System Locking

System locks are used to prevent actions from occurring on a client. For example, a system lock prevents a client from being updated or restarted. This is useful for clients running production software, or to prevent accidental changes. You can disable the system lock when you are ready to perform actions.

System locks are implemented differently on traditional and Salt clients.

1. System Locks on Traditional Clients

When a traditional client is locked, no actions can be scheduled using the Web UI, and a padlock icon is displayed next to the name of the client in the System > System List.

Procedure: System Locking a Traditional Client
  1. In the SUSE Manager Web UI, navigate to the System Details page for the client you want to lock.

  2. Under Lock Status, click Lock this system. The client remains locked until you click Unlock this system.

Some actions can still be completed on locked traditional clients, including remote commands and automated patch updates. To stop automated patch updates, navigate to the System Details page for the client, and on the Properties tab, uncheck Auto Patch Update.

2. System Locks on Salt Clients

When a Salt client is locked, or put into blackout mode, no actions can be scheduled, Salt execution commands are disabled, and a yellow banner is displayed on the System Details page. In this mode, actions can be scheduled for the locked client using the Web UI or the API, but the actions fail.

The locking mechanism is not available for Salt SSH clients.

Procedure: System Locking a Salt Client
  1. In the SUSE Manager Web UI, navigate to the System Details page for the client you want to lock.

  2. Navigate to the Formulas tab, check the system lock formula, and click Save.

  3. Navigate to the Formulas > System Lock tab, check Lock system, and click Save. On this page, you can also enable specific Salt modules while the client is locked.

  4. When you have made your changes, you might need to apply the highstate. In this case, a banner in the Web UI notifies you. The client remains locked until you remove the system lock formula.

For more information about blackout mode in Salt, see https://docs.saltstack.com/en/latest/topics/blackout/index.html.
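The check below is an added example, not code from SUSE Manager or Salt. It models the blackout rule described in the Salt documentation linked above, to show which execution functions a locked client would refuse. It assumes the system lock formula results in the Salt pillar keys `minion_blackout` and `minion_blackout_whitelist`; the sample pillar and function list are constructed, and the grains-based variant of blackout is not modelled.

```python
# Added illustration of Salt's documented blackout rule (not SUSE Manager code).
# Assumption: the system lock formula sets these pillar keys on the client.

# Salt always permits this function during blackout so that the minion can
# pick up a changed pillar, which is how the lock is lifted again.
ALWAYS_ALLOWED = "saltutil.refresh_pillar"


def blackout_decisions(pillar, planned):
    """Map each planned function to (allowed, reason) under the given pillar."""
    locked = bool(pillar.get("minion_blackout", False))
    whitelist = set(pillar.get("minion_blackout_whitelist", []))
    decisions = {}
    for func in planned:
        if not locked:
            decisions[func] = (True, "client not locked")
        elif func == ALWAYS_ALLOWED:
            decisions[func] = (True, "always allowed in blackout")
        elif func in whitelist:
            decisions[func] = (True, "enabled while locked")
        else:
            decisions[func] = (False, "refused: minion in blackout mode")
    return decisions


def blocked_functions(pillar, planned):
    """Return, in order, the planned functions a locked client would refuse."""
    decisions = blackout_decisions(pillar, planned)
    return [func for func in planned if not decisions[func][0]]


# Constructed sample: a locked client with two functions enabled while locked.
LOCKED_PILLAR = {
    "minion_blackout": True,
    "minion_blackout_whitelist": ["test.ping", "pillar.get"],
}
# Constructed sample: functions behind actions an operator might schedule.
PLANNED = ["test.ping", "pkg.install", "state.apply",
           "saltutil.refresh_pillar", "cmd.run"]

if __name__ == "__main__":
    for name, (allowed, reason) in blackout_decisions(LOCKED_PILLAR, PLANNED).items():
        print(f"{name:26} {'ALLOW' if allowed else 'BLOCK'}  {reason}")
```

In this model `pkg.install` and `state.apply` are refused, so package updates and highstate runs scheduled for a locked Salt client fail until the lock is removed.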

3. Package Locks

Package locking can be used on several clients, but different feature sets are available. You must differentiate between:

  1. SUSE Linux Enterprise and openSUSE (zypp-based) versus Red Hat Enterprise Linux or Debian clients, and

  2. Traditional versus Salt clients.

3.1. Package Locks on Zypp-based Systems

Package locks are used to prevent unauthorized installation or upgrades to software packages. When a package has been locked, it shows a padlock icon, indicating that it cannot be installed. Any attempt to install a locked package is reported as an error in the event log.

Locked packages cannot be installed, upgraded, or removed, either through the SUSE Manager Web UI or directly on the client machine using a package manager. Locked packages also indirectly lock any dependent packages.

Systems with the Zypper package manager have package locking available on traditional and Salt clients.

Procedure: Using Package Locks
  1. Navigate to the Software > Packages > Lock tab on the managed system to see a list of all available packages.

  2. Select the packages to lock, and click Request Lock. Pick the date and time for the lock to activate. By default, the lock is activated as soon as possible. Note that the lock might not activate immediately.

  3. To remove a package lock, select the packages to unlock and click Request Unlock. Pick the date and time as with activating the lock.

3.2. Package Locks on Red Hat Enterprise Linux- and Debian-like Systems

Some Red Hat Enterprise Linux- and Debian-like systems have package locking available on Salt clients.

On Red Hat Enterprise Linux- and Debian-like systems, package locks are only used to prevent unauthorized upgrades or removals of software packages. When a package has been locked, it shows a padlock icon, indicating that it cannot be changed. Any attempt to change a locked package is reported as an error in the event log.

Locked packages cannot be upgraded or removed, either through the SUSE Manager Web UI or directly on the client machine using a package manager. Locked packages also indirectly lock any dependent packages.

Procedure: Using Package Locks
  1. On Red Hat Enterprise Linux 7 systems, install the yum-plugin-versionlock package as root. On Red Hat Enterprise Linux 8 systems, install the python3-dnf-plugin-versionlock package as root. On Debian systems, the apt tool has the locking feature included.

  2. Navigate to the Software > Packages > Lock tab on the managed system to see a list of all available packages.

  3. Select the packages to lock, and click Request Lock. Pick the date and time for the lock to activate. By default, the lock is activated as soon as possible. Note that the lock might not activate immediately.

  4. To remove a package lock, select the packages to unlock and click Request Unlock. Pick the date and time as with activating the lock.