
Reposync job

To add new repos, add the repo file to prod.repos.d, the GPG key to gpgkeys and any specific configuration to prod.repos.yaml. This last part is probably not needed.

If you're adding a Red Hat repo, you probably also need the SSL client certificate.

  1. Download the certificates, if necessary (see below)
  2. Add the certificate to Teigi: tbag set --hg lxsoft/adm 4542809831846091597.pem --file 4542809831846091597.pem
  3. List the new certificate in manifests/adm.pp for the lxsoft machines (cluster_adm branch).
  4. Make sure your new repo files in prod.repos.yaml list the new certificate. You can use something like this to figure out which certificates belong to which repos:

(execute on an ADM node with the certificates)

for i in /etc/cdn.redhat.com/*.pem; do
  # -k skips server certificate verification; only the HTTP status code is read here
  printf '%s returned http_code: ' "$i"
  curl -k -E "$i" https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/ --write-out '%{http_code}' --silent --output /dev/null
  printf '\n'
done
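
The same check extended to several repo URLs at once, as an added example that is not part of this repository. It assumes the Red Hat CA file installed by subscription-manager is present at CA_BUNDLE, so the server is verified before the client key is presented; the PROBE hook and the verdict labels are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example: report which entitlement certificate can read which repo URL.
# CA_BUNDLE is an assumption: the Red Hat CA file shipped with subscription-manager.
CA_BUNDLE="${CA_BUNDLE:-/etc/rhsm/ca/redhat-uep.pem}"

# probe_repo CERT URL -> prints the HTTP status code (000 on TLS/connect failure).
# The server is verified against CA_BUNDLE rather than skipped with curl -k.
probe_repo() {
    curl --cacert "$CA_BUNDLE" -E "$1" --silent --output /dev/null \
         --write-out '%{http_code}' "$2"
}

# map_certs DIR URL... -> one line per pair: "<cert> <url> <code> <verdict>"
# PROBE may name a replacement probe function (hypothetical hook for offline runs).
map_certs() {
    dir=$1; shift
    for cert in "$dir"/*.pem; do
        [ -e "$cert" ] || continue            # the glob matched nothing
        for url in "$@"; do
            code=$("${PROBE:-probe_repo}" "$cert" "$url") || true
            case $code in
                200)    verdict=entitled ;;
                ''|000) verdict=unreachable ;; # TLS or network failure, not an answer
                *)      verdict=denied ;;      # any other status: no access with this cert
            esac
            printf '%s %s %s %s\n' "$cert" "$url" "$code" "$verdict"
        done
    done
}

# Usage on an ADM node (URL taken from the one-liner above):
#   map_certs /etc/cdn.redhat.com \
#     https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/
```

An "unreachable" line means the request never got an HTTP answer (for example, the CA file is missing), so it says nothing about the entitlement itself.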

linuxsoft.cern.ch paths

By default all repos will be mirrored under https://linuxsoft.cern.ch/mirror/

You can control the path with prod.repos.yaml file, by using pathroot as in:

redhat-8-ev-x86_64.repo:
  pathroot: ''

This will make mirrors start on https://linuxsoft.cern.ch/ instead.

PS: Be aware RH repos are blocked unless you belong to certain LANDB sets: https://linuxops.web.cern.ch/support/redhat/#landb-sets

Downloading Redhat certificates

Certs for linuxsoft-mirror system registered on RHN

These are the certs used as of 04/12/2020. You can use the following command to determine which certificate maps to which entitlement:

[root@lxsoftadm28 ~]# for i in /etc/cdn.redhat.com/*pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done
/etc/cdn.redhat.com/195140964651792852.pem:    Red Hat Enterprise Linux for Real Time, Premium (Physical Node)
/etc/cdn.redhat.com/3788516405494545882.pem:    Red Hat Enterprise Linux Developer Suite
/etc/cdn.redhat.com/4542809831846091597.pem:    Red Hat Virtualization (2-sockets), Premium

RedHat repos

Figuring out which Red Hat repos to sync is not obvious, as paths change between versions (e.g. RHEL 7 uses different repo URLs than RHEL 8).

You could always spawn a new RHELX machine and follow these steps:

  • Share the RH image with the tenant you want
    eval $(ai-rc 'IT Linux Support - CI VMs')
    openstack image list | grep RHEL  ## To see all available images
    # replace with the uuid of destination project
    openstack image add project '$uuid-of-image' '$uuid-of-project'
  • Spawn a machine with that image, select your private key when creating it
  • Quickly add this machine to LINUXSOFT RHEL LICENSED GPN so it has access to RH repos for installation
  • ssh as cloud-user: ssh cloud-user@yournode, then sudo -i
  • Edit /root/.ssh/authorized_keys and remove everything before your ssh key
  • Allow access to the rest of the team. Install the latest cern-linuxsupport-access and enable it:
    $ yum install http://linuxsoft.cern.ch/cern/centos/8/CERN/x86_64/Packages/cern-linuxsupport-access-1.2-1.el8.cern.noarch.rpm
    $ cern-linuxsupport-access enable
  • subscription-manager register --username yourrhaccount@cern.ch. It will ask for your RH access password
  • subscription-manager repos --list will list all the repos and their URLs. You can now add those that you need.

Sample RH nodes

  • As of 4/12/2020 these nodes are available for our team:
    • lx-rh7-certs for RHEL 7
    • rhel8-sample for RHEL 8