Assign recent errata automatically to Spacewalk

Recent bugs and security issue are mapped to necessary updates in the form of errata. Users of the commercial Red Hat Satellite or SUSE Manager server get these information directly from their distributor. Using Spacewalk this needs to be done manually – fortunately there a script CEFS by Steve Meier which automates this: [click me!]

Periodically a XML document containing all available errata is published there: [click me!]

This script can be automated in form of a cronjob to make sure that you always have to most recent errata information. First of all you need to have the following Perl modules installed on your Spacewalk system:

yum install perl-Text-Unidecode perl-XML-Simple

It is recommend to test the import at least once – this process looks like this:

# env -i SPACEWALK_USER=su-errata SPACEWALK_PASS=xyz ./errata-import.pl --server localhost --errata errata.latest.xml --publish
INFO: Server is running API version 13
INFO: API version is supported
INFO: Authentication successful
INFO: Loading errata XML
INFO: Getting server inventory
INFO: Checking for unpublished errata
INFO: Scanning channel CentOS 6 Extras - x86_64
INFO: Scanning channel CentOS 6 Base - x86_64
INFO: Scanning channel CentOS 6 Updates - x86_64
INFO: Scanning channel Spacewalk Client - x86_64
INFO: Scanning channel EPEL EL6 - x86_64
...
Veröffentlichte Errata in Spacewalk

Veröffentlichte Errata in Spacewalk

The script scans all software channels (in this case  amongst others CentOS 6 Base, Extras and Updates as well as EPEL) and assigns matching errata. Depending on your amount of software channels this can take a couple of minutes.

The parameter –publish is very important to make sure that all suitable erratas are published automatically to your spacewalk system.

It is recommend to create a dedicated Satellite user for the script so that you don’t have to use the credentials of your administrator account in the script. Using the variables SPACEWALK_USER and SPACEWALK_PASS these credentials need to be provided in plaintext. The “Channel Administrator” role needs to be assign to this user.

My cronjob looks like this:

# vi /etc/cron.daily/spacewalk_sync.cron
#!/bin/sh
MAILTO=root

# try to create the lock and check the outcome
LOCKFILE=/var/run/spacewalk_sync.lock
#lockfile -r 0 ${LOCKFILE} 1>/dev/null 2>&1
#status=$?
#if [ ${status} -ne 0 ] ;then
if [ -e "$LOCKFILE" ]; then
        echo "Another instance already running. Aborting."
        exit 1
else
        touch "$LOCKFILE"
fi
trap "rm ${LOCKFILE}" EXIT

#sync channels and publish updates
/usr/bin/spacewalk-repo-sync --channel centos6-base-x86_64 
                             --url http://mirror.centos.org/centos/6/os/x86_64/ 
                             --type yum -c centos6-base-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel centos6-updates-x86_64 
                             --url http://mirror.centos.org/centos/6/updates/x86_64/ 
                             --type yum -c centos6-updates-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel centos6-extras-x86_64 
                             --url http://mirror.centos.org/centos/6/extras/x86_64/ 
                             --type yum -c centos6-extras-x86_64 >/dev/null

/usr/bin/spacewalk-repo-sync --channel epel-el6-x86_64 
                             --url http://ftp-stud.hs-esslingen.de/pub/epel/6/x86_64/ 
                             --type yum -c epel-el6-x86_64 >/dev/null

#get errata file and checksums
cd /tmp
wget -N http://cefs.steve-meier.de/errata.latest.xml 1>/dev/null 2>&1
wget -N http://cefs.steve-meier.de/errata.latest.md5 1>/dev/null 2>&1
wget -N http://www.redhat.com/security/data/oval/com.redhat.rhsa-all.xml.bz2 1>/dev/null 2>&1
bunzip2 -f /tmp/com.redhat.rhsa-all.xml.bz2

#verify integrity
grep "errata.latest.xml$" errata.latest.md5 > myerrata.md5
md5sum -c myerrata.md5 1>/dev/null 2>&1
if [ "$?" == 0 ]; then
        #ok - import errata
        SPACEWALK_PASS=xyz SPACEWALK_USER=su-errata /opt/tools/errata-import.pl --server localhost --errata errata.latest.xml --include-channels=centos6-updates-x86_64,epel-el6-x86_64 --rhsa-oval=/tmp/com.redhat.rhsa-all.xml --publish 1>/dev/null
        if [ "$?" != 0 ]; then
                echo "It seems like there was a problem while publishing the most recent errata..."
                exit 1
        fi
        rm /tmp/myerrata.md5
else
        #errata information possibly invalid
        echo "ERROR: md5 checksum mismatch, check download!"
        exit 1
fi

First of all the recent XML document and the checksums of all XML documents (there are also compressed versions) are downloaded. After that a temporary file only containing the md5 checksum of the downloaded file is created. Using this file the integrity of the download is checked before errata information are imported and published.

Sharing is caring


Tweet about this on TwitterShare on FacebookShare on Google+Share on LinkedInShare on XingShare on RedditPrint this pageEmail this to someone

Leave a Reply