Deploying a Spacewalk Proxy

This article describes how to deploy a Spacewalk Proxy 2.7 from scratch.
A Spacewalk Proxy acts as an intermediary between Spacewalk clients and a Spacewalk Server. Its main purposes are to reduce the load on the Spacewalk Server and to shorten download times for clients, which is why it typically makes sense to roll out Spacewalk Proxies at geographically remote sites. This article builds on Deploying a Spacewalk Server and continues from it.
[Figure: Spacewalk Proxy - Design]

Fresh Installation of CentOS

The following virtual server configuration was used for this article: CPU 1×2 (2 cores) / RAM 16GB / HDD 100GB.

  1. Download the latest version of CentOS from the official CentOS download page.
  2. Boot the server and wait for the CentOS installation menu to appear:
    [Figure: CentOS Installation Menu]
  3. Press ESC to get the boot prompt and start the unattended (kickstart) installation. The kickstart file is fetched over plain HTTP, so the kickstart server should only be reachable from the build network:
    boot: linux ks=http://192.168.100.10/rksw.php?v=r7&h=spacewalk-eu
    
  4. After the installation completes (up to 10 minutes), log in to the server with a terminal client (for example ssh, PuTTY, MobaXterm) and check the current disk layout:
    [root@spacewalk-eu ~]# df -h | grep map
    /dev/mapper/vg00-lv_root  2.0G  1.1G  725M  61% /
    /dev/mapper/vg00-lv_var   9.8G  207M  9.1G   3% /var
    /dev/mapper/vg00-lv_tmp   488M  848K  452M   1% /tmp
    /dev/mapper/vg00-lv_home  976M  2.6M  907M   1% /home
    
    [root@spacewalk-eu ~]# vgs
      VG   #PV #LV #SN Attr   VSize   VFree
      vg00   1   5   0 wz--n- <99.51g <82.01g
    
  5. Extend the root and /var logical volumes (the Squid cache and the proxy's package cache live under /var):
    ### Extend current partitions
    lvextend -L+3.1G /dev/vg00/lv_root
    lvextend -L+61.2G /dev/vg00/lv_var
    resize2fs /dev/vg00/lv_root
    resize2fs /dev/vg00/lv_var
    

    Check the result:

    [root@spacewalk-eu ~]# df -h | grep map
    /dev/mapper/vg00-lv_root  5.0G  1.1G  3.7G  23% /
    /dev/mapper/vg00-lv_var    70G  223M   67G   1% /var
    /dev/mapper/vg00-lv_tmp   488M  848K  452M   1% /tmp
    /dev/mapper/vg00-lv_home  976M  2.6M  907M   1% /home
    [root@spacewalk-eu ~]# vgs
      VG   #PV #LV #SN Attr   VSize   VFree
      vg00   1   5   0 wz--n- <99.51g 17.70g
    
  6. Set the static network settings and the FQDN (replace values with yours):
    ### Static IP
    F=/etc/sysconfig/network-scripts/ifcfg-ens160
    sed -i 's/BOOTPROTO.*/BOOTPROTO="none"/' ${F}
    cat >> ${F} <<EOF
    IPADDR=192.168.105.10
    PREFIX=24
    GATEWAY=192.168.105.254
    PEERDNS=no
    DNS1=192.168.105.1
    DNS2=192.168.105.2
    ZONE=public
    EOF
    
    ### FQDN
    echo 'spacewalk-eu.svelab.local' > /etc/hostname
    echo '192.168.105.10   spacewalk-eu.svelab.local spacewalk-eu' >> /etc/hosts
    
  7. Apply all available patches, disable IPv6 (the sysctl file takes effect after the reboot), set the timezone, and reboot the server:
    yum -y update
    echo "net.ipv6.conf.all.disable_ipv6 = 1" > /etc/sysctl.d/noipv6.conf
    rm -f /etc/localtime
    ln -s /usr/share/zoneinfo/Europe/Warsaw /etc/localtime
    reboot
    

Spacewalk Proxy Installation

  1. Register this machine with your Spacewalk Server (replace values with yours). The registration script is pulled over plain HTTP and executed as root, so compare its checksum with the copy on the Spacewalk Server before running it:
    wget --no-proxy http://spacewalk.svelab.local/pub/linman-centos.sh -O /usr/sbin/linman-centos.sh
    chmod +x /usr/sbin/linman-centos.sh
    linman-centos.sh
    
  2. Subscribe this machine to the software channels that provide the Spacewalk Proxy packages and their dependencies:
    [Figure: Spacewalk - Software Channels for Proxy]
  3. Install a Spacewalk Proxy:
    yum -y install spacewalk-proxy-installer
    

    Run the configuration script and answer the prompts (replace values with yours):

    [root@spacewalk-eu ~]# configure-proxy.sh --force-own-ca
    Using RHN parent (from /etc/sysconfig/rhn/up2date): spacewalk.svelab.local
    Using CA Chain (from /etc/sysconfig/rhn/up2date): /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
    HTTP Proxy []:
    Proxy version to activate [2.7]:
    Traceback email []: admin@svelab.com
    Use SSL [Y/n]: Y
    Regardless of whether you enabled SSL for the connection to the Spacewalk Parent
    Server, you will be prompted to generate an SSL certificate.
    This SSL certificate will allow client systems to connect to this Spacewalk Proxy
    securely. Refer to the Spacewalk Proxy Installation Guide for more information.
    Organization []: SVELAB
    Organization Unit [spacewalk-eu.svelab.local]: IT
    Common Name [spacewalk-eu.svelab.local]: spacewalk-eu.svelab.local
    City []: Warsaw
    State []: Warsaw
    Country code []: PL
    Email [admin@svelab.com]: admin@svelab.com
    Cname aliases (separated by space) []: spacewalk-eu
    Spacewalk Proxy successfully activated.
    
    --- omitted the installation output ---
    
    Generating CA key and public certificate:
    CA password: pa$$w0rd
    CA password confirmation: pa$$w0rd
    Copying CA public certificate to /var/www/html/pub for distribution to clients:
    Generating SSL key and public certificate:
    CA password: pa$$w0rd
    Rotated: rhn-ca-openssl.cnf --> rhn-ca-openssl.cnf.1
    Installing SSL certificate for Apache and Jabberd:
    Preparing packages...
    rhn-org-httpd-ssl-key-pair-spacewalk-eu-1.0-1.noarch
    Create and populate configuration channel rhn_proxy_config_1000010004? [Y/n]: Y
    RHN username: []: spacewalk_admin
    Password: SpacePa!!w0rd
    Using server name spacewalk.svelab.local
    Creating config channel rhn_proxy_config_1000010004
    Config channel rhn_proxy_config_1000010004 created
    Using server name spacewalk.svelab.local
    Pushing to channel rhn_proxy_config_1000010004:
    
    --- omitted the installation output ---
    
    There were some answers you had to enter manually.
    Would you like to have written those into file
    formatted as answers file? [Y/n]: Y
    Writing proxy-answers.txt.RQF7n
    
  4. Configure the firewall (80/443 carry client package and metadata traffic and /pub; 5222 is the jabberd port osad clients connect to; 5269 is the jabberd server-to-server link to the parent):
    firewall-cmd --permanent --add-service=http
    firewall-cmd --permanent --add-service=https
    firewall-cmd --permanent --add-port=5222/tcp
    firewall-cmd --permanent --add-port=5269/tcp
    firewall-cmd --reload
    
  5. Checks:
    [root@spacewalk-eu ~]# rhn-proxy status
    Redirecting to /bin/systemctl status squid.service
    ● squid.service - Squid caching proxy
       Loaded: loaded (/usr/lib/systemd/system/squid.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2018-01-28 14:29:27 CET; 10h left
      Process: 5702 ExecStart=/usr/sbin/squid $SQUID_OPTS -f $SQUID_CONF (code=exited, status=0/SUCCESS)
      Process: 5695 ExecStartPre=/usr/libexec/squid/cache_swap.sh (code=exited, status=0/SUCCESS)
     Main PID: 5705 (squid)
       CGroup: /system.slice/squid.service
               ├─5705 /usr/sbin/squid -f /etc/squid/squid.conf
               ├─5707 (squid-1) -f /etc/squid/squid.conf
               └─5719 (unlinkd)
    
    Jan 28 14:29:27 spacewalk-eu.svelab.local cache_swap.sh[5695]: init_cache_dir /var/spool/squid...
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: because of this '127.0.0.1' is ignored to keep splay tree sea...dictable
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: (B) '127.0.0.1' is a subnetwork of (A) '127.0.0.1'
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: because of this '127.0.0.1' is ignored to keep splay tree sea...dictable
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5702]: 2018/01/29 00:29:27| WARNING: You should probably remove '127.0.0.1' from the ACL named 'localhost'
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5705]: Squid Parent: will start 1 kids
    Jan 28 14:29:27 spacewalk-eu.svelab.local squid[5705]: Squid Parent: (squid-1) process 5707 started
    Jan 28 14:29:27 spacewalk-eu.svelab.local systemd[1]: Started Squid caching proxy.
    Hint: Some lines were ellipsized, use -l to show in full.
    Redirecting to /bin/systemctl status httpd.service
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: active (running) since Sun 2018-01-28 14:29:27 CET; 10h left
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 5725 (httpd)
       Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
       CGroup: /system.slice/httpd.service
               ├─5725 /usr/sbin/httpd -DFOREGROUND
               ├─5726 /usr/sbin/httpd -DFOREGROUND
               ├─5727 /usr/sbin/httpd -DFOREGROUND
               ├─5728 /usr/sbin/httpd -DFOREGROUND
               ├─5729 /usr/sbin/httpd -DFOREGROUND
               └─5730 /usr/sbin/httpd -DFOREGROUND
    
    Jan 28 14:29:27 spacewalk-eu.svelab.local systemd[1]: Starting The Apache HTTP Server...
    Jan 28 14:29:27 spacewalk-eu.svelab.local httpd[5725]: [Mon Jan 29 00:29:27.605400 2018] [core:warn] [pid 5725] AH00117: Ignoring deprecated use o...xy.conf.
    Jan 28 14:29:27 spacewalk-eu.svelab.local httpd[5725]: [Mon Jan 29 00:29:27.605519 2018] [core:warn] [pid 5725] AH00117: Ignoring deprecated use o...xy.conf.
    Jan 28 14:29:27 spacewalk-eu.svelab.local httpd[5725]: [Mon Jan 29 00:29:27.605525 2018] [core:warn] [pid 5725] AH00117: Ignoring deprecated use o...xy.conf.
    Jan 28 14:29:27 spacewalk-eu.svelab.local httpd[5725]: [Mon Jan 29 00:29:27.605528 2018] [core:warn] [pid 5725] AH00117: Ignoring deprecated use o...xy.conf.
    Jan 28 14:29:27 spacewalk-eu.svelab.local httpd[5725]: [Mon Jan 29 00:29:27.605531 2018] [core:warn] [pid 5725] AH00117: Ignoring deprecated use o...xy.conf.
    Jan 28 14:29:27 spacewalk-eu.svelab.local systemd[1]: Started The Apache HTTP Server.
    Hint: Some lines were ellipsized, use -l to show in full.
    Redirecting to /bin/systemctl status jabberd.service
    ● jabberd.service - Jabber Server
       Loaded: loaded (/usr/lib/systemd/system/jabberd.service; enabled; vendor preset: disabled)
       Active: active (exited) since Sun 2018-01-28 14:29:27 CET; 10h left
      Process: 5751 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
     Main PID: 5751 (code=exited, status=0/SUCCESS)
    
    Jan 28 14:29:27 spacewalk-eu.svelab.local systemd[1]: Starting Jabber Server...
    Jan 28 14:29:27 spacewalk-eu.svelab.local systemd[1]: Started Jabber Server.
    

    Firewall:

    [root@spacewalk-eu ~]# firewall-cmd --permanent --list-all | grep -E '(services| ports)'
      services: ssh dhcpv6-client http https
      ports: 5222/tcp 5269/tcp
    

    The new proxy is now listed on the main Spacewalk Server:

    [Figure: Spacewalk - Proxies]

  6. Publish on the proxy the files that clients need (client repo RPMs, GPG keys, OVAL and SCAP content) so they fetch them locally instead of from the Internet. The GPG keys and RPMs below are downloaded over plain HTTP, so compare their fingerprints (gpg --with-fingerprint <keyfile>) with the ones published by EPEL and the Spacewalk project before handing them out to clients:
    cd /var/www/html/pub
    wget -q http://yum.spacewalkproject.org/2.7-client/RHEL/7/x86_64/spacewalk-client-repo-2.7-2.el7.noarch.rpm
    wget -q http://yum.spacewalkproject.org/2.7-client/RHEL/6/x86_64/spacewalk-client-repo-2.7-2.el6.noarch.rpm
    wget -q http://mirrors.kernel.org/fedora-epel/RPM-GPG-KEY-EPEL-7 -O RPM-GPG-KEY-EPEL-7
    wget -q http://mirrors.kernel.org/fedora-epel/RPM-GPG-KEY-EPEL-6 -O RPM-GPG-KEY-EPEL-6
    wget -q http://yum.spacewalkproject.org/RPM-GPG-KEY-spacewalk-2015 -O RPM-GPG-KEY-spacewalk-2015
    wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
    wget -q https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
    ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-ds.xml /var/www/html/pub/ssg-centos6-ds.xml
    ln -s /usr/share/xml/scap/ssg/content/ssg-centos6-xccdf.xml /var/www/html/pub/ssg-centos6-xccdf.xml
    ln -s /usr/share/xml/scap/ssg/content/ssg-rhel6-ocil.xml /var/www/html/pub/ssg-rhel6-ocil.xml
    
  7. Add a cron job that refreshes the OVAL data every night:

    cat > /etc/cron.d/rhn-oscap-update-db <<EOF
    ### Update OpenSCAP database
    30 3 * * * root /usr/bin/wget -q https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2 -O /var/www/html/pub/com.redhat.rhsa-RHEL7.xml.bz2
    35 3 * * * root /usr/bin/wget -q https://www.redhat.com/security/data/oval/Red_Hat_Enterprise_Linux_6.xml -O /var/www/html/pub/Red_Hat_Enterprise_Linux_6.xml
    EOF
    systemctl reload crond
    

Replace self-signed certificates

  1. Back up the existing keys and certificates:
    cd /root
    tar -zcvf SSL_configs_$(date +"%Y%m%d").tgz /etc/httpd/conf/ssl.* /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build /var/www/html/pub
    
  2. Print the Certificate Signing Request (CSR) that configure-proxy.sh generated:
    [root@spacewalk-eu ~]# awk '/BEGIN/ {seen=1} seen {print}' /root/ssl-build/$(hostname -s)/server.csr
    -----BEGIN CERTIFICATE REQUEST-----
    MIIDNTCCAh0CAQAwgZIxCzAJBgNVBAYTAlBPMQ8wDQYDVQQIDAZXYXJzYXcxDzAN
    BgNVBAcMBldhcnNhdzEPMA0GA1UECgwGU1ZFTEFCMQswCQYDVQQLDAJJVDEiMCAG
    A1UEAwwZc3BhY2V3YWxrLWV1LnN2ZWxhYi5sb2NhbDEfMB0GCSqGSIb3DQEJARYQ
    YWRtaW5Ac3ZlbGFiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    ALGjC3/DnNV/fdQIJ+8puArAK6LE0VPnpZ4o1mmul0M1Zh/MuTLbE44upCAvidJ7
    kW8+RjXnsCPsyaT3kEO9leD1nXmAH56eMqyJs3/wurFIv7yj3r6euOV/i2yMkGNz
    1ArP4L6x7VtOij01hU+s/Y/FFjCeWb92M8MYptYhJ7WIKQXUp8WJf07ZCBnwsrF6
    VaFzA2lZlSQLEgGdnvaALnIYU3/R3imd5H5qOdhXpssZ/AoGAR6sqrwqOjya91jo
    lxHu0oTligGXa4EaqhTka9HLjqztpNsnGhYzhFzVySJiI3WLar1KL5QjKln0KpB9
    1T/uKtekGIENS6sBErsWtuECAwEAAaBdMFsGCSqGSIb3DQEJDjFOMEwwCQYDVR0T
    BAIwADALBgNVHQ8EBAMCBeAwMgYDVR0RBCswKYIZc3BhY2V3YWxrLWV1LnN2ZWxh
    Yi5sb2NhbIIMc3BhY2V3YWxrLWV1MA0GCSqGSIb3DQEBCwUAA4IBAQAB8wVhkttv
    1gCaHeWubCzbtuJpoWwmhApE22rLfF73U3sLV0E3FrOiKDWmim+/sDAgJgDFl5R6
    1NKkY9udI2o8IC2dVMzrV1SnnhjPIQ4g78EOKTHQnYsVRNj+NnI+SDZnub21MNVp
    nXvaTgBkB1e2bJiOUXZUSe6YK1s1eqcx7AdXIYZH/FRlGVppP940yJshVniTtcYX
    g/s2v/GVaxbYxlfQM45VhX8fzw8xjnmiqJElDQOxoqVzJz8t570dQ1oksknn555/
    A09m0dYWWhgHiF2WeDjGQN5YzDg9PE2PI3bZSmWEaE/31BjNwzcHJM9gNS6kbqV+
    RwnYaHWnK8Kw
    -----END CERTIFICATE REQUEST-----
    
  3. Sign the CSR with your local Microsoft Certificate Authority (see Deploying a Spacewalk Server for the details).
  4. Upload the saved certificate chain (certnew.p7b) to /tmp on the proxy and replace the self-signed certificate with it:
    ### replace the current certificate with the CA-issued chain
    cat /tmp/certnew.p7b | openssl pkcs7 -print_certs > /root/ssl-build/$(hostname -s)/server.crt
    ### strip the CRLF line endings (^M) that the Windows CA adds
    sed -i -e 's/\r//' /root/ssl-build/$(hostname -s)/server.crt
    
  5. Create new RPM packages with the SSL certificates and install them. The root CA certificate is fetched from the Microsoft CA web enrollment page; because --no-check-certificate switches off TLS validation for that download, compare the SHA-256 fingerprint of the downloaded root certificate (openssl x509 -noout -fingerprint -sha256) with the one published by your CA team before distributing it to clients. Note also that update-ca-trust only picks up certificates placed in /etc/pki/ca-trust/source/anchors/, so copy the root CA there first if local tools on the proxy (yum, curl) must trust it:
    cd /root
    mkdir -p /root/certs
    wget --no-proxy --no-check-certificate --user=sve --ask-password 'https://labdc01.svelab.local/certsrv/certnew.p7b?ReqID=CACert&Renewal=0&Enc=b64' -O /root/certs/local_root_ca.p7b
    sed -i -e 's/\r//' /root/certs/local_root_ca.p7b
    cat /root/certs/local_root_ca.p7b | openssl pkcs7 -print_certs > /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    ### build and install the server certificate RPM (httpd picks up the new key pair)
    rhn-ssl-tool --gen-server --rpm-only
    rpm -Uvh /root/ssl-build/$(hostname -s)/$(grep noarch /root/ssl-build/$(hostname -s)/latest.txt)
    ### build the CA certificate RPM for clients and publish it
    cat /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT > /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    rhn-ssl-tool --gen-ca --dir /root/ssl-build/ --rpm-only
    cp $(ls /root/ssl-build/rhn-org-trusted-ssl-cert*.noarch.rpm | sort | tail -n1) /var/www/html/pub/
    ### jabberd uses the combined key+certificate PEM
    cat /root/ssl-build/$(hostname -s)/server.pem > /etc/pki/spacewalk/jabberd/server.pem
    chown jabber:jabber /etc/pki/spacewalk/jabberd/server.pem
    chmod 600 /etc/pki/spacewalk/jabberd/server.pem
    
    ### for other systems (for example, postfix):
    cp /root/ssl-build/$(hostname -s)/server.key /etc/pki/tls/private/$(hostname -s).key
    cp /root/ssl-build/$(hostname -s)/server.crt /etc/pki/tls/certs/$(hostname -s).crt
    chmod 640 /etc/pki/tls/private/$(hostname -s).key
    update-ca-trust force-enable
    update-ca-trust extract
    

    Verify:

    [root@spacewalk-eu ~]# openssl verify -CAfile /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT /root/ssl-build/$(hostname -s)/server.crt
    /root/ssl-build/spacewalk-eu/server.crt: OK
    
    [root@spacewalk-eu ~]# md5sum /etc/pki/spacewalk/jabberd/server.pem /root/ssl-build/$(hostname -s)/server.pem
    a2da0654ec887e353a32ed0bbdeee5f5  /etc/pki/spacewalk/jabberd/server.pem
    a2da0654ec887e353a32ed0bbdeee5f5  /root/ssl-build/spacewalk-eu/server.pem
    
    [root@spacewalk-eu ~]# md5sum /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT
    4cc24e4ac95401c2837dae3e26535869  /var/www/html/pub/RHN-ORG-TRUSTED-SSL-CERT
    
  6. Restart the Spacewalk Proxy:
    [root@spacewalk-eu ~]# rhn-proxy restart
    Shutting down rhn-proxy...
    Redirecting to /bin/systemctl stop jabberd.service
    Redirecting to /bin/systemctl stop httpd.service
    Redirecting to /bin/systemctl stop squid.service
    Done.
    Starting rhn-proxy...
    Redirecting to /bin/systemctl start squid.service
    Redirecting to /bin/systemctl start httpd.service
    Redirecting to /bin/systemctl start jabberd.service
    Done.
    
    [root@spacewalk-eu ~]# systemctl restart osad
    

    Checks:

    rhn-proxy status
    systemctl status osad
    

    The browser now shows the connection to the Spacewalk Proxy as secure (certificate issued by the internal CA):
    [Figure: Spacewalk Proxy - HTTPS]

Spacewalk Proxy and Client Timeouts

This is an important section, please read it carefully.

Yum on a client that installs packages through a Spacewalk Proxy behaves slightly differently from yum against a plain mirror, and you may run into an unusual problem: large packages cannot be installed, or even yum repolist does not complete.

The difference in behaviour:

  • Standard mirror - yum requests data from a CentOS mirror and starts receiving the first bytes immediately.
  • Spacewalk Proxy - yum requests data from the Spacewalk Proxy; if the proxy does not have the data cached, it first downloads it from the parent Spacewalk Server and starts sending it to yum only once that download is complete.

While the proxy is fetching from the parent, the client receives nothing at all, so two timeouts can fire: the one on the Spacewalk Proxy and the one in yum on the client. On the proxy the symptom looks like this:

[root@spacewalk-eu ~]# tail -n2 /var/log/httpd/error_log
[Thu Sep 13 14:23:22 2018] [error] [client 10.122.20.181] mod_wsgi (pid=29734): Exception occurred processing WSGI script '/usr/share/rhn/wsgi/xmlrpc.py'.
[Thu Sep 13 14:23:22 2018] [error] [client 10.122.20.181] IOError: failed to write data

"IOError: failed to write data" means the client gave up and closed the connection before the proxy could send the response. To avoid this on slow or saturated links and with huge packages, adjust the timeouts on both sides:

Server side - Spacewalk Proxy (increase the timeout from the default 120s to 1200s):

[root@spacewalk-eu ~]# cat >> /etc/rhn/rhn.cfg <<EOF
# timeout for big files
timeout = 1200
EOF

[root@spacewalk-eu ~]# rhn-proxy restart

Client side - client machines (you can distribute this file to all clients through a Spacewalk configuration channel):

[root@spacewalk-eu ~]# cat /etc/yum/pluginconf.d/rhnplugin.conf
[main]
enabled = 1
gpgcheck = 1
timeout = 1200

# You can specify options per channel, e.g.:
#
#[rhel-i386-server-5]
#enabled = 1
#
#[some-unsigned-custom-channel]
#gpgcheck = 0
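
Two things make this problem easier to catch in practice: spotting the symptom in the proxy's error_log and confirming that both halves of the timeout pair are actually set. The shell snippet below is an added example (not from the article or from Spacewalk) that counts the mod_wsgi write failures per client and compares the effective timeout values in rhn.cfg and rhnplugin.conf with a required minimum. Two defaults are assumed when the option is absent: 120 s for the proxy, as stated above, and yum's 30 s connection timeout for the client (the assumption being that rhnplugin inherits yum's value). The log lines and config files written by spw_write_samples are constructed test data.

```shell
#!/bin/sh
# Timeout troubleshooting helpers for a Spacewalk Proxy (added example, not from the
# article). Works on copies of the real files; no services are touched.

# Count "IOError: failed to write data" mod_wsgi errors per client IP in an httpd
# error_log. Output: "<count> <ip>", busiest client first.
spw_wsgi_write_errors() {   # <error_log>
    grep -F 'IOError: failed to write data' "$1" \
      | sed -n 's/.*\[client \([0-9.]*\)\].*/\1/p' \
      | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Effective "timeout = N" from an ini-style file (last uncommented value wins);
# prints <default> when the option is not set at all or the file is missing.
spw_cfg_timeout() {         # <file> <default>
    local v
    v=$(sed -n 's/^[[:space:]]*timeout[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" 2>/dev/null | tail -n1)
    echo "${v:-$2}"
}

# Both the proxy (rhn.cfg) and the client (rhnplugin.conf) must allow at least
# <min> seconds. Prints the values and which side is short; returns 1 if any is.
spw_audit_timeouts() {      # <rhn.cfg> <rhnplugin.conf> <min-seconds>
    local proxy client short
    proxy=$(spw_cfg_timeout "$1" 120)   # configure-proxy.sh default, see above
    client=$(spw_cfg_timeout "$2" 30)   # yum's default connection timeout (assumption: rhnplugin inherits it)
    short=""
    [ "$proxy"  -lt "$3" ] && short="proxy"
    [ "$client" -lt "$3" ] && short="${short:+$short,}client"
    echo "proxy=${proxy}s client=${client}s min=${3}s short=${short:-none}"
    [ -z "$short" ]
}

# Constructed sample data (not real logs): an error_log showing the symptom and the
# two config files as they look before tuning. Written into <dir>.
spw_write_samples() {       # <dir>
    mkdir -p "$1" || return 1
    cat > "$1/error_log" <<'EOF'
[Thu Sep 13 14:23:22 2018] [error] [client 10.122.20.181] mod_wsgi (pid=29734): Exception occurred processing WSGI script '/usr/share/rhn/wsgi/xmlrpc.py'.
[Thu Sep 13 14:23:22 2018] [error] [client 10.122.20.181] IOError: failed to write data
[Thu Sep 13 14:25:01 2018] [error] [client 10.122.20.181] IOError: failed to write data
[Thu Sep 13 14:26:40 2018] [error] [client 10.122.20.42] IOError: failed to write data
EOF
    printf '# timeout for big files\ntimeout = 1200\n' > "$1/rhn.cfg"
    printf '[main]\nenabled = 1\ngpgcheck = 1\n' > "$1/rhnplugin.conf"
}

# Typical use on the proxy (the client file copied over with scp or taken from the
# configuration channel):
#   spw_wsgi_write_errors /var/log/httpd/error_log
#   spw_audit_timeouts /etc/rhn/rhn.cfg /tmp/rhnplugin.conf 1200
```

A client that shows up repeatedly in spw_wsgi_write_errors while spw_audit_timeouts reports short=client is the usual picture: the proxy was still pulling the package from the parent when yum closed the connection.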

Hardening and tuning

  1. Apache

    Allow only TLSv1.2 and a restricted cipher list. If /etc/httpd/conf.d/ssl.conf sets SSLProtocol and SSLCipherSuite inside its <VirtualHost _default_:443> block (the stock CentOS 7 mod_ssl file does), those vhost-level values take precedence over the server-wide ones below, so remove or align them there as well. Afterwards verify from another host that openssl s_client -connect spacewalk-eu.svelab.local:443 -tls1_1 (and -ssl3) fails to handshake:

    cat > /etc/httpd/conf.d/zz-ssl-strong.conf <<EOF
    SSLProtocol -all +TLSv1.2
    SSLCipherSuite "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"
    SSLHonorCipherOrder on
    EOF
    

    Adjust timeouts:

    sed -i 's/ProxyTimeout 210/ProxyTimeout 300/' /etc/httpd/conf.d/zz-spacewalk-www.conf
    cat > /etc/httpd/conf.d/zz-timeouts.conf <<EOF
    Timeout 600
    ProxyTimeout 600
    MaxKeepAliveRequests 300
    KeepAlive On
    KeepAliveTimeout 30
    EOF
    

    Adjust the Apache Multi-Processing Module (prefork) limits. MaxClients and MaxRequestsPerChild are the legacy names that Apache 2.4 still accepts for MaxRequestWorkers and MaxConnectionsPerChild:

    cat >> /etc/httpd/conf.modules.d/00-mpm.conf <<EOF
    StartServers            8
    MinSpareServers         6
    MaxSpareServers         32
    ServerLimit             512
    MaxClients              512
    MaxRequestsPerChild     4000
    EOF
    
  2. Squid

    Adjust the cache parameters (values sized for this VM's 16 GB of RAM and 70 GB /var; the cache_dir size is in MB):

    F="/etc/squid/squid.conf"
    sed -i 's/^cache_mem.*/cache_mem 5120 MB/' ${F}
    sed -i 's/^maximum_object_size .*/maximum_object_size 1024 MB/' ${F}
    sed -i 's/^maximum_object_size_in_memory.*/maximum_object_size_in_memory 51200 KB/' ${F}
    sed -i 's#^cache_dir.*#cache_dir ufs /var/spool/squid 51200 32 512#' ${F}
    

    Rebuild the cache:

    systemctl stop squid
    rm -rf /var/spool/squid/ 
    mkdir -p /var/spool/squid
    chown squid:squid /var/spool/squid
    restorecon -vr /var/spool/squid
    squid -z
    systemctl start squid
    
  3. Restart the Spacewalk Proxy:
    rhn-proxy restart
    rhn-proxy status
    
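The SSLCipherSuite string in step 1 is easy to get subtly wrong (an entry such as EECDH+aRSA+RC4 that a later !RC4 removes again is dead weight, for example), and the only reliable way to know what Apache will offer is to expand the string with the same OpenSSL library. The shell snippet below is an added example (not from the article, Apache or Spacewalk): it expands a cipher string with openssl ciphers -v and flags suites that must never appear on a hardened proxy (no encryption, anonymous key exchange, RC4, DES/3DES, MD5 MACs, export grade), and separately lists suites without forward secrecy as information. It assumes only that openssl is on the PATH; SPW_PROXY_SUITE is the article's list with the dead RC4 entry dropped, and the other strings used in the self-test are constructed.

```shell
#!/bin/sh
# SSLCipherSuite audit for the Spacewalk Proxy's Apache (added example, not from the
# article). Expands the string with openssl so what is checked is what mod_ssl offers.

# Expand a cipher string: one "NAME PROTO Kx=.. Au=.. Enc=.. Mac=.." line per suite.
spw_expand_ciphers() {      # <cipher-string>
    openssl ciphers -v "$1" 2>/dev/null
}

# Print suites that must not be offered: no encryption, no authentication,
# RC4, DES/3DES, MD5 MACs, export grade. Empty output means the list is clean.
spw_weak_ciphers() {        # <cipher-string>
    spw_expand_ciphers "$1" | awk '
        /Enc=None/ || /Au=None/ || /Enc=RC4/ || /Enc=3DES/ || /Enc=DES/ ||
        /Mac=MD5/  || $1 ~ /^EXP/ { print $1 }'
}

# Suites without forward secrecy (static RSA key exchange); informational only.
spw_no_pfs_ciphers() {      # <cipher-string>
    spw_expand_ciphers "$1" | awk '/Kx=RSA/ { print $1 }'
}

# One summary line; returns 1 if any weak suite is present.
spw_audit_cipher_string() { # <cipher-string>
    local total weak nopfs
    total=$(spw_expand_ciphers "$1" | wc -l | tr -d ' ')
    weak=$(spw_weak_ciphers "$1" | wc -l | tr -d ' ')
    nopfs=$(spw_no_pfs_ciphers "$1" | wc -l | tr -d ' ')
    echo "suites=$total weak=$weak no_pfs=$nopfs"
    [ "$weak" -eq 0 ]
}

# The article's cipher list without the dead RC4 entry.
SPW_PROXY_SUITE="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

# Stand-alone: audit the list above, then show any non-PFS suites it still contains.
#   spw_audit_cipher_string "$SPW_PROXY_SUITE"
#   spw_no_pfs_ciphers "$SPW_PROXY_SUITE"
# Live check from another host after restarting httpd (must FAIL to handshake):
#   openssl s_client -connect spacewalk-eu.svelab.local:443 -tls1_1 </dev/null
```

Run the audit against the exact string you put into zz-ssl-strong.conf, on the proxy itself, so the expansion reflects the OpenSSL build that mod_ssl links against; the no_pfs count will be non-zero as long as HIGH is in the list, which is acceptable for older clients but worth knowing.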

Register and Unregister Clients

You can find more details in Deploying a Spacewalk Server.

  1. Amend the LINMAN_SITES and LINMAN_SITES_MENU variables in the linman-centos.sh script.
  2. Execute the following commands on target systems to register them to Spacewalk (replace values with yours):
    wget --no-proxy http://spacewalk.svelab.local/pub/linman-centos.sh -O /usr/sbin/linman-centos.sh
    chmod +x /usr/sbin/linman-centos.sh
    linman-centos.sh
    
  3. To unregister clients, follow the instructions in Deploying a Spacewalk Server.

See also

Deploying a Spacewalk Server
Unattended Linux Installation
Official Spacewalk Website


Published January 28th, 2018 (updated 2018-12-30). Categories: How To, Linux, Management, Monitoring, Scripts, Security