[Spacewalk-list] Hardware Vendor Repos

Snyder, Chris Chris_Snyder at sra.com
Wed Dec 12 15:39:02 UTC 2012


Clients can NOT auto-import keys (there’s an exception here for Red Hat keys, though, but I’m not going to cover that right now).

A human must either execute ‘rpm --import <key file or url>’, or import the key via yum the next time you install a package from the new channel/repo. There’s no other way around it.

The only way I’ve found to use the GPG key data in the Channel configuration is to define the location as local to the client system (i.e. file:////etc/pki/rpm-gpg/key_file_name...), and the first time you are on the host and run ‘yum install <some package from channel>’, RHN passes the GPG info to the host and then yum knows where to get the key from. However, it won’t auto-import the key (this is a security/safety thing); you should be prompted to import the key, or you could have it auto-imported if you ran yum with ‘-y’ (either way, a human still has to initiate the process).


From: spacewalk-list-bounces at redhat.com On Behalf Of Frank Mikkelsen Blohmé
Sent: Wednesday, December 12, 2012 9:44 AM
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Hardware Vendor Repos

To my knowledge, the GPG key configured for a software channel doesn’t get imported by the clients. However I haven’t tested this thoroughly.
I download and place the GPG keys locally on the Spacewalk server, available over HTTP, distributed and imported by each client when they are kickstarted.

Does anyone know if the clients can auto-import GPG keys based on the software channel configuration? If not, what are the configurable GPG software channel options good for?

Best regards

Frank Mikkelsen Blohmé
Axis Communications AB – IT Group
Sweden, Lund

From: spacewalk-list-bounces at redhat.com On Behalf Of Ciro Iriarte
Sent: 12 December 2012 14:18
To: spacewalk-list at redhat.com
Subject: Re: [Spacewalk-list] Hardware Vendor Repos

2012/12/12 Ciro Iriarte <cyruspy at gmail.com>
2012/12/12 Frank Mikkelsen Blohmé <frank.mikkelsen.blohme at axis.com>

In Spacewalk you can only tie one RPM GPG key to a software channel, so syncing in RPM packages from various sources signed with different RPM GPG keys isn’t recommended. This can be circumvented by re-signing all RPM packages with your own RPM GPG key before syncing them to Spacewalk. But then you will have to download the RPM packages somewhere before re-signing them.

This is why a 1:1 relationship is most convenient, one repo (one RPM GPG key) to one Spacewalk software channel.

It’s easy to subscribe a host to a new channel in the GUI, can also be done on command line.



So if you have to add a new repo with RPM packages in the future:

1. Create a new software channel in Spacewalk, a child channel to the base channel to which the host is subscribed.

2. Configure the software channel using the repo’s RPM GPG key

3. Sync the RPMs in the repo into the software channel.

4. Subscribe the host to the new software channel

5. Install the RPMs on the host



I hope this helps you.



Best regards



Frank Mikkelsen Blohmé

Axis Communications AB – IT Group

Sweden, Lund





Hi! Isn't it easier to subscribe a server to one channel and add the needed repositories in the future? That way you don't have to touch that node in the future (hmm, maybe RHEL nodes would need GPG keys for packages from a new repository :s)



I'm trying to understand the channel/repo relationship to cover the most common use cases...



Regards,




--
Ciro Iriarte
http://cyruspy.wordpress.com
--

_______________________________________________
Spacewalk-list mailing list
Spacewalk-list at redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-list

Well, I was happy to split the repositories in different channels to solve the GPG key issue, but the management page gives me "invalid URL", apparently only local files are used, which defeats the purpose of adding the GPG URL for me...

Ref:
https://www.redhat.com/archives/spacewalk-list/2012-January/msg00202.html


Regards,

--
Ciro Iriarte
http://cyruspy.wordpress.com
--

Well, the form didn't like FTP URLs (my bad?), but accepted an HTTP one. The clients won't import the key either way according to the mentioned thread, correct?

Regards,

--
Ciro Iriarte
http://cyruspy.wordpress.com
--
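
Added example, not part of any message in this thread: a client-side script (for instance run from a kickstart %post) that performs the manual `rpm --import` step discussed above, but only after the key file's fingerprint matches one pinned by the administrator. The script name, key path and fingerprint arguments are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): import a repo signing key into the RPM
# keyring only if its fingerprint equals one pinned by the administrator.
# Usage: import-key.sh <key file> <pinned fingerprint>   (both caller-supplied)

# Strip spaces/colons and upper-case, so pasted fingerprints compare equal.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# rpm stores an imported key as package gpg-pubkey-<last 8 hex digits, lower-case>.
pubkey_pkg_name() {
    printf 'gpg-pubkey-%s\n' "$(norm_fpr "$1" | tail -c 8 | tr 'A-F' 'a-f')"
}

# $1 = pinned fingerprint, $2 = fingerprint read from the key file.
# An empty $2 (unparsable file) never matches.
fpr_matches() {
    [ -n "$2" ] && [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

import_verified_key() {
    # Listing the keys in a file does not add them to any keyring.
    found=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_from_colons)
    if ! fpr_matches "$2" "$found"; then
        echo "refusing to import $1: fingerprint '$found' is not the pinned one" >&2
        return 1
    fi
    pkg=$(pubkey_pkg_name "$found")
    if rpm -q "$pkg" >/dev/null 2>&1; then
        echo "$pkg is already in the RPM keyring"
        return 0
    fi
    rpm --import "$1" && rpm -q "$pkg"
}

# Run only when invoked with both arguments, so the functions can be sourced.
if [ "$#" -eq 2 ]; then
    import_verified_key "$1" "$2"
fi
```

The pinned fingerprint should come from a source other than the server that hosts the key file, otherwise the comparison proves nothing.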