From Idea to Working Deployment: A Practical Guide for Deploying SUSE® Manager
Alessandro Renna, Sales Engineer
Christophe Le Dorze, Sales Engineer
Agenda
• SUSE Manager overview
• Requirements
• Setup Process
• Post-installation Tasks
• Initial Configuration
• Client Registration
• Backup
• Reduce complexity with automation
• Control, standardize and optimize converged, virtualized and cloud data centers
• Reduce risk and avoidable downtime through better change control, discovery and compliance tracking
SUSE Manager
Automated Linux systems management that enables you to comprehensively manage SUSE Linux Enterprise and Red Hat Enterprise Linux systems with a single, centralized solution across physical, virtual and cloud environments.
SUSE® Manager
Operational Benefits
• Transparency
‒ See what is installed on your servers
‒ Compare servers to servers/profiles
• Organizational
‒ Divide and manage sub-organizations
• Provisioning
‒ Initial deployment directly into proven stage
• Maintenance
‒ Central controlled package/patch management
• Upgrade
‒ Automated Service Pack Migration
‒ Automated Major Release Upgrade
SUSE® Manager
Microsoft SCOM Integration
• Management pack for System Center Operations Manager 2007/2012.
• Provides SCOM users a single console to manage and update Windows & Linux servers in the datacenter
[Diagram labels: Linux Servers, SUSE Manager, SUSE Customer Center, Up2date & YUM, RHEL update and patch repository]
SUSE® Manager
System Components
• SUSE Manager Server: Python, Perl, Java, Tomcat, Apache Application Server
• Jabber: Instant Deployment
• Cobbler: Bare Metal Provisioning
• API: Scripting, Third-party
• Proxy: Load Balancing, Branches
• Database: Oracle Database 10g or 11g, PostgreSQL 9.1
SUSE® Manager
Hardware Requirements
• x86_64 server only
• Supported virtual environments: KVM, VMware, Hyper-V
• Intel Pentium 4 or later or AMD Opteron or later
‒ 2GHz, 512K cache or equivalent
‒ Recommended: Intel or AMD multi-core processor, 2.4GHz
• 4 GB of memory
‒ Recommended for production use: 16 GB
• 20 GB of free disk space for base installation
‒ Additionally at least 25 GB for caching per distribution or channel
• 20 GB of storage for the database
• Separate partition for storing backups
Disk Sizing Requirements
Example: SLES® 11 SP2 with SP3 migration
• Base system = 20 GB
• Database = 20 GB
• Channels:
‒ SLES 11 SP1 Pool = 4 GB
‒ SLES 11 SP1 Updates = 20 GB
‒ SLES 11 SP2 Core = 4 GB
‒ SLES 11 SP2 Updates = 20 GB
‒ SLES 11 SP3 Pool = 4 GB
‒ SLES 11 SP3 Updates = 20 GB
• + appropriate SUSE Manager Tools channels = 112 GB + <reserve for 2 Service Packs (~25 GB each)> = ~175 GB disk space
See: https://www.suse.com/support/kb/doc.php?id=7015050
SUSE® Manager
Supported Client OS
• SUSE
‒ SUSE Linux Enterprise Server 12 (x86-64, Power, System Z)
‒ SUSE Linux Enterprise Server 11 SP1 to SP3 (x86, x86-64, Itanium, Power, System Z)
‒ SUSE Linux Enterprise Server 10 SP3 to SP4 (x86, x86-64, Itanium, Power, System Z)
• Novell
‒ Open Enterprise Server 11 SP1
• Red Hat
‒ Red Hat Enterprise Linux 5 (x86, x86-64)
‒ Red Hat Enterprise Linux 6 (x86, x86-64)
‒ Red Hat Enterprise Linux 7 (x86_64)
SUSE® Manager
Other Important Requirements
• Working DNS
‒ You need a working DNS environment, or at least a maintained /etc/hosts on each involved server.
• Fully Qualified Domain Name (FQDN)
‒ SUSE Manager Server needs an FQDN to be able to create the self-signed root CA and the common server certificate.
‒ linux.site is not an option :-)
• Hostname
‒ No special characters like underscore!
‒ Avoid uppercase letters (can cause jabberd to fail)
• NTP (for jabberd connection)
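The naming rules above can be checked before the setup wizard generates the CA and server certificate. This is an added example, not part of the original slides; the function name check_smgr_hostname and the sample names are assumptions, and the empty-label check goes slightly beyond the rules listed on the slide.

```shell
#!/bin/sh
# Added example (not from the slides): string-only pre-flight check of a
# candidate SUSE Manager server name. It performs no DNS lookups.
LC_ALL=C; export LC_ALL   # make [A-Z] mean ASCII uppercase only

# Prints one line per violated rule; returns 0 only if the name passes all rules.
check_smgr_hostname() {
    name=$1
    rc=0
    # Must be fully qualified: at least one dot and no empty labels
    case $name in
        ''|.*|*.|*..*) echo "$name: empty name or empty label"; rc=1 ;;
        *.*) ;;
        *) echo "$name: not a fully qualified name"; rc=1 ;;
    esac
    # The installer default name is ruled out for the CA and server certificate
    if [ "$name" = "linux.site" ]; then
        echo "$name: installer default name, choose a real FQDN"; rc=1
    fi
    # Uppercase letters can cause jabberd to fail
    case $name in
        *[A-Z]*) echo "$name: contains uppercase letters"; rc=1 ;;
    esac
    # Underscore and other special characters are not allowed
    case $name in
        *[!A-Za-z0-9.-]*) echo "$name: contains special characters"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample names, for illustration only
for h in suma01.example.com SUMA_01.example.com linux.site suma01; do
    if check_smgr_hostname "$h"; then echo "$h: ok"; fi
done
```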
SUSE® Manager
Port Requirements
Inbound Connections
67 Open this port to configure SUSE Manager as a DHCP server for systems requesting IP addresses
69 Open this port to configure SUSE Manager as a PXE server and allow installation and re-installation of PXE-boot enabled systems
80 WebUI and client requests come in via either http or https
443 WebUI and client requests come in via either http or https
4545 Monitoring
5222 Connect clients with SUSE Manager for pushing actions to clients
5269 Connect proxies with SUSE Manager for pushing actions to proxies and clients via proxy
Outbound Connections
80 Connecting to SUSE Customer Center
443 Connecting to SUSE Customer Center
4545 Monitoring
5269 Proxies Pushing
SUSE® Manager
Client Connection Types
[Diagram: SUSE Manager reaches SUSE Customer Center over the Internet through a firewall/proxy. Managed system connection types shown: Pull + RHNSD, Pull + OSAD, Push, Push + SSH tunnel. Port labels in the diagram: 443, 5222, 22.]
SUSE® Manager
Topologies
• SUSE Manager can be set up in multiple ways, depending on a number of factors like the following:
‒ The total number of client systems to be served by SUSE Manager
‒ The maximum number of clients expected to connect concurrently to SUSE Manager
‒ The number of custom packages and channels to be served by SUSE Manager
‒ The number of SUSE Manager servers used in the customer environment
SUSE® Manager
Topologies
• Single SUSE Manager Topology
• SUSE Manager + SUSE Manager Proxy
• SUSE Manager Servers Horizontally Tiered
• SUSE Manager + Proxies Vertically Tiered
Deployment of SUSE Manager
Prepare Your Subscriptions
1. Download SUSE Manager from https://download.suse.com
2. Take note of SUSE Manager reg code from Customer Center
3. Take note of org credentials to mirror your SUSE channels
SUSE® Manager
Setup Phases
• 1st Setup Phase
‒ Setup operating system
Language, Keyboard, Root Password, License Agreement, Clock, Timezone, NTP, IP, Proxy, Product Registration
• 2nd Setup Phase
‒ SUSE Manager Setup
Migration from Satellite/Spacewalk/SUSE Manager, Notification e-mail, SSL Certificate, Database, Admin Password, Mirror Credentials
• Fueling with Packages
‒ Mirror software channels from Customer Center
SUSE® Manager
Installation Best Practice
• Do some customizing depending on your environment before running second phase
‒ Install VMware Tools
‒ After registering and updating SUSE Manager (see below)
‒ Install additional agents (Backup/Monitoring/...)
• Manually restart SUSE Manager
‒ spacewalk-service restart
• Register your SUSE Manager and update the installed packages before running the setup wizard
Update SUSE Manager
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema with spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start
SUSE Manager Setup Wizard
1. Log in as root user to the SUSE Manager server.
2. Run the setup wizard: yast2 susemanager_setup
SUSE® Manager
First Steps After Installation
• Open SUSE Manager homepage
• Create SUSE Manager Admin (first user)
• Basic Configuration
‒ Admin → SUSE Manager Configuration
‒ Enable In-App HTTP Proxy for parent SU.Ma server, if any
‒ Do not use protocol prefix in this configuration
‒ Example: my.proxy.server:8080
‒ Review and Update Bootstrap Script
• Create additional admin users
• Start populating software channels
SUSE® Manager
Bootstrap Script Basics
• Automates reconfiguration of clients
‒ Import custom GPG keys
‒ Install SSL certificates
‒ Register system to SUSE Manager
‒ Perform post-configuration activities
• Master script saved as /srv/www/htdocs/pub/bootstrap/bootstrap.sh
‒ some manual configuration may still be required
‒ It is recommended to disable “fully_update_this_box”
SUSE® Manager
Using Multiple Mirror Credentials
Required in case product entitlements are spread out to multiple Customer Center sites
SUSE® Manager
Things to Remember About Mirroring
• The mirror process is scheduled within the database and runs in background
‒ spacewalk-repo-sync
• Each software channel synchronization is logged
‒ /var/log/rhn/reposync
• Only one software channel synchronization at once
• To manually start mirroring:
‒ mgr-ncc-sync
SUSE® Manager
Organizations Basics
• Single (flat) Organization vs. Multiple Child Organizations
‒ Reflects real org hierarchy into SUSE Manager
‒ Other scenarios
• Software and System entitlements are added at the Base Organization and then assigned to child Organizations
• Administration of Child Organizations is delegated to other users
• It is recommended to define at least one new organization
‒ Assign system and software entitlements
Scenario 1: Multi-Department org
Sub-Organizations
• Org Admin manages entire org
• System & group management
• User creation & management
• Content management:
‒ Sw channels, autoinstall prof
‒ Config channels, activation keys ..
Scenario 2: Multiple 3rd-party orgs
Sub-Organizations
• Org Admin manages entire org
• System & group management
• User creation & management
• Content management:
‒ Sw channels, autoinstall prof
‒ Config channels, activation keys ..
SUSE® Manager
System Groups
System group
• A group of systems
• Membership is based on some common attribute
• Create as many groups as needed
• Unions and intersections
Examples
‒ Hardware vendor
‒ Software stack: LAMP, J2EE, DB, etc.
‒ Dev, Test, Prod, etc.
‒ Virtualization: VMware, KVM, XEN, Hyper-V, etc.
‒ IT Service: Corporate Site, CRM
SUSE® Manager
Role Based Access
• SUSE Manager Administrator
• Organization Administrator
• Activation Key Administrator
• Monitoring Administrator
• Configuration Administrator
• Channel Administrator
• System Group Administrator
SUSE® Manager
Register Clients with a Key
[Diagram labels: Server, Activation Key, Software Channels, Software Packages, Configuration Channels, Server Group A, Server Group B, Server Group C]
SUSE® Manager
Activation Keys Best Practice
• Channels to include
‒ suse-manager-tools
• Packages to include
‒ osad (Pushing Tasks)
‒ Will install python-jabberpy and pyxml as dependency
‒ rhncfg-actions (Remote Command, Config Mgmt.)
‒ Will install rhncfg and rhncfg-client as dependency
‒ rhnmd (Monitoring)
SUSE® Manager
Registering Clients = Bootstrapping
• Create bootstrap scripts on server
‒ /srv/www/htdocs/pub/bootstrap
• Register from Client
‒ curl -Sks https://server_hostname/pub/bootstrap/bootstrap-edited.sh | /bin/bash
• Register from Server
‒ cat /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh | ssh root@client_hostname /bin/bash
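The client-side command above uses curl -k, so the script piped into bash is not authenticated by TLS. As an added example (not part of the original slides), the variant below downloads the script to a file and runs it only if its SHA-256 matches a digest obtained out-of-band from the server administrator; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): verify the bootstrap script against a
# pinned SHA-256 digest before executing it, instead of piping curl into bash.

# sha256_of FILE -> prints the lowercase hex digest of FILE
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_bootstrap FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise
verify_bootstrap() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -s "$file" ] || { echo "missing or empty: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 1
    fi
    return 0
}

# register_client SERVER_HOSTNAME EXPECTED_SHA256
register_client() {
    tmp=$(mktemp) || return 1
    # -k stays only because the client does not yet trust the server's
    # self-signed CA; integrity comes from the pinned digest instead.
    if curl -fSsk -o "$tmp" "https://$1/pub/bootstrap/bootstrap-edited.sh" \
        && verify_bootstrap "$tmp" "$2"; then
        /bin/bash "$tmp"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage: script.sh server_hostname expected_sha256
if [ "$#" -eq 2 ]; then
    register_client "$1" "$2"
fi
```

The expected digest is produced on the server with sha256sum /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh and must be regenerated whenever the script is edited.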
Monitoring
• Executing probes
• Gathering the output of these probes to store in the SUSE Manager database
• Monitoring of systems with SUSE Manager requires:
‒ Monitoring service to be enabled on the SUSE Manager server
‒ A monitoring agent to be installed and enabled on the clients (rhnmd or sshd)
‒ Probes package to be installed on the clients
Important Directories
• /rhnsat/
• /etc/sysconfig/rhn/
• /etc/rhn/
• /etc/sudoers
• /etc/tnsnames.ora
• /srv/www/htdocs/pub/
• /var/spacewalk/packages/1
• /root/.gnupg/
• /root/ssl-build/
• /etc/dhcp.conf
• /tftpboot/
• /var/lib/cobbler/
• /var/lib/rhn/kickstarts/
• /srv/www/cobbler
• /var/lib/nocpulse/
Recommendation: /var/spacewalk/
SUSE® Manager
Backing Up the Database
• Oracle
‒ smdba backup-hot
‒ located in /opt/apps/oracle/flash_recovery_area/<uppercase SID>/
• PostgreSQL
‒ smdba backup-hot --enable=on --backup-dir=/<dir>
Restore with: smdba backup-restore force
‒ it will select the most recent backup and purge the rest
Links
https://www.suse.com/products/suse-manager/
https://www.suse.com/documentation/suse_manager/
https://wiki.novell.com/index.php/SUSE_Manager
https://www.suse.com/support/kb/doc.php?id=7012610
https://www.suse.com/support/update/
https://download.suse.com/patch/finder/
http://support.novell.com/security/cve/index.html
http://cve.mitre.org/
SUSE® Manager
Software Channel Rules
• Base/Parent Channels
‒ Each client system will be assigned to one parent channel
‒ Base/Parent channels represent main installation media
• Child Channels
‒ A parent channel can have multiple child channels
‒ A child channel is assigned to one parent channel
‒ Child channels typically contain additional third-party packages, own packages and updates
• Repositories
‒ Import YUM repositories and assign them to channel(s)
Concepts
• Software package
‒ Pre-packaged software, incl:
‒ Executables
‒ Configuration
‒ Scripts (install, remove etc.)
‒ Data
‒ Vendor
‒ Dependencies
‒ Vendor support level
• Patch
‒ Relates to:
‒ Functional defect
‒ Vulnerability
‒ Urgency categories: Security, Bug fix, Enhancement
‒ Contains references to:
‒ Bugzilla issue
‒ CVE number
‒ 1:many relationship to packages
Patch Staging Support
• Vendor Software Channel: As is from vendor – no changes
• Development: Frozen vendor channel – changes possible
• Testing: Frozen development channel – changes possible
• Production: Frozen testing channel – changes possible
Clone Channels
• Are custom channels
• Used to provide software at a certain stage
‒ Avoid sync
‒ Development > Testing > Production cycle
• Do not need space for repositories
• Can be cloned in 3 ways:
‒ Current state of the channel
‒ Original state of the channel
‒ Select patches
Locked Channels
spacewalk-clone-by-date
• Included in spacewalk-utils.rpm
• Create clones of software channels based on a point in time
• Clones all the patches up to a given date
• Runs a dependency resolution routine to add in any missing packages!
Patch Lifecycle Management
spacewalk-manage-channel-lifecycle
• Included in spacewalk-utils.rpm
• Create dev, test and prod cloned channels by default
• Once the patches have been validated in the dev environment, you can promote these patches into the prod env with --promote