[katello-devel] Bootstrap RPM and QPID SSL hit upstream

Lukas Zapletal lzap at redhat.com
Mon Feb 27 15:08:30 UTC 2012


Found one issue in the bootstrap - once it configures rhsm it does not
restart goferd so agent won't connect using the new cert.

I assume we should do this automatically (if it is running). So I will
add this to the post script and fix this.

Martin also encountered one Puppet race condition and is also solving it.
Please expect two commits with those BZ numbers later today.

LZ

On Mon, Feb 27, 2012 at 02:20:49PM +0100, Lukas Zapletal wrote:
> Hello,
> 
> Martin and I were working on two bugs:
> 
> Bug 790835 - Create a RPM package with consumer certificate and rhsm
> conf for bootstrapping
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=790835
> 
> 761314 - Make sure katello-agent communicates with ssl
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=761314
> 
> Let me start with the latter. The change is "behind the scenes" and does
> not require any attention. Katello Agent must now be configured in SSL
> mode as well as Pulp server. We do it by default, please note when
> upgrading you will probably need to check for .rpmnew files as some
> files are "noreplace". Clean install is recommended if you hit any
> issues with Katello Agent or QPID.
> 
> The former bug changes how we configure rhsm client. Now we build an RPM
> package that contains: a) certificate, b) post-install script that
> configures rhsm (and agent).
> 
> I have changed the wiki page:
> 
> https://fedorahosted.org/katello/wiki/GuideSystemRegistrationClient
> 
> There is still the manual installation process if you want to go for it.
> But using our RPM bootstrap is as simple as:
> 
> # yum -y install \
> http://$KATELLO_HOSTNAME/pub/candlepin-cert-consumer-$KATELLO_HOSTNAME-1.0-1.noarch.rpm
> 
> More info about the bootstrap script is here:
> 
> https://fedorahosted.org/katello/wiki/ConsumerBootstrap
> 
> We had to change the way we generate our certificates:
> 
> 1) We dropped generation of the main KATELLO certificate.
> 2) We generate candlepin CA, it signs: qpid cert for server, qpid pulp
> client. It is also used for the Katello HTTP communication (rhsm ->
> katello) and it is used for generating rhsm consumer certificates which
> is used for rhsm -> katello communication and also agent -> qpid -> pulp
> communication.
> 3) Pulp repo CA is a copy of candlepin CA cert.
> 
> In future we want to improve things by generating KATELLO CA which would
> sign Candlepin CA. Currently there are some issues when Candlepin CA is
> not self-signed.
> 
> -- 
> Later,
> 
>  Lukas Zapletal | E32E400A
>  RHN Satellite Engineering
>  Red Hat Czech s.r.o. Brno
> 
> _______________________________________________
> katello-devel mailing list
> katello-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/katello-devel

-- 
Later,

 Lukas Zapletal | E32E400A
 RHN Satellite Engineering
 Red Hat Czech s.r.o. Brno
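
Added example, not part of the original e-mail or of Katello's code: a shell sketch of the certificate layout described in the quoted message, where one Candlepin CA signs both the qpid server certificate and the rhsm consumer certificate, and a certificate from any other CA fails verification. All names (`candlepin-ca`, `qpid-server`, `consumer`, `other-ca`, `foreign-client`) are throwaway certificates constructed in a temporary directory; it assumes the `openssl` command is installed.

```shell
#!/bin/sh
# Constructed sample certificates only; none of these are Katello's real files.

# make_ca DIR NAME: write a self-signed CA as DIR/NAME.key and DIR/NAME.crt
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# make_leaf DIR CA NAME: write DIR/NAME.crt, signed by the CA named CA
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.crt" 2>/dev/null
}

# chains_to CA_CERT LEAF_CERT: exit 0 only if LEAF_CERT verifies against CA_CERT
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Build the layout and report which certificates the Candlepin CA accepts.
check_layout() {
    d=$(mktemp -d) || return 2
    make_ca "$d" candlepin-ca && make_ca "$d" other-ca &&
    make_leaf "$d" candlepin-ca qpid-server &&
    make_leaf "$d" candlepin-ca consumer &&
    make_leaf "$d" other-ca foreign-client || { rm -rf "$d"; return 2; }
    out=""
    for c in qpid-server consumer foreign-client; do
        if chains_to "$d/candlepin-ca.crt" "$d/$c.crt"; then
            out="$out $c=ok"
        else
            out="$out $c=FAIL"
        fi
    done
    rm -rf "$d"
    echo "${out# }"
}

check_layout
```

On a real client the same `chains_to` check can be pointed at the CA certificate and consumer certificate that the bootstrap RPM and rhsm install, whose paths are not given in this message.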



