From Idea to Working Deployment: A Practical Guide for Deploying SUSE® Manager (SUSECON)

Alessandro Renna, Sales Engineer

Christophe Le Dorze, Sales Engineer


Agenda

• SUSE Manager overview

• Requirements

• Setup Process

• Post-installation Tasks

• Initial Configuration

• Client Registration

• Backup

SUSE® Manager Introduction

• Reduce complexity with automation

• Control, standardize and optimize converged, virtualized and cloud data centers

• Reduce risk and avoidable downtime through better change control, discovery and compliance tracking

SUSE Manager

Automated Linux systems management that enables you to comprehensively manage SUSE Linux Enterprise and Red Hat Enterprise Linux systems with a single, centralized solution across physical, virtual and cloud environments.


✔ Optimize ✔ Control ✔ Innovate

SUSE® Manager

Manage the Entire Lifecycle


Operational Benefits

• Transparency

‒ See what is installed on your servers

‒ Compare servers to servers/profiles

• Organizational

‒ Divide and manage sub-organizations

• Provisioning

‒ Initial deployment directly into proven stage

• Maintenance

‒ Central controlled package/patch management

• Upgrade

‒ Automated Service Pack Migration

‒ Automated Major Release Upgrade

High-level Architecture

[Diagram labels: SUSE Customer Center; update channels; custom channels]

Microsoft SCOM Integration

Management pack for System Center Operations Manager 2007/2012.

Provides SCOM users with a single console to manage and update Windows & Linux servers in the datacenter

[Diagram labels: Up2date & YUM; RHEL update and patch repository; Linux servers; SUSE Manager; SUSE Customer Center]

System Components

• SUSE Manager Server: Python, Perl, Java, Tomcat, Apache Application Server

• Jabber: Instant Deployment

• Cobbler: Bare Metal Provisioning

• API: Scripting, Third-party

• Proxy: Load Balancing, Branches

• Oracle Database 10g or 11g, PostgreSQL 9.1

Planning the Installation

Requirements

Hardware Requirements

• x86_64 server only

• Supported virtual environments: KVM, VMware, Hyper-V

• Intel Pentium 4 or later or AMD Opteron or later

‒ 2GHz, 512K cache or equivalent

‒ Recommended: Intel or AMD multi-core processor, 2.4GHz

• 4 GB of memory

‒ Recommended for production use: 16 GB

• 20 GB of free disk space for base installation

‒ Additionally at least 25 GB for caching per distribution or channel

• 20 GB of storage for the database

• Separate partition for storing backups

Disk Sizing Requirements

Example: SLES® 11 SP2 with SP3 migration

• Base system = 20 GB

• Database = 20 GB

• Channels:

‒ SLES 11 SP1 Pool = 4 GB

‒ SLES 11 SP1 Updates = 20 GB

‒ SLES 11 SP2 Core = 4 GB

‒ SLES 11 SP2 Updates = 20 GB

‒ SLES 11 SP3 Pool = 4 GB

‒ SLES 11 SP3 Updates = 20 GB

• + appropriate SUSE Manager Tools channels = 112 GB + <2 Service Packs (~25 GB each) reserve> = ~175 GB disk space

See: https://www.suse.com/support/kb/doc.php?id=7015050

Supported Client OS

• SUSE

‒ SUSE Linux Enterprise Server 12 (x86-64, Power, System Z)

‒ SUSE Linux Enterprise Server 11 SP1 to SP3 (x86, x86-64, Itanium, Power, System Z)

‒ SUSE Linux Enterprise Server 10 SP3 to SP4 (x86, x86-64, Itanium, Power, System Z)

• Novell

‒ Open Enterprise Server 11 SP1

• Red Hat

‒ Red Hat Enterprise Linux 5 (x86, x86-64)

‒ Red Hat Enterprise Linux 6 (x86, x86-64)

‒ Red Hat Enterprise Linux 7 (x86_64)


Other Important Requirements

• Working DNS

‒ You need to have a working DNS environment, or at least a maintained /etc/hosts on each involved server.

• Fully Qualified Domain Hostname

‒ SUSE Manager Server needs an FQDN to be able to create the self-signed root CA and common server certificate.

‒ linux.site is no option :-)

• Hostname

‒ No special characters like underscore!

‒ Avoid uppercase letters (can cause jabberd to fail)

• NTP (for jabberd connection)
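
A pre-flight check for the naming rules above, as an added example that is not part of the presentation. The function names and the `--local` switch are assumptions of this example, and the DNS lookup needs a live resolver:

```shell
#!/bin/bash
# Pre-flight check for the SUSE Manager server name (added example).
# Function names are hypothetical; the rules come from the slide above.
LC_ALL=C; export LC_ALL   # keep [[:upper:]] / [[:alnum:]] ASCII-only

# check_server_name NAME
# Prints one line per violated rule; returns 1 if any rule is violated.
check_server_name() {
    name=$1; rc=0
    case $name in
        ?*.?*) ;;   # at least host.domain
        *) echo "FAIL: '$name' is not a fully qualified name"; rc=1 ;;
    esac
    case $name in
        linux.site) echo "FAIL: default name linux.site is no option"; rc=1 ;;
    esac
    case $name in
        *[[:upper:]]*) echo "FAIL: uppercase letters (can cause jabberd to fail)"; rc=1 ;;
    esac
    case $name in
        *[![:alnum:].-]*) echo "FAIL: special characters such as underscore"; rc=1 ;;
    esac
    return $rc
}

# check_resolves NAME
# Forward lookup through DNS or /etc/hosts, whichever nsswitch consults.
check_resolves() {
    getent hosts "$1" >/dev/null || { echo "FAIL: '$1' does not resolve"; return 1; }
}

# Check this machine only when asked to: ./preflight.sh --local
if [ "${1:-}" = "--local" ]; then
    fqdn=$(hostname -f)
    check_server_name "$fqdn" && check_resolves "$fqdn" && echo "OK: $fqdn"
fi
```

Run it before the second setup phase, since the self-signed CA and server certificate are created for whatever name the server has at that point.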

Port Requirements

Inbound Connections

67 Open this port to configure SUSE Manager as a DHCP server for systems requesting IP addresses

69 Open this port to configure SUSE Manager as a PXE server and allow installation and re-installation of PXE-boot enabled systems

80 WebUI and client requests come in via either http or https

443 WebUI and client requests come in via either http or https

4545 Monitoring

5222 Connect clients with SUSE Manager for pushing actions to clients

5269 Connect proxies with SUSE Manager for pushing actions to proxies and clients via proxy

Outbound Connections

80 Connecting to SUSE Customer Center

443 Connecting to SUSE Customer Center

4545 Monitoring

5269 Proxies Pushing

Client Connection Types

[Diagram labels: SUSE Customer Center; Internet; Firewall/proxy; SUSE Manager; managed systems (Pull + RHNSD), (Pull + OSAD), (Push), (Push + SSH tunnel); ports 443, 5222 and 22]

Topologies

• SUSE Manager can be set up in multiple ways, depending on a number of factors like the following:

‒ The total number of client systems to be served by SUSE Manager

‒ The maximum number of clients expected to connect concurrently to SUSE Manager

‒ The number of custom packages and channels to be served by SUSE Manager

‒ The number of SUSE Manager servers used in the customer environment

• Single SUSE Manager Topology

• SUSE Manager + SUSE Manager Proxy

• SUSE Manager Servers Horizontally Tiered

• SUSE Manager + Proxies Vertically Tiered

Setup Process


Deployment of SUSE Manager

Prepare Your Subscriptions

1. Download SUSE Manager from https://download.suse.com

2. Take note of SUSE Manager reg code from Customer Center

3. Take note of org credentials to mirror your SUSE channels


Setup Phases

• 1st Setup Phase

‒ Setup operating system

Language, Keyboard, Root Password, License Agreement, Clock, Timezone, NTP, IP, Proxy, Product Registration

• 2nd Setup Phase

‒ SUSE Manager Setup

Migration from Satellite/Spacewalk/SUSE Manager, Notification eMail, SSL Certificate, Database, Admin Password, Mirror Credentials

• Fueling with Packages

‒ Mirror software channels from Customer Center


Installation Best Practice

• Do some customizing depending on your environment before running second phase

‒ Install VMware Tools

‒ After registering and updating SUSE Manager (see below)

‒ Install additional agents (Backup/Monitoring/...)

• Manually restart SUSE Manager

‒ spacewalk-service restart

• Register your SUSE Manager and update the installed packages before running the setup wizard


Register SUSE Manager

[Screenshot annotation: check this box]

Update SUSE Manager

1. Log in as root user to the SUSE Manager server.

2. Stop the Spacewalk service: spacewalk-service stop

3. Apply the patch using either zypper patch or YaST Online Update.

4. Upgrade the database schema with spacewalk-schema-upgrade

5. Start the Spacewalk service: spacewalk-service start


SUSE Manager Setup Wizard

[Screenshot annotation: check this box]

1. Log in as root user to the SUSE Manager server.

2. Run the setup wizard: yast2 susemanager_setup

Post-Installation Tasks


First Steps After Installation

• Open SUSE Manager homepage

• Create SUSE Manager Admin (first user)

• Basic Configuration

‒ Admin → SUSE Manager Configuration

‒ Enable In-App HTTP Proxy for parent SUSE Manager server, if any

‒ Do not use protocol prefix in this configuration

‒ Example: my.proxy.server:8080

‒ Review and Update Bootstrap Script

• Create additional admin users

• Start populating software channels


Bootstrap Script Basics

• Automates reconfiguration of clients

‒ Import custom GPG keys

‒ Install SSL certificates

‒ Register system to SUSE Manager

‒ Perform post-configuration activities

• Master script saved as /srv/www/htdocs/pub/bootstrap/bootstrap.sh

‒ some manual configuration may still be required

‒ It is recommended to disable “fully_update_this_box”


Generate the Bootstrap Script


Using Multiple Mirror Credentials

Required in case product entitlements are spread out to multiple Customer Center sites


Setup Wizard to Mirror channels


Things to Remember About Mirroring

• The mirror process is scheduled within the database and runs in background

‒ spacewalk-repo-sync

• Each software channel synchronization is logged

‒ /var/log/rhn/reposync

• Only one software channel synchronization at once

• To manually start mirroring:

‒ mgr-ncc-sync

Perform the Initial Configuration

Organizations, System Groups, User Roles

Organizations Basics

• Single (flat) Organization vs. Multiple Child Organizations

‒ Reflects real org hierarchy into SUSE Manager

‒ Other scenarios

• Software and System entitlements are added at the Base Organization and then assigned to child Organizations

• Administration of Child Organizations is delegated to other users

• It is recommended to define at least one new organization

‒ Assign system and software entitlements


Scenario 1: Multi-Department org

Sub-Organizations

• Org Admin manages entire org

• System & group management

• User creation & management

• Content management:

‒ Sw channels, autoinstall prof

‒ Config channels, activation keys ..

Scenario 2: Multiple 3rd Party orgs

Sub-Organizations

• Org Admin manages entire org

• System & group management

• User creation & management

• Content management:

‒ Sw channels, autoinstall prof

‒ Config channels, activation keys ..


System Groups

System group

• A group of systems

• Membership is based on some common attribute

• Create as many groups as needed

• Unions and intersections

Examples

‒ Hardware vendor

‒ Software stack: LAMP, J2EE, DB, etc.

‒ Dev, Test, Prod, etc.

‒ Virtualization: VMware, KVM, XEN, Hyper-V, etc.

‒ IT Service: Corporate Site, CRM


Role Based Access

• SUSE Manager Administrator

• Organization Administrator

• Activation Key Administrator

• Monitoring Administrator

• Configuration Administrator

• Channel Administrator

• System Group Administrator

Configure Activation Keys

Register Clients to SUSE Manager

Register Clients with a Key

[Diagram labels: Activation Key; Software Channels; Software Packages; Configuration Channels; Server; Server Group A; Server Group B; Server Group C]

Activation Keys


Activation Keys Best Practice

• Channels to include

‒ suse-manager-tools

• Packages to include

‒ osad (Pushing Tasks)

  ‒ Will install python-jabberpy and pyxml as dependency

‒ rhncfg-actions (Remote Command, Config Mgmt.)

  ‒ Will install rhncfg and rhncfg-client as dependency

‒ rhnmd (Monitoring)


Registering Clients = Bootstrapping

• Create bootstrap scripts on server

‒ /srv/www/htdocs/pub/bootstrap

• Register from Client

‒ curl -Sks https://server_hostname/pub/bootstrap/bootstrap-edited.sh | /bin/bash

• Register from Server

‒ cat /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh | ssh root@client_hostname /bin/bash
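
The client-side one-liner above runs curl with -k, which turns off certificate verification, and pipes whatever arrives straight into a root shell. An added example (not from the presentation) that downloads the script to a file and runs it only if its SHA-256 digest matches one computed on the server and carried to the client separately; the function names and the digest hand-off are assumptions of this example:

```shell
#!/bin/bash
# Verify bootstrap-edited.sh before running it as root (added example).
# Function names and the digest hand-off are hypothetical, not part of
# SUSE Manager.

# sha256_of FILE -> hex digest on stdout
sha256_of() { sha256sum "$1" | cut -d' ' -f1; }

# verify_bootstrap FILE EXPECTED_SHA256 -> 0 only if FILE is non-empty and matches
verify_bootstrap() {
    [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ] || { echo "digest mismatch: got $actual" >&2; return 1; }
}

# fetch_and_run_bootstrap SERVER EXPECTED_SHA256
# EXPECTED_SHA256 is computed on the SUSE Manager server with
#   sha256sum /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh
# and handed to the client out of band (ticket, config management, ...).
fetch_and_run_bootstrap() {
    tmp=$(mktemp) || return 1
    rc=1
    # -f: fail on HTTP errors so an error page is never executed.
    # -k: kept from the slide because the client does not trust the
    #     server's CA yet; the digest check is what authenticates the file.
    if curl -fsS -k -o "$tmp" "https://$1/pub/bootstrap/bootstrap-edited.sh" &&
       verify_bootstrap "$tmp" "$2"; then
        rc=0
        /bin/bash "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return $rc
}
```

Recompute the digest whenever bootstrap-edited.sh changes on the server, otherwise every client run fails closed with a mismatch.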


Monitoring

• Executing probes

• Gathering the output of these probes to store in the SUSE Manager database

• Monitoring of systems with SUSE Manager requires:

‒ Monitoring service to be enabled on the SUSE Manager server

‒ A monitoring agent to be installed and enabled on the clients (rhnmd or sshd)

‒ Probes package to be installed on the clients

Backup SUSE Manager


Important Directories

• /rhnsat/

• /etc/sysconfig/rhn/

• /etc/rhn/

• /etc/sudoers

• /etc/tnsnames.ora

• /srv/www/htdocs/pub/

• /var/spacewalk/packages/1

• /root/.gnupg/

• /root/ssl-build/

• /etc/dhcp.conf

• /tftpboot/

• /var/lib/cobbler/

• /var/lib/rhn/kickstarts/

• /srv/www/cobbler

• /var/lib/nocpulse/

Recommendation: /var/spacewalk/


Backing Up the Database

• Oracle

‒ smdba backup-hot

‒ located in /opt/apps/oracle/flash_recovery_area/<uppercase SID>/

• PostgreSQL

‒ smdba backup-hot --enable=on --backup-dir=/<dir>

Restore with: smdba backup-restore force

‒ it will select the most recent backup and purge the rest


Links

https://www.suse.com/products/suse-manager/

https://www.suse.com/documentation/suse_manager/

https://wiki.novell.com/index.php/SUSE_Manager

https://www.suse.com/support/kb/doc.php?id=7012610

https://www.suse.com/support/update/

https://download.suse.com/patch/finder/

http://support.novell.com/security/cve/index.html

http://cve.mitre.org/

Thank you.


It's SHOWTIME!

Appendix

Software Channels


Software Channel Rules

• Base/Parent Channels

‒ Each client system will be assigned to one parent channel

‒ Base/Parent channels represent main installation media

• Child Channels

‒ A parent channel can have multiple child channels

‒ A child channel is assigned to one parent channel

‒ Child channels typically contain additional third-party packages, own packages and updates

• Repositories

‒ Import YUM repositories and assign them to channel(s)

Package and Patch Management


Concepts

• Software package

‒ Pre-packaged software, incl:

‒ Executables

‒ Configuration

‒ Scripts (install, remove etc.)

‒ Data

‒ Vendor

‒ Dependencies

‒ Vendor support level

• Patch

‒ Relates to:

‒ Functional defect

‒ Vulnerability

‒ Urgency categories: Security, Bug fix, Enhancement

‒ Contains references to:

‒ Bugzilla issue

‒ CVE number

‒ 1:many relationship to packages

Understand Staging of Software Channels


Patch Staging Support

Vendor Software Channel: As is from vendor – no changes

Development: Frozen vendor channel – changes possible

Testing: Frozen development channel – changes possible

Production: Frozen testing channel – changes possible

Clone Channels, Custom Channels

Clone Channels

• Are custom channels

• Used to provide software at a certain stage

‒ Avoid sync

‒ Development > Testing > Production cycle

• Do not space for repositories

• Can be cloned in 3 ways:

‒ Current state of the channel

‒ Original state of the channel

‒ Select patches


Locked Channels

spacewalk-clone-by-date

• Included in spacewalk-utils.rpm

• Create clones of software channels based on a point in time

• Clones all the patches up to a given date

• Runs a dependency resolution routine to add in any missing packages!


Patch Lifecycle Management

spacewalk-manage-channel-lifecycle

• Included in spacewalk-utils.rpm

• Create dev, test and prod cloned channels by default

• Once the patches have been validated in the dev environment, you can promote these patches into the prod env with --promote
