Migrating the SUSE Multi-Linux Manager Server to a Containerized Environment

1. Requirements and considerations

1.1. General requirements

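  • To migrate a SUSE Multi-Linux Manager 4.3 server to a container, you need a new machine with SL Micro 6.1 or SUSE Linux Enterprise Server 15 SP7 and mgradm installed.

  • An in-place migration from SUSE Multi-Linux Manager 4.3 to 5.1 is not supported, regardless of whether the chosen host operating system is SL Micro 6.1 or SUSE Linux Enterprise Server 15 SP7.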

Before migrating from SUSE Multi-Linux Manager 4.3 to 5.1, any existing traditional clients including the traditional proxies must be migrated to Salt. For more information about migrating traditional SUSE Multi-Linux Manager 4.3 clients to Salt clients, see Migrate Traditional Clients to Salt Clients.

  • The traditional contact protocol is no longer supported in SUSE Multi-Linux Manager 5.0 and later.

This guide only covers the migration from SUSE Multi-Linux Manager 4.3 to 5.1.

Migrating an existing SUSE Multi-Linux Manager 5.1 instance to the same version while switching the host operating system from SL Micro 6.1 to SUSE Linux Enterprise Server 15 SP7, or vice versa, is not handled by the mgradm migrate command.

1.2. Hostnames

  • The current migration procedure does not include functionality for renaming hostnames. As a result, the fully qualified domain name (FQDN) of the new server will remain the same as that of the old server.

  • The IP address must remain unchanged so that clients can still connect to the server.

After the migration, it is necessary to manually update the DHCP and DNS records to point to the new server.

1.3. GPG keys

  • Self-trusted GPG keys are not migrated.

  • GPG keys that are trusted in the RPM database only are not migrated. Thus, synchronizing channels with spacewalk-repo-sync can fail.

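  • After the actual migration of the server is complete, the administrator must migrate these keys manually from the installed 4.3 system to the container host.

    Procedure: Manual migration of the 4.3 GPG keys to the new server
    1. Copy the keys from the 4.3 server to the container host of the new server.

    2. Later, add each key to the migrated server using the command mgradm gpg add <PATH_TO_KEY_FILE>.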

1.4. SSL certificates

SSL certificates are needed at a later stage. If not using the self-signed generated CA and certificates, ensure you have the following before starting:

  • A certificate authority (CA) SSL public certificate. If you are using a CA chain, all intermediate CAs must also be available.

  • An SSL database private key.

  • An SSL database certificate.

All files must be in PEM format.

The hostname of the SSL server certificate must match the fully qualified hostname of the machine you deploy them on. You can set the hostnames in the X509v3 Subject Alternative Name section of the certificate. You can also list multiple hostnames if your environment requires it. Supported key types are RSA and EC (Elliptic Curve).

The database SSL certificate must list reportdb, db, and the FQDN used to access the report database as Subject Alternative Names.

During a migration the server SSL certificate and CA chain are copied from the source server, meaning that only the database certificates are required.
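
The requirements above can be checked before the migration starts. The following script is an added example, not part of the SUSE documentation: it verifies that a database certificate is PEM-encoded, uses an RSA or EC key, matches its private key, and carries the reportdb, db and FQDN Subject Alternative Names. The function names and the file arguments are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for a third-party database certificate.
# Checks: PEM encoding, RSA or EC key type, key/cert match, required SANs.

# san_dns_names: stdin is `openssl x509 -noout -ext subjectAltName` output;
# prints one DNS name per line.
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p'
}

# missing_sans SAN_TEXT NAME...: prints every required NAME that is absent.
missing_sans() (
    names=$(printf '%s\n' "$1" | san_dns_names)
    shift
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qixF -- "$want" || printf '%s\n' "$want"
    done
)

# key_type_ok ALGORITHM_LINE: succeeds for the key types the page lists.
key_type_ok() {
    case "$1" in
        *rsaEncryption*|*id-ecPublicKey*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_db_cert CERT KEY FQDN: runs in a subshell, so `exit` only leaves it.
check_db_cert() (
    cert=$1 key=$2 fqdn=$3
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" ||
        { echo "not PEM: $cert" >&2; exit 1; }
    alg=$(openssl x509 -in "$cert" -noout -text | grep 'Public Key Algorithm')
    key_type_ok "$alg" || { echo "unsupported key type:$alg" >&2; exit 1; }
    # The private key must produce the same public key as the certificate.
    [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
      "$(openssl pkey -in "$key" -pubout)" ] ||
        { echo "private key does not match certificate" >&2; exit 1; }
    san=$(openssl x509 -in "$cert" -noout -ext subjectAltName)
    miss=$(missing_sans "$san" reportdb db "$fqdn")
    [ -z "$miss" ] || { echo "missing SAN entries: $miss" >&2; exit 1; }
    echo "database certificate OK"
)

# Usage: sh check-db-cert.sh db.crt db.key <FQDN used for the report database>
if [ "$#" -eq 3 ]; then check_db_cert "$@"; fi
```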

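2. Migration

2.1. Prepare SUSE Multi-Linux Manager 5.1 server host

Do not pre-install SUSE Multi-Linux Manager on the prepared SL Micro 6.1 or SUSE Linux Enterprise Server 15 SP7 system.

The migration process is designed to perform the server installation automatically. Running mgradm install and then mgradm migrate is not supported and will leave the system in an unsupported state.

In the following steps, we only prepare the host system and do not actually install the SUSE Multi-Linux Manager 5.1 server.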

You can use VM images based on SL Micro 6.1 as a migration target. In such a scenario, you can prepare the host system as described in

However, at the end the last step is executing the command mgradm migrate <FQDN> instead of mgradm install <FQDN>.

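2.1.1. Prepare SL Micro 6.1 host

2.1.1.1. Download the installation media
Procedure: Downloading the installation media
  1. Go to https://www.suse.com/download/sle-micro/, locate the SL Micro 6.1 installation media, and download the appropriate media file.

  2. Write the downloaded .iso image to a DVD or USB flash drive for the installation.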

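2.1.1.2. Install SL Micro 6.1

For more information about preparing your machines (virtual or physical), see the SL Micro Deployment Guide.

Procedure: Installing SL Micro 6.1
  1. Insert the DVD or USB flash drive (USB disk or key) containing the installation image for SLE Micro 6.1.

  2. Boot or reboot your system.

  3. Use the arrow keys to select Installation.

  4. Adjust the keyboard and language.

  5. Click the checkbox to accept the license agreement.

  6. Click Next to continue.

  7. Select the registration method. For this example, we will register the server with SUSE Customer Center.

    The SUSE Multi-Linux Manager 5.1 containers are installed as extensions. Depending on the specific extension needed from the list below, you also need a SUSE Customer Center registration code for each extension.

    • SUSE Multi-Linux Manager 5.1 Server

    • SUSE Multi-Linux Manager 5.1 Proxy

    • SUSE Multi-Linux Manager 5.1 Retail Branch Server

    The SL Micro 6.1 entitlement is included within the SUSE Multi-Linux Manager entitlement, so it does not require a separate registration code.

  8. Enter your SUSE Customer Center email address.

  9. Enter your registration code for SL Micro 6.1.

  10. Click Next to continue.

  11. To install a proxy, select the SUSE Multi-Linux Manager 5.1 Proxy extension; to install a server, select the SUSE Multi-Linux Manager 5.1 Server extension checkbox.

  12. Click Next to continue.

  13. Enter your SUSE Multi-Linux Manager 5.1 extension registration code.

  14. Click Next to continue.

  15. On the NTP Configuration page, click Next.

  16. On the Authentication for the System page, enter a password for the root user. Click Next.

  17. On the Installation Settings page, click Install.

This concludes the installation of SL Micro 6.1 and SUSE Multi-Linux Manager 5.1 as an extension.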

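2.1.1.3. Registration from the command line (optional)

If you added SUSE Multi-Linux Manager 5.1 as an extension during SL Micro 6.1 installation, you can skip this procedure. However, optionally you may skip registration during SL Micro 6.1 installation by selecting the Skip Registration button. This section provides steps on registering your products after SL Micro 6.1 installation.

The following steps register a SUSE Multi-Linux Manager 5.1 extension with the x86-64 architecture and thus require a registration code for the x86-64 architecture. To register ARM or s390x architectures, use the correct registration code.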

Procedure: Registering from the command line
  1. List available extensions with the following command:

    transactional-update --quiet register --list-extensions
  2. From the list of available extensions, select the one you wish to install:

    1. If installing the Server, use your SUSE Multi-Linux Manager Server Extension 5.1 x86_64 registration code with the following command:

      transactional-update register -p Multi-Linux-Manager-Server/5.1/x86_64 -r <reg_code>
    2. If installing the Proxy, use your SUSE Multi-Linux Manager Proxy Extension 5.1 x86_64 registration code with the following command:

      transactional-update register -p Multi-Linux-Manager-Proxy/5.1/x86_64 -r <reg_code>
  3. Reboot.

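2.1.1.4. Update the system
Procedure: Updating the system
  1. Log in as root.

  2. Run transactional-update:

    transactional-update
  3. Reboot.

SL Micro is designed to update itself automatically by default and will reboot after applying updates. However, this behavior is not desirable for the SUSE Multi-Linux Manager environment. To prevent automatic updates on your server, SUSE Multi-Linux Manager disables the transactional-update timer during the bootstrap process.

If you prefer to use the SL Micro default behavior, enable the timer by running the following command:

systemctl enable --now transactional-update.timer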

2.1.2. Prepare SUSE Linux Enterprise Server 15 SP7 host

Alternatively, you can deploy SUSE Multi-Linux Manager on SUSE Linux Enterprise Server 15 SP7.

The following procedures describe the main steps of the installation process.

2.1.2.1. Install SUSE Multi-Linux Manager extensions on SUSE Linux Enterprise Server
Procedure: Installing SUSE Multi-Linux Manager Extensions on SUSE Linux Enterprise Server
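  1. Go to https://www.suse.com/download/sles/, then locate and download the SUSE Linux Enterprise Server 15 SP7 .iso.

  2. Make sure that you have registration codes both for the host operating system (SUSE Linux Enterprise Server 15 SP7) and for the extensions.

  3. Start the installation of SUSE Linux Enterprise Server 15 SP7.

    1. On the Language, Keyboard and Product Selection screen, select the product to install.

    2. On the License Agreement screen, read the agreement and check I Agree to the License Terms.

  4. Select the registration method. For this example, we will register the server with SUSE Customer Center.

  5. Enter your SUSE Customer Center email address.

  6. Enter your registration code for SUSE Linux Enterprise Server 15 SP7.

  7. Click Next to continue.

    Note that for SUSE Linux Enterprise Server 15 SP7, you are required to have a valid SUSE Linux Enterprise Server subscription and the corresponding registration code, which you must provide on this screen. You will be required to enter the SUSE Multi-Linux Manager extension registration code below.

  8. On the Extension and Module Selection screen, select the following:

    • Select the SUSE Multi-Linux Manager Server Extension to install the Server, or the SUSE Multi-Linux Manager Proxy Extension to install the Proxy.

    • Basesystem Module

    • Containers Module

  9. Click Next to continue.

  10. Enter your SUSE Multi-Linux Manager 5.1 extension registration code.

  11. Click Next to continue.

  12. Complete the installation.

  13. When the installation completes, log in to the newly installed server as root.

  14. Update the system (optional, if the system was not set to download updates automatically during installation):

    zypper up
  15. Reboot.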

2.1.2.2. Registration from the command line (optional)

If you added SUSE Multi-Linux Manager 5.1 as an extension during SUSE Linux Enterprise Server installation then you can skip this procedure.

However, optionally you may skip registration during SUSE Linux Enterprise Server installation by selecting the Skip Registration button. This section provides steps on registering your products after SUSE Linux Enterprise Server installation.

The following steps register a SUSE Multi-Linux Manager 5.1 extension with the x86-64 architecture and thus require a registration code for the x86-64 architecture.

To register ARM or s390x architectures use the correct registration code.

Procedure: Registering from the command line
  1. List available extensions with the following command:

    SUSEConnect --list-extensions

  2. From the list of available extensions, select the one you wish to install:

    • If installing the Server, use your SUSE Multi-Linux Manager Server Extension 5.1 x86_64 registration code. For example, for SUSE Linux Enterprise 15 SP7, use the following commands:

      SUSEConnect -r <regcode>
      SUSEConnect -p sle-module-containers/15.7/x86_64
      SUSEConnect -p Multi-Linux-Manager-Server-SLE/5.1/x86_64 -r <regcode>
    • If installing the Proxy, use your SUSE Multi-Linux Manager Proxy Extension 5.1 x86_64 registration code with the following command:

      SUSEConnect -p Multi-Linux-Manager-Proxy-SLE/5.1/x86_64 -r <regcode>

2.1.2.3. Install and enable podman
Procedure: Installing podman
  1. Log in as root and install the product package.

    • On the server:

      zypper in podman
      zypper in -t product SUSE-Multi-Linux-Manager-Server
    • On the proxies:

      zypper in podman
      zypper in -t product SUSE-Multi-Linux-Manager-Proxy

      Make sure that the podman package is installed. Additionally, mgradm and mgradm-bash-completion must be installed on the server, and mgrpxy and mgrpxy-bash-completion on the proxies.

  2. Reboot the system, or run the following command to start the Podman service:

    systemctl enable --now podman.service

2.2. SSH connection preparation

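This step ensures that the new SUSE Multi-Linux Manager 5.1 server can connect to the existing 4.3 server over SSH without a password. It includes generating and configuring SSH keys, setting up the SSH agent, and copying the public key to the old server. This setup is required for the migration process to run without manual intervention.

Procedure: Preparing the SSH connection
  1. Ensure that an SSH key exists for root on the new 5.1 server. If a key does not exist, create one with the following command:

    ssh-keygen -t rsa
  2. The SSH configuration and agent must be ready on the new server so that connecting to the 4.3 server does not prompt for a password.

    eval $(ssh-agent); ssh-add

    The migration script relies on an SSH agent running on the new server to establish a connection that does not prompt for a password. If the agent is not yet active, start it by running eval $(ssh-agent). Then add the SSH key to the running agent with ssh-add, followed by the path to the private key. You will be prompted for the passphrase of the private key during this process.

  3. Copy the public SSH key to the SUSE Multi-Linux Manager 4.3 server (<oldserver.fqdn>) with ssh-copy-id. Replace <oldserver.fqdn> with the FQDN of the 4.3 server:

    ssh-copy-id <oldserver.fqdn>

    The SSH key will be copied into the ~/.ssh/authorized_keys file on the old server. For more information, see the ssh-copy-id manual page.

  4. Establish an SSH connection from the new server to the old SUSE Multi-Linux Manager server to check that no password is needed. In addition, there must be no problem with the host fingerprint. In case of trouble, remove the old fingerprint from the ~/.ssh/known_hosts file, then try again. The fingerprint will be stored in the local ~/.ssh/known_hosts file.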
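
The check in step 4 can be scripted so that it fails instead of prompting. The following is an added example, not part of the SUSE documentation: it confirms that the agent holds a key and that a non-interactive connection to the old server succeeds with strict host key checking. The function names and result labels are assumptions chosen for illustration, and the connection is made as root.

```shell
#!/bin/sh
# Added example: pre-flight check for the SSH setup used by mgradm migrate.

# agent_state RC: interpret the exit status of `ssh-add -l`
# (0 = keys loaded, 1 = agent has no keys, 2 = no agent reachable).
agent_state() {
    case "$1" in
        0) echo keys ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# classify_ssh_result RC STDERR: map a batch-mode ssh attempt to a finding.
# The "CHANGED" banner is tested first because OpenSSH prints it together
# with "Host key verification failed".
classify_ssh_result() {
    case "$2" in
        *"REMOTE HOST IDENTIFICATION HAS CHANGED"*) echo hostkey-changed ;;
        *"Host key verification failed"*) echo hostkey-unknown ;;
        *"Permission denied"*) echo key-not-accepted ;;
        *) if [ "$1" -eq 0 ]; then echo ok; else echo unreachable; fi ;;
    esac
}

# ssh_preflight OLD_FQDN: runs in a subshell, so `exit` only leaves it.
ssh_preflight() (
    old=$1 rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    state=$(agent_state "$rc")
    [ "$state" = keys ] || { echo "ssh-agent: $state" >&2; exit 1; }
    # BatchMode fails instead of prompting; StrictHostKeyChecking=yes
    # refuses unknown or changed host keys instead of asking.
    rc=0
    err=$(ssh -o BatchMode=yes -o StrictHostKeyChecking=yes \
              -o ConnectTimeout=10 "root@$old" true 2>&1 >/dev/null) || rc=$?
    res=$(classify_ssh_result "$rc" "$err")
    echo "ssh root@$old: $res"
    [ "$res" = ok ]
)

# Usage: sh ssh-preflight.sh <oldserver.fqdn>
if [ "$#" -eq 1 ]; then ssh_preflight "$1"; fi
```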

2.3. Perform the migration

When planning your migration from SUSE Manager 4.3 to SUSE Multi-Linux Manager 5.1, ensure that your target instance meets or exceeds the specifications of the old setup.

This includes, but is not limited to, memory (RAM), CPU cores, storage, and network bandwidth.

SUSE Multi-Linux Manager server hosts that are hardened for security may restrict execution of files from the /tmp folder. In such cases, as a workaround, export the TMPDIR environment variable to another existing path before running mgradm.

For example:

export TMPDIR=/path/to/other/tmp

In a later SUSE Multi-Linux Manager update, the tools will be changed so that this workaround is no longer needed.

When migrating from SUSE Manager 4.3, you will be prompted for the Password for the CA key to generate. It is essential to enter the same CA password that was used in your SUSE Manager 4.3 installation.

Entering the wrong password will result in a failure to generate the database certificate and will cause the migration to abort with the following error:

Error: cannot configure db container: Cannot generate database certificate: CA validation failed!

Make sure the correct CA password is available before starting the migration process.

Procedure: Performing the migration
  1. This step is optional. If your infrastructure requires custom persistent storage, use the mgr-storage-proxy tool. For more information about mgr-storage-server, see installation-and-upgrade:hardware-requirements.adoc#install-hardware-requirements-storage

  2. Execute the following command to migrate and set up a new SUSE Multi-Linux Manager 5.1 server. Replace <oldserver.fqdn> with the FQDN of the 4.3 server:

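    Make sure to upgrade your 4.3 server and apply all available updates before starting the migration. Furthermore, remove any unnecessary channels to help reduce the overall migration time.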

    The migration can take a very long time depending on the amount of data that needs to be replicated. To reduce downtime it is possible to run the migration multiple times in a process of initial replication, re-replication, or final replication and switch over while all the services on the old 4.3 server can stay up and running.

    Only during the final migration, the processes on the old 4.3 server need to be stopped.

    For all non-final replications add the parameter --prepare to prevent the automatic stopping of services on the old 4.3 server.

    mgradm migrate podman <oldserver.fqdn> --prepare
Procedure: Final migration
  1. Stop the SUSE Manager services on 4.3 Server:

    spacewalk-service stop
  2. Stop the PostgreSQL service on the 4.3 server:

    systemctl stop postgresql
  3. Perform the final migration on SUSE Multi-Linux Manager 5.1 Server:

    mgradm migrate podman <oldserver.fqdn>
  4. Migrate trusted SSL CA certificates.

2.3.1. Migration of the certificates

Trusted SSL CA certificates that were installed as part of an RPM and stored on SUSE Multi-Linux Manager 4.3 in the /usr/share/pki/trust/anchors/ directory will not be migrated. Because SUSE does not install RPM packages in the container, the administrator must migrate these certificate files manually from the SUSE Manager 4.3 server after the migration.

Procedure: Migrating the certificates
  1. Copy the file from the SUSE Manager 4.3 Server to the new SUSE Multi-Linux Manager 5.1 Server. For example, as /local/ca.file.

  2. Copy the file into the container with the following command:

    mgrctl cp /local/ca.file server:/etc/pki/trust/anchors/

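After successfully running the mgradm migrate command, the Salt setup on all clients will still point to the old 4.3 server.

To redirect them to the 5.1 server, it is required to rename the new server at the infrastructure level (DHCP and DNS) to use the same FQDN and IP address as the 4.3 server.

If a recent version of the minion is installed on the clients, adjusting the IP address can be avoided, because newer versions automatically reconnect to the server using the FQDN alone.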

3. Client tools rebranding

SUSE Multi-Linux Manager 5.1 introduces a rebranded set of client tools for all supported operating systems. This transition is seamless, and users performing a new product synchronization should only notice the updated channel names.

Channels named SUSE Manager Client Tools for XYZ, used by clients previously registered with SUSE Multi-Linux Manager 4.3 or 5.0, are no longer available in version 5.1 and will no longer receive updates in 5.1.

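Although the legacy channels remain assigned to existing clients after the migration, the corresponding repositories have been removed.

To ensure that clients continue to receive updates, users must do the following: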

  • Mirror the new SUSE Multi-Linux Manager Client Tools for XYZ channels for the relevant products and assign them to the appropriate clients.

  • Unassign the outdated SUSE Manager Client Tools for XYZ channels.

This also means that any CLM projects based on the old client tools must be adjusted accordingly.

For an example workflow, see Switch to new client tools channels.