[Spacewalk-list] Spacewalk/RPM Key Management: [Was: spacewalk 1.3 - python-ethtool package being a problem within kickstart.]

Matthew Darcy MDarcy at sch-group.net
Fri May 20 06:12:52 UTC 2011


>The really irritating part of this is that once you've done a kickstart
>(which if you look at the raw kickstart file you can see importing the
>keys by pulling down files and rpm --import'ing them) you're on your own
>if you ever want to add other RPMs signed by other keys - Spacewalk has
>no way of managing what keys are installed on clients or adding/removing
>them after a kickstart is complete.

>I assume this is partly down to the poor (imho) way RPM manages keys,
>and the fact that the yum-rhn-plugin won't allow you to install a
>package unless it's signed and RPM has the key imported, so you can't
>easily have a custom keys rpm that gets updated and deployed for you
>when you add new keys.

>Personally I deal with this by not only loading the keys into Spacewalk
>so they get deployed with the kickstart, but adding them to
>/var/www/html/pub/ so I can rpm --import them directly from the server
>(although rpm uses wget which doesn't trust the Spacewalk CA cert so you
>have to use http:// !)

>Musing on this, I wonder if the answer is to get Spacewalk maintain an
>rpm within which all of your keys are stored. Of course you still have
>the problem of what keys to use to sign that rpm, and how to manage those...

>Mark.


Mark,

this is a really good topic and I can see exactly what you're saying from your detailed explanation.

The best way, I think, to manage this is to have a small child channel called key-repo that is included in every kickstart build, so it's subscribed to with every build, and then simply have a $version-key-set.noarch.rpm which matches your distro (RHEL/CentOS 5/6 etc.). When you want to add a new repo to existing servers you deploy that rpm with whatever keys you want onto the systems (as it's already a subscribed channel) and then use the Spacewalk remote commands function to subscribe the target systems to the new repo/channel.

Quite scrappy but also a simple process.

Matt
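One way to realise the key-repo scheme Matt describes, as an added example that is not part of this thread and not Spacewalk's own tooling: a POSIX shell script that generates the spec for a noarch "$distro-key-set" rpm, installs each ASCII-armored public key under /etc/pki/rpm-gpg, and imports them into the rpm keyring from %post, so that shipping a new release of the rpm through the key-repo child channel is how new keys reach already-kickstarted clients. The package name, the key directory, the ~/rpmbuild tree, the channel label key-repo and the rhnpush/rhn-channel invocations in the comments are all assumptions; the rpm must itself be signed with a key the kickstart already imported, which is exactly the chicken-and-egg problem Mark raises.

```shell
#!/bin/sh
# Added example, not code from the thread or from Spacewalk itself.
# Builds the "$distro-key-set" noarch rpm that a key-repo child channel
# would carry: it ships armored GPG public keys under /etc/pki/rpm-gpg and
# imports them into the rpm keyring in %post, so upgrading the rpm is how
# new repository keys reach existing clients.
# Assumptions (all hypothetical): the key directory, the ~/rpmbuild tree,
# the channel label "key-repo", and that the rpm is signed with a key the
# kickstart already imported (otherwise yum-rhn-plugin refuses it).

KEYDIR=/etc/pki/rpm-gpg

# make_keyset_spec NAME VERSION KEYFILE...   prints the spec file on stdout.
# Each KEYFILE is the file name of an armored public key placed in SOURCES.
make_keyset_spec() {
    name=$1; version=$2; shift 2
    printf 'Name:           %s\n' "$name"
    printf 'Version:        %s\n' "$version"
    printf 'Release:        1\n'
    printf 'Summary:        GPG public keys for repositories served by Spacewalk\n'
    printf 'License:        Public Domain\n'
    printf 'BuildArch:      noarch\n'
    # BuildRoot is still needed for the RHEL/CentOS 5 era rpmbuild.
    printf 'BuildRoot:      %%{_tmppath}/%%{name}-%%{version}-root\n'
    i=0
    for k; do
        printf 'Source%d:        %s\n' "$i" "$k"
        i=$((i + 1))
    done
    printf '\n%%description\n'
    printf 'GPG public keys used to verify packages from the channels this host subscribes to.\n'
    printf '\n%%install\n'
    printf 'mkdir -p %%{buildroot}%s\n' "$KEYDIR"
    i=0
    for k; do
        printf 'install -m 0644 %%{SOURCE%d} %%{buildroot}%s/%s\n' "$i" "$KEYDIR" "$k"
        i=$((i + 1))
    done
    # %post runs on install and on upgrade, so a new key-set release imports
    # any keys added since the last one; importing a key that is already in
    # the keyring succeeds silently.
    printf '\n%%post\n'
    for k; do
        printf 'rpm --import %s/%s\n' "$KEYDIR" "$k"
    done
    printf '\n%%files\n'
    for k; do
        printf '%s/%s\n' "$KEYDIR" "$k"
    done
}

# build_keyset_rpm NAME VERSION SRCDIR KEYFILE...   builds and signs the rpm.
# Needs rpmbuild, and %_gpg_name in ~/.rpmmacros for rpm --addsign (which
# prompts for the signing key's passphrase).
build_keyset_rpm() {
    name=$1; version=$2; srcdir=$3; shift 3
    top=${HOME}/rpmbuild
    mkdir -p "$top/SPECS" "$top/SOURCES"
    for k; do cp "$srcdir/$k" "$top/SOURCES/$k"; done
    make_keyset_spec "$name" "$version" "$@" > "$top/SPECS/$name.spec"
    rpmbuild -bb "$top/SPECS/$name.spec"
    rpm --addsign "$top/RPMS/noarch/$name-$version-1.noarch.rpm"
    # Next steps, run by hand (assumed invocations, check your versions):
    #   rhnpush --server=http://SERVER/APP --channel=key-repo <the rpm>
    # then, once clients have the new key-set, a Spacewalk remote command
    # on the target systems such as
    #   rhn-channel --add --channel=<new-channel-label> --user=... --password=...
}

case "${1:-}" in
    spec)  shift; make_keyset_spec "$@" ;;
    build) shift; build_keyset_rpm "$@" ;;
esac
```

Run it as `sh keyset.sh spec centos5-key-set 1 RPM-GPG-KEY-CentOS-5 RPM-GPG-KEY-EPEL` to inspect the generated spec, or with `build` and a source directory to produce the signed rpm. Bump Version on every key change so the client's yum actually pulls a new package; and when the key that signs the key-set rpm itself is rotated, ship the new signing key in a release that is still signed by the old one before switching over, or clients will reject the update.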




