Registering CentOS Clients

Table of Contents

1. Add Software Channels
2. Check Synchronization Status
3. Create an Activation Key
4. Trust GPG Keys on Clients
5. Trust GPG Keys on Clients
- 5.1. User defined GPG keys
- 5.2. GPG Keys in Bootstrap Scripts
6. Register Clients
7. Manage Errata

This section contains information about registering traditional and Salt clients running CentOS operating systems.

CentOS clients are based on CentOS and are unrelated to SUSE Linux Enterprise Server with Expanded Support, RES, Red Hat, or Expanded Support. You are responsible for arranging access to CentOS base media repositories and CentOS installation media, as well as connecting Uyuni Server to the CentOS content delivery network.

Traditional clients are not available on CentOS 8. CentOS 8 clients are only supported as Salt clients.

Registering CentOS clients to Uyuni is tested with the default SELinux configuration of enforcing with a targeted policy. You do not need to disable SELinux to register CentOS clients to Uyuni.

1. Add Software Channels

Before you can register CentOS clients to your Uyuni Server, you need to add the required software channels, and synchronize them.

The architectures currently supported are: x86_64 and aarch64. For full list of supported products and architectures, see client-configuration:supported-features.adoc.

In the following section, descriptions often default to the x86_64 architecture. Replace it with other architectures if appropriate.

The channels you need for this procedure are:

Table 1. CentOS Channels - CLI
OS Version	Base Channel	Client Channel	Updates/Appstream Channel
CentOS 6	centos6	centos6-uyuni-client	centos6-updates
CentOS 7	centos7	centos7-uyuni-client	centos7-updates
CentOS 8	centos8	centos8-uyuni-client	centos8-appstream

CentOS 6 is now at end-of-life, and the ISO images provided in the repository are out of date. Bootstrapping new CentOS 6 clients using these packages will fail. If you need to bootstrap new CentOS 6 clients, follow the troubleshooting procedure in client-configuration:tshoot-clients.adoc.

Procedure: Adding Software Channels at the Command Prompt

At the command prompt on the Uyuni Server, as root, use the spacewalk-common-channels command to add the appropriate channels. Ensure you specify the correct architecture:
```
spacewalk-common-channels \
-a <architecture> \
<base_channel_name> \
<child_channel_name_1> \
<child_channel_name_2> \
... <child_channel_name_n>
```

Synchronize the channels:

spacewalk-repo-sync -p <base_channel_label>

Ensure the synchronization is complete before continuing.

The client tools channel provided by spacewalk-common-channels is sourced from Uyuni and not from SUSE.

For CentOS 8 clients, add both the Base and AppStream channels. You require packages from both channels. If you do not add both channels, you cannot create the bootstrap repository, due to missing packages.

If you are using modular channels, you must enable the Python 3.6 module stream on the client. If you do not provide Python 3.6, the installation of the spacecmd package will fail.

You might notice some disparity in the number of packages available in the AppStream channel between upstream and the Uyuni channel. You might also see different numbers if you compare the same channel added at a different point in time. This is due to the way that CentOS manages their repositories. CentOS removes older version of packages when a new version is released, while Uyuni keeps all of them, regardless of age.

The AppStream repository provides modular packages. This results in the Uyuni Web UI showing incorrect package information. You cannot perform package operations such as installing or upgrading directly from modular repositories using the Web UI or API.

You can use the AppStream filter with content lifecycle management (CLM) to transform modular repositories into regular repositories. Make sure to include python:3.6 using an AppStream filter if you want to use spacecmd on the clients.

Alternatively, you can use Salt states to manage modular packages on Salt clients, or use the dnf command on the client. For more information about CLM, see administration:content-lifecycle.adoc.

2. Check Synchronization Status

Procedure: Checking Synchronization Progress from the Web UI

In the Uyuni Web UI, navigate to Software Manage Channels, then click the channel associated to the repository.
Navigate to the Repositories tab, then click Sync and check Sync Status.

Procedure: Checking Synchronization Progress from the Command Prompt

At the command prompt on the Uyuni Server, as root, use the tail command to check the synchronization log file:
```
tail -f /var/log/rhn/reposync/<channel-label>.log
```
Each child channel generates its own log during the synchronization progress. You need to check all the base and child channel log files to be sure that the synchronization is complete.

3. Create an Activation Key

You need to create an activation key that is associated with your CentOS channels.

For more information on activation keys, see client-configuration:activation-keys.adoc.

4. Trust GPG Keys on Clients

5. Trust GPG Keys on Clients

Operating systems either trust their own GPG keys directly or at least ship them installed with the minimal system. But third party packages signed by a different GPG key need manual handling. The clients can be successfully bootstrapped without the GPG key being trusted. However, you cannot install new client tool packages or update them until the keys are trusted.

Salt clients use now GPG key information entered for a software channel to manage the trusted keys. When a software channel with GPG key information is assigned to a client, the key gets trusted as soon as the channel is refreshed or the first package gets installed from this channel.

The GPG key URL which is set of a software channel must exist. In case it is a file URL, the GPG key file must be deployed on the client before the software channel is used.

The GPG keys for the Client Tools Channels of Red Hat based clients are deployed on the client into /etc/pki/rpm-gpg/ and can be referenced with file URLs. Same is the case with the GPG keys of Expanded Support clients. Only in case a software channel is assigned to the client they will be imported and trusted by the system.

Because Debian based systems sign only metadata, there is typically no need to specify extra keys for single channels. If a user configures an own GPG key to sign the metadata as described in "Use Your Own GPG Key" in administration:repo-metadata.adoc the deployment and trust of that key is executed automatically.

5.1. User defined GPG keys

Users can define their own GPG keys to be deployed to the client.

By providing some pillar data and providing the GPG key files in the Salt filesystem, they are automatically deployed to the client.

These keys are deployed into /etc/pki/rpm-gpg/ on RPM based operating systems and to /usr/share/keyrings/ on Debian systems:

Define the pillar key [literalcustom_gpgkeys for the client you want to deploy the key to and list the names of the key file.

cat /etc/pillar/mypillar.sls
custom_gpgkeys:
  - my_first_gpg.key
  - my_second_gpgkey.gpg

Additionally in the Salt filesystem create a directory named gpg and store there the GPG key files with the name specified in the custom_gpgkeys pillar data.

ls -la /etc/salt/gpg/
/etc/salt/gpg/my_first_gpg.key
/etc/salt/gpg/my_second_gpgkey.gpg

The keys are now deployed to the client at /etc/pki/rpm-gpg/my_first_gpg.key and /etc/pki/rpm-gpg/my_second_gpgkey.gpg.

The last step is to add the URL to the GPG key URL field of the software channel. Navigate to Software Manage Channels and select the channel you want to modify. Add to GPG key URL the value file:///etc/pki/rpm-gpg/my_first_gpg.key.

5.2. GPG Keys in Bootstrap Scripts

Procedure: Trusting GPG Keys on Clients Using a Bootstrap Script

On the Uyuni Server, at the command prompt, check the contents of the /srv/www/htdocs/pub/ directory. This directory contains all available public keys. Take a note of the key that applies to the channel assigned to the client you are registering.
Open the relevant bootstrap script, locate the ORG_GPG_KEY= parameter and add the required key. For example:
```
uyuni-gpg-pubkey-0d20833e.key
```
You do not need to delete any previously stored keys.

Trusting a GPG key is important for security on clients. It is the task of the admin to decide which keys are needed and can be trusted. Because a software channel cannot be used when the GPG key is not trusted, the decision of assigning a channel to a client depends on the decision of trusting the key.

6. Register Clients

CentOS clients are registered in the same way as all other clients. For more information, see client-configuration:registration-overview.adoc.

To register and use CentOS 6 clients, you need to configure the Uyuni Server to support older types of SSL encryption. For more information about how to resolve this error, see Registering Older Clients at client-configuration:tshoot-clients.adoc.

7. Manage Errata

When you update CentOS clients, the packages do not include metadata about the updates. You can use a third-party errata service to obtain this information.

The authors of CEFS provide patches or errata on a best-effort basis, in the hope they are useful but with no guarantees of correctness or currency. This could mean that the patch dates could be incorrect, and in at least one case, the published data was shown to be more than a month old. For more information on these cases, see https://github.com/stevemeier/cefs/issues/28#issuecomment-656579382 and https://github.com/stevemeier/cefs/issues/28#issuecomment-656573607.

Any problems or delays with the patch data might result in unreliable patch information being imported to your Uyuni Server. This would cause reports, audits, CVE updates, or other patch-related information to also be incorrect. Please consider alternatives to using this service, such as independently verifying patch data, or choosing a different operating system, depending on your security-related requirements and certifications criteria.

Procedure: Installing an Errata Service

On the Uyuni Server, from the command prompt, as root, add the sle-module-development-tools module:
```
SUSEConnect --product sle-module-development-tools/15.2/x86_64
```
Install errata service dependencies:
```
zypper in  perl-Text-Unidecode
```

Add or edit this line in /etc/rhn/rhn.conf:

java.allow_adding_patches_via_api = centos7-updates-x86_64,centos7-x86_64,centos7-extras-x86_64

Restart Tomcat:
```
systemctl restart tomcat
```
Create a file for your errata script:
```
touch /usr/local/bin/cent-errata.sh
```

Edit the new file to include this script, editing the repository details as required. This script fetches the errata details from an external errata service, unpacks it, and publishes the details:

#!/bin/bash
mkdir -p /usr/local/centos
cd /usr/local/centos
rm *.xml
wget -c http://cefs.steve-meier.de/errata.latest.xml
#wget -c https://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml
wget -c https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml.bz2
bzip2 -d com.redhat.rhsa-RHEL7.xml.bz2
wget -c http://cefs.steve-meier.de/errata-import.tar
tar xvf errata-import.tar
chmod +x /usr/local/centos/errata-import.pl
export SPACEWALK_USER='<adminname>';export SPACEWALK_PASS='<password>'
/usr/local/centos/errata-import.pl --server '<servername>' \
--errata /usr/local/centos/errata.latest.xml  \
--include-channels=centos7-updates-x86_64,centos7-x86_64,centos7-extras-x86_64 \
--publish --rhsa-oval /usr/local/centos/com.redhat.rhsa-RHEL7.xml

Set up a cron job to run the script daily:

ln -s /usr/local/bin/cent-errata.sh /etc/cron.daily

For more information on this tool, see https://cefs.steve-meier.de/.