Reposync job
To add new repos, add the repo file to prod.repos.d, the GPG key to gpgkeys and any specific configuration to prod.repos.yaml. This last part is probably not needed.
If you're adding a Red Hat repo, you probably also need the SSL client certificate.
- Download the certificates, if necessary (see below)
- Add the certificate to Teigi:
  tbag set --hg lxsoft/adm 4542809831846091597.pem --file 4542809831846091597.pem
- List the new certificate in manifests/adm.pp for the lxsoft machines (cluster_adm branch).
- Make sure your new repo files in prod.repos.yaml list the new certificate. You can use something like this to figure out which certificates belong to which repos (execute on an ADM node with the certificates):
  for i in /etc/cdn.redhat.com/*.pem; do printf '%s returned http_code: ' "$i"; curl -k -E "$i" https://cdn.redhat.com/content/dist/rhel/server/7/7.5/x86_64/os/repodata/ --write-out '%{http_code}' --silent --output /dev/null; printf '\n'; done
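Added example (not part of the original runbook): the same probe extended to several repo base URLs at once, verifying the CDN's server certificate with a CA bundle instead of using -k. The function names and the default CA bundle path /etc/rhsm/ca/redhat-uep.pem (the Red Hat CA shipped with subscription-manager) are assumptions; override CERT_DIR and CA_BUNDLE as needed.

```sh
#!/bin/sh
# Added example: which entitlement certificate is accepted for which repo URL.
# Assumed, not from the page: the function names and the CA bundle default.
CERT_DIR="${CERT_DIR:-/etc/cdn.redhat.com}"
CA_BUNDLE="${CA_BUNDLE:-/etc/rhsm/ca/redhat-uep.pem}"

# probe_status CERT URL: print the HTTP status code for URL using client
# certificate CERT. curl prints 000 when the TLS handshake or connection fails.
probe_status() {
    curl --cacert "$CA_BUNDLE" -E "$1" --silent --output /dev/null \
         --max-time 20 --write-out '%{http_code}' "$2" || true
}

# cert_repo_matrix BASEURL...: one line per pair, "<cert> <code> <baseurl>".
cert_repo_matrix() {
    found=0
    for cert in "$CERT_DIR"/*.pem; do
        [ -e "$cert" ] || continue          # the glob matched nothing
        found=1
        for url in "$@"; do
            code=$(probe_status "$cert" "${url%/}/repodata/repomd.xml")
            printf '%s %s %s\n' "${cert##*/}" "${code:-000}" "$url"
        done
    done
    if [ "$found" -ne 1 ]; then
        echo "no .pem files in $CERT_DIR" >&2
        return 1
    fi
}

# certs_for_url BASEURL: names of the certificates that got HTTP 200 for it.
certs_for_url() {
    cert_repo_matrix "$1" | awk '$2 == "200" { print $1 }'
}
```

Source the file on the ADM node and pass each repo's baseurl to cert_repo_matrix; a certificate that returns 200 for a baseurl is the one to list for that repo.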
linuxsoft.cern.ch paths
By default all repos will be mirrored under https://linuxsoft.cern.ch/mirror/
You can control the path in the prod.repos.yaml file by using pathroot, as in:
redhat-8-ev-x86_64.repo:
  pathroot: ''
This will make mirrors start on https://linuxsoft.cern.ch/ instead.
PS: Be aware RH repos are blocked unless you belong to certain LANDB sets: https://linuxops.web.cern.ch/support/redhat/#landb-sets
Downloading Red Hat certificates
Certs for linuxsoft-mirror system registered on RHN
These are the certs used as of 04/12/2020. You can use the following command to determine which certificate maps to which entitlement:
[root@lxsoftadm28 ~]# for i in /etc/cdn.redhat.com/*pem; do echo -n "$i: "; subscription-manager import --certificate $i >/dev/null; subscription-manager list --consumed |grep "Subscription Name" | cut -d: -f2; subscription-manager remove --all >/dev/null; done
/etc/cdn.redhat.com/195140964651792852.pem: Red Hat Enterprise Linux for Real Time, Premium (Physical Node)
/etc/cdn.redhat.com/3788516405494545882.pem: Red Hat Enterprise Linux Developer Suite
/etc/cdn.redhat.com/4542809831846091597.pem: Red Hat Virtualization (2-sockets), Premium
Red Hat repos
Figuring out which Red Hat repos to sync is not obvious, as paths change between versions (e.g. RHEL7 uses different repo URLs than RHEL8).
You could always spawn a new RHELX machine and follow these steps:
- Share the RH image with the tenant you want:
  eval $(ai-rc 'IT Linux Support - CI VMs')
  openstack image list | grep RHEL ## To see all available images
  # replace with the uuid of destination project
  openstack image add project '$uuid-of-image' '$uuid-of-project'
- Spawn a machine with that image, select your private key when creating it
- Quickly add this machine to LINUXSOFT RHEL LICENSED GPN so it has access to RH repos for installation
- ssh as cloud-user: ssh cloud-user@yournode, then sudo -i
- Edit /root/.ssh/authorized_keys and remove everything before your ssh key
- Allow access to the rest of the team. Install the latest cern-linuxsupport-access and enable it:
  $ yum install http://linuxsoft.cern.ch/cern/centos/8/CERN/x86_64/Packages/cern-linuxsupport-access-1.2-1.el8.cern.noarch.rpm
  $ cern-linuxsupport-access enable
- subscription-manager register --username yourrhaccount@cern.ch. It will ask for your RH access password
- subscription-manager repos --list will list all the repos and their URLs. You can now add those that you need.
Sample RH nodes
- As of 4/12/2020 these nodes are available for our team:
  - lx-rh7-certs for RHEL 7
  - rhel8-sample for RHEL 8