2 Pakiti Client SetupInstall one small client rpm on the clients and a configuration file.pakiti-client noarch.rpmedit /etc/pakiti/pakiti-client.conf to point to the web server, select yum/apt/up2date, and insert sys admins name
3 Extract from the README for more details: tmp]# more /usr/share/doc/pakiti-server-1/README.SERVER INTRODUCTIONThe Pakiti Client is a small Perl script, which will check what packages are available to install on the system and report themto the central Pakiti Server.WHAT DOES IT DO?It simply gather packages provided by your vendor and send the list to the server.Pakiti DOES NOT INSTALL ANY UPDATED PACKAGE.HOW AVAILABLE PACKAGES ARE GATHERED?Pakiti can currently use 3 tools to gather information about available packages:- yum- up2date- apt-getOf course, the tool you choose MUST be first properly configured to be able to install updated packages relevant to your distribution.For instance, if you decide to go for yum, it MUST point to a relevant yum repository.
4 HOW ARE THEY REPORTED TO THE SERVER? The Pakiti client send an HTTP message to the server containing the list of available packages.It is recommended to use HTTPS to authenticate the remote server and to send information through a secure channel. To use HTTPS, your Pakiti configuration file MUST contains the full path of the certificate of the CA who issued the Pakiti server's certificate. In this way, the Pakiti client will be able to check the Pakiti server's certificate. Of course, to use HTTPS, your Pakiti server MUST be HTTPS enabled.WHERE CAN I CONFIGURE Pakiti CLIENT?There is only on configuration file to setup the Pakiti client. It is located here:/etc/pakiti/pakiti-client.confIt contains the following information:# Configuration file for Pakiti.# URL of your local Pakiti server. HTTPS is strongly recommended!server_url = https://pakiti.cern.ch/feed/# CA Path for HTTPS connection to your local Pakiti server.# This is mandatory for HTTPS.ca_certificate = /etc/grid-security/certificates/# Curl binary, with the options you likecurl_path = /usr/bin/curl -s# Delay (minutes)delay = 0# Package handling tool: 'up2date' or 'yum' or 'apt-get'method = apt-get# section: the contact for the system.# Put something small that can identify your site.admin = My_Organization Production# Log file location.log = /var/log/pakiti/pakiti.log
5 Pakiti Server Setup Need to install it on a web server Install the server rpmConfigure MySQLConfigure httpd
6 HOW CAN I CONFIGURE A PAKITI SERVER? On a RHEL/SL system, the following steps should be sufficient:1. Install Apache, PHP, mysql-server, mod_ssl, php-mysql and pakiti-client# apt-get install httpd php mysql-server php-mysql mod_ssl pakiti-clientIf some other dependency are needed, the packages should be available through your vendor.For more information about installing the client, please see the previous section.2. Install Pakiti-serverDownload the latest RPM and run:# rpm -i pakiti-server-*.rpm3. Configure the MySQL serverConfigure MySQL to start at boot# chkconfig --level 235 mysqld onStart the mysqld service# /etc/init.d/mysqld startChange the MySQL root password# /usr/bin/mysql mysql~ update mysql.user set Password=PASSWORD('strong_root_password') where User='root' and Host='localhost';~ flush privileges;~ quit;Create the pakiti database# mysqladmin -u root -p create pakitiFill the tables# /usr/bin/mysql -u root -p pakiti < /usr/share/doc/pakiti-server-*/pakiti.sqlCreate a Pakiti user# /usr/bin/mysql -u root -p mysql~ GRANT SELECT,INSERT,UPDATE,DELETE ON pakiti.* TO IDENTIFIED BY 'mysql_password';Of course, 'mysql_user'and 'mysql_password' are up to you.
7 4. Configure ApacheIt is *strongly* recommended to use HTTPS and client authentication.One way of doing this is to create a /etc/httpd/conf.d/pakiti.conf containing:<VirtualHost :443>SSLEngine onSSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXPSSLCertificateKeyFile <YOUR_HOST_KEY_PATH>SSLCertificateFile <YOUR_HOST_CERTIFICATE_PATH>SSLCACertificatePath /etc/grid-security/certificatesDocumentRoot /var/lib/pakiti/www/ErrorLog logs/pakiti-errorCustomLog logs/pakiti-access commonAlias /feed "/var/lib/pakiti/feed"<Directory "/var/lib/pakiti/feed">SSLRequireSSLOptions -AllAllowOverride NoneDirectoryIndex index.php</Directory><Directory "/var/lib/pakiti/www/">SSLVerifyClient requireSSLVerifyDepthSSLCACertificatePath /etc/grid-security/certificates/SSLOptions FakeBasicAuthAuthName "Pakiti: YOUR CERTIFICATE MUST BE REGISTERED"AuthType Basicrequire valid-userAuthUserFile /var/lib/pakiti/users</VirtualHost>
8 Then people can be authenticated by putting their DN in /var/lib/pakiti/users such as: /C=CH/O=CERN/OU=GRID/CN=Romain Wartel 7120:xxj31ZMTZzkVANote that FakeBasicAuth must have ":xxj31ZMTZzkVA" as a suffix of every DN.The format is the following:<DN of user 1>:xxj31ZMTZzkVA<DN of user 2>:xxj31ZMTZzkVA<DN of user 3>:xxj31ZMTZzkVA...For more details refer to Apache's FakeBasicAuth documentation.
9 5. Configure the Pakiti Server The configuration of the Pakiti server can be changed in /etc/pakiti/pakiti-server.conf# Configuration file for the Pakiti webinterface.# Set the parameters for connecting to# the Pakiti database.[mysql]hostname = localhostdbname = pakitiusername = mysql_userpassword = mysql_password[webinterface]# URL of your local Pakiti serverurl = https://pakiti.cern.chtitle = My_Organization# Reference URL to download the list of security RPMs.# This setting should normally *not* be changed.[security_module]security_rpms =[reporting]# This section contains details about statistics and full reports# that can be exported from this local Pakiti server to central Pakiti servers.# URLs of trusted *central* Pakiti servers, separated by ';'# that would receive statistics from this local Pakiti server#send_stats_to =# that would receive detailed reports from this local Pakiti server#send_detailed_report_to =# CA Path for HTTPS reporting to the central servers. This is mandatory for HTTPSca_certificate = /etc/grid-security/certificates/# Curl binary to connect to the central Pakiti servers, with the options you likecurl_path = /usr/bin/curl -s
10 Known BugsRHEL 2.1 is using curl 7.8.1, which does not support SSL. This version of curl has also limited buffers. As a result, if the system tries to report a large number of packages to be installed (>50), the reporting process might be broken.There are two workarounds:1. Apply a few patches to reduce the number of outstanding updates. your system should not have a large number of fixes to apply!2. Update the curl package to curl The installation might not be nice, you might need to install it with "--no-deps" andyou might need to create the following synlink:ln -s /usr/lib/libcurl.so.2 /usr/lib/libcurl.so.1Note that curl handles SSL.ContactPlease contact Romain Wartel for any information.