
Getting Started

Publication Date: 2019-09-03

1 Introduction

This Getting Started Guide provides guidance on setting up SUSE Manager server with KVM. You will learn the fundamentals of managing both traditional and Salt clients.

This guide is intended for system administrators.

Note: SUSE Manager Version Information

Unless otherwise specified, this manual assumes SUSE Manager version 3.2, and this version is required when a feature is discussed. SUSE Manager 3.2 and SUSE Manager 3.2 Proxy were originally released as a SLES 12 SP3 extension. With the next maintenance update (December 2018), SUSE Manager 3.2 and SUSE Manager 3.2 Proxy will be based on SLES 12 SP4 and support SLE 12 SP4 clients officially. In the following sections and chapters, it is highly recommended to use SLE 12 SP4 instead of SP3. Whenever features of the SUSE Manager 3.2 host operating system are documented and no other version is specified, version 12 SP4 is assumed.

1.1 Introduction to SUSE Manager

SUSE Manager is a solution for organizations that require absolute control over maintenance and package deployment on their servers. It lets you manage large sets of Linux systems and keep them up to date, with automated software management, asset management, and system provisioning. SUSE Manager allows you to maintain a high level of security while effectively managing system life-cycle requirements.

SUSE Manager uses Salt to provide event-driven configuration and management control. The Salt-master orchestrates thousands of Salt-minions (SUSE Manager Clients) using remote execution.

SUSE Manager is fully compatible with Red Hat Satellite Server and offers seamless management of both SUSE Linux Enterprise and Red Hat Enterprise Linux client systems.

SUSE Manager can be integrated with your network infrastructure in multiple ways. This book will guide you through an initial proof-of-concept setup, using these steps:

  1. Install an operating system (either JeOS or SLES) for use with SUSE Manager

  2. Install SUSE Manager Server

  3. Register SUSE Manager with SUSE Customer Center

  4. Perform initial setup of your SUSE Manager Server

  5. Register a traditional client

  6. Register a Salt minion

The book also contains a section about getting started with Salt.

1.2 Prerequisites for Installation

Before you begin your installation, ensure you have fulfilled these prerequisites:

  • Current SUSE Customer Center organization credentials

  • Access to installation media for your chosen operating system

  • Your environment meets the hardware and networking requirements

  • You understand the supported client operating systems

This section contains more information on each of these prerequisites.


SUSE Manager 3.2 is based on SLES 12 SP4 as the host operating system.

1.2.1 Obtaining your SUSE Customer Center Credentials

You will need to create an account with SUSE Customer Center before you install SUSE Linux Enterprise Server and SUSE Manager. To obtain your SUSE Customer Center credentials:

Procedure: Obtaining Your SCC Organization Credentials
  1. Open a browser and direct it to https://scc.suse.com/login.

  2. If you have not done so, create an account now.

  3. Log in to your new SCC account.

  4. Under the Management tools widget select Manage Users.

  5. Click the Organization Credentials tab.

  6. Record your login information for use during SUSE Manager setup.

1.2.2 Obtaining Installation Media

This book describes installation methods for both JeOS and SUSE Linux Enterprise Server. The JeOS image provides the quickest installation and setup, and is suitable for a test or proof of concept installation. Alternatively, SUSE Linux Enterprise Server provides a more robust installation, which requires a larger initial download. Choose your preferred operating system based on the type of environment you want to install, and the amount of bandwidth and time you have available.

You can find installation images for JeOS and SLES in your SUSE Customer Center account. Log in, then navigate to the URL for your chosen operating system:

1.2.3 Hardware Requirements

This table outlines hardware and software requirements on x86_64 and IBM Power PC architecture. For installation on z Systems, see:

  • Book “Advanced Topics”, Chapter 1 “SUSE Manager on IBM z Systems”

Table 1.1: Hardware Requirements for x86_64 Architecture


Multi-core 64-bit CPU


Test Server Minimum 8 GB


Base Installation Minimum 16 GB


Production Server Minimum 32 GB

Disk Space:

/ (root) The default JeOS root partition size of 24 GB is sufficient for this guide


/var/lib/pgsql Minimum 50 GB


/var/spacewalk Minimum 50 GB per SUSE product and 250 GB per Red Hat product

Table 1.2: Hardware Requirements for IBM POWER8 or POWER9 Architecture


Minimum 4 dedicated cores


Test Server Minimum 8 GB


Base Installation Minimum 16 GB


Production Server Minimum 32 GB

Disk Space:

/ Minimum 100 GB


/var/lib/pgsql Minimum 50 GB


/var/spacewalk Minimum 50 GB per SUSE product and 250 GB per Red Hat product

1.2.4 Network Requirements

This section details the networking and port requirements for SUSE Manager.

Fully Qualified Domain Name (FQDN)

The SUSE Manager server must resolve its FQDN correctly or cookies will not work properly on the WebUI. For more information about configuring the hostname and DNS, see SUSE Linux Enterprise Server Documentation - Configuring Host Name and DNS.

Hostname and IP Address

To ensure that the SUSE Manager domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. For more information about setting up a DNS server, see SUSE Linux Enterprise Server Documentation - The Domain Name System.

Using a Proxy When Installing from SUSE Linux Enterprise Media

If you are on an internal network and do not have access to SUSE Customer Center, you can set up and use a proxy during installation. For more information about configuring a proxy for access to SUSE Customer Center during a SUSE Linux Enterprise installation, see SUSE Linux Enterprise Server Documentation - Using a Proxy During Installation.

Important: Naming Your Server

The hostname of SUSE Manager must not contain uppercase letters as this may cause jabberd to fail. Choose the hostname of your SUSE Manager server carefully. Although changing the server name is possible, it is a complex process and unsupported.

In a production environment, SUSE Manager server and its clients should always use a firewall. This table gives an overview of required ports, to be used when you are setting up your firewall rules.

Table 1.3: Required Server Ports









TFTP, used to support PXE services



HTTP, used in some bootstrap cases



NTP time service



HTTPS, used for Web UI, client, Proxy server, and API traffic



Salt, used by the Salt-master to accept communication requests from minions



Salt, used by the Salt-master to accept communication requests from minions



XMPP client, used for communications with the osad daemon on traditional client systems



XMPP server, used for pushing actions to SUSE Manager Proxy

For more information on disconnected setup and port configuration, see:

  • Book “Best Practices”, Chapter 2 “Managing Your Subscriptions”, Section 2.2 “Disconnected Setup with RMT or SMT (DMZ)”

  • Book “Advanced Topics”, Section A.1 “SUSE Manager Server”

1.2.5 Supported Client Systems

Supported operating systems for traditional and Salt clients are listed in this table.

Table 1.4: Supported Client Systems
Operating Systems    Architecture    Traditional Clients    Salt Clients

SUSE Linux Enterprise 11 SP4

x86, x86_64, Itanium, IBM POWER, z Systems



SUSE Linux Enterprise 12 SP3, 12 SP4

x86_64, IBM POWER (IBM Power PC), z Systems, ARM



SUSE Linux Enterprise 15

x86_64, IBM POWER (IBM Power PC), z Systems, ARM



Latest minor release Red Hat Enterprise Linux Server 6

x86, x86_64



Latest minor release Red Hat Enterprise Linux Server 7




Open Enterprise Server 2015, 2015 SP1, 2018




Note: Supported Versions and SP Levels

Client operating system versions and SP levels must be under general support (normal or LTSS) to be supported with SUSE Manager. For details on supported product versions, see https://www.suse.com/lifecycle.

2 JeOS Installation

2.1 Virtual Machine Manager (virt-manager) Settings

This chapter provides the required (KVM) settings for installation of SUSE Linux Enterprise Just Enough Operating System (JeOS) 12 as the base for SUSE Manager. A kernel virtual machine (KVM) combined with Virtual Machine Manager (virt-manager) will be used as a sandbox for your first installation.

Tip: SUSE Virtualization Guide

For more information on virtualization, see: SUSE Linux Enterprise Virtualization Guide

Enter the following settings when creating a new virtual machine using virt-manager. In the following table replace version with the actual product version string.

KVM Settings

Installation Method

Import Existing Disk Image






4096 MB



Storage Format:

.qcow2 24 GB (Default) JeOS Root Partition

Virtual Disks:


VirtIO Disk 2

101 GB for /var/spacewalk

VirtIO Disk 3

50 GB for /var/lib/pgsql

VirtIO Disk 4

4 GB for swap




Bridge br0


2.2 JeOS KVM Settings

Create three additional virtual disks required for the SUSE Manager storage partitions.

Procedure: Creating the Required Partitions with KVM
  1. Create a new virtual machine using the downloaded JeOS KVM image and select Import existing disk image.

  2. Configure RAM and number of CPUs (at least 4 GB RAM and 2 CPUs).

  3. Name your KVM machine and select the Customize configuration before install check box.

  4. Select the Add Hardware button and create three new virtual disks with the following specifications. These disks will be partitioned and mounted in Procedure: Preparing JeOS for SUSE Manager Installation.

    VirtIO Storage Disks    Name    Sizing
    VirtIO Disk 2                   101 GB
    VirtIO Disk 3                   50 GB
    VirtIO Disk 4                   4 GB

  5. Click Begin Installation and your new VM will boot from the JeOS image.

Proceed through the basic JeOS installation prompts until you reach the command line.

Tip: Root Password

During the basic installation prompts you are asked to enter the root password. Select a strong password, then confirm it in the next message box, Confirm root Password.

2.3 Preparing JeOS for SUSE Manager

Procedure: Preparing JeOS for SUSE Manager Installation
  1. Register with SCC:

  2. Add SUSE Manager repositories:

    SUSEConnect -p SUSE-Manager-Server/<productnumber>/x86_64 -r SUSE_MANAGER_CODE
  3. Install yast2-storage with all required dependencies (approx. 40 packages, 30 MB when installed). This basic administration package is required for preparing storage partitions:

    zypper in -t package yast2-storage
  4. Partition and mount the virtual disks at the following locations using YaST Partitioner (yast2 disk).

    VirtIO Storage Disks    Name    Storage Size    File System Type
    VirtIO Disk 2                   101 GB
    VirtIO Disk 3                   50 GB
    VirtIO Disk 4                   4 GB


  5. SLES by default uses the BTRFS file system. A mount point is created automatically for /var/lib/pgsql/ (even when not installed). This must be removed or commented out from the /etc/fstab entries. As root, edit /etc/fstab and comment out or remove the line:

    /var/lib/pgsql btrfs subvol=@/var/lib/pgsql 0 0
    Warning: Remove pgsql from the fstab Configuration File

    If you do not remove this line from fstab, the first time you shut down the server you will lose your database. This occurs because you will have duplicate entries in the fstab file. Updated tools shipped with recent SPs will no longer require human intervention.

  6. Exit the partitioner and install the SUSE Manager pattern:

    zypper in -t pattern suma_server

For proceeding with SUSE Manager setup, see SUSE Manager Setup.
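
The fstab check from step 5, as an added example that is not part of the original guide: it lists mount points used by more than one active fstab entry and produces a copy with the btrfs subvolume entry for /var/lib/pgsql commented out. The function names, device names and sample fstab content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide. Function names and sample devices are constructed.

# Constructed sample: the automatic btrfs subvolume entry from step 5 plus an
# XFS partition mounted at the same path in step 4 (device names are made up).
make_sample_fstab() {
    cat > "$1" <<'EOF'
/dev/vda2  /                 btrfs  defaults                0 0
/dev/vda2  /var/lib/pgsql    btrfs  subvol=@/var/lib/pgsql  0 0
/dev/vdd1  swap              swap   defaults                0 0
/dev/vdb1  /var/spacewalk    xfs    defaults                0 0
/dev/vdc1  /var/lib/pgsql/   xfs    defaults                0 0
EOF
}

# Print each mount point used by more than one active fstab entry.
fstab_duplicate_mounts() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }            # comments and blank lines
        $2 == "swap" || $2 == "none" { next }    # entries without a real mount point
        {
            mp = $2
            if (mp != "/") sub(/\/+$/, "", mp)   # treat a trailing slash as the same path
            seen[mp]++
        }
        END { for (mp in seen) if (seen[mp] > 1) print mp }
    ' "$1" | sort
}

# Copy the fstab to stdout with the active btrfs subvolume entry for
# /var/lib/pgsql commented out; all other lines pass through unchanged.
fstab_comment_pgsql_subvol() {
    awk '
        {
            mp = $2
            if (mp != "/") sub(/\/+$/, "", mp)
            if ($0 !~ /^[ \t]*#/ && mp == "/var/lib/pgsql" &&
                $3 == "btrfs" && $4 ~ /subvol=/)
                print "#" $0
            else
                print
        }
    ' "$1"
}

# Demo on a scratch copy; review the result before replacing /etc/fstab.
demo=$(mktemp)
make_sample_fstab "$demo"
echo "duplicate mount points before: $(fstab_duplicate_mounts "$demo")"
fstab_comment_pgsql_subvol "$demo" > "$demo.fixed"
echo "duplicate mount points after:  $(fstab_duplicate_mounts "$demo.fixed")"
rm -f "$demo" "$demo.fixed"
```

On the server, run `fstab_duplicate_mounts /etc/fstab` as root after partitioning and before the first shutdown; empty output means no mount point is listed twice.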

3 SUSE Linux Enterprise Server Installation

This chapter provides the required KVM settings for installation of SUSE Linux Enterprise Server media as the base for SUSE Manager. A kernel virtual machine (KVM) combined with Virtual Machine Manager (virt-manager) will be used as a sandbox for this installation.

3.1 SLES KVM Requirements

Enter the following settings when creating a new virtual machine using virt-manager (replace version with the actual version string):

KVM Settings for SLES

Installation Method:

Local install media (ISO image or CDROM)






4096 MB



Storage Format:


Disk Space:

234 GB split between 4 GB swap and 130 GB mounted at /var/spacewalk/ (Virtual Disk 1) and 50 GB mounted at /var/lib/pgsql (Virtual Disk 2). The rest for the root partition (100 GB+).




3.1.1 SLES KVM Settings

This section provides guidance on installation of SUSE Manager utilizing the full installation media with KVM and virt-manager. This section assumes you have previously set up an account with SCC and downloaded the SLES full installation media.

Procedure: Preparing for SLES Installation
  1. In virt-manager select File › New Virtual Machine.

  2. Select Local install media (ISO image or CDROM).

  3. Ensure Use ISO Image is selected then click Browse and locate the full SLES image you downloaded from your SCC account.

  4. Configure your machine with at least 4096 MB RAM and a minimum of 2 CPUs.

  5. Create a storage device with a minimum of 234 GB storage space for the installation. During the partitioning setup of the SLES installation this disk should be partitioned into the following disks:

    Disk Space Requirements

    4 GB Swap space

    130 GB XFS partition (or dedicated virtual disk) for /var/spacewalk/

    50 GB XFS partition (or dedicated virtual disk) for /var/lib/pgsql/

  6. The remaining storage space will be used by the operating system for the root partition. Select Finish to begin the installation.

Installation of SUSE Linux Enterprise Server will begin. For more information on completing an installation of SUSE Linux Enterprise Server, see: SUSE Linux Enterprise Installation Quickstart.

3.2 Selecting the SUSE Manager Extension

  1. During the SUSE Linux Enterprise Server installation you will be presented with the Extension and Module Selection.

  2. Select the SUSE Manager Extension and then click the Next button.

  3. Complete the SUSE Linux Enterprise Server installation.


4 SUSE Manager Setup

4.1 Topics

This section covers SUSE Manager setup. You will perform the following procedures:

  • Start SUSE Manager setup via YaST or command line

  • Create the main administration account with the SUSE Manager Web UI

  • Name your base organization and add login credentials

  • Sync the SUSE Linux Enterprise product channel from SUSE Customer Center

4.2 SUSE Manager Setup

Warning: Third Party Software

SUSE Manager is an extension of SUSE Linux Enterprise Server and compatible with the software shipped with SUSE Linux Enterprise Server.

SUSE Manager is a complex system, and therefore installing third-party software is not allowed. Installing monitoring software provided by a third-party vendor is allowed only if you do not exchange basic libraries such as SSL, cryptographic software, and similar tools. In case of emergency, SUSE reserves the right to ask you to remove any third-party software (and associated configuration changes) and then to reproduce the problem on a clean system.

This section will guide you through SUSE Manager setup procedures.

Procedure: SUSE Manager Setup
  1. Log in to the SUSE Manager server desktop and perform one of the following actions to begin setup:

    • Select Applications › System Tools › YaST › SUSE Manager Setup.

    • Open a terminal as root and type yast2 susemanager_setup to begin setup.

  2. From the introduction screen select SUSE Manager Setup › Setup SUSE Manager from scratch. Then click Next to continue.

  3. Enter the email address that should receive status notifications about SUSE Manager. The number of emails sent from SUSE Manager can be extensive, therefore notifications via email may be disabled from the Web UI after setup. Then click Next to continue.

  4. Enter your certificate information and a password. The password should be stored in a secure location.

    Important: Certificate Password

    Without this password it will not be possible to set up a SUSE Manager Proxy Server.

  5. Click Next to continue.

  6. From the SUSE Manager Setup › Database Settings screen, enter a database user and password. This password should be stored in a secure location. Then click Next to continue.

  7. Enter your SUSE Customer Center Organization Credentials. Open https://scc.suse.com/login to register or to access your organization credentials.

    Note: Skip

    If you are using SUSE Enterprise products, SUSE Manager requires that you connect to SUSE Customer Center for software, updates and patches. You will not be able to synchronize or provide Enterprise channels to your clients without this information.

    However, if you would like to work with open source software channels and repositories, click the Skip button to continue. You can set up your SUSE Customer Center credentials or configure inter-server sync at a later time.

  8. Click Next to continue.

  9. Click Yes to run setup when prompted.

  10. Once setup has completed, click Next to continue. You will see the address of the SUSE Manager Web UI.

  11. Click Finish to complete SUSE Manager setup.

In the next section you will create the administrator’s account and synchronize with SUSE Customer Center.

4.2.1 Creating the Main Administration Account

This section will walk you through creating your organization's main administration account for SUSE Manager.

Warning: Admin and User Accounts

The main administration account is the highest authority account within SUSE Manager and therefore account access information should be stored in a secure location.

For security it is recommended that the main administrator creates low level admin accounts designated for administration of organizations and individual groups.

Procedure: Setup the Main Administration Account
  1. In the browser, enter the address provided after completing setup and open the SUSE Manager Web UI.

  2. Add your organization name to the Create Organization › Organization Name field.

  3. Add your username and password to the Create Organization › Desired Login and Create Organization › Desired Password fields.

  4. Fill in the Account Information fields including an email for system notifications.

  5. Select Create Organization to finish creating your administration account.


You should now be presented with the SUSE Manager Front Page. In the next section you will prepare the server for connecting the first client.

4.2.2 Syncing Products from SUSE Customer Center

SUSE Customer Center (SCC) maintains a collection of repositories which contain packages, software and updates for all supported enterprise client systems. These repositories are organized into channels, each of which provides software specific to a distribution, release and architecture. After synchronizing with SCC, clients may receive updates, and be organized into groups and assigned to specific product software channels.

This section covers synchronizing with SCC from the Web UI and adding your first client channel.

Procedure: Synchronizing with SUSE Customer Center
  1. From the SUSE Manager Web UI start page select Admin › Setup Wizard.

  2. From the Main Menu › Admin › Setup Wizard page select the SUSE Products tab. Wait a moment for the products list to populate. If you previously registered with SUSE Customer Center a list of products will populate the table. This table lists architecture, channels, and status information. For more information, see: Book “Reference Manual”, Chapter 17 “Admin”, Section 17.1 “Main Menu › Admin › Setup Wizard”.

  3. Since your SUSE Linux Enterprise client is based on x86_64 architecture, scroll down the page and select the check box for this channel now.

    • Add channels to SUSE Manager by selecting the check box to the left of each channel. Click the arrow symbol to the left of the description to unfold a product and list available modules.

    • Start product synchronization by clicking the Add Products button.

After adding the channel, SUSE Manager will schedule the channel to be copied. This can take a long time as SUSE Manager will copy channel software sources from the SUSE repositories located at SUSE Customer Center to the local /var/spacewalk/ directory of your server.

Tip: PostgreSQL and Transparent Huge Pages

In some environments, Transparent Huge Pages provided by the kernel may slow down PostgreSQL workloads significantly.

To disable Transparent Huge Pages, set the transparent_hugepage kernel parameter to never. This has to be changed in /etc/default/grub and added to the line GRUB_CMDLINE_LINUX_DEFAULT, for example:

GRUB_CMDLINE_LINUX_DEFAULT="resume=/dev/sda1 splash=silent quiet showopts elevator=noop transparent_hugepage=never"

To write the new configuration, run grub2-mkconfig -o /boot/grub2/grub.cfg. To update the grub2 during boot, run grub2-install /dev/sda.

Monitor the channel synchronization process in real time by viewing the channel log files located in the directory /var/log/rhn/reposync:

tail -f /var/log/rhn/reposync/<CHANNEL_NAME>.log

After the channel sync process has completed, proceed to: Chapter 5, Registering Clients.

5 Registering Clients

5.1 Introduction

For SUSE Manager 3 and later, you can choose to use either traditional or Salt client management framework, or a mixture of both, depending on your environment and requirements.


Is an end-to-end data-center automation tool which may also be used outside the scope of SUSE Manager to introduce reactive, real-time orchestration, and configuration management.

5.2 Creating Activation Keys

Activation keys are used with both traditional and Salt clients to ensure that your clients have the correct software entitlements, are connecting to the appropriate channels, and are subscribed to the relevant groups. Each activation key is bound to an organization, which you can set when you create the key.

This section contains information on how to create activation keys for both traditional and Salt clients, and provides some best practices for working with activation keys.

Procedure: Creating Activation Keys
  1. As the administrator, log in to the SUSE Manager Web UI.

  2. Navigate to Systems › Activation Keys.

  3. To open the Activation Key Details page click the Create Key button in the upper right corner.

  4. On the Activation Key Details page in the Description field, enter a name for the activation key.

  5. In the Key field, enter the distribution and service pack associated with the key. For example, SLES12-SP4 for SUSE Linux Enterprise Server 12 SP4.

    Warning: Allowed Characters

    Do not use commas in the Key field for any SUSE products. However, you must use commas for Red Hat Products. For more information, see Book “Reference Manual”, Chapter 7 “Systems”, Section 7.9 “Systems > Activation Keys”.

  6. In the Base Channels drop-down box, select the SUSE Linux Enterprise channel that you added during First Channel Sync.

  7. When the base channel is selected the list of available child channels will get fetched and displayed in real time below the base channel. Select the child channels you need (for example, the SUSE Manager tools and the updates channels that are actually mandatory).

  8. We recommend you leave the Contact Method set to Default.

  9. We recommend you leave the Universal Default setting unchecked.

  10. Click Update Activation Key to create the activation key.

  11. Check the Configuration File Deployment check box to enable configuration management for this key, and click Update Activation Key to save this change.

When you create activation keys, keep these best practices in mind:

  • Avoid using the SUSE Manager Default parent channel. This setting forces SUSE Manager to choose a parent channel that best corresponds to the installed operating system, which can sometimes lead to unexpected behavior. Instead, we recommend you create activation keys specific to each distribution and architecture.

  • If you are using bootstrap scripts, consider creating an activation key for each script. This will help you align channel assignments, package installation, system group memberships, and configuration channel assignments. You will also need less manual interaction with your system after registration.

  • If you do not enter a human-readable name for your activation keys, the system will automatically generate a number string, which can make it difficult to manage your keys. Consider a naming scheme for your activation keys to help you keep track of them.

  • Note that the Configuration File Deployment check box does not appear until after you have created the activation key. Ensure you go back and check the box if you need to enable configuration management.

5.3 Creating the SUSE Manager Tools Repository

In this section you will create a tools repository on the SUSE Manager Server for providing client tools. The client tools repository contains packages for installing Salt on minions as well as required packages for registering traditional clients during the bootstrapping procedure. These packages will be installed from the newly generated repository during the registration process. In the following procedure you will create the SUSE Linux Enterprise tools repository.

Important: Creating a Tools Repository when an SCC Channel has not been Synced

Before following the procedure to create the tools repository make sure the SUSE vendor channel you will be using with your client has been completely synced. You can check this by running tail -f /var/log/rhn/reposync/<CHANNEL_NAME>.log as root. In the following example replace version with the actual version string:

# tail -f /var/log/rhn/reposync/sles<version>-pool-x86_64.log

Once completed you should see the following output in your terminal:

2017/12/12 15:20:32 +02:00 Importing packages started.
2017/12/12 15:22:02 +02:00 1.07 %
2017/12/12 15:34:25 +02:00 86.01 %
2017/12/12 15:35:49 +02:00 Importing packages finished.
2017/12/12 15:35:49 +02:00 Linking packages to channel.
2017/12/12 15:35:59 +02:00 Sync completed.
Procedure: Generating the Tools Repository for SUSE Linux Enterprise
  1. Open a terminal on the server as root and enter the following command to list available bootstrap repositories:

    mgr-create-bootstrap-repo -l SLE-<version>-x86_64
  2. Then invoke the same command using the listed repository as the product label to actually create the bootstrap repository:

    mgr-create-bootstrap-repo -c SLE-<version>-x86_64
  3. SUSE Manager will create and add the client tools to the newly created repositories directory located at /srv/www/htdocs/pub/repositories/.

This repository is suitable for both Server and Desktop of SUSE Linux Enterprise.
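
A way to enforce the "channel completely synced" precondition from the Important note before creating the bootstrap repository, as an added example that is not part of the original guide. It relies only on the log messages shown in the sample output above; the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the guide. It relies only on the log messages shown in
# the sample output of this section; function names are constructed.

# The sample output from this section, reproduced as input for the demo.
sample_reposync_log() {
    cat <<'EOF'
2017/12/12 15:20:32 +02:00 Importing packages started.
2017/12/12 15:22:02 +02:00 1.07 %
2017/12/12 15:34:25 +02:00 86.01 %
2017/12/12 15:35:49 +02:00 Importing packages finished.
2017/12/12 15:35:49 +02:00 Linking packages to channel.
2017/12/12 15:35:59 +02:00 Sync completed.
EOF
}

# Print "completed", "running <pct>%", "running" or "unknown" for a reposync log.
# A later "Importing packages started." resets the state, so a log that was
# appended to by a sync still in progress is not mistaken for a finished one.
reposync_status() {
    awk '
        /Importing packages started\./ { state = "running"; pct = "" }
        / [0-9]+\.[0-9]+ %[ \t]*$/     { pct = $(NF - 1) }
        /Sync completed\./             { state = "completed" }
        END {
            if (state == "") print "unknown"
            else if (state == "running" && pct != "") print "running " pct "%"
            else print state
        }
    ' "$1"
}

# Run the given command only when the channel log reports a completed sync.
run_when_synced() {
    rws_log=$1
    shift
    rws_status=$(reposync_status "$rws_log" 2>/dev/null) || rws_status=unknown
    if [ "$rws_status" != "completed" ]; then
        echo "refusing to continue, channel sync is $rws_status: $rws_log" >&2
        return 1
    fi
    "$@"
}

# Usage on the server (placeholders as in the guide):
#   run_when_synced /var/log/rhn/reposync/<CHANNEL_NAME>.log \
#       mgr-create-bootstrap-repo -c SLE-<version>-x86_64

# Demo against the sample output.
demo_log=$(mktemp)
sample_reposync_log > "$demo_log"
echo "sample log status: $(reposync_status "$demo_log")"
rm -f "$demo_log"
```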

Note: Support for SUSE Linux Enterprise 15 Products

If you have mirrored more than one SUSE Linux Enterprise 15 Product (for example, SLES, SLED, and SLES for SAP Application), you can specify the one you are actually interested in. First check what is available:

mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-custom-channel
Multiple options for parent channel found. Please use option
--with-parent-channel <label> and choose one of:
- sle-product-sles15-pool-x86_64
- sle-product-sles_sap15-pool-x86_64
- sle-product-sled15-pool-x86_64

Then specify it with --with-parent-channel:

mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-parent-channel sle-product-sled15-pool-x86_64

5.4 Registering Traditional Clients

5.4.1 Generating a Bootstrap Script

This section goes over generating a template bootstrap script which will be copied and modified for use with traditional clients. Traditional clients register with SUSE Manager via a bootstrap script executed on the client which deploys all necessary packages to it. The bootstrap script contains parameters which assign a client system to its base channel. Two of these important parameters are:

  • Activation Keys

  • GNU Privacy Guard (GPG) Keys

Note: SLES 15 and Python 3

SLES 15 utilizes Python 3 by default. Because of this change any older bootstrap scripts (based on Python 2) must be re-created for SLES 15 systems. Attempting to register SLES 15 systems with SUSE Manager using Python 2 versions of the bootstrap script will fail.

The following procedure will guide you through generating a bootstrap script.

Procedure: Creating a Bootstrap Script
  1. From the SUSE Manager Web UI, browse to Main Menu › Admin › Manager Configuration › Bootstrap Script. For more information, see Book “Reference Manual”, Chapter 17 “Admin”, Section 17.4 “Main Menu › Admin › Manager Configuration”, Section 17.4.2 “Manager Configuration › Bootstrap Script”.

  2. In the SUSE Manager Configuration - Bootstrap dialog disable Bootstrap using Salt. Use default settings and click the Update button.

    Warning: Using SSL

    Unchecking Enable SSL in the Web UI or setting USING_SSL=0 in the bootstrap script is not recommended. If you disable SSL nevertheless, you will need to manage custom CA certificates to be able to run the registration process successfully.

  3. A template bootstrap script is generated and stored on the server’s file system in the /srv/www/htdocs/pub/bootstrap directory.

    cd /srv/www/htdocs/pub/bootstrap

    The bootstrap script is also available at https://example.com/pub/bootstrap/bootstrap.sh.

Section 5.4.2, “Editing the Bootstrap Script” will cover copying and modifying your bootstrap template for use with each client.

5.4.2 Editing the Bootstrap Script

In this section you will copy and modify the template bootstrap script you created from Section 5.4.1, “Generating a Bootstrap Script”.

A minimal requirement when modifying a bootstrap script for use with SUSE Manager is the inclusion of an activation key. Depending on your organization's security requirements, it is strongly recommended to include one or more (GPG) keys (for example, your organization key, and package signing keys). For this tutorial you will be registering with the activation keys created in the previous section.

Procedure: Modifying the Bootstrap Script
  1. Login as root from the command line on your SUSE Manager server.

  2. Navigate to the bootstrap directory with:

    cd /srv/www/htdocs/pub/bootstrap/
  3. Create and rename two copies of the template bootstrap script for use with each of your clients.

    cp bootstrap.sh bootstrap-sles11.sh
    cp bootstrap.sh bootstrap-sles12.sh
  4. Open bootstrap-sles12.sh for modification. Scroll down and modify both lines marked in green. You must comment out exit 1 with a hash mark (#) to activate the script and then enter the name of the key for this script in the ACTIVATION_KEYS= field as follows:

    echo "Enable this script: comment (with #'s) this block (or, at least just"
    echo "the exit below)"
    #exit 1
    # can be edited, but probably correct (unless created during initial install):
    # NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine.
  5. Once you have completed your modifications save the file and repeat this procedure for the second bootstrap script. Proceed to Section 5.4.3, “Connecting Clients”.

Note: Finding Your Keys

To find key names you have created: In the Web UI, click Home › Overview › Manage Activation keys › Key Field. All keys created for channels are listed on this page. You must enter the full name of the key you wish to use in the bootstrap script exactly as presented in the key field.
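
The edits from step 4, applied non-interactively and followed by an audit of the result, as an added example that is not part of the original guide. The function names and the sample template are constructed, the key SLES12-SP4 is the example value from Section 5.2, and ORG_GPG_KEY is assumed to be the name of the GPG key variable in the generated script.

```shell
#!/bin/sh
# Added example, not from the guide. Function names and the sample template are
# constructed; ORG_GPG_KEY is assumed to be the GPG key variable in the script.

# Constructed stand-in for the relevant part of a generated bootstrap.sh template.
sample_bootstrap_template() {
    cat <<'EOF'
echo "Enable this script: comment (with #'s) this block (or, at least just"
echo "the exit below)"
exit 1
# can be edited, but probably correct (unless created during initial install):
# NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine.
ACTIVATION_KEYS=
ORG_GPG_KEY=
USING_SSL=1
EOF
}

# Apply the two edits from step 4 to a copy: comment out the "exit 1" guard that
# precedes ACTIVATION_KEYS= and set the key. Keys with unexpected characters are rejected.
enable_bootstrap() {
    eb_file=$1
    eb_key=$2
    case $eb_key in
        '' | *[!A-Za-z0-9_,.-]*) echo "invalid activation key" >&2; return 2 ;;
    esac
    sed -e '1,/^ACTIVATION_KEYS=/ s/^exit 1[[:space:]]*$/#exit 1/' \
        -e "s/^ACTIVATION_KEYS=.*/ACTIVATION_KEYS=$eb_key/" \
        "$eb_file" > "$eb_file.tmp" &&
        cat "$eb_file.tmp" > "$eb_file" && rm -f "$eb_file.tmp"
}

# Print the value of the last unindented NAME= assignment, without quotes or comment.
bootstrap_var() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g"
}

# Succeed when an unindented, uncommented "exit 1" still precedes ACTIVATION_KEYS=.
guard_still_active() {
    awk '
        /^ACTIVATION_KEYS=/ { exit }
        /^exit 1[ \t]*$/    { found = 1; exit }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print FAIL/WARN findings for a bootstrap script; return 1 when any FAIL is found.
audit_bootstrap() {
    ab_file=$1
    ab_fail=0
    if guard_still_active "$ab_file"; then
        echo "FAIL: 'exit 1' guard is still active; the script will not run"
        ab_fail=1
    fi
    if [ -z "$(bootstrap_var "$ab_file" ACTIVATION_KEYS)" ]; then
        echo "FAIL: ACTIVATION_KEYS is empty"
        ab_fail=1
    fi
    if [ "$(bootstrap_var "$ab_file" USING_SSL)" != "1" ]; then
        echo "FAIL: USING_SSL is not set to 1"
        ab_fail=1
    fi
    if [ -z "$(bootstrap_var "$ab_file" ORG_GPG_KEY)" ]; then
        echo "WARN: ORG_GPG_KEY is empty; no organization GPG key is configured"
    fi
    return "$ab_fail"
}

# Demo on a scratch copy of the constructed template.
demo=$(mktemp)
sample_bootstrap_template > "$demo"
if ! audit_bootstrap "$demo"; then echo "template is not usable yet"; fi
enable_bootstrap "$demo" SLES12-SP4
if audit_bootstrap "$demo"; then echo "edited copy passes"; fi
rm -f "$demo"
```

Run `audit_bootstrap bootstrap-sles12.sh` in /srv/www/htdocs/pub/bootstrap/ before piping a script to a client; a non-zero return means the script would either refuse to run or register without SSL.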

5.4.3 Connecting Clients

This section covers connecting your clients to SUSE Manager with the modified bootstrap script.

Procedure: Running the Bootstrap Script
  1. From your SUSE Manager Server command line as root navigate to the following directory:

    cd /srv/www/htdocs/pub/bootstrap/
  2. Run the following command to execute the bootstrap script on the client:

    cat MODIFIED-SCRIPT.SH | ssh root@example.com /bin/bash
  3. The script will execute and proceed to download the required dependencies located in the repositories directory you created earlier. Once the script has finished running, log in to the Web UI and click Systems › Overview to see the new client listed.

This concludes the bootstrap section of this guide. Section 5.5, “Registering Salt Clients” will go over registering Salt minions for use with SUSE Manager.

5.4.4 Package Locks

Package locks are used to prevent unauthorized installation or upgrades to software packages on traditional clients. When a package has been locked, it is displayed to users with a padlock icon, indicating that it cannot be installed. Any attempt to install a locked package will be reported as an error in the event log.

Locked packages cannot be installed, upgraded, or removed, either through the SUSE Manager Web UI, or directly on the client machine using a package manager. Locked packages will also indirectly lock any dependent packages.


Package locks can only be used on traditional clients that use the Zypper package manager. The feature is not currently supported on Red Hat Enterprise Linux or Salt clients.

Procedure: Using Package Locks
  1. On the client machine, install the zypp-plugin-spacewalk package:

    # zypper in zypp-plugin-spacewalk
  2. Navigate to the Software › Packages › Lock tab on the managed system to see a list of all available packages.

  3. Select the packages to lock, and click Request Lock. You can also choose to enter a date and time for the lock to activate. Note that even if you do not select a date and time, the lock might not activate immediately.

  4. To remove a package lock, select the packages to unlock and click Request Unlock. You can also choose to enter a date and time for the lock to deactivate. Note that even if you do not select a date and time, the lock might not deactivate immediately.

5.5 Registering Salt Clients

There are currently three methods for registering Salt minions. This section describes the first method and uses a bootstrap repository. The second method uses the bootstrap script, and is mostly similar to the procedure described in Section 5.4, “Registering Traditional Clients”. The difference is that you enable Bootstrap using Salt and the activation key option Configuration File Deployment, which applies the highstate automatically. The third method uses the Web UI, and is described in Book “Reference Manual”, Chapter 7 “Systems”, Section 7.6 “Bootstrapping (Salt)”.

You can also use these methods to change existing traditional clients into Salt minions.

The rest of this section assumes you have created a SUSE Manager tools repository. You can review creating a tools repository in Section 5.3, “Creating the SUSE Manager Tools Repository”.

When you have fully synchronized a base channel from the Web UI for clients to obtain software packages from (for example: SLES12-SP4-Pool_for_x86_64), perform the following procedure to register a Salt minion.

Procedure: Registering Salt Minions
  1. On your minion as root enter the following command:

    zypper ar http://FQDN.server.example.com/pub/repositories/sle/12/4/bootstrap/ \

    Do not use HTTPS. Use HTTP instead to avoid errors.

  2. After adding the repository containing the necessary Salt packages execute:

    zypper in salt-minion
  3. Modify the minion configuration file to point to the fully qualified domain name (FQDN) of the SUSE Manager server (master):

    vi /etc/salt/minion

    Find and change the line:

    master: salt

    to:

    master: FQDN.server.example.com
  4. Restart the Salt minion with:

    systemctl restart salt-minion

Your newly registered minion should now show up within the Web UI under Salt › Keys. Accept the pending key to begin management.

5.6 Troubleshooting Salt Clients

5.6.1 Mounting /tmp with noexec

Salt runs remote commands from /tmp of the client’s filesystem. Therefore you must not mount /tmp with the noexec option.

5.6.2 Cloned Salt Clients

If you have used your hypervisor clone utility, and attempted to register the cloned Salt client, you might get this error:

We're sorry, but the system could not be found.

This is caused by the new, cloned, system having the same machine ID as an existing, registered, system. You can adjust this manually to correct the error and register the cloned system successfully.

6 Getting Started with Salt

6.1 Introduction

This section introduces you to the new Salt features added in SUSE Manager 3. This chapter assumes you have completed all previous Getting Started sections. At a minimum, you need the following setup:

  • A freshly installed SUSE Manager server with a main admin account and a synced product channel

  • Preferably two registered Salt minions to experiment with.

If you find yourself stuck at any point refer to the SaltStack Get Started tutorial located at https://docs.saltstack.com/en/getstarted/fundamentals/index.html.


This guide does not attempt to cover all that Salt has to offer. This guide is a primer for using Salt with SUSE Manager. For comprehensive Salt documentation, see https://docs.saltstack.com/en/latest/contents.html.

The current version of Salt in SUSE Manager is 2018.3.0.

6.2 Understanding Salt Calls

Salt Calls

Salt calls are defined by three main properties:

salt 'target' <function> [arguments]

Use the second property in a Salt call to target a single machine or group of machines. Specify the minion or group of minions you would like to run a function on.

General Targeting

List available grains on all minions:

salt '*' grains.ls

Ping a specific minion:

salt 'web1.example.com' test.ping

Glob Targeting

Ping all minions using a domain:

salt '*example.com' test.ping

Display the OS name of all minions with the webserver label:

salt 'webserver*' grains.item oscodename

List Targeting

salt -L 'webserver.example.com,db.example.com' test.ping

Regular Expression Targeting

You may use PCRE-compliant regular expressions:

salt -E '(?!web)' test.ping

IP Address Targeting

List minion IP addresses:

salt '*' network.ip_addrs

Ping a specific minion IP address:

salt -S '' test.ping

Ping all minions on a subnet:

salt -S test.ping

Tip: Lookup a Subnet Using the ip Command

You can use the ip command to find the subnet mask in the format of

ip -o -f inet addr show | awk '/scope global/ {print $4}'

Once you have specified a target, provide the function you would like to call. Functions also accept arguments. Arguments are space-delimited, for example:

salt '*' cmd.run 'echo "Hello: $FIRST_NAME"' env='{FIRST_NAME: "John"}'

Locating Additional Minion Functions

Find more functions which can be called on minions by running:

salt '*' sys.doc

A full list of callable functions is located here: https://docs.saltstack.com/en/2015.8/ref/modules/all/index.html


Arguments provide the extra data needed by the function you are calling. For example, the command pkg.install requires an argument specifying a package to install. Here, YaST has been selected for installation:

salt '*' pkg.install yast2

6.3 Common Salt Terminology


Grains provide information about the hardware of a minion, for example the operating system, IP addresses, network interfaces, and memory. When running a Salt command, keep in mind that any modules and functions called are run locally on the system being called. Salt modules are stored on minions and master within the following directory:


List all available grains with the grains.ls function:

salt '*' grains.ls

List collected grain system data by using the grains.items function:

salt '*' grains.items

For more information on grains, see https://docs.saltstack.com/en/latest/topics/grains/.


States are templates which place systems into a known configuration, for example which applications and services are installed and running on those systems. States are a way for you to describe what each of your systems should look like. Once written, states are applied to target systems, automating the process of managing and maintaining large numbers of systems in a known state. For more information on states, see https://docs.saltstack.com/en/latest/topics/tutorials/starting_states.html.

Warning: Updating Salt

Do not update salt itself using Salt states. First update all other system packages using Salt states then update salt as a separate stand-alone step from the SUSE Manager Web UI.


Pillars, unlike grains, are created on the master. Pillar files contain information about a minion or group of minions. Pillars allow you to send confidential information to a targeted minion or group of minions. Pillars are useful for sensitive data, configuration of minions, variables, and any arbitrary data which should be defined. For more information on pillars, see https://docs.saltstack.com/en/latest/topics/tutorials/pillar.html.


Beacons allow an admin to use the event system in Salt to monitor non-Salt processes. Minions may use beacons to hook into many types of system processes for constant monitoring. Once a monitored activity occurs, an event is sent on the Salt event bus that may be used to trigger a reactor.

Important: Enabling Beacons

To work with beacons on Salt minions the package python-pyinotify must be installed for SUSE systems. For RES systems install python-inotify. This package is not installed automatically during the salt minion package installation.

Note: Peer Communication with salt-broker

The salt-broker acts like a switch and not like a hub, therefore Peer communication will only work for minions behind the same broker/Proxy. For more information on Salt and peer communication see: https://docs.saltstack.com/en/latest/ref/peer.html

6.4 Useful Salt Commands

The following list provides several useful Salt commands.


Print a list of all minions that are up:

salt-run manage.up

Print a list of all minions that are down:

salt-run manage.down

Print a list with the current status of all Salt minions:

salt-run manage.status

Check the version of Salt running on the master and active minions:

salt-run manage.versions

Copy a file to a minion or set of minions:

salt-cp '*' foo.conf /root

For more information, see https://docs.saltstack.com/en/latest/ref/cli/salt-cp.html.

List public keys:

salt-key -L

Accept all pending keys:

salt-key -A
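
Before accepting a pending key, as in Section 5.5, “Registering Salt Clients” and with salt-key -A above, the fingerprint a minion reports about its own key can be compared with the fingerprint of the pending key on the master. The following is an added example, not part of the original guide; the function names and the sample outputs are constructed, and SHA-256 fingerprints are assumed.

```shell
#!/bin/sh
# Added example, not part of the SUSE Manager guide: accept a pending minion
# key only after its fingerprint matches what the minion reports about itself.
#   on the minion:  salt-call --local key.finger
#   on the master:  salt-key -f MINION_ID
# Assumption: SHA-256 fingerprints (32 colon-separated hex bytes) on both sides.

# Print the first SHA-256 style fingerprint found on stdin, lower-cased.
extract_fingerprint() {
    tr 'A-F' 'a-f' | grep -Eo '([0-9a-f]{2}:){31}[0-9a-f]{2}' | head -n 1
}

# fingerprints_match MINION_OUTPUT MASTER_OUTPUT
# Succeeds only if both texts contain a fingerprint and the two are identical.
fingerprints_match() {
    minion_fp=$(printf '%s\n' "$1" | extract_fingerprint)
    master_fp=$(printf '%s\n' "$2" | extract_fingerprint)
    [ -n "$minion_fp" ] && [ -n "$master_fp" ] && [ "$minion_fp" = "$master_fp" ]
}

# accept_if_verified MINION_ID MINION_OUTPUT
# Run on the master. MINION_OUTPUT is the key.finger text obtained from the
# minion over a separate channel (console, provisioning record).
accept_if_verified() {
    if fingerprints_match "$2" "$(salt-key -f "$1")"; then
        salt-key -y -a "$1"        # accept this one key, not all pending keys
    else
        echo "fingerprint mismatch for $1: key not accepted" >&2
        return 1
    fi
}

# Constructed sample outputs (not real keys).
SAMPLE_MINION_OUT='local:
    4b:2a:9c:07:e1:5d:83:f6:10:bc:7e:29:d4:6a:01:95:c8:3f:72:ae:0b:56:e9:14:8d:a3:60:fb:27:cd:58:91'
SAMPLE_MASTER_OUT='Unaccepted Keys:
minion1.example.com:  4b:2a:9c:07:e1:5d:83:f6:10:bc:7e:29:d4:6a:01:95:c8:3f:72:ae:0b:56:e9:14:8d:a3:60:fb:27:cd:58:91'
SAMPLE_OTHER_OUT='Unaccepted Keys:
minion1.example.com:  4b:2a:9c:07:e1:5d:83:f6:10:bc:7e:29:d4:6a:01:95:c8:3f:72:ae:0b:56:e9:14:8d:a3:60:fb:27:cd:58:92'

if fingerprints_match "$SAMPLE_MINION_OUT" "$SAMPLE_MASTER_OUT"; then
    echo "sample 1: fingerprints match"
fi
if ! fingerprints_match "$SAMPLE_MINION_OUT" "$SAMPLE_OTHER_OUT"; then
    echo "sample 2: fingerprints differ, key must not be accepted"
fi
```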

6.5 Salt File Locations and Structure

The following screen describes Salt file structures and their locations used by the SUSE Manager Server. These files are listed in /etc/salt/master.d/susemanager.conf:

# Configure different file roots

file_roots:
  base:
    - /usr/share/susemanager/salt    #Should not be touched by a user
    - /srv/susemanager/salt          #Should not be touched by a user
    - /srv/salt                      #Your custom states go here

# Configure different pillar roots

pillar_roots:
  base:
    - /usr/share/susemanager/pillar  #Should not be touched by a user
    - /srv/pillar                    #Custom pillars go here

# Extension modules path

extension_modules: /usr/share/susemanager/modules

# Master top configuration

master_tops:
  mgr_master_tops: True

The following tips should be kept in mind when working with /etc/salt/master.d/susemanager.conf.

  • Files listed are searched in the order they appear.

  • The first file found is called.

6.5.1 file_roots

SUSE Manager as the Salt master reads its state data from three specific file root directories.


The directory /usr/share/susemanager/salt is created by SUSE Manager, and its content is generated by the /usr/share/susemanager/modules/tops/mgr_master_tops.py Python module. It is shipped and updated together with SUSE Manager and includes certificate setup and common state logic that will be applied to packages and channels.

Warning: Do Not Edit

You should not edit or add custom Salt data to this directory.


The directory /srv/susemanager/salt is created by SUSE Manager and contains assigned channels and packages for minions, groups, and organizations. These files will be overwritten and regenerated. A good analogy for this directory would be the SUSE Manager database translated into Salt directives.

Warning: Do Not Edit

You should not edit or add custom Salt data to this directory.


The directory /srv/salt is for your custom state data, Salt modules, and so on. SUSE Manager does not perform any actions on this directory. However, the state data placed here affects the Highstate of minions and is merged with the result generated by SUSE Manager.

Note: Editable

Place custom Salt data here.

6.5.2 pillar_roots

SUSE Manager as the Salt master reads its pillar data from two specific pillar root directories.


The directory /usr/share/susemanager/pillar is generated by SUSE Manager. It is shipped and updated together with SUSE Manager.

Warning: Do Not Edit

You should not edit or add custom Salt data to this directory.


By default, SUSE Manager does not touch or do anything with the /srv/pillar directory. However, the custom pillar data placed here is merged with the pillar result created by SUSE Manager.

Tip: Editable Directory

Place your custom Salt pillar data here.

6.6 Install the SUSE Manager Locale Formula

The following section provides guidance on installing and using SUSE-provided Salt formulas.

Procedure: Installing the Locale Formula
  1. Install the locale formula with:

    zypper install locale-formula

    This installs the package contents to /usr/share/susemanager/formulas/{metadata,states}

  2. After installing the RPM, log in to the SUSE Manager Web UI.

  3. Browse to the Main Menu › System Details page of any minion you would like to apply the formula to.

  4. On the Main Menu › System Details page you will see a new Formulas tab. Select it to view a list of installed formulas.

  5. From the Formulas list select Formulas › Locale and click Save.

  6. A new tab will appear next to the Formula › Locale subtab. Select the new Formulas › Locale tab.

  7. The Formulas › Locale tab contains options for setting the language, keyboard layout, timezone, and whether the hardware clock is set to UTC. Select the desired options and click Save.

  8. Run the following command to verify pillar settings. The output has been truncated.

    salt '$your_minion' pillar.items
               English (US)
               English (US)
       org_id:alt '$your_minion_here'
  9. Apply this state to your minion by applying the highstate from the command line with:

    salt '$your_minion' state.highstate

    You can also apply the highstate from the previous formula tab from the SUSE Manager Web UI by selecting System Details › States and clicking Apply Highstate.

6.7 Use Pillars to Set the Package Download Endpoint

By default, SUSE Manager assumes that the download endpoint to use is the FQDN of the SUSE Manager server, or the SUSE Manager Proxy. However, there are some cases where you might like to use a different FQDN as the download endpoint. The most common examples are setups that use load balancing or caching proxies, and environments with complicated networking requirements.

To change the package download endpoint, you can manually adjust three Salt pillars:

  • pkg_download_point_protocol, defaults to https.

  • pkg_download_point_host, defaults to the FQDN of the SUSE Manager Server (or Proxy, if in use).

  • pkg_download_point_port, defaults to 443.

If you do not adjust these pillars directly, SUSE Manager will fall back to the default values.

Procedure: Changing the package download endpoint pillar
  1. Navigate to /srv/pillar/ and create a file called top.sls with these contents:

    base:
      '*':
        - pkg_download_endpoints

    This example directs Salt to look at the pkg_download_endpoints.sls file to determine the base URL to use. You can adjust this file to target different minions or groups, depending on your environment.

  2. Remain in /srv/pillar/ and create a file called pkg_download_endpoints.sls with the base URLs you want to use. For example:

    pkg_download_point_protocol: http
    pkg_download_point_host: example.com
    pkg_download_point_port: 444
  3. OPTIONAL: You can use grains to set conditional values, for example:

    {% if grains['fqdn'] == 'minion1.example.com' %}
      pkg_download_point_host: example1.com
    {% elif grains['fqdn'] == 'minion2.example.com' %}
      pkg_download_point_host: example2.com
    {% else %}
      pkg_download_point_host: example.com
    {% endif %}
  4. OPTIONAL: If you want to use external pillars, for example Group IDs, open the master configuration file and set the ext_pillar_first parameter to true. You can then use Group IDs to set conditional values, for example:

    {% if pillar['group_ids'] is defined and Group_ID in pillar['group_ids'] %}
      pkg_download_point_protocol: http
      pkg_download_point_host: example.com
      pkg_download_point_port: 444
    {% else %}
      pkg_download_point_protocol: ftp
      pkg_download_point_host: example.com
      pkg_download_point_port: 445
    {% endif %}

6.8 Disabling the Salt Mine

In older versions, SUSE Manager used a tool called Salt mine to check minion availability. The Salt mine would cause minions to contact the server every hour, which created significant load. With the introduction of a more efficient mechanism in SUSE Manager 3.2, the Salt mine is no longer required. Instead, the SUSE Manager server uses Taskomatic to ping only the minions that appear to have been offline for twelve hours or more, with all minions being contacted at least once in every twenty-four-hour period by default. You can adjust this by changing the web.system_checkin_threshold parameter in rhn.conf. The value is expressed in days, and the default value is 1.

Newly registered Salt minions will have the Salt mine disabled by default. If the Salt mine is running on your system, you can reduce load by disabling it. This is especially effective if you have a large number of minions.

Disable the Salt mine by running this command on the server:

salt '*' state.sls util.mgr_mine_config_clean_up

This will restart the minions and generate some Salt events to be processed by the server. If you have a large number of minions, handling these events could create excessive load. To avoid this, you can execute the command in batch mode with this command:

salt --batch-size 50 '*' state.sls util.mgr_mine_config_clean_up

You will need to wait for this command to finish executing. Do not end the process with Ctrl+C.
