System Management with Spacewalk

Introduction
Requirements
    Virtual machine requirements
    Pre-requisite knowledge
    Connectivity
    Lab structure
    Initial login
Exercise: Create repositories and software channels
    Create the repositories
    Create the base and child software channels
Exercise: Trigger the initial sync of the software channels
Exercise: Creating and configuring an activation key
Exercise: Registering a client server
Exercise: Running yum commands manually on the client
    List all the subscribed channels
    List all available updates
    List all available security updates
    List CVEs fixed by available updates
    Install patches required to fix a particular CVE
Exercise: Installing the OSA daemon
Exercise: Updating packages on the client from Spacewalk
Exercise: Updating packages based on an errata notification
Exercise: Running a command on the client from Spacewalk
Exercise: Creating a configuration channel in Spacewalk
    Creating a configuration channel and file
    Associate the configuration channel with a client server
    Deploying a configuration file to the client
Exercise: Run OpenSCAP auditing via Spacewalk

Introduction

In this Hands-on Lab, you will learn the basics of systems management using Spacewalk:

- initial Repository and Software Channel creation
- syncing Software Channels with upstream repository sources
- creating and configuring a Spacewalk activation key
- registering an Oracle Linux server to Spacewalk
- running yum commands
- installing and testing the Spacewalk OSAD client
- installing and configuring the Spacewalk Configuration client
- creating a configuration channel in Spacewalk and deploying configuration files
- running an OpenSCAP-based audit

Spacewalk is an Open Source Linux systems management solution. It manages software content updates for Linux distributions derived from Red Hat Enterprise Linux including Oracle Linux, CentOS, Scientific Linux and Fedora. It allows you to synchronize updates from upstream sources, then store and deploy those updates to your local servers. You can stage software content, including updates and configuration files, through different environments.

The deployment of updates to registered servers is centrally controlled and the Spacewalk web interface shows a unified view of all registered servers and their associated software update status. You can also trigger software updates and remote actions via the web interface.

In addition, Spacewalk provides entire lifecycle management functionality via bare-metal and virtual server provisioning using the standard PXE and Kickstart tools. Servers that are provisioned using Spacewalk are automatically registered and monitored after installation.

To support very large enterprise deployments, you can connect multiple Spacewalk servers together using Inter-Spacewalk Sync. Spacewalk also provides the Spacewalk Proxy server to support geographically-distributed client servers. Spacewalk Proxy servers cache and distribute content, reducing the load on the central Spacewalk servers and improving download times for local servers.

For more information on Spacewalk, visit the Spacewalk community website.

Requirements

Virtual machine requirements

Unlike the other Hands-on Labs, the Virtual Machine used in this lab is NOT based on the generic Oracle Linux 6 template. If you are attending this Hands-on Lab at Oracle OpenWorld 2014, a pre-built VM has already been provided as Spacewalk requires significant available disk space to store packages.

This lab is designed to synchronize packages from both the Oracle Unbreakable Linux Network (ULN) as well as Oracle's Public Yum Repository. If you are attending this Hands-on Lab at Oracle OpenWorld 2014, an alternative yum server is used instead of Oracle's Public Yum Repository to improve overall lab performance. The generic account which is used for ULN access will be disabled at the conclusion of the lab.

The lab does not include installation of Spacewalk itself as this is covered in the Spacewalk 2.0 for Oracle Linux 6 release notes.

Pre-requisite knowledge

Attendees are expected to have basic Oracle Linux system administration skills, particularly regarding package management using RPM and yum. If you need a refresher, follow our Package management with RPM and yum hands-on lab. You should be familiar with the following Linux concepts and commands:

- using the Linux terminal
- using sudo to run commands as root
- using the yum package management tool
- using vi or nano to edit configuration files

Connectivity

This lab has been designed specifically for delivery at Oracle OpenWorld 2014. As such, the examples assume the virtual machine is running within the OpenWorld lab environment. After OpenWorld concludes, the lab will be refreshed to include initial VM creation information as well as replacing the OpenWorld-specific configuration with generic configuration.

Lab structure

As many activities in the lab are performed using the Spacewalk web interface, screenshots are provided for the initial exercises to assist with navigation and configuration. These screenshots are hidden by default and can be viewed by clicking the arrow next to the screenshot title. Once the initial exercises are completed, screenshots will no longer be provided as the content will change over time and static screenshots could be misleading.

Initial login

You should have already logged into the virtual machine as the HOL User (holuser) using the provided password. You should open a Terminal session from Application -> System Tools -> Terminal and have the Firefox web browser open as well. As the lab instructions are web-based, it is recommended to have multiple Firefox windows or tabs open so that you can follow the instructions.

Navigate to the Spacewalk web interface in Firefox:

    https://hol9666.oracleworld.com

Spacewalk login screen (screenshot)

You should see the initial login screen. Use the following credentials to log in to Spacewalk:

    Username: admin
    Password: Oracle123

After successfully logging in, Spacewalk displays the Overview page.

Initial Spacewalk overview screen (screenshot)

Exercise: Create repositories and software channels

Spacewalk requires all packages and metadata to be stored and managed locally, so the initial step is to configure upstream sources for package updates. These upstream sources can be the Oracle Unbreakable Linux Network (ULN), the Oracle Public Yum Server or any 3rd-party yum repository.

Spacewalk uses the concept of Software Channels and Repositories to store packages and metadata. Client systems subscribe to Software Channels, while Software Channels themselves can be subscribed to one or more Repositories. In this way, you can create local channels that provide packages from a combination of sources. Care should be taken to ensure that the upstream repositories do not contain the same packages to reduce deployment complexity and confusion. It is recommended to connect a software channel to a single repository for simplicity.

Spacewalk Software Channels are hierarchical: each client server is registered with a single base channel and can be subscribed to multiple child channels. A client can only subscribe to the child channels of its base channel.

In this exercise, you will create repositories for the following ULN channels:

- Oracle Linux 6 Update 5 Installation media set (x86_64)
- Oracle Linux 6 Update 5 Patches (x86_64)
- Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64)

You will also create a Spacewalk repository for the following Yum repository:

- Spacewalk Client 2.0 for Oracle Linux 6 (x86_64)

Once these repositories are created, the following Software Channel hierarchy will be created:

- Oracle Linux 6 Update 5 Installation media set (x86_64)
    - Oracle Linux 6 Update 5 Patches (x86_64)
    - Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 (x86_64)
    - Spacewalk Client 2.0 for Oracle Linux 6 (x86_64)

This will allow clients to subscribe to the Installation media set base channel as well as the individual child channels.

Create the repositories

Navigate to the Manage Repositories screen in the Spacewalk web interface by clicking on Channels (in the main menu bar), then Software Channels in the left-hand menu and finally Manage Repositories. There are no repositories configured by default.

Empty Repository list (screenshot)

Click create new repository to start the creation process. The first repository you will create is the Oracle Linux 6 Installation media set. Provide the following information:

    Repository label: Oracle Linux 6 Update 5 installation media copy x86_64
    Repository URL:   uln:///ol6_u5_x86_64_base

Create the Oracle Linux 6 Update 5 Base repository (screenshot)

ULN-based repositories use the uln:///<uln_channel_label> syntax and the three / characters are intentional. You can find a list of channel labels via the ULN interface.

Click the create repository button. Spacewalk will create the repository and return you to the repository edit screen. Click Manage Repositories to return to the list of repositories to see the newly created repository.

Follow the above procedure to create the following ULN-based repositories:

1. Oracle Linux 6 Update 5 Patches (x86_64) with the ULN channel label ol6_u5_x86_64_patch.
2. UEK Release 3 for Oracle Linux 6 x86_64 with the ULN channel label ol6_x86_64_UEKR3_latest.

List of Oracle Linux repositories (screenshot)

Once all three ULN-based channels are created, you can create the Yum-based channel for the Spacewalk 2.0 Client. The process is almost identical, except you use an HTTP-based repository URL.

Create the Spacewalk 2.0 Client repository (screenshot)

    Repository Label: Spacewalk Client 2.0 for Oracle Linux 6
    Repository URL:   http://oow-lab1.oracleworld.com/yum/oraclelinux/ol6/spacewalk20/client/x86_64/

Note that we are using a custom Yum repository hosted within the Oracle OpenWorld lab environment for performance reasons. In production, you should use yum repositories hosted on the Oracle Public Yum server or a 3rd-party repository.

Once you have all four repositories created, you can begin to create the associated Software Channels.

Create the base and child software channels

As mentioned previously, Spacewalk uses a parent/child relationship for Software Channels. Client servers can only subscribe to a single base channel and can only subscribe to child channels of the selected base channel. In this exercise, we will create a single base channel and three child channels.

Click Manage Software Channels in the left-hand menu. By default, there are no software channels configured in Spacewalk.

Empty Software Channel list (screenshot)

Click create new channel to start the process. We will begin by creating the base channel using the following details:

    Channel Name:                 Oracle Linux 6 Update 5 installation media copy x86_64
    Channel Label:                ol6_u5_x86_64_base
    Parent Channel:               none
    Architecture:                 x86_64
    Yum Repository Checksum Type: sha256
    Channel Summary:              Oracle Linux 6 Update 5 installation media copy x86_64
    Channel Description:          All packages released on the Oracle Linux 6 Update 5 (x86_64) installation media. This channel does not contain updates.

Oracle Linux 6 Update 5 Base: Software Channel basic details (screenshot)

Ensure that you set the architecture field correctly, otherwise the channel will not be visible to the client you will register later in the lab. The architecture must match the architecture of the client.

You can fill your own (or dummy) information in the Contact/Support Information section. This information is displayed in the Spacewalk UI so that other users know who to contact if they have issues with the software contained in this channel.

For the purposes of the lab, you do not need to make any changes to the Channel Access Control section. For production Spacewalk deployments, this section is used to determine who is permitted to use this channel and which organizations can access the channel. Multi-user and multi-organization deployment of Spacewalk is beyond the scope of this lab.

It is strongly recommended that you configure the Security: GPG section in production to ensure that packages that are downloaded during the Spacewalk synchronization process have a valid security signature. You should configure the section using the following:

    GPG key URL:         file:///etc/pki/rpm-gpg/rpm-gpg-key
    GPG key ID:          EC551F03
    GPG key Fingerprint: 4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03

Oracle Linux 6 Update 5 Base: Software Channel GPG key details (screenshot)
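A way to check an on-disk key against the GPG key ID and fingerprint above before typing them into the channel form. This is an added example, not part of the original lab. The function names, the gpg invocation in verify_keyfile and the sample listing are assumptions; the sample reuses the fingerprint quoted above with a placeholder user ID, dates and subkey.

```shell
#!/bin/sh
# Added example, not from the lab: check that an RPM signing key has the
# fingerprint and key ID entered in a channel's "Security: GPG" section.

# Constructed sample of `gpg --with-colons --with-fingerprint <keyfile>` output.
# The primary fingerprint is the one quoted in the lab; the user ID, dates and
# the subkey record are placeholders, not the real key's values.
SAMPLE_LISTING='pub:-:2048:1:72F97B74EC551F03:1262304000:::-:Constructed Sample Key <sample@example.invalid>:
fpr:::::::::42144123FECFC55B9086313D72F97B74EC551F03:
sub:-:2048:1:0000000000000001:1262304000::::
fpr:::::::::0000000000000000000000000000000000000001:'

# Drop whitespace and upper-case the hex digits of a fingerprint or key ID.
normalize_hex() {
    printf '%s' "$1" | tr -d ' \t' | tr 'abcdef' 'ABCDEF'
}

# Read a colon-format listing on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record that follows a "pub" record. Later "fpr"
# records belong to subkeys and must not be compared.
primary_fingerprint() {
    awk -F: '
        $1 == "pub"             { seen_pub = 1; next }
        seen_pub && $1 == "fpr" { print $10; exit }
    '
}

# check_key LISTING EXPECTED_FINGERPRINT EXPECTED_KEY_ID
# Returns 0 on a full match, 1 on a mismatch, 2 when the input is unusable.
check_key() {
    want_fpr=$(normalize_hex "$2")
    want_id=$(normalize_hex "$3")
    got_fpr=$(normalize_hex "$(printf '%s\n' "$1" | primary_fingerprint)")

    if [ -z "$got_fpr" ]; then
        echo "no primary key fingerprint in listing" >&2
        return 2
    fi
    if [ "${#want_fpr}" -ne 40 ] || [ "${#want_id}" -ne 8 ]; then
        echo "expected a 40-digit fingerprint and an 8-digit key ID" >&2
        return 2
    fi
    if [ "$got_fpr" != "$want_fpr" ]; then
        echo "fingerprint mismatch: key has $got_fpr" >&2
        return 1
    fi
    # The short key ID is the last 8 hex digits of the fingerprint.
    got_id=$(printf '%s\n' "$got_fpr" | cut -c33-40)
    if [ "$got_id" != "$want_id" ]; then
        echo "key ID mismatch: key has $got_id" >&2
        return 1
    fi
    return 0
}

# verify_keyfile KEYFILE EXPECTED_FINGERPRINT EXPECTED_KEY_ID
# Lists the keys in an on-disk file without importing them, then compares.
# Assumption: gpg lists the keys of a file given as its only argument.
verify_keyfile() {
    listing=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null) || return 2
    check_key "$listing" "$2" "$3"
}

# Demonstration on the constructed listing, with the values the lab enters.
if check_key "$SAMPLE_LISTING" \
        "4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03" "EC551F03"; then
    echo "key matches the channel's GPG settings"
fi
```

On a real server, call verify_keyfile with the path of the installed key file and the two values from the channel form; a non-zero exit status means the key on disk is not the one the form describes.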

You can find the GPG key ID and fingerprint for each Oracle Linux major version on the Oracle Public Yum server. Note that the GPG key ID and Fingerprint are identical for Oracle Linux 6 and 7. Oracle Linux installs the key itself by default at /etc/pki/rpm-gpg/rpm-gpg-key and for security purposes, it is mandatory that you use an on-disk key.

Click the Create Channel button once you have completed all the required fields. Spacewalk will create the channel and return you to the channel edit screen for the newly created channel. Click Manage Software Channels in the left-hand menu to return to the Software Channel list.

You will now create your first child channel. Click the create new channel link and enter the following details:

    Channel Name:   Oracle Linux 6 Update 5 Patch x86_64
    Channel Label:  ol6_u5_x86_64_patch
    Parent Channel: Oracle Linux 6 Update 5 installation media copy x86_64

You will notice that when you select a parent channel, the Architecture and Yum Repository Checksum Type are automatically selected.

    Channel Summary:     Oracle Linux 6 Update 5 Patch x86_64
    Channel Description: Updated packages published after the release of Oracle Linux 6 Update 5 (x86_64).

Use the same Security: GPG settings as the Installation media set channel.

Oracle Linux 6 Update 5 Patches: Software Channel basic details (screenshot)

Repeat the above procedure for the remaining software channels:

    Channel Name:   Unbreakable Enterprise Kernel Release 3 for Oracle Linux 6 x86_64
    Channel Label:  ol6_x86_64_uekr3_latest
    Parent Channel: Oracle Linux 6 Update 5 installation media copy x86_64

Note that Spacewalk channel labels can only contain lowercase letters, so this channel label differs from its upstream repository label.

    Channel Name:   Spacewalk Client 2.0 for Oracle Linux 6
    Channel Label:  ol6_spacewalk20_client
    Parent Channel: Oracle Linux 6 Update 5 installation media copy x86_64

Once a channel is created, you cannot change whether it is a base or child channel. If you forget to select the correct parent channel, you will need to delete and recreate the channel.

Once you have completed this exercise, you should have all four channels created, with a single base and three child channels as shown in the following screenshot:

List of all Software Channels (screenshot)

Do not continue the lab until your software channel list matches the example.

Exercise: Trigger the initial sync of the software channels

Now that your software channels are created, we need to link them to the appropriate repository and trigger the initial sync. Spacewalk should be configured in production to sync on a regular basis.

As the Spacewalk web interface does not provide any progress information during a sync, you should have a Terminal window open to monitor the sync logs during this exercise. In the Terminal, use sudo to become the root user and change directory to /var/log/rhn/reposync. The sync logs are contained in this directory. The OpenWorld virtual machine already contains log files, as the Spacewalk instance was pre-seeded with packages for performance reasons.

Tail the ol6_u5_x86_64_base.log file:

    [root@hol9666 ~]# tail -f ol6_u5_x86_64_base.log

You will notice that the last few lines of the initial sync logs report that the sync took just under 3 hours to complete for this channel. The time for initial sync is dependent on network bandwidth and server resources and can take anywhere from 3 hours to several days.

Switch back to Firefox to continue the exercise. From Manage Software Channels, click the Oracle Linux 6 Update 5 installation media copy x86_64 channel and navigate to the Repositories tab.

Connect Oracle Linux 6 Update 5 Base Software Channel to repository (screenshot)

Click the check box next to Oracle Linux 6 Update 5 installation media copy x86_64 and then click the Update Repositories button. Once you have saved the repository selection, click the Sync tab.

This screen allows you to trigger an immediate sync or schedule a task to sync the repository. For the purposes of the lab, just click the Sync Now button, but in production you should schedule regular synchronization of the Oracle Linux repositories on a daily basis. If you have multiple repositories, you should offset the schedule time.

Trigger sync of Oracle Linux 6 Update 5 Base Software Channel (screenshot)

After clicking the Sync Now button, switch back to your terminal to monitor the sync activity. Spacewalk will connect to ULN to retrieve the list of packages and then start downloading each package. In this exercise, we have pre-seeded the packages in the virtual machine to reduce the download time as much as possible. Wait for the "Sync completed." message to appear in the log before continuing.

Repeat this process for the remaining three software channels. Note that the Oracle Linux 6 Update 5 Patches channel will take the longest to complete as new packages will have been published between the time the virtual machine image was created and now. It could take between 15-25 minutes or longer for this process to complete. Spacewalk will only sync a single software channel at a time, so wait for each channel to complete before moving onto the next channel.

Exercise: Creating and configuring an activation key

Once you have completed the initial sync of all four channels, you can create an activation key. An activation key is used by the Spacewalk client to register a server with Spacewalk. An activation key is tied to a specific base channel (and optional child channels) and is used to determine channel subscription during activation. For example, you can have multiple activation keys with the same base channel, but specify different child channel subscriptions.

Navigate to the Activation Keys page by clicking on the Systems tab and selecting Activation Keys in the left-hand menu. There are no activation keys created by default. Click create new key to begin the process.

Create an activation key (screenshot)

Use the following details to complete the activation key fields:

    Description:         Oracle Linux 6 Update 5 (x86_64)
    Key:                 oraclelinux6-x86_64
    Usage:               -- blank --
    Base Channels:       Oracle Linux 6 Update 5 installation media copy x86_64
    Add-on Entitlements: select Monitoring and Provisioning
    Universal default:   -- unchecked --

Spacewalk can automatically generate keys, but it is recommended to use a particular key name for ease of identification later.

Once the key is created, click the Child Channels tab. This screen determines which (if any) of the child channels should be subscribed during activation of a system using this activation key. Select all three available channels and click the Update Key button.

Enable child channels for an activation key (screenshot)

An activation key is mandatory to register clients to Spacewalk. Now that you have created an activation key, we can register a client.

Exercise: Registering a client server

Registration to Spacewalk can be done manually or via the provisioning process. In this lab, we will perform a manual registration, as the virtual machine has already been provisioned.

Switch to the Terminal and use sudo to become root (if not already root). Run the following command:

    [root@hol9666 ~]# rhnreg_ks --serverUrl=http://hol9666.oracleworld.com/XMLRPC --user=admin --password=oracle123 --activationkey=1-oraclelinux6-x86_64

The activation process can take several minutes as the local software inventory is collected and sent to Spacewalk. Once the prompt returns, switch back to Firefox and click the Systems tab. You should now see the VM listed. Notice that there are updates available for the server. We will demonstrate several patching mechanisms in upcoming exercises to deploy those updates to the server.

Exercise: Running yum commands manually on the client

Once the client is successfully registered to Spacewalk, you are able to run the yum tool to perform actions using the packages available via Spacewalk.

List all the subscribed channels

Run the following yum command:

    [root@hol9666 ~]# yum repolist
    Loaded plugins: rhnplugin, security
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    repo id                        repo name                                                          status
    ol6_spacewalk20_client_x86_64  Spacewalk Client 2.0 for Oracle Linux 6                            43
    ol6_u5_x86_64_base             Oracle Linux 6 Update 5 installation media copy x86_64             6,421
    ol6_u5_x86_64_patch            Oracle Linux 6 Update 5 Patch x86_64                               1,571
    ol6_x86_64_uekr3_latest        Unbreakable Enterprise Kernel Release 3 for Oracle LInux 6 x86_64  180
    repolist: 8,215

List all available updates

Run the following yum command:

    [root@hol9666 ~]# yum list updates
    Loaded plugins: rhnplugin, security
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Available Packages
    389-ds-base.x86_64          1.2.11.15-34.el6_5   ol6_u5_x86_64_patch
    389-ds-base-devel.i686      1.2.11.15-34.el6_5   ol6_u5_x86_64_patch
    389-ds-base-devel.x86_64    1.2.11.15-34.el6_5   ol6_u5_x86_64_patch
    389-ds-base-libs.i686       1.2.11.15-34.el6_5   ol6_u5_x86_64_patch
    389-ds-base-libs.x86_64     1.2.11.15-34.el6_5   ol6_u5_x86_64_patch
    ConsoleKit-devel.i686       0.4.1-3.el6          ol6_u5_x86_64_base
    ConsoleKit-devel.x86_64     0.4.1-3.el6          ol6_u5_x86_64_base
    ...

List all available security updates

Run the following yum command:

    [root@hol9666 ~]# yum --security list updates
    Loaded plugins: rhnplugin, security
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Limiting package lists to security relevant ones
    ol6_u5_x86_64_base/updateinfo                 86 kb     00:00
    ol6_u5_x86_64_patch/updateinfo               182 kb     00:00
    ol6_x86_64_uekr3_latest/updateinfo            20 kb     00:00
    52 package(s) needed for security, out of 154 available
    Updated Packages
    bind-libs.x86_64             32:9.8.2-0.23.rc1.el6_5.1      ol6_u5_x86_64_patch
    bind-utils.x86_64            32:9.8.2-0.23.rc1.el6_5.1      ol6_u5_x86_64_patch
    ca-certificates.noarch       2014.1.98-65.0.el6_5           ol6_u5_x86_64_patch
    curl.x86_64                  7.19.7-37.el6_5.3              ol6_u5_x86_64_patch
    dracut.noarch                004-336.0.1.el6_5.2            ol6_u5_x86_64_patch
    dracut-kernel.noarch         004-336.0.1.el6_5.2            ol6_u5_x86_64_patch
    firefox.x86_64               24.8.0-1.0.1.el6_5             ol6_u5_x86_64_patch
    glibc.x86_64                 2.12-1.132.el6_5.4             ol6_u5_x86_64_patch
    glibc-common.x86_64          2.12-1.132.el6_5.4             ol6_u5_x86_64_patch
    glibc-devel.x86_64           2.12-1.132.el6_5.4             ol6_u5_x86_64_patch
    glibc-headers.x86_64         2.12-1.132.el6_5.4             ol6_u5_x86_64_patch
    gnutls.x86_64                2.8.5-14.el6_5                 ol6_u5_x86_64_patch
    java-1.7.0-openjdk.x86_64    1:1.7.0.65-2.5.1.2.0.1.el6_5   ol6_u5_x86_64_patch
    kernel.x86_64                2.6.32-431.23.3.el6            ol6_u5_x86_64_patch
    kernel-firmware.noarch       2.6.32-431.23.3.el6            ol6_u5_x86_64_patch
    kernel-headers.x86_64        2.6.32-431.23.3.el6            ol6_u5_x86_64_patch
    kernel-uek.x86_64            3.8.13-44.el6uek               ol6_x86_64_uekr3_latest
    kernel-uek-devel.x86_64      3.8.13-44.el6uek               ol6_x86_64_uekr3_latest
    kernel-uek-doc.noarch        3.8.13-44.el6uek               ol6_x86_64_uekr3_latest
    kernel-uek-firmware.noarch   3.8.13-44.el6uek               ol6_x86_64_uekr3_latest
    ...

List CVEs fixed by available updates

Run the following yum command:

    [root@hol9666 ~]# yum updateinfo list cves
    Loaded plugins: rhnplugin, security
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    CVE-2014-0591 security bind-libs-32:9.8.2-0.23.rc1.el6_5.1.x86_64
    CVE-2014-0591 security bind-utils-32:9.8.2-0.23.rc1.el6_5.1.x86_64
    CVE-2014-0138 security curl-7.19.7-37.el6_5.3.x86_64
    CVE-2014-0015 security curl-7.19.7-37.el6_5.3.x86_64
    CVE-2012-4453 security dracut-004-336.0.1.el6.noarch
    CVE-2012-4453 security dracut-kernel-004-336.0.1.el6.noarch
    CVE-2013-5616 security firefox-24.2.0-1.0.1.el6_5.x86_64
    CVE-2013-5613 security firefox-24.2.0-1.0.1.el6_5.x86_64
    ...

Install patches required to fix a particular CVE

Run the following yum command using a CVE chosen from the list generated in the previous example:

    [root@hol9666 ~]# yum -y --cve=cve-2013-1881 update
    Loaded plugins: rhnplugin, security
    This system is receiving updates from RHN Classic or Red Hat Satellite.
    Setting up Update Process
    Resolving Dependencies
    Limiting packages to security relevant ones
    1 package(s) needed (+0 related) for security, out of 152 available
    --> Running transaction check
    ---> Package librsvg2.x86_64 0:2.26.0-5.el6_1.1 will be updated
    ---> Package librsvg2.x86_64 0:2.26.0-6.el6_5.3 will be an update
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package      Arch       Version              Repository               Size
    ================================================================================
    Updating:
     librsvg2     x86_64     2.26.0-6.el6_5.3     ol6_u5_x86_64_patch     139 k

    Transaction Summary
    ================================================================================
    Upgrade       1 Package(s)

    Total download size: 139 k
    Downloading Packages:
    librsvg2-2.26.0-6.el6_5.3.x86_64.rpm                         139 kb     00:00
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Updating   : librsvg2-2.26.0-6.el6_5.3.x86_64                           1/2
      Cleanup    : librsvg2-2.26.0-5.el6_1.1.x86_64                           2/2
      Verifying  : librsvg2-2.26.0-6.el6_5.3.x86_64                           1/2
      Verifying  : librsvg2-2.26.0-5.el6_1.1.x86_64                           2/2

    Updated:
      librsvg2.x86_64 0:2.26.0-6.el6_5.3

    Complete!

Section 2.4 of the Oracle Linux 6 Administrator's Guide lists all the Yum commands that are available and provides more detailed explanations of each command.

Exercise: Installing the OSA daemon

By default, the rhnsd daemon on the client connects to Spacewalk every 4 hours to look for scheduled updates or actions. However, Spacewalk includes the OSA daemon which allows Spacewalk to trigger actions immediately on a client. We will install this daemon now so that the following exercises that use the Spacewalk web interface will occur immediately.
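Looking back at the yum updateinfo list cves listing from the previous exercise: the sketch below turns that output into a per-package summary and checks a watchlist of CVE IDs against it. This is an added example, not part of the original lab. The function names are assumptions, and the sample input is the header lines and the eight CVE rows shown in the lab output.

```shell
#!/bin/sh
# Added example, not from the lab: summarise `yum updateinfo list cves` output
# and check a watchlist of CVE IDs against it.
LC_ALL=C; export LC_ALL   # stable, byte-wise sort order

# Sample input: the header lines and the eight CVE rows from the lab output.
SAMPLE_OUTPUT='Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or Red Hat Satellite.
CVE-2014-0591 security bind-libs-32:9.8.2-0.23.rc1.el6_5.1.x86_64
CVE-2014-0591 security bind-utils-32:9.8.2-0.23.rc1.el6_5.1.x86_64
CVE-2014-0138 security curl-7.19.7-37.el6_5.3.x86_64
CVE-2014-0015 security curl-7.19.7-37.el6_5.3.x86_64
CVE-2012-4453 security dracut-004-336.0.1.el6.noarch
CVE-2012-4453 security dracut-kernel-004-336.0.1.el6.noarch
CVE-2013-5616 security firefox-24.2.0-1.0.1.el6_5.x86_64
CVE-2013-5613 security firefox-24.2.0-1.0.1.el6_5.x86_64'

# Keep only rows shaped "<CVE id> <type> <package>" and print "CVE<TAB>package".
# Plugin banners and other header lines never match the CVE pattern.
cve_rows() {
    awk '$1 ~ /^CVE-[0-9]+-[0-9]+$/ && NF >= 3 { print $1 "\t" $3 }'
}

# Distinct CVE IDs that still have an update pending on this client.
pending_cves() {
    cve_rows | cut -f1 | sort -u
}

# Packages whose pending update fixes the given CVE (ID is case-insensitive,
# matching the lower-case form the lab passes to --cve).
packages_for_cve() {
    want=$(printf '%s' "$1" | tr 'a-z' 'A-Z')
    cve_rows | awk -F'\t' -v want="$want" '$1 == want { print $2 }' | sort -u
}

# One line per package: "package<TAB>CVE,CVE,...", sorted by package then CVE.
cves_by_package() {
    cve_rows | awk -F'\t' '{ print $2 "\t" $1 }' | sort -u |
    awk -F'\t' '
        $1 != pkg { if (pkg != "") print pkg "\t" list
                    pkg = $1; list = $2; next }
                  { list = list "," $2 }
        END       { if (pkg != "") print pkg "\t" list }
    '
}

# still_pending CVE...  (yum output on stdin)
# Prints each watchlist CVE that is still unpatched; returns 1 if any is.
still_pending() {
    pending=$(pending_cves)
    rc=0
    for cve in "$@"; do
        cve=$(printf '%s' "$cve" | tr 'a-z' 'A-Z')
        if printf '%s\n' "$pending" | grep -Fqx -- "$cve"; then
            printf '%s\n' "$cve"
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the sample rows.
printf '%s\n' "$SAMPLE_OUTPUT" | cves_by_package
```

On a registered client, pipe the live command into the same functions, for example yum updateinfo list cves | still_pending followed by the CVE IDs you need closed, and use the exit status in a patch-compliance job.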
From the Terminal, run the following command to install the OSAD daemon:

[root@hol9666 ~]# yum install osad
Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or Red Hat Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package osad.noarch 0:5.11.27-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package    Arch      Version          Repository                       Size
==========================================================================================
Installing:
 osad       noarch    5.11.27-1.el6    ol6_spacewalk20_client_x86_64    74 k

Transaction Summary
==========================================================================================
Install 1 Package(s)

Total download size: 74 k
Installed size: 265 k
Is this ok []: y
Downloading Packages:
osad-5.11.27-1.el6.noarch.rpm    74 kb 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : osad-5.11.27-1.el6.noarch    1/1
  Verifying  : osad-5.11.27-1.el6.noarch    1/1

Installed:
  osad.noarch 0:5.11.27-1.el6

Complete!

Enable the OSA daemon on startup and manually start it now:

[root@hol9666 ~]# chkconfig osad on
[root@hol9666 ~]# service osad start
Starting osad: [ OK ]

Switch back to Firefox and click the hol9666.oracleworld.com server to view its Details screen. On the right-hand side, in the OSA Status box, you should see "online as of unknown". This indicates that the OSA daemon is running.

Click Ping System to trigger a ping of the OSA daemon. If you wait a few moments and then refresh the Details tab, the OSA Status should update to indicate how long the OSA daemon has been running. Once the OSA daemon is confirmed as running, you can move on to the following exercises.

Exercise: Updating packages on the client from Spacewalk

If you're following from the previous exercise, click the Software tab under the hol9666.oracleworld.com heading.
Otherwise, navigate to the System tab and click the hol9666.oracleworld.com server first. The Software tab allows you to list, remove, upgrade, install and verify software packages. You can also see the errata that are applicable to this server.

First, we will manually upgrade an existing package. Click Upgrade Packages. In the list that appears, select a few packages to upgrade. Once you have selected some packages, click the Upgrade Packages button at the bottom of the page.

A confirmation page will appear listing the packages scheduled for update. You can choose whether to perform the upgrade as soon as possible, or after a specific time. Keep in mind that if the OSA daemon is not running on the client server, rhnsd only checks in every 4 hours by default. This means that without the OSA daemon working, some actions could take up to 4 hours to be triggered.

Once you are happy with the package selection, click the Confirm button. You will receive a message indicating that package updates have been scheduled. Click scheduled in the alert message to view the scheduled action. You can monitor this page until the action is completed. Once it has completed, navigate back to the system detail view of the hol9666.oracleworld.com server to confirm that the packages are no longer visible in the list of packages available for upgrade.

Exercise: Updating packages based on an errata notification

An alternative upgrade mechanism is to upgrade packages that resolve specific errata. From the Software tab within the system detail view of the hol9666.oracleworld.com server, click the Errata tab to view the available errata information for this server. This list will display all available errata, but can be filtered to only display security, bugfixes or enhancements.

Use the drop-down box to filter the list to only show security advisories. Enter "critical" into the Filter by Synopsis field and click Go to view only the critical security errata. Click on an erratum to view the details. You can also click on the CVE link to go to the Mitre website for information about the particular CVE resolved by this erratum.

Navigate to the Affected Systems tab to see all the servers that are affected by this advisory. In production, you may have several servers affected by a single advisory and this screen allows you to schedule the patching of multiple servers at once. In the list, click the checkbox next to the server name and then click Apply Errata.

The same confirmation screen appears asking whether to schedule the action for as soon as possible or for some time in the future. Click Confirm to apply the errata as soon as possible.

You can navigate to the Schedule tab on the main menu to monitor the action. While the action is active, it will appear in the Pending Actions list. Once it has completed, it will appear in the Completed Actions list. When the action has completed, navigate back to the errata view under the system details to confirm the errata no longer appears as available for the system.
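Both the yum --cve update shown earlier and the errata workflow above begin with knowing which package builds a CVE touches on this host. The following script is an added example, not part of the original lab: it groups the CVE list by CVE and by package, using the eight rows from the lab output as sample input (the function names are this example's own, and the plugin header line is included only to show that non-CVE lines are skipped).

```shell
#!/bin/sh
# Added example: group `yum updateinfo list cves` style output before patching.

# Sample input: one plugin header line plus the eight rows shown in the lab output.
sample_cve_list() {
cat <<'EOF'
Loaded plugins: rhnplugin, security
CVE-2014-0591 security bind-libs-32:9.8.2-0.23.rc1.el6_5.1.x86_64
CVE-2014-0591 security bind-utils-32:9.8.2-0.23.rc1.el6_5.1.x86_64
CVE-2014-0138 security curl-7.19.7-37.el6_5.3.x86_64
CVE-2014-0015 security curl-7.19.7-37.el6_5.3.x86_64
CVE-2012-4453 security dracut-004-336.0.1.el6.noarch
CVE-2012-4453 security dracut-kernel-004-336.0.1.el6.noarch
CVE-2013-5616 security firefox-24.2.0-1.0.1.el6_5.x86_64
CVE-2013-5613 security firefox-24.2.0-1.0.1.el6_5.x86_64
EOF
}

# packages_for_cve CVE-ID
# Reads the list on stdin and prints each package build that fixes CVE-ID.
# The id is upper-cased first because the lab passes it in lower case (--cve=cve-...).
packages_for_cve() {
    want=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    awk -v want="$want" '
        $1 == want && NF >= 3 && !seen[$3]++ { print $3 }'
}

# cves_per_package
# Reads the list on stdin and prints "<package> <count> <cve,cve,...>" per
# package, so an update that closes several CVEs at once is easy to spot.
cves_per_package() {
    awk '
        $1 ~ /^CVE-[0-9]+-[0-9]+$/ && NF >= 3 && !seen[$1 SUBSEP $3]++ {
            count[$3]++
            list[$3] = (list[$3] == "" ? $1 : list[$3] "," $1)
        }
        END { for (p in count) print p, count[p], list[p] }' | sort
}

# Stand-alone run: show both views of the sample data.
sample_cve_list | packages_for_cve cve-2014-0591
sample_cve_list | cves_per_package
```

On a registered client, pipe the real list into either function instead of sample_cve_list.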
Exercise: Running a command on the client from Spacewalk

Spacewalk is also capable of running remote commands from the web interface as well as deploying configuration files stored in a central repository. In order to enable this functionality, we need to install the rhncfg client.

To install the rhncfg client, run the following command via the Terminal or use the Install New Software page within the web interface to select and deploy the required packages:

[root@hol9666 ~]# yum install -y rhncfg rhncfg-actions rhncfg-client
Loaded plugins: rhnplugin, security
This system is receiving updates from RHN Classic or Red Hat Satellite.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package rhncfg.noarch 0:5.10.55-1.el6 will be installed
---> Package rhncfg-actions.noarch 0:5.10.55-1.el6 will be installed
---> Package rhncfg-client.noarch 0:5.10.55-1.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================
 Package           Arch      Version          Repository                       Size
==========================================================================================
Installing:
 rhncfg            noarch    5.10.55-1.el6    ol6_spacewalk20_client_x86_64    65 k
 rhncfg-actions    noarch    5.10.55-1.el6    ol6_spacewalk20_client_x86_64    40 k
 rhncfg-client     noarch    5.10.55-1.el6    ol6_spacewalk20_client_x86_64    37 k

Transaction Summary
==========================================================================================
Install 3 Package(s)

Total download size: 141 k
Installed size: 299 k
Downloading Packages:
(1/3): rhncfg-5.10.55-1.el6.noarch.rpm            65 kb 00:00
(2/3): rhncfg-actions-5.10.55-1.el6.noarch.rpm    40 kb 00:00
(3/3): rhncfg-client-5.10.55-1.el6.noarch.rpm     37 kb 00:00
------------------------------------------------------------------------------------------
Total    6.2 MB/s    141 kb 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : rhncfg-5.10.55-1.el6.noarch            1/3
  Installing : rhncfg-client-5.10.55-1.el6.noarch     2/3
  Installing : rhncfg-actions-5.10.55-1.el6.noarch    3/3
  Verifying  : rhncfg-client-5.10.55-1.el6.noarch     1/3
  Verifying  : rhncfg-actions-5.10.55-1.el6.noarch    2/3
  Verifying  : rhncfg-5.10.55-1.el6.noarch            3/3

Installed:
  rhncfg.noarch 0:5.10.55-1.el6
  rhncfg-actions.noarch 0:5.10.55-1.el6
  rhncfg-client.noarch 0:5.10.55-1.el6

Complete!
Once the rhncfg client is installed, we need to manually configure what actions are permitted to be performed remotely. The following actions are possible:

- deploy a file
- diff a file
- upload a file
- upload mtime (modified time)
- execute remote scripts

For the purposes of the lab, we will enable all actions:

[root@hol9666 ~]# rhn-actions-control --enable-all

You can view the currently enabled actions:

[root@hol9666 ~]# rhn-actions-control --report
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled

Now that rhncfg is installed and all actions are enabled, we can trigger a remote action from the web interface. Switch back to Firefox and navigate to the Details tab of the server details view, then click the Remote Command tab. In the script box, enter the following:

#!/bin/sh
uptime
uname -a

Then click the Schedule Remote Command button. Remote commands use the same scheduling mechanism as package updates, so without the OSA daemon running, it could take up to 4 hours to complete the remote command action.

Navigate to the Events tab to view the pending events. If the action does not appear in the pending list, click the History tab. The action should appear at the top of the System History list. Click the action name to view the script and the output.

Exercise: Creating a configuration channel in Spacewalk

Another feature of the rhncfg client is the ability to deploy configuration files from Spacewalk to multiple servers. This requires the creation of one or more configuration channels and configuration files. In this exercise, we will create a configuration channel and a configuration file, and deploy the file to our client.

Creating a configuration channel and file

First, navigate to the Configuration tab in the main menu, then select Configuration Channels in the left-hand menu. There are no configuration channels created by default. Click create new config channel to start the creation process.

Create a new configuration channel using the following details:

Name: Generic Configuration
Label: ol6_generic_config
Description: Generic configuration files for Oracle Linux 6

Once the configuration channel is created, we can add a file. Click the Add Files tab to start the process.
You can add a file in three ways: uploading a file from your workstation, importing a file from a registered client system that has the upload action allowed, or creating a file directly in the interface. In this exercise, we will create a file directly in the interface, so click the Create File tab.

Create a new configuration file using the following details:

File Type: Text File
Filename/Path: /etc/motd
Ownership User name: root
Ownership Group name: root
File Permissions Mode: 644
File contents: This server is {| rhn.system.hostname |} and it is managed by Spacewalk.

Note that we have used the rhn.system.hostname macro in the configuration file contents. This macro will be replaced by the name of the target server when the configuration file is deployed. Click the Create Configuration File button once you are happy with the settings and content.

Associate the configuration channel with a client server

Navigate to the system detail view of the hol9666.oracleworld.com server, then select the Configuration tab, the Manage Configuration Channels tab, then the Subscribe to Channels tab. Click the checkbox next to the Generic Configuration channel in the list, then click Continue.

If you have multiple configuration channels in your production environment, you can rank the channels in order of priority. This allows you to have generic configuration files as well as more specific versions. As we only have a single configuration channel in this exercise, click the Update Channel Rankings button to confirm the subscription. The Generic Configuration channel should now appear in the list of Configuration Channels for this server.
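Deploying files from a configuration channel needs only the deploy action on the client, whereas the lab enabled every action with --enable-all, including run, which lets anyone who can schedule actions in Spacewalk execute scripts on the client. The following script is an added example, not part of the original lab: it compares the rhn-actions-control --report output shown earlier with an allow-list and prints the --disable-* flags to review. The allow-list "deploy diff" is an assumed policy, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: check which rhncfg actions a client allows against a policy.

# Assumption: this host only receives files from a configuration channel.
ALLOWED_ACTIONS="deploy diff"

# Sample input: the `rhn-actions-control --report` output shown in the lab.
sample_report() {
cat <<'EOF'
deploy is enabled
diff is enabled
upload is enabled
mtime_upload is enabled
run is enabled
EOF
}

# excess_actions: report on stdin -> enabled actions missing from the policy.
excess_actions() {
    awk -v allowed="$ALLOWED_ACTIONS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == "is" && $3 == "enabled" && !($1 in ok) { print $1 }'
}

# disable_flags: same input -> the matching --disable-* flags on one line
# (report names use "_", the command-line flags use "-").
disable_flags() {
    excess_actions | sed -e 's/_/-/g' -e 's/^/--disable-/' | paste -s -d ' ' -
}

# Stand-alone run: print the finding and the command an admin would review.
found=$(sample_report | excess_actions | paste -s -d ' ' -)
if [ -n "$found" ]; then
    echo "enabled outside policy: $found"
    echo "review: rhn-actions-control $(sample_report | disable_flags)"
fi
```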

Deploying a configuration file to the client

Switch to the Deploy Files tab to list the available files. Select the checkbox next to the /etc/motd file and click the Deploy Files button. On the confirmation screen, ensure it's scheduled to deploy as soon as possible, then click the Schedule Deploy button.

NOTE: there is a known bug with rhncfg where the first deploy action may fail because the /var/log/rhncfg-actions log file does not exist on the client. However, the failed action will actually create the log file after the failure occurs. If this happens during the lab, simply reschedule the same action, which should then succeed.

To confirm that the file has been deployed successfully and that the macro has been replaced properly during the deployment, run the following command via a Terminal:

[root@hol9666 ~]# cat /etc/motd
This server is hol9666.oracleworld.com and it is managed by Spacewalk.

Exercise: Run OpenSCAP auditing via Spacewalk

The final exercise is to configure and run an audit using the OpenSCAP tools. This example uses the scap-security-guide provided by the Extra Packages for Enterprise Linux (EPEL) project. You can use any OpenSCAP compliant XCCDF and OVAL files in your own environment.

To begin the auditing process, navigate to the Audit tab of the system detail view of the hol9666.oracleworld.com server, then click the Schedule tab. Spacewalk will inform you that in order to run OpenSCAP scans, the spacewalk-openscap package needs to be installed. Using what you've learnt in previous exercises, install the spacewalk-oscap package either using yum or via the Spacewalk web interface.

Once the spacewalk-oscap package and its dependencies are installed, refresh the Schedule New XCCDF Scan page in Firefox.
You should now be able to schedule a scan using the following parameters:

Command-line Arguments: --profile server
Path to XCCDF document: /usr/share/xml/scap/ssg/content/ssg-rhel6-xccdf.xml

Click the Schedule button once you've completed the fields. It can take several minutes to complete the scan. Navigate to the List Scans tab to view the completed scans. You can then review the results and filter on pass or failed results. You can also schedule regular scans to ensure that no security regressions occur.
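Regular scans only catch regressions if someone compares one run with the next. The following script is an added example, not part of the original lab: it assumes you have saved the text output of two oscap xccdf eval runs (the Rule and Result lines that oscap prints per rule) and lists every rule that passed in the earlier run but not in the later one. The rule ids and results in the sample are constructed, and the output is trimmed to the two line types the parser reads.

```shell
#!/bin/sh
# Added example: list rules that passed in an earlier oscap run but not in a later one.

# write_samples DIR: constructed output of two runs (rule ids are made up).
write_samples() {
    cat > "$1/old.txt" <<'EOF'
Rule    sample_rule_a
Result  pass
Rule    sample_rule_b
Result  pass
Rule    sample_rule_c
Result  fail
Rule    sample_rule_e
Result  pass
EOF
    cat > "$1/new.txt" <<'EOF'
Rule    sample_rule_a
Result  pass
Rule    sample_rule_b
Result  fail
Rule    sample_rule_c
Result  pass
Rule    sample_rule_d
Result  fail
Rule    sample_rule_e
Result  notchecked
EOF
}

# regressions OLD NEW
# Prints "<rule> pass-><new result>" for each rule that was "pass" in OLD and
# is anything else in NEW. Rules that are new or were already failing are skipped.
regressions() {
    awk '
        $1 == "Rule" { rule = $2 }
        $1 == "Result" && rule != "" {
            if (FILENAME == ARGV[1]) { old[rule] = $2 }
            else if (old[rule] == "pass" && $2 != "pass") { print rule, old[rule] "->" $2 }
            rule = ""
        }' "$1" "$2"
}

# Stand-alone run on the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
regressions "$tmp/old.txt" "$tmp/new.txt"
rm -rf "$tmp"
```

A rule that moves from pass to notchecked is reported as well, because the later scan no longer proves the control is in place.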