Spacewalk Step by Step
Spacewalk Step by Step
Spacewalk Step by Step
Spacewalk 2.6
In this Hands-on Lab, you will learn the basics of systems management using Spacewalk 2.6:
Spacewalk is an open source systems management solution for Linux. It manages software content updates
for Linux distributions derived from Red Hat Enterprise Linux including Oracle Linux, CentOS, Scientific Linux
and Fedora. It allows you to synchronize updates from upstream sources, then store and deploy those updates
to your local servers.
You can stage software content, including updates and configuration files through different environments. The
deployment of updates to registered servers is centrally controlled and the Spacewalk web interface shows a
unified view of all registered servers and their associated software update status. You can also trigger software
updates and remote actions via the web interface.
In addition, Spacewalk provides entire lifecycle management functionality via bare-metal and virtual server
provisioning using the standard PXE and Kickstart tools. Servers that are provisioned using Spacewalk are
automatically registered and monitored after installation.
To support very large enterprise deployments, you can connect multiple Spacewalk servers together using
Inter-Spacewalk Sync (ISS). Spacewalk also provides the Spacewalk Proxy server to support geographically-
distributed client servers. Spacewalk Proxy servers cache and distribute content, reducing the load on the
central Spacewalk servers and improving download times for local servers.
Hands-on Lab: System Management with Spacewalk 2.6
This lab is designed to sync content from the Unbreakable Linux Network. You will need an Oracle Single Sign-
On account with ULN access to complete this lab.
If you're attending the Hands-On Lab at Oracle OpenWorld 2017, your laptop has already been setup
and configured. Otherwise, download the virtual machine template from here: Oracle Linux VM Images for
Hands-On Lab.
This lab is designed to synchronize packages from both the Oracle Unbreakable Linux Network (ULN) as well
as Oracle's Public Yum Repository. The lab does not include installation of Spacewalk itself as this is covered
in the Spacewalk 2.6 for Oracle Linux 7 Installation Guide.
Pre-requisite knowledge
Attendees are expected to have basic Oracle Linux system administration skills, particularly regarding package
management using RPM and yum.
You should be familiar with the following Linux concepts and commands:
Lab structure
As many activities in the lab are performed using the Spacewalk web interface, screenshots are provided for
the initial exercises to assist with navigation and configuration.
Hands-on Lab: System Management with Spacewalk 2.6
Once the initial exercises are completed, screenshots will no longer be provided as the content will change
over time and static screenshots could be misleading.
Initial login
You should log into the virtual machine as the HOL User (holuser) using the password oracle.
Next, open a Terminal session from Application -> System Tools -> Terminal and have the Firefox web
browser open as well. As the lab instructions are web-based, it is recommended to have multiple Firefox
windows or tabs open so that you can follow the instructions.
You should see the initial login screen. Use the following credentials to login into Spacewalk:
• Username: admin
Hands-on Lab: System Management with Spacewalk 2.6
• Password: Oracle123
Spacewalk requires all packages and metadata to be stored and managed locally, so the initial step is to
configure upstream sources for package updates. These upstream sources can be the Oracle Unbreakable
Linux Network (ULN), the Oracle Yum Server or any 3rd-party yum repository.
Spacewalk uses the concept of Software Channels and Repositories to store packages and metadata. Client
systems subscribe to Software Channels, while Software Channels themselves can be subscribed to one or
more Repositories. In this way, you can create local channels that provide packages from a combination of
sources. Care should be taken to ensure that the upstream repositories do not contain the same packages to
Hands-on Lab: System Management with Spacewalk 2.6
reduce deployment complexity and confusion. It is recommended to connect a software channel to a single
repository for simplicity.
Spacewalk Software Channels are hierarchical: each client server is registered with a single base channel
and can be subscribed to multiple child channels. A client can only subscribe to the child channels of its base
In this exercise, you will create repositories for the following ULN channels:
You will also create a Spacewalk repository for the following Yum repository:
Once these repositories are created, the following Software Channel hierarchy will be created:
This will allow clients to subscribe to the Installation media set base channel as well as the individual child
Navigate to the Manage Repositories screen in the Spacewalk web interface by clicking on Channels (in the
main menu bar), then Manage Software Channels in the left-hand menu and finally Manage Repositories.
There are no repositories configured by default.
Hands-on Lab: System Management with Spacewalk 2.6
Click Create Repository to start the creation process. The first repository you will create is the Oracle Linux 7
Update 4 Installation media set. Provide the following information:
Hands-on Lab: System Management with Spacewalk 2.6
ULN-based repositories use the uln:///<ULN_channel_label> syntax and the three / characters are
intentional. You can find a list of channel labels via the ULN interface.
Click the create repository button. Spacewalk will create the repository and return you to the repository edit
screen. Click Manage Repositories to return to the list of repositories to see the newly created repository.
1. Oracle Linux 7 Update 4 Patches x86_64 with the ULN channel label ol7_x86_64_u4_patch
2. UEK Release 4 for Oracle Linux 7 x86_64 with the ULN channel label ol7_x86_64_UEKR4
Hands-on Lab: System Management with Spacewalk 2.6
Once all three ULN-based repositories are created, you can create the Yum-based repository for the
Spacewalk 2.4 Client. The process is almost identical, except you use an http-based repository URL.
Hands-on Lab: System Management with Spacewalk 2.6
In production, you should only use yum repositories hosted on the Oracle Yum Server or trusted 3rd-party
Once you have all four repositories created, you can being to create the associated Software Channels.
As mentioned previously, Spacewalk uses a parent/child relationship for Software Channels. Client servers can
only subscribe to a single base channel and can only subscribe to child channels of the selected base channel.
In this exercise, we will create a single base channel and three child channels.
Hands-on Lab: System Management with Spacewalk 2.6
Click Manage Software Channels in the left-hand menu. By default, there are no software channels
configured in Spacewalk.
Click Create Channel to start the process. We will begin by creating the base channel using the following
Hands-on Lab: System Management with Spacewalk 2.6
Ensure that you set the architecture field correctly, otherwise the channel will not be visible to the client you will
register later in the lab. The architecture must match the architecture of the client.
You can fill your own (or dummy) information in the Contact/Support Information section. This information is
displayed in the Spacewalk UI so that other users know who to contact if they have issues with the software
contained in this channel.
For the purposes of the lab, you do not need to make any changes to the Channel Access Control section. For
production Spacewalk deployments, this section is used to determine who is permitted to use this channel and
which organizations can access the channel. Multi-user and multi-organization deployment of Spacewalk is
beyond the scope of this lab.
It is strongly recommended that you configure the Security: GPG section in production to ensure that packages
that are downloaded during the Spacewalk synchronization process have a valid security signature. You should
configure the section using the following:
Hands-on Lab: System Management with Spacewalk 2.6
• GPG key Fingerprint: 4214 4123 FECF C55B 9086 313D 72F9 7B74 EC55 1F03
You can find the GPG key ID and fingerprint for each Oracle Linux major version on the Oracle Yum Server.
Note that the GPG key ID and Fingerprint is identical for Oracle Linux 6 and 7. Oracle Linux installs the key
itself by default at /etc/pki/rpm-gpg/RPM-GPG-KEY and for security purposes, it is recommended that you use
the installed key instead of downloading a new one.
Click the Create Channel button once you have completed all the required fields. Spacewalk will create the
channel and return you to the channel edit screen for the newly created channel. Click Manage Software
Channels in the left-hand menu to return to the Software Channel list.
You will now create your first child channel. Click the create new channel link and enter the following details:
Hands-on Lab: System Management with Spacewalk 2.6
Use the same Security: GPG settings as the Installation media set channel.
• Channel Name and Channel Summary: Unbreakable Enterprise Kernel Release 4 for
Oracle Linux 7 x86_64
• Channel Label: ol7_x86_64_uekr4
• Parent Channel: Oracle Linux 7 Update 4 installation media copy x86_64
Note that Spacewalk channel labels can only contain lowercase letters, so this channel label differs from its
upstream repository label.
• Channel Name and Channel Summary: Spacewalk Client 2.6 for Oracle Linux 7 x86_64
• Channel Label: ol7_x86_64_spacewalk26_client
Hands-on Lab: System Management with Spacewalk 2.6
Once a channel is created, you cannot change whether it is a base or child channel. If you forget to select
the correct parent channel, you will need to delete and recreate the channel. Once you have completed this
exercise, you should have all four channels created, with a single base and three child channels as shown in
the following screenshot:
Do not continue the lab until your software channel list matches the example.
Before you can synchronize with ULN, you need to configure the credentials that Spacewalk should use when
connecting. These credentials are stored in a file that is only readable by the root user. You should ensure that
this file is suitably protected by setting the permissions accordingly:
Hands-on Lab: System Management with Spacewalk 2.6
Replace the placeholders in this file with your real ULN credentials before continuing. This file is set read-only
(umask 0400) by default, so you will need to force save the file as root using the :wq! command.
Now that your software channels are created, we need to link them to the appropriate repository and trigger the
initial sync. Spacewalk should be configured in production to sync on a regular basis. As the Spacewalk web
interface does not provide any progress information during a sync, you should have a Terminal window open to
monitor the sync logs during this exercise.
In the Terminal, use sudo su - to become the root user and change directory to /var/log/rhn/reposync.
The sync logs are contained in this directory. The OpenWorld virtual machine already contains log files, as the
Spacewalk instance was pre-seeded with packages for performance reasons.
The time for initial sync outside of this lab environment is dependent on network bandwidth and server
resources and can take anywhere from several hours to several days.
From Manage Software Channels, click the Oracle Linux 7 Update 4 installation media copy x86_64 channel
and navigate to the Repositories tab.
Hands-on Lab: System Management with Spacewalk 2.6
Click the checkbox next to Oracle Linux 7 Update 4 installation media copy x86_64 and then click the Update
Repositories button. This associates the repository with the software channel, so when a sync is triggered,
the contents of the repository are added to this software channel. It's possible to enable multiple repositories
in a single software channel, but this requires advanced knowledge of yum dependency analysis and is not
Once you have saved the repository selection, click the Sync tab. This screen allows you to trigger an
immediate sync or schedule a task to sync the repository. For the purposes of the lab, check the Sync only
latest packages checkbox, then click the Sync Now button. In production you should schedule regular
synchronization of the Oracle Linux repositories on a daily basis. If you have multiple repositories, you should
offset the schedule time.
Hands-on Lab: System Management with Spacewalk 2.6
After clicking the Sync Now button, switch back to your terminal to monitor the sync activity. Spacewalk will
connect to ULN to retrieve the list of packages and then start downloading each package. In this exercise,
we have pre-seeded the packages in the virtual machine to reduce the download time as much as possible.
Spacewalk also displays a progress bar within the web UI.
Wait for the Sync completed. message to appear in the log before continuing.
Repeat this process for the remaining three software channels. Note that the Oracle Linux 7 Update 4 Patches
channel will take the longest to complete as new packages will have been published between the time the
virtual machine image was created and now. It could take between 15-25 minutes or longer for this process
to complete. Ensure that the Sync only latest packages checkbox is checked for all channels to reduce the
overall time required to sync from ULN.
Spacewalk will only sync a single software channel at a time, so wait for each channel to complete before
moving onto the next channel.
Hands-on Lab: System Management with Spacewalk 2.6
Once you have completed the initial sync of all four channels, you can create an activation key. An activation
key is used by the Spacewalk client to register a server with Spacewalk. An activation key is tied to a specific
base channel (and optional child channels) and is used to determine channel subscription during activation. For
example, you can have multiple activation keys with the same base channel, but specify different child channel
Navigate to the Activation Keys page by clicking on the Systems tab and selecting Activation Keys in the left-
hand menu. There are no activation keys created by default. Click Create Key to begin the process.
Hands-on Lab: System Management with Spacewalk 2.6
Spacewalk can automatically generate keys, but it is recommended to use a particular key name for ease of
identification later.
• Usage: -- blank --
• Base Channels: Oracle Linux 7 Update 4 installation media copy x86_64
• Add-on Entitlements: -- unchecked --
• Universal default: -- unchecked --
In Spacewalk 2.6 there is only the Virtualization entitlement available. Enabling this entitlement tells Spacewalk
to install additional packages onto any server registered with this key to allow Spacewalk to enumerate any
guest virtual machines that may be running on that server. This is useful for machines that host KVM-based
virtual machines.
Once you have provided the details above, click the Create Activation Key button to complete the process.
Once the key has been created, click the Child Channels tab. This screen determines which (if any) of the
child channels should be subscribed during activation of a system using this activation key. Select all three
available channels and click the Update Key button.
Hands-on Lab: System Management with Spacewalk 2.6
An activation key is not mandatory in order to register clients to Spacewalk, but it does make the process much
simpler. Activation keys can also trigger automatic package installation when used to register a server. Now
that you have created an activation key, we can register a client.
Registration to Spacewalk can be done manually or via the provisioning process. In this lab, we will perform a
manual registration, as the virtual machine has already been provisioned.
Switch to the Terminal and use sudo to become root (if not already root):
The activation process can take several minutes as the local software inventory is collected and sent to
Spacewalk. Once the prompt returns, switch back to Firefox and click the Systems tab. You should now see
the VM listed. Notice that there are updates available for the server. We will demonstrate several patching
mechanisms in upcoming exercises to deploy those updates to the server.
Once the client is successfully registered to Spacewalk, you are able to run the yum tool to perform actions
using the packages available via Spacewalk.
Hands-on Lab: System Management with Spacewalk 2.6
repo id repo
ol7_x86_64_spacewalk26_client Spacewalk Client 2.6 for
Oracle Linux 7 x86_64 28
ol7_x86_64_u4_base Oracle Linux 7 Update 4
installation media copy x86_64 5,010
ol7_x86_64_u4_patch Oracle Linux 7 Update 4
Patch x86_64 147
ol7_x86_64_uekr4 Unbreakable Enterprise
Kernel Release 4 for Oracle Linux 7 x86_64 72
repolist: 5,257
Hands-on Lab: System Management with Spacewalk 2.6
10:1.5.3-141.el7_4.1 ol7_x86_64_u4_patch
3.4-6.0.1.el7 ol7_x86_64_u4_patch
0.12.8-2.el7.1 ol7_x86_64_u4_patch
1.2.20-7.el7_4 ol7_x86_64_u4_patch
1.2.20-7.el7_4 ol7_x86_64_u4_patch
Hands-on Lab: System Management with Spacewalk 2.6
Hands-on Lab: System Management with Spacewalk 2.6
Run the following yum command using a CVE chosen from the list generated in the previous example:
Dependencies Resolved
Package Arch
Version Repository
kernel x86_64
3.10.0-693.1.1.el7 ol7_x86_64_u4_patch
43 M
kernel-tools x86_64
3.10.0-693.1.1.el7 ol7_x86_64_u4_patch
5.1 M
kernel-tools-libs x86_64
3.10.0-693.1.1.el7 ol7_x86_64_u4_patch
5.0 M
Hands-on Lab: System Management with Spacewalk 2.6
python-perf x86_64
3.10.0-693.1.1.el7 ol7_x86_64_u4_patch
5.1 M
Transaction Summary
Install 1 Package
Upgrade 3 Packages
Hands-on Lab: System Management with Spacewalk 2.6
Verifying : python-
Verifying : kernel-
Verifying : kernel-tools-
Verifying :
Verifying : kernel-tools-
Verifying : kernel-
Verifying : python-
kernel-tools.x86_64 0:3.10.0-693.1.1.el7 kernel-tools-libs.x86_64
0:3.10.0-693.1.1.el7 python-perf.x86_64 0:3.10.0-693.1.1.el7
Section 2.4 of the Oracle Linux 7 Administrator's Guide lists all the Yum commands that are available and
provides more detailed explanations of each command.
By default, the rhnsd daemon on the client connects to Spacewalk every 4 hours to look for scheduled
updates or actions. However, Spacewalk includes the OSA daemon which allows Spacewalk to trigger actions
immediately on a client. We will install this daemon now so that the following exercises that use the Spacewalk
web interface will occur immediately.
From the Terminal, run the following command to install the OSAD daemon:
Hands-on Lab: System Management with Spacewalk 2.6
Dependencies Resolved
Package Arch
Repository Size
osad noarch
ol7_x86_64_spacewalk26_client 46 k
Transaction Summary
Install 1 Package
Hands-on Lab: System Management with Spacewalk 2.6
Switch back to Firefox and click the server to view its Details screen. On the
right-hand side, in the OSA Status box, you should see "online as of unknown". This indicates that the OSA
daemon is running. Click Ping System to trigger a ping of the OSA daemon. If you wait a few moment and
then refresh the Details tab, the OSA Status should update to indicate how long the OSA daemon has been
Once the OSA daemon is confirmed as running, you can move on to the following exercises.
If you're following from the previous exercise, click the Software tab under the
heading. Otherwise, navigate to the System tab and click the server first.
The software tab allows you to list, remove, upgrade, install and verify software packages. You can also see
the errata that are applicable to this server. First, we will manually upgrade an existing package.
Click Upgrade Packages. In the list that appears, select a few packages to upgrade. Once you have selected
some packages, click the Upgrade Packages button at the bottom of the page. A confirmation page will
appear listing the packages scheduled for update. You can chose whether to perform the upgrade as soon as
possible, or after a specific time.
Keep in mind that if the OSA daemon is not running on the client server, rhnsd only checks in every 4 hours
by default. This means that without the OSA daemon working, some actions could take up to 4 hours to be
Once you are happy with the package selection, click the Confirm button. You will receive a message
indicating that package updates have been scheduled. Click scheduled in the alert message to view the
scheduled action. You can monitor this page until the action is completed. Once it has completed, navigate
back to the system detail view to confirm that the packages are no longer visible in the list of packages
available for upgrade.
Hands-on Lab: System Management with Spacewalk 2.6
An alternative upgrade mechanism is to upgrade packages that resolve specific errata. From the Software tab
within the system detail view, click the Errata tab to view the available errata information for this server. This
list will display all available errata, but can be filtered to only display security, bug fixes or enhancements.
Use the drop-down box to filter the list to only show security advisories. Enter "critical" into the Filter by
Synopsis field and click the "eye" icon to view only the critical security errata. Click on an errata to view the
details. You can also click on the CVE link to go to the Mitre website for information about the particular CVE
resolved by this errata. Navigate to the Affected Systems tab to see all the servers that are affected by this
advisory. In production, you may have several servers affected by a single advisory and this screen allows you
to schedule the patching of multiple servers at once.
In the list, click the checkbox next to the server name and then click Apply Errata. The same confirmation
screen appears asking whether to schedule the action for as soon as possible or for some time in the future.
Click Confirm to apply the errata as soon as possible.
You can navigate to the Schedule tab on the main menu to monitor the action. While the action is active, it will
appear in the Pending Actions list. Once it has completed, it will appear in the Completed Actions list. When the
action has completed, navigate back to the errata view under the system details to confirm the errata no longer
appears as available for the system.
Spacewalk is also capable of running remote commands from the web interface as well as deploying
configuration files stored in a central repository. In order to enable this functionality, we need to install the
rhncfg client.
To install the rhncfg client, run the following command via the Terminal or click the Install New Packages link
within the Software section of an individual system within the web interface to select and deploy the required
Hands-on Lab: System Management with Spacewalk 2.6
Dependencies Resolved
Package Arch
Repository Size
rhncfg noarch
ol7_x86_64_spacewalk26_client 74 k
rhncfg-actions noarch
ol7_x86_64_spacewalk26_client 46 k
rhncfg-client noarch
ol7_x86_64_spacewalk26_client 43 k
rhncfg-management noarch
ol7_x86_64_spacewalk26_client 52 k
Transaction Summary
Install 4 Packages
Hands-on Lab: System Management with Spacewalk 2.6
rhncfg.noarch 0:5.10.99-1.el7 rhncfg-actions.noarch 0:5.10.99-1.el7 rhncfg-
client.noarch 0:5.10.99-1.el7 rhncfg-management.noarch 0:5.10.99-1.el7
Once the rhncfg client is installed, we need to manually configure what actions are permitted to be performed
remotely. The following actions are possible:
• deploy a file
• diff a file
• upload a file
• modify the mtime of a file (modified time)
• execute remote scripts
Hands-on Lab: System Management with Spacewalk 2.6
Now that rhncfg is installed and all actions are enabled, we can trigger a remote action from the web interface.
Switch back to Firefox and navigate to the Details tab of the server details view, then click the Remote
Command tab.
# Add your shell script below
uname -a
Then click the Schedule button. Remote commands use the same scheduling mechanism as package
updates, so without the OSA daemon running, it could take up to 4 hours to complete the remote command
action. Navigate to the Events tab to view the pending events. If the action does not appear in the pending list,
click the History tab. The action should appear at the top of the System History list. Click the action name to
view the script and the output.
Another feature of the rhncfg client is the ability to deploy configuration files from Spacewalk to multiple
servers. This requires the creation of one or more configuration channels and configuration files. In this
exercise, we will create a configuration channel, a configuration file and deploy it to our client.
First, navigate to the Configuration tab in the main menu, then select Configuration Channels in the left-
hand menu. There are no configuration channels created by default. Click Create Config Channel to start the
creation process.
Hands-on Lab: System Management with Spacewalk 2.6
Click the Create Config Channel button to complete the creation process. After the channel has been created,
we can add a file. Click the Add Files tab to start the process.
You can add a file in three ways: uploading a file from your workstation, importing a file from a registered client
system that has the upload action allowed or by creating a file directly in the interface. In this exercise, we will
create a file directly in the interface, so click the Create File tab.
Note that we have used the rhn.system.hostname macro in the configuration file contents. This macro
will be replaced by the name of the target server when the configuration file is deployed. Click the Create
Configuration File button once you are happy with the settings and content.
Navigate to the system detail view by clicking on the server, then select the
Configuration tab, Manage Configuration Channels tab then the Subscribe to Channels tab. Click the
checkbox next to the Generic Configuration channel in the list, then click Continue. If you have multiple
configuration channels in your production environment, you can rank the channels in order of priority. This
allows you to have generic configuration files as well as more specific versions. As we only have a single
configuration channel in this exercise, click the Update Channel Rankings button to confirm the subscription.
The Generic Configuration channel should now appear in the list of Configuration Channels for this server.
Switch to the Deploy Files tab to list the available files. Select the checkbox next to the /etc/motd file and
click the Deploy Files button. On the confirmation screen, ensure it's scheduled to deploy as soon as possible
then click the Schedule Deploy button.
Hands-on Lab: System Management with Spacewalk 2.6
To confirm that file has been deployed successfully and that the macro has been replaced properly during the
deployment, run the following command via a Terminal:
The final exercise is to configure and run an audit using the OpenSCAP tools. This example uses the scap-
security-guide provided with Oracle Linux. You can use any OpenSCAP compliant XCCDF and OVAL files in
your own environment.
To begin the auditing process, navigate to the Audit tab of the system detail view, then click the *Schedule*
tab. Spacewalk will inform you that in order to run OpenSCAP scans, the spacewalk-oscap package needs to
be installed. Using what you've learnt in previous exercises, install the spacewalk-oscap and scap-security-
guide packages either using yum or via the Spacewalk web interface.
Once the spacewalk-oscap and scap-security-guide packages and their dependencies are installed,
refresh the Schedule New XCCDF Scan page in Firefox. You should now be able to schedule a scan using
the following parameters:
Click the Schedule button once you're completed the fields. It can take between fifteen and twenty minutes
to complete the scan. Navigate to the List Scans tab to view the completed scans. You can then review the
results and filter on pass or failed results. You can also schedule regular scans to ensure that no security
regressions occur. Note that the virtual machine used by this hands-on lab is not configured according to best
security practice for a production deployment and will fail many of the OpenSCAP tests.