SUSE Manager Proxy Setup
SUSE Manager Proxy requires additional configuration.
It is possible to arrange Salt proxies in a chain.
In such a case, the upstream proxy is named |
Make sure the TCP ports 4505
and 4506
are open on the proxy.
The proxy must be able to reach the SUSE Manager Server or a parent proxy on these ports.
1. Copy Server Certificate and Key
The proxy will share some SSL information with the SUSE Manager Server. Copy the certificate and its key from the SUSE Manager Server or the parent proxy.
As root, enter the following commands on the proxy using your SUSE Manager Server or parent Proxy (named PARENT
):
mkdir -m 700 /root/ssl-build cd /root/ssl-build scp root@PARENT:/root/ssl-build/RHN-ORG-PRIVATE-SSL-KEY . scp root@PARENT:/root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT . scp root@PARENT:/root/ssl-build/rhn-ca-openssl.cnf .
To keep the security chain intact, the SUSE Manager Proxy functionality requires the SSL certificate to be signed by the same CA as the SUSE Manager Server certificate. Using certificates signed by different CAs for proxies and server is not supported. |
2. Run configure-proxy.sh
The configure-proxy.sh
script finalizes the setup of your SUSE Manager Proxy.
Execute the interactive configure-proxy.sh
script.
Pressing Enter without further input will make the script use the default values provided between brackets []
.
Here is some information about the requested settings:
- SUSE Manager Parent
-
The SUSE Manager parent can be either another proxy or the SUSE Manager Server.
- HTTP Proxy
-
A HTTP proxy enables your SUSE Manager proxy to access the Web. This is needed if direct access to the Web is prohibited by a firewall.
- Traceback Email
-
An email address where to report problems.
- Use SSL
-
For safety reasons, press
Y
. - Do You Want to Import Existing Certificates?
-
Answer
N
. This ensures using the new certificates that were copied previously from the SUSE Manager server. - Organization
-
The next questions are about the characteristics to use for the SSL certificate of the proxy. The organization might be the same organization that was used on the server, unless of course your proxy is not in the same organization as your main server.
- Organization Unit
-
The default value here is the proxy’s hostname.
- City
-
Further information attached to the proxy’s certificate.
- State
-
Further information attached to the proxy’s certificate.
- Country Code
-
In the
country code
field, enter the country code set during the SUSE Manager installation. For example, if your proxy is in the US and your SUSE Manager is in DE, enterDE
for the proxy.The country code must be two upper case letters. For a complete list of country codes, see https://www.iso.org/obp/ui/#search.
- Cname Aliases (Separated by Space)
-
Use this if your proxy can be accessed through various DNS CNAME aliases. Otherwise it can be left empty.
- CA Password
-
Enter the password that was used for the certificate of your SUSE Manager Server.
- Do You Want to Use an Existing SSH Key for Proxying SSH-Push Salt Minion?
-
Use this option if you want to reuse a SSH key that was used for SSH-Push Salt clients on the server.
- Create and Populate Configuration Channel rhn_proxy_config_1000010001?
-
Accept default
Y
. - SUSE Manager Username
-
Use same user name and password as on the SUSE Manager server.
If parts are missing, such as CA key and public certificate, the script prints commands that you must execute to integrate the needed files.
When the mandatory files are copied, run configure-proxy.sh
again.
If you receive an HTTP error during script execution, run the script again.
configure-proxy.sh
activates services required by SUSE Manager Proxy, such as squid
, apache2
, salt-broker
, and jabberd
.
To check the status of the proxy system and its clients, click the proxy system’s details page on the Web UI (Connection
and Proxy
subtabs display various status information.
3. Enable PXE Boot
3.1. Synchronize Profiles and System Information
To enable PXE boot through a proxy, additional software must be installed and configured on both the SUSE Manager Proxy and the SUSE Manager Server.
-
On the SUSE Manager Proxy, install the
susemanager-tftpsync-recv
package:zypper in susemanager-tftpsync-recv
-
On the SUSE Manager Proxy, run the
configure-tftpsync.sh
setup script and enter the requested information:configure-tftpsync.sh
You need to provide the hostname and IP address of the SUSE Manager Server and the proxy. You also need to enter the path to the tftpboot directory on the proxy.
-
On the SUSE Manager Server, install
susemanager-tftpsync
:zypper in susemanager-tftpsync
-
On the SUSE Manager Server, run
configure-tftpsync.sh
. This creates the configuration, and uploads it to the SUSE Manager Proxy:configure-tftpsync.sh FQDN_of_Proxy
-
Start an initial synchronization on the SUSE Manager Server:
cobbler sync
It can also be done after a change within Cobbler that needs to be synchronized immediately. Otherwise Cobbler synchronization will run automatically when needed. For more information about autoinstallation powered by Cobbler, Operating System Installation.
3.2. Configure DHCP for PXE through SUSE Manager Proxy
SUSE Manager uses Cobbler for client provisioning. PXE (tftp) is installed and activated by default. Clients must be able to find the PXE boot on the SUSE Manager Proxy using DHCP. Use this DHCP configuration for the zone that contains the clients to be provisioned:
next-server: <IP_Address_of_Proxy> filename: "pxelinux.0"
4. Replace the SUSE Manager Proxy
You can replace a proxy at any time, as it does not store any information about the clients that are connected to it. This process is handled using a reactivation key, which prevents you from losing the history of the proxy. If you do not use a reactivation key, the replacement proxy will become a new one with a new ID. The replacement proxy must have the same name and IP address as its predecessor.
You can also reinstall a proxy to change it from a traditional proxy to a Salt proxy.
During the installation of the proxy, clients will not be able to reach the SUSE Manager Server. After you have deleted a proxy, the systems list can be temporarily incorrect. All clients that were previously connected to the proxy will show as being directly connected to the server instead. After the first successful operation on a client, such as execution of a remote command or installation of a package or patch, this information will automatically be corrected. This may take some hours. |
4.1. Replace a Proxy
Shut down the old proxy, and leave it installed while you prepare the replacement. Create a reactivation key for this system and then register the new proxy using the reactivation key. If you do not use the reactivation key, you will need to re-register all the clients against the new proxy.
-
Before starting the migration, save the data from the old proxy, if needed. Consider copying important or custom data to a central place that can also be accessed by the new proxy.
-
Shut down the old proxy.
-
Install a new SUSE Manager Proxy. For installation instructions, see Proxy Installation.
-
In the SUSE Manager Web UI, select the newly installed SUSE Manager Proxy, and delete it from the systems list.
-
In the Web UI, create a reactivation key for the old proxy system. On the
System Details
tab of the old proxy clickReactivation
. ClickGenerate New Key
, and make a note of the new key. -
Register the new proxy with a bootstrap script as described in SUSE Manager Proxy Registration. In the bootstrap script, set the reactivation key with the
REACTIVATION_KEY
parameter. -
Restore the proxy data from the backup you made earlier. See step 1 of this procedure.
For Salt proxies, you need to do some additional steps before you bootstrap the new proxy.
-
Before starting the migration, save the data from the old proxy, if needed. Consider copying important or custom data to a central place that can also be accessed by the new proxy.
-
Shut down the old proxy.
-
In the Web UI, create a reactivation key for the old proxy system. On the
System Details
tab of the old proxy clickReactivation
. ClickGenerate New Key
, and make a note of the new key. -
In the Web UI, navigate to
, locate the Salt key associated with the old proxy, and click delete. -
Install a new SUSE Manager Proxy. For installation instructions, see Proxy Installation.
-
Register the new proxy with a bootstrap script as described in SUSE Manager Proxy Registration. In the bootstrap script, set the reactivation key with the
REACTIVATION_KEY
parameter. -
Restore the proxy data from the backup you made earlier. See step 1 of this procedure.
For more information about using reactivation keys, see Activation Keys.
After the installation of the new proxy, you might also need to:
-
Copy the centrally saved data to the new proxy system
-
Install any other needed software
-
Set up TFTP synchronization if the proxy is used for autoinstallation
4.2. Change a Proxy from Traditional to Salt
You can reinstall the proxy to switch from a traditional to a Salt proxy. In this method, instead of a reactivation key, reuse the same activation key you used to originally register the proxy. This means you do not have to re-register the clients.
-
Before starting the migration, save the data from the old proxy, if needed. Consider copying important or custom data to a central place that can also be accessed by the new proxy.
-
Shut down the proxy.
-
Install a new SUSE Manager Proxy, and ensure it has the same IP address as the proxy you are replacing. For installation instructions, see Proxy Installation.
-
Register the proxy with a bootstrap script as described in SUSE Manager Proxy Registration. In the bootstrap script set the activation key used with the old proxy with the
ACTIVATION_KEYS
parameter.
After the installation of the new proxy, you might also need to:
-
Copy the centrally saved data to the new proxy system
-
Install any other needed software
-
Set up TFTP synchronization if the proxy is used for autoinstallation
4.3. Serving big files
If you need to distribute big files such as ISO images to your network through the proxy, go to PROXY_HOSTNAME system and copy the big files to the /srv/www/htdocs/pub
directory.
Afterwards, the files can be downloaded from
http://PROXY_HOSTNAME/pub