dagwieers / mrepo

RPM repository management tool supporting ftp/http/sftp/rsync/rhn/you
http://dag.wieers.com/home-made/mrepo/
GNU General Public License v2.0

help with pointing to internal rhn satellite #54

Open mvanwinkle opened 12 years ago

mvanwinkle commented 12 years ago

Greetings.

We're trying to use mrepo against an internal RHN satellite. I've read up on some of the RHEL tools for managing PKI stuff, but I don't know what the "best" / "shortest" way of handling this is.

During the mrepo server's creation, I registered it against RHN through a proxy, and now I'm wondering if I should just wipe the server and start clean; unless I can do something with "internal-satellite-server"'s keys.

Here's the output I'm getting:

```
rhel6s-x86_64: Mirror packages from rhns://internal-satellite-server/rhel-x86_64-server-6 to /app/mrepo/srcdir/rhel6s-x86_64/updates
Traceback (most recent call last):
  File "/usr/bin/rhnget", line 517, in <module>
    main()
  File "/usr/bin/rhnget", line 498, in main
    mirrorrhn(op.uri, op.destination)
  File "/usr/bin/rhnget", line 352, in mirrorrhn
    systemid = rhnlogin(url, path)
  File "/usr/bin/rhnget", line 319, in rhnlogin
    li = rpcServer.doCall(server.up2date.login, systemid)
  File "/usr/share/mrepo/up2date_client/rpcServer.py", line 234, in doCall
    ret = apply(method, args, kwargs)
  File "/usr/lib64/python2.6/xmlrpclib.py", line 1199, in __call__
    return self.__send(self.__name, args)
  File "/usr/share/mrepo/up2date_client/rpcServer.py", line 44, in _request1
    ret = self._request(methodname, params)
  File "/usr/share/mrepo/rhn/rpclib.py", line 319, in _request
    request, verbose=self._verbose)
  File "/usr/share/mrepo/rhn/transports.py", line 171, in request
    headers, fd = req.send_http(host, handler)
  File "/usr/share/mrepo/rhn/transports.py", line 700, in send_http
    headers=self.headers)
  File "/usr/lib64/python2.6/httplib.py", line 914, in request
    self._send_request(method, url, body, headers)
  File "/usr/lib64/python2.6/httplib.py", line 951, in _send_request
    self.endheaders()
  File "/usr/lib64/python2.6/httplib.py", line 908, in endheaders
    self._send_output()
  File "/usr/lib64/python2.6/httplib.py", line 780, in _send_output
    self.send(msg)
  File "/usr/lib64/python2.6/httplib.py", line 759, in send
    self.sock.sendall(str)
  File "/usr/share/mrepo/rhn/SSL.py", line 216, in write
    sent = self._connection.send(data)
OpenSSL.SSL.Error: [('SSL routines', 'SSL3_GET_SERVER_CERTIFICATE', 'certificate verify failed')]
mrepo: Mirroring failed for rhns://internal-satellite-server/rhel-x86_64-server-6 with message:
  Failed with return code: 256
```

dagwieers commented 12 years ago

Find the original RHN server certificate on the mrepo server (/usr/share/rhn/RHNS-CA-CERT), and replace it with the one from the internal-satellite server. I think this is done as part of registering the server (running mrepo) with the internal satellite as well.

I would recommend registering the server running mrepo with the RHN Satellite server it is pulling from. At the moment mrepo cannot pull from more than one RHN (satellite) server because of this, although there is an option sslCACert that you can configure in /etc/sysconfig/rhn/up2date to change the location of the certificate. I guess we could teach rhnget to use a different certificate and make mrepo expose this to rhnget. Maybe this deserves its own feature request (although nobody ever requested this...)

mvanwinkle commented 12 years ago

Thanks for your response; I had gone through different permutations of registering the machine to RHN, to our satellite, etc, but somewhere a key must have gotten clogged or something. I'll try building again.

Another question: if the satellite is registered against an internal satellite (i.e. the satellite the machine is registered to is listed in /etc/sysconfig/rhn/up2date), does the URI rhns:///rhel-x86_64-server-ha-6 still point to rhn.redhat.com?

dagwieers commented 12 years ago

On Tue, 21 Aug 2012, mvanwinkle wrote:

> Thanks for your response; I had gone through different permutations of registering the machine to RHN, to our satellite, etc, but somewhere a key must have gotten clogged or something. I'll try building again.
>
> Another question: if the satellite is registered against an internal satellite (i.e. the satellite the machine is registered to is listed in /etc/sysconfig/rhn/up2date), does the URI rhns:///rhel-x86_64-server-ha-6 still point to rhn.redhat.com?

Yes, an empty server-name means xmlrpc.rhn.redhat.com.

-- dag wieers, dag@wieers.com, http://dag.wieers.com/
-- dagit linux solutions, info@dagit.net, http://dagit.net/

[Any errors in spelling, tact or fact are transmission errors]
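A pre-flight check for the two points made in the replies above (the single CA certificate named by sslCACert, and the empty server-name rule), added here as an example and not part of mrepo or of the original thread. The function names, the sample config contents and the `;`-separated serverURL handling are assumptions; `probe` needs network access to the server being checked.

```python
import socket
import ssl
from urllib.parse import urlsplit

DEFAULT_RHN_HOST = "xmlrpc.rhn.redhat.com"  # empty server-name, per the reply above

# Constructed sample of /etc/sysconfig/rhn/up2date (not taken from the thread).
SAMPLE_UP2DATE = """\
serverURL[comment]=Remote server URL
serverURL=https://internal-satellite-server/XMLRPC
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT
"""

def parse_up2date(text):
    """Return the key=value settings, skipping comments and key[comment] lines."""
    cfg = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and "[" not in key:
            cfg[key.strip()] = value.strip()
    return cfg

def effective_host(rhns_uri):
    """Host that an rhns:// repository URI actually contacts."""
    parts = urlsplit(rhns_uri)
    if parts.scheme != "rhns":
        raise ValueError("not an rhns:// URI: %r" % rhns_uri)
    return parts.hostname or DEFAULT_RHN_HOST

def check_repo(rhns_uri, cfg):
    """Return (host, cafile, mismatch); mismatch means the URI targets a
    server other than the registered one, so the single CA may not cover it."""
    host = effective_host(rhns_uri)
    urls = [u for u in cfg.get("serverURL", "").split(";") if u]
    registered = {urlsplit(u).hostname for u in urls}
    return host, cfg.get("sslCACert"), host not in registered

def probe(host, cafile, port=443, timeout=10):
    """Live handshake trusting only cafile: None if it verifies, else the reason."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message
```

A repository flagged with `mismatch` is the case that ends in `certificate verify failed` when the configured CA file does not contain the issuer of that server's certificate; `probe(host, cafile)` reproduces the verification outside mrepo.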

mvanwinkle commented 12 years ago

I'm successfully mirroring a channel. I need to mess around with it a bit more, but yeah, it would be cool to be able to specify the rhn server and the cert to use. Thanks for your help.

mvanwinkle commented 12 years ago

Actually, the ability to specify what cert to use is even more useful when you want to install mrepo on the same box as your RHN satellite.

Then, this might also be nuts, but, another script (if you installed mrepo on the satellite) could potentially symlink the rpms from /var/satellite.

mvanwinkle commented 12 years ago

Is there a way to pass the fqdn of the satellite RHN server you want to register against?

mvanwinkle commented 12 years ago

Rephrasing: /usr/bin/gensystemid - can I tell it what satellite I want to register against? Or does it just assume I want to create a system ID on the satellite the system is registered to?

stephenjamieson commented 10 years ago

This is old, but I was looking at it recently. gensystemid uses whatever your RHN is configured for, so by default it's Red Hat RHN. If you have registered with your own satellite, it will try and register against that.