Getting Started with Trento #

Trento is the official version of the Trento community project. It is a comprehensive monitoring solution consisting of two main components: the Trento Server and the Trento Agent. Trento provides the following functionality and features:

The Trento Server is an independent, distributed system designed to run on a Kubernetes cluster or as a regular systemd stack. The Trento Server provides a Web front-end for user interaction. The Trento Server consists of the following components:

The Trento Agent is a single background process (trento agent) running on each monitored host of the SAP infrastructure.

See Figure 1, “Architectural overview” for additional details.

Figure 1: Architectural overview #

  

Trento is available at no extra cost for SUSE Linux Enterprise Server for SAP applications 15 subscribers. Particularly, Trento's two main components have the following product lifecycles:

This section describes requirements for the Trento Server and its Trento Agents.

Before you can install a Trento Agent, you must obtain the API key of your Trento Server. Proceed as follows:

To install the Trento Agent on an SAP host and register it with the Trento Server, repeat the steps in Procedure 2, “Installing Trento Agents”:

Trento provides a local permission-based user management feature with optional multi-factor authentication. This feature enables segregation of duties in the Trento interface and ensures that only authorized users with the right permissions can access it.

User management actions are performed in the Users view in the left-hand panel of the Trento Web console.

By default, a newly created user is granted display access rights except for the Users view. Where available, a user with default access can configure filters and pagination settings matching their preferences.

To perform protected actions, the user must have additional permissions added to their user profile. Below is the list of currently available permissions:

Using the described permissions, it is possible to create the following types of users:

The default admin user created during the installation process is granted all:all permissions and cannot be modified or deleted. Use it only to create the first user manager (a user with all:users permissions who creates all the other required users). Once a user with all:users permissions is created, the default admin user must be treated as a fallback user in case all other access to the console is lost. If the password of the default admin user is lost, it can be reset by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User passwords, including the default admin user password, must follow the rules below:

The Create User and Edit User views provide a built-in password generation button that allows user managers to easily generate secure and compliant passwords. The user manager must provide the user with their password through an authorized secure channel.

A user can reset their password in the Profile view. In this view, they can also update their name and email address as well as activate multi-factor authentication using an authenticator app. Multi-factor authentication increases the security of a user account by requesting a temporary second password or code when logging in the console. User managers can disable multi-factor authentication for any given user that has it enabled. However, user managers cannot enable multi-factor authentication on their behalf. The default admin user cannot enable its own multi-factor authentication.

Note: Security Tip for Multi-Factor Authentication

Since multi-factor authentication cannot be enabled for the default admin user, keeping its password safe is imperative. If the default admin user's password is compromised, reset it immediately by updating the Helm chart or the web component configuration, depending on which deployment method was used to install Trento Server.

User managers can enable and disable users. When a user logged in the console is disabled by a user admin, their session is terminated immediately.

Trento can be integrated for Single Sign-On with a third-party identity provider (IDP).

Note

Trento cannot start with multiple SSO options together, so only one can be chosen.

The following protocols are supported:

7.4 Using SAML #

  

Trento integrates with an IDP that uses the SAML protocol to authenticate users accessing the Trento web console. Trento will behave as a Service Provider (SP) in this case.

Commonly, SAML protocol messages are signed with SSL. This is optional using Trento, and the signing is not required (even though it is recommended). If the IDP signs the messages and expects signed messages back, certificates used by the SP (Trento in this case) must be provided to the IDP, the public certificate file in this case.

To use an existing SAML IDP, follow the next instructions to meet the specific requirements. You need:

1. Obtain metadata content from the IDP

2. Start Trento to generate the certificates and get them (SAML must be enabled for this)

3. Provide the generated certificate to the IDP

4. Configure SAML IDP and user profiles

See the following subsections for details.

7.4.1 Obtaining metadata content from the IDP #

  

The metadata.xml file defines the agreement between SP and IDP during SAML communications. It is used to identify the SAML client as well. The content of this file must be provided to Trento. Options SAML_METADATA_URL and SAML_METADATA_CONTENT are available for that.

If the SAML_METADATA_CONTENT option is being used, the content of this variable must be updated with the IDP metadata as a single-line string. On the other hand, if SAML_METADATA_URL is used, the new metadata is automatically fetched when Trento starts. If neither of these steps are completed, communication will fail because the message signatures will not be recognized.

If the used IDP has the endpoint to provide the metadata.xml file content, prefer the variable SAML_METADATA_URL. Trento will automatically fetch metadata when started.

7.4.2 Getting certificates from Trento #

  

Trento provides a set of certificates created during installation. Regardless of the installation mode, when Trento is installed the first time and SAML is enabled the certificates are created and the public certificate file content is available in the https://#{TRENTO_WEB_ORIGIN}/api/public_keys route.

Use the following command to get the certificate content:

curl https://#{TRENTO_WEB_ORIGIN}/api/public_keys

Copy the content of the certificate from there and provide it to the IDP. This way, the IDP will sign its messages and verify the messages received from Trento.

Note

To get the certificate using this route, Trento must be configured to start with SAML enabled.

7.4.3 Configuring SAML IDP setup #

  

Configure the existing IDP with the next minimum options to be able to connect with Trento as a Service Provider (SP).

7.4.3.1 Providing certificates #

  

As commented previously, a set of certificates is needed to enable signed communication. Provide the certificate generated by Trento to the IDP (each IDP has a different way to do this). Make sure that the configured certificate is used for signing and encrypting messages.

7.4.3.2 Configuring SAML user profile #

  

Users provided by the SAML installation must have some few mandatory attributes to login in Trento. The required attributes are: username, email, first name and last name. All of them are mandatory, even though their field names are configurable.

By default, Trento expects the username, email, firstName and lastName attribute names. All these 4 attribute names are configurable using the next environment variables, following the same order: SAML_USERNAME_ATTR_NAME, SAML_EMAIL_ATTR_NAME, SAML_FIRSTNAME_ATTR_NAME and SAML_LASTNAME_ATTR_NAME.

Both IDP and Trento must know how these 4 fields are mapped. To do this, follow the next instructions:

1. Add the attributes if they do not exist in the IDP user profile. If they already exist, do not change the attributes and keep their original values.

2. Configure Trento to use the IDP attribute field names. To do this, set the SAML_USERNAME_ATTR_NAME, SAML_EMAIL_ATTR_NAME, SAML_FIRSTNAME_ATTR_NAME and SAML_LASTNAME_ATTR_NAME environment values with the values configured in the IDP. For example, if the IDP user profile username is defined as attr:username use SAML_USERNAME_ATTR_NAME=attr:username.

7.4.3.3 Checking SAML redirect URI #

  

After a successful login, the IDP redirects the user's session back to Trento and redirected at https://trento.example.com/sso/sp/consume/saml. To ensure seamless SSO, this URI must be configured as valid within the IDP.

7.4.4 Enabling SAML when using Kubernetes deployment #

  

To enable SAML when using Kubernetes deployment with helm, proceed as follows:

1. Add the following variables to the previously documented helm installation command:

   HELM_EXPERIMENTAL_OCI=1 helm ... \
      --set trento-web.saml.enabled=true \
      --set trento-web.saml.idpId=<SAML_IDP_ID> \
      --set trento-web.saml.spId=<SAML_SP_ID> \
      --set trento-web.saml.metadataUrl=<SAML_METADATA_URL>

   To use the SAML_METADATA_CONTENT option rather than SAML_METADATA_URL use:

   HELM_EXPERIMENTAL_OCI=1 helm ... \
      --set trento-web.saml.enabled=true \
      --set trento-web.saml.idpId=<SAML_IDP_ID> \
      --set trento-web.saml.spId=<SAML_SP_ID> \
      --set trento-web.saml.metadataContent=<SAML_METADATA_CONTENT>

   Additionally, the following optional values are available:

   HELM_EXPERIMENTAL_OCI=1 helm ... \
      --set trento-web.saml.idpNameIdFormat=<SAML_IDP_NAMEID_FORMAT> \
      --set trento-web.saml.spDir=<SAML_SP_DIR> \
      --set trento-web.saml.spEntityId=<SAML_SP_ENTITY_ID> \
      --set trento-web.saml.spContactName=<SAML_SP_CONTACT_NAME> \
      --set trento-web.saml.spContactEmail=<SAML_SP_CONTACT_EMAIL> \
      --set trento-web.saml.spOrgName=<SAML_SP_ORG_NAME> \
      --set trento-web.saml.spOrgDisplayName=<SAML_SP_ORG_DISPLAYNAME> \
      --set trento-web.saml.spOrgUrl=<SAML_SP_ORG_URL> \
      --set trento-web.saml.usernameAttrName=<SAML_USERNAME_ATTR_NAME> \
      --set trento-web.saml.emailAttrName=<SAML_EMAIL_ATTR_NAME> \
      --set trento-web.saml.firstNameAttrName=<SAML_FIRSTNAME_ATTR_NAME> \
      --set trento-web.saml.lastNameAttrName=<SAML_LASTNAME_ATTR_NAME> \
      --set trento-web.saml.signRequests=<SAML_SIGN_REQUESTS> \
      --set trento-web.saml.signMetadata=<SAML_SIGN_METADATA> \
      --set trento-web.saml.signedAssertion=<SAML_SIGNED_ASSERTION> \
      --set trento-web.saml.signedEnvelopes=<SAML_SIGNED_ENVELOPES>

7.4.5 Enabling SAML when using RPM packages #

  

To enable SAML when using RPM packages, proceed as follows:

1. Open the file /etc/trento/trento-web.

2. Add the following environment variables to this file. Required variables are:

   # Required:
   ENABLE_SAML=true
   SAML_IDP_ID=<SAML_IDP_ID>
   SAML_SP_ID=<SAML_SP_ID>
   # Only SAML_METADATA_URL or SAML_METADATA_CONTENT must by provided
   SAML_METADATA_URL=<SAML_METADATA_URL>
   SAML_METADATA_CONTENT=<SAML_METADATA_CONTENT>
   
   # Optional:
   SAML_IDP_NAMEID_FORMAT=<SAML_IDP_NAMEID_FORMAT>
   SAML_SP_DIR=<SAML_SP_DIR>
   SAML_SP_ENTITY_ID=<SAML_SP_ENTITY_ID>
   SAML_SP_CONTACT_NAME=<SAML_SP_CONTACT_NAME>
   SAML_SP_CONTACT_EMAIL=<SAML_SP_CONTACT_EMAIL>
   SAML_SP_ORG_NAME=<SAML_SP_ORG_NAME>
   SAML_SP_ORG_DISPLAYNAME=<SAML_SP_ORG_DISPLAYNAME>
   SAML_SP_ORG_URL=<SAML_SP_ORG_URL>
   SAML_USERNAME_ATTR_NAME=<SAML_USERNAME_ATTR_NAME>
   SAML_EMAIL_ATTR_NAME=<SAML_EMAIL_ATTR_NAME>
   SAML_FIRSTNAME_ATTR_NAME=<SAML_FIRSTNAME_ATTR_NAME>
   SAML_LASTNAME_ATTR_NAME=<SAML_LASTNAME_ATTR_NAME>
   SAML_SIGN_REQUESTS=<SAML_SIGN_REQUESTS>
   SAML_SIGN_METADATA=<SAML_SIGN_METADATA>
   SAML_SIGNED_ASSERTION=<SAML_SIGNED_ASSERTION>
   SAML_SIGNED_ENVELOPES=<SAML_SIGNED_ENVELOPES>

3. Restart the application.

7.4.6 Enabling SAML when using Docker images #

  

To enable SAML when using Docker images, proceed as follows:

1. If trento-web container is already running stop and delete the container before continuing. For that run:

   docker stop trento-web
   docker rm trento-web

2. Use the following environment variables to the Docker container via the -e option:

   docker run -d \
   -p 4000:4000 \
   --name trento-web \
   --network trento-net \
   --add-host "host.docker.internal:host-gateway" \
   
   ...[other settings]...
   
   -e ENABLE_SAML=true
   -e SAML_IDP_ID=<SAML_IDP_ID> \
   -e SAML_SP_ID=<SAML_SP_ID> \
   # Only SAML_METADATA_URL or SAML_METADATA_CONTENT must by provided
   -e SAML_METADATA_URL=<SAML_METADATA_URL> \
   -e SAML_METADATA_CONTENT=<SAML_METADATA_CONTENT> \
   
   # Optional:
   -e SAML_IDP_NAMEID_FORMAT=<SAML_IDP_NAMEID_FORMAT> \
   -e SAML_SP_DIR=<SAML_SP_DIR> \
   -e SAML_SP_ENTITY_ID=<SAML_SP_ENTITY_ID> \
   -e SAML_SP_CONTACT_NAME=<SAML_SP_CONTACT_NAME> \
   -e SAML_SP_CONTACT_EMAIL=<SAML_SP_CONTACT_EMAIL> \
   -e SAML_SP_ORG_NAME=<SAML_SP_ORG_NAME> \
   -e SAML_SP_ORG_DISPLAYNAME=<SAML_SP_ORG_DISPLAYNAME> \
   -e SAML_SP_ORG_URL=<SAML_SP_ORG_URL> \
   -e SAML_USERNAME_ATTR_NAME=<SAML_USERNAME_ATTR_NAME> \
   -e SAML_EMAIL_ATTR_NAME=<SAML_EMAIL_ATTR_NAME> \
   -e SAML_FIRSTNAME_ATTR_NAME=<SAML_FIRSTNAME_ATTR_NAME> \
   -e SAML_LASTNAME_ATTR_NAME=<SAML_LASTNAME_ATTR_NAME> \
   -e SAML_SIGN_REQUESTS=<SAML_SIGN_REQUESTS> \
   -e SAML_SIGN_METADATA=<SAML_SIGN_METADATA> \
   -e SAML_SIGNED_ASSERTION=<SAML_SIGNED_ASSERTION> \
   -e SAML_SIGNED_ENVELOPES=<SAML_SIGNED_ENVELOPES> \
   
   ...[other settings]...

7.4.7 Available variables for SAML #

  

SAML_IDP_ID

SAML IDP id

SAML_SP_ID

SAML SP id

SAML_METADATA_URL

URL to retrieve the SAML metadata xml file. One of SAML_METADATA_URL or SAML_METADATA_CONTENT is required

SAML_METADATA_CONTENT

One line string containing the SAML metadata xml file content (SAML_METADATA_URL has precedence over this)

SAML_IDP_NAMEID_FORMAT

SAML IDP name id format, used to interpret the attribute name. Whole urn string must be used (default value: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)

SAML_SP_DIR

SAML SP directory, where SP specific required files (such as certificates and metadata file) are placed (default value: /etc/trento/saml)

SAML_SP_ENTITY_ID

SAML SP entity id. If it is not given, value from the metadata.xml file is used

SAML_SP_CONTACT_NAME

SAML SP contact name (default value: Trento SP Admin)

SAML_SP_CONTACT_EMAIL

SAML SP contact email (default value: admin@trento.suse.com)

SAML_SP_ORG_NAME

SAML SP organization name (default value: Trento SP)

SAML_SP_ORG_DISPLAYNAME

SAML SP organization display name (default value: SAML SP build with Trento)

SAML_SP_ORG_URL

SAML SP organization url (default value: https://www.trento-project.io/)

SAML_USERNAME_ATTR_NAME

SAML user profile "username" attribute field name. This attribute must exist in the IDP user (default value: username)

SAML_EMAIL_ATTR_NAME

SAML user profile "email" attribute field name. This attribute must exist in the IDP user (default value: email)

SAML_FIRSTNAME_ATTR_NAME

SAML user profile "first name" attribute field name. This attribute must exist in the IDP user (default value: firstName)

SAML_LASTNAME_ATTR_NAME

SAML user profile "last name" attribute field name. This attribute must exist in the IDP user (default value: lastName)

SAML_SIGN_REQUESTS

Sign SAML requests in the SP side (default value: true)

SAML_SIGN_METADATA

Sign SAML metadata documents in the SP side (default value: true)

SAML_SIGNED_ASSERTION

Require receiving SAML assertion signed from the IDP. Set to false if the IDP does not sign the assertion (default value: true)

SAML_SIGNED_ENVELOPES

Require receiving SAML envelopes signed from the IDP. Set to false if the IDP does not sign the envelopes (default value: true)

Trento collects system events and user actions in the Activity Log. It can be accessed from the left-hand panel of the Trento console.

Each entry in the Activity Log includes the following:

Clicking on the chevron icon in the activity log entry opens a modal window containing the activity metadata.

The Activity Log allows to filter by the type of event or user action (commonly referred to as resource type) and by the user that triggered the event or performed the action. Only active users are available for filtering. The Activity Log also allows you to filter out entries that are newer and/or older than a specific date and time (server time).

Once a filter has been set, click Apply to filter out the undesired entries and Reset to remove all the filters.

Entries related to user management can only be displayed by users that have the all:all or all:users permissions. This includes the following:

Entries in the Activity Log are sorted from newer to older. Click Refresh to update the Activity Log view with entries generated since they accessed the view or after the last refresh

The pagination features at the bottom of the Activity Log allow you to specify the number of entries to display in a page, go to the next or previous page of the view, and jump to the last page and back to the first one.

The default retention time for entries in the Activity Log is one month. This can be changed in the Activity Log section under Settings. Changing the retention time requires the all:settings permissions. Entries older than the specified retention time are deleted every day at midnight (server time).

Trento provides configuration checks that ensure your infrastructure setup adheres to our or other vendor's Best Practices, and it does not diverge with time. Configuration checks are available for HANA clusters, ASCS/ERS clusters and hosts. The following procedure is specific to a HANA cluster. The procedure for an ASCS/ERS cluster or a host would be exactly the same, except it starts from the corresponding Details view.

When checks for a given cluster have been selected, Trento executes them automatically every five minutes, updating the results. A spinning check execution result icon means that an execution is running.

The left sidebar in the Trento Web console contains the following entries:

10.1 Getting the global health state #

  

The dashboard allows you to determine at a glance the health status of your SAP environment. It is the main page of the Trento Web console, and you can always switch to it by clicking on Dashboard in the left sidebar.

The health status of a registered SAP system is the sum of its health status at three different layers representing the SAP architecture:

• Hosts. Reflects the heartbeat of the Trento Agent and the tuning status returned by saptune (where applicable).

• Pacemaker Clusters. The status based on the running status of the cluster and the results of the configuration checks.

• Database. Collects the status of the HANA instances as returned by sapcontrol.

• Application instances. Summarizes the status of the application instances as returned by sapcontrol.

In addition to the operating system layer, there is also information about the health status of the HA components where they exist:

• Database cluster. The status based on the running status of the database cluster and the results of the selected configuration checks.

• Application cluster. The status based on the running status of the ASCS/ERS cluster and, eventually, the results of the selected configuration checks.

The dashboard groups systems in three different health boxes (see Figure 6, “Dashboard with the global health state”):

Figure 6: Dashboard with the global health state #

  

The three different health states #

  

Passing

Shows the number of systems with all layers with passing (green) status.

Warning

Shows the number of systems with at least one layer with warning (yellow) status and the rest with passing (green) status.

Critical

Shows the number of systems with at least one layer with critical (red) status.

The health boxes in the dashboard are clickable. Clicking on a box filters the dashboard by systems with the corresponding health status. In large SAP environments, this feature can help the SAP administrator to determine which systems are in a given status.

The icons representing the health summary of a particular layer contain links to the views in the Trento console that can help determine the source of the issue:

• Hosts health icon:Link to the Hosts overview filtered by SID equal to the SAPSID and the DBSID of the corresponding SAP system.

• Database cluster health icon:Link to the corresponding SAP HANA Cluster Details view.

• Database health icon:Link to the corresponding HANA Database Details view.

• Application cluster health icon:Link to the corresponding ASCS/ERS Cluster Details view.

• Application Instances health icon:Link to the corresponding SAP System Details view.

Gray status is returned when either a component does not exist, or it is stopped (as returned by sapcontrol), or its status is unknown (for instance, if a command to determine the status fails).

Gray statuses are not yet counted in the calculation of the global health status.

When the heartbeat of an agent fails, an option to clean-up the corresponding host is displayed in the Hosts overview and the corresponding Host details view.

Figure 15: Clean up button in Hosts overview #

  

Figure 16: Clean up button in Host details view #

  

Use the Clean up button to remove all the components discovered by the agent in the host (including the host itself and other components that might depend on the ones running on the host) from the console.

For example, when cleaning up the host where the primary application server of an SAP System is registered, the entire SAP System is removed from the console.

Similarly, when a registered application or SAP HANA instance is no longer discovered, an option to clean it up is displayed in the corresponding overview and the corresponding details view.

Figure 17: Clean up button SAP systems overview #

  

Figure 18: Clean up button in SAP system details view #

  

Use the Clean up button to remove the instance and any dependencies from the console.

For example, cleaning up the ASCS instance of an SAP system removes the entire SAP system from the console.

Tags are used to label specific objects with location, owner, etc. The objects can be hosts, clusters, databases or SAP systems. Tags make it easier to distinguish and show all these different objects, making your lists more readable and searchable. You can use any text you like to create your tags except blank spaces and special characters other than + - = . , _ : and @.

The following subsection shows how you can add, remove, and filter objects based on your tags.

Trento can be integrated with SUSE Multi-Linux Manager to provide the SAP administrator with information about relevant patches and upgradable packages for any host that is registered with both applications.

The user must enter the connection settings for SUSE Multi-Linux Manager in the Settings view:

Figure 19: SUSE Multi-Linux Manager settings #

  

When the SUSE Multi-Linux Manager settings are configured, the SAP Basis administrator can test the connection by clicking the Test button. If the connection is successful, the Host Details view of each host managed by SUSE Multi-Linux Manager displays a summary of available patches and upgradable packages:

Figure 20: Available software updates in the Host Details view #

  

Click Relevant Patches to open the Relevant Patches overview containing a list of patches available for the host:

Figure 21: Available Patches overview #

  

Click Upgradable Packages to open the Upgradable Packages overview containing a list of packages that can be upgraded on that particular host:

Figure 22: Upgradable Packages overview #

  

Click an advisory or patch link to access the corresponding details view with relevant information, such us whether it requires a reboot or not, associated vulnerabilities, or a list of affected hosts:

Figure 23: Advisory Details view #

  

There are three types of patches or advisories: security advisories, bug fixes and feature enhancements. Security advisories are considered critical. If an advisory is available, the health of the host is set to critical. If there are available patches but none of them is a security one, the health of the host switches to warning. When a host cannot be found in SUSE Multi-Linux Manager, or there is a problem retrieving the data for it, its health is set to unknown.

You can clear the SUSE Multi-Linux Manager settings from the Settings view at any time. When you do this, all information about available software updates disappears from the console, and the status of the hosts is adjusted accordingly.

Communication from the Trento Agent to the Trento Server is secured by an API key that must be provided in the agent configuration file.

By default, the API key does not have an expiration date. You can set up a custom expiration date to increase the overall security of the setup and meet internal security requirements.

To do this, go to the Settings view and click the Generate Key button in the API Key section:

Figure 24: Checks catalog #

  

Whenever a new key is generated, the configuration of all the reporting agents must be updated accordingly.

The procedure to update Trento Server depends on the chosen deployment option: Kubernetes, systemd, or containerized.

Consider the following when performing an update:

In a Kubernetes deployment, you can use Helm to update Trento Server:

helm upgrade \
   --install trento-server oci://registry.suse.com/trento/trento-server \
   --set trento-web.trentoWebOrigin=TRENTO_SERVER_HOSTNAME \
   --set trento-web.adminUser.password=ADMIN_PASSWORD

If you have configured options like email alerting, the Helm command must be adjusted accordingly. In this case, consider the following:

In a system deployment, you can use zypper to update Trento Server:

 zypper refresh
 zypper update trento-web
 zypper update trento-wanda
 systemctl restart trento-web
 systemctl restart trento-wanda

In a containerized deployment, you can use the same Docker commands as for the installation. Keep in mind that the volume for the Trento checks already exists, so there is no need to create it. Also, the web and wanda containers must be stopped and removed before they can be redeployed with the latest version. Also make sure to include in the Docker commands any other options that you have enabled after the original installation.

To update the Trento Agent, follow the procedure below:

Configuration checks are an integral part of the checks engine, but they are delivered separately. This allows customers to update the checks catalog in their setup whenever updates to existing checks and new checks are released, without waiting for a new version release cycle.

The procedure of updating the configuration checks depends on the Trento Server deployment type: Kubernetes, systemd or containerized.

In a Kubernetes deployment, checks are delivered as a container image, and you can use Helm with the following options to pull the latest image:

  helm ... \
 --set trento-wanda.checks.image.tag=latest \
 --set trento-wanda.checks.image.repository=registry.suse.com/trento/trento-checks  \
 --set trento-wanda.checks.image.pullPolicy=Always \
 ...

In a systemd deployment, checks are delivered as an RPM package, and you can use zypper to update your checks catalog:

> sudo zypper ref
> sudo zypper update trento-checks

In a containerized deployment, checks are delivered as a container image, and you can use Docker to pull the latest version into the trento-checks volume created during the installation process:

> docker run \
-v trento-checks:/usr/share/trento/checks \
registry.suse.com/trento/trento-checks:latest

The procedure to uninstall the Trento Server depends on the deployment type: Kubernetes, systemd or containerized. The section covers Kubernetes deployments.

If Trento Server was deployed manually, you need to uninstall it manually. If Trento Server was deployed using the Helm chart, you can also use Helm to uninstall it as follows:

helm uninstall trento-server

SUSE customer with registered SUSE Linux Enterprise Server for SAP applications 15 (SP3 or higher) distributions can report Trento issues either directly in the SUSE Customer Center or through the corresponding vendor, depending on their licensing model. Problems must be reported under SUSE Linux Enterprise Server for SAP applications 15 and component trento.

When opening a support case for Trento, provide the relevant deployment option for Trento Server: Kubernetes, systemd or containerized.

In the case of a Kubernetes deployment, provide the output of the Trento support plugin and the scenario dump, as explained in Section 20, “Problem Analysis”.

In the case of a systemd deployment, provide the status and the journal of the trento-web and trento-wanda services.

In the case of a containerized deployment, provide the logs of the trento-web and trento-wanda containers. Use docker ps to retrieve the IDs of both containers, then docker logs CONTAINER_ID to retrieve the corresponding logs.

For issues with a particular Trento Agent, or a component discovered by a particular Trento Agent, also provide the following:

This section covers common problems and how to analyze them.

> sudo systemctl status trento-agent

Below is a list of the most important user-facing features in the different versions of Trento. For a more detailed information about the changes included in each new version, visit https://github.com/trento-project.