Deploy SUSE Manager Proxy
SUSE Manager Proxy can be installed as a server extension on openSUSE Leap. The proxy is installed in the same way as a client, but is designated as a proxy server during installation. This is achieved by adding the Uyuni Proxy pattern, and executing the proxy setup script.
-
For more information about the stable version of SUSE Manager, see https://www.uyuni-project.org/pages/stable-version.html.
-
For more information about the development version of SUSE Manager, see https://www.uyuni-project.org/pages/devel-version.html.
1. Mirror SUSE Manager Proxy software
The SUSE Manager Proxy software is available from https://download.opensuse.org. You can synchronize the proxy software to your SUSE Manager Server. This process is also known as mirroring.
-
On the SUSE Manager Server, create openSUSE Leap and the SUSE Manager Proxy channels with the spacewalk-common-channels command. spacewalk-common-channels is part of the spacewalk-utils package:
    spacewalk-common-channels \
      opensuse_leap15_5 \
      opensuse_leap15_5-non-oss \
      opensuse_leap15_5-non-oss-updates \
      opensuse_leap15_5-updates \
      opensuse_leap15_5-backports-updates \
      opensuse_leap15_5-sle-updates \
      opensuse_leap15_5-uyuni-client \
      uyuni-proxy-stable-leap-155
Instead of the uyuni-proxy-stable-leap-155 version you can also try the latest development version, called uyuni-proxy-devel-leap. For more information, see Registering openSUSE Leap Clients.
2. Register the openSUSE Leap system
Begin by installing openSUSE Leap on a physical or virtual machine. To ensure that the proxy is accessible across the network, you must have a resolvable fully qualified domain name (FQDN) on the openSUSE Leap system before you begin the installation. You can configure an FQDN with YaST by navigating to .
When you have installed openSUSE Leap on the proxy and configured the FQDN, you can prepare the SUSE Manager Server, and register the openSUSE Leap system as a client.
-
On the SUSE Manager Server, create an activation key with openSUSE Leap as a base channel and the proxy and the other channels as child channels. For more information about activation keys, see Activation Keys.
-
Modify a bootstrap script for the proxy. Ensure you add the GPG key for Uyuni to the ORG_GPG_KEY= parameter. For example:
    ORG_GPG_KEY=uyuni-gpg-pubkey-0d20833e.key
-
For more information, see Registering openSUSE Leap Clients.
-
Bootstrap the client using the script.
-
For more information, see Register Clients with a Bootstrap Script.
-
Navigate to
and accept the key. When the key is accepted, the new proxy will show in the Recently Registered Systems section.
-
Navigate to
, and check that the proxy channel is selected.
3. Install Uyuni Proxy on openSUSE Leap
On the client, use the zypper command line tool, or on the SUSE Manager Server, use the Web UI, to install the proxy software on openSUSE Leap.
-
Install the pattern for the SUSE Manager Proxy. You can do this either on the client or on the server.
-
For the client, use zypper:
    zypper in patterns-uyuni_proxy
-
Alternatively, on the SUSE Manager Server, use the Web UI. Navigate to the details tab of the client, click
, and schedule patterns-uyuni_proxy for installation.
-
Reboot the client.
4. Prepare the Proxy
Before you begin, ensure that the proxy pattern is installed correctly.
To verify a successful installation, on the SUSE Manager Server, select the pattern_uyuni_proxy package for installation.
The salt-broker service is automatically started after installation is complete. This service forwards the Salt interactions to the SUSE Manager Server.
It is possible to arrange Salt proxies in a chain.
In this case, the upstream proxy is named |
Make sure the TCP ports 4505 and 4506 are open on the proxy.
The proxy must be able to reach the SUSE Manager Server or a parent proxy on these ports.
The proxy shares some SSL information with the SUSE Manager Server. You need to copy the certificate and its key from the SUSE Manager Server or the parent proxy to the proxy you are setting up.
-
On the proxy you are setting up, at the command prompt, as root, create a directory for the certificate and key:
    mkdir -m 700 /root/ssl-build
    cd /root/ssl-build
-
Copy the certificate and the key from the source to the new directory. In this example, the source location is called PARENT. Replace this with the correct path:
    scp root@<PARENT>:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY .
    scp root@<PARENT>:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT .
    scp root@<PARENT>:/root/ssl-build/rhn-ca-openssl.cnf .
To keep the security chain intact, the SUSE Manager Proxy functionality requires the SSL certificate to be signed by the same CA as the SUSE Manager Server certificate. Using certificates signed by different CAs for proxies and server is not supported. For more information on how SUSE Manager handles certificates, see SSL Certificates.
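A pre-flight check for the copied CA material, added here as an example and not part of the SUSE Manager or Uyuni tooling. The function names audit_ssl_build and mode_bits are hypothetical; the directory, its mode 700 and the three file names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example (not from the product): audit the directory that holds the
# CA key, CA certificate and openssl config copied from the parent.
# The file names below are the ones used in the scp step.
SSL_BUILD_FILES="RHN-ORG-PRIVATE-SSL-KEY RHN-ORG-TRUSTED-SSL-CERT rhn-ca-openssl.cnf"

# mode_bits PATH: print the 10-character type/permission field of ls -ld.
mode_bits() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_ssl_build [DIR]: print one line per finding and return the number
# of findings (0 means the directory passed every check).
audit_ssl_build() {
    dir=${1:-/root/ssl-build}
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING directory: $dir"
        return 1
    fi
    # The directory is created with mkdir -m 700: only its owner may enter.
    if [ "$(mode_bits "$dir")" != "drwx------" ]; then
        echo "WEAK directory mode: $(mode_bits "$dir") $dir"
        findings=$((findings + 1))
    fi
    # configure-proxy.sh needs all three files; report each one that is absent.
    for name in $SSL_BUILD_FILES; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING file: $dir/$name"
            findings=$((findings + 1))
        fi
    done
    # The key's mode after scp depends on the source file's mode and the
    # local umask, so check it rather than assume it: no group/other bits.
    key="$dir/RHN-ORG-PRIVATE-SSL-KEY"
    if [ -f "$key" ] && [ "$(mode_bits "$key" | cut -c5-10)" != "------" ]; then
        echo "WEAK key mode: $(mode_bits "$key") $key"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Call audit_ssl_build with no argument on the proxy, as root, to check /root/ssl-build before running the setup script; a non-zero return status is the number of findings.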
5. Set Up the Proxy
When you have prepared the proxy, use the supplied interactive configure-proxy.sh script to complete the proxy setup.
-
On the proxy you are setting up, at the command prompt, as root, execute the setup script:
configure-proxy.sh
-
Follow the prompts to set up the proxy. Leave a field blank and press Enter to use the default values shown between square brackets.
More information about the settings set by the script:
- SUSE Manager Parent
  The SUSE Manager parent can be either another proxy or a server.
- HTTP Proxy
  An HTTP proxy enables your SUSE Manager Proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.
- Traceback Email
  An email address to which problems are reported.
- Do You Want to Import Existing Certificates?
  Answer N. This ensures that the new certificates that were copied previously from the SUSE Manager Server are used.
- Organization
  The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless your proxy is not in the same organization as your main server.
- Organization Unit
  The default value here is the proxy’s hostname.
- City
  Further information attached to the proxy’s certificate.
- State
  Further information attached to the proxy’s certificate.
- Country Code
  In the country code field, enter the country code set during the SUSE Manager installation. For example, if your proxy is in the US and your SUSE Manager is in DE, enter DE for the proxy. The country code must be two upper case letters. For a complete list of country codes, see https://www.iso.org/obp/ui/#search.
- Cname Aliases (Separated by Space)
  Use this if your proxy can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.
- CA Password
  Enter the password that was used for the certificate of your SUSE Manager Server.
- Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?
  Use this option if you want to reuse an SSH key that was used for SSH-Push Salt clients on the server.
- Create and Populate Configuration Channel rhn_proxy_config_1000010001?
  Accept default Y.
- SUSE Manager Username
  Use the same user name and password as on the SUSE Manager Server.
If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files.
When the mandatory files are copied, run configure-proxy.sh again.
If you receive an HTTP error during script execution, run the script again.
configure-proxy.sh activates services required by SUSE Manager Proxy, such as squid, apache2, salt-broker, and jabberd.
To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI. Connection and Proxy subtabs display various status information.
If you want to PXE boot your clients from your SUSE Manager Proxy, you also need to synchronize the TFTP data from the SUSE Manager Server.
-
On the proxy, at the command prompt, as root, install the susemanager-tftpsync-recv package:
    zypper in susemanager-tftpsync-recv
-
On the proxy, run the configure-tftpsync.sh setup script and enter the requested information:
    configure-tftpsync.sh
You need to provide the hostname and IP address of the SUSE Manager Server and the proxy. You also need to enter the path to the tftpboot directory on the proxy.
-
On the server, at the command prompt, as root, install susemanager-tftpsync:
    zypper in susemanager-tftpsync
-
On the server, run the configure-tftpsync.sh setup script and enter the requested information:
    configure-tftpsync.sh
-
Run the script again with the fully qualified domain name of the proxy you are setting up. This creates the configuration, and uploads it to the SUSE Manager Proxy:
    configure-tftpsync.sh FQDN_of_Proxy
-
On the server, start an initial synchronization:
    cobbler sync
You can also synchronize after a change within Cobbler that needs to be synchronized immediately. Otherwise Cobbler synchronization will run automatically when needed.
6. Configure DHCP for PXE through Proxy
SUSE Manager uses Cobbler for client provisioning. PXE (tftp) is installed and activated by default. Clients must be able to find the PXE boot on the SUSE Manager Proxy using DHCP. Use this DHCP configuration for the zone which contains the clients to be provisioned:
    next-server: <IP_Address_of_Proxy>
    filename: "pxelinux.0"
7. Reinstalling a Proxy
A proxy does not contain any information about the clients that are connected to it. Therefore, a proxy can be replaced by a new one at any time. The replacement proxy must have the same name and IP address as its predecessor.
Proxy systems are registered as Salt clients using a bootstrap script.
This procedure describes software channel setup and registering the installed proxy with an activation key as the SUSE Manager client.
Before you can select the correct child channels while creating the activation key, ensure you have properly synchronized the openSUSE Leap channel with all the needed child channels and the SUSE Manager Proxy channel.
8. More Information
For more information about the Uyuni project, and to download the source, see https://www.uyuni-project.org/.
For more Uyuni product documentation, see https://www.uyuni-project.org/uyuni-docs/uyuni/index.html.
To raise an issue or propose a change to the documentation, use the links under the Resources menu on the documentation site.