Red Hat Update Infrastructure 2.0.2 Release Notes
NOTE: text format of this content is included as a README on the iso
Updating
Before following instructions in the Red Hat Update Infrastructure 2.0 Installation Guide to update to RHUI 2.0.2, some additional dependencies need to be installed.
On the RHUA, run:
% yum install PyPAM python-rhsm policycoreutils-python
On the CDS, run:
% yum install PyPAM
After the above steps are completed, proceed with the update instructions from the RHUI Installation Guide.
RHUA Configuration Updates
Step through the following manual configuration updates that are needed:
- /etc/httpd/conf.d/pulp.conf
Change:
WSGISocketPrefix /srv/pulp/
To:
WSGISocketPrefix run/wsgi
- /etc/pulp/pulp.conf
Change:
remove_old_packages: false
To:
remove_old_versions: false
- /etc/pulp/repo_auth.conf
Add the following to the [main] section of the file:
log_failed_cert: true
log_failed_cert_verbose: false
max_num_certs_in_chain: 100
Note: The log_failed_cert and log_failed_cert_verbose options can help with debugging client entitlement certificate issues. Set them both to true for enhanced logging.
Change the following lines:
[repos]
cert_location: /etc/pki/content/
global_cert_location: /etc/pki/content/
protected_repo_listing_file: /etc/pki/content/pulp-protected-repos
To:
[repos]
cert_location: /etc/pki/pulp/content/
global_cert_location: /etc/pki/pulp/content/
protected_repo_listing_file: /etc/pki/pulp/content/pulp-protected-repos
Add the following to the end of the file:
[crl]
location: /etc/pki/pulp/content
- /etc/rhui/rhui-tools.conf
Add to the end of the file:
# Warnings will be issued if certificates expire within the set number of
# days
expiration_warning: 30
- /etc/pulp/admin/admin.conf is a new config file that takes the place of /etc/pulp/client.conf
The new file needs to be edited. Change the host option from localhost.localdomain to the fully qualified domain name of the RHUA system:
[server]
host = localhost.localdomain
CDS Configuration Updates
- /etc/pulp/cds.conf
Change the following line:
ca_cert_file = /etc/pki/content/pulp-server-ca.crt
To:
ca_cert_file = /etc/pki/pulp/content/pulp-server-ca.crt
- /etc/pulp/repo_auth.conf
Add the following to the [main] section of the file:
log_failed_cert: true
log_failed_cert_verbose: false
max_num_certs_in_chain: 100
Note: The log_failed_cert and log_failed_cert_verbose options can help with debugging client entitlement certificate issues. Set them both to true for enhanced logging.
Change the following lines:
[repos]
cert_location: /etc/pki/content/
global_cert_location: /etc/pki/content/
protected_repo_listing_file: /etc/pki/content/pulp-protected-repos
To:
[repos]
cert_location: /etc/pki/pulp/content/
global_cert_location: /etc/pki/pulp/content/
protected_repo_listing_file: /etc/pki/pulp/content/pulp-protected-repos
Add the following to the end of the file:
[crl]
location: /etc/pki/pulp/content
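A check for the repo_auth.conf edits listed above for both the RHUA and the CDS, added here as an example; it is not part of the RHUI release notes or tooling. The function name check_repo_auth is hypothetical, and accepting a trailing slash on the [crl] location is an assumption.

```shell
#!/bin/sh
# Added example: verify that a repo_auth.conf carries the 2.0.2 changes.
# Prints one line per problem; returns 0 only when no problem is found.
check_repo_auth() {
    conf=$1
    problems=$(awk '
        # Track the current [section] name.
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        # Skip comments and lines without a key/value separator.
        /^[ \t]*[#;]/ || !/[:=]/ { next }
        {
            key = $0; sub(/[ \t]*[:=].*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^:=]*[:=][ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            have[sec "." key] = val
        }
        END {
            n = split("log_failed_cert log_failed_cert_verbose max_num_certs_in_chain", m, " ")
            for (i = 1; i <= n; i++)
                if (!(("main." m[i]) in have)) print "missing [main] " m[i]
            n = split("cert_location global_cert_location protected_repo_listing_file", r, " ")
            for (i = 1; i <= n; i++) {
                v = have["repos." r[i]]
                if (index(v, "/etc/pki/pulp/content/") != 1)
                    print "[repos] " r[i] " not under /etc/pki/pulp/content/: " v
            }
            c = have["crl.location"]; sub(/\/$/, "", c)   # assumption: trailing slash is fine
            if (c != "/etc/pki/pulp/content")
                print "[crl] location missing or wrong: " have["crl.location"]
        }' "$conf")
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Typical use on the RHUA or a CDS:
#   check_repo_auth /etc/pulp/repo_auth.conf
```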
pulp-migrate on the RHUA
After the configuration changes are completed on the RHUA and each CDS, run pulp-migrate as the root user on the RHUA, and restart the pulp-server service again:
$ pulp-migrate
database migration to version 38 complete
$ service pulp-server restart
Stopping httpd: [ OK ]
Stopping Qpid AMQP daemon: [ OK ]
Stopping mongod: [ OK ]
Starting mongod: [ OK ]
Starting Qpid AMQP daemon: [ OK ]
Starting httpd: [ OK ]
Restart the pulp-cds service on the CDS as well to pick up the configuration changes.
SELinux
You can now enable SELinux if you so choose on the RHUA and each CDS by editing the /etc/selinux/config file or running "setenforce 1".
Restart the pulp-server service on the RHUA and the pulp-cds service on the CDS again after enabling SELinux.
Features
- SELinux - RHUI can now run with SELinux enabled.
- RHEL 6.2 - RHUI has added support for installing and running on RHEL 6.2.
- Certificate expiration monitoring - The expiration dates of the entitlement CA and identity certificate are now monitored as part of the 'rhui-manager status' command.
- Status return codes - The 'rhui-manager status' command now returns meaningful return codes. If there are multiple problems, the return codes are logically OR'd together so that it can be determined exactly what went wrong. The return codes are:
- Ok = 0
- Repository sync error = 1
- CDS sync error = 2
- CDS heartbeat error = 4
- Identity certificate expiration warning = 8
- Identity certificate expiration error = 16
- Entitlement CA certificate expiration warning = 32
- Entitlement CA certificate expiration error = 64
- Repository sync status performance - The time it takes to get the status of a repository sync has been improved.
- Client SSL verification with a CA chain - Clients can verify a CDS server's SSL certificate that is signed by an intermediate CA if the full CA chain is provided during client configuration rpm generation.
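Decoding the OR'd 'rhui-manager status' return codes listed under "Status return codes" above, as an added example that is not part of RHUI. The function names are hypothetical, and the 0/1/2 severity mapping (warning bits 8 and 32 versus the error bits) is an assumption made for use in a monitoring check.

```shell
#!/bin/sh
# Added example: decode the bitmask exit status of 'rhui-manager status'.
# Bit values are the ones listed in these release notes.
decode_rhui_status() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo "Ok"
        return 0
    fi
    # value:description pairs, one per line
    while IFS=: read -r bit desc; do
        if [ $(( $rc & $bit )) -ne 0 ]; then
            echo "$desc"
        fi
    done <<'EOF'
1:Repository sync error
2:CDS sync error
4:CDS heartbeat error
8:Identity certificate expiration warning
16:Identity certificate expiration error
32:Entitlement CA certificate expiration warning
64:Entitlement CA certificate expiration error
EOF
    # Bits above 64 are not documented in the notes; report rather than ignore them.
    if [ $(( $rc & ~127 )) -ne 0 ]; then
        echo "Unknown bits set: $(( $rc & ~127 ))"
    fi
}

# Assumed severity mapping: 0 = ok, 1 = only warning bits (8, 32), 2 = any error bit.
rhui_status_severity() {
    rc=$1
    if [ $(( $rc & (1|2|4|16|64) )) -ne 0 ]; then echo 2
    elif [ $(( $rc & (8|32) )) -ne 0 ]; then echo 1
    elif [ "$rc" -ne 0 ]; then echo 2   # undocumented bits: treat as an error
    else echo 0
    fi
}

# Typical use on the RHUA (commented out so the block runs without RHUI installed):
#   rhui-manager status; decode_rhui_status $?
```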
Known Issues
- qpidd AVC denial - A SELinux AVC denial may be logged in /var/log/audit/audit.log for qpidd trying to access the resource 'name="tmp"'. This denial can be safely ignored. See https://bugzilla.redhat.com/show_bug.cgi?id=790759 for more information.
- qpidd segfault with nss-3.13.1-6.el6_2 - An nss update caused a segfault with qpidd. nss-3.13.1-6.el6_2 is incompatible with qpidd; update to a newer version, or downgrade to an older version.
To downgrade to an older version if no update is available, run:
$ yum downgrade nss nss-tools nss-sysinit
See https://bugzilla.redhat.com/show_bug.cgi?id=797426 for more information.