Getting Started #
1 Introduction #
This Getting Started Guide provides guidance on setting up SUSE Manager server with KVM. You will learn the fundamentals of managing both traditional and Salt clients.
This guide is intended for system administrators.
Note: SUSE Manager Version Information
In this manual if not other specified, SUSE Manager version 3.2 is assumed and this version is required if a feature is discussed. SUSE Manager 3.2 and SUSE Manager 3.2 Proxy were originally released as a SLES 12 SP3 extension. With the next maintenance update (December 2018), SUSE Manager 3.2 and SUSE Manager 3.2 Proxy will be based on SLES 12 SP4 and support SLE 12 SP4 clients officially. In the following sections and chapters, it is highly recommended to use SLE 12 SP4 instead of SP3. Whenever features of the SUSE Manager 3.2 host operating system are documented and not other specified version 12 SP4 is assumed.
1.1 Introduction to SUSE Manager #
SUSE Manager is a solution for organizations that require absolute control over maintenance and package deployment on their servers. It lets you manage large sets of Linux systems and keep them up to date, with automated software management, asset management, and system provisioning. SUSE Manager allows you to maintain a high level of security while effectively managing system life-cycle requirements.
SUSE Manager uses Salt to provide event-driven configuration and management control. The Salt-master orchestrates thousands of Salt-minions (SUSE Manager Clients) using remote execution.
SUSE Manager is fully compatible with Red Hat Satellite Server and offers seamless management of both SUSE Linux Enterprise and Red Hat Enterprise Linux client systems.
SUSE Manager can be integrated with your network infrastructure in multiple ways. This book will guide you through an initial proof-of-concept setup, using these steps:
Install an operating system (either JeOS or SLES) for use with SUSE Manager
Install SUSE Manager Server
Register SUSE Manager with SUSE Customer Center
Perform initial setup of your SUSE Manager Server
Register a traditional client
Register a Salt minion
The book also contains a section about getting started with Salt.
1.2 Prerequisites for Installation #
Before you begin your installation, ensure you have fulfilled these prerequisites:
Current SUSE Customer Center organization credentials
Access to installation media for your chosen operating system
Your environment meets the hardware and networking requirements
You understand the supported client operating systems
This section contains more information on each of these prerequisites.
Note
SUSE Manager 3.2 is based on SLES 12 SP4 as the host operating system.
1.2.1 Obtaining your SUSE Customer Center Credentials #
You will need to create an account with SUSE Customer Center before you install SUSE Linux Enterprise Server and SUSE Manager. To obtain your SUSE Customer Center credentials:
Procedure: Obtaining Your SCC Organization Credentials #
Open a browser and direct it to https://scc.suse.com/login.
If you have not done so, create an account now.
Log in to your new SCC account.
Under the widget select .
Click the tab.
Record your login information for use during SUSE Manager setup.
1.2.2 Obtaining Installation Media #
This book describes installation methods for both JeOS and SUSE Linux Enterprise Server. The JeOS image provides the quickest installation and setup, and is suitable for a test or proof of concept installation. Alternatively, SUSE Linux Enterprise Server provides a more robust installation, which requires a larger initial download. Choose your preferred operating system based on the type of environment you want to install, and the amount of bandwidth and time you have available.
You can find installation images for JeOS and SLES in your SUSE Customer Center account. Log in, then navigate to the URL for your chosen operating system:
1.2.3 Hardware Requirements #
This table outlines hardware and software requirements on x86_64 and IBM Power PC architecture. For installation on z Systems, see:
Book “Advanced Topics”, Chapter 1 “SUSE Manager on IBM z Systems”
Table 1.1: Hardware Requirements for x86_64 Architecture #
| Hardware | Recommended |
|---|---|
CPU | Multi-core 64-bit CPU |
RAM: | Test Server Minimum 8 GB |
Base Installation Minimum 16 GB | |
Production Server Minimum 32 GB | |
Disk Space: |
|
| |
|
Table 1.2: Hardware Requirements for IBM POWER8 or POWER9 Architecture #
| Hardware | Recommended |
|---|---|
CPU | Minimum 4 dedicated cores |
RAM: | Test Server Minimum 8 GB |
Base Installation Minimum 16 GB | |
Production Server Minimum 32 GB | |
Disk Space: |
|
| |
|
1.2.4 Network Requirements #
This section details the networking and port requirements for SUSE Manager.
- Fully Qualified Domain Name (FQDN)
The SUSE Manager server must resolve its FQDN correctly or cookies will not work properly on the WebUI. For more information about configuring the hostname and DNS, see SUSE Linux Enterprise Server Documentation - Configuring Host Name and DNS
- Hostname and IP Address
To ensure that the SUSE Manager domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. For more information about setting up a DNS server, see SUSE Linux Enterprise Server Documentation - The Domain Name System
- Using a Proxy When Installing from SUSE Linux Enterprise Media
If you are on an internal network and do not have access to SUSE Customer Center, you can set up and use a proxy during installation. For more information about configuring a proxy for access to SUSE Customer Center during a SUSE Linux Enterprise installation, see SUSE Linux Enterprise Server Documentation - Using a Proxy During Installation
Important: Naming Your Server
The hostname of SUSE Manager must not contain uppercase letters as this may cause jabberd to fail. Choose the hostname of your SUSE Manager server carefully. Although changing the server name is possible, it is a complex process and unsupported.
In a production environment, SUSE Manager server and its clients should always use a firewall. This table gives an overview of required ports, to be used when you are setting up your firewall rules.
Table 1.3: Required Server Ports #
| Port | Protocol | Description |
|---|---|---|
22 | TCP | SSH |
67 | UDP | DHCP |
69 | UDP | TFTP, used to support PXE services |
80 | TCP | HTTP, used in some bootstrap cases |
123 | UDP | NTP time service |
443 | TCP | HTTPS, used for Web UI, client, Proxy server, and API traffic |
4505 | TCP | Salt, used by the Salt-master to accept communication requests from minions |
4506 | TCP | Salt, used by the Salt-master to accept communication requests from minions |
5222 | TCP | XMPP client, used for communications with the |
5269 | TCP | XMPP server, used for pushing actions to SUSE Manager Proxy |
For more information on disconnected setup and port configuration, see:
Book “Best Practices”, Chapter 2 “Managing Your Subscriptions”, Section 2.2 “Disconnected Setup with RMT or SMT (DMZ)”
Book “Advanced Topics”, , Section A.1 “SUSE Manager Server”
1.2.5 Supported Client Systems #
Supported operating systems for traditional and Salt clients are listed in this table.
Table 1.4: Supported Client Systems #
| Operating Systems | Architecture | Traditional Clients | Salt Clients |
|---|---|---|---|
SUSE Linux Enterprise 11 SP4 | x86, x86_64, Itanium, IBM POWER, z Systems | Supported | Supported |
SUSE Linux Enterprise 12 SP3, 12 SP4 | x86_64, IBM POWER (IBM Power PC), z Systems, ARM | Supported | Supported |
SUSE Linux Enterprise 15 | x86_64, IBM POWER (IBM Power PC), z Systems, ARM | Supported | Supported |
Latest minor release Red Hat Enterprise Linux Server 6 | x86, x86_64 | Supported | Supported |
Latest minor release Red Hat Enterprise Linux Server 7 | x86_64 | Supported | Supported |
Open Enterprise Server 2015, 2015 SP1, 2018 | x86_64 | Supported | Supported |
Note: Supported Versions and SP Levels
Client operating system versions and SP levels must be under general support (normal or LTSS) to be supported with SUSE Manager. For details on supported product versions, see https://www.suse.com/lifecycle.
2 JeOS Installation #
2.1 Virtual Machine Manager (virt-manager) Settings #
This chapter provides the required (KVM) settings for installation of SUSE Linux Enterprise Just Enough Operating System (JeOS) 12 as the base for SUSE Manager. A kernel virtual machine (KVM) combined with Virtual Machine Manager (virt-manager) will be used as a sandbox for your first installation.
Tip: SUSEVirtualization Guide
For more information on virtualization, see: SUSE Linux Enterprise Virtualization Guide
Enter the following settings when creating a new virtual machine using virt-manager. In the following table replace version with the actual product version string.
| KVM Settings | |
|---|---|
Installation Method | Import Existing Disk Image |
OS: | Linux |
Version: | SLES<VERSION>-JeOS-for-kvm-and-xen.x86_64-GM.qcow2 |
Memory: | 4096 MB |
CPU’s: | 2 |
Storage Format: | .qcow2 24 GB (Default) JeOS Root Partition |
Virtual Disks: | |
VirtIO Disk 2 | 101 GB for |
VirtIO Disk 3 | 50 GB for |
VirtIO Disk 4 | 4 GB for swap |
Name: | test-setup |
Network | Bridge br0 |
Tip: SUSE Virtualization Guide
For more information on virtualization, see: SUSE Linux Enterprise Virtualization Guide
2.2 JeOS KVM Settings #
Create three additional virtual disks required for the SUSE Manager storage partitions.
Procedure: Creating the Required Partitions with KVM #
Create a new virtual machine using the downloaded JeOS KVM image and select .
Configure RAM and number of CPUs (At least 4 GB RAM and 2 CPUs).
Name your KVM machine and select the check box.
Select the button and create three new virtual disks with the following specifications. These disks will be partitioned and mounted in Procedure: Preparing JeOS for SUSE Manager Installation.
VirtIO Storage Disks Name Sizing VirtIO Disk 2
spacewalk
101 GB
VirtIO Disk 3
pgsql
50 GB
VirtIO Disk 4
swap
4 GB
Click and your new VM will boot from the JeOS image.
Proceed through the basic JeOS installation prompts until you reach the command line.
Tip: Root Password
During the basic installation prompts you are asked to enter the root password. Select a strong password and then in the next message box .
2.3 Preparing JeOS for SUSE Manager #
Procedure: Preparing JeOS for SUSE Manager Installation #
Register with SCC:
SUSEConnect -e`EMAIL_ADDRESS`-r`SUSE_MANAGER_CODE`
Add SUSE Manager repositories:
SUSEConnect -p SUSE-Manager-Server/<productnumber>/x86_64 -r`SUSE_MANAGER_CODE`
Install yast2-storage with all required dependencies (approx. 40 packages, 30 MB when installed). This basic administration package is required for preparing storage partitions:
zypper in -t package yast2-storage
Partition and mount the virtual disks at the following locations using YaST Partitioner (
yast2 disk).VirtIO Storage Disks Name Storage Size File System Type VirtIO Disk 2
/var/spacewalk101 GB
XFS
VirtIO Disk 3
/var/lib/pgsql50 GB
XFS
VirtIO Disk 4
swap4 GB
swap
SLES by default uses the BTRFS file system. A mount point is created automatically for
/var/lib/pgsql/(even when not installed). This must be removed or commented out from the/etc/fstabentries. As root, edit/etc/fstaband comment out or remove the line:/var/lib/pgsql btrfs subvol=@/var/lib/pgsql 0 0
Warning: Remove
pgsqlfrom the fstab Configuration FileIf you do not remove this line from fstab the first time you shut down the server you will lose your database. This occurs because you will have duplicate entries in the fstab file. Updated tools shipped with recent SPs will no longer require human intervention.
Exit the partitioner and install the SUSE Manager pattern:
zypper in -t pattern suma_server
For proceeding with SUSE Manager setup, see SUSE Manager Setup.
3 SUSE Linux Enterprise Server Installation #
This chapter provides the required KVM settings for installation of SUSE Linux Enterprise Server media as the base for SUSE Manager.
A kernel virtual machine KVM combined with Virtual Machine Manager (virt-manager) will be used as a sandbox for this installation.
3.1 SLES KVM Requirements #
Enter the following settings when creating a new virtual machine using virt-manager (replace version with the actual version string):
| KVM Settings for SLES | Installation Method: |
|---|---|
Local install media (ISO image or CDROM) | OS: |
Linux | Version: |
| Memory: |
4096 MB | CPUs: |
2 | Storage Format: |
ISO 3 GB | Disk Space: |
234 GB split between 4 GB swap and 130 GB mounted at | |
(Virtual Disk 1) and 50 GB mounted at | |
(Virtual Disk 2). The rest for the root partition (100 GB+). | Name: |
example-server | Network |
3.1.1 SLES KVM Settings #
This section provides guidance on installation of SUSE Manager
utilizing the full installation media with KVM and virt-manager.
This section assumes you have previously setup an account with SCC and downloaded the SLES full installation media.
Procedure: Preparing for SLES Installation #
In
virt-managerselect › .Select .
Ensure is selected then click and locate the full SLES image you downloaded from your SCC account.
Configure your machine with at least 4096 MB RAM and a minimum of 2 CPUs.
Create a storage device with a minimum of 234 GB storage space for the installation. During the partitioning setup of the SLES installation this disk should be partitioned into the following disks:
Disk Space Requirements 4 GB Swap space
130 GB XFS partition (or dedicated virtual disk) for
/var/spacewalk/50 GB XFS partition (or dedicated virtual disk) for
/var/lib/pgsql/The remaining storage space will be used by the operating system for the root partition. Select to begin the installation.
Installation of SUSE Linux Enterprise Server will begin. For more information on completing an installation of SUSE Linux Enterprise Server, see: SUSE Linux Enterprise Installation Quickstart.
3.2 Selecting the SUSE Manager Extension #
During the SUSE Linux Enterprise Server installation you will be presented with the .
Select the SUSE Manager Extension and then click the button.
Complete the SUSE Linux Enterprise Server installation.
4 SUSE Manager Setup #
4.1 Topics #
This section covers SUSE Manager setup. You will perform the following procedures:
Start SUSE Manager setup via YaST or command line
Create the main administration account with the SUSE Manager Web UI
Name your base organization and add login credentials
Sync the SUSE Linux Enterprise product channel from SUSE Customer Center
4.2 SUSE Manager Setup #
Warning: Third Party Software
SUSE Manager is an extension of SUSE Linux Enterprise Server and compatible with the software shipped with SUSE Linux Enterprise Server.
SUSE Manager is a complex system, and therefore installing third party is not allowed. Installing monitoring software provided by a third party vendor is allowed only if you do not exchange basic libraries such as SSL, cryptographic software, and similar tools. In case of emergency, SUSE reserves the right to ask to remove any third party software (and associated configuration changes) and then to reproduce the problem on a clean system.
This section will guide you through SUSE Manager setup procedures.
Procedure: SUSE Manager Setup #
Login to the SUSE Manager server desktop and perform one of the following actions to begin setup:
Select › › › .
Open a terminal as root and type
yast2 susemanager_setupto begin setup.
From the introduction screen select › . Then click to continue.
Enter the email address that should receive status notifications about SUSE Manager. The number of emails sent from SUSE Manager can be extensive, therefore notifications via email may be disabled from the Web UI after setup. Then click to continue.
Enter your certificate information and a password. The password should be stored in a secure location.
Important: Certificate Password
Without this password it will not be possible to set up a SUSE Manager Proxy Server.
Click to continue.
From the › screen, enter a database user and password. This password should be stored in a secure location. Then click to continue.
Enter your SUSE Customer Center
Organization Credentials. Open https://scc.suse.com/login to register or access to your organization credentials.Note:
If you are using SUSE Enterprise products, SUSE Manager requires that you connect to SUSE Customer Center for software, updates and patches. You will not be able to synchronize or provide Enterprise channels to your clients without this information.
However if you would like to work with open source software channels and repositories then click the button to continue. You can setup your SUSE Customer Center credentials or configure inter-server sync at a later time.
Click to continue.
Click to run setup when prompted.
Once setup has completed, click to continue. You will see the address of the SUSE Manager Web UI.
Click to complete SUSE Manager setup.
In the next section you will create the administrator’s account and synchronize with SUSE Customer Center.
4.2.1 Creating the Main Administration Account #
This section will walk you through creating your organizations main administration account for SUSE Manager.
Warning: Admin and User Accounts
The main administration account is the highest authority account within SUSE Manager and therefore account access information should be stored in a secure location.
For security it is recommended that the main administrator creates low level admin accounts designated for administration of organizations and individual groups.
Procedure: Setup the Main Administration Account #
In the browser, enter the address provided after completing setup and open the SUSE Manager Web UI.
Add your organization name to the › field.
Add your username and password to the › and › fields.
Fill in the Account Information fields including an email for system notifications.
Select to finish creating your administration account.
You should now be presented with the SUSE Manager Front Page. In the next section you will prepare the server for connecting the first client.
4.2.2 Syncing Products from SUSE Customer Center #
SUSE Customer Center (SCC) maintains a collection of repositories which contain packages, software and updates for all supported enterprise client systems. These repositories are organized into channels each of which provide software specific to a distribution, release and architecture. After synchronizing with SCC clients may receive updates, and be organized into groups and assigned to specific product software channels.
This section covers synchronizing with SCC from the Web UI and adding your first client channel.
Procedure: Synchronizing with SUSE Customer Center #
From the SUSE Manager Web UI start page select › .
From the › › page select the tab. Wait a moment for the products list to populate. If you previously registered with SUSE Customer Center a list of products will populate the table. This table lists architecture, channels, and status information. For more information, see: Book “Reference Manual”, Chapter 17 “Admin”, Section 17.1 “ › › ”
Since Your SUSE Linux Enterprise client is based on
x86_64architecture scroll down the page and select the check box for this channel now.Add channels to SUSE Manager by selecting the check box to the left of each channel. Click the arrow symbol to the left of the description to unfold a product and list available modules.
Start product synchronization by clicking the button.
After adding the channel SUSE Manager will schedule the channel to be copied.
This can take a long time as SUSE Manager will copy channel software sources from the SUSE repositories located at SUSE Customer Center to local /var/spacewalk/ directory of your server.
Tip: PostgreSQL and Transparant Huge Pages
In some environments, Transparent Huge Pages provided by the kernel may slow down PostgreSQL workloads significantly.
To disable Transparant Huge Pages set the transparent_hugepage kernel parameter to never.
This has to be changed in /etc/default/grub and added to the line GRUB_CMDLINE_LINUX_DEFAULT, for example:
GRUB_CMDLINE_LINUX_DEFAULT="resume=/dev/sda1 splash=silent quiet showopts elevator=noop transparent_hugepage=never"
To write the new configuration run grub2-mkconfig -o /boot/grub2/grub.cfg.
To update the grub2 during boot run grub2-install /dev/sda.
Monitor channel synchronization process in real-time by viewing channel log files located in the directory /var/log/rhn/reposync:
tailf /var/log/rhn/reposync/<CHANNEL_NAME>.log
After the channel sync process has completed proceed to: Chapter 5, Registering Clients
5 Registering Clients #
5.1 Introduction #
For SUSE Manager 3 and later, you can choose to use either traditional or Salt client management framework, or a mixture of both, depending on your environment and requirements.
- Salt
Is an end-to-end data-center automation tool which may also be used outside the scope of SUSE Manager to introduce reactive, real-time orchestration, and configuration management.
5.2 Creating Activation Keys #
Activation keys are used with both traditional and Salt clients to ensure that your clients have the correct software entitlements, are connecting to the appropriate channels, and are subscribed to the relevant groups. Each activation key is bound to an organization, which you can set when you create the key.
This section contains information on how to create activation keys for both traditional and Salt clients, and provides some best practices for working with activation keys.
Procedure: Creating Activation Keys #
As the administrator login to the SUSE Manager Web UI.
Navigate to › .
To open the
Activation Key Detailspage click the button in the upper right corner.
On the
Activation Key Detailspage in theDescriptionfield, enter a name for the activation key.In the
Keyfield, enter the distribution and service pack associated with the key. For example,SLES12-SP4for SUSE Linux Enterprise Server 12 SP4.Warning: Allowed Characters
Do not use commas in the
Keyfield for any SUSE products. However, you must use commas for Red Hat Products. For more information, see Book “Reference Manual”, Chapter 7 “Systems”, Section 7.9 “Systems > Activation Keys”.In the
Base Channelsdrop-down box, select the SUSE Linux Enterprise channel that you added during First Channel Sync.When the base channel is selected the list of available child channels will get fetched and displayed in real time below the base channel. Select the child channels you need (for example, the SUSE Manager tools and the updates channels that are actually mandatory).
We recommend you leave the
Contact Methodset toDefault.We recommend you leave the
Universal Defaultsetting unchecked.Click to create the activation key.
Check the
Configuration File Deploymentcheck box to enable configuration management for this key, and click to save this change.
When you create activation keys, keep these best practices in mind:
Avoid using the
SUSE Manager Defaultparent channel. This setting forces SUSE Manager to choose a parent channel that best corresponds to the installed operating system, which can sometimes lead to unexpected behavior. Instead, we recommend you create activation keys specific to each distribution and architecture.If you are using bootstrap scripts, consider creating an activation key for each script. This will help you align channel assignments, package installation, system group memberships, and configuration channel assignments. You will also need less manual interaction with your system after registration.
If you do not enter a human-readable name for your activation keys, the system will automatically generate a number string, which can make it difficult to manage your keys. Consider a naming scheme for your activation keys to help you keep track of them.
Note that the
Configuration File Deploymentcheck box does not appear until after you have created the activation key. Ensure you go back and check the box if you need to enable configuration management.
5.3 Creating the SUSE Manager Tools Repository #
In this section you will create a tools repository on the SUSE Manager Server for providing client tools. The client tools repository contains packages for installing Salt on minions as well as required packages for registering traditional clients during the bootstrapping procedure. These packages will be installed from the newly generated repository during the registration process. In the following procedure you will create the SUSE Linux Enterprise tools repository.
Important: Creating a Tools Repository when an SCC Channel has not been Synced
Before following the procedure to create the tools repository make sure the SUSE vendor channel you will be using with your client has been completely synced.
You can check this by running tail -f /var/log/rhn/reposync/<CHANNEL_NAME>.log as root.
In the following example replace version with the actual version string:
# tail -f /var/log/rhn/reposync/sles`version`-pool-x86_64.log
Once completed you should see the following output in your terminal:
2017/12/12 15:20:32 +02:00 Importing packages started. 2017/12/12 15:22:02 +02:00 1.07 % ... 2017/12/12 15:34:25 +02:00 86.01 % 2017/12/12 15:35:49 +02:00 Importing packages finished. 2017/12/12 15:35:49 +02:00 Linking packages to channel. ... 2017/12/12 15:35:59 +02:00 Sync completed.
Procedure: Generating the Tools Repository for SUSE Linux Enterprise #
Open a terminal on the server as root and enter the following command to list available bootstrap repositories:
mgr-create-bootstrap-repo -l SLE-`version`-x86_64
Then invoke the same command using the listed repository as the product label to actually create the bootstrap repository:
mgr-create-bootstrap-repo -c SLE-`version`-x86_64
SUSE Manager will create and add the client tools to the newly created
repositoriesdirectory located at/srv/www/htdocs/pub/repositories/.
This repository is suitable for both Server and Desktop of SUSE Linux Enterprise.
Note: Support for SUSE Linux Enterprise 15 Products
If you have mirrored more than one SUSE Linux Enterprise 15 Product (for example, SLES, {slda}, and SLES for SAP Application), you can specify the one you are actually interested in. First check what is avaiable:
mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-custom-channel Multiple options for parent channel found. Please use option --with-parent-channel <label> and choose one of: - sle-product-sles15-pool-x86_64 - sle-product-sles_sap15-pool-x86_64 - sle-product-sled15-pool-x86_64
Then specify it with --with-parent-channel:
mgr-create-bootstrap-repo -c SLE-15-x86_64 --with-parent-channel sle-product-sled15-pool-x86_64
5.4 Registering Traditional Clients #
5.4.1 Generating a Bootstrap Script #
This section goes over generating a template bootstrap script which will be copied and modified for use with “traditional” clients. Traditional clients register with SUSE Manager via a bootstrap script executed on the client which deploys all necessary packages to it. The bootstrap script contains parameters which assigns a client system to its base channel. Two of these important parameters are:
Activation Keys
GNU Privacy Guard (GPG) Keys
Note: SLES 15 and Python 3
SLES 15 utilizes Python 3 by default. Because of this change any older bootstrap scripts (based on python 2) must be re-created for SLES 15 systems. Attempting to register SLES 15 systems with SUSE Manager using Python 2 versions of the bootstrap script will fail.
The following procedure will guide you through generating a bootstrap script.
Procedure: Creating a Bootstrap Script #
From the SUSE Manager Web UI, browse to › › › . For more information, see Book “Reference Manual”, Chapter 17 “Admin”, Section 17.4 “ › › ”, Section 17.4.2 “ › ”.
In the
SUSE Manager Configuration - Bootstrapdialog disableBootstrap using Salt. Use default settings and click the button.
Warning: Using SSL
Unchecking in the Web UI or setting
USING_SSL=0in the bootstrap script is not recommended. If you disable SSL nevertheless you will need to manage custom CA certificates to be able to run the registration process successfully.A template bootstrap script is generated and stored on the server’s file system in the
/srv/www/htdocs/pub/bootstrapdirectory.cd /srv/www/htdocs/pub/bootstrap
The bootstrap script is also available at
https://example.com/pub/bootstrap/bootstrap.sh.
Section 5.4.2, “Editing the Bootstrap Script” will cover copying and modifying your bootstrap template for use with each client.
5.4.2 Editing the Bootstrap Script #
In this section you will copy and modify the template bootstrap script you created from Section 5.4.1, “Generating a Bootstrap Script”.
A minimal requirement when modifying a bootstrap script for use with SUSE Manager is the inclusion of an activation key. Depending on your organizations security requirements it is strongly recommended to include one or more (GPG) keys (for example, your organization key, and package signing keys). For this tutorial you will be registering with the activation keys created in the previous section.
Procedure: Modifying the Bootstrap Script #
Login as root from the command line on your SUSE Manager server.
Navigate to the bootstrap directory with:
cd /srv/www/htdocs/pub/bootstrap/
Create and rename two copies of the template bootstrap script for use with each of your clients.
cp bootstrap.sh bootstrap-sles11.sh cp bootstrap.sh bootstrap-sles12.sh
Open
sles12.shfor modification. Scroll down and modify both lines marked in green. You must comment outexit 1with a hash mark (#) to activate the script and then enter the name of the key for this script in theACTIVATION_KEYS=field as follows:echo "Enable this script: comment (with #'s) this block (or, at least just" echo "the exit below)" echo #exit 1 # can be edited, but probably correct (unless created during initial install): # NOTE: ACTIVATION_KEYS *must* be used to bootstrap a client machine. ACTIVATION_KEYS=1-sles12 ORG_GPG_KEY=
Once you have completed your modifications save the file and repeat this procedure for the second bootstrap script. Proceed to Section 5.4.3, “Connecting Clients”.
Note: Finding Your Keys
To find key names you have created: In the Web UI, click › › › . All keys created for channels are listed on this page. You must enter the full name of the key you wish to use in the bootstrap script exactly as presented in the key field.
5.4.3 Connecting Clients #
This section covers connecting your clients to SUSE Manager with the modified bootstrap script.
Procedure: Running the Bootstrap Script #
From your SUSE Manager Server command line as root navigate to the following directory:
cd /srv/www/htdocs/pub/bootstrap/
Run the following command to execute the bootstrap script on the client:
cat MODIFIED-SCRIPT.SH | ssh root@example.com /bin/bash
The script will execute and proceed to download the required dependencies located in the repositories directory you created earlier. Once the script has finished running, log in to the Web UI and click › to see the new client listed.
This concludes the bootstrap section of this guide. Section 5.5, “Registering Salt Clients” will go over registering Salt minions for use with SUSE Manager.
5.4.4 Package Locks #
Package locks are used to prevent unauthorized installation or upgrades to software packages on traditional clients. When a package has been locked, it will display to users with a padlock icon, indicating that it can not be installed. Any attempt to install a locked package will be reported as an error in the event log.
Locked packages can not be installed, upgraded, or removed, either through the SUSE Manager Web UI, or directly on the client machine using a package manager. Locked packages will also indirectly lock any dependent packages.
Note
Package locks can only be used on traditional clients that use the Zypper package manager. The feature is not currently supported on Red Hat Enterprise Linux or Salt clients.
Procedure: Using Package Locks #
On the client machine, install the
zypp-plugin-spacewalkpackage:# zypper in zypp-plugin-spacewalk
Navigate to the › › tab on the managed system to see a list of all available packages.
Select the packages to lock, and click . You can also choose to enter a date and time for the lock to activate. Note that even if you do not select a date and time, the lock might not activate immediately.
To remove a package lock, select the packages to unlock and click . You can also choose to enter a date and time for the lock to deactivate. Note that even if you do not select a date and time, the lock might not deactivate immediately.
5.5 Registering Salt Clients #
There are currently three methods for registering Salt minions.
This section describes the first method and uses a bootstrap repository.
The second method uses the bootstrap script, and is mostly similar to the procedure described in Section 5.4, “Registering Traditional Clients”-the difference is enabling Bootstrap using Salt and the activation key option Configuration File Deployment that applies highstate automatically.
The third method uses the Web UI, and is described in Book “Reference Manual”, Chapter 7 “Systems”, Section 7.6 “Bootstrapping (Salt)”.
You can also use these methods to change existing traditional clients into Salt minions.
The rest of this section assumes you have created a SUSE Manager tools repository. You can review creating a tools repository in Section 5.3, “Creating the SUSE Manager Tools Repository”.
When you have fully synchronized a base channel from the Web UI for clients to obtain software packages from (for example: SLES12-SP4-Pool_for_x86_64) perform the following procedure to register a Salt minion.
Procedure: Registering Salt Minions #
On your minion as root enter the following command:
zypper ar http://FQDN.server.example.com/pub/repositories/sle/12/4/bootstrap/ \ sles12-sp4
Note
Do not use
HTTPS. UseHTTPinstead to avoid errors.After adding the repository containing the necessary Salt packages execute:
zypper in salt-minion
Modify the minion configuration file to point to the fully qualified domain name (
FQDN) of the SUSE Manager server (master):vi /etc/salt/minion
Find and change the line:
master: salt
to:
master: FQDN.server.example.com
Restart the Salt minion with:
systemctl restart salt-minion
Your newly registered minion should now show up within the Web UI under › .
Accept the pending key to begin management.
5.6 Troubleshooting Salt Clients #
5.6.1 Mounting /tmp with noexec #
Salt runs remote commands from /tmp of the client’s filesystem.
Therefore you must not mount /tmp with the noexec option.
5.6.2 Cloned Salt Clients #
If you have used your hypervisor clone utility, and attempted to register the cloned Salt client, you might get this error:
We're sorry, but the system could not be found.
This is caused by the new, cloned, system having the same machine ID as an existing, registered, system. You can adjust this manually to correct the error and register the cloned system successfully.
6 Getting Started with Salt #
6.1 Introduction #
This section introduces you to the new Salt features added in SUSE Manager 3. This chapter assumes you have completed all previous Getting Started sections. At a minimum have the following setup:
A freshly installed SUSE Manager server with a main admin account and a synced product channel
Preferably two registered Salt minions to experiment with.
If you find yourself stuck at any point refer to the SaltStack Get Started tutorial located at https://docs.saltstack.com/en/getstarted/fundamentals/index.html.
Note
This guide does not attempt to cover all that Salt has to offer. This guide is a primer for using Salt with SUSE Manager. For comprehensive Salt documentation, see https://docs.saltstack.com/en/latest/contents.html.
The current version of Salt in SUSE Manager is 2018.3.0.
6.2 Understanding Salt Calls #
- Salt Calls
Salt calls are defined by three main properties:
salt 'target' <function> [arguments]
- Target
Use the second property in a Salt call to target a single machine or group of machines. Specify the minion or group of minions you would like to run a function on.
- General Targeting
List available grains on all minions:
salt '*' grains.ls
Ping a specific minion:
salt 'web1.example.com' test.ping
- Glob Targeting
Ping all minions using a domain:
salt '*example.com' test.ping
Display the OS name of all minions with the
webserverlabel:salt 'webserver*' grains.item oscodename
- List Targeting
salt -L 'webserver.example.com,db.example.com' test.ping
- Regular Expression Targeting
You may use PCRE-compliant regular expressions:
salt -E '(?!web)' test.ping
- IP Address Targeting
List minion IP addresses:
salt '*' network.ip_addrs
Ping a specific minion IP address:
salt -S '172.31.60.74' test.ping
Ping all minions on a subnet:
salt -S 172.31.0.0/16 test.ping
Tip: Lookup a Subnet Using the
ipCommandYou can use the
ipcommand to find the subnet mask in the format of192.168.1.1/24:ip -o -f inet addr show | awk '/scope global/ {print $4}'
- Function
Once you have specified a target, provide the function you would like to call. Functions also accept arguments. Arguments are space-delimited, for example:
salt '*' cmd.run 'echo "Hello: $FIRST_NAME"' env='{FIRST_NAME: "John"}'- Locating Additional Minion Functions
Find more functions which can be called on minions by running:
salt '*' sys.doc
A full list of callable functions are located here: https://docs.saltstack.com/en/2015.8/ref/modules/all/index.html
- Arguments
Provides the extra data needed by a function you are calling. The command
pkg.installrequires an argument specifying a package to install. YaST has been selected for installation, for example:salt '*' pkg.install yast2
6.3 Common Salt Terminology #
- Grains
Grains provide information about the hardware of a minion. For example, the operating system, IP addresses, network interfaces, memory, etc. When running a Salt command from keep in mind any modules and functions called are run locally from the system being called. Salt modules are stored on minions and master within the following directory:
/usr/lib/python2.7/site-packages/salt/
List all available grains with the
grains.lsfunction:salt '*' grains.ls
List collected grain system data by using the
grains.lsfunction:salt '*' grains.items
For more information on grains, see https://docs.saltstack.com/en/latest/topics/grains/.
- States
States are templates which place systems into a known configuration, for example which applications and services are installed and running on those systems. States are a way for you to describe what each of your systems should look like. Once written, states are applied to target systems automating the process of managing and maintaining a large numbers of systems into a known state. For more information on states, see https://docs.saltstack.com/en/latest/topics/tutorials/starting_states.html.
Warning: Updating Salt
Do not update salt itself using Salt states. First update all other system packages using Salt states then update salt as a separate stand-alone step from the SUSE Manager Web UI.
- Pillar
Pillars unlike grains are created on the master. Pillar files contain information about a minion or group of minions. Pillars allow you to send confidential information to a targeted minion or group of minions. Pillars are useful for sensitive data, configuration of minions, variables, and any arbitrary data which should be defined. For more information on pillars, see https://docs.saltstack.com/en/latest/topics/tutorials/pillar.html.
- Beacons
Beacons allow an admin to use the event system in Salt to monitor non-Salt processes. Minions may use beacons to hook into many types of system proceses for constant monitoring. Once a targeted monitored activity occurs an event is sent on the Salt event bus that may be used to trigger a reactor.
Important: Enabling Beacons
To work with beacons on Salt minions the package python-pyinotify must be installed for SUSE systems. For RES systems install python-inotify. This package is not installed automatically during the salt minion package installation.
Note: Peer Communication with salt-broker
The salt-broker acts like a switch and not like a hub, therefore Peer communication will only work for minions behind the same broker/Proxy. For more information on Salt and peer communication see: https://docs.saltstack.com/en/latest/ref/peer.html
6.4 Useful Salt Commands #
The following list provides several useful Salt commands.
- salt-run
Print a list of all minions that are up:
salt-run manage.up
Print a list of all minions that are down:
salt-run manage.down
Print a list with the current status of all Salt minions:
salt-run manage.status
Check the version of Salt running on the master and active minions:
salt-run manage.versions
- salt-cp
Copy a file to a minion or set of minions.
salt-cp '*' foo.conf /root
For more information, see https://docs.saltstack.com/en/latest/ref/cli/salt-cp.html.
- salt-key -l
List public keys:
salt-key -l
- salt-key -A
Accept all pending keys:
salt-key -A
6.5 Salt File Locations and Structure #
The following screen describes Salt file structures and their locations used by the SUSE Manager Server.
These files are listed in /etc/salt/master.d/susemanager.conf:
# Configure different file roots
file_roots:
base:
- /usr/share/susemanager/salt #Should not be touched by a user
- /srv/susemanager/salt #Should not be touched by a user
- /srv/salt #Your custom states go here
# Configure different pillar roots
pillar_roots:
base:
- /usr/share/susemanager/pillar #Should not be touched by a user
- /srv/pillar #Custom pillars go here
# Extension modules path
extension_modules: /usr/share/susemanager/modules
# Master top configuration
master_tops:
mgr_master_tops: TrueThe following tips should be kept in mind when working with /etc/salt/master.d/susemanager.conf.
Files listed are searched in the order they appear.
The first file found is called.
6.5.1 file_roots #
SUSE Manager as the Salt master reads its state data from three specific file root directories.
- /usr/share/susemanager/salt
This directory is created by SUSE Manager and its content generated by the
/usr/share/susemanager/modules/tops/mgr_master_tops.pypython module. It is shipped and updated together with SUSE Manager and includes certificate setup and common state logic that will be applied to packages and channels.Warning: Do Not Edit
You should not edit or add custom Salt data to this directory.
- /srv/susemanager/salt
This directory is created by SUSE Manager and contains assigned channels and packages for minions, groups, and organizations. These files will be overwritten and regenerated. A good analogy for this directory would be the SUSE Manager database translated into Salt directives.
Warning: Do Not Edit
You should not edit or add custom Salt data to this directory.
- /srv/salt
The directory
/srv/saltis for your custom state data, salt modules etc. SUSE Manager does not perform any actions on this directory. However the state data placed here affects the Highstate of minions and is merged with the result generated by SUSE Manager.Note: Editable
Place custom Salt data here.
6.5.2 pillar_roots #
SUSE Manager as the Salt master reads its pillar data from two specific pillar root directories.
- /usr/share/susemanager/pillar
This directory is generated by SUSE Manager. It is shipped and updated together with SUSE Manager.
Warning: Do Not Edit
You should not edit or add custom Salt data to this directory.
- /srv/pillar
SUSE Manager by default does not touch or do anything with this directory. However the custom pillar data placed here is merged with the pillar result created by SUSE Manager.
Tip: Editable Directory
Place your custom Salt pillar data here.
6.6 Install the SUSE Manager Locale Formula #
The following section provides guidance on installing and using SUSE provided Salt formulas.
Procedure: Installing the Locale Formula #
Install the locale formula with:
zypper install locale-formula
Note
This installs the package contents to
/usr/share/susemanager/formulas/{metadata,states}After installing the RPM, log in to the SUSE Manager Web UI.
Browse to the › page of any minion you would like to apply the formula to.
On the › page you will see a new tab. Select it to view a list of installed formulas.
From the list select › and click .
A new tab will appear next to the › subtab. Select the new › tab.
The › tab contains options for setting the language, keyboard layout, timezone, and whether hardware clock is set to UTC. Select the desired options and click .
Run the following command to verify pillar settings. The output has been truncated.
salt '$your_minion' pillar.items
... keyboard_and_language: ---------- keyboard_layout: English (US) language: English (US) machine_password: foobar mgr_server: manager_server org_id:alt '$your_minion_here' 1 timezone: ---------- hardware_clock_set_to_utc: True name: CET ...Apply this state to your minion by applying the highstate from the command line with:
salt '$your_minion' state.highstate
Note
You can also apply the highstate from the previous formula tab from the SUSE Manager Web UI by selecting › and clicking .
6.7 Use Pillars to Set the Package Download Endpoint #
By default, SUSE Manager assumes that the download endpoint to use is the FQDN of the SUSE Manager server, or the SUSE Manager Proxy. However, there are some cases where you might like to use a different FQDN as the download endpoint. The most common example is if you need to use load balancing, caching proxies, or in environments with complicated networking requirements.
To change the package download endpoint, you can manually adjust three salt pillars:
* pkg_download_point_protocol, defaults to https.
* pkg_download_point_host, defaults to the FQDN of the SUSE Manager Server (or Proxy, if in use).
* pkg_download_point_port, defaults to 443.
If you do not adjust these pillars directly, SUSE Manager will fall back to the default values.
Procedure: Changing the package download endpoint pillar #
Navigate to
/srv/pillar/and create a file calledtop.slswith these contents:base: '*': - pkg_download_endpointsThis example directs Salt to look at the
pkg_download_endpoints.slsfile to determine the base URL to use. You can adjust this file to target different minions or groups, depending on your environment.Remain in
/srv/pillar/and create a file calledpkg_download_endpoints.slswith the base URLs you want to use. For example:pkg_download_point_protocol: http pkg_download_point_host: example.com pkg_download_point_port: 444
OPTIONAL: You can use grains to set conditional values, for example:
{% if grains['fqdn'] == 'minion1.example.com' %}
pkg_download_point: example1.com
{% elif grains['fqdn'] == 'minion2.example.com' %}
pkg_download_point: example2.com
{% else %}
pkg_download_point: example.com
{% endif %}OPTIONAL: If you want to use external pillars, for example Group IDs, open the master configuration file and set the
ext_pillar_firstparameter totrue. You can then use Group IDs to set conditional values, for example:{% if pillar['group_ids'] is defined and Group_ID in pillar['group_ids'] %} pkg_download_point_protocol: http pkg_download_point_host: example.com pkg_download_point_port: 444 {% else %} pkg_download_point_protocol: ftp pkg_download_point_host: example.com pkg_download_point_port: 445 {% endif %}
6.8 Disabling the Salt Mine #
In older versions, SUSE Manager used a tool called Salt mine to check minion availability.
The Salt mine would cause minions to contact the server every hour, which created significant load.
With the introduction of a more efficient mechanism in SUSE Manager 3.2, the Salt mine is no longer required.
Instead, the SUSE Manager server uses Taskomatic to ping only the minions that appear to have been offline for twelve hours or more, with all minions being contacted at least once in every twenty four hour period by default.
You can adjust this by changing the web.system_checkin_threshold parameter in rhn.conf.
The value is expressed in days, and the default value is 1.
Newly registered Salt minions will have the Salt mine disabled by default. If the Salt mine is running on your system, you can reduce load by disabling it. This is especially effective if you have a large number of minions.
Disable the Salt mine by running this command on the server:
salt '*' state.sls util.mgr_mine_config_clean_up
This will restart the minions and generate some Salt events to be processed by the server. If you have a large number of minions, handling these events could create excessive load. To avoid this, you can execute the command in batch mode with this command:
salt --batch-size 50 '*' state.sls util.mgr_mine_config_clean_up
You will need to wait for this command to finish executing. Do not end the process with Ctrl–C.