administrator account.

Once your install is complete, visit https://spacewalk.domain.com to create the initial Spacewalk administrator account. Documentation on using Spacewalk can be found on the Spacewalk wiki.

Oracle Linux YUM Repositories

The following channels on public-yum.oracle.com  contain errata information that can be ingested by Spacewalk: 

  • ol5_i386_latest
  • ol5_x86_64_latest
  • ol6_i386_latest
  • ol6_x86_64_latest

Each repository stores ALL packages released since the first Generally Available (GA) release of each version. This means the storage requirement for each of these repositories is between 20GB and 30GB. Care should be taken to ensure you have enough disk space to mirror each repository.

Adding the Oracle Linux 6 (x86_64) Latest channel

Go to Channels -> Manage Software Channels -> Manage Repositories. Click "create new repository" and provide the following configuration:

  • Repository Label: External yum repo - Oracle Linux 6 (x86_64)
  • Repository URL: http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/

Then click "create repository".

After creating the repository, you need to link it to one or more Software Channels. Go to Channels -> Manage Software Channels. Click "create new channel" and provide the following configuration:

  • Channel Name: Oracle Linux 6 (x86_64)
  • Channel Label: oraclelinux6-x86_64
  • Architecture: x86_64
  • Yum Repository Checksum Type: sha256
  • Channel Summary: Oracle Linux 6 (x86_64)

Then click "create channel". Once the channel is created, click the "Repositories" tab that appears, select the "External yum repo - Oracle Linux 6 (x86_64)" repository and click "Update Repositories". Once you've enabled the repository, click the "Sync" tab and either click the "Sync Now" button to trigger an immediate sync, or schedule a sync. Note that the initial repository sync can take 2-3 days to complete for each repository.

Updates to errata on ULN and public-yum.oracle.com

The Unbreakable Linux Network (ULN) team have been hard at work updating the errata metadata that is delivered on ULN and public-yum.oracle.com. The changes provide more information about all errata, including security patches, bug fixes and feature enhancements. In addition, security fixes are listed by priority (important, moderate, low). This will allow Oracle Linux customers more flexibility when working with 3rd party Linux management tools like Spacewalk or SUSE Manager.

You can see some of the changes we've implemented using the yum-security plugin that's available as part of Oracle Linux:

First, install the yum-security plugin:

# yum install yum-plugin-security

You can read all about the options available once you have the yum-security plugin installed by reading the man page:

# man yum-security 

Let's take it for a spin. First, let's list all the errata that are available for your system:

# yum updateinfo list
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug            device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement    device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec.  dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
...

This command lists all the errata that are available for your system by errata ID. It also specifies whether it's a security patch (Moderate/Sec.), bugfix (bug) or feature enhancement (enhancement).  

You could also narrow your search to just the CVEs, i.e. security patches:

# yum updateinfo list cves
CVE-2012-3954 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3571 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
CVE-2012-3955 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64 

This provides the CVE ID instead of the errata ID so that you can correlate a published CVE with a particular errata:

# yum updateinfo list --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
ELSA-2012-1141 Moderate/Sec. dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2012-1141 Moderate/Sec. dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64

Or see additional information about that particular errata or CVE:

# yum updateinfo info --cve CVE-2012-3954
Loaded plugins: rhnplugin, security
===============================================================================
   dhcp security update
===============================================================================
  Update ID : ELSA-2012-1141
    Release : Oracle Linux 6
       Type : security
     Status : final
     Issued : 2012-08-02
       CVEs : CVE-2012-3954
	    : CVE-2012-3571
Description : [12:4.1.1-31.P1.0.1.el6_3.1]
            : - Added oracle-errwarn-message.patch
            :
            : [12:4.1.1-31.P1.1]
            : - An error in the handling of malformed client
            :   identifiers can cause a denial-of-service
            :   condition in affected servers. (CVE-2012-3571,
            :   #843120)
            : - Memory Leaks Found In ISC DHCP (CVE-2012-3954,
            :   #843120)
   Severity : Moderate
updateinfo info done

For more information on using the yum tool, see the Oracle Linux 6 Administration Guide.

Updating Oracle Linux by Errata or CVE

The yum-security plugin also allows you to narrow the yum tool to only update security fixes. Instead of running a generic update command, you can leverage the additional errata metadata and tell yum to only apply security patches:

# yum --security update

Alternatively, you can target a specific errata or CVE:

# yum update --cve CVE-2012-3954 

Or

# yum update --advisory ELSA-2012-1141
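
To decide which advisories to pass to the commands above, the `yum updateinfo list` output shown earlier can be reduced to the security rows at or above a chosen severity. This is an added example, not part of the original post; the function name security_advisories is made up for illustration, the sample rows are copied from the listing earlier in this post, and the "critical" level is an assumption, since the post names only important, moderate and low.

```sh
#!/bin/sh
# Added example, not from the original post: triage `yum updateinfo list` output.

# Constructed input: the rows from the listing earlier in this post.
sample_updateinfo() {
cat <<'EOF'
Loaded plugins: rhnplugin, security
ELBA-2012-1399 bug            device-mapper-libs-1.02.74-10.el6_3.2.x86_64
ELEA-2012-1574 enhancement    device-mapper-libs-1.02.74-10.el6_3.3.x86_64
ELSA-2012-1141 Moderate/Sec.  dhclient-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhclient-12:4.1.1-34.P1.0.1.el6.x86_64
ELSA-2012-1141 Moderate/Sec.  dhcp-common-12:4.1.1-31.P1.0.1.el6_3.1.x86_64
ELSA-2013-0504 Low/Sec.       dhcp-common-12:4.1.1-34.P1.0.1.el6.x86_64
EOF
}

# security_advisories MIN_SEVERITY
# Reads the listing on stdin and prints "<id> <severity> <package-count>" for
# every security row at or above MIN_SEVERITY, one line per advisory (or CVE).
security_advisories() {
    awk -v min="$1" '
        BEGIN {
            # "critical" is an assumption; the post names important, moderate, low.
            rank["low"] = 1; rank["moderate"] = 2
            rank["important"] = 3; rank["critical"] = 4
            need = rank[tolower(min)]
            if (!need) { print "unknown severity: " min > "/dev/stderr"; bad = 1; exit }
        }
        # Security rows: <id> <Severity>/Sec. <package>; bug/enhancement rows are skipped.
        NF == 3 && $2 ~ /\/Sec\.$/ {
            sev = tolower($2); sub(/\/sec\.$/, "", sev)
            if (rank[sev] < need) next
            if (!($1 in count)) order[++n] = $1     # keep first-seen order
            count[$1]++; level[$1] = sev
        }
        END {
            if (bad) exit 2
            for (i = 1; i <= n; i++) print order[i], level[order[i]], count[order[i]]
        }'
}

# Demo on the constructed input; on a real host pipe `yum updateinfo list` instead.
sample_updateinfo | security_advisories moderate
```

The same function works on `yum updateinfo list cves` output, where the first column is a CVE ID instead of an errata ID.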

3rd-Party Linux management tools

Oracle Enterprise Manager 12c Cloud Control has always been able to extract and display errata information for Oracle Linux.  

Now, tools like Red Hat Satellite, Spacewalk, Katello/Pulp and SUSE Manager are all able to ingest the errata information and provide that information via their UI tools. 

For example, here's a snippet from Spacewalk showing the Oracle Linux 6 (i386) Latest channel from public-yum.oracle.com:

[Image: Spacewalk errata list]

If you click on a particular advisory, you can see information for that advisory:

You can also see the packages affected by an advisory:

Stay tuned for a future blog post that goes through how to set up Spacewalk to mirror the public-yum.oracle.com repositories.
