File spacewalk-proxy-installer-git-0.484b753.obscpio of Package spacewalk-proxy-installer
spacewalk-proxy-installer/LICENSE
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your
freedom to share and change it. By contrast, the GNU General Public
License is intended to guarantee your freedom to share and change free
software--to make sure the software is free for all its users. This
General Public License applies to most of the Free Software
Foundation's software and to any other program whose authors commit to
using it. (Some other Free Software Foundation software is covered by
the GNU Lesser General Public License instead.) You can apply it to
your programs, too.
When we speak of free software, we are referring to freedom, not
price. Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
this service if you wish), that you receive source code or can get it
if you want it, that you can change the software or use pieces of it
in new free programs; and that you know you can do these things.
To protect your rights, we need to make restrictions that forbid
anyone to deny you these rights or to ask you to surrender the rights.
These restrictions translate to certain responsibilities for you if you
distribute copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether
gratis or for a fee, you must give the recipients all the rights that
you have. You must make sure that they, too, receive or can get the
source code. And you must show them these terms so they know their
rights.
We protect your rights with two steps: (1) copyright the software, and
(2) offer you this license which gives you legal permission to copy,
distribute and/or modify the software.
Also, for each author's protection and ours, we want to make certain
that everyone understands that there is no warranty for this free
software. If the software is modified by someone else and passed on, we
want its recipients to know that what they have is not the original, so
that any problems introduced by others will not reflect on the original
authors' reputations.
Finally, any free program is threatened constantly by software
patents. We wish to avoid the danger that redistributors of a free
program will individually obtain patent licenses, in effect making the
program proprietary. To prevent this, we have made it clear that any
patent must be licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and
modification follow.
GNU GENERAL PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains
a notice placed by the copyright holder saying it may be distributed
under the terms of this General Public License. The "Program", below,
refers to any such program or work, and a "work based on the Program"
means either the Program or any derivative work under copyright law:
that is to say, a work containing the Program or a portion of it,
either verbatim or with modifications and/or translated into another
language. (Hereinafter, translation is included without limitation in
the term "modification".) Each licensee is addressed as "you".
Activities other than copying, distribution and modification are not
covered by this License; they are outside its scope. The act of
running the Program is not restricted, and the output from the Program
is covered only if its contents constitute a work based on the
Program (independent of having been made by running the Program).
Whether that is true depends on what the Program does.
1. You may copy and distribute verbatim copies of the Program's
source code as you receive it, in any medium, provided that you
conspicuously and appropriately publish on each copy an appropriate
copyright notice and disclaimer of warranty; keep intact all the
notices that refer to this License and to the absence of any warranty;
and give any other recipients of the Program a copy of this License
along with the Program.
You may charge a fee for the physical act of transferring a copy, and
you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion
of it, thus forming a work based on the Program, and copy and
distribute such modifications or work under the terms of Section 1
above, provided that you also meet all of these conditions:
a) You must cause the modified files to carry prominent notices
stating that you changed the files and the date of any change.
b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any
part thereof, to be licensed as a whole at no charge to all third
parties under the terms of this License.
c) If the modified program normally reads commands interactively
when run, you must cause it, when started running for such
interactive use in the most ordinary way, to print or display an
announcement including an appropriate copyright notice and a
notice that there is no warranty (or else, saying that you provide
a warranty) and that users may redistribute the program under
these conditions, and telling the user how to view a copy of this
License. (Exception: if the Program itself is interactive but
does not normally print such an announcement, your work based on
the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If
identifiable sections of that work are not derived from the Program,
and can be reasonably considered independent and separate works in
themselves, then this License, and its terms, do not apply to those
sections when you distribute them as separate works. But when you
distribute the same sections as part of a whole which is a work based
on the Program, the distribution of the whole must be on the terms of
this License, whose permissions for other licensees extend to the
entire whole, and thus to each and every part regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest
your rights to work written entirely by you; rather, the intent is to
exercise the right to control the distribution of derivative or
collective works based on the Program.
In addition, mere aggregation of another work not based on the Program
with the Program (or with a work based on the Program) on a volume of
a storage or distribution medium does not bring the other work under
the scope of this License.
3. You may copy and distribute the Program (or a work based on it,
under Section 2) in object code or executable form under the terms of
Sections 1 and 2 above provided that you also do one of the following:
a) Accompany it with the complete corresponding machine-readable
source code, which must be distributed under the terms of Sections
1 and 2 above on a medium customarily used for software interchange; or,
b) Accompany it with a written offer, valid for at least three
years, to give any third party, for a charge no more than your
cost of physically performing source distribution, a complete
machine-readable copy of the corresponding source code, to be
distributed under the terms of Sections 1 and 2 above on a medium
customarily used for software interchange; or,
c) Accompany it with the information you received as to the offer
to distribute corresponding source code. (This alternative is
allowed only for noncommercial distribution and only if you
received the program in object code or executable form with such
an offer, in accord with Subsection b above.)
The source code for a work means the preferred form of the work for
making modifications to it. For an executable work, complete source
code means all the source code for all modules it contains, plus any
associated interface definition files, plus the scripts used to
control compilation and installation of the executable. However, as a
special exception, the source code distributed need not include
anything that is normally distributed (in either source or binary
form) with the major components (compiler, kernel, and so on) of the
operating system on which the executable runs, unless that component
itself accompanies the executable.
If distribution of executable or object code is made by offering
access to copy from a designated place, then offering equivalent
access to copy the source code from the same place counts as
distribution of the source code, even though third parties are not
compelled to copy the source along with the object code.
4. You may not copy, modify, sublicense, or distribute the Program
except as expressly provided under this License. Any attempt
otherwise to copy, modify, sublicense or distribute the Program is
void, and will automatically terminate your rights under this License.
However, parties who have received copies, or rights, from you under
this License will not have their licenses terminated so long as such
parties remain in full compliance.
5. You are not required to accept this License, since you have not
signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works. These actions are
prohibited by law if you do not accept this License. Therefore, by
modifying or distributing the Program (or any work based on the
Program), you indicate your acceptance of this License to do so, and
all its terms and conditions for copying, distributing or modifying
the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the
original licensor to copy, distribute or modify the Program subject to
these terms and conditions. You may not impose any further
restrictions on the recipients' exercise of the rights granted herein.
You are not responsible for enforcing compliance by third parties to
this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot
distribute so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you
may not distribute the Program at all. For example, if a patent
license would not permit royalty-free redistribution of the Program by
all those who receive copies directly or indirectly through you, then
the only way you could satisfy both it and this License would be to
refrain entirely from distribution of the Program.
If any portion of this section is held invalid or unenforceable under
any particular circumstance, the balance of the section is intended to
apply and the section as a whole is intended to apply in other
circumstances.
It is not the purpose of this section to induce you to infringe any
patents or other property right claims or to contest validity of any
such claims; this section has the sole purpose of protecting the
integrity of the free software distribution system, which is
implemented by public license practices. Many people have made
generous contributions to the wide range of software distributed
through that system in reliance on consistent application of that
system; it is up to the author/donor to decide if he or she is willing
to distribute software through any other system and a licensee cannot
impose that choice.
This section is intended to make thoroughly clear what is believed to
be a consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in
certain countries either by patents or by copyrighted interfaces, the
original copyright holder who places the Program under this License
may add an explicit geographical distribution limitation excluding
those countries, so that distribution is permitted only in or among
countries not thus excluded. In such case, this License incorporates
the limitation as if written in the body of this License.
9. The Free Software Foundation may publish revised and/or new versions
of the General Public License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free
programs whose distribution conditions are different, write to the author
to ask for permission. For software which is copyrighted by the Free
Software Foundation, write to the Free Software Foundation; we sometimes
make exceptions for this. Our decision will be guided by the two goals
of preserving the free status of all derivatives of our free software and
of promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
REPAIR OR CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest
possible use to the public, the best way to achieve this is to make it
free software which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest
to attach them to the start of each source file to most effectively
convey the exclusion of warranty; and each file should have at least
the "copyright" line and a pointer to where the full notice is found.
<one line to give the program's name and a brief idea of what it does.>
Copyright (C) <year> <name of author>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this
when it starts in an interactive mode:
Gnomovision version 69, Copyright (C) year name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may
be called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
`Gnomovision' (which makes passes at compilers) written by James Hacker.
<signature of Ty Coon>, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Lesser General
Public License instead of this License.
spacewalk-proxy-installer/Makefile.python
THIS_MAKEFILE := $(realpath $(lastword $(MAKEFILE_LIST)))
CURRENT_DIR := $(dir $(THIS_MAKEFILE))
include $(CURRENT_DIR)../../rel-eng/Makefile.python
# Docker tests variables
DOCKER_CONTAINER_BASE = uyuni-master
DOCKER_REGISTRY = registry.mgr.suse.de
DOCKER_RUN_EXPORT = "PYTHONPATH=$PYTHONPATH"
DOCKER_VOLUMES = -v "$(CURDIR)/../../:/manager"
__pylint ::
	$(call update_pip_env)
	pylint --rcfile=pylintrc $(shell find -name '*.py') > reports/pylint.log || true
docker_pylint ::
	docker run --rm -e $(DOCKER_RUN_EXPORT) $(DOCKER_VOLUMES) $(DOCKER_REGISTRY)/$(DOCKER_CONTAINER_BASE)-pgsql /bin/sh -c "cd /manager/proxy/installer/; make -f Makefile.python __pylint"
docker_shell ::
	docker run -t -i --rm -e $(DOCKER_RUN_EXPORT) $(DOCKER_VOLUMES) $(DOCKER_REGISTRY)/$(DOCKER_CONTAINER_BASE)-pgsql /bin/bash
spacewalk-proxy-installer/answers.txt
# example of an answer file for configure-proxy.sh
# for the full list of possible options see
# man configure-proxy.sh
VERSION=1.2
RHN_PARENT=your.susemanager.org
TRACEBACK_EMAIL=your@email.com
SSL_EMAIL=$TRACEBACK_EMAIL
FORCE_OWN_CA=
SSL_BUILD_DIR=/root/ssl-build
SSL_ORG="Your Org"
SSL_ORGUNIT="Spacewalk"
SSL_COMMON="CommonName"
SSL_CITY=Raleigh
SSL_STATE=NC
SSL_COUNTRY=US
SSL_PASSWORD=spacewalk-ssl-cert-password
CA_CHAIN=/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
HTTP_PROXY=
HTTP_USERNAME=
HTTP_PASSWORD=
# Use the following variables to import custom SSL keys/certificates
USE_EXISTING_CERTS=N
CA_CERT=/root/my_ca.crt
SERVER_CERT=/root/my_server.crt
SERVER_KEY=/root/my_server.key
# If you want to populate configuration channel
# and want to have really silent installation, then
# you must run rhncfg-manager to enter your login
# and password first. Otherwise you will be asked for
# these during proxy activation.
POPULATE_CONFIG_CHANNEL=Y
# if you do not want to start services after configuration
# set this variable to 0 or N
START_SERVICES=Y
# cname aliases for proxy, this MUST be in parentheses and separated by space
# do not put here the original hostname
#SSL_CNAME=(cname.alias.com another.alias.com)
spacewalk-proxy-installer/cobbler-proxy.conf
ProxyPass /cobbler_api https://$RHN_PARENT/download/cobbler_api
ProxyPassReverse /cobbler_api https://$RHN_PARENT/download/cobbler_api
RewriteRule ^/cblr/svc/op/ks/(.*)$ /download/$0 [P,L]
RewriteRule ^/cblr/svc/op/autoinstall/(.*)$ /download/$0 [P,L]
ProxyPass /cblr https://$RHN_PARENT/cblr
ProxyPassReverse /cblr https://$RHN_PARENT/cblr
ProxyPass /cobbler https://$RHN_PARENT/cobbler
ProxyPassReverse /cobbler https://$RHN_PARENT/cobbler
spacewalk-proxy-installer/configure-proxy.sh
#!/bin/bash
if [ 0$UID -gt 0 ]; then
echo Run as root.
exit 1
fi
if [ ! -e /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT -a -e /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT ]; then
ln -s /etc/pki/trust/anchors/RHN-ORG-TRUSTED-SSL-CERT /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT
fi
print_help() {
cat <<HELP
usage: configure-proxy.sh [options]
options:
--activate-SLP
activate the SLP server so SUSE Manager proxy gets advertised
--answer-file=filename
Indicates the location of an answer file to be used for answering
questions asked during the installation process. See man page
for an example and documentation.
--force-own-ca
Do not use parent CA and force to create your own.
-h, --help
show this help message and exit
--http-password=HTTP_PASSWORD
The password to use for an authenticated proxy.
--http-proxy=HTTP_PROXY
HTTP proxy in host:port format, e.g. squid.redhat.com:3128
--http-username=HTTP_USERNAME
The username for an authenticated proxy.
--non-interactive
For use only with --answer-file. If the --answer-file doesn't
provide a required response, default answer is used.
--populate-config-channel
Create config channel and save configuration files to that channel.
Configuration channel name is rhn_proxy_config_\${SYSTEM_ID}.
--rhn-password=RHN_PASSWORD
Red Hat Network or Spacewalk password.
--rhn-user=RHN_USER
Red Hat Network or Spacewalk user account.
--ssl-build-dir=SSL_BUILD_DIR
The directory where we build SSL certificate. Default is /root/ssl-build
--ssl-city=SSL_CITY
City to be used in SSL certificate.
--ssl-common=SSL_COMMON
Common name to be used in SSL certificate.
--ssl-country=SSL_COUNTRY
Two-letter country code to be used in SSL certificate.
--ssl-email=SSL_EMAIL
Email to be used in SSL certificate.
--ssl-org=SSL_ORG
Organization name to be used in SSL certificate.
--ssl-orgunit=SSL_ORGUNIT
Organization unit name to be used in SSL certificate.
--ssl-password=SSL_PASSWORD
Password to be used for SSL CA certificate.
--ssl-state=SSL_STATE
State to be used in SSL certificate.
--ssl-cname=CNAME_ALIAS
Cname alias of the machine. Can be specified multiple times.
--start-services[=N]
1 or Y to start all services after configuration. This is default.
0 or N to not start services after configuration.
--traceback-email=TRACEBACK_EMAIL
Email to which tracebacks should be sent.
--ssl-use-existing-certs
Use custom SSL certificates instead of generating new ones (use
--ssl-ca-cert, --ssl-server-key and --ssl-server-cert parameters to
specify paths).
--ssl-ca-cert
Use a custom CA certificate from the given file.
--ssl-server-key
Use a server private SSL key from the given file.
--ssl-server-cert
Use a server public SSL certificate from the given file.
--version=VERSION
Version of Spacewalk Proxy Server you want to activate.
HELP
exit 1
}
open_firewall_ports() {
echo "Open needed firewall ports..."
if [ -x /usr/bin/firewall-cmd ]; then
firewall-cmd --state 2> /dev/null
if [ $? -eq 0 ]; then
firewall-cmd --permanent --zone=public --add-service=suse-manager-proxy
firewall-cmd --reload
else
firewall-offline-cmd --zone=public --add-service=suse-manager-proxy
fi
else
echo "firewalld not installed" >&2
fi
}
parse_answer_file() {
local FILE="$1"
local ALIAS
if [ ! -r "$FILE" ] ; then
echo "Answer file '$FILE' is not readable."
exit 1
fi
. "$FILE"
for ALIAS in ${SSL_CNAME[@]}; do
SSL_CNAME_PARSED[CNAME_INDEX++]=--set-cname=$ALIAS
done
}
set_value() {
local OPTION="$1"
local VAR="$2"
local ARG="$3"
[[ "$ARG" =~ ^- ]] \
&& echo "$0: option $OPTION requires argument! Use answer file if your argument starts with '-'." \
&& print_help
eval "$(printf "%q=%q" "$VAR" "$ARG")"
}
yes_no() {
case "$1" in
Y|y|Y/n|n/Y|1)
echo 1
;;
*)
echo 0
;;
esac
}
INTERACTIVE=1
INTERACTIVE_RETRIES=3
CNAME_INDEX=0
MANUAL_ANSWERS=0
OPTS=$(getopt --longoptions=help,activate-SLP,answer-file:,non-interactive,version:,traceback-email:,force-own-ca,http-proxy:,http-username:,http-password:,rhn-user:,rhn-password:,ssl-build-dir:,ssl-org:,ssl-orgunit:,ssl-common:,ssl-city:,ssl-state:,ssl-country:,ssl-email:,ssl-password:,ssl-cname:,ssl-use-existing-certs::,ssl-ca-cert:,ssl-server-key:,ssl-server-cert:,rhn-user:,rhn-password:,populate-config-channel::,start-services:: -n ${0##*/} -- h "$@")
if [ $? != 0 ] ; then
print_help
fi
# It is getopt's responsibility to make this safe
eval set -- "$OPTS"
while : ; do
case "$1" in
--help|-h) print_help;;
--activate-SLP) ACTIVATE_SLP=1;;
--answer-file) set_value "$1" ANSWER_FILE "$2";
parse_answer_file "$ANSWER_FILE"; shift;;
--non-interactive) INTERACTIVE=0;;
--version) set_value "$1" VERSION "$2"; shift;;
--traceback-email) set_value "$1" TRACEBACK_EMAIL "$2"; shift;;
--force-own-ca) FORCE_OWN_CA=1;;
--http-proxy) set_value "$1" HTTP_PROXY "$2"; shift;;
--http-username) set_value "$1" HTTP_USERNAME "$2"; shift;;
--http-password) set_value "$1" HTTP_PASSWORD "$2"; shift;;
--ssl-build-dir) set_value "$1" SSL_BUILD_DIR "$2"; shift;;
--ssl-org) set_value "$1" SSL_ORG "$2"; shift;;
--ssl-orgunit) set_value "$1" SSL_ORGUNIT "$2"; shift;;
--ssl-common) set_value "$1" SSL_COMMON "$2"; shift;;
--ssl-city) set_value "$1" SSL_CITY "$2"; shift;;
--ssl-state) set_value "$1" SSL_STATE "$2"; shift;;
--ssl-country) set_value "$1" SSL_COUNTRY "$2"; shift;;
--ssl-email) set_value "$1" SSL_EMAIL "$2"; shift;;
--ssl-password) set_value "$1" SSL_PASSWORD "$2"; shift;;
--ssl-cname) SSL_CNAME_PARSED[CNAME_INDEX++]="--set-cname=$2"; shift;;
--start-services) START_SERVICES="${2:-Y}"; shift;;
--rhn-user) set_value "$1" RHN_USER "$2"; shift;;
--rhn-password) set_value "$1" RHN_PASSWORD "$2"; shift;;
--ssl-use-existing-certs) USE_EXISTING_CERTS="${2:-Y}"; shift;;
--ssl-ca-cert) set_value "$1" CA_CERT "$2"; shift;;
--ssl-server-key) set_value "$1" SERVER_KEY "$2"; shift;;
--ssl-server-cert) set_value "$1" SERVER_CERT "$2"; shift;;
--) shift;
if [ $# -gt 0 ] ; then
echo "Error: Extra arguments found: $@"
print_help
exit 1
fi
break;;
*) echo Error: Invalid option $1; exit 1;;
esac
shift
done
# params dep check
if [[ $INTERACTIVE == 0 && -z $ANSWER_FILE ]]; then
echo "Option --non-interactive is for use only with option --answer-file."
exit 1
fi
ACCUMULATED_ANSWERS=""
generate_answers() {
if [ "$INTERACTIVE" = 1 -a "$MANUAL_ANSWERS" = 1 ]; then
local WRITE_ANSWERS
echo "There were some answers you had to enter manually."
echo "Would you like to have written those into file"
echo -n "formatted as answers file? [Y/n]: "
read WRITE_ANSWERS
WRITE_ANSWERS=$(yes_no ${WRITE_ANSWERS:-Y})
if [ "$WRITE_ANSWERS" = 1 ]; then
local tmp=$(mktemp proxy-answers.txt.XXXXX)
echo "Writing $tmp"
echo "# Answer file generated by ${0##*/} at $(date)$ACCUMULATED_ANSWERS" > $tmp
fi
fi
}
default_or_input() {
local MSG="$1"
local VARIABLE="$2"
local DEFAULT="$3"
local INPUT
local CURRENT_VALUE=${!VARIABLE}
# the following code uses a less common parameter expansion:
# var_a=${var_b:-word}
# which behaves like: var_a = (var_b is set and non-empty) ? $var_b : word
DEFAULT=${CURRENT_VALUE:-$DEFAULT}
local VARIABLE_ISSET=$(set | grep "^$VARIABLE=")
echo -n "$MSG [$DEFAULT]: "
if [ "$INTERACTIVE" = "1" -a -z "$VARIABLE_ISSET" ]; then
MANUAL_ANSWERS=1
read INPUT
elif [ -z "$VARIABLE_ISSET" ]; then
echo "$DEFAULT"
else
DEFAULT=${!VARIABLE}
echo "$DEFAULT"
fi
if [ -z "$INPUT" ]; then
if [ "$DEFAULT" = "y/N" -o "$DEFAULT" = "Y/n" ]; then
INPUT=$(yes_no "$DEFAULT")
else
INPUT="$DEFAULT"
fi
fi
ACCUMULATED_ANSWERS+=$(printf "\n%q=%q" "$VARIABLE" "${INPUT:-$DEFAULT}")
eval "$(printf "%q=%q" "$VARIABLE" "$INPUT")"
}
config_error() {
if [ $1 -gt 0 ]; then
echo "$2 Installation interrupted."
/usr/sbin/rhn-proxy-activate \
--server="$RHN_PARENT" \
--http-proxy="$HTTP_PROXY" \
--http-proxy-username="$HTTP_USERNAME" \
--http-proxy-password="$HTTP_PASSWORD" \
--ca-cert="$CA_CHAIN" \
--deactivate --non-interactive
generate_answers
exit $1
fi
}
# Return 0 if rhnParent is Hosted. Otherwise return 1.
is_hosted() {
return 1
}
check_ca_conf() {
if [ -f /root/ssl-build/rhn-ca-openssl.cnf ] \
&& awk '/^[[:space:]]*\[[[:space:]]*[_[:alnum:]]*[[:space:]]*]/ {CORRECT_SECTION=0} \
/^[[:space:]]*\[[[:space:]]*CA_default[[:space:]]*]/ {CORRECT_SECTION=1} \
/^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy/ && CORRECT_SECTION==1 {exit 1}' \
/root/ssl-build/rhn-ca-openssl.cnf > /dev/null \
&& [ ${#SSL_CNAME_PARSED[@]} -gt 0 ]; then
cat <<WARNING
It seems you tried to use the --set-cname option. On inspection we noticed that the openssl configuration file we use is missing a critically important option. Without this option, not only will multi host SSL certificates not work, but the planet Earth will implode in a massive rip in the time/space continuum. To avoid this failure, we choose to gracefully exit here and request for you to edit the openssl configuration file
/root/ssl-build/rhn-ca-openssl.cnf
and add this line:
copy_extensions = copy
in
[ CA_default ]
section.
Then re-run this script again.
WARNING
generate_answers
exit 3
fi
}
YUM="yum install"
UPGRADE="yum upgrade"
# add -y for non-interactive installation
if [ "$INTERACTIVE" = "0" ]; then
YUM="$YUM -y"
UPGRADE="$UPGRADE -y"
fi
if [ -x /usr/bin/zypper ]; then
YUM="zypper install"
UPGRADE="zypper update"
# add --non-interactive for non-interactive installation
if [ "$INTERACTIVE" = "0" ]; then
YUM="zypper --non-interactive install"
UPGRADE="zypper --non-interactive update"
fi
fi
SYSCONFIG_DIR=/etc/sysconfig/rhn
RHNCONF_DIR=/etc/rhn
HTTPDCONF_DIR=/etc/apache2
HTTPDCONFD_DIR=/etc/apache2/conf.d
#HTMLPUB_DIR=/var/www/html/pub
HTMLPUB_DIR=/srv/www/htdocs/pub
SQUID_DIR=/etc/squid
UP2DATE_FILE=$SYSCONFIG_DIR/up2date
SYSTEMID_PATH=$(awk -F '=[[:space:]]*' '/^[[:space:]]*systemIdPath[[:space:]]*=/ {print $2}' $UP2DATE_FILE)
PYTHON_CMD=""
systemctl is-active --quiet salt-minion && PYTHON_CMD="/usr/bin/python3"
systemctl is-active --quiet venv-salt-minion && PYTHON_CMD="/usr/lib/venv-salt-minion/bin/python"
if [[ -n $PYTHON_CMD ]]; then
$PYTHON_CMD /usr/share/rhn/proxy-installer/fetch-certificate.py $SYSTEMID_PATH
MASTER_CONF=/etc/salt/minion.d/susemanager.conf
if [ -f /etc/venv-salt-minion/minion.d/susemanager.conf ]; then
MASTER_CONF=/etc/venv-salt-minion/minion.d/susemanager.conf
fi
PROPOSED_PARENT=$(grep ^[[:blank:]]*master $MASTER_CONF | sed -e "s/.*:[[:blank:]]*//")
else
PROPOSED_PARENT=$(awk -F= '/serverURL=/ {split($2, a, "/")} END { print a[3]}' $UP2DATE_FILE)
fi
if [ ! -r $SYSTEMID_PATH ]; then
echo ERROR: This machine does not appear to be registered with SUSE Manager Server
exit 2
fi
SYSTEM_ID=$(/usr/bin/xsltproc /usr/share/rhn/get_system_id.xslt $SYSTEMID_PATH | cut -d- -f2)
DIR=/usr/share/rhn/proxy-template
HOSTNAME=$(hostname -f)
default_or_input "SUSE Manager Parent" RHN_PARENT $PROPOSED_PARENT
sed -i -e "s/^serverURL=.*/serverURL=https:\/\/$RHN_PARENT\/XMLRPC/" /etc/sysconfig/rhn/up2date
CA_CHAIN=$(awk -F'[=;]' '/sslCACert=/ {a=$2} END {print a}' $UP2DATE_FILE)
echo "Using CA Chain (from $UP2DATE_FILE): $CA_CHAIN"
if ! /bin/su nobody -s /bin/sh --command="[ -r $CA_CHAIN ]" ; then
echo Error: File $CA_CHAIN is not readable by nobody user.
exit 1
fi
default_or_input "HTTP Proxy" HTTP_PROXY ''
if [ "$HTTP_PROXY" != "" ]; then
default_or_input "HTTP username" HTTP_USERNAME ''
if [ "$HTTP_USERNAME" != "" ]; then
default_or_input "HTTP password" HTTP_PASSWORD ''
fi
fi
VERSION=$(rpm -q --queryformat %{version} spacewalk-proxy-installer|cut -d. -f1-2)
ACCUMULATED_ANSWERS+=$(printf "\n%q=%q" "VERSION" "$VERSION")
default_or_input "Traceback email" TRACEBACK_EMAIL ''
# let's do the SSL stuff
cat <<SSLCERT
You will now need to either generate or import an SSL certificate.
This SSL certificate will allow client systems to connect to this Uyuni Proxy
securely. Refer to the Uyuni Proxy Installation Guide for more information.
SSLCERT
default_or_input "Do you want to import existing certificates?" \
USE_EXISTING_CERTS "y/N"
USE_EXISTING_CERTS=$(yes_no $USE_EXISTING_CERTS)
FORCE_OWN_CA=$(yes_no $FORCE_OWN_CA)
SSL_BUILD_DIR=${SSL_BUILD_DIR:-/root/ssl-build}
if ! [ -d $SSL_BUILD_DIR ] && [ 0$FORCE_OWN_CA -eq 0 ] && [ 0$USE_EXISTING_CERTS -eq 0 ]; then
mkdir -p $SSL_BUILD_DIR
fi
if [ 0$FORCE_OWN_CA -eq 0 ] && \
[ 0$USE_EXISTING_CERTS -eq 0 ] && \
! is_hosted "$RHN_PARENT" && \
[ ! -f /root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY ] && \
! diff $CA_CHAIN /root/ssl-build/RHN-ORG-TRUSTED-SSL-KEY &>/dev/null; then
cat <<CA_KEYS
Please do copy your CA key and public certificate from $RHN_PARENT to
/root/ssl-build directory. You may want to execute this command:
scp 'root@$RHN_PARENT:/root/ssl-build/{RHN-ORG-PRIVATE-SSL-KEY,RHN-ORG-TRUSTED-SSL-CERT,rhn-ca-openssl.cnf}' $SSL_BUILD_DIR
Please note that you need to re-run the proxy configure script after copying the certificate!
CA_KEYS
exit 1
fi
check_ca_conf
if [ -n "$SSL_PASSWORD" ] ; then
# use SSL_PASSWORD if already set
RHN_SSL_TOOL_PASSWORD_OPTION="--password"
RHN_SSL_TOOL_PASSWORD="$SSL_PASSWORD"
elif [ "$INTERACTIVE" = "0" ] && [ 0$USE_EXISTING_CERTS -eq 0 ] ; then
# non-interactive mode but no SSL_PASSWORD :(
config_error 4 "Please define SSL_PASSWORD."
fi
# get input for generating CA/server certs
if [ 0$USE_EXISTING_CERTS -eq 0 ]; then
default_or_input "Organization" SSL_ORG ''
default_or_input "Organization Unit" SSL_ORGUNIT "$HOSTNAME"
default_or_input "Common Name" SSL_COMMON "$HOSTNAME"
default_or_input "City" SSL_CITY ''
default_or_input "State" SSL_STATE ''
default_or_input "Country code" SSL_COUNTRY ''
default_or_input "Email" SSL_EMAIL "$TRACEBACK_EMAIL"
if [ ${#SSL_CNAME_PARSED[@]} -eq 0 ]; then
VARIABLE_ISSET=$(set | grep "^SSL_CNAME=")
if [ -z "$VARIABLE_ISSET" ]; then
default_or_input "Cname aliases (separated by space)" SSL_CNAME_ASK ''
CNAME=($SSL_CNAME_ASK)
for ALIAS in ${CNAME[@]}; do
SSL_CNAME_PARSED[CNAME_INDEX++]=--set-cname=$ALIAS
done
check_ca_conf
fi
fi
fi
if [ "$USE_EXISTING_CERTS" -eq "1" ]; then
default_or_input "Path to CA SSL certificate:" CA_CERT ""
if [ ! -e "$CA_CERT" ]; then
config_error 1 "Given file doesn't exist!"
fi
default_or_input "Path to the Proxy Server's SSL key:" SERVER_KEY ""
if [ ! -e "$SERVER_KEY" ]; then
config_error 1 "Given file doesn't exist!"
fi
default_or_input "Path to the Proxy Server's SSL certificate:" SERVER_CERT ""
if [ ! -e "$SERVER_CERT" ]; then
config_error 1 "Given file doesn't exist!"
fi
else
if [ ! -f $SSL_BUILD_DIR/RHN-ORG-PRIVATE-SSL-KEY ]; then
echo "Generating CA key and public certificate:"
/usr/bin/rhn-ssl-tool --gen-ca --no-rpm -q \
--dir="$SSL_BUILD_DIR" \
--set-common-name="$SSL_COMMON" \
--set-country="$SSL_COUNTRY" \
--set-city="$SSL_CITY" \
--set-state="$SSL_STATE" \
--set-org="$SSL_ORG" \
--set-org-unit="$SSL_ORGUNIT" \
--set-email="$SSL_EMAIL" \
$RHN_SSL_TOOL_PASSWORD_OPTION $RHN_SSL_TOOL_PASSWORD
config_error $? "CA certificate generation failed!"
fi
CA_CERT=$SSL_BUILD_DIR/RHN-ORG-TRUSTED-SSL-CERT
fi
if [ "$USE_EXISTING_CERTS" -eq "0" ]; then
echo "Using CA key at $SSL_BUILD_DIR/RHN-ORG-PRIVATE-SSL-KEY."
IFS="."; arrIN=($HOSTNAME); unset IFS
unset 'arrIN[${#arrIN[@]}-1]'
unset 'arrIN[${#arrIN[@]}-1]'
SYS_NAME=$(IFS=. eval 'echo "${arrIN[*]}"')
echo "Generating SSL key and public certificate."
/usr/bin/rhn-ssl-tool --gen-server -q --no-rpm \
--set-hostname "$HOSTNAME" \
--dir="$SSL_BUILD_DIR" \
--set-country="$SSL_COUNTRY" \
--set-city="$SSL_CITY" \
--set-state="$SSL_STATE" \
--set-org="$SSL_ORG" \
--set-org-unit="$SSL_ORGUNIT" \
--set-email="$SSL_EMAIL" \
${SSL_CNAME_PARSED[@]} \
$RHN_SSL_TOOL_PASSWORD_OPTION $RHN_SSL_TOOL_PASSWORD
config_error $? "SSL key generation failed!"
SERVER_KEY=$SSL_BUILD_DIR/$SYS_NAME/server.key
SERVER_CERT=$SSL_BUILD_DIR/$SYS_NAME/server.crt
fi
echo "Installing SSL certificates:"
/usr/bin/mgr-ssl-cert-setup --root-ca-file=$CA_CERT --server-cert-file=$SERVER_CERT --server-key-file=$SERVER_KEY
/usr/sbin/rhn-proxy-activate --server="$RHN_PARENT" \
--http-proxy="$HTTP_PROXY" \
--http-proxy-username="$HTTP_USERNAME" \
--http-proxy-password="$HTTP_PASSWORD" \
--ca-cert="$CA_CHAIN" \
--version="$VERSION" \
--non-interactive
config_error $? "Proxy activation failed!"
rpm -q rhn-apache >/dev/null
if [ $? -eq 0 ]; then
echo "Package rhn-apache present - assuming upgrade:"
echo "Force removal of /etc/httpd/conf/httpd.conf - backed up to /etc/httpd/conf/httpd.conf.rpmsave"
mv /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.rpmsave
fi
if [ -x /usr/sbin/rhn-proxy ]; then
/usr/sbin/rhn-proxy stop
fi
$YUM spacewalk-proxy-management
# check that the package installed successfully
rpm -q spacewalk-proxy-management >/dev/null
if [ $? -ne 0 ]; then
config_error 2 "Installation of package spacewalk-proxy-management failed."
fi
$UPGRADE
# size of squid disk cache will be 60% of free space on /var/cache/squid
# df -P give free space in kB
# * 60 / 100 is 60% of that space
# / 1024 is to get value in MB
SQUID_SIZE=$(df -P /var/cache/squid | awk '{a=$4} END {printf("%d", a * 60 / 100 / 1024)}')
SQUID_REWRITE="s|cache_dir ufs /var/cache/squid 15000 16 256|cache_dir ufs /var/cache/squid $SQUID_SIZE 16 256|g;"
SQUID_VER_MAJOR=$(squid -v | awk -F'[ .]' '/Version/ {print $4}')
if [ $SQUID_VER_MAJOR -ge 3 ] ; then
# squid 3.X has acl 'all' built-in
SQUID_REWRITE="$SQUID_REWRITE s/^acl all.*//;"
# squid 3.2 and later need none instead of -1 for range_offset_limit
SQUID_VER_MINOR=$(squid -v | awk -F'[ .]' '/Version/ {print $5}')
if [[ $SQUID_VER_MAJOR -ge 4 || ( $SQUID_VER_MAJOR -eq 3 && $SQUID_VER_MINOR -ge 2 ) ]] ; then
SQUID_REWRITE="$SQUID_REWRITE s/^range_offset_limit.*/range_offset_limit none/;"
fi
fi
sed "$SQUID_REWRITE" < $DIR/squid.conf > $SQUID_DIR/squid.conf
sed -e "s|\${session.ca_chain:/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}|$CA_CHAIN|g" \
-e "s/\${session.http_proxy}/$HTTP_PROXY/g" \
-e "s/\${session.http_proxy_username}/$HTTP_USERNAME/g" \
-e "s/\${session.http_proxy_password}/$HTTP_PASSWORD/g" \
-e "s/\${session.rhn_parent}/$RHN_PARENT/g" \
-e "s/\${session.traceback_mail}/$TRACEBACK_EMAIL/g" \
< $DIR/rhn.conf > $RHNCONF_DIR/rhn.conf
# systemid needs to be readable by apache/proxy
for file in $SYSTEMID_PATH $UP2DATE_FILE; do
chown root:www $file
chmod 0640 $file
done
#Setup the cobbler stuff, needed to use koan through a proxy
sed -e "s/\$RHN_PARENT/$RHN_PARENT/g" < $DIR/cobbler-proxy.conf > $HTTPDCONFD_DIR/cobbler-proxy.conf
default_or_input "Do you want to use an existing ssh key for proxying ssh-push Salt minions ?" USE_EXISTING_SSH_PUSH_KEY 'y/N'
USE_EXISTING_SSH_PUSH_KEY=$(yes_no $USE_EXISTING_SSH_PUSH_KEY)
if [ "$USE_EXISTING_SSH_PUSH_KEY" -eq "1" ]; then
default_or_input "Private SSH key for connecting to the next proxy in the chain (if any) for ssh-push minions" EXISTING_SSH_KEY ''
while [[ -z "$EXISTING_SSH_KEY" || ( ! -r "$EXISTING_SSH_KEY" || ! -r "${EXISTING_SSH_KEY}.pub" ) ]]; do
echo "'$EXISTING_SSH_KEY' or '${EXISTING_SSH_KEY}.pub' don't exist or are not readable."
unset EXISTING_SSH_KEY
default_or_input "Supply a valid path" EXISTING_SSH_KEY ''
done
/usr/sbin/mgr-proxy-ssh-push-init -k $EXISTING_SSH_KEY
else
/usr/sbin/mgr-proxy-ssh-push-init
fi
open_firewall_ports
default_or_input "Activate advertising proxy via SLP?" ACTIVATE_SLP "Y/n"
ACTIVATE_SLP=$(yes_no $ACTIVATE_SLP)
if [ $ACTIVATE_SLP -ne 0 ]; then
if [ -x /usr/bin/firewall-cmd ]; then
firewall-cmd --state 2> /dev/null
if [ $? -eq 0 ]; then
firewall-cmd --permanent --zone=public --add-service=slp
firewall-cmd --reload
else
firewall-offline-cmd --zone=public --add-service=slp
fi
else
echo "firewalld not installed" >&2
fi
/usr/bin/systemctl enable slpd
/usr/bin/systemctl start slpd
fi
echo "Enabling Spacewalk Proxy."
for service in squid apache2 salt-broker; do
/usr/bin/systemctl enable $service
done
# default is 1
START_SERVICES=$(yes_no ${START_SERVICES:-1})
if [ "$START_SERVICES" = "1" ]; then
/usr/sbin/rhn-proxy restart
else
echo Skipping start of services.
echo Use "/usr/sbin/rhn-proxy start" to manually start proxy.
fi
echo "Restarting salt-broker."
/usr/bin/systemctl restart salt-broker
# do not tell admin to configure proxy on next login anymore
rm -f /etc/motd
generate_answers
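The `sed` commands above that write `rhn.conf` paste `$HTTP_PROXY`, `$HTTP_USERNAME`, `$HTTP_PASSWORD` and the other answers straight into the replacement text, so a value containing `/`, `&` or `\` either makes `sed` fail or lands in the config file altered. The following is an added example, not part of configure-proxy.sh: the helper names `sed_escape_replacement`, `render_setting` and `render_setting_unescaped` are hypothetical, and the template line and password are constructed.

```shell
#!/bin/sh
# Added example, not part of configure-proxy.sh.
# sed_escape_replacement, render_setting and render_setting_unescaped are
# hypothetical helper names; the template line below is constructed.

# Make a value safe for the replacement side of sed's s/// with "/" as the
# delimiter: "\" starts an escape, "&" means "the matched text", and "/"
# would end the replacement early. A value with a newline is rejected
# because it cannot be a single-line setting.
sed_escape_replacement() {
    case $1 in
        *'
'*) echo "refusing value that contains a newline" >&2; return 1 ;;
    esac
    # "|" is the delimiter here so "/" can sit in the bracket expression.
    printf '%s' "$1" | sed -e 's|[\\&/]|\\&|g'
}

# As in the script: the value is pasted into the sed program unchanged.
render_setting_unescaped() (
    sed -e "s/\${session\.$1}/$2/g"
)

# Hardened form: escape the value first, then substitute.
render_setting() (
    value=$(sed_escape_replacement "$2") || exit 1
    sed -e "s/\${session\.$1}/$value/g"
)

TEMPLATE='proxy.http_proxy_password = ${session.http_proxy_password}'
PASSWORD='p/ss&w\rd'    # constructed sample value

# printf is used instead of echo so backslashes are printed as they are.
printf 'escaped:   %s\n' \
    "$(printf '%s\n' "$TEMPLATE" | render_setting http_proxy_password "$PASSWORD")"
printf 'unescaped: %s\n' \
    "$(printf '%s\n' "$TEMPLATE" | render_setting_unescaped http_proxy_password "$PASSWORD" 2>&1)"
```

The same escaping applies to the `sed -i` call that rewrites `serverURL` from `$RHN_PARENT`.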
07070100000006000081B4000000000000000000000001670D22FD00003102000000000000000000000000000000000000003200000000spacewalk-proxy-installer/configure-proxy.sh.sgml
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V3.1//EN" [
<!ENTITY RHNPROXY "Spacewalk Proxy Server">
<!ENTITY SCRIPTCOMMAND "configure-proxy.sh">
]>
<refentry>
<RefMeta>
<RefEntryTitle>&SCRIPTCOMMAND;</RefEntryTitle><manvolnum>8</manvolnum>
<RefMiscInfo>Version 1.6</RefMiscInfo>
</RefMeta>
<RefNameDiv>
<RefName><command>&SCRIPTCOMMAND;</command></RefName>
<RefPurpose>
Configures and activates &RHNPROXY;.
</RefPurpose>
</RefNameDiv>
<RefSynopsisDiv>
<Synopsis>
<cmdsynopsis>
<command>&SCRIPTCOMMAND;</command>
<arg>options <replaceable>...</replaceable></arg>
</cmdsynopsis>
</Synopsis>
</RefSynopsisDiv>
<RefSect1><Title>Description</Title>
<para>
This script asks all necessary questions to configure &RHNPROXY;
and then deploys configuration files and activates the &RHNPROXY;.
</para>
<para>
You may run this script without any parameters, in which case you are asked for each value interactively.
Alternatively, you may set variables in an answer file or set the options on the command line. See section Answer File for more info.
</para>
</RefSect1>
<RefSect1><Title>Options</Title>
<variablelist>
<varlistentry>
<term>--answer-file</term>
<listitem>
<para>Indicates the location of an answer file to be used for answering
questions asked during the installation process. See section Answer File for more details.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h, --help</term>
<listitem>
<para>Display the help screen with a list of options.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--non-interactive</term>
<listitem>
<para>For use only with --answer-file. If the --answer-file doesn't
provide a required response, the default answer is used.</para>
</listitem>
</varlistentry>
</variablelist>
<para>The following options can also be set in the answer file. See section Answer File.
</para>
<variablelist>
<varlistentry>
<term>--force-own-ca</term>
<listitem>
<para>Do not use the parent CA; force creation of your own.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-password=HTTP_PASSWORD</term>
<listitem>
<para>The password to use for an authenticated proxy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-proxy=HTTP_PROXY</term>
<listitem>
<para>HTTP proxy in host:port format, e.g. squid.redhat.com:3128</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-username=HTTP_USERNAME</term>
<listitem>
<para>The username for an authenticated proxy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--populate-config-channel=Y</term>
<listitem>
<para>Y if a config channel should be created and the configuration files in that channel updated. The configuration channel will be named rhn_proxy_config_${SYSTEM_ID}.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--rhn-password=RHN_PASSWORD</term>
<listitem>
<para>Red Hat Network or Spacewalk password.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--rhn-user=RHN_USER</term>
<listitem>
<para>Red Hat Network or Spacewalk user account.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-build-dir=SSL_BUILD_DIR</term>
<listitem>
<para>The directory where we build SSL certificate. Default is /root/ssl-build.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-city=SSL_CITY</term>
<listitem>
<para>City to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-cname=SSL_CNAME</term>
<listitem>
<para>Cname alias of machine. This will allow you to generate multihost SSL certificate.
Can be specified multiple times.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-common=SSL_COMMON</term>
<listitem>
<para>Common name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-country=SSL_COUNTRY</term>
<listitem>
<para>Two-letter country code to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-email=SSL_EMAIL</term>
<listitem>
<para>Email to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-org=SSL_ORG</term>
<listitem>
<para>Organization name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-orgunit=SSL_ORGUNIT</term>
<listitem>
<para>Organization unit name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-password=SSL_PASSWORD</term>
<listitem>
<para>Password to be used for SSL CA certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-state=SSL_STATE</term>
<listitem>
<para>State to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--start-services=START</term>
<listitem>
<para>1 or Y to start all services after configuration. This is default.</para>
<para>0 or N to not start services after configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--traceback-email=TRACEBACK_EMAIL</term>
<listitem>
<para>Email to which tracebacks should be sent.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-use-existing-certs=USE_EXISTING_CERTS</term>
<listitem>
<para>Use custom SSL certificates instead of generating new ones (use --ssl-ca-cert, --ssl-server-key and --ssl-server-cert parameters or corresponding variables to specify paths).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-ca-cert=CA_CERT</term>
<listitem>
<para>(If --ssl-use-existing-certs=1) use a custom CA certificate from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-server-key=SERVER_KEY</term>
<listitem>
<para>(If --ssl-use-existing-certs=1) use a server private SSL key from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ssl-server-cert=SERVER_CERT</term>
<listitem>
<para>(If --ssl-use-existing-certs=1) use a server public SSL certificate from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--version=VERSION</term>
<listitem>
<para>Version of Spacewalk Proxy Server you want to activate.</para>
</listitem>
</varlistentry>
</variablelist>
</RefSect1>
<RefSect1><Title>Answer File</Title>
<para>The answer file is interpreted as a normal shell script. The following variables can be set there:</para>
<variablelist>
<varlistentry>
<term>VERSION</term>
<listitem>
<para>Version of &RHNPROXY; you want to activate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RHN_PASSWORD</term>
<listitem>
<para>Red Hat Network or Spacewalk password.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>RHN_USER</term>
<listitem>
<para>Red Hat Network or Spacewalk user account.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>TRACEBACK_EMAIL</term>
<listitem>
<para>Email to which tracebacks should be sent.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>USE_EXISTING_CERTS</term>
<listitem>
<para>Use custom SSL certificates instead of generating new ones (use CA_CERT, SERVER_KEY and SERVER_CERT variables to specify paths).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>CA_CERT</term>
<listitem>
<para>(If USE_EXISTING_CERTS=1) use a custom CA certificate from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SERVER_KEY</term>
<listitem>
<para>(If USE_EXISTING_CERTS=1) use a server private SSL key from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SERVER_CERT</term>
<listitem>
<para>(If USE_EXISTING_CERTS=1) use a server public SSL certificate from the given file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>FORCE_OWN_CA</term>
<listitem>
<para>Do not use the parent CA; force creation of your own.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HTTP_PROXY</term>
<listitem>
<para>HTTP proxy in host:port format, e.g. squid.redhat.com:3128</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HTTP_USERNAME</term>
<listitem>
<para>The username for an authenticated proxy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>HTTP_PASSWORD</term>
<listitem>
<para>The password to use for an authenticated proxy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_BUILD_DIR</term>
<listitem>
<para>The directory where we build SSL certificate. Default is /root/ssl-build.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_CNAME</term>
<listitem>
<para>Cname alias of machine. This will allow you to generate multihost SSL certificate.
Has to be specified in format: (cname.alias.com cname.alias2.com ...)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_ORG</term>
<listitem>
<para>Organization name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_ORGUNIT</term>
<listitem>
<para>Organization unit name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_COMMON</term>
<listitem>
<para>Common name to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_CITY</term>
<listitem>
<para>City to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_STATE</term>
<listitem>
<para>State to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_COUNTRY</term>
<listitem>
<para>Two-letter country code to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_EMAIL</term>
<listitem>
<para>Email to be used in SSL certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>SSL_PASSWORD</term>
<listitem>
<para>Password to be used for SSL CA certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>START_SERVICES</term>
<listitem>
<para>1 or Y to start all services after configuration. This is default.</para>
<para>0 or N to not start services after configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>POPULATE_CONFIG_CHANNEL</term>
<listitem>
<para>Y if a config channel should be created and the configuration files in that channel updated.
The configuration channel will be named rhn_proxy_config_${SYSTEM_ID}.</para>
</listitem>
</varlistentry>
</variablelist>
</RefSect1>
<RefSect1><Title>See Also</Title>
<simplelist>
<member>rhn-proxy-activate(8)</member>
</simplelist>
</RefSect1>
<RefSect1><Title>Authors</Title>
<simplelist>
<member>Miroslav Suchý <email>msuchy@redhat.com</email></member>
</simplelist>
</RefSect1>
</RefEntry>
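The man page above states that the answer file is interpreted as a normal shell script and that it can carry RHN_PASSWORD, HTTP_PASSWORD and SSL_PASSWORD, so anyone who can write to it can run commands as the user running configure-proxy.sh, and anyone who can read it learns the passwords. The following is an added example, not part of the spacewalk-proxy-installer package: a pre-flight check with the hypothetical helper names `answer_file_is_safe` and `load_answer_file`, run against a constructed throw-away file.

```shell
#!/bin/sh
# Added example, not part of the spacewalk-proxy-installer package.
# answer_file_is_safe and load_answer_file are hypothetical helper names.

# Succeed only if FILE is a regular file (not a symlink), is owned by
# OWNER_UID (default: the invoking user, which is root when
# configure-proxy.sh is run), and has no permission bits set for group
# or others.
answer_file_is_safe() (
    file=$1
    owner=${2:-$(id -u)}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file" >&2; exit 1
    fi
    set -f                            # no globbing while splitting ls output
    set -- $(ls -ldn -- "$file")      # <mode> <links> <uid> <gid> ...
    mode=$1
    uid=$3
    if [ "$uid" != "$owner" ]; then
        echo "$file: owned by uid $uid, expected $owner" >&2; exit 1
    fi
    case $mode in
        ????------*) ;;               # group and other bits are all clear
        *) echo "$file: mode $mode grants access to group or others" >&2
           exit 1 ;;
    esac
)

# Source the answer file only after the check passes.
load_answer_file() {
    answer_file_is_safe "$1" || return 1
    case $1 in
        */*) . "$1" ;;
        *)   . "./$1" ;;              # keep "." from searching PATH
    esac
}

# Constructed demonstration with a throw-away answer file.
demo_dir=$(mktemp -d)
printf 'HTTP_PROXY=proxy.example.com:3128\nSTART_SERVICES=0\n' > "$demo_dir/answers"
chmod 0644 "$demo_dir/answers"
load_answer_file "$demo_dir/answers" 2>/dev/null || echo "rejected while world-readable"
chmod 0600 "$demo_dir/answers"
load_answer_file "$demo_dir/answers" && echo "loaded: HTTP_PROXY=$HTTP_PROXY"
rm -rf "$demo_dir"
```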
07070100000007000081B4000000000000000000000001670D22FD00000800000000000000000000000000000000000000002F00000000spacewalk-proxy-installer/fetch-certificate.py
#pylint: disable=invalid-name
import os
import sys
import argparse

RETRIES = 20
WAIT_RESPONSE = 10
REQUEST_TAG = 'suse/systemid/generate'
RESPONSE_TAG = 'suse/systemid/generated'

if __name__ == "__main__":
    try:
        import salt.config
        import salt.utils.event
    except ImportError as err:
        print("Unable to use Salt on this machine. Assuming traditional client.")
        sys.exit(0)

    parser = argparse.ArgumentParser()
    parser.add_argument('destination', default='/etc/sysconfig/rhn/systemid')
    args = parser.parse_args()

    if os.path.exists('/etc/venv-salt-minion/minion'):
        opts = salt.config.minion_config('/etc/venv-salt-minion/minion', cache_minion_id=True)
    else:
        opts = salt.config.minion_config('/etc/salt/minion', cache_minion_id=True)

    if not os.path.isdir(os.path.dirname(args.destination)):
        print("There is a problem with the provided destination.")
        sys.exit(1)

    event = salt.utils.event.get_event(
        'minion',
        sock_dir=opts['sock_dir'],
        transport=opts['transport'],
        listen=True,
        opts=opts)
    event.subscribe(tag=RESPONSE_TAG, match_type='fnmatch')

    for idx in range(RETRIES):
        print("Requesting certificate from server. [{0}/{1}]".format(idx+1, RETRIES))
        event.fire_master({}, REQUEST_TAG)  # send event to master
        data = event.get_event(
            full=False, auto_reconnect=True, no_block=False, match_type='fnmatch', tag=RESPONSE_TAG, wait=WAIT_RESPONSE)
        if data:
            try:
                with open(args.destination, 'wb') as _file:
                    _file.write(data['data'].encode('utf8'))
                print("Certificate saved to: {0}".format(args.destination))
            except Exception as ex:  # pylint: disable=broad-except
                # Python 3 exceptions have no .message attribute; use str(ex)
                print("Unable to write to destination: " + str(ex))
                sys.exit(1)
            sys.exit(0)

    print("Certificate not received from server. Exit.")
    sys.exit(1)
07070100000008000081B4000000000000000000000001670D22FD00000143000000000000000000000000000000000000002D00000000spacewalk-proxy-installer/get_system_id.xslt
<?xml version="1.0" ?>
<xsl:stylesheet
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
version="1.0">
<xsl:output method="text"/>
<xsl:template match="/">
<xsl:value-of select="/params/param/value/struct/member[name/text()='system_id']/value"/>
<xsl:text></xsl:text>
</xsl:template>
</xsl:stylesheet>
07070100000009000081B4000000000000000000000001670D22FD00000081000000000000000000000000000000000000002E00000000spacewalk-proxy-installer/insights-proxy.conf
ProxyPass /redhat_access $PROTO://$RHN_PARENT/redhat_access
ProxyPassReverse /redhat_access $PROTO://$RHN_PARENT/redhat_access
0707010000000A000081B4000000000000000000000001670D22FD00001397000000000000000000000000000000000000002300000000spacewalk-proxy-installer/pylintrc
# installer package pylint configuration
[MASTER]
# Profiled execution.
profile=no
# Pickle collected data for later comparisons.
persistent=no
[MESSAGES CONTROL]
# Disable the message(s) with the given id(s).
disable=I0011,
    C0302,
    C0111,
    R0801,
    R0902,
    R0903,
    R0904,
    R0912,
    R0913,
    R0914,
    R0915,
    R0921,
    R0922,
    W0142,
    W0403,
    W0603,
    C1001,
    W0121,
    useless-else-on-loop,
    bad-whitespace,
    unpacking-non-sequence,
    superfluous-parens,
    cyclic-import,
    redefined-variable-type,
    no-else-return,
    # Uyuni disabled
    E0203,
    E0611,
    E1101,
    E1102
# list of disabled messages:
#I0011: 62: Locally disabling R0201
#C0302: 1: Too many lines in module (2425)
#C0111: 1: Missing docstring
#R0902: 19:RequestedChannels: Too many instance attributes (9/7)
#R0903: Too few public methods
#R0904: 26:Transport: Too many public methods (22/20)
#R0912:171:set_slots_from_cert: Too many branches (59/20)
#R0913:101:GETServer.__init__: Too many arguments (11/10)
#R0914:171:set_slots_from_cert: Too many local variables (38/20)
#R0915:171:set_slots_from_cert: Too many statements (169/50)
#W0142:228:MPM_Package.write: Used * or ** magic
#W0403: 28: Relative import 'rhnLog', should be 'backend.common.rhnLog'
#W0603: 72:initLOG: Using the global statement
# for pylint-1.0 we also disable
#C1001: 46, 0: Old-style class defined. (old-style-class)
#W0121: 33,16: Use raise ErrorClass(args) instead of raise ErrorClass, args. (old-raise-syntax)
#W:243, 8: Else clause on loop without a break statement (useless-else-on-loop)
# pylint-1.1 checks
#C:334, 0: No space allowed after bracket (bad-whitespace)
#W:162, 8: Attempting to unpack a non-sequence defined at line 6 of (unpacking-non-sequence)
#C: 37, 0: Unnecessary parens after 'not' keyword (superfluous-parens)
#C:301, 0: Unnecessary parens after 'if' keyword (superfluous-parens)
[REPORTS]
# Set the output format. Available formats are text, parseable, colorized, msvs
# (visual studio) and html
output-format=parseable
# Include message's id in output
include-ids=yes
# Tells whether to display a full report or only the messages
reports=yes
# Template used to display messages. This is a python new-style format string
# used to format the message information. See doc for all details
msg-template="{path}:{line}: [{msg_id}({symbol}), {obj}] {msg}"
[VARIABLES]
# A regular expression matching names used for dummy variables (i.e. not used).
dummy-variables-rgx=_|dummy
[BASIC]
# Regular expression which should only match correct module names
#module-rgx=(([a-z_][a-z0-9_]*)|([A-Z][a-zA-Z0-9]+))$
module-rgx=([a-zA-Z_][a-zA-Z0-9_]+)$
# Regular expression which should only match correct module level names
const-rgx=(([a-zA-Z_][a-zA-Z0-9_]*)|(__.*__))$
# Regular expression which should only match correct class names
class-rgx=[a-zA-Z_][a-zA-Z0-9_]+$
# Regular expression which should only match correct function names
function-rgx=[a-z_][a-zA-Z0-9_]{,42}$
# Regular expression which should only match correct method names
method-rgx=[a-z_][a-zA-Z0-9_]{,42}$
# Regular expression which should only match correct instance attribute names
attr-rgx=[a-z_][a-zA-Z0-9_]{,30}$
# Regular expression which should only match correct argument names
argument-rgx=[a-z_][a-zA-Z0-9_]{,30}$
# Regular expression which should only match correct variable names
variable-rgx=[a-z_][a-zA-Z0-9_]{,30}$
# Regular expression which should only match correct list comprehension /
# generator expression variable names
inlinevar-rgx=[A-Za-z_][A-Za-z0-9_]*$
# Regular expression which should only match correct class attribute names
class-attribute-rgx=([A-Za-z_][A-Za-z0-9_]{2,42}|(__.*__))$
# Good variable names which should always be accepted, separated by a comma
good-names=i,j,k,ex,Run,_
# Bad variable names which should always be refused, separated by a comma
bad-names=foo,bar,baz,toto,tutu,tata
# List of builtins function names that should not be used, separated by a comma
bad-functions=apply,input
[DESIGN]
# Maximum number of arguments for function / method
max-args=10
# Maximum number of locals for function / method body
max-locals=20
# Maximum number of return / yield for function / method body
max-returns=6
# Maximum number of branch for function / method body
max-branchs=20
# Maximum number of statements in function / method body
max-statements=50
# Maximum number of parents for a class (see R0901).
max-parents=7
# Maximum number of attributes for a class (see R0902).
max-attributes=7
# Minimum number of public methods for a class (see R0903).
min-public-methods=1
# Maximum number of public methods for a class (see R0904).
max-public-methods=20
[CLASSES]
[FORMAT]
# Maximum number of characters on a single line.
max-line-length=120
# Maximum number of lines in a module
max-module-lines=1000
# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1
# tab).
indent-string=' '
[MISCELLANEOUS]
# List of note tags to take in consideration, separated by a comma.
notes=
0707010000000B000081B4000000000000000000000001670D22FD000046D8000000000000000000000000000000000000003000000000spacewalk-proxy-installer/rhn-proxy-activate.py
#!/usr/bin/python -u
#
# Copyright (c) 2008--2017 Red Hat, Inc.
#
# This software is licensed to you under the GNU General Public License,
# version 2 (GPLv2). There is NO WARRANTY for this software, express or
# implied, including the implied warranties of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. You should have received a copy of GPLv2
# along with this software; if not, see
# http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt.
#
# Red Hat trademarks are not licensed under GPLv2. No permission is
# granted to use or replicate Red Hat trademarks that are incorporated
# in this software or its documentation.
#
""" Activate a Spacewalk Proxy
USAGE: ./rhn-proxy-activate
Author: Todd Warner <taw@redhat.com>
NOTE: this file is compatible with Spacewalk Proxies 4.0. It is not guaranteed to
work with older Spacewalk Proxies.
"""
# pylint: disable=E1101, invalid-name
# core lang imports
import os
import sys
import socket
try:  # python 2
    import urlparse
    import xmlrpclib
except ImportError:  # python3
    # pylint: disable=F0401,E0611,redefined-builtin
    import urllib.parse as urlparse
    import xmlrpc.client as xmlrpclib
    raw_input = input
# lib imports
from optparse import Option, OptionParser # pylint: disable=deprecated-module
from rhn import rpclib, SSL
from up2date_client import config # pylint: disable=E0012, C0413
DEFAULT_WEBRPC_HANDLER_v3_x = '/rpc/api'
def getSystemId(cfg):
    """ returns content of systemid file """
    path = cfg['systemIdPath']
    if not os.access(path, os.R_OK):
        return None
    return open(path, "r").read()


def getServer(options, handler):
    """ get an rpclib.Server object. NOTE: proxy is an HTTP proxy """
    serverUrl = 'https://' + options.server + handler
    s = None
    if options.http_proxy:
        s = rpclib.Server(serverUrl,
                          proxy=options.http_proxy,
                          username=options.http_proxy_username,
                          password=options.http_proxy_password)
    else:
        s = rpclib.Server(serverUrl)
    if options.ca_cert:
        s.add_trusted_cert(options.ca_cert)
    return s
def _getProtocolError(e, hostname=''):
    """
    Based on error, returns couple:
    10 connection issues?
    44 host not found
    47 http proxy authentication failure
    """
    if hostname:
        hostname = ': %s' % hostname
    if e.errcode == 407:
        return 47, "ERROR: http proxy authentication required"
    if e.errcode == 404:
        return 44, "ERROR: host not found%s" % hostname
    return 10, "ERROR: connection issues? %s" % repr(e)


def _getSocketError(e, hostname=''):
    """
    Based on error, returns couple:
    10 connection issues?
    11 hostname unresolvable
    12 connection refused
    """
    if hostname:
        hostname = ': %s' % hostname
    if 'host not found' in e.args:
        return 11, 'ERROR: hostname could not be resolved%s' % hostname
    if 'connection refused' in e.args:
        return 12, 'ERROR: "connection refused"%s' % hostname
    return 10, "ERROR: connection issues? %s" % repr(e)
def _getActivationError(e):
    """ common error strings dependent upon faultString
    1 general
    2 proxy_invalid_systemid
    4 proxy_no_management_entitlements
    5 proxy_no_enterprise_entitlements
    6 proxy_no_channel_entitlements
    7 proxy_no_proxy_child_channel
    8 proxy_not_activated
    """
    errorString = ''
    errorCode = 1
    if e.faultString.find('proxy_invalid_systemid') != -1:
        errorString = ("this server does not seem to be registered or "
                       "/etc/sysconfig/rhn/systemid is corrupt.")
        errorCode = 2
    elif e.faultString.find('proxy_no_management_entitlements') != -1:
        errorString = ("no Management entitlements available. There must be "
                       "at least one free Management/Provisioning slot "
                       "available in your SCC account.")
        errorCode = 4
    elif e.faultString.find('proxy_no_enterprise_entitlements') != -1:
        # legacy error message
        errorString = ("no Management entitlements available. There must be "
                       "at least one free Management/Provisioning slot "
                       "available in your SCC account.")
        errorCode = 5
    elif e.faultString.find('proxy_no_channel_entitlements') != -1:
        errorString = ("no SUSE Manager Proxy entitlements available. There must be "
                       "at least one free SUSE Manager Proxy entitlement "
                       "available in your SCC account.")
        errorCode = 6
    elif e.faultString.find('proxy_no_proxy_child_channel') != -1:
        errorString = ("no SUSE Manager Proxy entitlements available for this "
                       "server's version (or requested version) of SUSE Linux "
                       "Enterprise Server.")
        errorCode = 7
    elif e.faultString.find('proxy_not_activated') != -1:
        errorString = "this server not an activated SUSE Manager Proxy yet."
        errorCode = 8
    else:
        errorString = "unknown error - %s" % str(e)
        errorCode = 1
    return errorCode, errorString
def _errorHandler(pre='', post=''):
    """
    NOTE: only currently called if within an exception block.
    1 general
    2 proxy_invalid_systemid
    4 proxy_no_management_entitlements
    5 proxy_no_enterprise_entitlements
    6 proxy_no_channel_entitlements
    7 proxy_no_proxy_child_channel
    8 proxy_not_activated
    10 connection issues?
    11 hostname unresolvable
    12 connection refused
    13 SSL connection failed
    44 host not found
    47 http proxy authentication failure
    """
    try:
        raise  # pylint: disable=bad-option-value, misplaced-bare-raise
    except (SystemExit, KeyboardInterrupt, NameError, TypeError,
            ValueError):
        raise
    except Exception:  # pylint: disable=E0012, W0703
        errorCode = 1
        errorString = pre
        try:
            raise
        except xmlrpclib.ProtocolError as e:
            errorCode, s = _getProtocolError(e)
            errorString = errorString + s
        except socket.error as e:
            errorCode, s = _getSocketError(e)
            errorString = errorString + s
        except xmlrpclib.Fault as e:
            errorCode, errorString = _getActivationError(e)
        except SSL.SSL.SSLError as e:
            errorCode = 13
            errorString = "ERROR: failed SSL connection - bad or expired cert?"
        except Exception as e:  # pylint: disable=E0012, W0703
            e0, e1 = str(e), repr(e)
            # start from an empty string so s is defined when str(e) is empty
            s = ''
            if e0:
                s = "(%s)" % e0
            if s and e1:
                s = s + ', '
            if e1:
                s = s + "(%s)" % e1
            errorString = errorString + "ERROR: unknown exception: %s" % s
        errorString = errorString + post
        return errorCode, errorString
def resolveHostnamePort(hostnamePort=''):
    """ hostname:port sanity check """
    hostname = urlparse.urlparse(hostnamePort)[1].split(':')
    port = ''
    if len(hostname) > 1:
        hostname, port = hostname[:2]
    else:
        hostname = hostname[0]

    if port:
        try:
            x = int(port)
            if str(x) != port:
                raise ValueError('should be an integer: %s' % port)
        except ValueError:
            sys.stderr.write("ERROR: the port setting is not an integer: %s\n" % port)
            sys.exit(1)

    if hostname:
        try:
            socket.getaddrinfo(hostname, None)
        except:  # pylint: disable=W0702
            errorCode, errorString = _errorHandler()
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
def activateProxy_api_v3_x(options, cfg):
    """ API version 3.*, 4.* - deactivate, then activate
    """
    (errorCode, errorString) = _deactivateProxy_api_v3_x(options, cfg)
    if errorCode == 0:
        (errorCode, errorString) = _activateProxy_api_v3_x(options, cfg)
    return (errorCode, errorString)
def _deactivateProxy_api_v3_x(options, cfg):
    """ Deactivate this machine as Proxy """
    s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''
    try:
        if not s.proxy.is_proxy(systemid):
            # if system is not proxy, we do not need to deactivate it
            return (errorCode, errorString)
    except:  # pylint: disable=W0702
        # the API does not implement proxy.is_proxy, or it is hosted:
        # ignore the error and try to deactivate
        pass
    try:
        s.proxy.deactivate_proxy(systemid)  # proxy 3.0+ API
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except xmlrpclib.Fault:
            if errorCode == 8:
                # fine. We weren't activated yet.
                # noop and look like a success
                errorCode = 0
            else:
                errorString = "WARNING: upon deactivation attempt: %s" % errorString
                sys.stderr.write("%s\n" % errorString)
        except SSL.SSL.SSLError:
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.ProtocolError, socket.error):
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except:
            errorString = "ERROR: upon deactivation attempt (something unexpected): %s" % errorString
            return errorCode, errorString
    else:
        errorCode = 0
        if not options.quiet:
            sys.stdout.write("SUSE Manager Proxy successfully deactivated.\n")
    return (errorCode, errorString)
def _activateProxy_api_v3_x(options, cfg):
    """ Activate this machine as Proxy.

        Does not check whether it has already been activated. For that
        case use the activateProxy_api_v3_x method instead.
    """
    s = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''
    try:
        s.proxy.activate_proxy(systemid, str(options.version))
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except SSL.SSL.SSLError:
            # let's force a system exit for this one.
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.ProtocolError, socket.error):
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
        except (xmlrpclib.Fault, Exception):  # pylint: disable=E0012, W0703
            # let's force a slight change in messaging for this one.
            errorString = "ERROR: upon entitlement/activation attempt: %s" % errorString
        except:
            errorString = "ERROR: upon activation attempt (something unexpected): %s" % errorString
            return errorCode, errorString
    else:
        errorCode = 0
        if not options.quiet:
            sys.stdout.write("SUSE Manager Proxy successfully activated.\n")
    return (errorCode, errorString)
def activateProxy(options, cfg):
    """ Activate proxy. Decide how to do it upon apiVersion. Currently we
        support only API v.3.1+. Support for 3.0 and older has been removed.
    """
    # errorCode == 0 means activated!
    errorCode, errorString = activateProxy_api_v3_x(options, cfg)

    if errorCode != 0:
        if not errorString:
            errorString = ("An unknown error occurred. Consult with your SUSE representative.\n")
        sys.stderr.write("\nThere was a problem activating the SUSE Manager Proxy entitlement:\n%s\n" % errorString)
        sys.exit(abs(errorCode))
def listAvailableProxyChannels(options, cfg):
    """ return list of versions available to this system """
    server = getServer(options, DEFAULT_WEBRPC_HANDLER_v3_x)
    systemid = getSystemId(cfg)

    errorCode, errorString = 0, ''
    channel_list = []
    try:
        channel_list = server.proxy.list_available_proxy_channels(systemid)
    except:  # pylint: disable=W0702
        errorCode, errorString = _errorHandler()
        try:
            raise
        except:
            # let's force a system exit for this one.
            sys.stderr.write(errorString + '\n')
            sys.exit(errorCode)
    else:
        errorCode = 0
        if not options.quiet and channel_list:
            sys.stdout.write("\n".join(channel_list) + "\n")
def processCommandline(cfg):
    up2date_cfg = dict(cfg.items())

    if isinstance(up2date_cfg['serverURL'], type([])):
        rhn_parent = urlparse.urlparse(up2date_cfg['serverURL'][0])[1]
    else:
        rhn_parent = urlparse.urlparse(up2date_cfg['serverURL'])[1]

    httpProxy = urlparse.urlparse(up2date_cfg['httpProxy'])[1]
    httpProxyUsername = up2date_cfg['proxyUser']
    httpProxyPassword = up2date_cfg['proxyPassword']

    # credentials are only meaningful together with a proxy / a username
    if not httpProxy:
        httpProxyUsername, httpProxyPassword = '', ''
    if not httpProxyUsername:
        httpProxyPassword = ''
    ca_cert = ''
    defaultVersion = '5.2'

    # parse options
    # NOTE: the help text of --http-proxy-password embeds the configured
    # default, so `--help` prints the stored proxy password in clear text.
    optionsTable = [
        Option('-s', '--server', action='store', default=rhn_parent,
               help="alternative server hostname to connect to, default is %s" % repr(rhn_parent)),
        Option('--http-proxy', action='store', default=httpProxy,
               help="alternative HTTP proxy to connect to (HOSTNAME:PORT), default is %s" % repr(httpProxy)),
        Option('--http-proxy-username', action='store', default=httpProxyUsername,
               help="alternative HTTP proxy username, default is %s" % repr(httpProxyUsername)),
        Option('--http-proxy-password', action='store', default=httpProxyPassword,
               help="alternative HTTP proxy password, default is %s" % repr(httpProxyPassword)),
        Option('--ca-cert', action='store', default=ca_cert,
               help="alternative SSL certificate to use, default is %s" % repr(ca_cert)),
        Option('--version', action='store', default=defaultVersion,
               help='which X.Y version of the SUSE Manager Proxy are you upgrading to?' +
               ' Default is your current proxy version (' + defaultVersion + ')'),
        Option('--deactivate', action='store_true',
               help='deactivate proxy, if already activated'),
        Option('-l', '--list-available-versions', action='store_true',
               help='print list of versions available to this system'),
        Option('--non-interactive', action='store_true',
               help='non-interactive mode'),
        Option('-q', '--quiet', action='store_true',
               help='quiet non-interactive mode.'),
    ]
    parser = OptionParser(option_list=optionsTable)
    options, _args = parser.parse_args()

    if options.server:
        if options.server.find('http') != 0:
            options.server = 'https://' + options.server
        options.server = urlparse.urlparse(options.server)[1]

    if not options.http_proxy:
        options.http_proxy_username, options.http_proxy_password = '', ''

    if not options.http_proxy_username:
        options.http_proxy_password = ''
    exploded_version = options.version.split('.')
    # Pad it to be at least 2 components
    if len(exploded_version) == 1:
        exploded_version.append('0')

    # Make it a string
    options.version = '.'.join(exploded_version[:2])

    if options.quiet:
        options.non_interactive = 1

    return options
def yn(prompt):
    """ returns 0 if 'n', and 1 if 'y' """
    _yn = ''
    while _yn == '':
        _yn = raw_input(prompt)
        if _yn and _yn[0].lower() not in ('y', 'n'):
            _yn = ''
    return _yn[0].lower() == 'y'
def main():
    """
        0 success
        1 general
        2 proxy_invalid_systemid
        4 proxy_no_management_entitlements
        5 proxy_no_enterprise_entitlements
        6 proxy_no_channel_entitlements
        7 proxy_no_proxy_child_channel
        8 proxy_not_activated
        10 connection issues?
        11 hostname unresolvable
        12 connection refused
        13 SSL connection failed
        44 host not found
        47 http proxy authentication failure
    """
    cfg = config.initUp2dateConfig()
    options = processCommandline(cfg)

    if options.list_available_versions:
        resolveHostnamePort(options.http_proxy)
        if not options.http_proxy:
            resolveHostnamePort(options.server)
        listAvailableProxyChannels(options, cfg)
        sys.exit(0)

    if not options.non_interactive:
        # NOTE: this confirmation block echoes the HTTP proxy password to
        # the terminal in clear text.
        print("\n"
              "--server (RHN parent): %s\n"
              "--http-proxy: %s\n"
              "--http-proxy-username: %s\n"
              "--http-proxy-password: %s\n"
              "--ca-cert: %s\n"
              "--version: %s\n"
              % (options.server, options.http_proxy,
                 options.http_proxy_username, options.http_proxy_password,
                 options.ca_cert, options.version))
        if not yn("Are you sure about these options? y/n: "):
            return 0

    # early checks
    resolveHostnamePort(options.http_proxy)
    if not options.http_proxy:
        resolveHostnamePort(options.server)

    if options.deactivate:
        _deactivateProxy_api_v3_x(options, cfg)
    else:
        # ACTIVATE!!!!!!!!
        activateProxy(options, cfg)
    return 0
if __name__ == '__main__':
    try:
        sys.exit(abs(main() or 0))
    except KeyboardInterrupt:
        sys.stderr.write("\nUser interrupted process.\n")
        sys.exit(0)
    except SystemExit:
        raise
    except:
        sys.stderr.write("\nERROR: unhandled exception occurred:\n")
        raise
0707010000000C000081B4000000000000000000000001670D22FD00001551000000000000000000000000000000000000003200000000spacewalk-proxy-installer/rhn-proxy-activate.sgml
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V3.1//EN" [
<!ENTITY RHNPROXY "Spacewalk Proxy Server">
<!ENTITY SCRIPTNAME "Spacewalk Proxy Activate script">
<!ENTITY SCRIPTCOMMAND "rhn-proxy-activate">
]>
<refentry>
<RefMeta>
<RefEntryTitle>&SCRIPTCOMMAND;</RefEntryTitle><manvolnum>8</manvolnum>
<RefMiscInfo>Version 3.7</RefMiscInfo>
</RefMeta>
<RefNameDiv>
<RefName><command>&SCRIPTCOMMAND;</command></RefName>
<RefPurpose>
Use the WebUI to activate your &RHNPROXY; product. This command
should only be used under the direction of Red Hat personnel.
This script allows an admin to activate a Spacewalk Proxy via the
command line.
</RefPurpose>
</RefNameDiv>
<RefSynopsisDiv>
<Synopsis>
<cmdsynopsis>
<command>&SCRIPTCOMMAND;</command>
<arg><replaceable>command</replaceable></arg>
<arg>options <replaceable>...</replaceable></arg>
<arg>-s<replaceable>HOSTNAME</replaceable></arg>
<arg>--server=<replaceable>HOSTNAME</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--http-proxy=<replaceable>HTTP_PROXY_HOSTNAME:PORT</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--http-proxy-username=<replaceable>HTTP_PROXY_USERNAME</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--http-proxy-password=<replaceable>HTTP_PROXY_PASSWORD</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--ca-cert=<replaceable>CA_CERTIFICATE</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--version=<replaceable>RHN_PROXY_VERSION</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg>--non-interactive</arg>
<arg>-q</arg>
<arg>--quiet</arg>
</cmdsynopsis>
</Synopsis>
</RefSynopsisDiv>
<RefSect1><Title>Description</Title>
<para>
Use the WebUI to activate your &RHNPROXY; product. This command
should only be used under the direction of Red Hat personnel.
The &SCRIPTNAME; (<emphasis>&SCRIPTCOMMAND;</emphasis>) is a
utility that will activate a &RHNPROXY; from the command line of
the Spacewalk Proxy itself.
</para>
<para>
Without any command specified, this script will activate the Spacewalk Proxy.
For other possibilities, see the COMMANDS section.
</para>
</RefSect1>
<RefSect1><Title>COMMANDS</Title>
<variablelist>
<varlistentry>
<term>-l, --list-available-versions</term>
<listitem>
<para>List available versions of Spacewalk Proxy on parent.</para>
</listitem>
</varlistentry>
</variablelist>
</RefSect1>
<RefSect1><Title>Options</Title>
<variablelist>
<varlistentry>
<term>-h, --help</term>
<listitem>
<para>Display the help screen with a list of options.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s<replaceable>HOSTNAME</replaceable>,
--server=<replaceable>HOSTNAME</replaceable></term>
<listitem>
<para>Parent of this &RHNPROXY;: either RHN Classic, a
Red Hat Satellite, or another Spacewalk Proxy.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-proxy=<replaceable>HOSTNAME:PORT</replaceable></term>
<listitem>
<para>alternative http proxy (hostname:port)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-proxy-username=<replaceable>USERNAME</replaceable></term>
<listitem>
<para>alternative http proxy username</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--http-proxy-password=<replaceable>PASSWORD</replaceable></term>
<listitem>
<para>alternative http proxy password</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--ca-cert=<replaceable>SSL_CA_CERT_FULL_PATH</replaceable></term>
<listitem>
<para>alternative SSL CA Cert (fullpath to cert file)</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--version=<replaceable>RHN_PROXY_VERSION</replaceable></term>
<listitem>
<para>version of your &RHNPROXY;. Be very careful with this setting. Example: 3.2</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l,
--list-available-versions</term>
<listitem>
<para>print list of versions of proxy channels available to this system (i.e. which versions you can activate) and exit.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>--non-interactive</term>
<listitem>
<para>Non-interactive mode. You won't be asked to confirm
your selections.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-q, --quiet</term>
<listitem>
<para>Quiet and non-interactive mode. You won't be asked to confirm
your selections and you won't see any output.</para>
</listitem>
</varlistentry>
</variablelist>
</RefSect1>
<RefSect1><Title>See Also</Title>
<simplelist>
<member>rhn_package_manager(8)</member>
<member>rhn-proxy(8)</member>
<member>configure-proxy.sh(8)</member>
</simplelist>
</RefSect1>
<RefSect1><Title>Authors</Title>
<simplelist>
<member>Todd Warner <email>taw@redhat.com</email></member>
<member>Miroslav Suchy <email>msuchy@redhat.com</email></member>
</simplelist>
</RefSect1>
</RefEntry>
0707010000000D000081B4000000000000000000000001670D22FD00000335000000000000000000000000000000000000002300000000spacewalk-proxy-installer/rhn.conf
# Automatically generated Spacewalk Proxy Server configuration file.
# -------------------------------------------------------------------------
# SSL CA certificate location
proxy.ca_chain = ${session.ca_chain:/usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT}
# Corporate HTTP proxy, format: corp_gateway.example.com:8080
proxy.http_proxy = ${session.http_proxy}
# Username for that corporate HTTP proxy
proxy.http_proxy_username = ${session.http_proxy_username}
# Password for that corporate HTTP proxy
proxy.http_proxy_password = ${session.http_proxy_password}
# Location of locally built, custom packages
proxy.pkg_dir = /var/spool/rhn-proxy
# Hostname of RHN Classic Server or Red Hat Satellite
proxy.rhn_parent = ${session.rhn_parent}
# Destination of all tracebacks, etc.
traceback_mail = ${session.traceback_mail}
0707010000000E000081B4000000000000000000000001670D22FD00004995000000000000000000000000000000000000003C00000000spacewalk-proxy-installer/spacewalk-proxy-installer.changes
-------------------------------------------------------------------
Mon Oct 14 15:52:57 CEST 2024 - rosuna@suse.com
- version 5.1.1-0
* Bump version to 5.1.0
-------------------------------------------------------------------
Tue Jan 16 08:24:38 CET 2024 - jgonzalez@suse.com
- version 5.0.1-1
* Bump version to 5.0.0
-------------------------------------------------------------------
Fri Dec 15 17:21:47 CET 2023 - rosuna@suse.com
- version 4.4.4-1
* Remove unused makefiles
-------------------------------------------------------------------
Mon Sep 18 14:32:14 CEST 2023 - rosuna@suse.com
- version 4.4.3-1
* remove old provide/obsoletes dependency
* remove dependency on mgr-cfg, which removes the possibility to create config channels for the proxy
* Fix squid refresh_pattern for "venv-enabled-*.txt" files to avoid
serving outdated version of the file (bsc#1211956)
-------------------------------------------------------------------
Wed Dec 14 14:14:01 CET 2022 - jgonzalez@suse.com
- version 4.4.2-1
* remove jabberd and osa-dispatcher
-------------------------------------------------------------------
Wed Sep 28 11:12:52 CEST 2022 - jgonzalez@suse.com
- version 4.4.1-1
* Bump version to 4.4.0
-------------------------------------------------------------------
Wed Jul 27 14:15:33 CEST 2022 - jgonzalez@suse.com
- version 4.3.10-1
* When salt bundle is used, set correct minion ID
-------------------------------------------------------------------
Wed May 04 15:21:09 CEST 2022 - jgonzalez@suse.com
- version 4.3.9-1
* Prefer salt-bundle minion config if available (bsc#1198226)
-------------------------------------------------------------------
Tue Apr 19 12:06:05 CEST 2022 - jgonzalez@suse.com
- version 4.3.8-1
* Configure squid for big images and kernel/initrd files
Part of saltboot containerization workflow
-------------------------------------------------------------------
Fri Mar 11 15:12:16 CET 2022 - jgonzalez@suse.com
- version 4.3.7-1
* Fix changelog format
-------------------------------------------------------------------
Fri Mar 11 14:52:46 CET 2022 - jgonzalez@suse.com
- version 4.3.6-1
* Remove pylint check according to Fedora package guidelines.
-------------------------------------------------------------------
Tue Feb 15 10:04:10 CET 2022 - jgonzalez@suse.com
- version 4.3.5-1
* integrate new TLS Certificate deployment tool
-------------------------------------------------------------------
Tue Jan 18 13:58:09 CET 2022 - jgonzalez@suse.com
- version 4.3.4-1
* Update Squid config only when available
* Remove outdated Squid config cleanup code
-------------------------------------------------------------------
Fri Dec 03 12:25:40 CET 2021 - jgonzalez@suse.com
- version 4.3.3-1
* during setup detect venv-salt-minion
-------------------------------------------------------------------
Fri Nov 05 13:51:44 CET 2021 - jgonzalez@suse.com
- version 4.3.2-1
* use system default for SSLProtocol
-------------------------------------------------------------------
Mon Aug 09 11:02:43 CEST 2021 - jgonzalez@suse.com
- version 4.3.1-1
- Improved for Enterprise Linux build.
- Modified for Pylint pass.
- Removed Python 2 build.
- Add new refresh_pattern to the squid.conf to fix a case where the repodata
was invalid due to being cached (bsc#1186026)
-------------------------------------------------------------------
Wed May 05 16:38:27 CEST 2021 - jgonzalez@suse.com
- version 4.2.4-1
- change deprecated path /var/run into /run for systemd (bsc#1185059)
-------------------------------------------------------------------
Thu Feb 25 12:08:14 CET 2021 - jgonzalez@suse.com
- version 4.2.3-1
- adapt to new SSL implementation of rhnlib (bsc#1181807)
-------------------------------------------------------------------
Wed Jan 27 13:04:41 CET 2021 - jgonzalez@suse.com
- version 4.2.2-1
- drop the --no-ssl option
-------------------------------------------------------------------
Fri Sep 18 11:35:58 CEST 2020 - jgonzalez@suse.com
- version 4.2.1-1
- Update package version to 4.2.0
-------------------------------------------------------------------
Wed May 20 10:56:10 CEST 2020 - jgonzalez@suse.com
- version 4.1.5-1
- do not cache metadata of the bootstrap repositories (bsc#1171169)
-------------------------------------------------------------------
Mon Apr 13 09:34:15 CEST 2020 - jgonzalez@suse.com
- version 4.1.4-1
- move vital proxy templates to a safe place outside of docu (bsc#1166284)
-------------------------------------------------------------------
Mon Feb 17 12:51:37 CET 2020 - jgonzalez@suse.com
- version 4.1.3-1
- remove support for SuSEfirewall2
- use salt master as parent for minion based proxies (bsc#1162129)
-------------------------------------------------------------------
Wed Jan 22 12:12:44 CET 2020 - jgonzalez@suse.com
- version 4.1.2-1
- do not ask for version to activate during proxy configuration (bsc#1140427)
-------------------------------------------------------------------
Wed Nov 27 16:46:47 CET 2019 - jgonzalez@suse.com
- version 4.1.1-1
- Bump version to 4.1.0 (bsc#1154940)
-------------------------------------------------------------------
Wed Jul 31 17:35:39 CEST 2019 - jgonzalez@suse.com
- version 4.0.11-1
- Remove double slashes from cobbler api endpoint (bsc#1133800)
-------------------------------------------------------------------
Wed May 15 15:13:56 CEST 2019 - jgonzalez@suse.com
- version 4.0.10-1
- SPEC cleanup
- Improve error message when trying to configure a proxy on a
machine that is not registered as client
-------------------------------------------------------------------
Mon Apr 22 12:14:25 CEST 2019 - jgonzalez@suse.com
- version 4.0.9-1
- fix connection type test for proxy (bsc#1132080)
- open needed firewall ports also when firewall not currently
running (bsc#1131231)
- Add makefile and lintrc for pylint
-------------------------------------------------------------------
Mon Mar 25 16:44:13 CET 2019 - jgonzalez@suse.com
- version 4.0.8-1
- redirect new cobbler autoinstall url
-------------------------------------------------------------------
Tue Mar 12 15:33:51 CET 2019 - jgonzalez@suse.com
- version 4.0.7-1
- fix syntax error in proxy firewall file (bsc#1128885)
-------------------------------------------------------------------
Sat Mar 02 00:11:37 CET 2019 - jgonzalez@suse.com
- version 4.0.6-1
- Cache .deb packages
-------------------------------------------------------------------
Wed Feb 27 13:03:24 CET 2019 - jgonzalez@suse.com
- version 4.0.5-1
- fetch-certificate: allow more time for onboarding
-------------------------------------------------------------------
Wed Jan 16 12:24:15 CET 2019 - jgonzalez@suse.com
- version 4.0.4-1
- configure firewalld if available
-------------------------------------------------------------------
Mon Dec 17 14:39:21 CET 2018 - jgonzalez@suse.com
- version 4.0.3-1
- Add support for Python 3 on spacewalk-proxy-installer
- don't write invalid values to answer file for configure-proxy.sh
-------------------------------------------------------------------
Fri Oct 26 10:35:58 CEST 2018 - jgonzalez@suse.com
- version 4.0.2-1
- Change dependencies from rhncfg to mgr-cfg (bsc#1104034)
- Add script for retrieving the systemid file in configure-proxy.sh for minions (FATE#323069)
- fix wrong paths to scripts; ensure CA can be found
-------------------------------------------------------------------
Fri Aug 10 15:26:11 CEST 2018 - jgonzalez@suse.com
- version 4.0.1-1
- Bump version to 4.0.0 (bsc#1104034)
- Fix copyright for the package specfile (bsc#1103696)
-------------------------------------------------------------------
Mon Mar 05 08:52:59 CET 2018 - jgonzalez@suse.com
- version 2.8.6.2-1
- remove empty clean section from spec (bsc#1083294)
-------------------------------------------------------------------
Wed Feb 28 09:48:18 CET 2018 - jgonzalez@suse.com
- version 2.8.6.1-1
- Sync with upstream
-------------------------------------------------------------------
Wed Jan 17 12:54:09 CET 2018 - jgonzalez@suse.com
- version 2.8.4.1-1
- fix default value in squid.conf template
-------------------------------------------------------------------
Tue Nov 28 12:14:04 CET 2017 - jgonzalez@suse.com
- version 2.7.2.4-1
- more exact question for custom certificate and key (bsc#1059998)
-------------------------------------------------------------------
Mon Jun 12 08:59:11 CEST 2017 - mc@suse.de
- version 2.7.2.3-1
- disable config channel population by default in non-interactive
mode (bsc#1043778)
-------------------------------------------------------------------
Mon May 29 15:32:31 CEST 2017 - mc@suse.de
- version 2.7.2.2-1
- proxy installer Apache certs did not match rhn-ssl-tools names
(bsc#1038858)
- Tell user the proxy configure scripts needs to be re-run after
copying the missing certificate (bsc#1035015)
-------------------------------------------------------------------
Fri Mar 31 09:34:27 CEST 2017 - mc@suse.de
- version 2.7.2.1-1
- do not start firewall on proxy during configuration if not already
active (bsc#1031338)
- salt minions get repodata via a different URL; reflect by
additional squid rule (bsc#1027873)
- extract utility to config ssh-push keys on a proxy
- only warn if parent ssh-push pub key could not be retrieved
- generate and auth ssh push keys for user mgrsshtunnel
- Authorize parent salt-ssh key on proxy
- Generate proxy ssh-push key and authorize the previous proxy in
the chain
- extract ssh push key directory to variable
- Generate own ssh-push key for proxy and authorize parent
-------------------------------------------------------------------
Tue Mar 07 14:37:36 CET 2017 - mc@suse.de
- version 2.7.1.2-1
- Updated links to github in spec files
- add options for rhn-user and rhn-password
- ask user for credentials only if configuration script works in
interactive mode
-------------------------------------------------------------------
Tue Feb 07 17:43:07 CET 2017 - michele.bologna@suse.com
- version 2.7.1.1-1
- Align with upstream versioning
-------------------------------------------------------------------
Wed Jan 11 16:27:46 CET 2017 - michele.bologna@suse.com
- version 2.7.0.1-1
- Bumping package versions for 2.7.
-------------------------------------------------------------------
Thu Oct 06 14:59:00 CEST 2016 - mc@suse.de
- version 2.5.2.4-1
- Restarting salt-broker service when configure-config.sh finished
the setup
- spacewalk-proxy-installer now requires spacewalk-proxy-salt
- configure firewall for saltproxy
-------------------------------------------------------------------
Mon Mar 21 16:33:55 CET 2016 - mc@suse.de
- version 2.5.2.3-1
- convert squid config parameter range_offset_limit for new squid
version on update
-------------------------------------------------------------------
Wed Mar 09 10:45:15 CET 2016 - mc@suse.de
- version 2.5.2.2-1
- do not open salt ports
-------------------------------------------------------------------
Wed Mar 02 12:10:22 CET 2016 - mc@suse.de
- version 2.5.2.1-1
- filter only existing config files
-------------------------------------------------------------------
Tue Jan 26 14:09:06 CET 2016 - mc@suse.de
- version 2.5.1.2-1
- fix comments about Salt
-------------------------------------------------------------------
Mon Nov 30 11:07:27 CET 2015 - mc@suse.de
- version 2.5.1.1-1
- fix start of proxy services
- make sure ssl build directory exists (bsc#949516)
-------------------------------------------------------------------
Thu Oct 22 16:28:32 CEST 2015 - mc@suse.de
- version 2.5.0.2-1
- open needed firewall ports
-------------------------------------------------------------------
Wed Oct 07 14:34:16 CEST 2015 - mc@suse.de
- version 2.5.0.1-1
- replace upstream subscription counting with new subscription
matching (FATE#311619)
-------------------------------------------------------------------
Mon Jun 22 16:14:33 CEST 2015 - jrenner@suse.de
- version 2.1.6.9-1
- Set USE_EXISTING_CERTS=N in the answers.txt example file.
- 'Bring your own certificate': update documentation for configure-proxy.sh
- configure-proxy.sh: 'Bring your own certificate' feature
-------------------------------------------------------------------
Tue Feb 03 11:59:55 CET 2015 - mc@suse.de
- version 2.1.6.8-1
- Added missing cli args (bnc#913941)
- Getting rid of Tabs and trailing spaces
-------------------------------------------------------------------
Thu Dec 04 13:30:20 CET 2014 - mc@suse.de
- version 2.1.6.7-1
- read systemid path from configuration
- proxy installer should use http proxy to get version number
-------------------------------------------------------------------
Fri Nov 07 13:16:16 CET 2014 - mc@suse.de
- version 2.1.6.6-1
- don't hardcode systemid path in rhn-proxy-activate
-------------------------------------------------------------------
Fri Sep 12 15:49:14 CEST 2014 - mc@suse.de
- version 2.1.6.5-1
- remove duplicate Summary and Group entries
-------------------------------------------------------------------
Tue May 06 15:17:23 CEST 2014 - mc@suse.de
- version 2.1.6.4-1
- move yes_no function before the first usage
-------------------------------------------------------------------
Thu Feb 27 15:29:55 CET 2014 - fcastelli@suse.com
- version 2.1.6.3-1
- add missing activate-SLP to option list
- correctly tell yum from zypper; not only in interactive mode
- Various fixes for configure-proxy.sh (rename YUM_OR_UPDATE to YUM, httpd to
apache2)
- fix wrong product name in configure-proxy.sh
- Add SLP activation to configure-proxy.sh; fix SLP registration file for proxy
-------------------------------------------------------------------
Fri Feb 07 13:57:39 CET 2014 - mc@suse.de
- version 2.1.6.2-1
- fixed bug where UP2DATE_FILE was not set
-------------------------------------------------------------------
Mon Dec 09 16:51:33 CET 2013 - mc@suse.de
- version 2.1.6.1-1
- switch to 2.1
-------------------------------------------------------------------
Fri Sep 27 09:58:47 CEST 2013 - mc@suse.de
- version 1.7.6.10-1
- fix usage of answer file for configure-proxy.sh (bnc#834899)
-------------------------------------------------------------------
Wed Jun 12 13:25:32 CEST 2013 - mc@suse.de
- version 1.7.6.9-1
- report extra commandline arguments
- fail if answer file is not readable
-------------------------------------------------------------------
Fri Feb 08 11:05:40 CET 2013 - mc@suse.de
- version 1.7.6.8-1
- Remove superfluous stuff from cobbler-proxy.conf (bnc#796581)
-------------------------------------------------------------------
Fri Sep 28 16:17:12 CEST 2012 - mc@suse.de
- version 1.7.6.7-1
- cleanup jabberd db and use insserv to switch to current
default runlevel
- enable proxy services only in runlevel 3 and 5
-------------------------------------------------------------------
Thu Aug 02 16:22:54 CEST 2012 - mc@suse.de
- version 1.7.6.6-1
- make sure username/password is correct
- reuse already assigned variable
-------------------------------------------------------------------
Mon Jul 16 15:21:43 CEST 2012 - ug@suse.de
- version 1.7.6.5-1
- proxy-installer should pre-require proxy-common to ensure correct order of
apache modules
-------------------------------------------------------------------
Mon Jun 25 13:58:26 CEST 2012 - mantel@suse.de
- proxy-installer should pre-require proxy-common to ensure correct
order of apache modules
-------------------------------------------------------------------
Mon May 14 10:54:11 CEST 2012 - mc@suse.de
- version 1.7.6.4-1
- if koan is requesting anything from /cobbller_api replace hostname
of server with hostname of first proxy in chain
-------------------------------------------------------------------
Fri Apr 27 16:54:44 CEST 2012 - mc@suse.de
- version 1.7.6.3-1
- fix jabberd setup in configure-proxy
-------------------------------------------------------------------
Thu Apr 19 13:46:08 CEST 2012 - mantel@suse.de
- squid stores its data in /var/cache/squid, not in
/var/spool/squid
-------------------------------------------------------------------
Fri Mar 30 14:50:00 CEST 2012 - mc@suse.de
- version 1.7.6.2-1
- run pylint on SUSE systems
-------------------------------------------------------------------
Wed Mar 21 17:36:54 CET 2012 - mc@suse.de
- version 1.7.6.1-1
- Bumping package version
-------------------------------------------------------------------
Thu Dec 22 14:59:55 CET 2011 - mantel@suse.de
- rename Novell to SUSE (#708333)
-------------------------------------------------------------------
Mon Sep 12 11:28:48 CEST 2011 - mc@suse.de
- fix example answer file (bnc#703980)
-------------------------------------------------------------------
Wed May 25 13:26:16 CEST 2011 - mc@suse.de
- allow only secure SSLCipher and SSLProtocols (bnc#685550)
-------------------------------------------------------------------
Mon May 2 17:25:35 CEST 2011 - ug@suse.de
- apache has to load mod_proxy_http (bnc#683382)
-------------------------------------------------------------------
Thu Mar 31 15:45:30 CEST 2011 - mantel@suse.de
- more debranding
-------------------------------------------------------------------
Tue Mar 29 16:42:00 CEST 2011 - ug@suse.de
- added some directories to redirect to the server for
autoinstallation (/download and /ks - bnc#683382)
-------------------------------------------------------------------
Tue Mar 22 13:39:31 CET 2011 - mantel@suse.de
- remove /etc/motd after proxy has been configured (bnc#681220)
-------------------------------------------------------------------
Tue Mar 8 09:50:09 CET 2011 - mc@suse.de
- fix SSL certificate generation on SUSE (bnc#677468)
-------------------------------------------------------------------
Thu Mar 3 17:48:44 CET 2011 - mc@suse.de
- fix ssl configuration
-------------------------------------------------------------------
Thu Mar 3 15:54:20 CET 2011 - mantel@suse.de
- use FQHN for SSL certificate common name (bnc#676678)
-------------------------------------------------------------------
Thu Mar 3 12:43:00 CET 2011 - mantel@suse.de
- move apache module configuration to main package
-------------------------------------------------------------------
Thu Mar 3 10:48:58 CET 2011 - mantel@suse.de
- adapt for SUSE Manager
-------------------------------------------------------------------
Wed Feb 23 14:11:33 CET 2011 - mantel@suse.de
- some adaptations for SUSE manager
-------------------------------------------------------------------
Wed Sep 15 09:42:17 CEST 2010 - mantel@suse.de
- Initial release of spacewalk-proxy-installer
-------------------------------------------------------------------
0707010000000F000081B4000000000000000000000001670D22FD0000130D000000000000000000000000000000000000003900000000spacewalk-proxy-installer/spacewalk-proxy-installer.spec
#
# spec file for package spacewalk-proxy-installer
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2008-2018 Red Hat, Inc.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
#!BuildIgnore: udev-mini libudev-mini1
%if 0%{?fedora} || 0%{?rhel}
%define apacheconfdir %{_sysconfdir}/httpd
%else
%define apacheconfdir %{_sysconfdir}/apache2
%endif
%define rhnroot %{_usr}/share/rhn
%define pythondir %{rhnroot}/proxy-installer
Name: spacewalk-proxy-installer
Version: 5.1.1
Release: 0
Summary: Spacewalk Proxy Server Installer
License: GPL-2.0-only
# FIXME: use correct group or remove it, see "https://en.opensuse.org/openSUSE:Package_group_guidelines"
Group: Applications/Internet
URL: https://github.com/uyuni-project/uyuni
Source0: https://github.com/spacewalkproject/spacewalk/archive/%{name}-%{version}.tar.gz
BuildArch: noarch
Requires: firewalld
Requires(pre): spacewalk-proxy-common
Requires: spacewalk-proxy-salt
%if 0%{?suse_version}
Requires: aaa_base
Requires: apache2
Requires: glibc
%else
Requires: chkconfig
Requires: glibc-common
Requires: hostname
Requires: httpd
Requires: net-tools
Requires: rhn-client-tools > 2.8.4
Requires: rhnlib
%endif
Requires: libxslt
Requires: salt
Requires: spacewalk-certs-tools >= 1.6.4
BuildRequires: /usr/bin/docbook2man
# weakremover used on SUSE to get rid of orphan packages which are
# unsupported and do not have a dependency anymore
Provides: weakremover(mgr-cfg)
Provides: weakremover(mgr-cfg-actions)
Provides: weakremover(mgr-cfg-client)
Provides: weakremover(mgr-cfg-management)
%define defaultdir %{_usr}/share/rhn/proxy-template
%description
The Spacewalk Proxy Server allows package proxying/caching
and local package delivery services for groups of local servers from
Spacewalk Server. This service adds flexibility and economy of
resources to package update and deployment.
This package includes command line installer of Spacewalk Proxy Server.
Run configure-proxy.sh after installation to configure proxy.
%prep
%setup -q
%build
/usr/bin/docbook2man rhn-proxy-activate.sgml
/usr/bin/gzip rhn-proxy-activate.8
/usr/bin/docbook2man configure-proxy.sh.sgml
/usr/bin/gzip configure-proxy.sh.8
%install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_usr}/sbin
mkdir -p %{buildroot}%{pythondir}
mkdir -p %{buildroot}%{_prefix}/lib/firewalld/services
install -m 755 -d %{buildroot}%{defaultdir}
install -m 644 squid.conf %{buildroot}%{defaultdir}
install -m 644 rhn.conf %{buildroot}%{defaultdir}
install -m 644 cobbler-proxy.conf %{buildroot}%{defaultdir}
install -m 644 insights-proxy.conf %{buildroot}%{defaultdir}
install -m 755 configure-proxy.sh %{buildroot}%{_usr}/sbin
install -m 644 fetch-certificate.py %{buildroot}%{pythondir}
install -m 755 spacewalk-setup-httpd %{buildroot}%{_bindir}
install -m 644 get_system_id.xslt %{buildroot}%{_usr}/share/rhn/
install -m 644 rhn-proxy-activate.8.gz %{buildroot}%{_mandir}/man8/
install -m 644 configure-proxy.sh.8.gz %{buildroot}%{_mandir}/man8/
install -m 0644 suse-manager-proxy.xml %{buildroot}%{_prefix}/lib/firewalld/services
# Fixing shebang for Python 3
for i in $(find . -type f);
do
sed -i '1s=^#!/usr/bin/\(python\|env python\)[0-9.]*=#!/usr/bin/python3=' $i;
done
install -m 755 rhn-proxy-activate.py %{buildroot}%{_usr}/sbin/rhn-proxy-activate
%check
%post
%if 0%{?suse_version}
if [ -f %{_sysconfdir}/sysconfig/apache2 ]; then
sysconf_addword %{_sysconfdir}/sysconfig/apache2 APACHE_MODULES proxy_http
sysconf_addword %{_sysconfdir}/sysconfig/apache2 APACHE_MODULES headers
fi
%endif
%files
%defattr(-,root,root,-)
%dir %{defaultdir}
%{defaultdir}/squid.conf
%{defaultdir}/rhn.conf
%{defaultdir}/cobbler-proxy.conf
%{defaultdir}/insights-proxy.conf
%{_usr}/sbin/configure-proxy.sh
%{_mandir}/man8/*
%{_usr}/share/rhn/get_system_id.xslt
%{_usr}/sbin/rhn-proxy-activate
%dir %{pythondir}
%{pythondir}/fetch-certificate.py
%{_bindir}/spacewalk-setup-httpd
%doc answers.txt
%license LICENSE
%dir %{_usr}/share/rhn/proxy-template
%dir %{_usr}/share/rhn
%{_prefix}/lib/firewalld/services/suse-manager-proxy.xml
%changelog
07070100000010000081B4000000000000000000000001670D22FD000002AA000000000000000000000000000000000000003000000000spacewalk-proxy-installer/spacewalk-setup-httpd
#!/bin/bash

# Apache vhost directory: SUSE layout by default, Red Hat layout as fallback.
HTTPDCONF_DIR=/etc/apache2/vhosts.d
if [ ! -e /etc/apache2 ]; then
    HTTPDCONF_DIR=/etc/httpd/conf.d
fi
PKI_DIR=/etc/pki/tls

# Create ssl.conf from the vhost template if it does not exist yet.
if [ ! -e "$HTTPDCONF_DIR/ssl.conf" ]; then
    cp "$HTTPDCONF_DIR/vhost-ssl.template" "$HTTPDCONF_DIR/ssl.conf"
fi

# Point the vhost at the spacewalk certificate and key, set the cipher list,
# and add the rewrite and SSL proxy directives just before </VirtualHost>.
# Only directive lines that are already present and uncommented are rewritten.
sed -i -e "s|^[\t ]*SSLCertificateFile.*$|SSLCertificateFile $PKI_DIR/certs/spacewalk.crt|g" \
    -e "s|^[\t ]*SSLCertificateKeyFile.*$|SSLCertificateKeyFile $PKI_DIR/private/spacewalk.key|g" \
    -e "s|^[\t ]*SSLCipherSuite.*$|SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH|g" \
    -e "s|</VirtualHost>|RewriteEngine on\nRewriteOptions inherit\nSSLProxyEngine on\n</VirtualHost>|" \
    "$HTTPDCONF_DIR/ssl.conf"
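A post-run check for the ssl.conf edited by the script above, as an added example that is not part of spacewalk-setup-httpd: the sed expressions only rewrite directive lines that already exist uncommented, so a template carrying `#SSLCipherSuite` keeps whatever default applies. The function name `missing_directives` is an assumption of this example.

```shell
#!/bin/sh
# Added check, not part of spacewalk-setup-httpd.
# Directives the sed expressions above should leave active in ssl.conf.
EXPECTED='SSLCertificateFile /etc/pki/tls/certs/spacewalk.crt
SSLCertificateKeyFile /etc/pki/tls/private/spacewalk.key
SSLCipherSuite ALL:!aNULL:!eNULL:!SSLv2:!LOW:!EXP:!MD5:@STRENGTH
SSLProxyEngine on'

# Print every expected directive that is not an active line of the file.
# Commented-out lines ("#SSLCipherSuite ...") do not count as active.
missing_directives() {
    conf=$1
    printf '%s\n' "$EXPECTED" | while IFS= read -r want; do
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" |
            grep -Fxq -- "$want" || printf '%s\n' "$want"
    done
}

# Usage: sh check.sh /etc/apache2/vhosts.d/ssl.conf  (empty output = all set)
if [ -n "${1:-}" ]; then
    missing_directives "$1"
fi
```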
07070100000011000081B4000000000000000000000001670D22FD00000ADD000000000000000000000000000000000000002500000000spacewalk-proxy-installer/squid.conf
# squid.conf
# To be used for Spacewalk Proxy servers.
#
http_port 8080
cache_mem 400 MB
# cached images can be large
maximum_object_size 10 GB
maximum_object_size_in_memory 1024 KB
access_log /var/log/squid/access.log squid
# Size should be about 60% of your free space
cache_dir aufs /var/cache/squid 15000 16 256
# Average object size, used to estimate number of objects your
# cache can hold. The default is 13 KB.
store_avg_object_size 817 KB
# We want to keep the largest objects around longer, and just download the smaller objects if we can.
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
# cache repodata only few minutes and then query parent whether it is fresh
refresh_pattern /XMLRPC/GET-REQ/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern /ks/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
# salt minions get the repodata via a different URL
refresh_pattern /rhn/manager/download/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
# bootstrap repos needs to be handled as well
refresh_pattern /pub/repositories/.*/repodata/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern /pub/repositories/.*/venv-enabled-.*.txt$ 0 1% 1440 reload-into-ims refresh-ims
# rpm will hardly ever change, force to cache it for very long time
refresh_pattern \.rpm$ 10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims
refresh_pattern \.deb$ 10080 100% 525600 override-expire override-lastmod ignore-reload reload-into-ims
# once downloaded images will never change. New image will have different revision number
refresh_pattern /os-images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private
# kernel and initrd are tied to images, will never change as well
refresh_pattern /tftp/images/.*$ 10080 100% 525600 ignore-no-store ignore-reload ignore-private
# rest of tftp are config files prone to change frequently
refresh_pattern /tftp/.*$ 0 1% 1440 reload-into-ims refresh-ims
refresh_pattern . 0 100% 525600
# secure squid
# allow request only from localhost and to http and https ports
acl all src 0.0.0.0/0.0.0.0
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 443 # https
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all
icp_access allow all
miss_access allow all
# if transport is canceled, finish downloading anyway
quick_abort_pct -1
quick_abort_min -1 KB
# when range is required, download whole file anyway
# when we request rpm header, we will nearly always get
# request for the rest of the file
range_offset_limit none
# we download only from 1 server, default is 1024
# which is too much for us
fqdncache_size 4
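Which of the refresh_pattern rules above applies to a given URL, as an added example that is not part of the package: Squid uses the first matching rule and tests the regex against the whole URL, so a package URL that carries a query string no longer ends in `.rpm` and falls through to the catch-all. The function name `first_match` and the sample URLs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the package. Rules copied from the squid.conf
# above in file order (regex min percent max); their options are left out.
RULES='/XMLRPC/GET-REQ/.*/repodata/.*$ 0 1% 1440
/ks/.*/repodata/.*$ 0 1% 1440
/rhn/manager/download/.*/repodata/.*$ 0 1% 1440
/pub/repositories/.*/repodata/.*$ 0 1% 1440
/pub/repositories/.*/venv-enabled-.*.txt$ 0 1% 1440
\.rpm$ 10080 100% 525600
\.deb$ 10080 100% 525600
/os-images/.*$ 10080 100% 525600
/tftp/images/.*$ 10080 100% 525600
/tftp/.*$ 0 1% 1440
. 0 100% 525600'

# Print "regex min max" (minutes) for the first rule matching the URL.
# Squid stops at the first matching refresh_pattern, so file order decides.
first_match() {
    url=$1
    printf '%s\n' "$RULES" | while read -r regex min pct max; do
        if printf '%s\n' "$url" | grep -Eq -- "$regex"; then
            printf '%s %s %s\n' "$regex" "$min" "$max"
            break
        fi
    done
}

# Constructed URLs; host, channel and package names are placeholders.
for u in \
    'https://proxy.example.test/rhn/manager/download/ch1/repodata/repomd.xml' \
    'https://proxy.example.test/rhn/manager/download/ch1/getPackage/foo-1.0-1.noarch.rpm' \
    'https://proxy.example.test/rhn/manager/download/ch1/getPackage/foo-1.0-1.noarch.rpm?x=1' \
    'https://proxy.example.test/tftp/images/img1/initrd' \
    'https://proxy.example.test/tftp/pxelinux.cfg/default'
do
    printf '%s\n  -> %s\n' "$u" "$(first_match "$u")"
done
```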
07070100000012000081B4000000000000000000000001670D22FD000002AC000000000000000000000000000000000000003100000000spacewalk-proxy-installer/suse-manager-proxy.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SUSE Manager Proxy</short>
<description>SUSE Manager Proxy Server allows package caching and local package delivery services for groups of local servers from SUSE Manager Server.</description>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="443"/>
<port protocol="tcp" port="22"/>
<port protocol="tcp" port="5222"/>
<port protocol="tcp" port="5269"/>
<port protocol="tcp" port="4505"/>
<port protocol="tcp" port="4506"/>
<port protocol="udp" port="123"/>
<port protocol="udp" port="69"/>
<module name="nf_conntrack_tftp"/>
</service>
07070100000000000000000000000000000000000000010000000000000000000000000000000000000000000000000000000B00000000TRAILER!!!