Archive for the ‘spacewalk’ Category

Reviewing auditd logs with Spacewalk

One feature of Spacewalk is the ability to review auditd logs. If you don't know what auditd is, here is a good introduction: http://security.blogoverflow.com/2013/01/a-brief-introduction-to-auditd/
To sum it up, you can monitor/log nearly every change on your system with it, like file access, file attribute changes, logins, service starts, user interaction etc., based on rules.
As you can imagine, this produces a tremendous amount of logs. To read them effectively, we need some assistance, for instance from Spacewalk.

Spacewalk Errata integration for Slack

We are using Slack at our company and we have an #emergency room for collaboration during critical situations. I thought it would be nice to have Spacewalk Errata information posted there in addition to the emails Spacewalk sends us.

So I made a small Python script which can be run as a cron job and collects all relevant security Errata affecting at least one system. It then posts those to a Slack channel or group.

Spacewalk 2.3 tested to work with Ubuntu / Debian clients

As announced on the Spacewalk mailing list, Spacewalk 2.3 is going to be released soon and is in QA/QE now.

I took this as a reason to test Ubuntu / Debian integration with Spacewalk 2.3 from the nightly repo. As it turns out, everything is working well, namely:

  • Creation of Debian Channels
  • Pushing / Syncing .deb packages to Spacewalk
  • Registering Ubuntu systems
  • Importing Ubuntu Errata (I updated the errata-import.pl script slightly to make it work)
  • OSAD
  • Package management
  • Remote Command Execution

Refer to my other Spacewalk articles on how to set all this up.

GPG signing APT repository in Spacewalk

After following my article on how to register Ubuntu and Debian clients with Spacewalk, you might have noticed an APT warning:

WARNING: The following packages cannot be authenticated.

This happens because the APT repositories in Spacewalk are not GPG signed. You can still install the packages but have to acknowledge it by entering “yes”.

For various reasons it would be better to have the repository signed. Read on after the jump to see how I got that working.

Spacewalk Remote Command Execution with Ubuntu / Debian clients

In my last article I showed you how to get OSAD working for Ubuntu clients, which comes in handy for my new article about remote command execution. With the help of OSAD the commands will be executed immediately and you don't need to wait for clients to check in and pick them up.

Read on after the jump…

Enabling Spacewalk's OSAD for Ubuntu clients

What is OSAD?

Spacewalk clients are checking in with Spacewalk every 240 minutes by default. You can change this in /etc/rhn/rhnsd but it will still be polling for scheduled actions and not receiving them instantly.
OSAD solves this problem. It's based on Jabber and runs an osa-dispatcher on the Spacewalk server which tells clients to check in immediately when there are actions scheduled for them.
You can read more on it here: https://fedorahosted.org/spacewalk/wiki/OsadHowTo

Do I really need it?

That depends on your individual setup and what you are using Spacewalk for. For most people it's probably OK to have scheduled actions performed with a delay. For some it might not be.
Especially if you want to use the “Command Execution” capability of Spacewalk, you certainly want commands to be executed ASAP. I’ll be showing you how to get that working with Ubuntu clients in my next article.

So read on after the jump to see how to get OSAD running.

Chef Cookbook for Spacewalk server and clients

I wrote two cookbooks to work with Spacewalk and submitted them to Chef's Supermarket.

Read on after the jump to see how to use these cookbooks. I promise it's really simple, though.

Kickstarting and Provisioning Ubuntu systems with Spacewalk

In the comments of my last article someone asked about provisioning Ubuntu clients with Spacewalk. As I had never tried this, it got me curious, so I played around with it. It was a bit tricky, but in the end I got it working pretty well.

First of all you need an Ubuntu repository and channel in your Spacewalk, as described in this article.

Now for some prerequisites:

yum install cobbler-loaders
# SELinux should be disabled in general for Spacewalk to avoid several problems
# (setenforce 0 switches the running system to permissive mode until the next reboot)
setenforce 0

Configuring Errata for Ubuntu with Spacewalk

In my last article I have shown you how to get Ubuntu servers registered and integrated with Spacewalk.

However, something important is still missing: getting Errata into Spacewalk for Ubuntu systems. Errata are security, bugfix and enhancement advisories published by distribution vendors like Debian, CentOS, RHEL and Ubuntu. These Errata can be imported into Spacewalk, which then shows/emails which systems/packages are affected along with information like CVE numbers. You can then “apply” the Errata to these systems, triggering a remote update. That way you will always know if your systems lack critical updates.

Unfortunately, there is no general source or feed for getting these Errata into Spacewalk. A good source is the security mailing lists of the vendors, but you still need to parse them and import via the API. For CentOS / RHEL there exist a few scripts:

However, for Ubuntu no such script existed, so I had to write one myself. Read on to see where to get it and how to integrate it!

Registering Ubuntu and Debian Servers with Spacewalk

You have probably heard of Spacewalk, the systems management solution for RHEL / CentOS and other Red Hat-based systems.
It provides and manages content / package updates for all your servers along with some other features like kickstarting / bootstrapping nodes, audits and some simple config management if you don't run Chef, Puppet or similar.

However, did you know that by now you can also (fully) manage your Debian/Ubuntu systems with Spacewalk? Documentation on this is still sparse and you have to figure out certain things on your own.
Read on after the jump to see how to completely set up and configure Spacewalk 2.2 to work with Ubuntu clients, including Errata!
