
Hands-on Lab: System Management with Spacewalk 2.6

Introduction

In this Hands-on Lab, you will learn the basics of systems management using Spacewalk 2.6:

• initial Repository and Software Channel creation
• syncing Software Channels with upstream repository sources
• creating and configuring a Spacewalk activation key
• registering an Oracle Linux server to Spacewalk
• running yum commands
• installing and testing the Spacewalk OSAD client
• installing and configuring the Spacewalk Configuration client
• creating a configuration channel in Spacewalk and deploying configuration files
• running an OpenSCAP-based audit

Spacewalk is an open source systems management solution for Linux. It manages software content updates
for Linux distributions derived from Red Hat Enterprise Linux including Oracle Linux, CentOS, Scientific Linux
and Fedora. It allows you to synchronize updates from upstream sources, then store and deploy those updates
to your local servers.

You can stage software content, including updates and configuration files through different environments. The
deployment of updates to registered servers is centrally controlled and the Spacewalk web interface shows a
unified view of all registered servers and their associated software update status. You can also trigger software
updates and remote actions via the web interface.

In addition, Spacewalk provides entire lifecycle management functionality via bare-metal and virtual server
provisioning using the standard PXE and Kickstart tools. Servers that are provisioned using Spacewalk are
automatically registered and monitored after installation.

To support very large enterprise deployments, you can connect multiple Spacewalk servers together using
Inter-Spacewalk Sync (ISS). Spacewalk also provides the Spacewalk Proxy server to support geographically-
distributed client servers. Spacewalk Proxy servers cache and distribute content, reducing the load on the
central Spacewalk servers and improving download times for local servers.

For more information on Spacewalk, visit the Spacewalk community website.

Requirements

Unbreakable Linux Network Access

This lab is designed to sync content from the Unbreakable Linux Network. You will need an Oracle Single Sign-
On account with ULN access to complete this lab.

Virtual machine requirements

If you're attending the Hands-On Lab at Oracle OpenWorld 2017, your laptop has already been set up
and configured. Otherwise, download the virtual machine template from here: Oracle Linux VM Images for
Hands-On Lab.

This lab is designed to synchronize packages from both the Oracle Unbreakable Linux Network (ULN) as well
as Oracle's Public Yum Repository. The lab does not include installation of Spacewalk itself as this is covered
in the Spacewalk 2.6 for Oracle Linux 7 Installation Guide.

Pre-requisite knowledge

Attendees are expected to have basic Oracle Linux system administration skills, particularly regarding package
management using RPM and yum.

You should be familiar with the following Linux concepts and commands:

• using the Linux terminal
• using sudo to run commands as root
• using the yum package management tool
• using vi or nano to edit configuration files

Lab structure

As many activities in the lab are performed using the Spacewalk web interface, screenshots are provided for
the initial exercises to assist with navigation and configuration.

Once the initial exercises are completed, screenshots will no longer be provided as the content will change
over time and static screenshots could be misleading.

Initial login

You should log into the virtual machine as the HOL User (holuser) using the password oracle.

Next, open a Terminal session from Application -> System Tools -> Terminal and have the Firefox web
browser open as well. As the lab instructions are web-based, it is recommended to have multiple Firefox
windows or tabs open so that you can follow the instructions.

Navigate to the Spacewalk web interface in Firefox: https://spacewalk.oracleworld.com.

You should see the initial login screen. Use the following credentials to log in to Spacewalk:

• Username: admin
• Password: Oracle123

After successfully logging in, Spacewalk displays the Overview page.

Exercise: Create repositories and software channels

Spacewalk requires all packages and metadata to be stored and managed locally, so the initial step is to
configure upstream sources for package updates. These upstream sources can be the Oracle Unbreakable
Linux Network (ULN), the Oracle Yum Server or any 3rd-party yum repository.

Spacewalk uses the concept of Software Channels and Repositories to store packages and metadata. Client
systems subscribe to Software Channels, while Software Channels themselves can be subscribed to one or
more Repositories. In this way, you can create local channels that provide packages from a combination of
sources. Care should be taken to ensure that the upstream repositories do not contain the same packages to
reduce deployment complexity and confusion. It is recommended to connect a software channel to a single
repository for simplicity.

Spacewalk Software Channels are hierarchical: each client server is registered with a single base channel
and can be subscribed to multiple child channels. A client can only subscribe to the child channels of its base
channel.

In this exercise, you will create repositories for the following ULN channels:

• Oracle Linux 7 Update 4 Installation media set (x86_64)
• Oracle Linux 7 Update 4 Patches (x86_64)
• Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 (x86_64)

You will also create a Spacewalk repository for the following Yum repository:

• Spacewalk Client 2.6 for Oracle Linux 7 (x86_64)

Once these repositories are created, the following Software Channel hierarchy will be created:

• Oracle Linux 7 Update 4 Installation media set (x86_64)
    • Oracle Linux 7 Update 4 Patches (x86_64)
    • Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 (x86_64)
    • Spacewalk Client 2.6 for Oracle Linux 7 (x86_64)

This will allow clients to subscribe to the Installation media set base channel as well as the individual child
channels.

Create the repositories

Navigate to the Manage Repositories screen in the Spacewalk web interface by clicking on Channels (in the
main menu bar), then Manage Software Channels in the left-hand menu and finally Manage Repositories.
There are no repositories configured by default.

Click Create Repository to start the creation process. The first repository you will create is the Oracle Linux 7
Update 4 Installation media set. Provide the following information:

• Repository label: Oracle Linux 7 Update 4 installation media copy x86_64
• Repository URL: uln:///ol7_x86_64_u4_base
• Repository Type: uln

ULN-based repositories use the uln:///<ULN_channel_label> syntax and the three / characters are
intentional. You can find a list of channel labels via the ULN interface.

Click the create repository button. Spacewalk will create the repository and return you to the repository edit
screen. Click Manage Repositories to return to the list of repositories to see the newly created repository.

Follow the above procedure to create the following ULN-based repositories:

1. Oracle Linux 7 Update 4 Patches x86_64 with the ULN channel label ol7_x86_64_u4_patch
2. UEK Release 4 for Oracle Linux 7 x86_64 with the ULN channel label ol7_x86_64_UEKR4

Once all three ULN-based repositories are created, you can create the Yum-based repository for the
Spacewalk 2.4 Client. The process is almost identical, except you use an http-based repository URL.

• Repository Label: Spacewalk Client 2.6 for Oracle Linux 7
• Repository URL:
• Repository Type: yum

In production, you should only use yum repositories hosted on the Oracle Yum Server or trusted 3rd-party
repositories.

Once you have all four repositories created, you can begin to create the associated Software Channels.

Create the base and child software channels

As mentioned previously, Spacewalk uses a parent/child relationship for Software Channels. Client servers can
only subscribe to a single base channel and can only subscribe to child channels of the selected base channel.
In this exercise, we will create a single base channel and three child channels.

Click Manage Software Channels in the left-hand menu. By default, there are no software channels
configured in Spacewalk.

Click Create Channel to start the process. We will begin by creating the base channel using the following
details:

• Channel Name: Oracle Linux 7 Update 4 installation media copy x86_64
• Channel Label: ol7_x86_64_u4_base
• Parent Channel: none
• Architecture: x86_64
• Yum Repository Checksum Type: sha256
• Channel Summary: Oracle Linux 7 Update 4 installation media copy x86_64
• Channel Description: All packages released on the Oracle Linux 7 Update 4 (x86_64)
installation media. This channel does not contain updates.

Ensure that you set the architecture field correctly, otherwise the channel will not be visible to the client you will
register later in the lab. The architecture must match the architecture of the client.

You can fill your own (or dummy) information in the Contact/Support Information section. This information is
displayed in the Spacewalk UI so that other users know who to contact if they have issues with the software
contained in this channel.

For the purposes of the lab, you do not need to make any changes to the Channel Access Control section. For
production Spacewalk deployments, this section is used to determine who is permitted to use this channel and
which organizations can access the channel. Multi-user and multi-organization deployment of Spacewalk is
beyond the scope of this lab.

It is strongly recommended that you configure the Security: GPG section in production to ensure that packages
that are downloaded during the Spacewalk synchronization process have a valid security signature. You should
configure the section using the following:

• GPG key URL: file:///etc/pki/rpm-gpg/RPM-GPG-KEY
• GPG key ID: EC551F03
• GPG key Fingerprint: 4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03

You can find the GPG key ID and fingerprint for each Oracle Linux major version on the Oracle Yum Server.
Note that the GPG key ID and Fingerprint are identical for Oracle Linux 6 and 7. Oracle Linux installs the key
itself by default at /etc/pki/rpm-gpg/RPM-GPG-KEY and for security purposes, it is recommended that you use
the installed key instead of downloading a new one.
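
One way to confirm, before filling in the Security: GPG section, that the key ID and fingerprint agree with each other and with the key file already installed on the server. This is an added example, not part of the original lab; the helper names are hypothetical, and it assumes that gpg, given a key file and no command, prints a colon listing of the keys in that file.

```shell
#!/bin/sh
# Added example (not from the lab). Helper names are hypothetical.

# Values as printed in the lab's Security: GPG section.
EXPECTED_KEYID='EC551F03'
EXPECTED_FPR='4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03'

# Strip spaces and colons and uppercase the rest, so the spaced form shown
# in the web UI compares equal to the unspaced form gpg prints.
norm_hex() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# A short key ID is the last 8 hex digits of the 40-digit fingerprint.
# Returns 0 on match, 1 on mismatch, 2 on malformed input.
keyid_matches_fpr() (
    id=$(norm_hex "$1")
    fpr=$(norm_hex "$2")
    case $id$fpr in *[!0-9A-F]*) exit 2 ;; esac
    [ "${#id}" -eq 8 ] && [ "${#fpr}" -eq 40 ] || exit 2
    case $fpr in
        *"$id") exit 0 ;;
        *)      exit 1 ;;
    esac
)

# Read a gpg --with-colons listing on stdin and print every fingerprint
# (field 10 of the "fpr" records), one per line.
fprs_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Returns 0 only if the listing on stdin contains the wanted fingerprint.
listing_has_fpr() (
    want=$(norm_hex "$1")
    fprs_from_colons | grep -qx "$want"
)

# Check a key file on disk against the expected values above.
# Assumption: gpg lists the keys of a file passed without a command.
verify_key_file() (
    file=$1
    keyid_matches_fpr "$EXPECTED_KEYID" "$EXPECTED_FPR" || {
        echo "FAIL: key ID and fingerprint do not belong together"
        exit 1
    }
    if gpg --with-colons --with-fingerprint "$file" 2>/dev/null |
        listing_has_fpr "$EXPECTED_FPR"; then
        echo "OK: $file carries the expected fingerprint"
    else
        echo "FAIL: $file does not carry the expected fingerprint"
        exit 1
    fi
)

# Run as a script: sh verify_key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY
if [ "$#" -gt 0 ]; then
    verify_key_file "$1"
fi
```
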

Click the Create Channel button once you have completed all the required fields. Spacewalk will create the
channel and return you to the channel edit screen for the newly created channel. Click Manage Software
Channels in the left-hand menu to return to the Software Channel list.

You will now create your first child channel. Click the create new channel link and enter the following details:

• Channel Name: Oracle Linux 7 Update 4 Patch x86_64
• Channel Label: ol7_x86_64_u4_patch
• Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64
• You will notice that when you select a parent channel, the Architecture and Yum Repository
Checksum Type are automatically selected.
• Channel Summary: Oracle Linux 7 Update 4 Patch x86_64
• Channel Description: Updated packages published after the release of Oracle Linux 7
Update 4 (x86_64).

Use the same Security: GPG settings as the Installation media set channel.

Repeat the above procedure for the remaining software channels:

• Channel Name and Channel Summary: Unbreakable Enterprise Kernel Release 4 for
Oracle Linux 7 x86_64
• Channel Label: ol7_x86_64_uekr4
• Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64

Note that Spacewalk channel labels can only contain lowercase letters, so this channel label differs from its
upstream repository label.

• Channel Name and Channel Summary: Spacewalk Client 2.6 for Oracle Linux 7 x86_64
• Channel Label: ol7_x86_64_spacewalk26_client
• Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64

Once a channel is created, you cannot change whether it is a base or child channel. If you forget to select
the correct parent channel, you will need to delete and recreate the channel. Once you have completed this
exercise, you should have all four channels created, with a single base and three child channels as shown in
the following screenshot:

Do not continue the lab until your software channel list matches the example.

Exercise: Configure ULN credentials

Before you can synchronize with ULN, you need to configure the credentials that Spacewalk should use when
connecting. These credentials are stored in a file that is only readable by the root user. You should ensure that
this file is suitably protected by setting the permissions accordingly:

Using a text editor, open /etc/rhn/spacewalk-repo-sync/uln.conf:

[holuser@spacewalk ~]$ sudo vim /etc/rhn/spacewalk-repo-sync/uln.conf

[main]
username = <Oracle SSO email address>
password = <Password>

Replace the placeholders in this file with your real ULN credentials before continuing. This file is set read-only
(mode 0400) by default, so you will need to force save the file as root using the :wq! command.
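
A quick audit of the credentials file after editing it, as an added example that is not part of the original lab: it checks the owner, the mode, and whether the template placeholders were replaced. The function name check_uln_conf and the acceptance of mode 600 alongside 400 are assumptions, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the lab): audit the ULN credentials file used
# for the sync. check_uln_conf is a hypothetical helper name.
#
# Usage: check_uln_conf FILE [EXPECTED_OWNER]
# Prints one line per finding; returns 0 only when nothing was found.
check_uln_conf() (
    file=$1
    want_owner=${2:-root}
    rc=0

    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        exit 2
    fi
    if [ ! -r "$file" ]; then
        echo "FAIL: cannot read $file (run the check as root)"
        exit 2
    fi

    # GNU stat: %a is the octal mode, %U the owning user name.
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")

    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: owner is $owner, expected $want_owner"
        rc=1
    fi

    # The lab ships the file as 0400. 0600 is accepted as well (assumption);
    # any group or other bit exposes the SSO password to local users.
    case $mode in
        400|600) ;;
        *) echo "FAIL: mode is $mode, expected 400"; rc=1 ;;
    esac

    # Both keys must be present ...
    for key in username password; do
        if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=" "$file"; then
            echo "FAIL: no '$key =' line"
            rc=1
        fi
    done

    # ... and must no longer be empty or a <placeholder> from the template.
    if grep -Eq '^[[:space:]]*(username|password)[[:space:]]*=[[:space:]]*(<.*>)?[[:space:]]*$' "$file"; then
        echo "FAIL: username/password is empty or still a <placeholder>"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file"
    exit "$rc"
)

# Run as a script: sudo sh check_uln_conf.sh /etc/rhn/spacewalk-repo-sync/uln.conf
if [ "$#" -gt 0 ]; then
    check_uln_conf "$@"
fi
```
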

Exercise: Trigger the initial sync of the software channels

Now that your software channels are created, we need to link them to the appropriate repository and trigger the
initial sync. Spacewalk should be configured in production to sync on a regular basis. As the Spacewalk web
interface does not provide any progress information during a sync, you should have a Terminal window open to
monitor the sync logs during this exercise.

In the Terminal, use sudo su - to become the root user and change directory to /var/log/rhn/reposync.
The sync logs are contained in this directory. The OpenWorld virtual machine already contains log files, as the
Spacewalk instance was pre-seeded with packages for performance reasons.

Tail the ol7_x86_64_u4_base.log file:

[root@spacewalk ~]# tail -F /var/log/rhn/reposync/ol7_x86_64_u4_base.log

The time for initial sync outside of this lab environment is dependent on network bandwidth and server
resources and can take anywhere from several hours to several days.

Switch back to Firefox to continue the exercise.

From Manage Software Channels, click the Oracle Linux 7 Update 4 installation media copy x86_64 channel
and navigate to the Repositories tab.

Click the checkbox next to Oracle Linux 7 Update 4 installation media copy x86_64 and then click the Update
Repositories button. This associates the repository with the software channel, so when a sync is triggered,
the contents of the repository are added to this software channel. It's possible to enable multiple repositories
in a single software channel, but this requires advanced knowledge of yum dependency analysis and is not
recommended.

Once you have saved the repository selection, click the Sync tab. This screen allows you to trigger an
immediate sync or schedule a task to sync the repository. For the purposes of the lab, check the Sync only
latest packages checkbox, then click the Sync Now button. In production you should schedule regular
synchronization of the Oracle Linux repositories on a daily basis. If you have multiple repositories, you should
offset the schedule time.

After clicking the Sync Now button, switch back to your terminal to monitor the sync activity. Spacewalk will
connect to ULN to retrieve the list of packages and then start downloading each package. In this exercise,
we have pre-seeded the packages in the virtual machine to reduce the download time as much as possible.
Spacewalk also displays a progress bar within the web UI.

Wait for the "Sync completed." message to appear in the log before continuing.

Repeat this process for the remaining three software channels. Note that the Oracle Linux 7 Update 4 Patches
channel will take the longest to complete as new packages will have been published between the time the
virtual machine image was created and now. It could take between 15-25 minutes or longer for this process
to complete. Ensure that the Sync only latest packages checkbox is checked for all channels to reduce the
overall time required to sync from ULN.

Spacewalk will only sync a single software channel at a time, so wait for each channel to complete before
moving onto the next channel.

Exercise: Creating and configuring an activation key

Once you have completed the initial sync of all four channels, you can create an activation key. An activation
key is used by the Spacewalk client to register a server with Spacewalk. An activation key is tied to a specific
base channel (and optional child channels) and is used to determine channel subscription during activation. For
example, you can have multiple activation keys with the same base channel, but specify different child channel
subscriptions.

Navigate to the Activation Keys page by clicking on the Systems tab and selecting Activation Keys in the left-
hand menu. There are no activation keys created by default. Click Create Key to begin the process.

Use the following details to complete the activation key fields:

• Description: Oracle Linux 7 Update 4 (x86_64)
• Key: oraclelinux7-u4-x86_64

Spacewalk can automatically generate keys, but it is recommended to use a particular key name for ease of
identification later.

• Usage: -- blank --
• Base Channels: Oracle Linux 7 Update 4 installation media copy x86_64
• Add-on Entitlements: -- unchecked --
• Universal default: -- unchecked --

In Spacewalk 2.6 there is only the Virtualization entitlement available. Enabling this entitlement tells Spacewalk
to install additional packages onto any server registered with this key to allow Spacewalk to enumerate any
guest virtual machines that may be running on that server. This is useful for machines that host KVM-based
virtual machines.

Once you have provided the details above, click the Create Activation Key button to complete the process.
Once the key has been created, click the Child Channels tab. This screen determines which (if any) of the
child channels should be subscribed during activation of a system using this activation key. Select all three
available channels and click the Update Key button.

An activation key is not mandatory in order to register clients to Spacewalk, but it does make the process much
simpler. Activation keys can also trigger automatic package installation when used to register a server. Now
that you have created an activation key, we can register a client.

Exercise: Registering a client server

Registration to Spacewalk can be done manually or via the provisioning process. In this lab, we will perform a
manual registration, as the virtual machine has already been provisioned.

Switch to the Terminal and use sudo to become root (if not already root):

[holuser@spacewalk ~]$ sudo su -
Last login: Fri Sep 1 06:54:45 AEST 2017 on pts/2
[root@spacewalk ~]#

Run the following command:

[root@spacewalk ~]# rhnreg_ks --serverUrl=https://spacewalk.oracleworld.com/XMLRPC \
    --sslCACert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT --activationkey=1-oraclelinux7-u4-x86_64

The activation process can take several minutes as the local software inventory is collected and sent to
Spacewalk. Once the prompt returns, switch back to Firefox and click the Systems tab. You should now see
the VM listed. Notice that there are updates available for the server. We will demonstrate several patching
mechanisms in upcoming exercises to deploy those updates to the server.

Exercise: Running yum commands manually on the client

Once the client is successfully registered to Spacewalk, you are able to run the yum tool to perform actions
using the packages available via Spacewalk.

List all the subscribed channels

Run the following yum command:

[root@spacewalk ~]# yum repolist
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
repo id                         repo name                                                            status
ol7_x86_64_spacewalk26_client   Spacewalk Client 2.6 for Oracle Linux 7 x86_64                       28
ol7_x86_64_u4_base              Oracle Linux 7 Update 4 installation media copy x86_64               5,010
ol7_x86_64_u4_patch             Oracle Linux 7 Update 4 Patch x86_64                                 147
ol7_x86_64_uekr4                Unbreakable Enterprise Kernel Release 4 for Oracle Linux 7 x86_64    72
repolist: 5,257

List all available updates

Run the following yum command:

[root@spacewalk ~]# yum list updates
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
Updated Packages
bind-libs.x86_64                      32:9.9.4-51.el7            ol7_x86_64_u4_patch
bind-libs-lite.x86_64                 32:9.9.4-51.el7            ol7_x86_64_u4_patch
bind-license.noarch                   32:9.9.4-51.el7            ol7_x86_64_u4_patch
bind-utils.x86_64                     32:9.9.4-51.el7            ol7_x86_64_u4_patch
evince.x86_64                         3.22.1-5.2.el7_4           ol7_x86_64_u4_patch
evince-libs.x86_64                    3.22.1-5.2.el7_4           ol7_x86_64_u4_patch
evince-nautilus.x86_64                3.22.1-5.2.el7_4           ol7_x86_64_u4_patch
firefox.x86_64                        52.3.0-2.0.1.el7_4         ol7_x86_64_u4_patch
gdm.x86_64                            1:3.22.3-12.el7            ol7_x86_64_u4_patch
java-1.8.0-openjdk.x86_64             1:1.8.0.141-2.b16.el7_4    ol7_x86_64_u4_patch
java-1.8.0-openjdk-headless.x86_64    1:1.8.0.141-2.b16.el7_4    ol7_x86_64_u4_patch
kernel.x86_64                         3.10.0-693.1.1.el7         ol7_x86_64_u4_patch
...
qemu-img.x86_64                       10:1.5.3-141.el7_4.1       ol7_x86_64_u4_patch
qemu-kvm.x86_64                       10:1.5.3-141.el7_4.1       ol7_x86_64_u4_patch
qemu-kvm-common.x86_64                10:1.5.3-141.el7_4.1       ol7_x86_64_u4_patch
sos.noarch                            3.4-6.0.1.el7              ol7_x86_64_u4_patch
spice-server.x86_64                   0.12.8-2.el7.1             ol7_x86_64_u4_patch
xmlsec1.x86_64                        1.2.20-7.el7_4             ol7_x86_64_u4_patch
xmlsec1-openssl.x86_64                1.2.20-7.el7_4             ol7_x86_64_u4_patch

List all available security updates

Run the following yum command:

[root@spacewalk ~]# yum --security list updates
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
--> spacewalk-oscap-2.6.1-1.el7.noarch from ol7_x86_64_spacewalk26_client excluded (updateinfo)
--> spacewalk-koan-2.6.1-1.el7.noarch from ol7_x86_64_spacewalk26_client excluded (updateinfo)
...
--> dtrace-modules-4.1.12-37.3.1.el7uek-0.5.2-1.el7.x86_64 from ol7_x86_64_uekr4 excluded (updateinfo)
--> dtrace-modules-4.1.12-37.4.1.el7uek-0.5.2-1.el7.x86_64 from ol7_x86_64_uekr4 excluded (updateinfo)
18 package(s) needed for security, out of 50 available
Updated Packages
evince.x86_64              3.22.1-5.2.el7_4        ol7_x86_64_u4_patch
evince-libs.x86_64         3.22.1-5.2.el7_4        ol7_x86_64_u4_patch
evince-nautilus.x86_64     3.22.1-5.2.el7_4        ol7_x86_64_u4_patch
firefox.x86_64             52.3.0-2.0.1.el7_4      ol7_x86_64_u4_patch
kernel.x86_64              3.10.0-693.1.1.el7      ol7_x86_64_u4_patch
...
qemu-kvm.x86_64            10:1.5.3-141.el7_4.1    ol7_x86_64_u4_patch
qemu-kvm-common.x86_64     10:1.5.3-141.el7_4.1    ol7_x86_64_u4_patch
spice-server.x86_64        0.12.8-2.el7.1          ol7_x86_64_u4_patch
xmlsec1.x86_64             1.2.20-7.el7_4          ol7_x86_64_u4_patch
xmlsec1-openssl.x86_64     1.2.20-7.el7_4          ol7_x86_64_u4_patch

List CVEs fixed by available updates

Run the following yum command:

[root@spacewalk ~]# yum updateinfo list cves
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
CVE-2017-1000083 security evince-3.22.1-5.2.el7_4.x86_64
CVE-2017-1000083 security evince-libs-3.22.1-5.2.el7_4.x86_64
CVE-2017-1000083 security evince-nautilus-3.22.1-5.2.el7_4.x86_64
CVE-2017-7779 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7753 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7800 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7809 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7787 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7786 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7785 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7784 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7807 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7801 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7802 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7803 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7791 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7792 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7798 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7533 security kernel-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533 security kernel-tools-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533 security kernel-tools-libs-3.10.0-693.1.1.el7.x86_64
CVE-2017-12134 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-1000365 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-12134 security kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-1000365 security kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-12134 security kernel-uek-firmware-4.1.12-103.3.8.el7uek.noarch
CVE-2017-1000365 security kernel-uek-firmware-4.1.12-103.3.8.el7uek.noarch
CVE-2017-2885 security libsoup-2.56.0-4.el7_4.x86_64
CVE-2017-7533 security python-perf-3.10.0-693.1.1.el7.x86_64
CVE-2017-10664 security qemu-img-10:1.5.3-141.el7_4.1.x86_64
CVE-2017-10664 security qemu-kvm-10:1.5.3-141.el7_4.1.x86_64
CVE-2017-10664 security qemu-kvm-common-10:1.5.3-141.el7_4.1.x86_64
CVE-2017-7506 security spice-server-0.12.8-2.el7.1.x86_64
CVE-2017-1000061 security xmlsec1-1.2.20-7.el7_4.x86_64
CVE-2017-1000061 security xmlsec1-openssl-1.2.20-7.el7_4.x86_64
updateinfo list done
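
The listing above is flat, one line per CVE and package. The following added example (not part of the original lab; the function names are hypothetical) turns that output into a per-package summary and shows which packages a single CVE is tied to, which is useful for previewing what the --cve option in the next step will select. The embedded sample is constructed from a few lines of the output above.

```shell
#!/bin/sh
# Added example (not from the lab). Function names are hypothetical.

# Read `yum updateinfo list cves` output on stdin and print one line per
# package: "<count> <package> <cve,cve,...>", most CVEs first.
# Banner lines such as "Loaded plugins" or "updateinfo list done" are skipped.
cves_by_package() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ && NF >= 3 {
             pkg = $3
             if (!seen[pkg, $1]++) {
                 n[pkg]++
                 if (pkg in list) list[pkg] = list[pkg] "," $1
                 else             list[pkg] = $1
             }
         }
         END { for (p in n) print n[p], p, list[p] }' |
    LC_ALL=C sort -k1,1nr -k2,2
}

# Read the same output on stdin and print the packages that the update
# metadata ties to one CVE, one per line.
packages_for_cve() {
    awk -v cve="$1" '$1 == cve && NF >= 3 && !seen[$3]++ { print $3 }' |
    LC_ALL=C sort
}

# Constructed sample: a subset of the lines shown in the lab output.
sample_output() {
    cat <<'EOF'
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
CVE-2017-7779 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7753 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7800 security firefox-52.3.0-2.0.1.el7_4.x86_64
CVE-2017-7533 security kernel-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533 security kernel-tools-3.10.0-693.1.1.el7.x86_64
CVE-2017-7533 security kernel-tools-libs-3.10.0-693.1.1.el7.x86_64
CVE-2017-12134 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-1000365 security kernel-uek-4.1.12-103.3.8.el7uek.x86_64
CVE-2017-7533 security python-perf-3.10.0-693.1.1.el7.x86_64
updateinfo list done
EOF
}

# Demo on the constructed sample. On a registered client, pipe the real
# command instead:  yum updateinfo list cves | cves_by_package
sample_output | cves_by_package
sample_output | packages_for_cve CVE-2017-7533
```
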

Install patches required to fix a particular CVE

Run the following yum command using a CVE chosen from the list generated in the previous example:

[root@spacewalk ~]# yum -y --cve=CVE-2017-7533 update
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
--> evince-3.22.1-5.2.el7_4.x86_64 from ol7_x86_64_u4_patch removed (updateinfo)
--> libvirt-daemon-config-network-3.2.0-14.el7_4.2.x86_64 from ol7_x86_64_u4_patch removed (updateinfo)
...
--> kernel-uek-4.1.12-103.3.8.el7uek.x86_64 from ol7_x86_64_uekr4 removed (updateinfo)
--> kernel-uek-devel-4.1.12-103.3.8.el7uek.x86_64 from ol7_x86_64_uekr4 removed (updateinfo)
4 package(s) needed (+0 related) for security, out of 50 available
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-693.1.1.el7 will be installed
---> Package kernel-tools.x86_64 0:3.10.0-693.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-693.1.1.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-693.1.1.el7 will be an update
---> Package python-perf.x86_64 0:3.10.0-693.el7 will be updated
---> Package python-perf.x86_64 0:3.10.0-693.1.1.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
Package              Arch      Version               Repository             Size
=======================================================================================================
Installing:
kernel               x86_64    3.10.0-693.1.1.el7    ol7_x86_64_u4_patch    43 M
Updating:
kernel-tools         x86_64    3.10.0-693.1.1.el7    ol7_x86_64_u4_patch    5.1 M
kernel-tools-libs    x86_64    3.10.0-693.1.1.el7    ol7_x86_64_u4_patch    5.0 M
python-perf          x86_64    3.10.0-693.1.1.el7    ol7_x86_64_u4_patch    5.1 M

Transaction Summary
=======================================================================================================
Install 1 Package
Upgrade 3 Packages

Total download size: 58 M
Downloading packages:
No Presto metadata available for ol7_x86_64_u4_patch
(1/4): kernel-3.10.0-693.1.1.el7.x86_64.rpm               | 43 MB 00:00:00
(2/4): kernel-tools-3.10.0-693.1.1.el7.x86_64.rpm         | 5.1 MB 00:00:00
(3/4): kernel-tools-libs-3.10.0-693.1.1.el7.x86_64.rpm    | 5.0 MB 00:00:00
(4/4): python-perf-3.10.0-693.1.1.el7.x86_64.rpm          | 5.1 MB 00:00:00
-------------------------------------------------------------------------------------------------------
Total                                           75 MB/s | 58 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating   : kernel-tools-libs-3.10.0-693.1.1.el7.x86_64    1/7
Updating   : kernel-tools-3.10.0-693.1.1.el7.x86_64         2/7
Installing : kernel-3.10.0-693.1.1.el7.x86_64               3/7
Updating   : python-perf-3.10.0-693.1.1.el7.x86_64          4/7
Cleanup    : kernel-tools-3.10.0-693.el7.x86_64             5/7
Cleanup    : kernel-tools-libs-3.10.0-693.el7.x86_64        6/7
Cleanup    : python-perf-3.10.0-693.el7.x86_64              7/7
Verifying  : python-perf-3.10.0-693.1.1.el7.x86_64          1/7
Verifying  : kernel-tools-3.10.0-693.1.1.el7.x86_64         2/7
Verifying  : kernel-tools-libs-3.10.0-693.1.1.el7.x86_64    3/7
Verifying  : kernel-3.10.0-693.1.1.el7.x86_64               4/7
Verifying  : kernel-tools-libs-3.10.0-693.el7.x86_64        5/7
Verifying  : kernel-tools-3.10.0-693.el7.x86_64             6/7
Verifying  : python-perf-3.10.0-693.el7.x86_64              7/7

Installed:
kernel.x86_64 0:3.10.0-693.1.1.el7

Updated:
kernel-tools.x86_64 0:3.10.0-693.1.1.el7    kernel-tools-libs.x86_64 0:3.10.0-693.1.1.el7    python-perf.x86_64 0:3.10.0-693.1.1.el7

Complete!

Section 2.4 of the Oracle Linux 7 Administrator's Guide lists all the Yum commands that are available and
provides more detailed explanations of each command.

Exercise: Installing the OSA daemon

By default, the rhnsd daemon on the client connects to Spacewalk every 4 hours to look for scheduled
updates or actions. However, Spacewalk includes the OSA daemon which allows Spacewalk to trigger actions
immediately on a client. We will install this daemon now so that the following exercises that use the Spacewalk
web interface will occur immediately.

From the Terminal, run the following command to install the OSAD daemon:

[root@spacewalk ~]# yum -y install osad
Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
Resolving Dependencies
--> Running transaction check
---> Package osad.noarch 0:5.11.74-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
Package    Arch      Version          Repository                       Size
=======================================================================================================
Installing:
osad       noarch    5.11.74-1.el7    ol7_x86_64_spacewalk26_client    46 k

Transaction Summary
=======================================================================================================
Install 1 Package

Total download size: 46 k
Installed size: 95 k
Downloading packages:
osad-5.11.74-1.el7.noarch.rpm    | 46 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : osad-5.11.74-1.el7.noarch    1/1
Verifying  : osad-5.11.74-1.el7.noarch    1/1

Installed:
osad.noarch 0:5.11.74-1.el7

Complete!

Enable the OSA daemon on startup:

[root@spacewalk ~]# systemctl enable osad


Created symlink from /etc/systemd/system/multi-user.target.wants/osad.service to /usr/lib/systemd/system/osad.service.

And then manually start it immediately:

[root@spacewalk ~]# systemctl start osad

Switch back to Firefox and click the spacewalk.oracleworld.com server to view its Details screen. On the
right-hand side, in the OSA Status box, you should see "online as of unknown". This indicates that the OSA
daemon is running. Click Ping System to trigger a ping of the OSA daemon. If you wait a few moments and
then refresh the Details tab, the OSA Status should update to indicate how long the OSA daemon has been
running.

Once the OSA daemon is confirmed as running, you can move on to the following exercises.

Exercise: Updating packages on the client from Spacewalk

If you're following from the previous exercise, click the Software tab under the spacewalk.oracleworld.com
heading. Otherwise, navigate to the System tab and click the spacewalk.oracleworld.com server first.

The Software tab allows you to list, remove, upgrade, install and verify software packages. You can also see
the errata that are applicable to this server. First, we will manually upgrade an existing package.

Click Upgrade Packages. In the list that appears, select a few packages to upgrade. Once you have selected
some packages, click the Upgrade Packages button at the bottom of the page. A confirmation page will
appear listing the packages scheduled for update. You can choose whether to perform the upgrade as soon as
possible, or after a specific time.

Keep in mind that if the OSA daemon is not running on the client server, rhnsd only checks in every 4 hours
by default. This means that without the OSA daemon working, some actions could take up to 4 hours to be
triggered.

Once you are happy with the package selection, click the Confirm button. You will receive a message
indicating that package updates have been scheduled. Click scheduled in the alert message to view the
scheduled action. You can monitor this page until the action is completed. Once it has completed, navigate
back to the system detail view to confirm that the packages are no longer visible in the list of packages
available for upgrade.

Exercise: Updating packages based on an errata notification

An alternative upgrade mechanism is to upgrade packages that resolve specific errata. From the Software tab
within the system detail view, click the Errata tab to view the available errata information for this server. This
list will display all available errata, but can be filtered to only display security, bug fixes or enhancements.

Use the drop-down box to filter the list to only show security advisories. Enter "critical" into the Filter by
Synopsis field and click the "eye" icon to view only the critical security errata. Click on an errata to view the
details. You can also click on the CVE link to go to the Mitre website for information about the particular CVE
resolved by this errata. Navigate to the Affected Systems tab to see all the servers that are affected by this
advisory. In production, you may have several servers affected by a single advisory and this screen allows you
to schedule the patching of multiple servers at once.

In the list, click the checkbox next to the server name and then click Apply Errata. The same confirmation
screen appears asking whether to schedule the action for as soon as possible or for some time in the future.
Click Confirm to apply the errata as soon as possible.

You can navigate to the Schedule tab on the main menu to monitor the action. While the action is active, it will
appear in the Pending Actions list. Once it has completed, it will appear in the Completed Actions list. When the
action has completed, navigate back to the errata view under the system details to confirm the errata no longer
appears as available for the system.

Exercise: Running a command on the client from Spacewalk

Spacewalk is also capable of running remote commands from the web interface as well as deploying
configuration files stored in a central repository. In order to enable this functionality, we need to install the
rhncfg client.

To install the rhncfg client, run the following command via the Terminal or click the Install New Packages link
within the Software section of an individual system within the web interface to select and deploy the required
packages:

[root@spacewalk ~]# yum -y install 'rhncfg*'


Loaded plugins: langpacks, rhnplugin
This system is receiving updates from Spacewalk server.
Resolving Dependencies
--> Running transaction check
---> Package rhncfg.noarch 0:5.10.99-1.el7 will be installed
---> Package rhncfg-actions.noarch 0:5.10.99-1.el7 will be installed
---> Package rhncfg-client.noarch 0:5.10.99-1.el7 will be installed
---> Package rhncfg-management.noarch 0:5.10.99-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=======================================================================================================
 Package               Arch       Version           Repository                        Size
=======================================================================================================
Installing:
 rhncfg                noarch     5.10.99-1.el7     ol7_x86_64_spacewalk26_client     74 k
 rhncfg-actions        noarch     5.10.99-1.el7     ol7_x86_64_spacewalk26_client     46 k
 rhncfg-client         noarch     5.10.99-1.el7     ol7_x86_64_spacewalk26_client     43 k
 rhncfg-management     noarch     5.10.99-1.el7     ol7_x86_64_spacewalk26_client     52 k

Transaction Summary
=======================================================================================================
Install 4 Packages

Total download size: 215 k
Installed size: 420 k
Downloading packages:
(1/4): rhncfg-5.10.99-1.el7.noarch.rpm                     | 74 kB 00:00:00
(2/4): rhncfg-actions-5.10.99-1.el7.noarch.rpm             | 46 kB 00:00:00
(3/4): rhncfg-client-5.10.99-1.el7.noarch.rpm              | 43 kB 00:00:00
(4/4): rhncfg-management-5.10.99-1.el7.noarch.rpm          | 52 kB 00:00:00
-------------------------------------------------------------------------------------------------------
Total                                           1.0 MB/s | 215 kB 00:00:00

Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : rhncfg-5.10.99-1.el7.noarch                 1/4
  Installing : rhncfg-client-5.10.99-1.el7.noarch          2/4
  Installing : rhncfg-actions-5.10.99-1.el7.noarch         3/4
  Installing : rhncfg-management-5.10.99-1.el7.noarch      4/4
  Verifying  : rhncfg-actions-5.10.99-1.el7.noarch         1/4
  Verifying  : rhncfg-client-5.10.99-1.el7.noarch          2/4
  Verifying  : rhncfg-management-5.10.99-1.el7.noarch      3/4
  Verifying  : rhncfg-5.10.99-1.el7.noarch                 4/4

Installed:
  rhncfg.noarch 0:5.10.99-1.el7
  rhncfg-actions.noarch 0:5.10.99-1.el7
  rhncfg-client.noarch 0:5.10.99-1.el7
  rhncfg-management.noarch 0:5.10.99-1.el7

Complete!

Once the rhncfg client is installed, we need to manually configure what actions are permitted to be performed
remotely. The following actions are possible:

• deploy a file
• diff a file
• upload a file
• modify the mtime of a file (modified time)
• execute remote scripts

For the purposes of the lab, we will enable all actions:

[root@spacewalk ~]# rhn-actions-control --enable-all

You can view the currently enabled actions:

[root@spacewalk ~]# rhn-actions-control --report


deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled
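
The lab enables every action for convenience; on production clients you would normally permit only the actions you need, because run lets Spacewalk execute scripts on the client. The following is an added example, not part of the original lab, that checks a report in the format shown above against an allowlist; the function names and the allowlist are assumptions, and the sample report is the one printed in this lab.

```shell
#!/bin/sh
# Audit which rhncfg remote actions a client permits, against an allowlist.
# Input: text in the format printed by `rhn-actions-control --report`.

# Constructed sample: the report shown in this lab after --enable-all.
SAMPLE_REPORT='deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled'

# excess_actions ALLOWLIST
# Reads a report on stdin and prints, one per line, every action that is
# enabled but not named in the space-separated ALLOWLIST. Lines whose third
# word is not "enabled" are treated as not enabled (the wording of a
# disabled line is not shown in this lab, so it is not matched here).
excess_actions() {
    allow=" $1 "
    while read -r action _is state; do
        [ "$state" = "enabled" ] || continue
        case "$allow" in
            *" $action "*) ;;               # permitted by policy
            *) printf '%s\n' "$action" ;;   # enabled beyond policy
        esac
    done
}

# audit_report ALLOWLIST
# Reads a report on stdin; returns 0 when nothing exceeds the allowlist,
# otherwise names the excess actions on stderr and returns 1.
audit_report() {
    excess=$(excess_actions "$1")
    if [ -n "$excess" ]; then
        printf 'enabled beyond policy: %s\n' "$(echo $excess)" >&2
        return 1
    fi
    return 0
}

# Demo on the constructed sample with a hypothetical policy of "deploy diff".
# On a real client: rhn-actions-control --report | audit_report "deploy diff"
printf '%s\n' "$SAMPLE_REPORT" | excess_actions "deploy diff"
```

A non-zero return from audit_report can be used to fail a compliance check or a provisioning script.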

Now that rhncfg is installed and all actions are enabled, we can trigger a remote action from the web interface.
Switch back to Firefox and navigate to the Details tab of the server details view, then click the Remote
Command tab.

In the script box, enter the following:

#!/bin/sh
# Add your shell script below
uptime
uname -a

Then click the Schedule button. Remote commands use the same scheduling mechanism as package
updates, so without the OSA daemon running, it could take up to 4 hours to complete the remote command
action. Navigate to the Events tab to view the pending events. If the action does not appear in the pending list,
click the History tab. The action should appear at the top of the System History list. Click the action name to
view the script and the output.

Exercise: Creating a configuration channel in Spacewalk

Another feature of the rhncfg client is the ability to deploy configuration files from Spacewalk to multiple
servers. This requires the creation of one or more configuration channels and configuration files. In this
exercise, we will create a configuration channel, a configuration file and deploy it to our client.

Creating a configuration channel and file

First, navigate to the Configuration tab in the main menu, then select Configuration Channels in the left-
hand menu. There are no configuration channels created by default. Click Create Config Channel to start the
creation process.

Create a new configuration channel using the following details:

• Name: Generic Configuration
• Label: ol7_generic_config
• Description: Generic configuration files for Oracle Linux 7

Click the Create Config Channel button to complete the creation process. After the channel has been created,
we can add a file. Click the Add Files tab to start the process.

You can add a file in three ways: uploading a file from your workstation, importing a file from a registered client
system that has the upload action allowed or by creating a file directly in the interface. In this exercise, we will
create a file directly in the interface, so click the Create File tab.

Create a new configuration file using the following details:

• File Type: Text File
• Filename/Path: /etc/motd
• Ownership User name: root
• Ownership Group name: root
• File Permissions Mode: 644
• Macro Delimiters: Start Delimiter is {| and End Delimiter is |}
• File contents: This server is {|rhn.system.hostname|} and it is managed by Spacewalk.

Note that we have used the rhn.system.hostname macro in the configuration file contents. This macro
will be replaced by the name of the target server when the configuration file is deployed. Click the Create
Configuration File button once you are happy with the settings and content.

Associate the configuration channel with a client server

Navigate to the system detail view by clicking on the spacewalk.oracleworld.com server, then select the
Configuration tab, Manage Configuration Channels tab then the Subscribe to Channels tab. Click the
checkbox next to the Generic Configuration channel in the list, then click Continue. If you have multiple
configuration channels in your production environment, you can rank the channels in order of priority. This
allows you to have generic configuration files as well as more specific versions. As we only have a single
configuration channel in this exercise, click the Update Channel Rankings button to confirm the subscription.
The Generic Configuration channel should now appear in the list of Configuration Channels for this server.

Deploying a configuration file to the client

Switch to the Deploy Files tab to list the available files. Select the checkbox next to the /etc/motd file and
click the Deploy Files button. On the confirmation screen, ensure it's scheduled to deploy as soon as possible
then click the Schedule Deploy button.

To confirm that the file has been deployed successfully and that the macro has been replaced properly during the
deployment, run the following command via a Terminal:

[root@spacewalk ~]# cat /etc/motd


This server is spacewalk.oracleworld.com and it is managed by Spacewalk.

Exercise: Run OpenSCAP auditing via Spacewalk

The final exercise is to configure and run an audit using the OpenSCAP tools. This example uses the
scap-security-guide provided with Oracle Linux. You can use any OpenSCAP-compliant XCCDF and OVAL files in
your own environment.

To begin the auditing process, navigate to the Audit tab of the system detail view, then click the Schedule
tab. Spacewalk will inform you that in order to run OpenSCAP scans, the spacewalk-oscap package needs to
be installed. Using what you've learnt in previous exercises, install the spacewalk-oscap and
scap-security-guide packages either using yum or via the Spacewalk web interface.

Once the spacewalk-oscap and scap-security-guide packages and their dependencies are installed,
refresh the Schedule New XCCDF Scan page in Firefox. You should now be able to schedule a scan using
the following parameters:

• Command-line Arguments: --profile standard --cpe /usr/share/xml/scap/ssg/content/ssg-rhel7-cpe-dictionary.xml
• Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml

Click the Schedule button once you have completed the fields. It can take between fifteen and twenty minutes
to complete the scan. Navigate to the List Scans tab to view the completed scans. You can then review the
results and filter on pass or failed results. You can also schedule regular scans to ensure that no security
regressions occur. Note that the virtual machine used by this hands-on lab is not configured according to best
security practice for a production deployment and will fail many of the OpenSCAP tests.
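
To review the same kind of pass and fail results outside the web interface, the added example below (not part of the original lab) summarises an XCCDF results file such as one written by `oscap xccdf eval --results`. The function names and the sample rule ids are constructed, and the parser assumes one XML element per line.

```shell
#!/bin/sh
# Summarise XCCDF scan results: outcome per rule, failed rules, counts.
# Assumes one element per line, as in pretty-printed results files; a
# namespace prefix on the element names (e.g. cdf:) is tolerated.

# Constructed sample results fragment (rule ids are placeholders).
SAMPLE_RESULTS='<TestResult id="constructed-sample">
  <rule-result idref="sample_rule_sshd_disable_root_login" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="sample_rule_service_firewalld_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="sample_rule_partition_for_tmp" severity="low">
    <result>fail</result>
  </rule-result>
  <rule-result idref="sample_rule_not_in_profile" severity="low">
    <result>notselected</result>
  </rule-result>
</TestResult>'

# scan_results: read results XML on stdin, print "<outcome> <rule id>" per rule.
scan_results() {
    awk '
        /<([A-Za-z0-9_-]+:)?rule-result[ >]/ {
            id = ""
            if (match($0, /idref="[^"]*"/)) id = substr($0, RSTART + 7, RLENGTH - 8)
        }
        /<([A-Za-z0-9_-]+:)?result>[a-z]+</ && id != "" {
            out = $0
            sub(/^[^>]*>/, "", out)   # drop everything up to the end of the opening tag
            sub(/<.*$/, "", out)      # drop the closing tag
            print out, id
            id = ""
        }'
}

# failed_rules: ids of rules whose outcome is "fail", one per line.
failed_rules() { scan_results | awk '$1 == "fail" { print $2 }'; }

# outcome_count OUTCOME: how many rules ended with the given outcome.
outcome_count() { scan_results | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'; }

# Demo on the constructed sample; for a real file: failed_rules < results.xml
printf '%s\n' "$SAMPLE_RESULTS" | failed_rules
```

Comparing the failed_rules output of two scans run at different times shows which rules regressed between them.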
