Jump to contentJump to page navigation: previous page [access key p]/next page [access key n]
documentation.suse.com / SUSE Linux Enterprise Server 설명서 / SMT Guide / Configuring Clients to Use SMT
Applies to SUSE Linux Enterprise Server 12 SP5

9 Configuring Clients to Use SMT

Any machine running SUSE Linux Enterprise 10 SP4, 11 SP1 or later, or any version of SUSE Linux Enterprise 12 can be configured to register against SMT and download software updates from there, instead of communicating directly with SUSE Customer Center or Novell Customer Center.

If your network includes an SMT server to provide a local update source, you need to equip the client with the server's URL. As client and server communicate via the HTTPS protocol during registration, you also need to make sure the client trusts the server's certificate. In case you set up your SMT server to use the default server certificate, the CA certificate will be available on the SMT server at http://FQDN/smt.crt .

If the certificate is not issued by a well-trusted authority, the registration process will import the certificate from the URL specified as regcert parameter (SUSE Linux Enterprise Server 10 and 11). For SLE 12, the certificate will be downloaded automatically from SMT. In this case, the client displays the new certificate details (its fingerprint), and you need to accept the certificate.

There are several ways to provide the registration information and to configure the client machine to use SMT:

  1. Provide the required information via kernel parameters at boot time (Section 9.1, “Using Kernel Parameters to Access an SMT Server”).

  2. Configure the clients using an AutoYaST profile (Section 9.2, “Configuring Clients with AutoYaST Profile”).

  3. Use the clientSetup4SMT.sh script (Section 9.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12”). This script can be run on a client to make it register against a specified SMT server.

  4. In SUSE Linux Enterprise 11 and 12, you can set the SMT server URL with the YaST registration module during installation (Section 9.4, “Configuring Clients with YaST”).

These methods are described in the following sections.

9.1 Using Kernel Parameters to Access an SMT Server

Important
Important: regcert Parameter Support

Note that the regcert kernel boot parameter is supported for SLE 10 and 11. It is not supported from SLE 12.

Any client can be configured to use SMT by providing the following kernel parameters during machine boot: regurl and regcert. The first parameter is mandatory, the latter is optional.

Warning
Warning: Beware of Typing Errors

Make sure the values you enter are correct. If regurl has not been specified correctly, the registration of the update source will fail.

If an invalid value for regcert has been entered, you will be prompted for a local path to the certificate. In case regcert is not specified, it will default to http://FQDN/smt.crt with FQDN being the name of the SMT server.

regurl

URL of the SMT server.

For SLE 11 and older clients, the URL needs to be in the following format: https://FQDN/center/regsvc/ with FQDN being the fully qualified host name of the SMT server. It must be identical to the FQDN of the server certificate used on the SMT server. Example:

regurl=https://smt.example.com/center/regsvc/

For SLE 12 clients, the URL needs to be in the following format: https://FQDN with FQDN being the fully qualified host name of the SMT server. It must be identical to the FQDN of the server certificate used on the SMT server. Example:

regurl=https://smt.example.com/
regcert

Location of the SMT server's CA certificate. Specify one of the following locations:

URL

Remote location (HTTP, HTTPS, or FTP) from which the certificate can be downloaded. Example:

regcert=http://smt.example.com/smt.crt
Floppy

Specifies a location on a floppy. The floppy needs to be inserted at boot time—you will not be prompted to insert it if it is missing. The value needs to start with the string floppy, followed by the path to the certificate. Example:

regcert=floppy/smt/smt-ca.crt
Local Path

Absolute path to the certificate on the local machine. Example:

regcert=/data/inst/smt/smt-ca.cert
Interactive

Use ask to open a pop-up menu during installation where you can specify the path to the certificate. Do not use this option with AutoYaST. Example:

regcert=ask
Deactivate Certificate Installation

Use done if either the certificate will be installed by an add-on product, or if you are using a certificate issued by an official certificate authority. Example:

regcert=done
Warning
Warning: Change of SMT Server Certificate

If the SMT server gets a new certificate from an untrusted CA, the clients need to retrieve the new CA certificate file.

On SLE 10 and 11, this is done automatically with the registration process in the following cases:

  • If a URL was used at installation time to retrieve the certificate.

  • If the regcert parameter was omitted and thus the default URL is used.

If the certificate was loaded using any other method, such as floppy or local path, the CA certificate will not be updated.

On SUSE Linux Enterprise Server 12, after the certificate has changed, YaST displays a dialog for importing a new certificate. If you confirm importing the new certificate, the old one is replaced with the new one.

9.2 Configuring Clients with AutoYaST Profile

Clients can be configured to register with SMT server via AutoYaST profile. For general information about creating AutoYaST profiles and preparing automatic installation, refer to the AutoYaST Guide. In this section, only SMT specific configuration is described.

To configure SMT specific data using AutoYaST, follow the steps for the relevant version of SMT client.

9.2.1 Configuring SUSE Linux Enterprise 11 Clients

  1. As root, start YaST and select Miscellaneous › Autoinstallation to start the graphical AutoYaST front-end.

    From a command line, you can start the graphical AutoYaST front-end with the yast2 autoyast command.

  2. Open an existing profile using File › Open, create a profile based on the current system's configuration using Tools › Create Reference Profile, or work with an empty profile.

  3. Select Software › Novell Customer Center Configuration. An overview of the current configuration is shown.

  4. Click Configure.

  5. Set the URL of the SMT Server and, optionally, the location of the SMT Certificate. The possible values are the same as for the kernel parameters regurl and regcert (see Section 9.1, “Using Kernel Parameters to Access an SMT Server”). The only exception is that the ask value for regcert does not work in AutoYaST, because it requires user interaction. If using it, the registration process will be skipped.

  6. Perform all other configuration needed for the systems to be deployed.

  7. Select File › Save As and enter a file name for the profile, such as autoinst.xml.

9.2.2 Configuring SUSE Linux Enterprise 12 Clients

  1. As root, start YaST and select Miscellaneous › Autoinstallation to start the graphical AutoYaST front-end.

    From a command line, you can start the graphical AutoYaST front-end with the yast2 autoyast command.

  2. Open an existing profile using File › Open, create a profile based on the current system's configuration using Tools › Create Reference Profile, or work with an empty profile.

  3. Select Software › Product Registration. An overview of the current configuration is shown.

  4. Click Edit.

  5. Check Register the Product, set the URL of the SMT server in Use Specific Server URL Instead of the Default, and you can set the Optional SSL Server Certificate URL. The possible values for the server URL are the same as for the kernel parameter regurl. For the SSL certificate location, you can use either HTTP or HTTPS based URLs.

  6. Perform all other configuration needed for the systems to be deployed, then click Finish to return to the main screen.

  7. Select File › Save As and enter a file name for the profile, such as autoinst.xml.

9.3 Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12

In SLE 11 and 12, the /usr/share/doc/packages/smt/clientSetup4SMT.sh script is provided together with SMT. This script allows you to configure a client machine to use an SMT server. It can also be used to reconfigure an existing client to use a different SMT server.

Note
Note: Installation of wget

The script clientSetup4SMT.sh itself uses wget, so wget must be installed on the client.

Important
Important: Upgrade clientSetup4SMT.sh

If you migrated your client OS from an older SUSE Linux Enterprise, check if the version of the clientSetup4SMT.sh script on your host is up to date. clientSetup4SMT.sh from older versions of SMT cannot manage SMT 12 clients. If you apply software patches regularly on your SMT server, you can always find the latest version of clientSetup4SMT.sh at <SMT_HOSTNAME>/repo/tools/clientSetup4SMT.sh.

To configure a client machine to use SMT with the clientSetup4SMT.sh script, follow these steps:

  1. Copy the clientSetup4SMT.sh script from your SMT server to the client machine. The script is available at <SMT_HOSTNAME>/repo/tools/clientSetup4SMT.sh and /srv/www/htdocs/repo/tools/clientSetup4SMT.sh. You can download it with a browser, using wget, or by another means, such as with scp.

  2. As root, execute the script on the client machine. The script can be executed in two ways. In the first case, the script name is followed by the registration URL. For example:

    ./clientSetup4SMT.sh https://smt.example.com/center/regsvc/

    In the second case, the script uses the --host option followed by the host name of the SMT server, and --regcert followed by the URL of the SSL certificate; for example:

    ./clientSetup4SMT.sh --host smt.example.com \
      --regcert http://smt.example.com/smt.crt

    In this case, without any namespace specified, the client will be configured to use the default production repositories. If --namespace GROUPNAME is specified, the client will use that staging group.

  3. The script downloads the server's CA certificate. Accept it by pressing Y.

  4. The script performs all necessary modifications on the client. However, the registration itself is not performed by the script.

  5. The script downloads and asks to accept additional GPG keys to sign repositories with.

  6. On SLE 11, perform the registration by executing suse_register or running the yast2 inst_suse_register module on the client.

    On SLE 12, perform the registration by executing

    SUSEConnect -p PRODUCT_NAME --url https://smt.example.org

    or running the yast2 registration (SUSE Linux Enterprise Server 12 SP1 and newer) or yast2 scc (SUSE Linux Enterprise Server 12) module on the client.

The clientSetup4SMT.sh script works with SUSE Linux Enterprise 10 SP2 and later Service Packs, SLE 11, and SLE 12 systems.

This script is also provided for download. You can get it by running

wget http://smt.example.com/repo/tools/clientSetup4SMT.sh
Important
Important: Extension and Module Registration in SUSE Linux Enterprise 12

When registering an existing system against SMT 12—both on the command line and using YaST—you need to register additional extensions and modules separately, one by one. This applies both to already installed extensions and to extensions that you plan to install.

9.3.1 Problems Downloading GPG Keys from the Server

The apache2-example-pages package includes a robots.txt file. The file is installed into the Apache2 document root directory, and controls how clients can access files from the Web server. If this package is installed on the server, clientSetup4SMT.sh fails to download the keys stored under /repo/keys.

You can solve this problem by either editing robots.txt, or uninstalling the apache2-example-pages package.

If you choose to edit the robots.txt file, add before the Disallow: / statement:

Allow: /repo/keys

9.4 Configuring Clients with YaST

9.4.1 Configuring Clients with YaST in SLE 11

To configure a client to perform the registration against an SMT server use the YaST registration module (yast2 inst_suse_register).

Click Advanced › Local Registration Server and enter the name of the SMT server plus the path to the registration internals (/center/regsvc/), for example:

https://smt.example.com/center/regsvc/

After confirmation the certificate is loaded and the user is asked to accept it. Then continue.

Warning
Warning: Staging Groups Registration

If a staging group is used, make sure that settings in /etc/suseRegister.conf are done accordingly. If not already done, modify the register= parameter and append &namespace=NAMESPACE. For more information about staging groups, see Section 5.3, “Staging Repositories”.

Alternatively, use the clientSetup4SMT.sh script (see Section 9.3, “Configuring Clients with the clientSetup4SMT.sh Script in SLE 11 and 12”).

9.4.2 Configuring Clients with YaST in SLE 12

To configure a client to perform the registration against an SMT server use the YaST Product Registration module yast2 registration (SUSE Linux Enterprise Server 12 SP1 or newer) or yast2 scc (SUSE Linux Enterprise Server 12).

On the client, the credentials are not necessary and you may leave the relevant fields empty. Click Local Registration Server and enter its URL. Then click Next until the exit from the module.

9.5 Registering SLE11 Clients against SMT Test Environment

To configure a client to register against the test environment instead of the production environment, modify /etc/suseRegister.conf on the client machine by setting:

register = command=register&namespace=testing

For more information about using SMT with a test environment, see Section 4.5, “Using the Test Environment”.

9.6 Registering SLE12 Clients against SMT Test Environment

To register a client in the testing environment, follow these steps:

  1. De-register the client from the SMT server by running SUSEConnect --de-register on the client host.

  2. Modify /etc/SUSEConnect on the client machine as follows:

    namespace: testing
  3. Re-register the client host against SMT in order for the new namespace setting to take effect. See general information about registering SMT clients in Chapter 9, Configuring Clients to Use SMT.

For more information about using SMT with a test environment, see Section 4.5, “Using the Test Environment”.

9.7 Listing Accessible Repositories

To retrieve the accessible repositories for a client, download repo/repoindex.xml from the SMT server with the client's credentials. The credentials are stored in /etc/zypp/credentials.d/SCCcredentials (SUSE Linux Enterprise Server 12) or /etc/zypp/credentials.d/NCCcredentials (SUSE Linux Enterprise Server 11) on the client machine. Using wget, the command for testing could be as follows:

wget https://USER:PASS@smt.example.com/repo/repoindex.xml

repoindex.xml returns the complete repository list as they come from the vendor. If a repository is marked for staging, repoindex.xml lists the repository in the full namespace (repos/full/$RCE).

To get a list of all repositories available on the SMT server, use the credentials specified in the [LOCAL] section of /etc/smt.conf on the server as mirrorUser and mirrorPassword.

9.8 Online Migration of SUSE Linux Enterprise Clients

SUSE Linux Enterprise clients registered against SMT can be migrated online to the latest service pack of the same major release the same way as clients registered against SUSE Customer Center or Novell Customer Center. Before starting the migration, make sure that SMT is configured to provide the correct version of repositories to which you need the clients to migrate.

For detailed information on online migration, see https://documentation.suse.com/sles-11/html/SLES-all/cha-update-sle.html for SUSE Linux Enterprise 11 clients, or 19장 SUSE Linux Enterprise 업그레이드 for SUSE Linux Enterprise 12 clients.

9.9 How to Update Red Hat Enterprise Linux with SMT

SMT enables customers that possess the required entitlements to mirror updates for Red Hat Enterprise Linux (RHEL). Refer to http://www.suse.com/products/expandedsupport/ for details on SUSE Linux Enterprise Server Subscription with Expanded Support. This section discusses the actions required to configure the SMT server and clients (RHEL servers) for this solution.

Note
Note: SUSE Linux Enterprise Server 10

Configuring RHEL client with Subscription Management Tool for SUSE Linux Enterprise (SMT 1.0) running SUSE Linux Enterprise Server 10 is slightly different. For more information, see How to update Red Hat Enterprise Linux with SMT.

9.9.1 How to Prepare SMT Server for Mirroring and Publishing Updates for RHEL

  1. Install SUSE Linux Enterprise Server (SLES) with the SMT packages as per the documentation on the respective products.

  2. During SMT setup, use organization credentials that have access to Novell-provided RHEL update repositories.

  3. Verify that the organization credentials have access to download updates for the Red Hat products with

    smt-repos -m | grep RES
  4. Enable mirroring of the RHEL update repositories for the desired architecture(s):

    smt-repos -e REPO-NAME ARCHITECTURE
  5. Mirror the updates and log verbose output:

    smt-mirror -d -L /var/log/smt/smt-mirror.log

    The updates for RHEL will also be mirrored automatically as part of the default nightly SMT mirroring cron job. When the mirror process of the repositories for your RHEL products has completed, the updates are available via

    http://smt-server.your-domain.top/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/
  6. To enable GPG checking of the repositories, the key used to sign the repositories needs to be made available to the RHEL clients. This key is now available in the res-signingkeys package, which is included in the SMT 11 installation source.

    • Install the res-signingkeys package with the command

      zypper in -y res-signingkeys
    • The installation of the package stores the key file as /srv/www/htdocs/repo/keys/res-signingkeys.key.

    • Now the key is available to the clients and can be imported into their RPM database as described later.

9.9.2 How to Configure the YUM Client on RHEL 5.2 to Receive Updates from SMT

  1. Import the repository signing key downloaded above into the local RPM database with

    rpm --import http://smt.example.com/repo/keys/res-signingkeys.key
  2. Create a file in /etc/yum.repos.d/ and name it RES5.repo.

  3. Edit the file and enter the repository data, and point to the repository on the SMT server as follows:

    [smt]
    name=SMT repository
    baseurl=http://smt.example.com/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/
    enabled=1
    gpgcheck=1

    Example of base URL:

    http://smt.mycompany.com/repo/$RCE/RES5/i386/
  4. Save the file.

  5. Disable standard Red Hat repositories by setting

    enabled=0

    in the repository entries in other files in /etc/yum.repos.d/ (if any are enabled).

    Both YUM and the update notification applet should work correctly now and notify of available updates when applicable. You may need to restart the applet.

9.9.3 How to Configure the UP2DATE Client on RHEL 3.9 and 4.7 to Receive Updates from SMT

  1. Import the repository signing key downloaded above into the local RPM database with

    rpm --import http://smt.example.com/repo/keys/res-signingkeys.key
  2. Edit the file /etc/sysconfig/rhn/sources and make the following changes:

  3. Comment out any lines starting with up2date.

    Normally, there will be a line that says "up2date default".

  4. Add an entry pointing to the SMT repository (all in one line):

    yum REPO_NAME http://smt.example.com/repo/$RCE/REPOSITORY_NAME/ARCHITECTURE/

    where repo-name should be set to RES3 for 3.9 and RES4 for 4.7.

  5. Save the file.

Both up2date and the update notification applet should work correctly now, pointing to the SMT repository and indicating updates when available. In case of trouble, try to restart the applet.

To ensure correct reporting of the Red Hat Enterprise systems in SUSE Customer Center, they need to be registered against your SMT server. For this a special suseRegisterRES package is provided through the RES* repositories and it should be installed, configured and executed as described below.

9.9.4 How to Register RHEL 5.2 against SMT

  1. Install the suseRegisterRES package.

    yum install suseRegisterRES
    Note
    Note: Additional Packages

    You may need to install the perl-Crypt-SSLeay and perl-XML-Parser packages from the original RHEL media.

  2. Copy the SMT certificate to the system:

    wget http://smt.example.com/smt.crt
    cat smt.crt >> /etc/pki/tls/cert.pem
  3. Edit /etc/suseRegister.conf to point to SMT by changing the URL value to

    url: https://smt.example.com/center/regsvc/
  4. Register the system:

    suse_register

9.9.5 How to Register RHEL 4.7 and RHEL 3.9 against SMT

  1. Install the suseRegisterRES package:

    up2date --get suseRegisterRES
    up2date --get perl-XML-Writer
    rpm -ivh /var/spool/up2date/suseRegisterRES*.rpm /var/spool/up2date/perl-XML-Writer-0*.rpm
    Note
    Note: Additional Packages

    You may need to install the perl-Crypt-SSLeay and perl-XML-Parser packages from the original RHEL media.

  2. Copy the SMT certificate to the system:

    wget http://smt.example.com/smt.crt
    cat smt.crt >> /usr/share/ssl/cert.pem
  3. Edit /etc/suseRegister.conf to point to SMT by changing the URL value to

    url = https://smt.example.com/center/regsvc/

    or (for SUSE Customer Center)

    url = https://smt.example.com
  4. Register the system:

    suse_register