Registering Debian Clients

This section contains information about registering Salt clients running Debian operating systems.

SUSE does not provide support for Debian operating systems. Uyuni allows you to manage Debian clients, but support is not provided. Using Uyuni to manage Debian clients is experimental. These instructions have been tested on Debian 9 Stretch and Debian 10 Buster. Do not rely on Debian clients in a production environment.

Debian is supported for Salt clients only. Traditional clients are not supported.

Bootstrapping can be used with Debian clients for performing initial state runs, and for profile updates.

1. Prepare to Register

Some preparation is required before you can register Debian clients to the Uyuni Server:

  • If you are using Debian 9, install the required packages on the client before you attempt to register. On the client, at the command prompt, as root, run:

    apt install apt-transport-https python-apt python3-apt
  • Ensure DNS is correctly configured and provides an entry for the client. Alternatively, you can configure the /etc/hosts files on both the Uyuni Server and the client with the appropriate entries.

  • The client must have the date and time synchronized with the Uyuni Server before registration.

2. Add Software Channels

Before you can register Debian clients to your Uyuni Server, you need to add the required software channels, and synchronize them.

In the following section, descriptions often default to the x86_64 architecture. Replace it with other architectures if appropriate.

The channels you need for this procedure are:

Table 1. Debian Channels - CLI
OS Version Base Channel Client Channel Updates Channel Security Channel

Debian 9

debian-9-pool-amd64-uyuni

debian-9-amd64-uyuni-client

debian-9-amd64-main-updates-uyuni

debian-9-amd64-main-security-uyuni

Debian 10

debian-10-pool-amd64-uyuni

debian-10-amd64-uyuni-client

debian-10-amd64-main-updates-uyuni

debian-10-amd64-main-security-uyuni

Debian 11

debian-11-pool-amd64-uyuni

debian-11-amd64-uyuni-client

debian-11-amd64-main-updates-uyuni

debian-11-amd64-main-security-uyuni

Procedure: Adding Software Channels at the Command Prompt
  1. At the command prompt on the Uyuni Server, as root, use the spacewalk-common-channels command to add the appropriate channels:

    spacewalk-common-channels \
    <base_channel_label>
    <child_channel_label_1> \
    <child_channel_label_2> \
    ... <child_channel_label_n>
  2. Synchronize the channels:

    spacewalk-repo-sync -p <base_channel_label>
  3. Ensure the synchronization is complete before continuing.

3. Check Synchronization Status

Procedure: Checking Synchronization Progress from the Web UI
  1. In the Uyuni Web UI, navigate to Software  Manage  Channels, then click the channel associated to the repository.

  2. Navigate to the Repositories tab, then click Sync and check Sync Status.

Procedure: Checking Synchronization Progress from the Command Prompt
  1. At the command prompt on the Uyuni Server, as root, use the tail command to check the synchronization log file:

    tail -f /var/log/rhn/reposync/<channel-label>.log
  2. Each child channel generates its own log during the synchronization progress. You need to check all the base and child channel log files to be sure that the synchronization is complete.

Debian channels can be very large. Synchronization can sometimes take several hours.

5. Trust GPG Keys on Clients

Operating systems either trust their own GPG keys directly or at least ship them installed with the minimal system. But third party packages signed by a different GPG key need manual handling. The clients can be successfully bootstrapped without the GPG key being trusted. However, you cannot install new client tool packages or update them until the keys are trusted.

Salt clients use now GPG key information entered for a software channel to manage the trusted keys. When a software channel with GPG key information is assigned to a client, the key gets trusted as soon as the channel is refreshed or the first package gets installed from this channel.

The GPG key URL which is set of a software channel must exist. In case it is a file URL, the GPG key file must be deployed on the client before the software channel is used.

The GPG keys for the Client Tools Channels of Red Hat based clients are deployed on the client into /etc/pki/rpm-gpg/ and can be referenced with file URLs. Same is the case with the GPG keys of Expanded Support clients. Only in case a software channel is assigned to the client they will be imported and trusted by the system.

Because Debian based systems sign only metadata, there is typically no need to specify extra keys for single channels. If a user configures an own GPG key to sign the metadata as described in "Use Your Own GPG Key" in administration:repo-metadata.adoc the deployment and trust of that key is executed automatically.

5.1. User defined GPG keys

Users can define their own GPG keys to be deployed to the client.

By providing some pillar data and providing the GPG key files in the Salt filesystem, they are automatically deployed to the client.

These keys are deployed into /etc/pki/rpm-gpg/ on RPM based operating systems and to /usr/share/keyrings/ on Debian systems:

Define the pillar key [literalcustom_gpgkeys for the client you want to deploy the key to and list the names of the key file.

cat /etc/pillar/mypillar.sls
custom_gpgkeys:
  - my_first_gpg.key
  - my_second_gpgkey.gpg

Additionally in the Salt filesystem create a directory named gpg and store there the GPG key files with the name specified in the custom_gpgkeys pillar data.

ls -la /etc/salt/gpg/
/etc/salt/gpg/my_first_gpg.key
/etc/salt/gpg/my_second_gpgkey.gpg

The keys are now deployed to the client at /etc/pki/rpm-gpg/my_first_gpg.key and /etc/pki/rpm-gpg/my_second_gpgkey.gpg.

The last step is to add the URL to the GPG key URL field of the software channel. Navigate to Software  Manage  Channels and select the channel you want to modify. Add to GPG key URL the value file:///etc/pki/rpm-gpg/my_first_gpg.key.

5.2. GPG Keys in Bootstrap Scripts

Procedure: Trusting GPG Keys on Clients Using a Bootstrap Script
  1. On the Uyuni Server, at the command prompt, check the contents of the /srv/www/htdocs/pub/ directory. This directory contains all available public keys. Take a note of the key that applies to the channel assigned to the client you are registering.

  2. Open the relevant bootstrap script, locate the ORG_GPG_KEY= parameter and add the required key. For example:

    uyuni-gpg-pubkey-0d20833e.key

    You do not need to delete any previously stored keys.

Trusting a GPG key is important for security on clients. It is the task of the admin to decide which keys are needed and can be trusted. Because a software channel cannot be used when the GPG key is not trusted, the decision of assigning a channel to a client depends on the decision of trusting the key.

Debian clients can require multiple GPG keys to be installed.

6. Register Clients

To register your Debian clients, you need a bootstrap repository. By default, bootstrap repositories are regenerated daily. You can manually create the bootstrap repository from the command prompt, using this command:

mgr-create-bootstrap-repo

For Debian 10, select debian10-amd64-uyuni when prompted.

For more information on registering your clients, see client-configuration:registration-overview.adoc.