5 Registering Clients
5.1 Introduction #
For SUSE Manager 3 and later, you can choose to use either traditional or Salt client management framework, or a mixture of both, depending on your environment and requirements.
- Salt
Is an end-to-end data-center automation tool which may also be used outside the scope of SUSE Manager to introduce reactive, real-time orchestration, and configuration management.
5.2 Creating Activation Keys #
Activation keys are used with both traditional and Salt clients to ensure that your clients have the correct software entitlements, are connecting to the appropriate channels, and are subscribed to the relevant groups. Each activation key is bound to an organization, which you can set when you create the key.
This section contains information on how to create activation keys for both traditional and Salt clients, and provides some best practices for working with activation keys.
Procedure: Creating Activation Keys #
As the administrator login to the SUSE Manager Web UI.
Navigate to › .
To open the
Activation Key Detailspage click the button in the upper right corner.
On the
Activation Key Detailspage in theDescriptionfield, enter a name for the activation key.In the
Keyfield, enter the distribution and service pack associated with the key. For example,SLES12-SP4for SUSE Linux Enterprise Server 12 SP4.
Warning: Allowed Characters
Do not use commas in the
Keyfield for any SUSE products. However, you must use commas for Red Hat Products. For more information, see Book “Reference Manual”, Chapter 7 “Systems”, Section 7.9 “Systems > Activation Keys”.In the
Base Channelsdrop-down box, select the SUSE Linux Enterprise channel that you added during First Channel Sync.When the base channel is selected the list of available child channels will get fetched and displayed in real time below the base channel. Select the child channels you need (for example, the SUSE Manager tools and the updates channels that are actually mandatory).
We recommend you leave the
Contact Methodset toDefault.We recommend you leave the
Universal Defaultsetting unchecked.Click to create the activation key.
Check the
Configuration File Deploymentcheck box to enable configuration management for this key, and click to save this change.
When you create activation keys, keep these best practices in mind:
Avoid using the
SUSE Manager Defaultparent channel. This setting forces SUSE Manager to choose a parent channel that best corresponds to the installed operating system, which can sometimes lead to unexpected behavior. Instead, we recommend you create activation keys specific to each distribution and architecture.If you are using bootstrap scripts, consider creating an activation key for each script. This will help you align channel assignments, package installation, system group memberships, and configuration channel assignments. You will also need less manual interaction with your system after registration.
If you do not enter a human-readable name for your activation keys, the system will automatically generate a number string, which can make it difficult to manage your keys. Consider a naming scheme for your activation keys to help you keep track of them.
Note that the
Configuration File Deploymentcheck box does not appear until after you have created the activation key. Ensure you go back and check the box if you need to enable configuration management.
5.3 Creating the SUSE Manager Tools Repository #
In this section you will create a tools repository on the SUSE Manager Server for providing client tools. The client tools repository contains packages for installing Salt on minions as well as required packages for registering traditional clients during the bootstrapping procedure. These packages will be installed from the newly generated repository during the registration process. In the following procedure you will create the SUSE Linux Enterprise tools repository.
Important: Creating a Tools Repository when an SCC Channel has not been Synced
Before following the procedure to create the tools repository make sure the SUSE vendor channel you will be using with your client has been completely synced.
You can check this by running tail -f /var/log/rhn/reposync/<CHANNEL_NAME>.log as root.
In the following example replace version with the actual version string:
# tail -f /var/log/rhn/reposync/sles`version`-pool-x86_64.log
Once completed you should see the following output in your terminal:
2017/12/12 15:20:32 +02:00 Importing packages started. 2017/12/12 15:22:02 +02:00 1.07 % ... 2017/12/12 15:34:25 +02:00 86.01 % 2017/12/12 15:35:49 +02:00 Importing packages finished. 2017/12/12 15:35:49 +02:00 Linking packages to channel. ... 2017/12/12 15:35:59 +02:00 Sync completed.
Procedure: Generating the Tools Repository for SUSE Linux Enterprise #
Open a terminal on the server as root and enter the following command to list available bootstrap repositories:
mgr-create-bootstrap-repo -l SLE-`version`-x86_64
Then invoke the same command using the listed repository as the product label to actually create the bootstrap repository:
mgr-create-bootstrap-repo -c SLE-`version`-x86_64
SUSE Manager will create and add the client tools to the newly created
repositoriesdirectory located at/srv/www/htdocs/pub/repositories/.
This repository is suitable for both Server and Desktop of SUSE Linux Enterprise.
Note: Support for SUSE Linux Enterprise 15 Products
If you have mirrored more than one SUSE Linux Enterprise 15 Product (for example, SLES, {slda}, and SLES for SAP Application), you can specify the one you are actually interested in. First check what is avaiable:
mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-custom-channel Multiple options for parent channel found. Please use option --with-parent-channel <label> and choose one of: - sle-product-sles15-pool-x86_64 - sle-product-sles_sap15-pool-x86_64 - sle-product-sled15-pool-x86_64
Then specify it with --with-parent-channel:
mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-parent-channel sle-product-sled15-pool-x86_64
5.4 Registering Traditional Clients #
5.4.1 Generating a Bootstrap Script #
This section goes over generating a template bootstrap script which will be copied and modified for use with “traditional” clients. Traditional clients register with SUSE Manager via a bootstrap script executed on the client which deploys all necessary packages to it. The bootstrap script contains parameters which assigns a client system to its base channel. Two of these important parameters are:
Activation Keys
GNU Privacy Guard (GPG) Keys
Note: SLES 15 and Python 3
SLES 15 utilizes Python 3 by default. Because of this change any older bootstrap scripts (based on python 2) must be re-created for SLES 15 systems. Attempting to register SLES 15 systems with SUSE Manager using Python 2 versions of the bootstrap script will fail.
The following procedure will guide you through generating a bootstrap script.
Procedure: Creating a Bootstrap Script #
From the SUSE Manager Web UI, browse to › › › . For more information, see Book “Reference Manual”, Chapter 17 “Admin”, Section 17.4 “ › › ”, Section 17.4.2 “ › ”.
In the
SUSE Manager Configuration - Bootstrapdialog disableBootstrap using Salt. Use default settings and click the button.
Warning: Using SSL
Unchecking in the Web UI or setting
USING_SSL=0in the bootstrap script is not recommended. If you disable SSL nevertheless you will need to manage custom CA certificates to be able to run the registration process successfully.A template bootstrap script is generated and stored on the server’s file system in the
/srv/www/htdocs/pub/bootstrapdirectory.cd /srv/www/htdocs/pub/bootstrap
The bootstrap script is also available at
https://example.com/pub/bootstrap/bootstrap.sh.
Section 5.4.2, “Editing the Bootstrap Script” will cover copying and modifying your bootstrap template for use with each client.
5.4.2 Editing the Bootstrap Script #
In this section you will copy and modify the template bootstrap script you created from Section 5.4.1, “Generating a Bootstrap Script”.
A minimal requirement when modifying a bootstrap script for use with SUSE Manager is the inclusion of an activation key. Depending on your organizations security requirements it is strongly recommended to include one or more (GPG) keys (for example, your organization key, and package signing keys). For this tutorial you will be registering with the activation keys created in the previous section.
Procedure: Modifying the Bootstrap Script #
Login as root from the command line on your SUSE Manager server.
Navigate to the bootstrap directory with:
cd /srv/www/htdocs/pub/bootstrap/
Create and rename two copies of the template bootstrap script for use with each of your clients.
cp bootstrap.sh bootstrap-sles11.sh cp bootstrap.sh bootstrap-sles12.sh
Open
sles12.shfor modification. Scroll down and modify both lines marked in green. You must comment outexit 1with a hash mark (#) to activate the script and then enter the name of the key for this script in theACTIVATION_KEYS=field as follows:echo "Enable this script: comment (with #'s) this block (or, at least just" echo "the exit below)" echo #exit 1 # can be edited, but probably correct (unless created during initial install): # NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine. ACTIVATION_KEYS=1-sles12 ORG_GPG_KEY=
Once you have completed your modifications save the file and repeat this procedure for the second bootstrap script. Proceed to Section 5.4.3, “Connecting Clients”.
Note: Finding Your Keys
To find key names you have created: In the Web UI, click › › › . All keys created for channels are listed on this page. You must enter the full name of the key you wish to use in the bootstrap script exactly as presented in the key field.
5.4.3 Connecting Clients #
This section covers connecting your clients to SUSE Manager with the modified bootstrap script.
Procedure: Running the Bootstrap Script #
From your SUSE Manager Server command line as root navigate to the following directory:
cd /srv/www/htdocs/pub/bootstrap/
Run the following command to execute the bootstrap script on the client:
cat MODIFIED-SCRIPT.SH | ssh root@example.com /bin/bash
The script will execute and proceed to download the required dependencies located in the repositories directory you created earlier. Once the script has finished running, log in to the Web UI and click › to see the new client listed.
This concludes the bootstrap section of this guide. Section 5.5, “Registering Salt Clients” will go over registering Salt minions for use with SUSE Manager.
5.4.4 Package Locks #
Package locks are used to prevent unauthorized installation or upgrades to software packages on traditional clients. When a package has been locked, it will display to users with a padlock icon, indicating that it can not be installed. Any attempt to install a locked package will be reported as an error in the event log.
Locked packages can not be installed, upgraded, or removed, either through the SUSE Manager Web UI, or directly on the client machine using a package manager. Locked packages will also indirectly lock any dependent packages.
Note
Package locks can only be used on traditional clients that use the Zypper package manager. The feature is not currently supported on Red Hat Enterprise Linux or Salt clients.
Procedure: Using Package Locks #
On the client machine, install the
zypp-plugin-spacewalkpackage:# zypper in zypp-plugin-spacewalk
Navigate to the › › tab on the managed system to see a list of all available packages.
Select the packages to lock, and click . You can also choose to enter a date and time for the lock to activate. Note that even if you do not select a date and time, the lock might not activate immediately.
To remove a package lock, select the packages to unlock and click . You can also choose to enter a date and time for the lock to deactivate. Note that even if you do not select a date and time, the lock might not deactivate immediately.
5.5 Registering Salt Clients #
There are currently three methods for registering Salt minions.
This section describes the first method and uses a bootstrap repository.
The second method uses the bootstrap script, and is mostly similar to the procedure described in Section 5.4, “Registering Traditional Clients”-the difference is enabling Bootstrap using Salt and the activation key option Configuration File Deployment that applies highstate automatically.
The third method uses the Web UI, and is described in Book “Reference Manual”, Chapter 7 “Systems”, Section 7.6 “Bootstrapping (Salt)”.
You can also use these methods to change existing traditional clients into Salt minions.
The rest of this section assumes you have created a SUSE Manager tools repository. You can review creating a tools repository in Section 5.3, “Creating the SUSE Manager Tools Repository”.
When you have fully synchronized a base channel from the Web UI for clients to obtain software packages from (for example: SLES12-SP4-Pool_for_x86_64) perform the following procedure to register a Salt minion.
Procedure: Registering Salt Minions #
On your minion as root enter the following command:
zypper ar http://FQDN.server.example.com/pub/repositories/sle/12/4/bootstrap/ \ sles12-sp4
Note
Do not use
HTTPS. UseHTTPinstead to avoid errors.After adding the repository containing the necessary Salt packages execute:
zypper in salt-minion
Modify the minion configuration file to point to the fully qualified domain name (
FQDN) of the SUSE Manager server (master):vi /etc/salt/minion
Find and change the line:
master: salt
to:
master: FQDN.server.example.com
Restart the Salt minion with:
systemctl restart salt-minion
Your newly registered minion should now show up within the Web UI under › .
Accept the pending key to begin management.
5.6 Troubleshooting Salt Clients #
5.6.1 Mounting /tmp with noexec #
Salt runs remote commands from /tmp of the client’s filesystem.
Therefore you must not mount /tmp with the noexec option.
5.6.2 Cloned Salt Clients #
If you have used your hypervisor clone utility, and attempted to register the cloned Salt client, you might get this error:
We're sorry, but the system could not be found.
This is caused by the new, cloned, system having the same machine ID as an existing, registered, system. You can adjust this manually to correct the error and register the cloned system successfully.