Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]

5 Registering Clients

5.1 Introduction

For SUSE Manager 3 and later, you can choose to use either traditional or Salt client management framework, or a mixture of both, depending on your environment and requirements.


Is an end-to-end data-center automation tool which may also be used outside the scope of SUSE Manager to introduce reactive, real-time orchestration, and configuration management.

5.2 Creating Activation Keys

Activation keys are used with both traditional and Salt clients to ensure that your clients have the correct software entitlements, are connecting to the appropriate channels, and are subscribed to the relevant groups. Each activation key is bound to an organization, which you can set when you create the key.

This section contains information on how to create activation keys for both traditional and Salt clients, and provides some best practices for working with activation keys.

Procedure: Creating Activation Keys
  1. As the administrator login to the SUSE Manager Web UI.

  2. Navigate to Systems › Activation Keys.

  3. To open the Activation Key Details page click the Create Key button in the upper right corner.

    systems create activation key
  4. On the Activation Key Details page in the Description field, enter a name for the activation key.

  5. In the Key field, enter the distribution and service pack associated with the key. For example, SLES12-SP4 for SUSE Linux Enterprise Server 12 SP4.

    Warning: Allowed Characters

    Do not use commas in the Key field for any SUSE products. However, you must use commas for Red Hat Products. For more information, see Book “Reference Manual”, Chapter 7 “Systems”, Section 7.9 “Systems > Activation Keys”.

  6. In the Base Channels drop-down box, select the SUSE Linux Enterprise channel that you added during First Channel Sync.

  7. When the base channel is selected the list of available child channels will get fetched and displayed in real time below the base channel. Select the child channels you need (for example, the SUSE Manager tools and the updates channels that are actually mandatory).

    systems create activation key childchannels
  8. We recommend you leave the Contact Method set to Default.

  9. We recommend you leave the Universal Default setting unchecked.

  10. Click Update Activation Key to create the activation key.

  11. Check the Configuration File Deployment check box to enable configuration management for this key, and click Update Activation Key to save this change.

When you create activation keys, keep these best practices in mind:

  • Avoid using the SUSE Manager Default parent channel. This setting forces SUSE Manager to choose a parent channel that best corresponds to the installed operating system, which can sometimes lead to unexpected behavior. Instead, we recommend you create activation keys specific to each distribution and architecture.

  • If you are using bootstrap scripts, consider creating an activation key for each script. This will help you align channel assignments, package installation, system group memberships, and configuration channel assignments. You will also need less manual interaction with your system after registration.

  • If you do not enter a human-readable name for your activation keys, the system will automatically generate a number string, which can make it difficult to manage your keys. Consider a naming scheme for your activation keys to help you keep track of them.

  • Note that the Configuration File Deployment check box does not appear until after you have created the activation key. Ensure you go back and check the box if you need to enable configuration management.

5.3 Creating the SUSE Manager Tools Repository

In this section you will create a tools repository on the SUSE Manager Server for providing client tools. The client tools repository contains packages for installing Salt on minions as well as required packages for registering traditional clients during the bootstrapping procedure. These packages will be installed from the newly generated repository during the registration process. In the following procedure you will create the SUSE Linux Enterprise tools repository.

Important: Creating a Tools Repository when an SCC Channel has not been Synced

Before following the procedure to create the tools repository make sure the SUSE vendor channel you will be using with your client has been completely synced. You can check this by running tail -f /var/log/rhn/reposync/<CHANNEL_NAME>.log as root. In the following example replace version with the actual version string:

# tail -f /var/log/rhn/reposync/sles`version`-pool-x86_64.log

Once completed you should see the following output in your terminal:

2017/12/12 15:20:32 +02:00 Importing packages started.
2017/12/12 15:22:02 +02:00 1.07 %
2017/12/12 15:34:25 +02:00 86.01 %
2017/12/12 15:35:49 +02:00 Importing packages finished.
2017/12/12 15:35:49 +02:00 Linking packages to channel.
2017/12/12 15:35:59 +02:00 Sync completed.
Procedure: Generating the Tools Repository for SUSE Linux Enterprise
  1. Open a terminal on the server as root and enter the following command to list available bootstrap repositories:

    mgr-create-bootstrap-repo -l SLE-`version`-x86_64
  2. Then invoke the same command using the listed repository as the product label to actually create the bootstrap repository:

    mgr-create-bootstrap-repo -c SLE-`version`-x86_64
  3. SUSE Manager will create and add the client tools to the newly created repositories directory located at /srv/www/htdocs/pub/repositories/.

This repository is suitable for both Server and Desktop of SUSE Linux Enterprise.

Note: Support for SUSE Linux Enterprise 15 Products

If you have mirrored more than one SUSE Linux Enterprise 15 Product (for example, SLES, {slda}, and SLES for SAP Application), you can specify the one you are actually interested in. First check what is avaiable:

mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-custom-channel
Multiple options for parent channel found. Please use option
--with-parent-channel <label> and choose one of:
- sle-product-sles15-pool-x86_64
- sle-product-sles_sap15-pool-x86_64
- sle-product-sled15-pool-x86_64

Then specify it with --with-parent-channel:

mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-parent-channel sle-product-sled15-pool-x86_64

5.4 Registering Traditional Clients

5.4.1 Generating a Bootstrap Script

This section goes over generating a template bootstrap script which will be copied and modified for use with traditional clients. Traditional clients register with SUSE Manager via a bootstrap script executed on the client which deploys all necessary packages to it. The bootstrap script contains parameters which assigns a client system to its base channel. Two of these important parameters are:

  • Activation Keys

  • GNU Privacy Guard (GPG) Keys

Note: SLES 15 and Python 3

SLES 15 utilizes Python 3 by default. Because of this change any older bootstrap scripts (based on python 2) must be re-created for SLES 15 systems. Attempting to register SLES 15 systems with SUSE Manager using Python 2 versions of the bootstrap script will fail.

The following procedure will guide you through generating a bootstrap script.

Procedure: Creating a Bootstrap Script
  1. From the SUSE Manager Web UI, browse to Main Menu › Admin › Manager Configuration › Bootstrap Script. For more information, see Book “Reference Manual”, Chapter 17 “Admin”, Section 17.4 “Main Menu › Admin › Manager Configuration”, Section 17.4.2 “Manager Configuration › Bootstrap Script.

  2. In the SUSE Manager Configuration - Bootstrap dialog disable Bootstrap using Salt. Use default settings and click the Update button.

    mgr configuration bootstrap trad
    Warning: Using SSL

    Unchecking Enable SSL in the Web UI or setting USING_SSL=0 in the bootstrap script is not recommended. If you disable SSL nevertheless you will need to manage custom CA certificates to be able to run the registration process successfully.

  3. A template bootstrap script is generated and stored on the server’s file system in the /srv/www/htdocs/pub/bootstrap directory.

    cd /srv/www/htdocs/pub/bootstrap

    The bootstrap script is also available at https://example.com/pub/bootstrap/bootstrap.sh .

Section 5.4.2, “Editing the Bootstrap Script” will cover copying and modifying your bootstrap template for use with each client.

5.4.2 Editing the Bootstrap Script

In this section you will copy and modify the template bootstrap script you created from Section 5.4.1, “Generating a Bootstrap Script”.

A minimal requirement when modifying a bootstrap script for use with SUSE Manager is the inclusion of an activation key. Depending on your organizations security requirements it is strongly recommended to include one or more (GPG) keys (for example, your organization key, and package signing keys). For this tutorial you will be registering with the activation keys created in the previous section.

Procedure: Modifying the Bootstrap Script
  1. Login as root from the command line on your SUSE Manager server.

  2. Navigate to the bootstrap directory with:

    cd /srv/www/htdocs/pub/bootstrap/
  3. Create and rename two copies of the template bootstrap script for use with each of your clients.

    cp bootstrap.sh bootstrap-sles11.sh
    cp bootstrap.sh bootstrap-sles12.sh
  4. Open sles12.sh for modification. Scroll down and modify both lines marked in green. You must comment out exit 1 with a hash mark (#) to activate the script and then enter the name of the key for this script in the ACTIVATION_KEYS= field as follows:

    echo "Enable this script: comment (with #'s) this block (or, at least just"
    echo "the exit below)"
    #exit 1
    # can be edited, but probably correct (unless created during initial install):
    # NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine.
  5. Once you have completed your modifications save the file and repeat this procedure for the second bootstrap script. Proceed to Section 5.4.3, “Connecting Clients”.

Note: Finding Your Keys

To find key names you have created: In the Web UI, click Home › Overview › Manage Activation keys › Key Field. All keys created for channels are listed on this page. You must enter the full name of the key you wish to use in the bootstrap script exactly as presented in the key field.

5.4.3 Connecting Clients

This section covers connecting your clients to SUSE Manager with the modified bootstrap script.

Procedure: Running the Bootstrap Script
  1. From your SUSE Manager Server command line as root navigate to the following directory:

    cd /srv/www/htdocs/pub/bootstrap/
  2. Run the following command to execute the bootstrap script on the client:

    cat MODIFIED-SCRIPT.SH | ssh root@example.com /bin/bash
  3. The script will execute and proceed to download the required dependencies located in the repositories directory you created earlier. Once the script has finished running, log in to the Web UI and click Systems › Overview to see the new client listed.

This concludes the bootstrap section of this guide. Section 5.5, “Registering Salt Clients” will go over registering Salt minions for use with SUSE Manager.

5.4.4 Package Locks

Package locks are used to prevent unauthorized installation or upgrades to software packages on traditional clients. When a package has been locked, it will display to users with a padlock icon, indicating that it can not be installed. Any attempt to install a locked package will be reported as an error in the event log.

Locked packages can not be installed, upgraded, or removed, either through the SUSE Manager Web UI, or directly on the client machine using a package manager. Locked packages will also indirectly lock any dependent packages.


Package locks can only be used on traditional clients that use the Zypper package manager. The feature is not currently supported on Red Hat Enterprise Linux or Salt clients.

Procedure: Using Package Locks
  1. On the client machine, install the zypp-plugin-spacewalk package:

    # zypper in zypp-plugin-spacewalk
  2. Navigate to the Software › Packages › Lock tab on the managed system to see a list of all available packages.

  3. Select the packages to lock, and click Request Lock. You can also choose to enter a date and time for the lock to activate. Note that even if you do not select a date and time, the lock might not activate immediately.

  4. To remove a package lock, select the packages to unlock and click Request Unlock. You can also choose to enter a date and time for the lock to deactivate. Note that even if you do not select a date and time, the lock might not deactivate immediately.

5.5 Registering Salt Clients

There are currently three methods for registering Salt minions. This section describes the first method and uses a bootstrap repository. The second method uses the bootstrap script, and is mostly similar to the procedure described in Section 5.4, “Registering Traditional Clients”-the difference is enabling Bootstrap using Salt and the activation key option Configuration File Deployment that applies highstate automatically. The third method uses the Web UI, and is described in Book “Reference Manual”, Chapter 7 “Systems”, Section 7.6 “Bootstrapping (Salt)”.

You can also use these methods to change existing traditional clients into Salt minions.

The rest of this section assumes you have created a SUSE Manager tools repository. You can review creating a tools repository in Section 5.3, “Creating the SUSE Manager Tools Repository”.

When you have fully synchronized a base channel from the Web UI for clients to obtain software packages from (for example: SLES12-SP4-Pool_for_x86_64) perform the following procedure to register a Salt minion.

Procedure: Registering Salt Minions
  1. On your minion as root enter the following command:

    zypper ar http://FQDN.server.example.com/pub/repositories/sle/12/4/bootstrap/ \

    Do not use HTTPS. Use HTTP instead to avoid errors.

  2. After adding the repository containing the necessary Salt packages execute:

    zypper in salt-minion
  3. Modify the minion configuration file to point to the fully qualified domain name (FQDN) of the SUSE Manager server (master):

    vi /etc/salt/minion

    Find and change the line:

    master: salt


    master: FQDN.server.example.com
  4. Restart the Salt minion with:

    systemctl restart salt-minion

Your newly registered minion should now show up within the Web UI under Salt › Keys. Accept the pending key to begin management.

5.6 Troubleshooting Salt Clients

5.6.1 Mounting /tmp with noexec

Salt runs remote commands from /tmp of the client’s filesystem. Therefore you must not mount /tmp with the noexec option.

5.6.2 Cloned Salt Clients

If you have used your hypervisor clone utility, and attempted to register the cloned Salt client, you might get this error:

We're sorry, but the system could not be found.

This is caused by the new, cloned, system having the same machine ID as an existing, registered, system. You can adjust this manually to correct the error and register the cloned system successfully.

Print this page