DevNet
Spacewalk Documentation
Lockdown Scripts
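#raw
# CentOS 7 lockdown snippet. The #raw / #end raw wrapper keeps the templating
# engine away from the shell's own `$` expansions. Progress goes to $LOG.
LOG=/root/ks-lockdown.log
SSHD_CONFIG=/etc/ssh/sshd_config
XCCDF=/usr/share/xml/scap/ssg/content/ssg-rhel7-xccdf.xml
PROFILE=stig-rhel7-server-upstream

# Replace the literal sshd_config text $1 with $2. When $1 is not present,
# append the note $3 to the log instead. An explicit if/else is used so that a
# failing sed is not mistaken for "nothing to do".
sshd_replace() {
  local from=$1 to=$2 note=$3
  if grep -q -- "$from" "$SSHD_CONFIG"; then
    sed -i "s/$from/$to/" "$SSHD_CONFIG"
  else
    echo "$note" >> "$LOG"
  fi
}

printf " Locking Down CentOS 7: "
/bin/bash /tmp/status.sh &
# Remember the PID of the progress indicator now; looking it up later with
# ps | grep status can select an unrelated process.
STATUSPID=$!

echo 'CCE-27053-8 - Set Password Hashing Algorithm in /etc/libuser.conf' >> "$LOG"
sed -i 's~crypt_style.*~crypt_style = sha512~' /etc/libuser.conf

# Package changes are logged rather than discarded so a failed step is visible.
yum -y remove vasclnt &>> "$LOG"
yum -y install clamav &>> "$LOG"

echo 'Installing oscap' >> "$LOG"
# NOTE(review): --nogpgcheck installs the scanner and its content without
# signature verification, so the tooling that hardens and audits this host is
# itself unauthenticated. Import the repository key and drop the flag once the
# packages come from a signed source.
yum -y --nogpgcheck install spacewalk-oscap scap-security-guide &>> "$LOG"

# Make the RHEL 7 benchmark applicable to CentOS 7 by adding its CPE.
sed -i '/<platform idref="cpe:\/o:redhat:enterprise_linux:7"\/>/a \ \ <platform idref="cpe:\/o:centos:centos:7" \/>' "$XCCDF"
#sed -i 's~idref="audit_rules_privileged_commands" selected=".*"~idref="audit_rules_privileged_commands" selected="false"~' /usr/share/xml/scap/ssg/content/ssg-centos7-xccdf.xml

# First pass remediates, second pass records the resulting state.
/usr/bin/oscap xccdf eval --profile "$PROFILE" --remediate "$XCCDF" &>> "$LOG"
# presumably the remediation leaves "MACs" glued to the preceding line; this
# puts it back on a line of its own - TODO confirm
sed -i "s/MACs/\\nMACs/" "$SSHD_CONFIG"
/usr/bin/oscap xccdf eval --profile "$PROFILE" --oval-results --results ssg-rhel7-xccdf.xml.result.xml "$XCCDF" &>> "$LOG"
/usr/bin/oscap xccdf generate report --oval-template ssg-rhel7-oval.xml.result.xml ssg-rhel7-xccdf.xml.result.xml > /root/stig-report-xccdf-oval.html

# NOTE(review): "Already complete" is also logged when a directive is missing
# altogether, in which case sshd uses its built-in default. The effective
# lines are written to the log below so the outcome can be checked.
echo 'CVE-2004-1653' >> "$LOG"
sshd_replace '#AllowTcpForwarding yes' 'AllowTcpForwarding no' 'CVE-2004-1653 (1 of 2) Already complete'
sshd_replace 'AllowTcpForwarding yes' 'AllowTcpForwarding no' 'CVE-2004-1653 (2 of 2)Already complete'

echo 'CVE-2007-2243' >> "$LOG"
sshd_replace '#ChallengeResponseAuthentication yes' 'ChallengeResponseAuthentication no' 'CVE-2007-2243 (1 of 2) Already complete'
sshd_replace 'ChallengeResponseAuthentication yes' 'ChallengeResponseAuthentication no' 'CVE-2007-2243 (2 of 2) Already complete'

# Record what sshd will actually read for the two directives.
grep -E '^[[:space:]]*(AllowTcpForwarding|ChallengeResponseAuthentication)[[:space:]]' "$SSHD_CONFIG" >> "$LOG"

kill "$STATUSPID"
printf "\b\b\b\b\b\b\b\b"
echo -e "[ \e[1;32mOK\e[0;39m ]"
#end raw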
https://copr-be.cloud.fedoraproject.org/results/openscapmaint/openscap-latest/epel-7-x86_64/
Spacewalk Installation Instructions
Installing Spacewalk
Joining a Client (Centos 6) to Spacewalk
On the Client as root, run:
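# Register a CentOS 6 client with Spacewalk. Run as root.
# Everything runs in a subshell with `set -e`: a failed step stops the
# procedure without closing the calling shell, and no `cd` leaks out of it.
(
  set -e

  register_url=http://spacewalk/pub/register
  keys_url=http://spacewalk.devnet.prv/pub/keys
  ca_url=http://spacewalk.devnet.prv/pub/RHN-ORG-TRUSTED-SSL-CERT
  ca_cert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

  # Downloaded and installed.
  install_rpms=(
    rhn-setup-2.2.7-1.el6.noarch.rpm
    rhnsd-5.0.14-1.el6.x86_64.rpm
    rhn-check-2.2.7-1.el6.noarch.rpm
    rhn-client-tools-2.2.7-1.el6.noarch.rpm
    yum-rhn-plugin-2.2.7-1.el6.noarch.rpm
    m2crypto-0.20.2-9.el6.x86_64.rpm
    python-dmidecode-3.10.13-3.el6_4.x86_64.rpm
    python-hwdata-1.7.3-1.el6.noarch.rpm
    python-gudev-147.1-4.el6_0.1.x86_64.rpm
  )
  # Downloaded but never handed to yum.
  # NOTE(review): confirm that leaving the rhncfg packages uninstalled is intended.
  fetch_only_rpms=(
    rhncfg-5.10.73-1.el6.noarch.rpm
    rhncfg-actions-5.10.73-1.el6.noarch.rpm
    rhncfg-client-5.10.73-1.el6.noarch.rpm
  )
  gpg_keys=(
    RPM-GPG-KEY-EPEL-6
    RPM-GPG-KEY-CentOS-6
    RPM-GPG-KEY-EPEL-7
    RPM-GPG-KEY-CentOS-7
    RPM-GPG-KEY-redhat-release5
    RPM-GPG-KEY-redhat-release6
    RPM-GPG-KEY-spacewalk-2014
    RPM-GPG-KEY-spacewalk-2012
    RPM-GPG-KEY-spacewalk-2010
    RPM-GPG-KEY-spacewalk-2008
  )

  # Private scratch directory, removed on every exit path, instead of
  # reg-rpms/ and keys/ in whatever directory the shell happens to be in.
  workdir=$(mktemp -d)
  trap 'rm -rf -- "$workdir"' EXIT
  mkdir "$workdir/rpms" "$workdir/keys"

  # Client packages.
  cd "$workdir/rpms"
  urls=()
  for rpm_file in "${install_rpms[@]}" "${fetch_only_rpms[@]}"; do
    urls+=("$register_url/$rpm_file")
  done
  wget "${urls[@]}"
  yum -y localinstall "${install_rpms[@]}"

  # Package signing keys. The ./ prefix keeps a file name from being read as
  # an rpm option, and the directory holds nothing but the keys fetched here.
  cd "$workdir/keys"
  urls=()
  for key_file in "${gpg_keys[@]}"; do
    urls+=("$keys_url/$key_file")
  done
  wget "${urls[@]}"
  rpm --import ./*

  # These marker files let the Spacewalk server run scripts as root on this
  # client (script/run) and deploy configuration files to it (configfiles/all).
  mkdir -p /etc/sysconfig/rhn/allowed-actions/script
  touch /etc/sysconfig/rhn/allowed-actions/script/run
  mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
  touch /etc/sysconfig/rhn/allowed-actions/configfiles/all

  # Organization CA certificate. It is the trust anchor for every later HTTPS
  # connection to the server, yet it arrives over plain HTTP like the packages
  # and keys above. Compare the printed fingerprint with one obtained from the
  # server by another path.
  mkdir -p /usr/share/rhn/
  wget "$ca_url" -O "$ca_cert"
  openssl x509 -noout -fingerprint -sha256 -in "$ca_cert"

  # Point the rhn configuration files at the organization CA. Only regular
  # files are edited; allowed-actions/ is a directory.
  for conf in /etc/sysconfig/rhn/*; do
    if [ -f "$conf" ]; then
      perl -npe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i "$conf"
    fi
  done

  # NOTE(review): an activation key authorizes registration of new systems;
  # this one is published on the page, so rotate it and treat the replacement
  # as a secret.
  rhnreg_ks --serverUrl=https://spacewalk.devnet.prv/XMLRPC --sslCACert="$ca_cert" --activationkey=1-97d994ea86b8f4ce665d6ef01546834b,1-centos6
)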
Joining a Client (Centos 7) to Spacewalk
On the Client as root, run:
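# Register a CentOS 7 client with Spacewalk. Run as root.
# Everything runs in a subshell with `set -e`: a failed step stops the
# procedure without closing the calling shell, and no `cd` leaks out of it.
(
  set -e

  register_url=http://spacewalk/pub/register/centos7
  keys_url=http://spacewalk.devnet.prv/pub/keys
  ca_url=http://spacewalk.devnet.prv/pub/RHN-ORG-TRUSTED-SSL-CERT
  ca_cert=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT

  # Downloaded and installed.
  install_rpms=(
    jabberpy-0.5-0.27.el7.noarch.rpm
    python-hwdata-1.7.3-4.el7.noarch.rpm
    rhncfg-actions-5.10.83-1.el7.noarch.rpm
    rhn-check-2.3.16-1.el7.noarch.rpm
    rhnsd-5.0.15-1.el7.x86_64.rpm
    yum-rhn-plugin-2.3.3-1.el7.noarch.rpm
    osad-5.11.57-1.el7.noarch.rpm
    rhncfg-5.10.83-1.el7.noarch.rpm
    rhncfg-client-5.10.83-1.el7.noarch.rpm
    rhn-client-tools-2.3.16-1.el7.noarch.rpm
    rhn-setup-2.3.16-1.el7.noarch.rpm
    systemd-sysv-208-20.el7.x86_64.rpm
    rhnlib-2.5.75-1.el7.noarch.rpm
    osa-common-5.11.57-1.el7.noarch.rpm
    libnl-1.1.4-3.el7.x86_64.rpm
    m2crypto-0.21.1-15.el7.x86_64.rpm
    pygobject2-2.28.6-11.el7.x86_64.rpm
    pyOpenSSL-0.13.1-3.el7.x86_64.rpm
    python-dmidecode-3.10.13-11.el7.x86_64.rpm
    python-ethtool-0.8-5.el7.x86_64.rpm
    usermode-1.111-5.el7.x86_64.rpm
    python-gudev-147.2-7.el7.x86_64.rpm
    libxml2-python-2.9.1-5.el7_1.2.x86_64.rpm
  )
  # Downloaded but never handed to yum.
  # NOTE(review): confirm that leaving these uninstalled is intended.
  fetch_only_rpms=(
    systemd-208-20.el7.x86_64.rpm
    python-2.7.5-16.el7.x86_64.rpm
    libxml2-python-2.9.1-5.el7_0.1.x86_64.rpm
  )
  gpg_keys=(
    RPM-GPG-KEY-EPEL-6
    RPM-GPG-KEY-CentOS-6
    RPM-GPG-KEY-EPEL-7
    RPM-GPG-KEY-CentOS-7
    RPM-GPG-KEY-redhat-release5
    RPM-GPG-KEY-redhat-release6
    RPM-GPG-KEY-spacewalk-2014
    RPM-GPG-KEY-spacewalk-2012
    RPM-GPG-KEY-spacewalk-2010
    RPM-GPG-KEY-spacewalk-2008
  )

  # Private scratch directory, removed on every exit path, instead of
  # reg-rpms/ and keys/ in whatever directory the shell happens to be in.
  workdir=$(mktemp -d)
  trap 'rm -rf -- "$workdir"' EXIT
  mkdir "$workdir/rpms" "$workdir/keys"

  # Client packages.
  cd "$workdir/rpms"
  urls=()
  for rpm_file in "${install_rpms[@]}" "${fetch_only_rpms[@]}"; do
    urls+=("$register_url/$rpm_file")
  done
  wget "${urls[@]}"
  yum -y localinstall "${install_rpms[@]}"

  # Package signing keys. The ./ prefix keeps a file name from being read as
  # an rpm option, and the directory holds nothing but the keys fetched here.
  cd "$workdir/keys"
  urls=()
  for key_file in "${gpg_keys[@]}"; do
    urls+=("$keys_url/$key_file")
  done
  wget "${urls[@]}"
  rpm --import ./*

  # These marker files let the Spacewalk server run scripts as root on this
  # client (script/run) and deploy configuration files to it (configfiles/all).
  mkdir -p /etc/sysconfig/rhn/allowed-actions/script
  touch /etc/sysconfig/rhn/allowed-actions/script/run
  mkdir -p /etc/sysconfig/rhn/allowed-actions/configfiles
  touch /etc/sysconfig/rhn/allowed-actions/configfiles/all

  # Organization CA certificate. It is the trust anchor for every later HTTPS
  # connection to the server, yet it arrives over plain HTTP like the packages
  # and keys above. Compare the printed fingerprint with one obtained from the
  # server by another path.
  mkdir -p /usr/share/rhn/
  wget "$ca_url" -O "$ca_cert"
  openssl x509 -noout -fingerprint -sha256 -in "$ca_cert"

  # Point the rhn configuration files at the organization CA. Only regular
  # files are edited; allowed-actions/ is a directory.
  for conf in /etc/sysconfig/rhn/*; do
    if [ -f "$conf" ]; then
      perl -npe 's/RHNS-CA-CERT/RHN-ORG-TRUSTED-SSL-CERT/g' -i "$conf"
    fi
  done

  # NOTE(review): an activation key authorizes registration of new systems;
  # treat it as a secret even when it is a readable label like this one.
  rhnreg_ks --serverUrl=https://spacewalk.devnet.prv/XMLRPC --sslCACert="$ca_cert" --activationkey=1-centos7
)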
Building RPMs
https://fedoraproject.org/wiki/How_to_create_an_RPM_package#Preparing_your_system
Finding GPG key ID and fingerprint
# Print the key ID and fingerprint stored in a key file, so they can be
# compared with the publisher's values before the key is trusted.
gpg --with-fingerprint RPM-GPG-KEY-redhat-release5
Output (First highlighted area is the ID and the Second is the fingerprint):
pub 1024D/37017186 2006-12-06 Red Hat, Inc. (release key) <[email protected]> Key fingerprint = 47DB 2877 89B2 1722 B6D9 5DDE 5326 8101 3701 7186
Import GPG key on Servers
Centos 6
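# Import the EPEL 6 and CentOS 6 package signing keys from the Spacewalk server.
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-6
# The download is plain HTTP, so show each key's fingerprint and compare it
# with the value published by the key's owner before importing.
for key in RPM-GPG-KEY-EPEL-6 RPM-GPG-KEY-CentOS-6; do
  gpg --with-fingerprint "$key"
done
rpm --import RPM-GPG-KEY-EPEL-6 RPM-GPG-KEY-CentOS-6
rm -f RPM-GPG-KEY-EPEL-6 RPM-GPG-KEY-CentOS-6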
Centos 7
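# Import the EPEL 7 and CentOS 7 package signing keys from the Spacewalk server.
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-7
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-CentOS-7
# The download is plain HTTP, so show each key's fingerprint and compare it
# with the value published by the key's owner before importing.
for key in RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-CentOS-7; do
  gpg --with-fingerprint "$key"
done
rpm --import RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-CentOS-7
rm -f RPM-GPG-KEY-EPEL-7 RPM-GPG-KEY-CentOS-7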
RHEL 5
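# Import the RHEL 5 release key from the Spacewalk server.
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release5
# The download is plain HTTP, so check the fingerprint before importing. The
# value recorded for this key earlier on the page is
#   47DB 2877 89B2 1722 B6D9 5DDE 5326 8101 3701 7186
gpg --with-fingerprint RPM-GPG-KEY-redhat-release5
rpm --import RPM-GPG-KEY-redhat-release5
rm -f RPM-GPG-KEY-redhat-release5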
RHEL 6
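# Import the RHEL 6 release key and the EPEL 6 key from the Spacewalk server.
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-redhat-release6
wget http://spacewalk.devnet.prv/pub/keys/RPM-GPG-KEY-EPEL-6
# The download is plain HTTP, so show each key's fingerprint and compare it
# with the value published by the key's owner before importing.
for key in RPM-GPG-KEY-redhat-release6 RPM-GPG-KEY-EPEL-6; do
  gpg --with-fingerprint "$key"
done
rpm --import RPM-GPG-KEY-redhat-release6 RPM-GPG-KEY-EPEL-6
rm -f RPM-GPG-KEY-redhat-release6 RPM-GPG-KEY-EPEL-6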
Configure PXE Booting
Change PXE Menu Names
vi /etc/cobbler/pxe/pxeprofile.template
## Per-profile PXE menu entry. The organization suffix is replaced with a
## space so that the menu shows the short profile name.
#set $new_name = $profile_name.replace(':1:SpacewalkDefaultOrganization', ' ')
#set $new_menu_label = $menu_label.replace(':1:SpacewalkDefaultOrganization', ' ')
LABEL $new_name
## MENU PASSWD with no argument: the entry is unlocked with the master password.
        MENU PASSWD
        kernel $kernel_path
        $new_menu_label
        $append_line
        ipappend 2
Update PXE files
# Regenerate the PXE files from the templates, then inspect the rendered menu.
cobbler sync
cat /var/lib/tftpboot/pxelinux.cfg/default
Add Password, Background, and WindowsDeployment to PXE Menu
vi /etc/cobbler/pxe/pxedefault.template
## Top-level PXE menu: title, background, colours, master password, the
## generated profile entries and a chain-load entry for Windows deployment.
DEFAULT vesamenu.c32
PROMPT 0
MENU TITLE DevNet Image Central
MENU BACKGROUND /devnetSplash.png
MENU MARGIN 1
MENU ROWS 15
MENU COLOR BORDER 30;44 #ffffffff #00000000 std
MENU COLOR TITLE 1;36;44 #ffffffff #00000000 std
MENU COLOR UNSEL 37;44 #ffffffff #00000000 std
MENU COLOR TIMEOUT_MSG 37;40 #ffffffff #00000000 std
## NOTE(review): the $1$ prefix marks an MD5-crypt hash. The rendered menu is
## served from /var/lib/tftpboot, so every PXE client can read this hash, and
## the value is also published on this page. Treat it as public: rotate the
## password, do not reuse it elsewhere, and use the strongest hash format the
## installed syslinux accepts.
MENU MASTER PASSWD $1$YVi/j0hL$a6SdxIUHZCA7jFisNZh6O/
TIMEOUT 80
TOTALTIMEOUT 6000
ONTIMEOUT $pxe_timeout_profile

LABEL local
        MENU LABEL (Boot Local System)
        MENU DEFAULT
        LOCALBOOT 0

$pxe_menu_items

LABEL WindowsDeployment
        MENU LABEL Windows Deployment
## No argument: this entry is unlocked with the master password.
        MENU PASSWD
        PXE tftp://10.81.49.27/pxelinux.0

MENU end
Setup Pam Authentication w/ VAS
- Put the following in /etc/pam.d/rhn-satellite
#%PAM-1.0
# PAM stack for the rhn-satellite service: authentication is decided by
# pam_vas3 alone. A success there is sufficient; any other result falls
# through to pam_deny, so there is no local-password fallback.
auth required pam_env.so
auth sufficient pam_vas3.so
auth required pam_deny.so
# Account checks: pam_vas3 first, then the local pam_unix check.
account sufficient pam_vas3.so
account requisite pam_vas3.so echo_return
account required pam_unix.so broken_shadow
- Add the following line to /etc/rhn/rhn.conf
pam_auth_service = rhn-satellite
Troubleshooting
Client Yum Errors
Error: Cannot retrieve repository metadata (repomd.xml) for repository: <channel> Please verify its path and try again.
- Client Side: Check /etc/sysconfig/rhn/up2date and make sure that the spacewalk URL is Fully Qualified.
- Spacewalk Side: Check /var/cache/rhn/repodata/<channel>/
- If noyumrepo.txt exists, log into the Web GUI and manage channels. Make sure that the channel Checksum Type is not set to 'None'.
Kickstart Errors
Installing error populating transaction, retrying (1/10) error populating transaction after 10 retries: failure: getPackage/<package name> from <repo name>: [Errno 256] No more mirrors to try.
- Spacewalk Side: Try running the following command:
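# Serving packages only needs read access, plus traverse on directories.
# a+rX grants exactly that. Mode 777 would also let any local account replace
# the RPMs that clients install from this server.
# NOTE(review): if the error persists, check file ownership and the SELinux
# context of the tree rather than widening the mode.
chmod -R a+rX /var/satellite/redhat/1/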
Spacewalk Scripts
cleanupPackages
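#!/bin/bash
# Script that uses RHN API to cleanup obsolete packages
# on Spacewalk server.
# Copyright (C) 2012 Nicolas PRADELLES
#
# Author: Nicolas PRADELLES ([email protected])
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
#
# Version Information:
#
# 0.1 - 2012-04-17 - Nicolas PRADELLES

# A failed spacecmd call inside a pipeline must not look like an empty list:
# an empty "latest" list would mark every package in the channel as obsolete.
set -o pipefail

LOGIN='droessne'
# NOTE(review): the password is passed to spacecmd with -p, so it is visible in
# the process list while the script runs. spacecmd can reportedly read
# credentials from its own configuration file instead - confirm for the
# installed version.
PASS=
SRV='localhost'
DIR='/tmp'

# Common spacecmd invocation; kept as an array so that each value stays a
# single argument even when it is empty or contains spaces.
SPACECMD=(spacecmd -s "$SRV" -u "$LOGIN" -p "$PASS" -q)

# Private scratch directory instead of predictable file names directly in
# $DIR, which other local users could pre-create. Removed on exit.
WORK=$(mktemp -d "$DIR/cleanupPackages.XXXXXX") || exit 1
trap 'rm -rf -- "$WORK"' EXIT

# extract spacewalk channels (one array element per word of output)
CHANNELS=($("${SPACECMD[@]}" softwarechannel_list))
# string cleanup to remove "esc[?1034h" in line beginning
CHANNELS[0]=${CHANNELS[0]:8}

# For each channel
for CHANNEL in "${CHANNELS[@]}"; do
  [[ -n "$CHANNEL" ]] || continue
  printf '################\n%s\n################\n' "$CHANNEL"

  # extract all packages in channel; the first 8 bytes of the output are the
  # escape sequence mentioned above
  if ! "${SPACECMD[@]}" softwarechannel_listallpackages "$CHANNEL" \
      | sed '1s/^.\{8\}//' | sort > "$WORK/$CHANNEL.all"; then
    echo "$CHANNEL: could not list all packages, skipping" >&2
    continue
  fi

  # extract latest packages in channel
  if ! "${SPACECMD[@]}" softwarechannel_listpackages "$CHANNEL" \
      | sed '1s/^.\{8\}//' | sort > "$WORK/$CHANNEL.latest"; then
    echo "$CHANNEL: could not list latest packages, skipping" >&2
    continue
  fi
  # Never delete against an empty "latest" list.
  if [[ -s "$WORK/$CHANNEL.all" && ! -s "$WORK/$CHANNEL.latest" ]]; then
    echo "$CHANNEL: latest package list is empty, skipping" >&2
    continue
  fi

  # diff to find obsolete packages
  comm -23 "$WORK/$CHANNEL.all" "$WORK/$CHANNEL.latest" > "$WORK/$CHANNEL.old"

  DELETED=0
  # check if the old package is installed on a managed client
  while read -r PACKAGE; do
    [[ -n "$PACKAGE" ]] || continue
    echo "$PACKAGE"
    # stdin comes from /dev/null so spacecmd cannot consume the package list
    # that feeds this loop
    SYSTEMS=($("${SPACECMD[@]}" package_listinstalledsystems "$PACKAGE" < /dev/null))
    SYSTEMS[0]=${SYSTEMS[0]:8}
    # If this package is not installed on a managed client
    # (presumably spacecmd prints exactly two words in that case - TODO confirm)
    if [[ ${#SYSTEMS[@]} -eq 2 ]]; then
      # delete the package in the channel
      "${SPACECMD[@]}" -y softwarechannel_removepackages "$CHANNEL" "$PACKAGE" > /dev/null < /dev/null
      DELETED=$((DELETED + 1))
    fi
  done < "$WORK/$CHANNEL.old"

  echo "$CHANNEL: ALL=$(wc -l < "$WORK/$CHANNEL.all"), LATEST=$(wc -l < "$WORK/$CHANNEL.latest"), OLD=$(wc -l < "$WORK/$CHANNEL.old"), DELETED=$DELETED"
  rm -f -- "$WORK/$CHANNEL".*
done

# delete orphaned packages
"${SPACECMD[@]}" -y package_removeorphans > /dev/null
# delete orphaned packages on disk
spacewalk-data-fsck -r -S -C -O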
convertISOtoKickstartTree
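#!/bin/bash
# Unpack a distribution DVD ISO into a kickstart tree under
# /var/satellite/rhn/kickstart/<name>, then drop the RPMs from the copy.
# Arguments: $1 - path to the ISO image
ISO=$1

# Test the argument as a string. The previous form, `if $ISO == ''`, executed
# the argument as a command instead of comparing it.
if [[ -z "$ISO" ]]; then
  echo "USAGE: convertISOtoKickstartableTree.sh <linux.iso>"
  exit 1
fi

# Tree name: file name of the ISO without its "-dvd.iso" part.
NAME=${ISO##*/}
NAME=${NAME/-dvd.iso/}
if [[ -z "$NAME" || "$NAME" == "." || "$NAME" == ".." ]]; then
  echo "cannot derive a tree name from '$ISO'" >&2
  exit 1
fi
TREE=/var/satellite/rhn/kickstart/$NAME

# Private mount point instead of a fixed /kickiso that is removed with rm -rf.
MNT=$(mktemp -d) || exit 1
# Output is discarded with a correct redirection; the old "> 2&>/dev/null"
# also created a stray file named "2".
if ! mount -o loop "$ISO" "$MNT" > /dev/null 2>&1; then
  echo "cannot mount $ISO" >&2
  rmdir "$MNT"
  exit 1
fi

mkdir -p "$TREE"
# NOTE(review): the * glob skips dot files such as .treeinfo - confirm that is
# intended.
cp -Ruf "$MNT"/* "$TREE"/
umount "$MNT"
rmdir "$MNT"

# Paths are absolute, so a failed `cd` can no longer send the deletion into
# the current directory.
find "$TREE" -type f -name '*.rpm' -exec rm -f -- {} +
# Readable and traversable for everyone, writable by the owner only. Mode 777
# would let any local account alter the installation tree.
chmod 755 "$TREE"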
createKickstartISO
# Build dren-ks.iso, a bootable CD that carries the same menu as the PXE
# server. Run from the directory that should become the ISO root.
# The PXE menu copied in below includes its MENU MASTER PASSWD hash, so the
# ISO exposes the same hash as the TFTP tree.
#yum -y install syslinux &> /dev/null
boot=isolinux
tftp=/var/lib/tftpboot
image=dren-ks.iso

# Start from an empty boot directory and no previous image.
mkdir -p "$boot"
rm -rf "$image"
rm -rf "$boot"/*

# syslinux modules first, then the CentOS 7 boot files on top of them.
cp -R /usr/share/syslinux/* "$boot"/
cp -a ../centos7-latest/isolinux/* "$boot"/

# Replace the stock menu and splash screen with the ones PXE clients get.
rm -rf "$boot/isolinux.cfg" "$boot/splash.png"
cp "$tftp/pxelinux.cfg/default" "$boot/isolinux.cfg"
cp "$tftp/splash.png" "$boot/splash.png"

# On the CD the kernel and initrd sit next to the menu, so the paths that
# point into the TFTP tree are rewritten to bare file names.
sed -i '/vmlinuz/c\ kernel vmlinuz ' "$boot/isolinux.cfg"
sed -i 's/\(initrd\).*\(initrd.img\)/initrd=initrd.img/g' "$boot/isolinux.cfg"

mkisofs -o "$image" -c "$boot/boot.cat" -b "$boot/isolinux.bin" -no-emul-boot -boot-load-size 4 -boot-info-table -J -l -r -T -v -V "DREN Kickstart CD" .
# Become root, build the ISO in the kickstart ISO directory, then move the
# result to where it is needed.
sudo su -
cd /var/satellite/rhn/kickstart/1/ISO
./createKickstartISO.sh
mv dren-ks.iso <destination directory>
exportAllChannels
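#!/bin/bash
# Export every selected channel changed since the last export as DVD ISOs
# into $DIRECTORY, then record today's date as the new starting point.
DIRECTORY="/projects/SpacewalkExports"
STAMP=/usr/share/rhn/scripts/lastexportdate.txt

CHANNELS=$(rhn-satellite-exporter --list-channels | egrep -v '=' | egrep -v Channel | grep 'B\|C' | awk '{ print $2 }')

mkdir -p "$DIRECTORY/working" || exit 1

# The stamp file is written by this script as YYYYMMDD. Anything else is
# rejected rather than passed on to the exporter.
START_DATE=$(cat "$STAMP") || exit 1
if [[ ! "$START_DATE" =~ ^[0-9]{8}$ ]]; then
  echo "unexpected content in $STAMP: '$START_DATE'" >&2
  exit 1
fi

# The command is built as an array and run directly. The previous string plus
# `eval` re-parsed the stamp file content and the channel names as shell code.
CMD=(rhn-satellite-exporter "--start-date=$START_DATE" --make-isos=dvd -d "$DIRECTORY/working/")
for channel in $CHANNELS; do
  CMD+=(-c "$channel")
done

# Only advance the stamp after a successful export; otherwise the next run
# would skip the changes this one failed to export.
if ! "${CMD[@]}"; then
  echo "export failed, $STAMP left unchanged" >&2
  exit 1
fi

mv "$DIRECTORY"/working/satellite-isos/*.iso "$DIRECTORY"/
# Empty the working directory by syncing it against an empty one.
# assumes /empty/ exists and is empty - TODO confirm
rsync -a --delete /empty/ "$DIRECTORY/working/"
#rm -rf $DIRECTORY/working
date +%Y%m%d > "$STAMP"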
findAndGetKickstartTree
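#!/bin/bash
# Find the newest CentOS 7 and CentOS 6 point releases on the mirror and build
# a kickstart tree and distribution for each. Output goes to $LOG.
LOG=/var/log/scripts/findAndGetKickstartTree.log
MIRROR=http://mirror.centos.org/centos/
MKTREE=/usr/share/rhn/scripts/mk-KickstartTree.py

# Print the highest release of major version $1 found in the mirror index
# held in $LISTING.
latest_release() {
  local major=$1
  printf '%s\n' "$LISTING" | grep folder | grep ">${major}\." | cut -d '"' -f 8 | cut -d '/' -f 1 | sort -g | tail -1
}

# Build the tree for release $1 and attach it to base channel $2.
# The release string is scraped from an HTML page fetched over plain HTTP, so
# it is checked against a dotted-number pattern before it is used as an
# argument.
build_tree() {
  local release=$1 channel=$2
  if [[ ! "$release" =~ ^[0-9]+(\.[0-9]+)+$ ]]; then
    echo "skipping $channel: unexpected release '$release'" >> "$LOG"
    return 1
  fi
  "$MKTREE" --release "$release" --arch x86_64 --target /var/satellite/rhn/kickstart --mirror "$MIRROR" -b "$channel" -c >> "$LOG" 2>&1
}

echo '########################################################################' >> "$LOG"
date >> "$LOG"

# Redirections are written out in full: the previous "2&>" form passed a
# literal "2" to the command as an extra argument.
cobbler sync > /dev/null 2>&1

# One fetch of the mirror index serves both lookups.
LISTING=$(curl --silent "$MIRROR")
CENT7LATEST=$(latest_release 7)
CENT6LATEST=$(latest_release 6)

# NOTE(review): the release number and the tree contents come from a public
# mirror over plain HTTP. Confirm that mk-KickstartTree.py or a later step
# verifies what is downloaded before clients install from it.
build_tree "$CENT7LATEST" centos7
build_tree "$CENT6LATEST" centos6

cobbler sync > /dev/null 2>&1
date >> "$LOG"
echo '########################################################################' >> "$LOG"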
getCompletedActionId
#!/usr/bin/python import xmlrpclib import time from datetime import datetime from space_cred import * SPACEWALK_USER, SPACEWALK_PASSWORD = space_cred() SPACEWALK_URL = "http://spacewalk.devnet.prv/rpc/api" CLIENT = xmlrpclib.Server(SPACEWALK_URL, verbose=0) KEY = CLIENT.auth.login(SPACEWALK_USER, SPACEWALK_PASSWORD) ACTIONS = CLIENT.schedule.listCompletedActions(KEY) print "-----------------------------------" for A in ACTIONS: print "Action Name: "+A['name'] print "Action ID: "+str(A['id']) print "-----------------------------------" CLIENT.auth.logout(KEY)
getServerIds
#!/usr/bin/python import xmlrpclib import time from datetime import datetime from space_cred import * SPACEWALK_USER, SPACEWALK_PASSWORD = space_cred() SPACEWALK_URL = "http://spacewalk.devnet.prv/rpc/api" CLIENT = xmlrpclib.Server(SPACEWALK_URL, verbose=0) KEY = CLIENT.auth.login(SPACEWALK_USER, SPACEWALK_PASSWORD) LIST = CLIENT.system.listSystems(KEY) print "-----------------------------------" for L in LIST: print "Server Name: "+L['name'] print "Server ID: "+str(L['id']) print "-----------------------------------" CLIENT.auth.logout(KEY)
makeKickstartTree
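#!/usr/bin/env python
#mkelfs - download a kickstartable distribution tree for an EL-like distro
#and optionally register it as a kickstart distribution over XML-RPC.
#Python 2 script (xmlrpclib, raw_input).
#
#NOTE(review): the listing this was recovered from had lost its line breaks
#and indentation; block nesting below is reconstructed - confirm against the
#upstream project before relying on it.

from optparse import OptionParser
import sys
import os
import shutil
import subprocess
import xmlrpclib
import getpass
import stat

#defining default mirrors
#NOTE(review): all defaults are plain http and nothing below verifies what
#wget stores - the boot images in the tree are only as trustworthy as the
#network path to the mirror.
default_centos="http://mirror.centos.org/centos"
default_scientific="http://ftp.scientificlinux.org/linux/scientific"
default_fedora="http://mirrors.kernel.org/fedora"
default_folders=["images","isolinux","repodata"]


def _fail(message):
	#write message to stderr and stop with exit status 1
	sys.stderr.write(message + "\n")
	sys.exit(1)


def _login(client, options):
	#return a session key; credentials come from the authfile, the shell
	#variables, the optional space_cred module or a prompt - in that order
	if options.authfile:
		if options.debug: print("DEBUG: using authfile")
		try:
			#lstat does not follow symlinks, so a link to a 0600 file is judged
			#by the link's own mode
			filemode = oct(stat.S_IMODE(os.lstat(options.authfile).st_mode))
			if filemode != "0600":
				_fail("ERROR: file permission ("+filemode+") not matching 0600!")
			if options.debug: print("DEBUG: file permission ("+filemode+") matches 0600")
			fo = open(options.authfile, "r")
			try:
				s_username=fo.readline().replace("\n", "")
				s_password=fo.readline().replace("\n", "")
			finally:
				fo.close()
		except (IOError, OSError):
			#open() raises IOError on Python 2, lstat raises OSError
			_fail("ERROR: file non-existent or permissions not 0600!")
		return client.auth.login(s_username, s_password)

	if "SATELLITE_LOGIN" in os.environ and "SATELLITE_PASSWORD" in os.environ:
		if options.debug: print("DEBUG: checking shell variables")
		return client.auth.login(os.environ["SATELLITE_LOGIN"], os.environ["SATELLITE_PASSWORD"])

	s_username = ""
	s_password = ""
	try:
		#optional site-local credential module; best effort by design, but
		#Ctrl-C and sys.exit are no longer swallowed
		from space_cred import space_cred
		s_username, s_password = space_cred()
	except Exception:
		pass
	if s_username == "":
		if options.debug: print("DEBUG: prompting for login credentials")
		s_username = raw_input("Username: ")
	if s_password == "":
		if options.debug: print("DEBUG: prompting for login credentials")
		s_password = getpass.getpass("Password: ")
	return client.auth.login(s_username, s_password)


def _check_api(client, options):
	#stop unless the server reports an API version listed in supportedAPI
	api_level = client.api.getVersion()
	#NOTE(review): supportedAPI is not defined anywhere in this listing; it has
	#to be provided (a list of accepted version strings) or this line raises
	#NameError.
	if not api_level in supportedAPI:
		_fail("ERROR: your API version ("+api_level+") does not support the required calls. You'll need API version 1.8 (11.1) or higher!")
	if options.debug: print("INFO: supported API version ("+api_level+") found.")


def _resolve_base_channel(client, key, options):
	#return the base-channel label to use: validate the one given with -b or
	#look for a channel labelled <distro><release>-<arch>
	listChannels = client.channel.listAllChannels(key)
	if options.debug: print("INFO: all channels" + str(listChannels))
	base = options.baseChannel
	if base != "":
		#compare labels exactly; a substring test on the printed list also
		#accepts names that merely occur inside another label or field
		matches = [c for c in listChannels if c["label"] == base]
		if not matches:
			_fail("ERROR: base-channel '" + base + "' does not exist!")
		if options.arch == "i386":
			wanted_arch = "IA-32"
		else:
			wanted_arch = options.arch
		for channel in matches:
			if channel["arch_name"] != wanted_arch:
				_fail("ERROR: base-channel '" + base + "' has a different architecture!")
	else:
		for channel in listChannels:
			if channel["label"] == options.distro+options.release+"-"+options.arch:
				if options.verbose: print("INFO: found matching base channel '" + channel["label"] + "'")
				base = channel["label"]
	#last check if we configured a base-channel
	if base == "":
		_fail("ERROR: unable to find a valid base-channel, please check your channels!")
	return base


def _install_type(distro, release):
	#map distro/release to the install type label, or None when unknown
	if distro == "fedora":
		return "fedora"
	if release.startswith("2.1"):
		return "rhel_2.1"
	#use the major version only, so "7" works as well as "7.x" and a minor
	#number can no longer be mistaken for the major one
	major = release.split(".")[0]
	if major in ("3", "4", "5", "6", "7"):
		return "rhel_" + major
	return None


def _cut_dirs(distro, mirror):
	#number of leading URL directories wget strips for this mirror layout
	if distro == "fedora":
		return 6
	if "vault" in mirror:
		return 3
	return 5


def _download(url, folder, dir_offset, workdir):
	#mirror one folder of the tree into workdir; returns wget's exit status.
	#The command is an argument list, so mirror, release and arch are never
	#interpreted by a shell.
	cmd = ["wget", "-e", "robots=off", "-q", "-r", "-nH",
		"--cut-dirs="+str(dir_offset), "--no-parent",
		"--reject", "index.html*", url+"/"+folder+"/"]
	try:
		return subprocess.call(cmd, cwd=workdir)
	except OSError:
		#wget missing or not executable
		return 127


if __name__ == "__main__":
	#define description, version and load parser
	desc='''%prog is used to create kickstartable distribution trees of EL-like distros like CentOS, Fedora and ScientificLinux. Optionally you can also create kickstart distributions on Spacewalk, Red Hat Satellite and SUSE Manager. Login credentials are assigned using the following shell variables:

		SATELLITE_LOGIN  username
		SATELLITE_PASSWORD  password

		It is also possible to create an authfile (permissions 0600) for usage with this script. The first line needs to contain the username, the second line should consist of the appropriate password.
If you're not defining variables or an authfile you will be prompted to enter your login information.

		Checkout the GitHub page for updates: https://github.com/stdevel/mkelfs'''
	parser = OptionParser(description=desc,version="%prog version 0.4")

	#-r / --release
	parser.add_option("-r", "--release", action="store", type="string", dest="release", help="define which release to use (e.g. 6.5)", metavar="RELEASE")

	#-x / --arch
	parser.add_option("-x", "--arch", action="store", type="string", dest="arch", help="define which architecture to use (e.g. x86_64)", metavar="ARCH")

	#-t / --target
	parser.add_option("-t", "--target", action="store", type="string", dest="target", default="/var/satellite/kickstart_tree", help="define where to store kickstart files. A subfolder will be created automatically. (default: /var/satellite/kickstart_tree)", metavar="DIR")

	#-m / --mirror
	parser.add_option("-m", "--mirror", dest="mirror", action="store", type="string", help="define a valid EL mirror to use - DON'T add the trailing slash! Have a loot at the EL mirror list (e.g. http://www.centos.org/download/mirrors) for alternatives", metavar="MIRROR")

	#-o / --distribution
	parser.add_option("-o", "--distro", dest="distro", default="centos", action="store", type="string", help="defines for which distro the files are downloaded (default: centos) - other possible values: fedora, scientific", metavar="DISTRO")

	#-f / --force
	parser.add_option("-f", "--force", dest="force", default=False, action="store_true", help="defines whether pre-existing kickstart files shall be overwritten")

	#-i / --ignore-existing
	parser.add_option("-i", "--ignore-existing", dest="ignoreExisting", default=False, action="store_true", help="don't throw errors if downloaded files are already existing (e.g. testing purposes)")

	#-q / --quiet
	parser.add_option("-q", "--quiet", action="store_false", dest="verbose", default=True, help="don't print status messages to stdout")

	#-d / --debug
	parser.add_option("-d", "--debug", dest="debug", default=False, action="store_true", help="enable debugging outputs")

	#-c / --create-distribution
	parser.add_option("-c", "--create-distribution", dest="createDistribution", default=False, action="store_true", help="creates a kickstart distribution on the Spacewalk / Red Hat Satellite or SUSE Manager server")

	#-b / --base-channel
	parser.add_option("-b", "--base-channel", dest="baseChannel", type="string", default="", help="defines the name of the distro base-channel", metavar="CHANNEL")

	#-a / --authfile
	parser.add_option("-a", "--authfile", dest="authfile", metavar="FILE", default="", help="defines an auth file to use instead of shell variables")

	#-s / --server
	parser.add_option("-s", "--server", dest="server", metavar="SERVER", default="localhost", help="defines the server to use")

	#parse arguments
	(options, args) = parser.parse_args()

	#both values are required; with "and" a single missing one slipped through
	#and was later used as the literal string "none"
	if options.release is None or options.arch is None:
		parser.error("missing values for release and arch!")

	#make options being lower-case in case you missed it
	options.distro = str(options.distro).lower()
	options.release = str(options.release).lower()
	options.arch = str(options.arch).lower()

	#these values become part of a directory name that --force deletes
	#recursively, so keep them to a single path component
	for value in (options.distro, options.release, options.arch):
		if "/" in value or value.startswith("-"):
			parser.error("distro, release and arch must not contain '/' or start with '-'")

	#setup default mirror URL (if no other defined) depending on selected distro
	if options.mirror is None:
		if options.distro == "scientific":
			options.mirror = default_scientific
		elif options.distro == "fedora":
			options.mirror = default_fedora
		elif options.distro == "centos":
			options.mirror = default_centos
		else:
			parser.error("no default mirror for distro '"+options.distro+"', use -m / --mirror")

	if options.distro == "scientific":
		url = options.mirror+"/"+options.release+"/"+options.arch+"/os"
	elif options.distro == "fedora":
		url = options.mirror+"/releases/"+options.release+"/Fedora/"+options.arch+"/os"
	else:
		url = options.mirror+"/"+options.release+"/os/"+options.arch

	#workaround for EL7: the tree also needs LiveOS
	folders = list(default_folders)
	if (options.release == "7" and options.distro in ["centos","scientific"]) or "7." in options.release:
		folders.append("LiveOS")
		if options.verbose: print("INFO: EL7 detected, making sure to also download LiveOS")

	#print debug output if required
	if options.debug: print("release: " + options.release + "\narch: " + options.arch + "\ntarget: " + options.target + "\nmirror: " + options.mirror + "\nforce: " + repr(options.force) + "\nverbose: " + repr(options.verbose) + "\ndebug: " + repr(options.debug) + "\ndistro: " + options.distro + "\nURL: " + url)

	tree_name = options.distro+"-"+options.release+"-"+options.arch
	tree_path = options.target+"/"+tree_name

	client = None
	key = None
	try:
		#only talk to the server when a distribution is to be created;
		#downloading a tree needs no credentials
		if options.createDistribution:
			#define URL and login information
			#NOTE(review): plain http - with a server other than localhost the
			#login call and the session key cross the network unencrypted.
			SATELLITE_URL = "http://"+options.server+"/rpc/api"
			#NOTE(review): verbose=options.debug makes the XML-RPC layer echo
			#its traffic, which presumably includes the login arguments -
			#treat -d output as sensitive.
			client = xmlrpclib.Server(SATELLITE_URL, verbose=options.debug)
			key = _login(client, options)
			_check_api(client, options)
			options.baseChannel = _resolve_base_channel(client, key, options)

		#check whether target is writable
		if os.access(options.target, os.W_OK):
			if options.verbose: print("INFO: path exists and writable")

			#check whether the directory already exists
			if os.path.exists(tree_path):
				if options.force:
					#delete content of directory if force given
					shutil.rmtree(tree_path)
					if options.verbose: print("INFO: deleted directory ("+tree_path+") because -f / --force given")
				elif not options.ignoreExisting:
					_fail("ERROR: kickstart tree directory ("+tree_path+") already exists! Use -f / --force to overwrite!")

			#NOTE(review): the download is assumed to be skipped entirely with
			#-i / --ignore-existing; the flattened listing does not show it.
			if not options.ignoreExisting:
				os.mkdir(tree_path)
				if options.verbose: print("INFO: about to download kickstart files for EL "+options.release+" "+options.arch+" from mirror "+options.mirror+"...")
				dir_offset = _cut_dirs(options.distro, options.mirror)
				if options.debug: print("INFO: dir_offset: "+str(dir_offset))
				for folder in folders:
					#stop at the first folder that fails instead of judging
					#the run by the last one only
					if _download(url, folder, dir_offset, tree_path) != 0:
						_fail("ERROR: some error occurred (see output above!) - hint: check URL ("+options.mirror+"/"+options.release+")")
				if options.verbose: print("INFO: successfully downloaded kickstart files for EL "+options.release+" "+options.arch+"!\nUse this file path for cobbler or the webui: "+tree_path)

			#readable and traversable for everyone, writable by the owner only:
			#a world-writable tree (0777) would let any local account replace
			#the boot images handed to machines being installed
			if subprocess.call(["chmod", "-R", "u=rwX,go=rX", tree_path]) != 0:
				sys.stderr.write("WARNING: unable to set permissions on "+tree_path+"\n")
		else:
			sys.stderr.write("ERROR: path non-existent or non-writable!\n")

		#create kickstart distribution
		if options.createDistribution:
			if options.verbose: print("INFO: Creating kickstart distribution...")

			#set install type
			installType = _install_type(options.distro, options.release)
			if installType is None:
				_fail("ERROR: unable to derive an install type from release '"+options.release+"'!")
			if options.debug: print("DEBUG: install type is '" + installType + "'")

			#create distribution
			result = client.kickstart.tree.create(key,"KD-"+tree_name,tree_path,options.baseChannel,installType)
			if result == 1:
				if options.verbose: print("Successfully created kickstart distribution 'KD-" + tree_name + "'")
	finally:
		#logout on every exit path so no session is left open on the server
		if key is not None:
			client.auth.logout(key)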
pushConfigurationChannelFiles
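#!/usr/bin/python
# Re-schedules the action(s) listed in ACTION_ID and, when MISSING_ENABLED is
# 1, schedules a configuration deploy for every system that is not reported as
# having completed the first of those actions. Python 2 script.
import xmlrpclib
import time
from datetime import datetime
from space_cred import *

SPACEWALK_USER, SPACEWALK_PASSWORD = space_cred()

#################################################################
#                         VARIABLES                             #
#################################################################
# NOTE(review): plain http - the login call below sends the password and
# receives the session key unencrypted.
SPACEWALK_URL = "http://spacewalk.devnet.prv/rpc/api"
MISSING_ENABLED = 0
ACTION_ID = [3064]

#################################################################
#                           CODE                                #
#################################################################
CLIENT = xmlrpclib.Server(SPACEWALK_URL, verbose=0)
KEY = CLIENT.auth.login(SPACEWALK_USER, SPACEWALK_PASSWORD)

try:
    LIST = CLIENT.system.listSystems(KEY)

    # Systems the server lists as completed for the first action id.
    ACTION_SYSTEMS = CLIENT.schedule.listCompletedSystems(KEY, ACTION_ID[0])
    ACTION_ID_LIST = [A['server_id'] for A in ACTION_SYSTEMS]

    # One pass with a set lookup replaces the nested scans over every system.
    COMPLETED_IDS = set(ACTION_ID_LIST)
    MISSING_SERVER_LIST = []
    MISSING_ID_LIST = []
    for L in LIST:
        if L['id'] not in COMPLETED_IDS:
            MISSING_SERVER_LIST.append(L['name'])
            MISSING_ID_LIST.append(L['id'])

    print("Missing %d Systems from the current scheduled action." % (len(MISSING_SERVER_LIST)))
    print("Pushing Configuration files to %d Systems" % (len(ACTION_ID_LIST)))

    # NOTE(review): the third argument is presumably the "only failed" flag -
    # confirm against the server's API documentation.
    RESULTS = CLIENT.schedule.rescheduleActions(KEY, ACTION_ID, 0)
    if RESULTS == 1:
        print("Successfully re-scheduled the action for the %d systems." % (len(ACTION_ID_LIST)))
    else:
        print("An Error occured while re-scheduling action ID %d." % (ACTION_ID[0]))

    if MISSING_ENABLED == 1:
        print("Pushing Configuration files to %d missing systems" % (len(MISSING_ID_LIST)))
        TODAY = datetime.today()
        EARLIEST_OCCURANCE = xmlrpclib.DateTime(TODAY)
        RESULTS = CLIENT.system.config.deployAll(KEY, MISSING_ID_LIST, EARLIEST_OCCURANCE)
        if RESULTS == 1:
            print("Successfully scheduled a deploy action for all %d missinge systems." % (len(MISSING_ID_LIST)))
        else:
            print("An Error occured while scheduling the deploy action.")
finally:
    # Close the session even when one of the calls above raises, so the key
    # does not stay valid on the server.
    CLIENT.auth.logout(KEY)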
reposync
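# Syncs every upstream repository into its Spacewalk channel and appends the
# tool output to LOG. Written for plain sh; no shebang is shown in the listing.
#
# NOTE(review): every source below is plain http, and the CentOS release
# number is scraped from an unauthenticated index page. Integrity of what
# lands in the channels then rests on package signature checking - confirm
# that it is enforced on the clients.

LOG=/var/log/scripts/spacewalk-repo-sync.log
mkdir -p /var/log/scripts/

# The separator must be quoted: an unquoted '#' starts a comment, which
# swallowed both the text and the redirection, so nothing reached the log.
printf '%s\n' '#####################################################' >> "$LOG"

# latest_centos MAJOR
# Reads the mirror index on stdin and prints the highest MAJOR.x entry.
latest_centos() {
  grep folder | grep ">$1\." | cut -d '"' -f 8 | cut -d '/' -f 1 | sort -g | tail -1
}

# is_version STRING
# Succeeds only for digits separated by dots (e.g. 6.5), so scraped text is
# never placed into a URL unchecked.
is_version() {
  case "$1" in
    '' | *[!0-9.]* | .* | *.) return 1 ;;
    *) return 0 ;;
  esac
}

# sync_repo URL CHANNEL
# Runs one sync and records a failure in the log; later syncs still run.
sync_repo() {
  spacewalk-repo-sync -u "$1" -c "$2" >> "$LOG" ||
    printf 'ERROR: sync of %s into %s failed\n' "$1" "$2" >> "$LOG"
}

# sync_centos VERSION SUBDIR CHANNEL
# Like sync_repo for a CentOS mirror path; skipped when VERSION is unusable.
sync_centos() {
  if is_version "$1"; then
    sync_repo "http://mirror.centos.org/centos/$1/$2/x86_64/" "$3"
  else
    printf 'ERROR: no usable CentOS release detected, skipped %s for %s\n' \
      "$2" "$3" >> "$LOG"
  fi
}

# Fetch the index once and derive both release numbers from it.
CENTOS_INDEX=$(curl --silent http://mirror.centos.org/centos/)
CENT7LATEST=$(printf '%s\n' "$CENTOS_INDEX" | latest_centos 7)
CENT6LATEST=$(printf '%s\n' "$CENTOS_INDEX" | latest_centos 6)

sync_repo http://yum.spacewalkproject.org/latest/RHEL/6/x86_64/ spacewalk-server6
sync_repo http://yum.spacewalkproject.org/latest/RHEL/7/x86_64/ spacewalk-server7
sync_repo http://yum.spacewalkproject.org/latest-client/RHEL/6/x86_64/ spacewalk-client
sync_repo http://yum.spacewalkproject.org/latest-client/RHEL/7/x86_64/ spacewalk-client-centos7
sync_repo http://yum.spacewalkproject.org/latest-client/RHEL/6/x86_64/ spacewalk-client-rhel-6
sync_repo http://yum.postgresql.org/9.4/redhat/rhel-7-x86_64/ 7-postgres94
sync_repo http://yum.postgresql.org/9.5/redhat/rhel-7-x86_64/ 7-postgres95
sync_repo http://download.ceph.com/rpm/el7/x86_64/ ceph-centos7
sync_centos "$CENT7LATEST" extras centos-7-extras
sync_centos "$CENT7LATEST" updates centos-7-updates
sync_repo http://dl.fedoraproject.org/pub/epel/6/x86_64/ rhel-6
sync_repo http://rhel6.devnet.prv/rhel6/ rhel-6
sync_repo http://dl.fedoraproject.org/pub/epel/6/x86_64/ centos6
sync_repo http://dl.fedoraproject.org/pub/epel/7/x86_64/ epel-7
sync_centos "$CENT6LATEST" os centos6
sync_centos "$CENT6LATEST" extras centos6
sync_centos "$CENT6LATEST" updates centos6
sync_centos "$CENT7LATEST" os centos7
sync_repo http://rhel5.devnet.prv/rhel5/ rhel-x86_64-server-5
sync_repo http://yum.spacewalkproject.org/latest-client/RHEL/5/x86_64/ spacewalk-client5
sync_repo http://yum.spacewalkproject.org/latest-client/RHEL/7/x86_64/ spacewalk-client-rhel-7
sync_repo http://rhel7.devnet.prv/rhel7/ rhel-7
sync_repo http://dl.fedoraproject.org/pub/epel/7/x86_64/ rhel-7-epel

# NOTE(review): 777 makes the synced package store writable by every local
# account. Left as found because the owning service account is not visible
# here; giving that account ownership and dropping write access for everyone
# else is the narrower setting.
chmod -R 777 /var/satellite/redhat/1/

printf '%s\n' '####################################################' >> "$LOG"
date >> "$LOG"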
spacewalkCreds
#!/usr/bin/python


def space_cred():
    """Return the Spacewalk login as a (username, password) tuple.

    Both values are literals kept in this module; the password literal is the
    empty string.
    """
    # NOTE(review): a password filled in here sits in plaintext in an
    # importable file - presumably the module should be readable only by the
    # account that runs the scripts.
    return "droessne", ""