[Spacewalk-list] OSAD fails to check in on two servers

[Reneau, Wes W [HDS]]

Fellow walkers,

I have two clients that originally checked in to swalk via OSAD w/o any 
problems but now they continue to show “offline as of unknown”.  I have nearly 
100 other clients that are online w/o any problem.

I’ve removed the osad-auth.conf file and restarted osad w/o no luck.  I’ve 
confirmed a connection is being made to swalk from the client with lsof –I and 
netstat yet the GUI still shows the client as offline.  I’ve confirmed the keys 
and certs all include the correct FQDN. The osad.conf file is using the cert 
from spacewalk, and I’ve confirmed the serverURL matches the spacewalk FQDN.

osad   9895   root3u  IPv4 5217633   TCP 
:47331->:xmpp-client (ESTABLISHED)
tcp0  0 :47331  :5222  ESTABLISHED


As stated originally, this is only for 2 clients.

Ideas?

Thanks
Wes
___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Re: [Spacewalk-list] registering clients after update

[Boyd, Robert]

Hemen,

If you already include a sub-channel for the Spacewalk Client tools under the 
channel your clients are subscribed to, you can simply update the repository to 
point to the 2.3 client feed, resync the sub-channel/repository, and then you 
will see the client update available to each of your clients.   The next time 
you update them automatically or manually they will pull the new client.

Robert Boyd
Sr. Systems Engineer 
PeopleFluent
p. 919-645-2972 | c. 919-306-4681
e. robert.b...@peoplefluent.com


Click here to experience the power of the new PeopleFluent Mirror Suite T
Visit: www.peoplefluent.com | Read: PeopleFluent Blog | Follow: @PeopleFluent

-Original Message-
From: spacewalk-list-boun...@redhat.com 
[mailto:spacewalk-list-boun...@redhat.com] On Behalf Of hemen.me...@gmail.com
Sent: Wednesday, April 29, 2015 10:00 AM
To: spacewalk-list@redhat.com
Subject: [Spacewalk-list] registering clients after update

I had a working install of SW 2.2. with clients that were registered and 
working properly, then I decided to upgrade to SW 2.3 and followed the 
directions here:
https://fedorahosted.org/spacewalk/wiki/HowToUpgrade

I now would like to know how to upgrade the clients to work with the newly 
upgraded 2.3 server. (is it as simple as treating the existing clients as new 
clients and follow the procedures on this page?
https://fedorahosted.org/spacewalk/wiki/RegisteringClients)

Thank you for all your help, it is very much appreciated.

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Re: [Spacewalk-list] Config management questions

[Will Beldman]

Hi Andy,

I appreciate these comments.

While I recognize that if the root user is properly locked down, sharing a 
password would be acceptable. Unfortunately, I cannot wield that level of 
control over all our systems.

In the end, I have decided to forgo the /etc/shadow file and depend on the 
/etc/passwd to alert me to local user creates. I will re-address it when 
either:
* We put up a config management server
* Spacewalk supports logic and/or wildcards in its config management macros

WB

On April 28, 2015 01:25:36 PM Andy Ingham wrote:
> Will --
> 
> Your use cases seem similar to what we've implemented here.  That is, the
> versioning isn't as full-featured as something like git, but serves the
> purpose well of validating that key files haven't changed across the plant
> (I've got a daily script that leverages the spacewalk API to flag the
> files that are no longer in spec.)
> 
> You are also correct that it isn't close to the power of puppet, but
> certainly is much lighter-weight and quicker to deploy (again, for a
> specific use-case).
> 
> On the subject of root passwords:  is it important to your organization to
> have DIFFERENT root passwords for each of your servers?  (Yes, I'm
> serious!)  If you disallow remote root login (which you should!), and
> leverage "sudo" for elevating privileges (with users' using their OWN
> password), the root passwords are never really used / exposed.  In such a
> case, it's much easier to manage if they are all the same.
> 
> (Which leads me back to ansible...)  If having them the same makes you (or
> your bosses) insist on CHANGING those passwords more frequently, I'd
> suggest using ansible to do so.  It's worked GREAT for us here.  (It's a
> fast enough process that you could change your root passwords once a
> MONTH, if that's what would make folks happy.)
> 
> Changing root passwords across the plant via ansible:
> 
> Create a pseudo-random salt to use for the password hashing:
>  [root@HOSTXYZ ~]# python
> 
>  >>> import os
>  >>> os.urandom(32).encode('base_64')
> 
>  '+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/NpLcyJDE=\n'
> 
> The output of the step above provides the INPUT for the next set of
> commands (see right AFTER "$1$" below)
> 
> Create a hash of the new password using python's crypt function (see
> also
> http://mjanja.co.ke/2013/01/generate-salted-shadow-hashes-using-python-cryp
> 
> t/ ).  E.g.:
>  >>> import crypt
> 
> crypt.crypt("mysupertoughpassword",'$1$+Ks4YQAwuHLotW6PX/+9Tzf0B8HQmF43Kr/N
> pLcyJDE=\n')
>  '$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0'
> 
>  >>> quit()
> 
> The output of the step above allows for the needed INPUT to ansible
> below:
>  ansible HOSTS_LISTED_HERE -m user -a 'name=root
> password=$1$+Ks4YQAw$l0aKYjp7tZinnU25B.KfN0' -K --sudo
> 
> 
> 
> Just some thoughts...
> 
> 
> Andy
> 
> On 4/27/15, 12:02 PM, "Will Beldman"  wrote:
> 
> I'm trying to do a better job in my organization managing changes to
> configuration files.
> 
> Most of our authentication and authorization I'd like to defer to LDAP so
> I
> figured monitoring some local user management config files would be a good
> start (eg. /etc/passwd, /etc/shadow, /etc/group). My idea was that if a
> sysadmin tried to add a local user, Spacewalk could alert me to the change
> because it would no longer match my centrally manged files.
> 
> However, I've already realized that I have a problem with my /etc/shadow
> file
> because the hash associated with the root password will obviously be
> different
> for every machine so I cannot manage it centrally.
> 
> I tried to use macros like so:
> =
> root:{| rhn.system.custom_info(root_hash) |}::0:9:7:::
> ...
> =
> and this works but I've realized that this means I am loading the root
> password hash onto every system as a custom info value which is probably
> not a
> good idea security-wise. If my Spacewalk server were compromised, the
> /etc/shadow file for every system is also compromised.
> 
> Is there any ability to do things like ignore certain lines or put in
> regex
> wildcards so I can just say "put whatever you want in here"? Or is there a
> feature request for this?
> 
> 
> Also, can I get some idea, philosophically, on how to leverage config
> management in Spacewalk to it's potential. I think I really need to put up
> a
> config management server (Puppet/Chef/etc) to do what I really want, but
> in
> the interim, I was hoping to get some ideas on common uses for config
> management in Spacewalk.
> 
> ___
> Spacewalk-list mailing list
> Spacewalk-list@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
> 
> 
> ___
> Spacewalk-list mailing list
> Spacewalk-list@redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list
-- 
*Will Beldman*
*Systems and Database Administrator (ITS)*
*Weste

[Spacewalk-list] Spacewalk kickstart package dependencies

[James Feister]

Trying to kickstart a centos 7 system with spacewalk and cobbler.

The base for centos7 contains amongst others the following packages

rhn-client-tools-2.0.2-6.el7.noarch.rpm
rhnlib-2.5.65-2.el7.noarch.rpm

According to this branch on git hub
https://github.com/spacewalkproject/spacewalk/pull/215  some functions in
these packages were renamed from pune to puny.  The new packages from
http://yum.spacewalkproject.org/2.3-client/RHEL/7/x86_64/ reflect this
change.

rhnlib-2.5.75-1.el7.noarch.rpm
rhn-setup-2.3.16-1.el7.noarch.rpm


The problem is when creating a kickstart for the centos machine, there are
two lines a 'wget and rpm' that will only request and update the following
packages

libxml2-python-2.9.1-5.el7_1.2.x86_64.rpm
libxml2-2.9.1-5.el7_1.2.x86_64.rpm
pyOpenSSL-0.13.1-3.el7.x86_64.rpm
rhnlib-2.5.75-1.el7.noarch.rpm

The request and install are sucessfull but it  does not include the updated
rhn-client-tools that uses the newer puny naming.  It is when the client
executes rhnreg_ks that it is calling the original function names that have
changed.


I have tried removing the older package versions and replacing my kickstart
distribution basechannel packages with the newer ones but the dependencies
fail for the rhnlib-2.5.65-2.el7.noarch.rpm.

Am I overlooking something or is there a workaround for this?

Thanks,

Jim
___
Spacewalk-list mailing list
Spacewalk-list@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list