Deploying a Spacewalk Server

This article is about how to deploy a Spacewalk Server v2.7 from scratch.

If you work at an enterprise-level company whose IT infrastructure contains a lot of Linux machines, you will certainly face these questions: how to manage all Linux systems centrally, stay aware of the current state of the entire infrastructure, provide a high level of security, and reduce maintenance effort. The most common day-to-day tasks in server maintenance are software updates and the flexible management of a unified configuration.

The Linux distributions most enterprise software vendors support are Red Hat Enterprise Linux (RHEL), SUSE Linux Enterprise Server (SLES), CentOS, Oracle Linux, Debian, and Ubuntu.

Unfortunately, a native centralised patch management system for Debian and its derivatives does not exist, so you should consider replacing all those systems with Red Hat or its derivatives before deploying a management system. Although the management systems listed below formally support registering and managing Debian and Ubuntu clients, there are many limitations and additional efforts needed to make them work properly, so they cannot be considered native solutions for Debian systems.

Product Highlights
SUSE Manager
  • $10,000 per year for Unlimited Managed Linux Instances / $2,500 for proxy
  • Best suitable for SUSE, RHEL, CentOS, Oracle Linux, etc.
  • Provides integration with Microsoft SCCM
Red Hat Satellite
  • $10,000 per year for Unlimited Managed Linux Instances / $2,500 for proxy
  • Best suitable for RHEL, CentOS, Oracle Linux, etc.
  • Does not officially support SLES
Spacewalk
  • Free & Open Source Systems Management
  • Community version of Red Hat Satellite
  • Best suitable for CentOS, Oracle Linux, etc.
  • Does not officially support RHEL and SLES
Satellite Overview
  • Systems Inventory (Hardware and Software)
  • System Software Installation and Updates
  • Collation and Distribution of Custom Software Packages into Manageable Groups
  • System provisioning (via Kickstart)
  • Management and deployment of configuration files
  • Provision of virtual Guests
  • Start/Stop/Configuration of virtual guests
  • OpenSCAP Auditing of client systems
  • Options for geographically remote proxy servers

Note: All of the above-mentioned systems are based on the same engine; they differ only in the WebGUI and the set of additional features. The installation and configuration process is also almost the same.


Fresh Installation of CentOS

The following virtual server configuration was used for this article: CPU 2×2 (4 cores) / RAM 24GB / HDD 150GB x 2.

  1. Download the latest version of CentOS from the official CentOS download page.
  2. Start your server and wait for the CentOS installation menu to appear:
    CentOS Installation Menu
  3. Press the ESCAPE button to start unattended installation:
    boot: linux ks=
  4. After completing the installation (it takes up to 10 minutes), log in to the server using a terminal client (for example, ssh, PuTTY, MobaXterm, etc.) and check the current disk space:
    [root@spacewalk ~]# df -h | grep map
    /dev/mapper/vg00-lv_root  2.0G  1.1G  725M  61% /
    /dev/mapper/vg00-lv_var   9.8G  101M  9.2G   2% /var
    /dev/mapper/vg00-lv_tmp   488M  840K  452M   1% /tmp
    /dev/mapper/vg00-lv_home  976M  2.6M  907M   1% /home
    [root@spacewalk ~]# vgs
      VG   #PV #LV #SN Attr   VSize    VFree
      vg00   1   5   0 wz--n- <149.51g <132.01g
    [root@spacewalk ~]# fdisk -l | grep sd
    Disk /dev/sda: 161.1 GB, 161061273600 bytes, 314572800 sectors
    /dev/sda1   *        2048     1026047      512000   83  Linux
    /dev/sda2         1026048   314572799   156773376   8e  Linux LVM
    Disk /dev/sdb: 161.1 GB, 161061273600 bytes, 314572800 sectors
    [root@spacewalk ~]#
  5. Extend current partitions and mount the second disk for storing repositories:
    ### Extend current partitions
    lvextend -L+3.1G /dev/vg00/lv_root
    lvextend -L+40.2G /dev/vg00/lv_var
    resize2fs /dev/vg00/lv_root
    resize2fs /dev/vg00/lv_var
    ### Rescan for new SCSI controllers (after adding a new 150GB disk to the virtual machine)
    echo "1" > /sys/bus/pci/rescan
    ### Rescan SCSI bus for new disks
    for i in $(ls /sys/class/scsi_host/); do echo "- - -" > /sys/class/scsi_host/$i/scan; done
    ### Create a partition for LVM
    echo -e "n\np\n1\n\n\nt\n8e\nw\n" | fdisk /dev/sdb
    ### Create a new volume group/logical volume
    pvcreate /dev/sdb1
    vgcreate vg01 /dev/sdb1
    lvcreate -L120G -n lv_satellite vg01
    mkfs.xfs /dev/vg01/lv_satellite
    mkdir -p /var/satellite
    chmod 777 /var/satellite
    NL="/dev/mapper/vg01-lv_satellite /var/satellite           xfs     defaults        1 2"
    sed -i "/swap/i $NL" /etc/fstab
    mount -a

    Check what you have now:

    [root@spacewalk ~]# df -h | grep map
    /dev/mapper/vg00-lv_root       5.0G  1.1G  3.7G  23% /
    /dev/mapper/vg00-lv_var         50G  117M   48G   1% /var
    /dev/mapper/vg00-lv_tmp        488M  840K  452M   1% /tmp
    /dev/mapper/vg00-lv_home       976M  2.6M  907M   1% /home
    /dev/mapper/vg01-lv_satellite  120G   33M  120G   1% /var/satellite
    [root@spacewalk ~]# vgs
      VG   #PV #LV #SN Attr   VSize    VFree
      vg00   1   5   0 wz--n- <149.51g  88.70g
      vg01   1   1   0 wz--n- <150.00g <30.00g
  6. Set the static network settings and the FQDN (replace the placeholder values in angle brackets with yours):
    ### Static IP (F is the interface configuration file of the server's network interface)
    F=/etc/sysconfig/network-scripts/ifcfg-<INTERFACE>
    sed -i 's/BOOTPROTO.*/BOOTPROTO="static"/' ${F}
    cat >> ${F} <<EOF
    IPADDR=<SERVER_IP>
    PREFIX=<PREFIX_LENGTH>
    GATEWAY=<GATEWAY_IP>
    DNS1=<DNS_SERVER_IP>
    EOF
    ### FQDN
    echo 'spacewalk.svelab.local' > /etc/hostname
    echo '<SERVER_IP>   spacewalk.svelab.local spacewalk' >> /etc/hosts
  7. Apply all available patches, disable IPv6, and reboot the server:
    yum -y update && yum -y upgrade
    echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/noipv6.conf
    reboot

Spacewalk Installation

  1. Set up Spacewalk repositories:
    rpm -Uvh
    rpm -Uvh
    (cd /etc/yum.repos.d && curl -O
    yum clean all
    rm -rf /var/cache/yum
    yum repolist
  2. Install PostgreSQL and Spacewalk
    yum -y install spacewalk-setup-postgresql spacewalk-postgresql spacewalk-utils
    ### workaround for a bug in spacewalk 2.7:
    rpm -Uvh

    Initial settings (replace values with yours):

    [root@spacewalk ~]# spacewalk-setup
    * Setting up SELinux..
    ** Database: Setting up database connection for PostgreSQL backend.
    ** Database: Installing the database:
    ** Database: This is a long process that is logged in:
    ** Database:   /var/log/rhn/install_db.log
    *** Progress: ##
    ** Database: Installation complete.
    ** Database: Populating database.
    *** Progress: ##########################
    * Configuring tomcat.
    * Setting up users and groups.
    ** GPG: Initializing GPG and importing key.
    ** GPG: Creating /root/.gnupg directory
    You must enter an email address.
    Admin Email Address?
    * Performing initial configuration.
    * Configuring apache SSL virtual host.
    Should setup configure apache's default ssl server for you (saves original ssl.conf) [Y]? Y
    ** /etc/httpd/conf.d/ssl.conf has been backed up to ssl.conf-swsave
    * Configuring jabberd.
    * Creating SSL certificates.
    CA certificate password? pa$$w0rd
    Re-enter CA certificate password? pa$$w0rd
    Cname alias of the machine (comma seperated)? spacewalk
    Organization? SVELAB
    Organization Unit [spacewalk.svelab.local]? IT
    Email Address []?
    City? Sydney
    State? NSW
    Country code (Examples: "US", "JP", "IN", or type "?" to see a list)? AU
    ** SSL: Generating CA certificate.
    ** SSL: Deploying CA certificate.
    ** SSL: Generating server certificate.
    ** SSL: Storing SSL certificates.
    * Deploying configuration files.
    * Update configuration in database.
    * Setting up Cobbler..
    Cobbler requires tftp and xinetd services be turned on for PXE provisioning functionality. Enable these services [Y]? N
    * Restarting services.
    Tomcat failed to start properly or the installer ran out of tries.  Please check /var/log/tomcat6/catalina.out or /var/log/tomcat/catalina.$(date +%Y-%m-%d).log for errors.

    Note: Ignore the tomcat error message, because this is the result of minor errors in the Spacewalk installation scripts. In fact, Tomcat is up and running.

  3. Configure the firewall:
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --permanent --add-port=5222/tcp
    firewall-cmd --permanent --add-port=5269/tcp
    firewall-cmd --reload


    [root@spacewalk ~]# firewall-cmd --permanent --list-all | grep -E '(services| ports)'
      services: ssh dhcpv6-client http https
      ports: 5222/tcp 5269/tcp
  4. Create the organization and the local administrator account. Go to https://spacewalk.svelab.local:
    Spacewalk Initial Setup
  5. Configure proxy settings if your Spacewalk instance does not have direct Internet access:
    Spacewalk Setup - Proxy

Replace self-signed certificates

  1. Backup existing keys/certificates:
    cd /root
    tar -zcvf SSL_configs_$(date +"%Y%m%d").tgz /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub 
  2. Get the Certificate Signing Request (CSR):
    [root@spacewalk ~]# cat /root/ssl-build/$(hostname -s)/server.csr | awk '/BEGIN/ {seen=1} seen {print}'
  3. Sign the CSR with your local Microsoft Certificate Authority:
    Spacewalk SSL Cert
    Submit the request and download the certificate chain in the Base64 encoded format (the filename will be certnew.p7b):
    Spacewalk - Download SSL Cert
  4. Upload the saved certificate chain (certnew.p7b) onto the server in /tmp and replace the self-signed one:
    ### replace the current certificate
    cat /tmp/certnew.p7b | openssl pkcs7 -print_certs > /root/ssl-build/$(hostname -s)/server.crt
    ### remove the ^M symbol
    sed -i -e 's/\r//' /root/ssl-build/$(hostname -s)/server.crt
  5. Combine all third-party root and intermediate CA certificates (replace the CA host and user name with yours):
    mkdir -p /root/certs
    wget --no-proxy --no-check-certificate --user=sve --ask-password 'https://labdc01.svelab.local/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64' -O /root/certs/local_root_ca.p7b
    sed -i -e 's/\r//' /root/certs/local_root_ca.p7b
    cat /root/certs/local_root_ca.p7b | openssl pkcs7 -print_certs > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT


    [root@spacewalk tmp]# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/$(hostname -s)/server.crt
    /root/ssl-build/spacewalk/server.crt: OK
  6. Create an RPM package with SSL certificates:
    cd /root
    rhn-ssl-tool --gen-server --rpm-only
    rpm -Uvh /root/ssl-build/$(hostname -s)/$(grep noarch /root/ssl-build/$(hostname -s)/latest.txt)
    rhn-ssl-dbstore -vvv --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  7. Update the rhn-org-trusted-ssl-cert rpm:
    cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
    cp $(ls /root/ssl-build/rhn-org-trusted-ssl-cert*.noarch.rpm | sort | tail -n1) /var/www/html/pub/
  8. Update the Jabber server.pem file:
    cat /root/ssl-build/$(hostname -s)/server.pem > /etc/pki/spacewalk/jabberd/server.pem
    chown jabber:jabber /etc/pki/spacewalk/jabberd/server.pem
    chmod 600 /etc/pki/spacewalk/jabberd/server.pem


    ### certificates
    [root@spacewalk ~]# md5sum /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build/$(hostname -s)/server.pem
    832074c7295049e71ed0293ee6134afe  /etc/pki/spacewalk/jabberd/server.pem
    832074c7295049e71ed0293ee6134afe  /root/ssl-build/spacewalk/server.pem
    [root@spacewalk ~]# md5sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    ### configs
    [root@spacewalk ~]# grep require-starttls /etc/jabberd/c2s.xml | grep pemfile
        <id require-starttls="false" pemfile="/etc/pki/spacewalk/jabberd/server.pem" realm="" register-enable="true">spacewalk.svelab.local</id>
    [root@spacewalk ~]# grep '<id>' /etc/jabberd/sm.xml
    [root@spacewalk ~]# grep osa-dispatcher /etc/rhn/rhn.conf
    osa-dispatcher.jabber_server = spacewalk.svelab.local
    osa-dispatcher.osa_ssl_cert = /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
  9. Restart Spacewalk:
    [root@spacewalk ~]# spacewalk-service restart
    Shutting down spacewalk services...
    Starting spacewalk services...

    Check (you should get output similar to the one below):

    [root@spacewalk ~]# systemctl status osa-dispatcher | tail -n2
    Jan 14 20:44:42 spacewalk.svelab.local systemd[1]: Starting OSA Dispatcher daemon...
    Jan 14 20:44:43 spacewalk.svelab.local systemd[1]: Started OSA Dispatcher daemon.
    [root@spacewalk ~]# tail -n3 /var/log/rhn/osa-dispatcher.log
    2018/01/14 20:44:43 +11:00 52542 osad/jabber_lib.__init__
    2018/01/14 20:44:43 +11:00 52542 osad/jabber_lib.setup_connection('Connected to jabber server', 'spacewalk.svelab.local')
    2018/01/14 20:44:43 +11:00 52542 osad/jabber_lib.process_forever

    Now the connection to Spacewalk is ‘green’ (secure):
    Spacewalk - Trusted SSL Cert

  10. Put the /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT of Spacewalk into the GPG config channel to update certificates on target systems.
  11. If you want to regenerate SSL keys and CA certificates (for example, if you forget the CA password):

    cd /root
    tar -zcvf SSL_configs_$(date +"%Y%m%d").tgz /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub
    rm -fR /root/ssl-build/
    mkdir /root/ssl-build/
    rhn-ssl-tool --gen-ca
    rm -f /var/www/html/pub/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-*.noarch.rpm}
    cp ssl-build/{RHN-ORG-TRUSTED-SSL-CERT,rhn-org-trusted-ssl-cert-1.0-1.noarch.rpm} /var/www/html/pub/
    rhn-ssl-dbstore --ca-cert=/var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    rhn-ssl-tool --gen-server --set-hostname=$(hostname -f) --set-country=AU --set-state=NSW \
    --set-city=Sydney --set-org=SVELAB --set-org-unit=IT
    rpm -e rhn-org-httpd-ssl-key-pair-$(hostname -s)
    rpm -Uvh /root/ssl-build/$(hostname -s)/$(grep noarch /root/ssl-build/$(hostname -s)/latest.txt)
    ### repeat steps 1-10
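Before packaging the replacement certificate (step 6), a practitioner would verify that what came back from the CA belongs to the existing server.key, chains to the RHN-ORG-TRUSTED-SSL-CERT bundle, matches the FQDN, and carries no ^M characters. The following is an added example of such a pre-flight check, not code from the original article: it generates a throwaway CA, key and certificate in a temporary directory so it runs offline, and the hostname spacewalk.example.test and all function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): pre-flight checks for a CA-signed
# certificate before it replaces the self-signed one in /root/ssl-build and is
# packaged with rhn-ssl-tool. All paths, names and functions are hypothetical.
set -u

# Returns 0 when the certificate in $1 chains to the CA bundle in $2.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Returns 0 when the public key in certificate $1 matches private key $2
# (the CA must have signed the CSR made from the key Spacewalk actually uses).
key_matches_cert() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when certificate $1 is valid for hostname $2 (SAN or CN).
hostname_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Returns 0 when file $1 contains no CR (^M) characters, which a Windows-side
# download often adds and which the article strips with sed.
no_cr() {
    ! grep -q "$(printf '\r')" "$1"
}

# Runs every check, prints PASS/FAIL per check and returns the failure count.
preflight() {
    local cert=$1 key=$2 ca=$3 host=$4 failures=0 check
    for check in "chain_ok $cert $ca" "key_matches_cert $cert $key" \
                 "hostname_ok $cert $host" "no_cr $cert"; do
        if $check; then
            echo "PASS ${check%% *}"
        else
            echo "FAIL ${check%% *}"; failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed test material: a throwaway CA, a server key/CSR, the signed
# certificate, and an unrelated key to show what a key/cert mismatch looks like.
make_fixture() {
    local dir=$1 host=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Lab CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$dir/other.key" 2048 >/dev/null 2>&1
}

# Demonstrates the checks: 0 failures with the right key, 1 with an unrelated key.
demo() {
    local dir good=0 bad=0
    dir=$(mktemp -d)
    make_fixture "$dir" spacewalk.example.test
    preflight "$dir/server.crt" "$dir/server.key" "$dir/ca.crt" spacewalk.example.test || good=$?
    preflight "$dir/server.crt" "$dir/other.key" "$dir/ca.crt" spacewalk.example.test || bad=$?
    rm -rf "$dir"
    echo "failures with the matching key: $good; with an unrelated key: $bad"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}
```

On the real server the call is `preflight /root/ssl-build/$(hostname -s)/server.crt /root/ssl-build/$(hostname -s)/server.key /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT $(hostname -f)`, run before `rhn-ssl-tool --gen-server --rpm-only`.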

Active Directory Integration

  1. Install required packages:
    yum -y install samba samba-common samba-client samba-libs samba-winbind samba-winbind-clients krb5-workstation pam_krb5
  2. Generate the configs by copying and pasting the text below into the console (replace the domain values with yours):

    ### Domain parameters (the DNS domain and NetBIOS name of the lab used in this article)
    dc_domain='svelab.local'
    dc_netbios='SVELAB'
    myhost=$(hostname -s)
    dc_realm=$(printf "%s" ${dc_domain} | tr '[a-z]' '[A-Z]')

    File /etc/samba/smb.conf

    cat > /etc/samba/smb.conf <<EOF
    # testparm
    #======================= Global Settings =======================
    [global]
        ### General ###
        workgroup = ${dc_netbios}
        netbios name = ${myhost}
        server string = %h SMB Server
        local master = no
        preferred master = no
        domain master = no
        os level = 0
        machine password timeout = 0
        ### Active Directory Integration ###
        password server = *
        realm = ${dc_realm}
        security = ads
        idmap config ${dc_netbios} : backend = rid
        idmap config ${dc_netbios} : range = 10000000-33554431
        idmap config * : backend = tdb
        idmap config * : range = 1000000000-1999999999
        encrypt passwords = yes
        winbind use default domain = yes
        winbind offline logon = no
        winbind enum groups = yes
        winbind enum users = yes
        winbind nested groups = yes
        #winbind separator = \\\\
        #winbind cache time = 3600
        ### Misc ###
        wins support = no
        dns proxy = no
        #### Networking ####
        #interfaces = eth0
        #bind interfaces only = yes
        #### Debugging/Accounting ####
        log file = /var/log/samba/samba.log
        log level = 1
        max log size = 1024
        panic action = /usr/share/samba/panic-action %d
        ### Authentication ###
        passdb backend = tdbsam
        obey pam restrictions = yes
        map to guest = bad user
        guest account = nobody
        restrict anonymous = 2
        server signing = auto
        ### misc ###
        usershare path =
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes
        create mask = 0777
        directory mask = 0777
    EOF

    File /etc/krb5.conf

    cat > /etc/krb5.conf <<EOF
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log

    [libdefaults]
     default_realm = ${dc_realm}
     default_ccache_name = KEYRING:persistent:%{uid}
     dns_lookup_realm = true
     dns_lookup_kdc = true
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
     rdns = false

    [realms]
     ${dc_realm} = {
        kdc = labdc01.${dc_domain}
        kdc = labdc02.${dc_domain}
        #admin_server =
        default_domain = ${dc_domain}
     }

    [domain_realm]
     .${dc_domain} = ${dc_realm}
     ${dc_domain} = ${dc_realm}
    EOF
  3. Join to Active Directory (your domain account must have Domain Admin privileges):
    [root@spacewalk ~]# net ads join -S labdc01.svelab.local -U sve createcomputer="Computers"
    Enter sve's password:
    Using short domain name -- SVELAB
    Joined 'SPACEWALK' to dns domain 'svelab.local'
    [root@spacewalk ~]# wbinfo -t
    checking the trust secret for domain SVELAB via RPC calls succeeded

    Enable/disable the services at boot and start Winbind:

    systemctl enable winbind
    systemctl disable smb
    systemctl disable nmb
    systemctl start winbind
  4. Enable Winbind as the PAM/NSS source for users and groups:
    ### reconfigure /etc/nsswitch.conf: append winbind to the passwd, group and shadow databases
    F=/etc/nsswitch.conf
    chk=$(grep -Esn '^(passwd|group|shadow)' "${F}" | grep -v 'winbind')
    if [ "${chk}" != '' ]; then
        while read -r line; do
            IFS=':' read -r -a cfg_oldval <<< "${line}"
            cfg_newval="${cfg_oldval[1]}:${cfg_oldval[2]} winbind"
            sed -i "${cfg_oldval[0]}s/.*/${cfg_newval}/" "${F}"
        done <<< "${chk}"
    fi
    ### restart Winbind
    systemctl restart winbind

    Verify (you should see Active Directory users and groups in the output):

    wbinfo -t
    wbinfo -g
    wbinfo -u
    getent passwd
    getent group
  5. Set up Spacewalk to use PAM:
    ### configure PAM for Spacewalk (module names as in the Spacewalk PAM documentation; pam_krb5 was installed in step 1)
    cat > /etc/pam.d/rhn-spacewalk <<EOF
    #%PAM-1.0
    auth        required      pam_env.so
    auth        sufficient    pam_krb5.so no_user_check
    auth        required      pam_deny.so
    account     required      pam_krb5.so no_user_check
    EOF
    ### activate PAM in Spacewalk
    cat >> /etc/rhn/rhn.conf <<EOF
    ### Active Directory Integration
    pam_auth_service = rhn-spacewalk
    EOF
    ### restart Spacewalk
    spacewalk-service restart
  6. Create an account in Active Directory for Spacewalk and grant admin permissions to it:
    Spacewalk - AD user
    Spacewalk - Users
    Spacewalk - OrgAdmin
    Spacewalk - Admin

Hardening and tuning

  1. Apache

    Disable all SSL protocols except TLSv1.2:

    cat > /etc/httpd/conf.d/zz-ssl-strong.conf <<EOF
    SSLProtocol +TLSv1.2
    SSLHonorCipherOrder on
    EOF

    Adjust timeouts:

    sed -i 's/ProxyTimeout 210/ProxyTimeout 300/' /etc/httpd/conf.d/zz-spacewalk-www.conf
    cat > /etc/httpd/conf.d/zz-timeouts.conf <<EOF
    Timeout 600
    ProxyTimeout 600
    MaxKeepAliveRequests 300
    KeepAlive On
    KeepAliveTimeout 30
    EOF

    Adjust Apache Multi-Processing Module (MPM):

    cat >> /etc/httpd/conf.modules.d/00-mpm.conf <<EOF
    StartServers            8
    MinSpareServers         6
    MaxSpareServers         32
    ServerLimit             512
    MaxClients              512
    MaxRequestsPerChild     4000
    EOF
  2. Tomcat

    Allocate more RAM:

    sed -i 's/' /usr/share/rhn/config-defaults/rhn_taskomatic_daemon.conf
    sed -i 's/-Xmx256m/-Xmx1024m/' /etc/sysconfig/tomcat
  3. IPv6 (optional)

    If you did not disable IPv6 before installing Spacewalk, execute the following commands to do it now:

    echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/noipv6.conf
    sysctl -p /etc/sysctl.d/noipv6.conf
    sed -i 's#::1#' /etc/jabberd/c2s.xml
    sed -i 's#::1#' /etc/jabberd/s2s.xml
    sed -i 's#::1#' /etc/jabberd/sm.xml
    sed -i 's#::#' /etc/jabberd/c2s.xml
    sed -i 's#::#' /etc/jabberd/s2s.xml
    sed -i 's#::#' /etc/jabberd/router.xml
  4. Restart Spacewalk:
    [root@spacewalk ~]# spacewalk-service restart
  5. Checks:
    ps aux | grep -Esio '(Xmx.[0-9]*)m'
    nmap -sV --script ssl-enum-ciphers -p 443 localhost
    [root@spacewalk ~]# ps aux | grep -Esio '(Xmx.[0-9]*)m'
    [root@spacewalk ~]# nmap -sV --script ssl-enum-ciphers -p 443 localhost
    Starting Nmap 6.40 ( ) at 2018-01-17 21:12 AEDT
    Nmap scan report for localhost (
    Host is up (-980s latency).
    Other addresses for localhost (not scanned):
    443/tcp open  ssl/http Apache httpd
    | ssl-enum-ciphers:
    |   SSLv3: No supported ciphers found
    |   TLSv1.2:
    |     ciphers:
    |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
    |       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA - strong
    |       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
    |       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
    |       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
    |       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
    |       TLS_RSA_WITH_RC4_128_SHA - strong
    |     compressors:
    |       NULL
    |_  least strength: strong
    Service detection performed. Please report any incorrect results at .
    Nmap done: 1 IP address (1 host up) scanned in 12.16 seconds
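The nmap output above still labels the RC4, 3DES and static-RSA suites "strong", because Nmap 6.40's grading predates their deprecation. The following is an added example, not from the original article: it re-grades the suite names from that output against a forward-secrecy and AEAD-only policy and prints the matching Apache directives. The sample text is constructed from the article's scan and the function names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): re-grade the cipher suites that
# `nmap --script ssl-enum-ciphers` reports and emit a stricter SSLCipherSuite.

# Constructed sample: the TLSv1.2 section of the scan output shown in the article.
SAMPLE_NMAP_OUTPUT='|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_RC4_128_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong'

# Prints the IANA suite names found in ssl-enum-ciphers output, one per line.
extract_suites() {
    printf '%s\n' "$1" | grep -oE 'TLS_[A-Z0-9_]+'
}

# Classifies one suite name as weak, legacy or ok. Order matters: a broken
# primitive is weak regardless of key exchange, then static RSA (no forward
# secrecy), then CBC-mode suites with forward secrecy, then (EC)DHE + AEAD.
classify_suite() {
    case "$1" in
        *_RC4_*|*_3DES_*|*_NULL_*|*_EXPORT*|*_MD5|*_DES_CBC_*) echo weak ;;
        TLS_RSA_*)                                            echo weak ;;
        *_CBC_*)                                              echo legacy ;;
        *)                                                    echo ok ;;
    esac
}

# Prints "<class> <suite>" for every suite in the nmap output $1.
grade_suites() {
    local suite
    extract_suites "$1" | while read -r suite; do
        printf '%s %s\n' "$(classify_suite "$suite")" "$suite"
    done
}

# Counts the suites of class $2 (weak|legacy|ok) in nmap output $1.
count_class() {
    grade_suites "$1" | grep -c "^$2 " || true
}

# Apache directives that leave only the "ok" class negotiable: TLSv1.2, (EC)DHE
# key exchange and AES-GCM, written in OpenSSL cipher-string syntax. They replace
# the two-line zz-ssl-strong.conf from the hardening step.
hardened_ssl_conf() {
    cat <<'EOF'
SSLProtocol +TLSv1.2
SSLHonorCipherOrder on
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT
EOF
}

# Summary for the constructed sample: 13 weak, 10 legacy, 4 ok.
summary() {
    printf 'weak=%s legacy=%s ok=%s\n' \
        "$(count_class "$1" weak)" "$(count_class "$1" legacy)" "$(count_class "$1" ok)"
}
```

Against a live server, feed the real scan in: `grade_suites "$(nmap -sV --script ssl-enum-ciphers -p 443 localhost)" | grep -v '^ok '` lists everything the policy would reject.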

Configure Software Channels

  1. Display the list of predefined channels:
    spacewalk-common-channels --list | grep -E '(centos7|epel)'
    [root@spacewalk ~]# spacewalk-common-channels --list | grep -E '(centos7|epel)'
     centos7:             x86_64
     centos7-atomic:      x86_64
     centos7-centosplus:  x86_64
     centos7-cloud:       x86_64
     centos7-cr:          x86_64
     centos7-extras:      x86_64
     centos7-fasttrack:   x86_64
     centos7-opstools:    x86_64
     centos7-paas:        x86_64
     centos7-rt:          x86_64
     centos7-scio:        x86_64
     centos7-storage:     x86_64
     centos7-updates:     x86_64
     centos7-virt:        x86_64
     epel6:               i386, x86_64, ppc64
     epel7:               x86_64, ppc64
     spacewalk-nightly-client-centos7: i386, x86_64
     spacewalk-nightly-server-centos7: i386, x86_64
     spacewalk25-client-centos7: i386, x86_64
     spacewalk25-server-centos7: i386, x86_64
     spacewalk26-client-centos7: i386, x86_64
     spacewalk26-server-centos7: i386, x86_64
     spacewalk27-client-centos7: i386, x86_64
     spacewalk27-server-centos7: i386, x86_64

  2. Create channels for CentOS 7 (replace credentials with yours):
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7-updates'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'centos7-extras'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'epel7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'spacewalk27-client-centos7'
    spacewalk-common-channels -u spacewalk_admin -p 'SpacePa!!w0rd' -a x86_64 'spacewalk27-server-centos7'

    Spacewalk - Software Channels

  3. Synchronise channels with external repositories (also select a daily schedule):
    Spacewalk - Channels sync

    Repeat this task for all new channels/sub-channels. The first synchronisation may take a few hours; subsequent ones take a few minutes. To see the current progress:

    [root@spacewalk ~]# cd /var/log/rhn/reposync/
    [root@spacewalk reposync]# tail -n1 *
    2018/01/16 22:34:54 +11:00 1273/9591 : dyninst-devel-9.3.1-1.el7.x86_64.rpm
  4. Create an additional repository/channel via the WebGUI (this one is needed for registering Spacewalk itself).

    Get the system details:

    [root@spacewalk ~]# python -c 'import yum, pprint; yb = yum.YumBase(); pprint.pprint(yb.conf.yumvar, width=1)'
    Loaded plugins: fastestmirror, langpacks, rhnplugin
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    {'arch': 'ia32e',
     'basearch': 'x86_64',
     'infra': 'stock',
     'releasever': '7',
     'uuid': 'ee6529fc-2ad0-4e39-963b-24be897b8482'}

    Get the repository details:

    [root@spacewalk ~]# cat /etc/yum.repos.d/group_spacewalkproject-java-packages-epel-7.repo
    name=Copr repo for java-packages owned by @spacewalkproject

    Now you can add a new repository and create a new channel using the details obtained above:

    Spacewalk - Add extra channel
    Spacewalk - Assign repo

  5. Errata for CentOS

    As you can see, the general CentOS repositories do not contain errata data; however, it can be extracted from the CentOS-Announce mailing list with a third-party script.

    Spacewalk - Channels synced

    1. Install required packages:
      yum -y install perl-Text-Unidecode perl-Frontier-RPC perl-XML-Simple perl-Net-SSLeay perl-Crypt-SSLeay
    2. Create the script (replace values with yours):
      cat > /root/scripts/ <<EOF
      #! /bin/bash
      export SPACEWALK_USER='spacewalk_admin'
      export SPACEWALK_PASS='SpacePa!!w0rd'
      # no spaces or tabs
      mkdir -p "\${workdir}"
      cd \${workdir}
      # 0. remove all current dbs
      rm -f \${workdir}/*
      # 1. download the latest errata XML file
      wget -q -c -O \${workdir}/errata.latest.xml
      # 2. download the latest RedHat OVAL file
      wget -q -c -O \${workdir}/com.redhat.rhsa-all.xml
      # 3. download the latest errata-import.tar script
      wget -q -c -O \${workdir}/
      chmod +x \${workdir}/
      # 4. run the parser
      ./ --server \${servername} --errata \${workdir}/errata.latest.xml  \
      --include-channels=\$(printf "%s" "\${errata_channels}" | tr -d '\n') \
      --publish --rhsa-oval /usr/local/centos/com.redhat.rhsa-RHEL7.xml > \${logfile}
      EOF

    3. Add the cron job:
      cat > /etc/cron.d/rhn-errata <<EOF
      # .---------------- minute (0 - 59)
      # |   .------------- hour (0 - 23)
      # |   |   .---------- day of month (1 - 31)
      # |   |   |   .------- month (1 - 12) OR jan,feb,mar,apr ...
      # |   |   |   |  .----- day of week (0 - 7) (Sunday=0 or 7)  OR sun,mon,tue,wed,thu,fri,sat
      # |   |   |   |  |
      # *   *   *   *  *  command to be executed
      ### CentOS Errata Parsing
      0 4 * * * root /root/scripts/
      EOF
    4. Reload crond and start the script manually:
      chmod 750 /root/scripts/
      systemctl reload crond

      Spacewalk - Errata

Configuration Channels

  1. Create a new config channel:
    Spacewalk - Configs
    Spacewalk - New Config Channel
  2. Create the configuration file that will contain the parameters below (for example):
    net.ipv6.conf.all.disable_ipv6 = 1
    vm.swappiness = 10

    Note: configs and scripts should not contain the ^M symbol, especially cron jobs.

    Spacewalk - Common Configs

  3. Create a new config channel with GPG keys of all repositories.

    For example, put the GPG key of the Spacewalk Java Packages repository into the channel:
    Spacewalk - RPM GPG Key
    To import GPG keys on target systems you can execute the following command via the Spacewalk Remote Command Execution feature:
    Spacewalk - Remote Commands

    To check which GPG keys are installed in the system:

    [root@spacewalk ~]# rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
    gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <>)
    gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <>)
    gpg-pubkey-b8002de1-553126bd    gpg(Spacewalk <>)
    gpg-pubkey-e8e1716a-58d0f953    gpg(@spacewalkproject_java-packages (None) <>)
    gpg-pubkey-0608b895-4bd22942    gpg(EPEL (6) <>)
    gpg-pubkey-b6792c39-53c4fbdd    gpg(CentOS-7 Debug (CentOS-7 Debuginfo RPMS) <>)
    gpg-pubkey-8fae34bd-538f1e51    gpg(CentOS-7 Testing (CentOS 7 Testing content) <>)
  4. Create a new activation key:
    Spacewalk - New Key
  5. Assign default software channels:
    Spacewalk - Assign Channels
  6. Subscribe to configuration channels:
    Spacewalk - Subscribe to Configs
  7. Configure automated deployment of configs:
    Spacewalk - Automated Deployment of Configs

      Security Audit with OpenSCAP

      1. Install packages:
        yum -y install spacewalk-oscap openscap-utils scap-security-guide
      2. Download OpenSCAP remote resources:
        wget -q -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
        wget -q -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
      3. Add the cron job:
        cat > /etc/cron.d/rhn-oscap-update-db <<EOF
        ### Update OpenSCAP database
        30 3 * * * root /usr/bin/wget -q -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
        35 3 * * * root /usr/bin/wget -q -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
        systemctl reload crond
      4. Apply the workaround for CentOS 6 because it does not contain these files:
        ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml /var/www/html/pub/ssg-centos6-ds.xml
        ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml /var/www/html/pub/ssg-centos6-xccdf.xml
        ln -s /usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml /var/www/html/pub/ssg-rhel6-ocil.xml
      5. Re-point remote resources links to local ones (replace values with yours):
        sed -i "s@" /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        sed -i "s@" /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
      6. Reduce the retention period of OpenSCAP reports:
        Spacewalk - OpenSCAP Retention Period
      7. Get the list of available OpenSCAP profiles:
        oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        [root@spacewalk ~]# oscap info /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        Document type: Source Data Stream
        Imported: 2018-01-21T12:41:08
        Generated: (null)
        Version: 1.2
                        Status: draft
                        Generated: 2017-10-19
                        Resolved: true
                        Referenced check files:
                        Status: draft
                        Generated: 2017-10-19
                        Resolved: true
                        Referenced check files:

      8. Add scripts into a configuration channel for target systems:

        Upload the script into the Common configuration channel and create the cron job:

        Spacewalk - OpenSCAP Check DB

        Cron job:

        40 3 * * * root /root/scripts/

        Spacewalk - OpenSCAP Cron

      9. Start the system audit on a target system using OpenSCAP via Spacewalk:
        CentOS 7:
          Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhevh-upstream
          Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
        CentOS 6:
          Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhel6-server-upstream
          Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml
        Oracle Linux 7:
          Command-line Arguments: --fetch-remote-resources --profile xccdf_org.ssgproject.content_profile_stig-rhel7-disa
          Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel7-ds.xml

        Spacewalk - OpenSCAP Audit
        Spacewalk - OpenSCAP Report
        Spacewalk - OpenSCAP Details

        Note: Do not worry if you see this error in the OpenSCAP Scans tab:

        Downloading: http://spacewalk.svelab.local/pub/com.redhat.rhsa-RHEL7.xml.bz2 ... ok
        xccdf_eval: oscap tool returned 2

        Explanation (from man oscap):
        Normally, the exit status is 0 when operation finished successfully and 1 otherwise. In cases when oscap performs evaluation of the system it may return 2 indicating success of the operation but incompliance of the assessed system.
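        Added example, not part of the article and not the author's "OpenSCAP Check DB" script: a POSIX shell script for the client side that pulls the OVAL files from the Spacewalk /pub directory only when they have changed (the job the cron entry in step 8 schedules) and runs the evaluation from step 9, mapping oscap's exit status the way the note above explains, so that status 2 is reported as non-compliance rather than as a failure. The host name spacewalk.svelab.local, the two OVAL file names and the ssg content directory are taken from the article; the function names, the SPACEWALK_HOST/SCAP_DIR overrides and the results path /var/tmp/oscap-results.xml are assumptions.

```shell
#!/bin/sh
# Added example, not the article's own script: refresh the OpenSCAP content a
# client pulls from the Spacewalk /pub directory and run an evaluation whose
# exit status is interpreted the way man oscap describes it.
# Host name, file list and paths are assumptions mirroring the article's setup.

SPACEWALK_HOST="${SPACEWALK_HOST:-spacewalk.svelab.local}"
PUB_URL="http://${SPACEWALK_HOST}/pub"
SCAP_DIR="${SCAP_DIR:-/usr/share/xml/scap/ssg/content}"
OVAL_FILES="com.redhat.rhsa-RHEL7.xml.bz2 Red_Hat_Enterprise_Linux_6.xml"

# Translate an oscap exit status into a word (man oscap: 0 = finished and the
# system is compliant, 1 = tool error, 2 = finished but the system is non-compliant).
oscap_status_label() {
    case "$1" in
        0) echo compliant ;;
        2) echo noncompliant ;;
        *) echo error ;;
    esac
}

# Copy $1 over $2 only when the content differs. Returns 0 when the file was
# replaced and 1 when it was already up to date, so callers can log real changes.
install_if_changed() {
    src="$1"; dst="$2"
    if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
        return 1
    fi
    cp -f "$src" "$dst"
}

# Download one file from the Spacewalk pub directory into a temp file and
# install it only if it changed. Returns 0 if updated, 1 if unchanged or failed.
fetch_oval() {
    name="$1"
    tmp="$(mktemp)"
    rc=1
    if wget -q --no-proxy -O "$tmp" "$PUB_URL/$name"; then
        if install_if_changed "$tmp" "$SCAP_DIR/$name"; then rc=0; fi
    fi
    rm -f "$tmp"
    return "$rc"
}

# Evaluate the system against a datastream profile (same arguments the article
# passes from the Spacewalk UI) and print a label instead of the raw status,
# so a cron wrapper does not mistake "non-compliant" (status 2) for a failure.
run_audit() {
    ds="$1"; profile="$2"; results="${3:-/var/tmp/oscap-results.xml}"
    rc=0
    oscap xccdf eval --fetch-remote-resources --profile "$profile" \
        --results "$results" "$ds" >/dev/null 2>&1 || rc=$?
    oscap_status_label "$rc"
}

# Entry points: "update" refreshes the OVAL files, "audit <ds> <profile>" runs a scan.
case "${1:-}" in
    update) for f in $OVAL_FILES; do
                if fetch_oval "$f"; then echo "updated $f"; fi
            done ;;
    audit)  run_audit "$2" "$3" ;;
esac
```

        Run it from the client's cron as "update" a few minutes after the server-side job above has refreshed /pub, and as "audit <datastream> <profile>" with the same datastream and profile you would select in the Spacewalk UI; anything other than "compliant" or "noncompliant" in the output is a real tool failure worth alerting on.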

      Register Clients

      1. Upload the required files onto the Spacewalk server:
        cd /var/www/html/pub/
        wget -q
        wget -q
        wget -q -O RPM-GPG-KEY-EPEL-7
        wget -q -O RPM-GPG-KEY-EPEL-6
        wget -q -O RPM-GPG-KEY-spacewalk-2015
      2. Download and install the script below:
        cd /tmp
        unzip /tmp/ -d /var/www/html/pub/
        rm -f /tmp/
        Source code

        Important: replace the values of the LINMAN_SITES and LINMAN_SITES_MENU variables in the script with your own.

      3. Register the Spacewalk server itself:
        bash /var/www/html/pub/
        [root@spacewalk ~]# bash /var/www/html/pub/
         Spacewalk Registrator for CentOS 6/7 and Oracle Linux 7 v0.3 (21-Dec-2017)
        [1]   Importing GPG keys
        gpg-pubkey-f4a80eb5-53a7ff4b    gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <>)
        gpg-pubkey-352c64e5-52ae6884    gpg(Fedora EPEL (7) <>)
        gpg-pubkey-b8002de1-553126bd    gpg(Spacewalk <>)
        gpg-pubkey-e8e1716a-58d0f953    gpg(@spacewalkproject_java-packages (None) <>)
        gpg-pubkey-0608b895-4bd22942    gpg(EPEL (6) <>)
        [2]   Installing packages for registering this box with Spacewalk / SUSE Manager
        Package deltarpm-3.6-3.el7.x86_64 already installed and latest version
        Package epel-release-7-11.noarch already installed and latest version
        Package yum-utils-1.1.31-42.el7.noarch already installed and latest version
        Warning: RPMDB altered outside of yum.
        warning: /etc/sysconfig/rhn/rhnsd created as /etc/sysconfig/rhn/rhnsd.rpmnew
        [3]   Disabling all external repositories
        Repositories to be disabled:
        Loaded plugins: fastestmirror, langpacks
        Loading mirror speeds from cached hostfile
         * base:
         * epel:
         * extras:
         * updates:
        repo id                                                                            repo name                                                                                     status
        base/7/x86_64                                                                      CentOS-7 - Base                                                                                9,591
        epel/x86_64                                                                        Extra Packages for Enterprise Linux 7 - x86_64                                                12,219
        extras/7/x86_64                                                                    CentOS-7 - Extras                                                                                329
        group_spacewalkproject-java-packages/x86_64                                        Copr repo for java-packages owned by @spacewalkproject                                           211
        spacewalk/x86_64                                                                   Spacewalk                                                                                        117
        spacewalk-client/x86_64                                                            Spacewalk Client Tools                                                                            25
        updates/7/x86_64                                                                   CentOS-7 - Updates                                                                             1,698
        repolist: 24,190
        [4]   Registering this system with Spacewalk / SUSE Manager
        [5]   This system is now subscribed to the following channels:
        [6]   Installing and configuring Remote Command Execution
        deploy is enabled
        diff is enabled
        upload is enabled
        mtime_upload is enabled
        run is enabled
        [7]   Installing and configuring OSAD for enabling Push to Clients
        Created symlink from /etc/systemd/system/ to /usr/lib/systemd/system/osad.service.
        [8]   Installing and configuring OpenSCAP
        [9]   Pulling all configs/scripts from Spacewalk / SUSE Manager
        Client health:
         [OK] Spacewalk client (rhnsd)
         [OK] Push to Client feature (osad)
         [OK] Remote Command feature (rhncfg-actions-control)
         [OK] OpenSCAP utility (oscap)
         [OK] OpenSCAP datastreams (xml files)
         [OK] Config management client (rhncfg-client)
        Subscription to config channels:
        Using server name spacewalk.svelab.local
        Config channels:
        Label                           Name
        -----                           ----
        common-configs                  Common Configs
        Subscription to software channels:

        Spacewalk - Register Clients

      4. Subscribe this system to additional software channels:
        Spacewalk - Subscribe to channels
      5. Start the OpenSCAP audit (see the Security Audit with OpenSCAP section).
      6. Execute the following commands on the target systems to register them with Spacewalk (replace the values with your own):
        wget --no-proxy http://spacewalk.svelab.local/pub/ -O /usr/sbin/
        chmod +x /usr/sbin/

      Unregister Clients

      1. Delete a system from Spacewalk:
        Spacewalk - Unregister clients
      2. Disable the Spacewalk agent on a target system:
        rm -f /etc/sysconfig/rhn/systemid
        sed -i 's/enabled = 1/enabled = 0/' /etc/yum/pluginconf.d/rhnplugin.conf
        systemctl disable rhnsd
        systemctl disable osad
        systemctl stop rhnsd
        systemctl stop osad
      3. Enable external repositories:
        yum-config-manager -q --enable base extras updates epel >> /dev/null 2>&1
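      As an added example (not the article's registrator script), the following client-side script prints a "Client health" report of the same kind as the one in step 3 of Register Clients and performs the Unregister steps above so that they are safe to run more than once. It edits only the [main] section of rhnplugin.conf instead of every "enabled = 1" line. The ROOT variable is an assumption: leave it empty on a real client, or point it at a staging directory tree to exercise the file-level checks without touching the live system (service and binary checks are skipped in that case).

```shell
#!/bin/sh
# Added example, not the article's registrator script: read-only client health
# check plus an idempotent version of the Unregister steps. ROOT is an
# assumption (empty on a live client, or a staging tree for dry runs).
ROOT="${ROOT:-}"

# Print the value of "enabled" in the [main] section of rhnplugin.conf.
# A bare "s/enabled = 1/enabled = 0/" would also flip per-channel sections,
# so the current section is tracked explicitly.
rhnplugin_enabled() {
    f="$ROOT/etc/yum/pluginconf.d/rhnplugin.conf"
    [ -f "$f" ] || { echo missing; return 0; }
    awk -F'=' '
        /^\[/ { insec = ($0 == "[main]") }
        insec && $1 ~ /^[ \t]*enabled[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }
    ' "$f"
}

# Rewrite only the [main] "enabled" line; "cat >" keeps the file's inode and mode.
set_rhnplugin_enabled() {
    f="$ROOT/etc/yum/pluginconf.d/rhnplugin.conf"
    tmp="$(mktemp)"
    awk -F'=' -v val="$1" '
        /^\[/ { insec = ($0 == "[main]") }
        insec && $1 ~ /^[ \t]*enabled[ \t]*$/ { print "enabled = " val; next }
        { print }
    ' "$f" > "$tmp" && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# True when at least one SCAP datastream (*-ds.xml) is installed.
has_datastream() {
    set -- "$ROOT"/usr/share/xml/scap/ssg/content/*-ds.xml
    [ -e "$1" ]
}

# check "<label>" <command...>: prints [OK]/[FAIL] and counts failures.
check() {
    label="$1"; shift
    if "$@" >/dev/null 2>&1; then
        echo "[OK]   $label"
    else
        echo "[FAIL] $label"; failed=$((failed + 1))
    fi
}

# Returns 0 only when every check passed. Service and binary checks need a
# live system, so they are skipped when ROOT points at a staging tree.
client_health() {
    failed=0
    check "Registered with Spacewalk (systemid present)" test -s "$ROOT/etc/sysconfig/rhn/systemid"
    check "rhnplugin enabled in [main]" test "$(rhnplugin_enabled)" = 1
    check "OpenSCAP datastreams (xml files)" has_datastream
    if [ -z "$ROOT" ]; then
        check "Spacewalk client (rhnsd)" systemctl is-active rhnsd
        check "Push to Client feature (osad)" systemctl is-active osad
        check "OpenSCAP utility (oscap)" command -v oscap
    fi
    [ "$failed" -eq 0 ]
}

# Same steps as the Unregister section, safe to run more than once.
unregister_client() {
    rm -f "$ROOT/etc/sysconfig/rhn/systemid"
    if [ -f "$ROOT/etc/yum/pluginconf.d/rhnplugin.conf" ]; then
        set_rhnplugin_enabled 0
    fi
    if [ -z "$ROOT" ]; then
        for s in rhnsd osad; do
            systemctl disable "$s" >/dev/null 2>&1 || true
            systemctl stop "$s" >/dev/null 2>&1 || true
        done
        yum-config-manager -q --enable base extras updates epel >/dev/null 2>&1 || true
    fi
}

# Entry points: "health" prints the report, "unregister" detaches the client.
case "${1:-}" in
    health)     client_health ;;
    unregister) unregister_client ;;
esac
```

      The exit status of "health" is non-zero whenever any line reads [FAIL], which makes it usable as a monitoring probe; after "unregister" the same report should show the systemid and rhnplugin checks failing while the datastream files stay in place.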

      See also

      Deploying a Spacewalk Proxy
      Unattended Linux Installation
      Official Spacewalk Website
      Official Spacewalk Installation Instructions
      Spacewalk and RHN Satellite – Getting Started Guide
      How to use a certificate from a third party Certificate Authority (CA)
      How to regenerate SSL keys and CA certificates
      Push to Clients Troubleshooting (server side)
      Push to Clients Troubleshooting (client side)
      YUM Command Cheat Sheet

      Contact us

      Please feel free to contact us if you have any questions or suggestions. Post a comment below if you want to report a bug.

Published December 9th, 2017 (last updated 2018-04-28T21:42:42+00:00) in How To, Linux, Management, Monitoring, Scripts, Security.