8 Installation steps #

This section provides an overview of all installation steps. Each step contains a link to a more detailed description.

During the installation and upgrade process, YaST can update itself to solve bugs in the installer that were discovered after the release. This functionality is enabled by default; to disable it, set the boot parameter self_update to 0. For more information, see Section 7.4.6, “Enabling the installer self-update”.

Important: Quarterly media update: self-update disabled

The installer self-update is only available if you use the GM images of the Unified Installer and Packages ISOs. If you install from the ISOs published as quarterly update (they can be identified by the string QU in the name), the installer cannot update itself, because this feature has been disabled in the update media.

Important: Networking during self-update

To download installer updates, YaST needs network access. By default, it tries to use DHCP on all network interfaces. If there is a DHCP server in the network, it will work automatically.

If you need a static IP setup, you can use the ifcfg boot argument. For more details, see the linuxrc documentation at https://en.opensuse.org/Linuxrc.

Tip: Language selection

The installer self-update is executed before the language selection step. This means that progress and errors which happen during this process are displayed in English by default.

To use another language for this part of the installer, use the language boot parameter if available for your architecture, for example, language=de_DE. On machines equipped with a traditional BIOS, alternatively, press F2 in the boot menu and select the language from the list.

Although this feature was designed to run without user intervention, it is worth knowing how it works. If you are not interested, you can jump directly to Section 8.3, “ Language, keyboard, and product selection ” and skip the rest of this section.

8.2.1 Self-update process #

  

The process can be broken down into two different parts:

1. Determine the update repository location.

2. Download and apply the updates to the installation system.

8.2.1.1 Determining the update repository location #

  

Installer Self-Updates are distributed as regular RPM packages via a dedicated repository, so the first step is to find out the repository URL.

Important: Installer self-update repository only

No matter which of the following options you use, only the installer self-update repository URL is expected, for example:

self_update=https://www.example.com/my_installer_updates/

Do not supply any other repository URL—for example the URL of the software update repository.

YaST will try the following sources of information:

1. The self_update boot parameter. (For more details, see Section 7.4.6, “Enabling the installer self-update”.) If you specify a URL, it will take precedence over any other method.

2. The /general/self_update_url profile element in case you are using AutoYaST.

3. A registration server. YaST will query the registration server for the URL. The server to be used is determined in the following order:

   1. By evaluating the regurl boot parameter (Section 7.4.1, “Providing data to access an RMT server”).

   2. By evaluating the /suse_register/reg_server profile element if you are using AutoYaST.

   3. By performing an SLP lookup. If an SLP server is found, YaST will ask you whether it should be used because there is no authentication involved and everybody on the local network could announce a registration server.

   4. By querying the SUSE Customer Center.

4. If none of the previous attempts worked, the fallback URL (defined in the installation media) will be used.

8.2.1.2 Downloading and applying the updates #

  

When the updates repository is determined, YaST will check whether an update is available. If so, all the updates will be downloaded and applied to the installation system.

Finally, YaST will be restarted to load the new version and the welcome screen will be shown. If no updates were available, the installation will continue without restarting YaST.

Note: Update integrity

Update signatures will be checked to ensure integrity and authorship. If a signature is missing or invalid, you will be asked whether you want to apply the update.

8.2.1.3 Temporary self-update add-on repository #

  

Some packages distributed in the self-update repository provide additional data for the installer, like the installation defaults, system role definitions and similar. If the installer finds such packages in the self-update repository, a local temporary repository is created, to which those packages are copied. They are used during the installation process, but at the end of the installation, the temporary local repository is removed. Its packages are not installed onto the target system.

This additional repository is not displayed in the list of add-on products, but during installation it may still be visible as SelfUpdate0 repository in the package management.

8.2.2 Custom self-update repositories #

  

YaST can use a user-defined repository instead of the official repository by specifying a URL through the self_update boot parameter.

• HTTP/HTTPS and FTP repositories are supported.

• Starting with yast2-installation-4.4.30, the relurl:// schema is supported, as a boot parameter or in an AutoYaST profile. The URL is relative to the main installation repository, and you may navigate the file tree with the usual ../ notation, for example relurl://../self_update. This is useful when serving the packages via a local installation server, or when building a custom installation medium which includes a self-update repository.

  The following examples assume the installation repository is at the medium root (/), and the self-update repository in the self_update subdirectory. This structure makes the relurl:// portable, and it will work anywhere without changes as a boot parameter, copied to an USB stick, hard disk, network server, or in an AutoYaST profile.

  Custom DVD/USB medium

  Add the self_update=relurl://self_update boot option directly to the default boot parameters, and it will work properly even if the medium is copied to an USB stick, hard disk, or a network server.

  Installation server

  Assume that the installation packages are available via http://example.com/repo and a self-update repository is available at http://example.com/self_update.

  Then you can use the http://example.com/repo and http://example.com/self_update boot parameters, without having to change the self_update parameter when the repositories are moved to a different location.

• Only RPM-MD repositories are supported (required by RMT).

• Packages are not installed in the usual way: They are uncompressed only and no scripts are executed.

• No dependency checks are performed. Packages are installed in alphabetical order.

• Files from the packages override the files from the original installation media. This means that the update packages might not need to contain all files, only files that have changed. Unchanged files are omitted to save memory and download bandwidth.

Note: Only one repository

Currently, it is not possible to use more than one repository as source for installer self-updates.

Figure 8.1: Language, keyboard, and product selection #

  

The Language and Keyboard Layout settings are initialized with the language you chose on the boot screen. If you did not change the default, it will be English (US). Change the settings here, if necessary.

Changing the language will automatically preselect a corresponding keyboard layout. Override this proposal by selecting a different keyboard layout from the drop-down box. Use the Keyboard Test text box to test the layout. The language selected here is also used to assume a time zone for the system clock. This setting can be modified later in the installed system as described in Chapter 5, Changing language and country settings with YaST.

With the Unified Installer you can install all SUSE Linux Enterprise base products:

Select a product for installation. You need to have a registration code for the respective product. In this document it is assumed you have chosen SUSE Linux Enterprise Server. Proceed with Next.

Tip: Light and high-contrast themes

If you have difficulties reading the labels in the installer, you can change the widget colors and theme.

Click the button or press Shift–F3 to open a theme selection dialog. Select a theme from the list and Close the dialog.

Shift–F4 switches to the color scheme for vision-impaired users. Press the buttons again to switch back to the default scheme.

Figure 8.2: License agreement #

  

Read the License Agreement. It is presented in the language you have chosen on the boot screen. Translations are available via the License Language drop-down box. If you agree to the terms, check I Agree to the License Terms and click Next to proceed with the installation. If you do not agree to the license agreement, you cannot install SUSE Linux Enterprise Server; click Abort to terminate the installation.

When installing on IBM Z platforms, the language selection dialog is followed by a dialog to configure the attached hard disks.

Figure 8.3: Disk activation #

  

Select DASD, Fibre Channel Attached SCSI Disks (zFCP), or iSCSI for installation of SUSE Linux Enterprise Server. The DASD and zFCP configuration buttons are only available if the corresponding devices are attached. For instructions on how to configure iSCSI disks, refer to Section 15.3, “Configuring iSCSI initiator”.

You can also change the Network Configuration in this screen by launching the Network Settings dialog. Choose a network interface from the list and click Edit to change its settings. Use the tabs to configure DNS and routing. See Section 23.4, “Configuring a network connection with YaST” for more details.

8.5.1 Configuring DASD disks #

  

Skip this step if you are not installing on IBM Z hardware.

Figure 8.4: DASD disk management #

  

After selecting Configure DASD Disks, an overview lists all available DASDs. To get a clearer picture of the available devices, use the text box located above the list to specify a range of channels to display. To filter the list according to such a range, select Filter.

Specify the DASDs to use for the installation by selecting the corresponding entries in the list. Use Select All to select all DASDs currently displayed. Activate and make the selected DASDs available for the installation by selecting Perform Action › Activate. To format the DASDs, select Perform Action › Format. Alternatively, use the YaST partitioner later as described in Section 10.1, “Using the Expert Partitioner”.

8.5.2 Configuring zFCP disks #

  

Skip this step if you are not installing on IBM Z hardware.

Figure 8.5: Configured zFCP Devices #

  

After selecting Configure zFCP Disks, a dialog with a list of the zFCP disks available on the system opens. In this dialog, select Add to open another dialog in which to enter zFCP parameters.

To make a zFCP disk available for the SUSE Linux Enterprise Server installation, choose an available Channel Number from the drop-down box. Get WWPNs (World Wide Port Number) and Get LUNs (Logical Unit Number) return lists with available WWPNs and FCP-LUNs, respectively, to choose from. Automatic LUN scanning only works with NPIV enabled.

When completed, exit the zFCP dialog with Next and the general hard disk configuration dialog with Finish to continue with the rest of the configuration.

After booting into the installation, the installation routine is set up. During this setup, an attempt to configure at least one network interface with DHCP is made. In case this attempt has failed, the Network Settings dialog launches now.

Figure 8.6: Network settings #

  

Choose a network interface from the list and click Edit to change its settings. Use the tabs to configure DNS and routing. See Section 23.4, “Configuring a network connection with YaST” for more details. On IBM Z this dialog does not start automatically. It can be started in the Disk Activation step.

In case DHCP was successfully configured during installation setup, you can also access this dialog by clicking Network Configuration at the SUSE Customer Center Registration and the Installation Settings step. It lets you change the automatically provided settings.

Note: Network configuration with boot parameters

If at least one network interface has been configured via boot parameters (see Section 7.3.2, “Configuring the network interface”), automatic DHCP configuration is disabled and the boot parameter configuration is imported and used.

Tip: Accessing network storage or local RAID

To access a SAN or a local RAID during the installation, you can use the libstorage command line client for this purpose:

1. Switch to a console with Ctrl–Alt–F2.

2. Install the libstoragemgmt extension by running extend libstoragemgmt.

3. Now you have access to the lsmcli command. For more information, run lsmcli --help.

4. To return to the installer, press Alt–F7

Supported are Netapp Ontap, all SMI-S compatible SAN providers, and LSI MegaRAID.

To get technical support and product updates, you need to register and activate SUSE Linux Enterprise Server with the SUSE Customer Center or a local registration server. Registering your product at this stage also grants you immediate access to the update repository. This enables you to install the system with the latest updates and patches available.

When registering, repositories and dependencies for the modules and extensions, which you install with the next step, are loaded from the registration server.

From this dialog, you can switch to the YaST Network Settings module by clicking Network Configuration. For details, see Section 23.4, “Configuring a network connection with YaST”.

If you are offline or want to skip registration, activate Skip Registration. See Section 8.7.3, “Installing without registration” for instructions.

8.7.1 Registering manually #

  

To register with the SUSE Customer Center, enter the E-mail Address associated with your SCC account and the Registration Code for SUSE Linux Enterprise Server..

If your organization provides a local registration server, you may alternatively register there. Activate Register System via local SMT Server and either choose a URL from the drop-down box or type in an address. Proceed with Next.

To register with the SUSE Customer Center, enter your Registration Code for SUSE Linux Enterprise Server. If your organization provides a local registration server, you may alternatively register there. Activate Register System via local RMT Server and either choose a URL from the drop-down box or type in an address.

Start the registration process with Next.

Figure 8.7: SUSE Customer Center registration #

  

Tip: Installing product patches at installation time

After SUSE Linux Enterprise Server has been successfully registered, you are asked whether to install the latest available online updates during the installation. If choosing Yes, the system will be installed with the most current packages without having to apply the updates after installation. Activating this option is recommended.

Note: Firewall settings for receiving updates

By default, the firewall on SUSE Linux Enterprise Server only blocks incoming connections. If your system is behind another firewall that blocks outgoing traffic, make sure to allow connections to https://scc.suse.com/ and https://updates.suse.com on ports 80 and 443 in order to receive updates.

If the system was successfully registered during installation, YaST will disable repositories from local installation media such as CD/DVD or flash disks when the installation has been completed. This prevents problems if the installation source is no longer available and ensures that you always get the latest updates from the online repositories.

8.7.2 Loading registration codes from USB storage #

  

To make the registration more convenient, you can also store your registration codes on a USB storage device such as a flash disk. YaST will automatically pre-fill the corresponding text box. This is particularly useful when testing the installation or if you need to register many systems or extensions.

Create a file named regcodes.txt or regcodes.xml on the USB disk. If both are present, the XML takes precedence.

In that file, identify the product with the name returned by zypper search --type product and assign it a registration code as follows:

Example 8.1: regcodes.txt #

  

SLES    cc36aae1
SLED    309105d4

sle-we  5eedd26a
sle-live-patching 8c541494

Example 8.2: regcodes.xml #

  

<?xml version="1.0"?>
<profile xmlns="http://www.suse.com/1.0/yast2ns"
 xmlns:config="http://www.suse.com/1.0/configns">
  <suse_register>
    <addons config:type="list">
      <addon>
<name>SLES</name>
<reg_code>cc36aae1</reg_code>
      </addon>
      <addon>
<name>SLED</name>
<reg_code>309105d4</reg_code>
      </addon>
      <addon>
<name>sle-we</name>
<reg_code>5eedd26a</reg_code>
      </addon>
      <addon>
<name>sle-live-patching</name>
<reg_code>8c541494</reg_code>
      </addon>
    </addons>
  </suse_register>
</profile>

Note that SLES and SLED are not extensions, but listing them as add-ons allows for combining several base product registration codes in a single file. See Section 4.3.1, “Extensions” for details.

Note: Limitations

Currently flash disks are only scanned during installation or upgrade, but not when registering a running system.

8.7.3 Installing without registration #

  

If you are offline or want to skip registration, activate Skip Registration. Accept the warning with OK and proceed with Next.

Important: Skipping the registration

Your system and extensions need to be registered to retrieve updates and to be eligible for support. Skipping the registration is only possible when installing from the SLE-15-SP4-Full-ARCH-GM-media1.iso image.

Figure 8.8: Installing without registration #

  

Note: Registering SUSE Linux Enterprise Server

Your system and extensions need to be registered to retrieve updates and to be eligible for support. If you do not register during the installation, you can do so at any time later from the running system. To do so, run YaST › Product Registration.

Tip: Copying the installation media image to a removable flash disk

Use the following command to copy the contents of the installation image to a removable flash disk.

> sudo dd if=IMAGE of=FLASH_DISK bs=4M && sync

IMAGE needs to be replaced with the path to the SLE-15-SP4-Online-ARCH-GM-media1.iso or SLE-15-SP4-Full-ARCH-GM-media1.iso image file. FLASH_DISK needs to be replaced with the flash device. To identify the device, insert it and run:

# grep -Ff <(hwinfo --disk --short) <(hwinfo --usb --short)
     disk:
     /dev/sdc             General USB Flash Disk

Make sure the size of the device is sufficient for the desired image. You can check the size of the device with:

# fdisk -l /dev/sdc | grep -e "^/dev"
     /dev/sdc1  *     2048 31490047 31488000  15G 83 Linux

In this example, the device has a capacity of 15 GB. The command to use for the SLE-15-SP4-Full-ARCH-GM-media1.iso would be:

dd if=SLE-15-SP4-Full-ARCH-GM-media1.iso of=/dev/sdc bs=4M && sync

The device must not be mounted when running the dd command. Note that all data on the partition will be erased!

In this dialog the installer lists modules and extensions that are available for SUSE Linux Enterprise Server. Modules are components which allow you to shape the product according to your needs. They are free of charge. Extensions add functionality to your product. They are offered as subscriptions and require a registration key that is liable for costs.

The availability of certain modules or extensions depends on the product you chose in the first step of this installation. For a description of the modules and their lifecycles, select a module to see the accompanying text. More detailed information is available in the Modules and Extensions Quick Start.

The selection of modules indirectly affects the scope of the installation, because it defines which software sources (repositories) are available for installation and in the running system.

Figure 8.9: Extension and module selection #

  

The following modules and extensions are available for SUSE Linux Enterprise Server:

Some modules depend on the installation of other modules. Therefore, when selecting a module, other modules may be selected automatically to fulfill dependencies.

Depending on the product, the registration server can mark modules and extensions as recommended. Recommended modules and extensions are preselected for registration and installation. To avoid installing these recommendations, deselect them manually.

Select the modules and extension you want to install and proceed with Next. In case you have chosen one or more extensions, you will be prompted to provide the respective registration codes. Depending on your choice, it may also be necessary to accept additional license agreements.

Important: Default modules for offline installation

When performing an offline installation from the SLE-15-SP4-Full-ARCH-GM-media1.iso, only the Basesystem Module is selected by default. To install the complete default package set of SUSE Linux Enterprise Server, additionally select the Server Applications Module.

The Add On Product dialog allows you to add additional software sources (so-called “repositories”) to SUSE Linux Enterprise Server, that are not provided by the SUSE Customer Center. Such add-on products may include third-party products and drivers or additional software for your system.

Figure 8.10: Add-on product #

  

From this dialog, you can switch to the YaST Network Settings module by clicking Network Configuration. For details, see Section 23.4, “Configuring a network connection with YaST”.

Tip: Adding drivers during the installation

You can also add driver update repositories via the Add On Product dialog. Driver updates for SUSE Linux Enterprise are provided at http://drivers.suse.com/. These drivers have been created via the SUSE SolidDriver Program.

If you do not want to install add-ons, proceed with Next. Otherwise activate I would like to install an additional Add On Product. Specify the Media Type by choosing from CD, DVD, Hard Disk, USB Mass Storage, a Local Directory or a Local ISO Image. If network access has been configured you can choose from additional remote sources such as HTTP, SLP, FTP, etc. Alternatively you may directly specify a URL. Check Download repository description files to download the files describing the repository now. If deactivated, they will be downloaded after the installation starts. Proceed with Next and insert a CD or DVD if required.

Depending on the add-on's content, it may be necessary to accept additional license agreements.

SUSE Linux Enterprise Server supports a broad range of features. To simplify the installation, the installer offers predefined use cases which adjust the system to be installed so it is tailored for the selected scenario.

Figure 8.11: System role #

  

Choose the System Role that meets your requirements best. The availability of system roles depends on your selection of modules and extensions. Therefore, the dialog is omitted under the following conditions:

With the default selection, the following system roles are available:

In this dialog, select your region and time zone. Both are preselected according to the installation language.

Figure 8.13: Clock and time zone #

  

To change the preselected values, either use the map or the drop-down boxes for Region and Time Zone. When using the map, point the cursor at the rough direction of your region and left-click to zoom. Now choose your country or region by left-clicking. Right-click to return to the world map.

To set up the clock, choose whether the Hardware Clock is Set to UTC. If you run another operating system on your machine, such as Microsoft Windows, it is likely your system uses local time instead. If you run Linux on your machine, set the hardware clock to UTC and have the switch from standard time to daylight saving time performed automatically.

Important: Set the hardware clock to UTC

The switch from standard time to daylight saving time (and vice versa) can only be performed automatically when the hardware clock (CMOS clock) is set to UTC. This also applies if you use automatic time synchronization with NTP, because automatic synchronization will only be performed if the time difference between the hardware and system clock is less than 15 minutes.

Since a wrong system time can cause serious problems (missed backups, dropped mail messages, mount failures on remote file systems, etc.), it is strongly recommended to always set the hardware clock to UTC.

POWER, AMD/Intel If a network is already configured, you can configure time synchronization with an NTP server. Click Other Settings to either alter the NTP settings or to Manually set the time. See Chapter 38, Time synchronization with NTP for more information on configuring the NTP service. When finished, click Accept to continue the installation.

POWER, AMD/Intel If running without NTP configured, consider setting SYSTOHC=no (sysconfig variable) to avoid saving unsynchronized time into the hardware clock.

Note: Time cannot be changed on IBM Z

Since the operating system is not allowed to change time and date directly, the Other Settings option is not available on IBM Z.

Create a local user in this step.

Figure 8.14: Create new user #

  

After entering the first name and last name, either accept the proposal or specify a new User name that will be used to log in. Only use lowercase letters (a-z), digits (0-9) and the characters . (dot), - (hyphen) and _ (underscore). Special characters, umlauts and accented characters are not allowed.

Finally, enter a password for the user. Re-enter it for confirmation (to ensure that you did not type something else by mistake). To provide effective security, a password should be at least six characters long and consist of uppercase and lowercase letters, numbers and special characters (7-bit ASCII). Umlauts or accented characters are not allowed. Passwords you enter are checked for weakness. When entering a password that is easy to guess (such as a dictionary word or a name) you will see a warning. It is a good security practice to use strong passwords.

Important: User name and password

Remember both your user name and the password because they are needed each time you log in to the system.

If you install SUSE Linux Enterprise Server on a machine with one or more existing Linux installations, YaST allows you to import user data such as user names and passwords. Select Import User Data from a Previous Installation and then Choose Users for import.

If you do not want to configure any local users (for example when setting up a client on a network with centralized user authentication), skip this step by choosing Next and confirming the warning. Network user authentication can be configured at any time later in the installed system; refer to Chapter 6, Managing users with YaST for instructions.

Two additional options are available:

Warning: Automatic login

With the automatic login enabled, the system boots straight into your desktop with no authentication. If you store sensitive data on your system, you should not enable this option if the computer can also be accessed by others.

In an environment where users are centrally managed (for example by NIS or LDAP) you should skip the creation of local users. Select Skip User Creation in this case.

If you have not chosen Use this Password for System Administrator in the previous step, you will be prompted to enter a password for the system administrator root or provide a public SSH key. Otherwise, this configuration step is skipped.

Figure 8.15: Authentication for the system administrator root #

  

Enter the password for the system administrator root. For verification purposes, the password for root must be entered twice. Do not forget the password as it cannot be retrieved later.

Tip: Passwords and keyboard layout

It is recommended to only use US ASCII characters. In case of a system error or when you need to start your system in rescue mode, the keyboard may not be localized.

To change the root password later in the installed system, run YaST and start Security and Users › User and Group Management.

Important: The root user

root is the name of the system administrator or superuser. Its user ID (uid) is 0. Unlike regular users, root account has unlimited privileges.

Do not forget the root password

Only root has the privileges to change the system configuration, install programs, manage users and set up new hardware. To carry out such tasks, the root password is required. Do not forget the password as it cannot be retrieved later.

Do not use the root user for daily work

Logging in as root for daily work is rather risky: Commands from root are usually executed without additional confirmation, so a single mistake can lead to an irretrievable loss of system files. Only use the root account for system administration, maintenance and repair.

Do not rename the root user account

YaST will always name the system administrator root. While it is technically possible to rename the root account, certain applications, scripts or third-party products may rely on the existence of a user called root. While such a configuration always targets individual environments, necessary adjustments could be overwritten by vendor updates, so this becomes an ongoing task, not a one-time setting. This is especially true in very complex setups involving third-party applications, where it needs to be verified with every involved vendor whether a rename of the root account is supported.

As the implications for renaming the root account cannot be foreseen, SUSE does not support renaming the root account.

Usually, the idea behind renaming the root account is to hide it or make it unpredictable. However, /etc/passwd requires 644 permissions for regular users, so any user of the system can retrieve the login name for the user ID 0. For better ways to secure the root account, refer to Section 14.5, “Restricting root logins” and Section 14.5.3, “Restricting SSH logins”.

If you want to access the system remotely via SSH using a public key, import a key from a removable storage device or an existing partition. After the installation is finished, you can log in through SSH using the provided SSH key.

If you have both set a password and added a public SSH key, and need remote access right after the installation, do not forget to open the SSH port in the Security section of the Installation Settings summary. If you set no password but only add a key, the port will be opened automatically to prevent you from being locked out of the newly installed system.

On the last step before the real installation takes place, you can alter installation settings suggested by the installer. To modify the suggestions, click the respective headline. After having made changes to a particular setting, you are always returned to the Installation Settings window, which is updated accordingly.

If you have added an SSH key for your root as mentioned in Procedure 8.1, make sure to open the SSH port in the Security settings.

Figure 8.16: Installation settings #

  

8.15.1 Software #

  

SUSE Linux Enterprise Server contains several software patterns for various application purposes. The available choice of patterns and packages depends on your selection of modules and extensions.

Click Software to open the Software Selection and System Tasks screen where you can modify the pattern selection according to your needs. Select a pattern from the list and see a description in the right-hand part of the window.

Each pattern contains several software packages needed for specific functions (for example Web and LAMP server or a print server). For a more detailed selection based on software packages to install, select Details to switch to the YaST Software Manager.

Figure 8.17: Software selection and system tasks #

  

You can also install additional software packages or remove software packages from your system at any later time with the YaST Software Manager. For more information, refer to Chapter 8, Installing or removing software.

If you choose to install GNOME, SUSE Linux Enterprise Server is installed with the X.org display server. As an alternative to GNOME, the lightweight window manager IceWM can be installed. Select Details from the Software Selection and System Tasks screen and search for icewm.

Tip: IBM Z: Hardware cryptography support

The hardware cryptography stack is not installed by default. To install it, select System z HW crypto support in the Software Selection and System Tasks screen.

Tip: Adding secondary languages

The language you selected with the first step of the installation will be used as the primary (default) language for the system. You can add secondary languages from within the Software dialog by choosing Details › View › Languages.

8.15.2 Booting #

  

The installer proposes a boot configuration for your system. Other operating systems found on your computer, such as Microsoft Windows or other Linux installations, will automatically be detected and added to the boot loader. However, SUSE Linux Enterprise Server will be booted by default. Normally, you can leave these settings unchanged. If you need a custom setup, modify the proposal according to your needs. For information, see Section 18.3, “Configuring the boot loader with YaST”.

Important: Software RAID 1

Booting a configuration where /boot resides on a software RAID 1 device is supported, but it requires to install the boot loader into the MBR (Boot Loader Location › Boot from Master Boot Record). Having /boot on software RAID devices with a level other than RAID 1 is not supported. Also see Chapter 8, Configuring software RAID for the root partition.

8.15.3 Security #

  

The CPU Mitigations refer to kernel boot command line parameters for software mitigations that have been deployed to prevent CPU side-channel attacks. Click the selected entry to choose a different option. For details, see CPU Mitigations.

By default, the Firewall is enabled on all configured network interfaces. To completely disable firewalld, click disable (not recommended).

Note: Firewall settings

When the firewall is activated, all interfaces are assigned to the public zone, where all ports are closed by default, ensuring maximum security. The only port you can open during the installation is port 22 (SSH), to allow remote access. Other services requiring network access (such as FTP, Samba, Web server, etc.) will only work after having adjusted the firewall settings. Refer to Chapter 23, Masquerading and firewalls for configuration details.

Note: Firewall settings for receiving updates

By default, the firewall on SUSE Linux Enterprise Server only blocks incoming connections. If your system is behind another firewall that blocks outgoing traffic, make sure to allow connections to https://scc.suse.com/ and https://updates.suse.com on ports 80 and 443 in order to receive updates.

The SSH service is enabled by default, but its port (22) is closed in the firewall. Click open to open the port or disable to disable the service. Note that if SSH is disabled, remote logins will not be possible. Refer to Chapter 22, Securing network operations with OpenSSH for more information.

Tip: Existing SSH host keys

If you install SUSE Linux Enterprise Server on a machine with existing Linux installations, the installation routine imports an SSH host key. It chooses the host key with the most recent access time by default. See also Section 8.15.9, “Import SSH host keys and configuration”.

If you are performing a remote administration over VNC, you can also specify whether the machine should be accessible via VNC after the installation. Note that enabling VNC also requires you to set the Default systemd Target to graphical.

The default Major Linux Security Module is AppAmpor. To disable it, selese None as module in the Security settings. This allows you to deselect the AppAmor pattern in the Software settings (Section 8.15.1, “Software”).

8.15.4 Security Profiles #

  

Important: Availability in SUSE Linux Enterprise 15 SP4

This feature is available for SUSE Linux Enterprise 15 SP4 GM via installer self-update or using the QU2 media.

This category allows hardening your system with OpenSCAP security policies. The first policy that was implemented is the Security Technical Implementation Guide (STIG) by the Defense Information Systems Agency (DISA).

Click to enable the security policy. Incompliant installation settings will be listed with the rule they violate. Some settings can be adjusted automatically by clicking fix rule. For settings that require user input, click modify settings to open the respective settings screen.

Tip: Checking policy compliance during installation

If you do not want to wait for the Installation Settings screen but want the installer to check the settings from the beginning of the installation process, boot the system with the boot parameter YAST_SECURITY_POLICY=POLICY. To check for compliance with the DISA STIG, use YAST_SECURITY_POLICY=stig. For more information about boot parameters, refer to Chapter 7, Boot parameters.

The installer does not check all rules of the profile but only those necessary for the installation or that are hard to fix afterward. To apply the remaining rules, a full SCAP remediation is performed on first boot. You can also perform a scan only or do nothing and manually remediate the system later with OpenSCAP. For more information, refer to the articles Hardening SUSE Linux Enterprise with STIG and Hardening SUSE Linux Enterprise with OpenSCAP.

8.15.5 Network configuration #

  

This category displays the current network settings, as automatically configured after booting into the installation (see Section 8.6) or as manually configured during the installation process. By default, wicked is used for server installations and NetworkManager for desktop workloads.

If you want to check or adjust the network settings, click Network Configuration. This takes you to the YaST Network Settings module. For details, see Section 23.4, “Configuring a network connection with YaST”.

Important: Support for NetworkManager

SUSE only supports NetworkManager for desktop workloads with SLED or the Workstation extension. All server certifications are done with wicked as the network configuration tool, and using NetworkManager may invalidate them. NetworkManager is not supported by SUSE for server workloads.

After configuring all installation settings, click Install in the Installation Settings window to start the installation. Some software may require a license confirmation. If your software selection includes such software, license confirmation dialogs are displayed. Click Accept to install the software package. When not agreeing to the license, click I Disagree and the software package will not be installed. In the dialog that follows, confirm with Install again.

The installation usually takes between 15 and 30 minutes, depending on the system performance and the selected software scope. After having prepared the hard disk and having saved and restored the user settings, the software installation starts. Choose Details to switch to the installation log or Release Notes to read important up-to-date information that was not available when the manuals were printed.

After the software installation has completed, the system reboots into the new installation where you can log in. To customize the system configuration or to install additional software packages, start YaST.

http://IP_OF_INSTALLED_SYSTEM:5801/