Spacewalk cluster with self-signed certs.

Spacewalk has a lot of options. There’s a lot of good docs out there by the default docs are somewhat hard to follow.┬áThis post is intended to be a framework to create a self-signed CA (or use a third-party CA and skip the self-signed portion), and then apply the root CA cert to the entire cluster simplifying configuration. If you go self-signed, you’re definitely going to want to create the CA certs.

For the purpose of this post, we’re making a master and slave configuration with proxies.

Wewt. We have our signing key. Time to sign some certs. For this post we’re going to have 7 servers: – the spacewalk master server. – These are the spacewalk portal/slave servers. These will pull packages and channels from the master server. – These are the Spacewalk proxies. Each of these sits in front of the Spacewalk slave and caches packages.

A quick note on how this configuration works. The master server pulls in packages and assigns them to channels (repos.) The slave servers sync content with the master. Errata is assigned to the slaves and tied to channels, and packages in those channels. You can run servers directly against the slaves or master, but it can be tipped over under heavy load. The proxies use Squid to cache packages offloading much of the work but otherwise are just relays.

On relays, there’s two basic forms of package management. OSAD, and RHN. OSAD uses a HTTP keepalive sessions from each client to the SW server to allow for pushes. It’s very handy, but it can be a pain to maintain with a large number of clients. RHN is the other method. Each server will check into the proxy/slave/master every 60 minutes by default and see if there are commands queued.

Back to the build. We’re going to make some client certs, then sign them.

Now we have ssl certs for each of the servers in this cluster. Copy them over to each server. The structure of the directories on each server will need to be this:

This imports the cert into the Spacewalk application. Lets create the RPM for the CA, and each server:

Substitute proxy.c.slave for each of the hostnames listed previously. There will be 7 total here. Validate that each cert matches:

If there are any problems, recreate, or resign the certs.

Now that we have the actual SSL certs, lets start applying them. Spacewalk has tools that creates RPM’s for the CA (/root/RHN-ORG-TRUSTED-SSL-CERT) and also the certs.

There’s an additional step on the slaves, and the master:


On the proxies:

There’s some basic management needed next and good guides out there for that stage of things. At a minimum, you need to go into the slave servers and add the proxies, grant them access to any wanted channels and make sure that they have a provisioning entitlement.

On each client to connect to these servers:

This took a lot of piecing things together. It’s not really complex and there’s some good guides out there but it’s hard to get everything working from end to end.