Assign recent errata automatically to Spacewalk

Recent bugs and security issues are mapped to the necessary updates in the form of errata. Users of the commercial Red Hat Satellite or SUSE Manager server get this information directly from their distributor. With Spacewalk this needs to be done manually. Fortunately there is a script, CEFS by Steve Meier, which automates this.

An XML document containing all available errata is published there periodically.

The script can be run as a cronjob to make sure that you always have the most recent errata information. First of all you need to have the following Perl modules installed on your Spacewalk system:

# yum install perl-Text-Unidecode perl-XML-Simple

It is recommended to test the import at least once. The process looks like this:

# env -i SPACEWALK_USER=su-errata SPACEWALK_PASS=xyz ./errata-import.pl --server localhost --errata errata.latest.xml --publish
INFO: Server is running API version 13
INFO: API version is supported
INFO: Authentication successful
INFO: Loading errata XML
INFO: Getting server inventory
INFO: Checking for unpublished errata
INFO: Scanning channel CentOS 6 Extras - x86_64
INFO: Scanning channel CentOS 6 Base - x86_64
INFO: Scanning channel CentOS 6 Updates - x86_64
INFO: Scanning channel Spacewalk Client - x86_64
INFO: Scanning channel EPEL EL6 - x86_64
...

Published errata in Spacewalk

The script scans all software channels (in this case, amongst others, CentOS 6 Base, Extras and Updates as well as EPEL) and assigns matching errata. Depending on the number of software channels this can take a couple of minutes.

The parameter --publish is very important: it makes sure that all suitable errata are published automatically to your Spacewalk system.

It is recommended to create a dedicated Satellite user for the script so that you don't have to use the credentials of your administrator account in the script. These credentials need to be provided in plaintext using the variables SPACEWALK_USER and SPACEWALK_PASS. The "Channel Administrator" role needs to be assigned to this user.

My cronjob looks like this:

# vi /etc/cron.daily/spacewalk_sync.cron
#!/bin/sh
MAILTO=root

# try to create the lock and check the outcome
LOCKFILE=/var/run/spacewalk_sync.lock
#lockfile -r 0 ${LOCKFILE} 1>/dev/null 2>&1
#status=$?
#if [ ${status} -ne 0 ] ;then
if [ -e "$LOCKFILE" ]; then
        echo "Another instance already running. Aborting."
        exit 1
else
        touch "$LOCKFILE"
fi
trap "rm ${LOCKFILE}" EXIT

#sync channels and publish updates
/usr/bin/spacewalk-repo-sync --channel centos6-base-x86_64 \
                             --url http://mirror.centos.org/centos/6/os/x86_64/ \
                             --type yum -c centos6-base-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel centos6-updates-x86_64 \
                             --url http://mirror.centos.org/centos/6/updates/x86_64/ \
                             --type yum -c centos6-updates-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel centos6-extras-x86_64 \
                             --url http://mirror.centos.org/centos/6/extras/x86_64/ \
                             --type yum -c centos6-extras-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel epel-el6-x86_64 \
                             --url http://ftp-stud.hs-esslingen.de/pub/epel/6/x86_64/ \
                             --type yum -c epel-el6-x86_64 >/dev/null

#get errata file and checksums
cd /tmp
wget -N http://cefs.steve-meier.de/errata.latest.xml 1>/dev/null 2>&1
wget -N http://cefs.steve-meier.de/errata.latest.md5 1>/dev/null 2>&1
wget -N http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 1>/dev/null 2>&1
bunzip2 -f /tmp/com.redhat.rhsa-all.xml.bz2

#verify integrity
grep "errata.latest.xml$" errata.latest.md5 > myerrata.md5
md5sum -c myerrata.md5 1>/dev/null 2>&1
if [ "$?" -eq 0 ]; then
        #ok - import errata
        SPACEWALK_PASS=xyz SPACEWALK_USER=su-errata /opt/tools/errata-import.pl --server localhost --errata errata.latest.xml --include-channels=centos6-updates-x86_64,epel-el6-x86_64 --rhsa-oval=/tmp/com.redhat.rhsa-all.xml --publish 1>/dev/null
        if [ "$?" -ne 0 ]; then
                echo "It seems like there was a problem while publishing the most recent errata..."
                exit 1
        fi
        rm /tmp/myerrata.md5
else
        #errata information possibly invalid
        echo "ERROR: md5 checksum mismatch, check download!"
        exit 1
fi

First of all, the recent XML document and the checksums of all XML documents (there are also compressed versions) are downloaded. After that, a temporary file containing only the md5 checksum of the downloaded file is created. Using this file, the integrity of the download is checked before the errata information is imported and published.
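The integrity check described above can be written as a reusable, fail-closed function; this is an added example, not part of the original cronjob or of CEFS, and the function name verify_errata and its return codes are assumptions. Because the checksum file is fetched over the same plain-HTTP connection as the XML, the check catches truncated or corrupted downloads, not tampering by someone who controls that connection.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the original post).
# verify_errata DIR [XML_NAME [SUMS_NAME]]
# Returns 0 only if exactly one checksum entry names the XML file and matches.
#   1 = checksum mismatch, 2 = file missing/empty, 3 = no or ambiguous entry
verify_errata() {
    dir=$1
    xml=${2:-errata.latest.xml}
    sums=${3:-errata.latest.md5}

    [ -s "$dir/$xml" ]  || { echo "ERROR: $xml missing or empty" >&2; return 2; }
    [ -s "$dir/$sums" ] || { echo "ERROR: $sums missing or empty" >&2; return 2; }

    # Exact match on the file-name field (md5sum marks binary mode with '*').
    # Unlike grep "errata.latest.xml$", names that merely end in the same
    # string (for example old-errata.latest.xml) are not selected.
    entry=$(awk -v f="$xml" '{ n = $2; sub(/^\*/, "", n) } n == f' "$dir/$sums")
    count=$(printf '%s\n' "$entry" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "ERROR: expected 1 checksum entry for $xml, found $count" >&2
        return 3
    fi

    # md5sum -c resolves the file name relative to the current directory,
    # so run it in a subshell inside the download directory.
    if (cd "$dir" && printf '%s\n' "$entry" | md5sum -c - >/dev/null 2>&1); then
        return 0
    fi
    echo "ERROR: md5 checksum mismatch for $xml" >&2
    return 1
}
```

In the cronjob, download into a directory created with mktemp -d instead of /tmp itself and run the import only when verify_errata returns 0.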
