Red Hat Update Infrastructure 2.0.2 Release Notes


NOTE: A text version of this content is included as a README on the ISO.

Updating

Before following instructions in the Red Hat Update Infrastructure 2.0 Installation Guide to update to RHUI 2.0.2, some additional dependencies need to be installed.

On the RHUA, run:

% yum install PyPAM python-rhsm policycoreutils-python

On the CDS, run:

% yum install PyPAM

After the above steps are completed, proceed with the update instructions from the RHUI Installation Guide.

RHUA Configuration Updates

Make the following manual configuration updates:

  • /etc/httpd/conf.d/pulp.conf

Change:

    WSGISocketPrefix /srv/pulp/

To:

    WSGISocketPrefix run/wsgi
  • /etc/pulp/pulp.conf

Change:

    remove_old_packages: false

To:

    remove_old_versions: false
  • /etc/pulp/repo_auth.conf

Add the following to the [main] section of the file:

    log_failed_cert: true
    log_failed_cert_verbose: false
    max_num_certs_in_chain: 100

Note: The log_failed_cert and log_failed_cert_verbose options can help with debugging client entitlement certificate issues. Set them both to true for enhanced logging.

Change the following lines:

    [repos]
    cert_location: /etc/pki/content/
    global_cert_location: /etc/pki/content/
    protected_repo_listing_file: /etc/pki/content/pulp-protected-repos

To:

    [repos]
    cert_location: /etc/pki/pulp/content/
    global_cert_location: /etc/pki/pulp/content/
    protected_repo_listing_file: /etc/pki/pulp/content/pulp-protected-repos

Add the following to the end of the file:

    [crl]
    location: /etc/pki/pulp/content
  • /etc/rhui/rhui-tools.conf

Add to the end of the file:

    # Warnings will be issued if certificates expire within the set number of
    # days
    expiration_warning: 30
  • /etc/pulp/admin/admin.conf is a new config file that takes the place of /etc/pulp/client.conf

Edit the new file and change the host option from localhost.localdomain to the fully qualified domain name of the RHUA system. The line to change is:

    [server]
    host = localhost.localdomain

CDS Configuration Updates

  • /etc/pulp/cds.conf

Change the following line:

    ca_cert_file = /etc/pki/content/pulp-server-ca.crt

To:

    ca_cert_file = /etc/pki/pulp/content/pulp-server-ca.crt
  • /etc/pulp/repo_auth.conf

Add the following to the [main] section of the file:

    log_failed_cert: true
    log_failed_cert_verbose: false
    max_num_certs_in_chain: 100

Note: The log_failed_cert and log_failed_cert_verbose options can help with debugging client entitlement certificate issues. Set them both to true for enhanced logging.

Change the following lines:

    [repos]
    cert_location: /etc/pki/content/
    global_cert_location: /etc/pki/content/
    protected_repo_listing_file: /etc/pki/content/pulp-protected-repos

To:

    [repos]
    cert_location: /etc/pki/pulp/content/
    global_cert_location: /etc/pki/pulp/content/
    protected_repo_listing_file: /etc/pki/pulp/content/pulp-protected-repos

Add the following to the end of the file:

    [crl]
    location: /etc/pki/pulp/content
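
The repo_auth.conf edits are the same on the RHUA and on each CDS, so one check covers both. The following is an added example, not part of the release notes or of RHUI: a shell function (the name check_repo_auth is hypothetical) that reports any leftover /etc/pki/content path and any of the new [main] and [crl] options that are still missing.

```shell
# Added example: confirm that a repo_auth.conf carries the 2.0.2 changes
# described in these release notes. Exit status is 0 when nothing is wrong.
check_repo_auth() {
    conf=$1
    awk '
        BEGIN { bad = 0; section = "" }
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header, e.g. [repos]
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            section = $0
            next
        }
        /[:=]/ {                                    # key: value or key = value
            split($0, kv, /[:=]/)
            key = kv[1]; gsub(/[ \t]/, "", key)
            seen[section "." key] = 1
            # The pre-2.0.2 location; /etc/pki/pulp/content does not match.
            if ($0 ~ /\/etc\/pki\/content/) {
                printf "stale path at line %d: %s\n", NR, $0
                bad = 1
            }
        }
        END {
            n = split("main.log_failed_cert main.log_failed_cert_verbose " \
                      "main.max_num_certs_in_chain crl.location", req, " ")
            for (i = 1; i <= n; i++) {
                if (!(req[i] in seen)) {
                    printf "missing: %s\n", req[i]
                    bad = 1
                }
            }
            exit bad
        }
    ' "$conf"
}

# Typical use on the RHUA and on each CDS (not run here):
#   check_repo_auth /etc/pulp/repo_auth.conf && echo "repo_auth.conf is updated"
```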

pulp-migrate on the RHUA

After the configuration changes are completed on the RHUA and each CDS,
run pulp-migrate as the root user on the RHUA, and restart the pulp-server service again:

    $ pulp-migrate
    database migration to version 38 complete
    $ service pulp-server restart
    Stopping httpd:                                            [  OK  ]
    Stopping Qpid AMQP daemon:                                 [  OK  ]
    Stopping mongod:                                           [  OK  ]
    Starting mongod:                                           [  OK  ]
    Starting Qpid AMQP daemon:                                 [  OK  ]
    Starting httpd:                                            [  OK  ]

Restart the pulp-cds service on the CDS as well to pick up the configuration changes.

SELinux

You can now enable SELinux if you so choose on the RHUA and each CDS by
editing the /etc/selinux/config file or running "setenforce 1".

Restart the pulp-server service on the RHUA and the pulp-cds service on the CDS again after enabling SELinux.

Features

  • SELinux - RHUI can now run with SELinux enabled.
  • RHEL 6.2 - RHUI has added support for installing and running on RHEL 6.2.
  • Certificate expiration monitoring - The expiration dates of the entitlement CA and identity certificate are now monitored as part of the 'rhui-manager status' command.
  • Status return codes - The 'rhui-manager status' command now returns meaningful return codes. If there are multiple problems, the return codes are logically OR'd together so that it can be determined exactly what went wrong. The return codes are:
    • Ok = 0
    • Repository sync error = 1
    • CDS sync error = 2
    • CDS heartbeat error = 4
    • Identity certificate expiration warning = 8
    • Identity certificate expiration error = 16
    • Entitlement CA certificate expiration warning = 32
    • Entitlement CA certificate expiration error = 64
  • Repository sync status performance - The time it takes to get the status of a repository sync has been improved.
  • Client SSL verification with a CA chain - Clients can verify a CDS server's SSL certificate that is signed by an intermediate CA if the full CA chain is provided during client configuration rpm generation.
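
Because the status return codes are OR'd together, a monitoring job has to test individual bits rather than compare the exit status with a single value. The following is an added example, not part of the release notes or of RHUI (function names are hypothetical), that decodes the status using the values listed above:

```shell
# Added example: decode the exit status of 'rhui-manager status' using the
# bit values listed in these release notes.

# Print one line per condition encoded in the return code.
decode_rhui_status() {
    rc=$1
    case $rc in
        ''|*[!0-9]*) echo "not a return code: $rc" >&2; return 2 ;;
    esac
    if [ "$rc" -eq 0 ]; then
        echo "Ok"
        return 0
    fi
    while IFS='|' read -r bit label; do
        if [ $((rc & bit)) -ne 0 ]; then
            echo "$label"
        fi
    done <<'EOF'
1|Repository sync error
2|CDS sync error
4|CDS heartbeat error
8|Identity certificate expiration warning
16|Identity certificate expiration error
32|Entitlement CA certificate expiration warning
64|Entitlement CA certificate expiration error
EOF
    # Bits above 64 are not defined by the release notes.
    if [ $((rc & ~127)) -ne 0 ]; then
        echo "Undefined bits set: $((rc & ~127))"
    fi
    return 0
}

# Collapse the code to ok / warning / error for a monitoring check.
# Only 8 and 32 (mask 40) are listed as warnings; any other bit is an error.
rhui_status_severity() {
    rc=$1
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ $((rc & ~40)) -eq 0 ]; then
        echo warning
    else
        echo error
    fi
}

# Typical use on the RHUA (not run here):
#   rhui-manager status; rc=$?
#   decode_rhui_status "$rc"; rhui_status_severity "$rc"
```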

Known Issues

  • qpidd AVC denial - A SELinux AVC denial may be logged in /var/log/audit/audit.log for qpidd trying to access the resource 'name="tmp"'. This denial can be safely ignored. See https://bugzilla.redhat.com/show_bug.cgi?id=790759 for more information.

  • qpidd segfault with nss-3.13.1-6.el6_2 - An nss update caused a segfault with qpidd. nss-3.13.1-6.el6_2 is incompatible with qpidd; update to a newer version or downgrade to an older version.

    • To downgrade to an older version if no update is available, run:

      $ yum downgrade nss nss-tools nss-sysinit
      

See https://bugzilla.redhat.com/show_bug.cgi?id=797426 for more information.
