Come and see how Subscription Management Tool for SUSE Linux Enterprise 11 can help you achieve your goals. If you:
- Want one tool to manage updates for SUSE Linux Enterprise 9, 10 and 11, Novell Open Enterprise Server and Red Hat Enterprise Linux servers ...
- Want to be on top of your company's licensing compliance, but for bandwidth and/or security reasons can't connect all of your machines to Novell Customer Center to register and retrieve updates ...
- Have servers or desktops in isolated networks that are difficult to update ...
- Want to integrate additional software update repositories (either external or internal) into your update solution ...
- Want an out-of-the box staging solution for testing updates before releasing them to users ...
- Want to get a quick overview of the patch status of your SUSE Linux Enterprise 11 servers and desktops ...
... Then this is the session for you.
This session will discuss:
- An overview of Subscription Management Tool
- Installation and basic configuration
- How to manage Subscription Management Tool repositories
- Configuring clients to use Subscription Management Tool
- Jobs and client status monitoring
- Staging
- Compliance monitoring
- Supportconfig proxy
- Mirroring other products and repositories
- Disconnected Subscription Management Tool servers
- Tips and tricks
Update Management and Compliance Monitoring with the Subscription Management Tool 11
Andreas Taschner
Sr. Technical Support
© Novell, Inc. All rights reserved.
Agenda
Introduction to Subscription Management Tool (SMT) 11
Installation and Basic Configuration
Managing SMT
Configuring Clients to Use SMT
Jobs and Client Status Monitoring
Staging
Agenda (continued)
Compliance Monitoring with SMT Reports
Supportconfig Proxy
Mirroring Other Products/Repositories
Disconnected SMT Servers
Upgrading from SMT 1.0
Tips and Tricks
Introduction
Why Do We Have SMT?
• Challenges:
– Every SUSE® Linux Enterprise (SLE) 10/11 based machine connects to Novell® Customer Center (NCC) for registration and download of updates
– Difficult to maintain security perimeter at the firewall
– Compliance monitoring is difficult
– Devices with no internet access require homemade update solutions
– Need to streamline updates for non-SLE components
Updating SUSE® Linux Enterprise 10/11
[Diagram labels: Novell® Customer Center, Customer Network]
Solution: Subscription Management Tool
• Novell® SLES 11 add-on to mirror all you need:
– SUSE® Linux Enterprise Desktop and Server 10/11, SLES 9
– Open Enterprise Server 2
– SLE 10/11 SDK
– Other SLE based products (NLD, SLEPOS, VMDP++)
– Red Hat™ Enterprise servers 3.9, 4.7, 5.2
– Third-party repositories (custom, ati, vlc, nvidia etc.)
• Allows for more restrictive firewall policies
• Bandwidth optimization
• Reporting - compliance monitoring
• Fast and scalable
High-level Architecture
[Diagram labels: Subscription Management Tool, Novell® Customer Center, Customer Network]
LAMP Architecture
[Diagram labels: Novell® Customer Center, Subscription Management Tool Server, Perl, Apache, MySQL, Updates, Local servers; port labels 443 and 443/80]
Installation
Requirements
• Active Maintenance Subscriptions
• SUSE® Linux Enterprise Server (SLES) 11
• System requirements same as SLES
• Valid DNS host name such as smt.mycompany.com
• ~10 GB storage space per product and architecture
– More if also mirroring sources
Managing SMT
Managing SMT
• YaST modules
– SMT server configuration (yast2 smt-server)
> Only used for initial and global configuration
» Reporting addressees
» Job schedules
– SMT server management (yast2 smt)
> Day-to-day management
» Repositories
» Staging
» Client status monitoring
Managing SMT (continued)
• SMT console commands
– Command syntax : smt subcommand
> Use smt-subcmd instead of smt subcommand
> man smt-subcommand / smt-subcommand -h
– Examples :
> smt-mirror -L /var/log/smt/smt-mirror.log -d
> smt-client -n sled
YaST SMT Module
Repositories
YaST SMT Module (continued)
Staging
YaST SMT Module (continued)
Clients
Configuring Clients
Registering Clients with SMT Server
• Registration process uses https
– SMT server CA needs to be installed onto clients
• /etc/suseRegister.conf needs to point to SMT server
• Setting up SUSE® Linux Enterprise 10 SP2+ clients
– During installation:
> Advanced | Local registration server in NCC dialog (interactive install)
> regurl and regcert kernel parameters (interactive install)
> AutoYaST – add a section in AutoYaST profile (autoinstall):
» suse_register (SLE 11) or customer_center (SLE 10)
– Post installation time:
> Run clientSetup4SMT.sh script to import SMT server CA, configure suse_register and perform the registration
Registering Clients (continued)
xsles11a:~ # zypper ls
# | Alias | Name | Enabled | Refresh | Type
--+--------------------------+--------------------------+---------+---------+------
1 | SMT-http_xsmt11a_nts_com | SMT-http_xsmt11a_nts_com | Yes | No | ris
2 | CD1 | CD1 | Yes | Yes | yast2
xsles11a:~ # zypper lr
# | Alias | Name | Enabled | Refresh
--+-----------------------------------------+----------------+---------+--------
1 | CD1 | CD1 | Yes | Yes
2 | SMT-http_xsmt11a_nts_com:SLES11-Extras | SLES11-Extras | No | Yes
3 | SMT-http_xsmt11a_nts_com:SLES11-Updates | SLES11-Updates | Yes | Yes
Reporting/Compliance Monitoring
Reporting
• To assist in compliance monitoring SMT generates weekly reports with info like
– Statistics of the registered machines and products used
– Active, expiring, or missing subscriptions
– Alerts if the number of registered machines and products exceeds the number of purchased subscriptions
• Flexible configuration options like mail recipients of reports, type of reports and attachments
• Can be in plain text, CSV, XML or PDF format
• On-demand reports
Reporting (continued)
t61srvsp2:~ # smt-report --local
Downloading Subscription information
Downloading Registration information
Subscription Report based on a local calculation
================================================
Alerts:
13 Machines use too many 'SUSE Linux Enterprise Server 10 / SUSE LINUX Enterprise Server 9' subscriptions. please log in to the Novell Customer Center (http://www.novell.com/center) and assign or purchase matching entitlements.
...
Footer
Generated on: t61srvsp2.nts.com
Site ID: 142723
SMT ID: 3aba20eea2884ea8a17c70e92bc323b3
Jobs and Client Status Monitoring
Job Queue and Client Status
• Enables
– Patchstatus reporting
– Software update and pushing
– Execution of commands, reboot, eject
• Consists of server and client side components
– Server
> Jobs - defined in the SMT database with smt-job command
> Clients patch status reporting tools
» Clients tab in YaST SMT module
» smt-client command
– Client
> smt-client package (SUSE® Linux Enterprise 11 only)
Job Queue and Client Status (continued)
• Client and SMT server communicate over SSL
• Management of client jobs is command-line based
• All clients get a persistent patch status job assigned during registration
• Jobs
– Must be assigned to individual clients by specifying their GUID during creation
– Can be queried/modified/deleted after submission
– Can depend on another job (parent/child relationship)
Job Queue and Client Status (continued)
• SMT-job command
– Wealth of parameters to the command
> See man smt-job
• Example of update job creation
– # smt-job --create --type update --guid <client-guid>
– # smt-job -c -t update -g <client-guid>
Job Queue and Client Status (continued)
• SMT-client command
– Examples
> smt-client
» Overview
> smt-client status -n sles11 -L /var/log/smt/smt-client.log
» Details on selected clients
• Keep in mind that Package Manager patches can hide security and other categories of patches
– This is because the client "can not see" the patches that will become applicable after updating the package manager until after it has been updated
Job Queue and Client Status (continued)
xsmt11a:~ # smt-client
.------------------------------------------------------------------------------------------.
| GUID | Hostname | Patch Status | Patch Status Date |
+----------------------------------+-------------+-------------------+---------------------+
| 7a4df09998da498b8de8f769585daea0 | xres47a | Unknown | |
| 122b33b92f7f4b62a06404156e6719fe | xres52a | Unknown | |
| 9dedbca2c3df4c04946bbf3216053a29 | xsled11a | Up-to-date | 2010-01-29 09:52:35 |
| 623a1864464e4b57a1afe8504504114b | xsles10sp3a | Unknown | |
| 1559a785c49d4289a6a79c2646b15f14 | xsles11a | Critical | 2010-01-29 10:50:59 |
| 7e5d68f953e24d0599d9eb3163e441a7 | xsles11b | Unknown | |
| c92d8213d7394cb0b7476b55e746ec64 | xsles11f | Updates available | 2010-02-03 15:11:29 |
| d16b02e6c6a04d3f878063fd0b85aaf7 | xsmt11a | Up-to-date | 2010-02-03 12:02:07 |
'----------------------------------+-------------+-------------------+---------------------'
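A triage pass over the smt-client table above, as an added example that is not part of the original slides. The function names smt_triage and sample_table and the cutoff-date argument are assumptions; the sample rows are copied from the output shown above.

```shell
#!/bin/sh
# Usage on an SMT server: smt-client | smt_triage 2010-02-01
# Prints hostname<TAB>GUID<TAB>reason for every client that needs follow-up.
smt_triage() {
    cutoff="$1"   # reports dated before this ISO date (YYYY-MM-DD) count as stale
    awk -F'[|]' -v cutoff="$cutoff" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF < 5 { next }                        # table borders and prompt lines
        {
            guid = trim($2); host = trim($3)
            status = trim($4); seen = trim($5)
            if (guid !~ /^[0-9a-f]+$/) next    # header row
            if (status == "Critical")
                reason = "critical patches pending"
            else if (status == "Unknown" || seen == "")
                reason = "no patch status reported"
            else if (substr(seen, 1, 10) < cutoff)
                reason = "status older than " cutoff " (" status ")"
            else if (status == "Updates available")
                # A pending package manager patch can hide security patches.
                reason = "updates pending, categories may be incomplete"
            else
                next                           # recent Up-to-date report
            printf "%s\t%s\t%s\n", host, guid, reason
        }'
}

# Sample input: rows copied from the smt-client output above (borders shortened).
sample_table() {
cat <<'EOF'
.----------------------------------.
| GUID | Hostname | Patch Status | Patch Status Date |
+----------------------------------+
| 7a4df09998da498b8de8f769585daea0 | xres47a | Unknown | |
| 9dedbca2c3df4c04946bbf3216053a29 | xsled11a | Up-to-date | 2010-01-29 09:52:35 |
| 1559a785c49d4289a6a79c2646b15f14 | xsles11a | Critical | 2010-01-29 10:50:59 |
| c92d8213d7394cb0b7476b55e746ec64 | xsles11f | Updates available | 2010-02-03 15:11:29 |
| d16b02e6c6a04d3f878063fd0b85aaf7 | xsmt11a | Up-to-date | 2010-02-03 12:02:07 |
'----------------------------------'
EOF
}

sample_table | smt_triage 2010-02-01
```

Clients that report "Unknown" have never delivered a patch status; on this page only SUSE Linux Enterprise 11 clients can carry the smt-client package, so such hosts need a separate check.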
Job Queue and Client Status (continued)
The GUI Version
Staging
Staging
• Mirror all patches, but only publish approved ones to clients
• GUI and command-line based management
– YaST2 smt module
> Repositories and staging tabs
– smt-repos command
– smt-staging command (only for geeks)
• Management tools only fully support SUSE® Linux Enterprise 11 and newer repositories
Staging (continued)
• Repositories are mirrored to different directories depending on their staging flag
• Administrator
– Selects patches and creates a testing snapshot of these
– Redirects selected clients to testing repos
> E.g. by using execution jobs
– When patches in testing snapshot have been approved
> Create production snapshot
> Reconfigure test clients if desired
Staging (continued)
[Diagram labels: Novell® Customer Center, Mirror, Non-staged, Staged, Full, Testing, Production, Testing snapshot, Production snapshot, Clients]
Staging (continued)
Supportconfig Proxy
SMT Support
• SMT server can act as proxy for supportconfig archives
• supportconfig files can be uploaded to SMT server
– # supportconfig -U 'http[s]://mysmt/upload?file={tarball}' -r 12345678901
– Tarball then named nts_$SR_NUM_hostname_date_time.tbz
– Stored in /var/spool/smt-support on SMT server
• Default upload target in /etc/supportconfig.conf
– Configured with clientSetup4SMT.sh or AutoYaST post script
SMT Support (continued)
• (SMT) administrator can then
– Process supportconfig archive files
> Run Novell® Support Advisor against the uploaded files
> Add contact information to individual archives during upload
> Upload to open service requests
• Run smt-support -h to get details on options
– Upload a specific archive - e.g. :
» smt-support -u nts_SR10588349999_xsles11a_100127_0917.tbz
Mirroring Other Products/Repositories
Mirroring Other Products/Repositories
• Standard tool to distribute updates for
– In-house developed applications
– Third-party repositories
• Must be repomd based
> See Software Repositories at OpenSUSE® for details
• To enable non-interactive subscription to non-Novell® repositories (not signed by Novell)
– Place the key used to sign the repodata in repo/keys/ of SMT server
> Will be imported (prompt) during registration and clientSetup4SMT.sh
> # rpm --import <url-of-repo-signing-key>
Mirroring SUSE® Linux Enterprise 9
• Having a SLES 9 server running only for YOU?
• smt-mirror-sle9 is the answer
• Enables mirroring of
– SUSE Linux Enterprise Server 9
– Novell® Linux Desktop 9
– SUSE Linux Enterprise 9 Software Development Kit
– Novell Linux Point of Service
• Check out the deployment guide on how to optimize it
Updating Red Hat Enterprise Linux
• Red Hat Enterprise Linux Server repositories as part of the Novell® Expanded Support offering
– Novell makes selected packages available in repositories on NCC (nu.novell.com)
• Setup
– Mirror the relevant repositories on SMT server
– Install the signing key and import it on the Red Hat servers
– Configure yum/up2date client
– Register the Red Hat servers against SMT (optional)
• TID 7004324 describes
– How to update Red Hat Enterprise Linux with SMT 11
Disconnected SMT Servers
Isolated SMT Servers
[Diagram labels: Open Network, Novell® Customer Center, SMT (external), Mobile disk, No network conn., Restricted Network, SMT (internal)]
Upgrading from SMT 1.0
Upgrading SMT from 1.0
• SMT 11 is not designed to upgrade
• If SMT 11 is installed during the SUSE® Linux Enterprise Server upgrade to 11, then it minimizes the need for extra work
• Cool solution explains the procedure:
– Upgrading SMT from version 1.0 to 1.1
– Transfer settings from smt.conf to smt.conf.rpmnew and swap the files
– Kick off a mirror to update the new fields in the DB
– (Optional) create patchstatus jobs for SLE 11 clients
Tips and Tricks
Tips and Tricks
• Patches get mirrored, but are not visible to the clients
– Check if staging is involved
• Disaster recovery
– Plan and survive - see TID 7004986
• If deploying multiple SMT servers
– Repositories can be preloaded
• http://forums.novell.com → SUSE® Linux Enterprise Server → Updates
• SMT Master TID 7005002
– Links to what is known of good stuff
The End
• This was a lot of details about SMT
• Many cool features
• But deployment can be really simple:
– Install it
– Find and enter your mirror credentials
– Mirror the repositories you need
– Configure the clients
– Voila !
• And remember : SMT is FREE of charge !