System Locking

System locks are used to prevent actions from occurring on a client. For example, a system lock prevents a client from being updated or restarted. This is useful for clients running production software, or to prevent accidental changes. You can disable the system lock when you are ready to perform actions.

System locks are implemented differently on traditional and Salt clients.

System Locks on Traditional Clients

When a traditional client is locked, no actions can be scheduled using the Web UI, and a padlock icon is displayed next to the name of the client in the System  System List.

Procedure: System Locking a Traditional Client

  1. In the SUSE Manager Web UI, navigate to the System Details page for the client you want to lock.

  2. Under Lock Status, click Lock this system. The client remains locked until you click Unlock this system.

Some actions can still be completed on locked traditional clients, including remote commands, and automated patch updates. To stop automated patch updates, navigate to the System Details page for the client, and on the Properties tab, uncheck Auto Patch Update.

System Locks on Salt Clients

When a Salt client is locked, or put into blackout mode, no actions can be scheduled, Salt execution commands are disabled, and a yellow banner is displayed on the System Details page. In this mode, actions can be scheduled for the locked client using the Web UI or the API, but the actions fail.

The locking mechanism is not available for Salt SSH clients.
Procedure: System Locking a Salt Client

  1. In the SUSE Manager Web UI, navigate to the System Details page for the client you want to lock.

  2. Navigate to the Formulas tab, check the system lock formula, and click Save.

  3. Navigate to the Formulas  System Lock tab, check Lock system, and click Save. On this page, you can also enable specific Salt modules while the client is locked.

  4. When you have made your changes, you might need to apply the highstate. In this case, a banner in the Web UI notifies you. The client remains locked until you remove the system lock formula.

The system lock formula is enabled by default if SUSE CaaS Platform is detected on the node.

For more information about blackout mode in Salt, see https://docs.saltstack.com/en/latest/topics/blackout/index.html.

Package Locks

Package locks can only be used on traditional clients that use the Zypper package manager. The feature is not currently supported on Red Hat Enterprise Linux or Salt clients.

Package locks are used to prevent unauthorized installation or upgrades to software packages on traditional clients. When a package has been locked, it shows a padlock icon, indicating that it cannot be installed. Any attempt to install a locked package is reported as an error in the event log.

Locked packages cannot be installed, upgraded, or removed, either through the SUSE Manager Web UI, or directly on the client machine using a package manager. Locked packages also indirectly lock any dependent packages.

Procedure: Using Package Locks

  1. On the client machine, install the zypp-plugin-spacewalk package as root:

    zypper in zypp-plugin-spacewalk

  2. Navigate to the Software  Packages  Lock tab on the managed system to see a list of all available packages.

  3. Select the packages to lock, and click Request Lock. You can also choose to enter a date and time for the lock to activate. Leave the date and time blank if you want the lock to activate as soon as possible. Note that the lock might not activate immediately.

  4. To remove a package lock, select the packages to unlock and click Request Unlock. Leave the date and time blank if you want the lock to deactivate as soon as possible. The lock might not deactivate immediately.