Install SUSE Manager Proxy with openSUSE Leap

SUSE Manager Proxy can be installed as a server extension on openSUSE Leap. The proxy is installed in the same way as a client, but is designated as a proxy server during installation. This is achieved by adding the Uyuni Proxy pattern, and executing the proxy setup script.

1. Mirror SUSE Manager Proxy software

The SUSE Manager Proxy software is available from https://download.opensuse.org. You can synchronize the proxy software to your SUSE Manager Server. This process is also known as mirroring.

Procedure: Mirroring SUSE Manager Proxy software
  1. On the SUSE Manager Server, create openSUSE Leap and the SUSE Manager Proxy channels with the spacewalk-common-channels command. spacewalk-common-channels is part of the spacewalk-utils package:

    spacewalk-common-channels \
    opensuse_leap15_5 \
    opensuse_leap15_5-non-oss \
    opensuse_leap15_5-non-oss-updates \
    opensuse_leap15_5-updates \
    opensuse_leap15_5-backports-updates \
    opensuse_leap15_5-sle-updates \
    opensuse_leap15_5-uyuni-client \
    uyuni-proxy-stable-leap-155

    Instead of the uyuni-proxy-stable-leap-155 version you can also try the latest development version, called uyuni-proxy-devel-leap. For more information, see 注册 openSUSE Leap 客户端.

2. Register the openSUSE Leap system

Begin by installing openSUSE Leap on a physical or virtual machine. To ensure that the proxy is accessible across the network, you must have a resolvable fully qualified domain name (FQDN) on the openSUSE Leap system before you begin the installation. You can configure an FQDN with YaST by navigating to System  Network Settings  Hostname/DNS.

When you have installed openSUSE Leap on the proxy and configured the FQDN, you can prepare the SUSE Manager Server, and register the openSUSE Leap system as a client.

Procedure: Registering the openSUSE Leap system
  1. On the SUSE Manager Server, create an activation key with openSUSE Leap as a base channel and the proxy and the other channels as child channels. For more information about activation keys, see 激活密钥.

  2. Modify a bootstrap script for the proxy. Ensure you add the GPG key for Uyuni to the ORG_GPG_KEY= parameter. For example:

    ORG_GPG_KEY=uyuni-gpg-pubkey-0d20833e.key
  3. Bootstrap the client using the script.

  4. Navigate to Salt  Keys and accept the key. When the key is accepted, the new proxy will show in Systems  Overview in the Recently Registered Systems section.

  5. Navigate to System Details  Software  Software Channels, and check that the proxy channel is selected.

3. Install Uyuni Proxy on openSUSE Leap

On the client, use the zypper command line tool or on the SUSE Manager Server, the Web UI to install the proxy software on openSUSE Leap.

Procedure: Installing Uyuni Proxy on openSUSE Leap
  1. Install the pattern for the SUSE Manager Proxy. You can do this either on the client or on the server.

    • For the client, use zypper

      zypper in patterns-uyuni_proxy
    • Alternatively, on the SUSE Manager Server, use the Web UI. Navigate to the details tab of the client, click Software  Packages  Install, and schedule patterns-uyuni_proxy for installation.

  2. Reboot the client.

4. Prepare the Proxy

Before you begin, ensure that the proxy pattern is installed correctly. To verify a successful installation, on the SUSE Manager Server, select the pattern_uyuni_proxy package for installation.

The salt-broker service is automatically started after installation is complete. This service forwards the Salt interactions to the SUSE Manager Server.

It is possible to arrange Salt proxies in a chain. In this case, the upstream proxy is named parent.

Make sure the TCP ports 4505 and 4506 are open on the proxy. The proxy must be able to reach the SUSE Manager Server or a parent proxy on these ports.

The proxy shares some SSL information with the SUSE Manager Server. You need to copy the certificate and its key from the SUSE Manager Server or the parent proxy to the proxy you are setting up.

Procedure: Copying the Server Certificate and Key
  1. On the proxy you are setting up, at the command prompt, as root, create a directory for the certificate and key:

    mkdir -m 700 /root/ssl-build
    cd /root/ssl-build
  2. Copy the certificate and the key from the source to the new directory. In this example, the source location is called PARENT. Replace this with the correct path:

    scp root@<PARENT>:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY .
    scp root@<PARENT>:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT .
    scp root@<PARENT>:/root/ssl-build/rhn-ca-openssl.cnf .

To keep the security chain intact, the SUSE Manager Proxy functionality requires the SSL certificate to be signed by the same CA as the SUSE Manager Server certificate. Using certificates signed by different CAs for proxies and server is not supported. For more information on how SUSE Manager handles certificates, see SSL 证书.

5. Set Up the Proxy

When you have prepared the proxy, use the supplied interactive configure-proxy.sh script to complete the proxy setup.

Procedure: Setting up the Proxy
  1. On the proxy you are setting up, at the command prompt, as root, execute the setup script:

    configure-proxy.sh
  2. Follow the prompts to set up the proxy. Leave a field blank and type Enter to use the default values shown between square brackets.

More information about the settings set by the script:

SUSE Manager Parent

the SUSE Manager parent can be either another proxy or a server.

HTTP Proxy

A HTTP proxy enables your SUSE Manager Proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.

Traceback Email

An email address where to report problems.

Do You Want to Import Existing Certificates?

Answer N. This ensures using the new certificates that were copied previously from the SUSE Manager server.

Organization

The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless of course your proxy is not in the same organization as your main server.

Organization Unit

The default value here is the proxy’s hostname.

City

Further information attached to the proxy’s certificate.

State

Further information attached to the proxy’s certificate.

Country Code

In the country code field, enter the country code set during the SUSE Manager installation. For example, if your proxy is in the US and your SUSE Manager is in DE, enter DE for the proxy.

The country code must be two upper case letters. For a complete list of country codes, see https://www.iso.org/obp/ui/#search.

Cname Aliases (Separated by Space)

Use this if your proxy can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.

CA Password

Enter the password that was used for the certificate of your SUSE Manager Server.

Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?

Use this option if you want to reuse a SSH key that was used for SSH-Push Salt clients on the server.

Create and Populate Configuration Channel rhn_proxy_config_1000010001?

Accept default Y.

SUSE Manager Username

Use same user name and password as on the SUSE Manager server.

If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files. When the mandatory files are copied, run configure-proxy.sh again. If you receive an HTTP error during script execution, run the script again.

configure-proxy.sh activates services required by SUSE Manager Proxy, such as squid, apache2, salt-broker, and jabberd.

To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI (Systems  System List  Proxy, then the system name). Connection and Proxy subtabs display various status information.

If you want to PXE boot your clients from your SUSE Manager Proxy, you also need to synchronize the TFTP data from the SUSE Manager Server.

Procedure: Synchronizing Profiles and System Information
  1. On the proxy, at the command prompt, as root, install the susemanager-tftpsync-recv package:

    zypper in susemanager-tftpsync-recv
  2. On the proxy, run the configure-tftpsync.sh setup script and enter the requested information:

    configure-tftpsync.sh

    You need to provide the hostname and IP address of the SUSE Manager Server and the proxy. You also need to enter the path to the tftpboot directory on the proxy.

  3. On the server, at the command prompt, as root, install susemanager-tftpsync:

    zypper in susemanager-tftpsync
  4. On the server, run configure-tftpsync.sh setup script and enter the requested information:

    configure-tftpsync.sh
  5. Run the script again with the fully qualified domain name of the proxy you are setting up. This creates the configuration, and uploads it to the SUSE Manager Proxy:

    configure-tftpsync.sh FQDN_of_Proxy
  6. On the server, start an initial synchronization:

    cobbler sync

    You can also synchronize after a change within Cobbler that needs to be synchronized immediately. Otherwise Cobbler synchronization will run automatically when needed.

6. Configure DHCP for PXE through Proxy

SUSE Manager uses Cobbler for client provisioning. PXE (tftp) is installed and activated by default. Clients must be able to find the PXE boot on the SUSE Manager Proxy using DHCP. Use this DHCP configuration for the zone which contains the clients to be provisioned:

next-server: <IP_Address_of_Proxy>
filename: "pxelinux.0"

7. Reinstalling a Proxy

A proxy does not contain any information about the clients that are connected to it. Therefore, a proxy can be replaced by a new one at any time. The replacement proxy must have the same name and IP address as its predecessor.

Proxy systems are registered as Salt clients using a bootstrap script.

This procedure describes software channel setup and registering the installed proxy with an activation key as the SUSE Manager client.

Before you can select the correct child channels while creating the activation key, ensure you have properly synchronized the openSUSE Leap channel with all the needed child channels and the SUSE Manager Proxy channel.

8. More Information

For more information about the Uyuni project, and to download the source, see https://www.uyuni-project.org/.

For more Uyuni product documentation, see https://www.uyuni-project.org/uyuni-docs/uyuni/index.html.

To raise an issue or propose a change to the documentation, use the links under the Resources menu on the documentation site.