Commit c5ec61dd authored by Daniel Juarez, committed by Alex Iribarren

Update README.md instructions

parent 993e025e
...@@ -6,61 +6,71 @@ This last part is probably not needed. ...@@ -6,61 +6,71 @@ This last part is probably not needed.
If you're adding a redhat repo, you probably also need the SSL client certificate. If you're adding a redhat repo, you probably also need the SSL client certificate.
1. Download the certificates, if necessary (see below) 1. Download the certificates, if necessary (see below)
1. Add the certificate to Teigi: `tbag set --hg lxsoft/adm 8a85f983598e8558015993b62b96699e.pem --file 8a85f983598e8558015993b62b96699e.pem` 1. Add the certificate to Teigi: `tbag set --hg lxsoft/adm 4542809831846091597.pem --file 4542809831846091597.pem`
1. List the new certificate in `manifests/adm.pp` for the lxsoft machines. 1. List the new certificate in `manifests/adm.pp` for the lxsoft machines (`cluster_adm` branch).
1. Make sure your new repo files in [prod.repos.yaml](prod.repos.yaml) list the new certificate. You can use something like this to figure out which certificates belong to with repos: 1. Make sure your new repo files in [prod.repos.yaml](prod.repos.yaml) list the new certificate. You can use something like this to figure out which certificates belong to with repos:
(execute on an ADM node with the certificates) (execute on an ADM node with the certificates)
``` ```bash
for i in `ls /etc/cdn.redhat.com/*.pem`; do printf "$i returned http_code: "; curl -k -E $i https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/ --write-out %{http_code} --silent --output /dev/null; printf "\n"; done for i in `ls /etc/cdn.redhat.com/*.pem`; do printf "$i returned http_code: "; curl -k -E $i https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/ --write-out %{http_code} --silent --output /dev/null; printf "\n"; done
``` ```
## linuxsoft.cern.ch paths
By default all repos will be mirrored under <https://linuxsoft.cern.ch/mirror/>
You can control the path with `prod.repos.yaml` file, by using `pathroot` as in:
```yaml
redhat-8-ev-x86_64.repo:
pathroot: ''
```
This will make mirrors start on <https://linuxsoft.cern.ch/> instead.
PS: Be aware RH repos are blocked unless you belong to certain LANDB sets: <https://linuxops.web.cern.ch/support/redhat/#landb-sets>
# Downloading Redhat certificates # Downloading Redhat certificates
Certs for linuxsoft-mirror system registered on [RHN](https://access.redhat.com/management/systems/b4ec8c2d-3eae-4ae0-b8fa-ec6d8a08ce9f/subscriptions) Certs for linuxsoft-mirror system registered on [RHN](https://access.redhat.com/management/systems/b4ec8c2d-3eae-4ae0-b8fa-ec6d8a08ce9f/subscriptions)
These are the certs used as of 04/12/2020, you can use the following command to determine what certificate maps to which entitlement:
``` ```
8a85f9845993af3f015993b34c3f0210 - 2017-01-01 - 2020-01-01 Red Hat Enterprise Linux Server, Self-support (1-2 sockets) (Up to 1 guest) [root@lxsoftadm28 ~]# for i in /etc/cdn.redhat.com/*pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done
8a85f983598e8558015993b62b96699e - 2017-01-01 - 2020-01-01 Extended Update Support /etc/cdn.redhat.com/195140964651792852.pem: Red Hat Enterprise Linux for Real Time, Premium (Physical Node)
8a85f9875993915c015993b8460b1956 - 2017-01-01 - 2020-01-01 Red Hat Enterprise Linux Developer Suite /etc/cdn.redhat.com/3788516405494545882.pem: Red Hat Enterprise Linux Developer Suite
8a85f983598e8558015993be99386c0f - 2017-01-01 - 2020-01-01 Red Hat JBoss A-MQ, 64-Core Standard /etc/cdn.redhat.com/4542809831846091597.pem: Red Hat Virtualization (2-sockets), Premium
8a85f9825cc471b3015cc47ecc80054c - 2017-06-20 - 2020-01-01 Red Hat Virtualization (2-sockets), Premium
8a85f983598e8558015993c40f836ef2 - 2017-01-01 - 2020-01-01 Red Hat Enterprise MRG Realtime, Standard (1-2 sockets)
8a85f9875b339bfe015b33aaa17019fc - 2017-04-03 - 2020-01-01 Red Hat Enterprise Linux Extended Life Cycle Support (Physical or Virtual Nodes)
``` ```
Note: with each new/changed subscription we have to add/remove subscription for linuxsoft-mirror # RedHat repos
on RHN and use freshly regenerated cert .. seems to be necessary also in case of new product
versions which appeared after the orig. cert was generated
removed/replaced certs: Figuring out which RedHat repos to sync is not obvious as paths change between versions (i.e. RHEL7 use different repo URLs than RHEL8).
``` You could always spawn a new RHELX machine and follow these steps:
8a85f98159926149015993c2a4ed781a - 2017-01-01 - 2020-06-20 Red Hat Virtualization (2-sockets), Premium
8a85f983598e8558015993be99386c0f - replaced 2018-02-27 for RH-SSO 7.2
d0ef2de33635419fbf7467a54ba485c9 - replaced 2019-08-16 for Extended Update Support
```
You can use the following command to determine what certificate maps to which entitlement: * Share the RH image with the tenant you want
``` ```
# for i in *pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done eval $(ai-rc 'IT Linux Support - CI VMs')
8a85f9825cc471b3015cc47ecc80054c.pem: Red Hat Virtualization (2-sockets), Premium openstack image list | grep RHEL ## To see all available images
8a85f983598e8558015993be99386c0f.pem: Red Hat AMQ, Standard (64 Cores) # replace with the uuid of destination project
8a85f983598e8558015993c40f836ef2.pem: Red Hat Enterprise MRG Realtime, Standard (1-2 sockets) openstack image add project '$uuid-of-image' '$uuid-of-project'
8a85f9845993af3f015993b34c3f0210.pem: Red Hat Enterprise Linux Server, Self-support (1-2 sockets) (Up to 1 guest)
8a85f9875993915c015993b8460b1956.pem: Red Hat Enterprise Linux Developer Suite
8a85f9875b339bfe015b33aaa17019fc.pem: Red Hat Enterprise Linux Extended Life Cycle Support (Physical or Virtual Nodes)
97a00645e90241a495c87c71cab7258f.pem: Red Hat Virtualization Manager
d0ef2de33635419fbf7467a54ba485c9.pem: Extended Update Support
#
``` ```
## Procedure (Update 2018/04): * Spawn a machine with that image, select your private key when creating it
* Quickly add this machine to `LINUXSOFT RHEL LICENSED GPN` so it has access to RH repos for installation
* ssh as `cloud-user`: `ssh cloud-user@yournode`, then `sudo -i`
* Edit `/root/.ssh/authorized_keys` and remove everything before your ssh key
* Allow access to the rest of the team. Install the latest cern-linuxsupport-access and enable it:
```
$ yum install http://linuxsoft.cern.ch/cern/centos/8/CERN/x86_64/Packages/cern-linuxsupport-access-1.2-1.el8.cern.noarch.rpm
$ cern-linuxsupport-access enable
```
* `subscription-manager register --username yourrhaccount@cern.ch`. It will ask for your RH access password
* `subscription-manager repos --list` will list all the repos and their URLs. You can now add those that you need.
1. Download the zip with all certificates ## Sample RH nodes
1. Rename them to the subject (be careful, the following may need to be adapted as Subject format may change)
```bash * As of 4/12/2020 these nodes are available for our team:
for i in `ls *.pem`; do NAME=`openssl x509 -in $i -text | grep -i "Subject:" | sed 's/.*CN *= *\([a-z0-9]\{32\}\).*/\1/'`; mv $i $NAME.pem; done * `lx-rh7-certs` for RHEL 7
``` * `rhel8-sample` for RHEL 8
3. Proceed with step 2 above, adding the certificates to Teigi.
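Review bot: The added step `yum install http://linuxsoft.cern.ch/cern/centos/8/CERN/x86_64/Packages/cern-linuxsupport-access-1.2-1.el8.cern.noarch.rpm` in the new "RedHat repos" section fetches the package over plain HTTP, as root, on a node where the next command (`cern-linuxsupport-access enable`) opens access to the rest of the team. The other linuxsoft.cern.ch links added in this same change use `https://`, so the URL here should too. The pinned `1.2-1.el8` in the path will also go stale, and the step already says "Install the latest", so consider describing how to find the current package rather than hardcoding one version. Separately, the certificate check loop is touched here only to tag its fence as `bash`, but it still runs `curl -k -E $i`, which presents each Red Hat client certificate without verifying the server; while editing this block, drop `-k` and quote `"$i"`. Finally, the old "Procedure (Update 2018/04)" steps for downloading and renaming the certificates are removed, yet step 1 still reads "Download the certificates, if necessary (see below)"; either keep a short download procedure under "Downloading Redhat certificates" or reword that step.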