From Idea to Working Deployment: A Practical Guide for Deploying SUSE Manager
Alessandro Renna, Sales Engineer, arenna@suse.com
Christophe Le Dorze, Sales Engineer, cledorze@suse.com
Agenda
- SUSE Manager overview
- Requirements
- Setup Process
- Post-installation Tasks
- Initial Configuration
- Client Registration
- Backup
SUSE Manager Introduction
SUSE Manager
Automated Linux systems management that enables you to comprehensively manage SUSE Linux Enterprise and Red Hat Enterprise Linux systems with a single, centralized solution across physical, virtual and cloud environments.
- Reduce complexity with automation
- Control, standardize and optimize converged, virtualized and cloud data centers
- Reduce risk and avoidable downtime through better change control, discovery and compliance tracking
SUSE Manager: Manage the Entire Lifecycle
- Optimize
- Control
- Innovate
SUSE Manager Operational Benefits
- Transparency
  - See what is installed on your servers
  - Compare servers to servers/profiles
- Organizational
  - Divide and manage sub-organizations
- Provisioning
  - Initial deployment directly into proven stage
- Maintenance
  - Central controlled package/patch management
- Upgrade
  - Automated Service Pack Migration
  - Automated Major Release Upgrade
SUSE Manager High-Level Architecture
[Diagram: SUSE Customer Center, update channels, custom channels]
SUSE Manager Microsoft SCOM Integration
- Management pack for System Center Operations Manager 2007/2012.
- Provides the SCOM user a single console to manage and update Windows & Linux servers in the datacenter
[Diagram: SUSE Customer Center, SUSE Manager, RHEL update and patch repository, Up2date & YUM, Linux Servers]
SUSE Manager System Components
- Jabber: Instant Deployment
- Cobbler: Bare Metal Provisioning
- API: Scripting, Third-party
- Proxy: Load Balancing, Branches
- SUSE Manager Server: Python, Perl, Java, Tomcat, Apache Application Server; Oracle Database 10g or 11g
- SUSE Manager Server: Python, Java, Tomcat, Apache Application Server; PostgreSQL 9.1
Planning the Installation Requirements
SUSE Manager Hardware Requirements
- x86_64 server only
- Supported virtual environments: KVM, VMware, Hyper-V
- Intel Pentium 4 or later or AMD Opteron or later, 2 GHz, 512K cache or equivalent
  - Recommended: Intel or AMD multi-core processor, 2.4 GHz
- 4 GB of memory
  - Recommended for production use: 16 GB
- 20 GB of free disk space for base installation
  - Additionally at least 25 GB for caching per distribution or channel
- 20 GB of storage for the database
- Separate partition for storing backups
Disk Sizing Requirements
Example: SLES 11 SP2 with SP3 migration
- Base system = 20 GB
- Database = 20 GB
- Channels:
  - SLES 11 SP1 Pool = 4 GB
  - SLES 11 SP1 Updates = 20 GB
  - SLES 11 SP2 Core = 4 GB
  - SLES 11 SP2 Updates = 20 GB
  - SLES 11 SP3 Pool = 4 GB
  - SLES 11 SP3 Updates = 20 GB
  - + appropriate SUSE Manager Tools channels
- = 112 GB
- + <2 Service Packs (~25 GB each) reserve> = ~175 GB disk space
See: https://www.suse.com/support/kb/doc.php?id=7015050
SUSE Manager Supported Client OS
- SUSE
  - SUSE Linux Enterprise Server 12 (x86-64, Power, System Z)
  - SUSE Linux Enterprise Server 11 SP1 to SP3 (x86, x86-64, Itanium, Power, System Z)
  - SUSE Linux Enterprise Server 10 SP3 to SP4 (x86, x86-64, Itanium, Power, System Z)
- Novell
  - Open Enterprise Server 11 SP1
- Red Hat
  - Red Hat Enterprise Linux 5 (x86, x86-64)
  - Red Hat Enterprise Linux 6 (x86, x86-64)
  - Red Hat Enterprise Linux 7 (x86_64)
SUSE Manager Other Important Requirements
- Working DNS
  - You need to have a working DNS environment.
  - At the very least, a maintained /etc/hosts on each involved server.
- Fully Qualified Domain Hostname
  - SUSE Manager Server needs a FQDN to be able to create the self-signed root CA and common server certificate.
  - linux.site is not an option :-)
- Hostname
  - No special characters like underscore!
  - Avoid uppercase letters (can cause jabberd to fail)
- NTP (for jabberd connection)
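A pre-flight check for the naming rules above, as an added example that is not part of the original slides. The function names are hypothetical, and resolution is tested through getent, which consults both DNS and /etc/hosts.

```shell
#!/bin/sh
# Added example: check a planned SUSE Manager server name before installation.
# All function names are hypothetical; the rules are the ones on this slide.
LC_ALL=C; export LC_ALL   # make [A-Z] mean ASCII uppercase only

# hostname_problems NAME -> one line per violated rule, no output if clean
hostname_problems() {
    name=$1
    case $name in
        ""|.*|*.|*..*) echo "empty name or empty label" ;;
        *.*) ;;
        *) echo "not fully qualified: no domain part" ;;
    esac
    case $name in
        linux.site|*.linux.site) echo "linux.site is not a usable domain" ;;
    esac
    case $name in
        *[A-Z]*) echo "uppercase letters (can cause jabberd to fail)" ;;
    esac
    # Anything outside letters, digits, dot and hyphen counts as special.
    case $name in
        *[!A-Za-z0-9.-]*) echo "special character such as underscore" ;;
    esac
}

hostname_ok() {
    [ -z "$(hostname_problems "$1")" ]
}

# name_resolves NAME -> 0 if DNS or /etc/hosts knows the name
name_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# preflight NAME -> 0 only if the name is well-formed and resolves
preflight() {
    rc=0
    problems=$(hostname_problems "$1")
    if [ -n "$problems" ]; then
        printf 'FAIL %s\n%s\n' "$1" "$problems"; rc=1
    fi
    if ! name_resolves "$1"; then
        printf 'FAIL %s does not resolve via DNS or /etc/hosts\n' "$1"; rc=1
    fi
    return "$rc"
}

# Run as: sh preflight.sh suma01.example.com   (constructed sample name)
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it on the server and on at least one client, since the slide requires that every involved system can resolve the name.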
SUSE Manager Port Requirements
Inbound Connections
- 67: Open this port to configure SUSE Manager as a DHCP server for systems requesting IP addresses
- 69: Open this port to configure SUSE Manager as a PXE server and allow installation and re-installation of PXE-boot enabled systems
- 80: WebUI and client requests come in via either http or https
- 443: WebUI and client requests come in via either http or https
- 4545: Monitoring
- 5222: Connect clients with SUSE Manager for pushing actions to clients
- 5269: Connect proxies with SUSE Manager for pushing actions to proxies and clients via proxy
Outbound Connections
- 80: Connecting to SUSE Customer Center
- 443: Connecting to SUSE Customer Center
- 4545: Monitoring
- 5269: Proxies Pushing
SUSE Manager Client Connection Types
[Diagram: SUSE Manager reaches SUSE Customer Center on the Internet through a firewall/proxy on port 443; the connections to managed systems are labelled with ports 22, 443 and 5222]
1. Managed systems (Pull+RHNSD)
2. Managed systems (Pull+OSAD)
3. Managed systems (Push)
4. Managed systems (Push+SSH Tunnel)
SUSE Manager Topologies
SUSE Manager can be set up in multiple ways, depending on a number of factors like the following:
- The total number of client systems to be served by SUSE Manager
- The maximum number of clients expected to connect concurrently to SUSE Manager
- The number of custom packages and channels to be served by SUSE Manager
- The number of SUSE Manager servers used in the customer environment
SUSE Manager Topologies
- Single SUSE Manager Topology
- SUSE Manager Servers Horizontally Tiered
- SUSE Manager + SUSE Manager Proxy
- SUSE Manager + Proxies Vertically Tiered
Setup Process
Deployment of SUSE Manager: Prepare Your Subscriptions
1. Download SUSE Manager from https://download.suse.com
2. Take note of SUSE Manager reg code from Customer Center
3. Take note of org credentials to mirror your SUSE channels
SUSE Manager Setup Phases
- 1st Setup Phase: Setup operating system
  - Language, Keyboard, Root Password, License Agreement, Clock, Timezone, NTP, IP, Proxy, Product Registration
- 2nd Setup Phase: SUSE Manager Setup
  - Migration from Satellite/Spacewalk/SUSE Manager, Notification email, SSL Certificate, Database, Admin Password, Mirror Credentials
- Fueling with Packages
  - Mirror software channels from Customer Center
SUSE Manager Installation Best Practice
- Do some customizing depending on your environment before running second phase
  - Install VMware Tools
  - Install additional agents (Backup/Monitoring/...)
- Manually restart SUSE Manager after registering and updating SUSE Manager (see below): spacewalk-service restart
- Register your SUSE Manager and update the installed packages before running the setup wizard
Register SUSE Manager
[Screenshot with the callout "check this box"]
Update SUSE Manager
1. Log in as root user to the SUSE Manager server.
2. Stop the Spacewalk service: spacewalk-service stop
3. Apply the patch using either zypper patch or YaST Online Update.
4. Upgrade the database schema with spacewalk-schema-upgrade
5. Start the Spacewalk service: spacewalk-service start
SUSE Manager Setup Wizard
1. Log in as root user to the SUSE Manager server.
2. Run the setup wizard: yast2 susemanager_setup
[Screenshot with the callout "check this box"]
Post-Installation Tasks
SUSE Manager First Steps After Installation
- Open SUSE Manager homepage
- Create SUSE Manager Admin (first user)
- Basic Configuration: Admin > SUSE Manager Configuration
  - Enable In-App HTTP Proxy for parent SU.Ma server, if any
    - Do not use protocol prefix in this configuration
    - Example: my.proxy.server:8080
  - Review and Update Bootstrap Script
- Create additional admin users
- Start populating software channels
SUSE Manager Bootstrap Script Basics
- Automates reconfiguration of clients
  - Import custom GPG keys
  - Install SSL certificates
  - Register system to SUSE Manager
  - Perform post-configuration activities
- Master script saved as /srv/www/htdocs/pub/bootstrap/bootstrap.sh
  - Some manual configuration may still be required
  - It is recommended to disable fully_update_this_box
SUSE Manager Generate the Bootstrap Script
SUSE Manager Using Multiple Mirror Credentials
Required in case product entitlements are spread out to multiple Customer Center sites
SUSE Manager Setup Wizard to Mirror Channels
SUSE Manager Things to Remember About Mirroring
- The mirror process is scheduled within the database and runs in the background
- Each software channel synchronization is logged in /var/log/rhn/reposync
- Only one software channel synchronization runs at a time
- To manually start mirroring:
  - spacewalk-repo-sync
  - mgr-ncc-sync
Perform the Initial Configuration: Organizations, System Groups, User Roles
SUSE Manager Organizations Basics
- Single (flat) Organization vs. Multiple Child Organizations
  - Reflects real org hierarchy into SUSE Manager
  - Other scenarios
- Software and System entitlements are added at the Base Organization and then assigned to child Organizations
- Administration of Child Organizations is delegated to other users
- It is recommended to define at least one new organization
  - Assign system and software entitlements
Scenario 1: Multi-Department org
[Diagram: Sub-Organizations]
- Org Admin manages entire org
  - System & group management
  - User creation & management
  - Content management: Sw channels, autoinstall profiles, Config channels, activation keys..
Scenario 2: Multiple 3rd Party orgs
[Diagram: Sub-Organizations]
- Org Admin manages entire org
  - System & group management
  - User creation & management
  - Content management: Sw channels, autoinstall profiles, Config channels, activation keys..
SUSE Manager System Groups
- System group: a group of systems
  - Membership is based on some common attribute
  - Create as many groups as needed
  - Unions and intersections
- Examples
  - Hardware vendor
  - Software stack: LAMP, J2EE, DB, etc.
  - Dev, Test, Prod, etc.
  - Virtualization: VMware, KVM, XEN, HyperV, etc.
  - IT Service: Corporate Site, CRM
SUSE Manager Role Based Access
- SUSE Manager Administrator
- Organization Administrator
- Activation Key Administrator
- Monitoring Administrator
- Configuration Administrator
- Channel Administrator
- System Group Administrator
Configure Activation Keys Register Clients to SUSE Manager
SUSE Manager Register Clients with a Key
[Diagram: an Activation Key connects a Server to Configuration Channels, Software Packages, Software Channels and Server Groups A, B and C]
SUSE Manager Activation Keys
SUSE Manager Activation Keys Best Practice
- Channels to include
  - suse-manager-tools
- Packages to include
  - osad (Pushing Tasks)
    - Will install python-jabberpy and pyxml as dependency
  - rhncfg-actions (Remote Command, Config Mgmt.)
    - Will install rhncfg and rhncfg-client as dependency
  - rhnmd (Monitoring)
SUSE Manager Registering Clients = Bootstrapping
- Create bootstrap scripts on server
  - /srv/www/htdocs/pub/bootstrap
- Register from Client
  - curl -Sks https://server_hostname/pub/bootstrap/bootstrap-edited.sh | /bin/bash
- Register from Server
  - cat /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh | ssh root@client_hostname /bin/bash
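The client-side command above fetches with -k, so the server certificate is not checked before the script runs as root. Added example, not from the original slides: a wrapper that runs the downloaded script only when its SHA-256 matches a digest taken on the server. Function names are hypothetical, and the digest is assumed to reach the client out of band.

```shell
#!/bin/sh
# Added example (not from the slides): run the bootstrap script only if its
# SHA-256 matches a digest taken on the SUSE Manager server, e.g. with
#   sha256sum /srv/www/htdocs/pub/bootstrap/bootstrap-edited.sh
# Function names are hypothetical.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_bootstrap FILE EXPECTED_DIGEST -> 0 match, 1 mismatch, 2 bad input
verify_bootstrap() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not a 64-character hex digest.
    case $expected in
        *[!0-9a-f]*) echo "expected digest is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected digest has wrong length" >&2; return 2; }
    [ -s "$file" ] || { echo "missing or empty file: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi
}

# fetch_and_run URL EXPECTED_DIGEST
fetch_and_run() {
    tmp=$(mktemp) || return 2
    # -k stays because the client does not trust the server CA yet; the
    # digest check, not TLS, is what authenticates the script here.
    if curl -fSsk -o "$tmp" "$1" && verify_bootstrap "$tmp" "$2"; then
        /bin/bash "$tmp"; rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Run as: sh verified-bootstrap.sh URL DIGEST
if [ $# -eq 2 ]; then fetch_and_run "$1" "$2"; fi
```

The digest has to be regenerated on the server whenever bootstrap-edited.sh is changed, otherwise clients will refuse the new version.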
Monitoring
- Executing probes
- Gathering the output of these probes to store in the SUSE Manager database
- Monitoring of systems with SUSE Manager requires:
  - Monitoring service to be enabled on the SUSE Manager server
  - A monitoring agent to be installed and enabled on the clients (rhnmd or sshd)
  - Probes package to be installed on the clients
Backup SUSE Manager
Important Directories
- /rhnsat/
- /root/ssl-build/
- /etc/sysconfig/rhn/
- /etc/dhcp.conf
- /etc/rhn/
- /tftpboot/
- /etc/sudoers
- /var/lib/cobbler/
- /etc/tnsnames.ora
- /var/lib/rhn/kickstarts/
- /srv/www/htdocs/pub/
- /srv/www/cobbler
- /var/spacewalk/packages/1
- /var/lib/nocpulse/
- /root/.gnupg/
Recommendation: /var/spacewalk/
SUSE Manager Backing Up the Database
- Oracle
  - smdba backup-hot
  - Backup is located in /opt/apps/oracle/flash_recovery_area/<uppercase SID>/
- PostgreSQL
  - smdba backup-hot --enable=on --backup-dir=/<dir>
- Restore with: smdba backup-restore force
  - It will select the most recent backup and purge the rest
Links
- https://www.suse.com/products/suse-manager/
- https://www.suse.com/documentation/suse_manager/
- https://wiki.novell.com/index.php/suse_manager
- https://www.suse.com/support/kb/doc.php?id=7012610
- https://www.suse.com/support/update/
- https://download.suse.com/patch/finder/
- http://support.novell.com/security/cve/index.html
- http://cve.mitre.org/
It's SHOWTIME! Thank you.
Appendix
Software Channels
SUSE Manager Software Channel Rules
- Base/Parent Channels
  - Each client system will be assigned to one parent channel
  - Base/Parent channels represent main installation media
- Child Channels
  - A parent channel can have multiple child channels
  - A child channel is assigned to one parent channel
  - Child channels typically contain additional third-party packages, own packages and updates
- Repositories
  - Importing YUM repositories and assigning them to channel(s)
Package and Patch Management
Concepts
- Software package
  - Pre-packaged software, incl:
    - Executables
    - Configuration
    - Scripts (install, remove etc.)
    - Data
  - Contains references to:
    - Vendor
    - Dependencies
    - Vendor support level
- Patch
  - Functional defect
  - Vulnerability
  - Urgency categories: Security, Bug fix, Enhancement
  - Relates to:
    - Bugzilla issue
    - CVE number
  - 1:many relationship to packages
Understand Staging of Software Channels
Patch Staging Support
- Vendor Software Channel: as is from vendor, no changes
- Development: frozen vendor channel, changes possible
- Testing: frozen development channel, changes possible
- Production: frozen testing channel, changes possible
Clone Channels Custom Channels
Clone Channels
- Are custom channels
- Used to provide software at a certain stage
- Avoid sync
- Development > Testing > Production cycle
- Do not space for repositories
- Can be cloned in 3 ways:
  - Current state of the channel
  - Original state of the channel
  - Select patches
Locked Channels: spacewalk-clone-by-date
- Included in spacewalk-utils.rpm
- Create clones of software channels based on a point in time
- Clones all the patches up to a given date
- Runs a dependency resolution routine to add in any missing packages!
Patch Lifecycle Management: spacewalk-manage-channel-lifecycle
- Included in spacewalk-utils.rpm
- Creates dev, test and prod cloned channels by default
- Once the patches have been validated in the dev environment, you can promote these patches into the prod env with --promote
Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.