9 Configuring Clients to Use SMT #
Any machine running SUSE Linux Enterprise 10 SP4, 11 SP1 or later, or any version of SUSE Linux Enterprise 12 can be configured to register against SMT and download software updates from there, instead of communicating directly with SUSE Customer Center or Novell Customer Center.
If your network includes an SMT server to provide a local update source,
you need to equip the client with the server's URL. As client and server
communicate via the HTTPS protocol during registration, you also need to make
sure the client trusts the server's certificate. In case you set up your
SMT server to use the default server certificate, the CA certificate will
be available on the SMT server at
http://FQDN/smt.crt
.
If the certificate is not issued by a well-trusted authority, the
registration process will import the certificate from the URL specified as
regcert
parameter (SUSE Linux Enterprise Server 10 and 11). For SLE 12,
the certificate will be downloaded automatically from SMT. In this case,
the client displays the new certificate details (its fingerprint), and you
need to accept the certificate.
There are several ways to provide the registration information and to configure the client machine to use SMT:
Provide the required information via kernel parameters at boot time (Section 9.1, “Using Kernel Parameters to Access an SMT Server”).
Configure the clients using an AutoYaST profile (Section 9.2, “Configuring Clients with AutoYaST Profile”).
Use the
clientSetup4SMT.sh
script (Section 9.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12”). This script can be run on a client to make it register against a specified SMT server.In SUSE Linux Enterprise 11 and 12, you can set the SMT server URL with the YaST registration module during installation (Section 9.4, “Configuring Clients with YaST”).
These methods are described in the following sections.
9.1 Using Kernel Parameters to Access an SMT Server #
regcert
Parameter Support
Note that the regcert
kernel boot parameter is supported
for SLE 10 and 11. It is not supported from SLE 12.
Any client can be configured to use SMT by providing the following kernel
parameters during machine boot: regurl
and
regcert
. The first parameter is mandatory, the latter is
optional.
Make sure the values you enter are correct. If regurl
has not been specified correctly, the registration of the update source
will fail.
If an invalid value for regcert
has been entered, you
will be prompted for a local path to the certificate. In case
regcert
is not specified, it will default to
http://FQDN/smt.crt
with
FQDN
being the name of the SMT server.
- regurl
URL of the SMT server.
For SLE 11 and older clients, the URL needs to be in the following format:
https://FQDN/center/regsvc/
with FQDN being the fully qualified host name of the SMT server. It must be identical to the FQDN of the server certificate used on the SMT server. Example:regurl=https://smt.example.com/center/regsvc/
For SLE 12 clients, the URL needs to be in the following format:
https://FQDN
with FQDN being the fully qualified host name of the SMT server. It must be identical to the FQDN of the server certificate used on the SMT server. Example:regurl=https://smt.example.com/
- regcert
Location of the SMT server's CA certificate. Specify one of the following locations:
- URL
Remote location (HTTP, HTTPS, or FTP) from which the certificate can be downloaded. Example:
regcert=http://smt.example.com/smt.crt
- Floppy
Specifies a location on a floppy. The floppy needs to be inserted at boot time—you will not be prompted to insert it if it is missing. The value needs to start with the string
floppy
, followed by the path to the certificate. Example:regcert=floppy/smt/smt-ca.crt
- Local Path
Absolute path to the certificate on the local machine. Example:
regcert=/data/inst/smt/smt-ca.cert
- Interactive
Use
ask
to open a pop-up menu during installation where you can specify the path to the certificate. Do not use this option with AutoYaST. Example:regcert=ask
- Deactivate Certificate Installation
Use
done
if either the certificate will be installed by an add-on product, or if you are using a certificate issued by an official certificate authority. Example:regcert=done
If the SMT server gets a new certificate from an untrusted CA, the clients need to retrieve the new CA certificate file.
On SLE 10 and 11, this is done automatically with the registration process in the following cases:
If a URL was used at installation time to retrieve the certificate.
If the
regcert
parameter was omitted and thus the default URL is used.
If the certificate was loaded using any other method, such as floppy or local path, the CA certificate will not be updated.
On SUSE Linux Enterprise Server 12, after the certificate has changed, YaST displays a dialog for importing a new certificate. If you confirm importing the new certificate, the old one is replaced with the new one.
9.2 Configuring Clients with AutoYaST Profile #
Clients can be configured to register with SMT server via AutoYaST profile. For general information about creating AutoYaST profiles and preparing automatic installation, refer to the AutoYaST Guide. In this section, only SMT specific configuration is described.
To configure SMT specific data using AutoYaST, follow the steps for the relevant version of SMT client.
9.2.1 Configuring SUSE Linux Enterprise 11 Clients #
As
root
, start YaST and select › to start the graphical AutoYaST front-end.From a command line, you can start the graphical AutoYaST front-end with the
yast2 autoyast
command.Open an existing profile using
› , create a profile based on the current system's configuration using › , or work with an empty profile.Select
› . An overview of the current configuration is shown.Click
.Set the URL of the
and, optionally, the location of the . The possible values are the same as for the kernel parametersregurl
andregcert
(see Section 9.1, “Using Kernel Parameters to Access an SMT Server”). The only exception is that theask
value forregcert
does not work in AutoYaST, because it requires user interaction. If using it, the registration process will be skipped.Perform all other configuration needed for the systems to be deployed.
Select
› and enter a file name for the profile, such asautoinst.xml
.
9.2.2 Configuring SUSE Linux Enterprise 12 Clients #
As
root
, start YaST and select › to start the graphical AutoYaST front-end.From a command line, you can start the graphical AutoYaST front-end with the
yast2 autoyast
command.Open an existing profile using
› , create a profile based on the current system's configuration using › , or work with an empty profile.Select
› . An overview of the current configuration is shown.Click
.Check
, set the URL of the SMT server in , and you can set the . The possible values for the server URL are the same as for the kernel parameterregurl
. For the SSL certificate location, you can use either HTTP or HTTPS based URLs.Perform all other configuration needed for the systems to be deployed, then click
to return to the main screen.Select
› and enter a file name for the profile, such asautoinst.xml
.
9.3 Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12 #
In SLE 11 and 12, the
/usr/share/doc/packages/smt/clientSetup4SMT.sh
script is
provided together with SMT. This script allows you to configure a client
machine to use an SMT server. It can also be used to reconfigure an
existing client to use a different SMT server.
wget
The script clientSetup4SMT.sh
itself uses
wget
, so wget
must be installed on
the client.
clientSetup4SMT.sh
If you migrated your client OS from an older SUSE Linux Enterprise, check if the version
of the clientSetup4SMT.sh
script on your host is up to date.
clientSetup4SMT.sh
from older versions of SMT cannot manage SMT 12 clients.
If you apply software patches regularly on your SMT server, you can always find the latest version
of clientSetup4SMT.sh
at <SMT_HOSTNAME>/repo/tools/clientSetup4SMT.sh
.
To configure a client machine to use SMT with the
clientSetup4SMT.sh
script, follow these steps:
Copy the
clientSetup4SMT.sh
script from your SMT server to the client machine. The script is available at<SMT_HOSTNAME>/repo/tools/clientSetup4SMT.sh
and/srv/www/htdocs/repo/tools/clientSetup4SMT.sh
. You can download it with a browser, usingwget
, or by another means, such as withscp
.As
root
, execute the script on the client machine. The script can be executed in two ways. In the first case, the script name is followed by the registration URL. For example:./clientSetup4SMT.sh https://smt.example.com/center/regsvc/
In the second case, the script uses the
--host
option followed by the host name of the SMT server, and--regcert
followed by the URL of the SSL certificate; for example:./clientSetup4SMT.sh --host smt.example.com \ --regcert http://smt.example.com/smt.crt
In this case, without any “namespace” specified, the client will be configured to use the default production repositories. If
--namespace GROUPNAME
is specified, the client will use that staging group.The script downloads the server's CA certificate. Accept it by pressing Y.
The script performs all necessary modifications on the client. However, the registration itself is not performed by the script.
The script downloads and asks to accept additional GPG keys to sign repositories with.
On SLE 11, perform the registration by executing
suse_register
or running theyast2 inst_suse_register
module on the client.On SLE 12, perform the registration by executing
SUSEConnect -p PRODUCT_NAME --url https://smt.example.org
or running the
yast2 registration
(SUSE Linux Enterprise Server 12 SP1 and newer) oryast2 scc
(SUSE Linux Enterprise Server 12) module on the client.
The clientSetup4SMT.sh
script works with SUSE Linux Enterprise 10 SP2 and
later Service Packs, SLE 11, and SLE 12 systems.
This script is also provided for download. You can get it by running
wget http://smt.example.com/repo/tools/clientSetup4SMT.sh
When registering an existing system against SMT 12—both on the command line and using YaST—you need to register additional extensions and modules separately, one by one. This applies both to already installed extensions and to extensions that you plan to install.
9.3.1 Problems Downloading GPG Keys from the Server #
The apache2-example-pages
package includes a
robots.txt
file. The file is installed into the
Apache2 document root directory, and controls how clients can access files
from the Web server. If this package is installed on the server,
clientSetup4SMT.sh
fails to download the keys stored
under /repo/keys
.
You can solve this problem by either editing
robots.txt
, or uninstalling the
apache2-example-pages
package.
If you choose to edit the robots.txt
file, add before
the Disallow: /
statement:
Allow: /repo/keys
9.4 Configuring Clients with YaST #
9.4.1 Configuring Clients with YaST in SLE 11 #
To configure a client to perform the registration against an SMT server
use the YaST registration module (yast2
inst_suse_register
).
Click /center/regsvc/
), for example:
https://smt.example.com/center/regsvc/
After confirmation the certificate is loaded and the user is asked to accept it. Then continue.
If a staging group is used, make sure that settings in
/etc/suseRegister.conf
are done accordingly. If not
already done, modify the register=
parameter and append
&namespace=NAMESPACE
.
For more information about staging groups, see
Section 5.3, “Staging Repositories”.
Alternatively, use the clientSetup4SMT.sh
script (see
Section 9.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12”).
9.4.2 Configuring Clients with YaST in SLE 12 #
To configure a client to perform the registration against an SMT server
use the YaST yast2 registration
(SUSE Linux Enterprise Server 12 SP1 or newer) or yast2
scc
(SUSE Linux Enterprise Server 12).
On the client, the credentials are not necessary and you may leave the relevant fields empty. Click
and enter its URL. Then click until the exit from the module.9.5 Registering SLE11 Clients against SMT Test Environment #
To configure a client to register against the test environment instead of
the production environment, modify
/etc/suseRegister.conf
on the client machine by
setting:
register = command=register&namespace=testing
For more information about using SMT with a test environment, see Section 4.5, “Using the Test Environment”.
9.6 Registering SLE12 Clients against SMT Test Environment #
To register a client in the testing environment, follow these steps:
De-register the client from the SMT server by running
SUSEConnect --de-register
on the client host.Modify
/etc/SUSEConnect
on the client machine as follows:namespace: testing
Re-register the client host against SMT in order for the new namespace setting to take effect. See general information about registering SMT clients in Chapter 9, Configuring Clients to Use SMT.
For more information about using SMT with a test environment, see Section 4.5, “Using the Test Environment”.
9.7 Listing Accessible Repositories #
To retrieve the accessible repositories for a client, download
repo/repoindex.xml
from the SMT server with the
client's credentials. The credentials are stored in
/etc/zypp/credentials.d/SCCcredentials
(SUSE Linux Enterprise Server 12) or
/etc/zypp/credentials.d/NCCcredentials
(SUSE Linux Enterprise Server 11) on the
client machine. Using wget
, the command for testing could
be as follows:
wget https://USER:PASS@smt.example.com/repo/repoindex.xml
repoindex.xml
returns the complete repository list as
they come from the vendor. If a repository is marked for staging,
repoindex.xml
lists the repository in the
full
namespace (repos/full/$RCE
).
To get a list of all repositories available on the SMT server, use the
credentials specified in the [LOCAL]
section of
/etc/smt.conf
on the server as
mirrorUser
and mirrorPassword
.
9.8 Online Migration of SUSE Linux Enterprise Clients #
SUSE Linux Enterprise clients registered against SMT can be migrated online to the latest service pack of the same major release the same way as clients registered against SUSE Customer Center or Novell Customer Center. Before starting the migration, make sure that SMT is configured to provide the correct version of repositories to which you need the clients to migrate.
For detailed information on online migration, see https://documentation.suse.com/sles-11/html/SLES-all/cha-update-sle.html for SUSE Linux Enterprise 11 clients, or 19장 SUSE Linux Enterprise 업그레이드 for SUSE Linux Enterprise 12 clients.
9.9 How to Update Red Hat Enterprise Linux with SMT #
SMT enables customers that possess the required entitlements to mirror updates for Red Hat Enterprise Linux (RHEL). Refer to http://www.suse.com/products/expandedsupport/ for details on SUSE Linux Enterprise Server Subscription with Expanded Support. This section discusses the actions required to configure the SMT server and clients (RHEL servers) for this solution.
Configuring RHEL client with Subscription Management Tool for SUSE Linux Enterprise (SMT 1.0) running SUSE Linux Enterprise Server 10 is slightly different. For more information, see How to update Red Hat Enterprise Linux with SMT.
9.9.1 How to Prepare SMT Server for Mirroring and Publishing Updates for RHEL #
Install SUSE Linux Enterprise Server (SLES) with the SMT packages as per the documentation on the respective products.
During SMT setup, use organization credentials that have access to Novell-provided RHEL update repositories.
Verify that the organization credentials have access to download updates for the Red Hat products with
smt-repos -m | grep RES
Enable mirroring of the RHEL update repositories for the desired architecture(s):
smt-repos -e REPO-NAME ARCHITECTURE
Mirror the updates and log verbose output:
smt-mirror -d -L /var/log/smt/smt-mirror.log
The updates for RHEL will also be mirrored automatically as part of the default nightly SMT mirroring cron job. When the mirror process of the repositories for your RHEL products has completed, the updates are available via
http://smt-server.your-domain.top/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/
To enable GPG checking of the repositories, the key used to sign the repositories needs to be made available to the RHEL clients. This key is now available in the res-signingkeys package, which is included in the SMT 11 installation source.
Install the
res-signingkeys
package with the commandzypper in -y res-signingkeys
The installation of the package stores the key file as
/srv/www/htdocs/repo/keys/res-signingkeys.key
.Now the key is available to the clients and can be imported into their RPM database as described later.
9.9.2 How to Configure the YUM Client on RHEL 5.2 to Receive Updates from SMT #
Import the repository signing key downloaded above into the local RPM database with
rpm --import http://smt.example.com/repo/keys/res-signingkeys.key
Create a file in
/etc/yum.repos.d/
and name itRES5.repo
.Edit the file and enter the repository data, and point to the repository on the SMT server as follows:
[smt] name=SMT repository baseurl=http://smt.example.com/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/ enabled=1 gpgcheck=1
Example of base URL:
http://smt.mycompany.com/repo/$RCE/RES5/i386/
Save the file.
Disable standard Red Hat repositories by setting
enabled=0
in the repository entries in other files in
/etc/yum.repos.d/
(if any are enabled).Both YUM and the update notification applet should work correctly now and notify of available updates when applicable. You may need to restart the applet.
9.9.3 How to Configure the UP2DATE Client on RHEL 3.9 and 4.7 to Receive Updates from SMT #
Import the repository signing key downloaded above into the local RPM database with
rpm --import http://smt.example.com/repo/keys/res-signingkeys.key
Edit the file
/etc/sysconfig/rhn/sources
and make the following changes:Comment out any lines starting with
up2date
.Normally, there will be a line that says "up2date default".
Add an entry pointing to the SMT repository (all in one line):
yum REPO_NAME http://smt.example.com/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/
where
repo-name
should be set to RES3 for 3.9 and RES4 for 4.7.Save the file.
Both up2date and the update notification applet should work correctly now, pointing to the SMT repository and indicating updates when available. In case of trouble, try to restart the applet.
To ensure correct reporting of the Red Hat Enterprise systems in SUSE Customer Center, they need to be registered against your SMT server. For this a special suseRegisterRES package is provided through the RES* repositories and it should be installed, configured and executed as described below.
9.9.4 How to Register RHEL 5.2 against SMT #
Install the suseRegisterRES package.
yum install suseRegisterRES
Note: Additional PackagesYou may need to install the
perl-Crypt-SSLeay
andperl-XML-Parser
packages from the original RHEL media.Copy the SMT certificate to the system:
wget http://smt.example.com/smt.crt
cat smt.crt >> /etc/pki/tls/cert.pem
Edit
/etc/suseRegister.conf
to point to SMT by changing the URL value tourl: https://smt.example.com/center/regsvc/
Register the system:
suse_register
9.9.5 How to Register RHEL 4.7 and RHEL 3.9 against SMT #
Install the
suseRegisterRES
package:up2date --get suseRegisterRES up2date --get perl-XML-Writer rpm -ivh /var/spool/up2date/suseRegisterRES*.rpm /var/spool/up2date/perl-XML-Writer-0*.rpm
Note: Additional PackagesYou may need to install the
perl-Crypt-SSLeay
andperl-XML-Parser
packages from the original RHEL media.Copy the SMT certificate to the system:
wget http://smt.example.com/smt.crt
cat smt.crt >> /usr/share/ssl/cert.pem
Edit
/etc/suseRegister.conf
to point to SMT by changing the URL value tourl = https://smt.example.com/center/regsvc/
or (for SUSE Customer Center)
url = https://smt.example.com
Register the system:
suse_register