SUSE Template Jan 2014 V2 Ks


SUSE Manager
TUT17530 Patching / Troubleshooting / Best Practices

Jack Hodge, GTS Backline Engineer, Jack.Hodge@suse.com
Sascha Weber, Technical Support Engineer, SaWeber@suse.com
Jeff Price, Principal Architect, JPrice@suse.com

Summary – Installation & Patching
- Evaluation Keys & ISO download
- Licensing overview
- Installation of SUSE Manager Appliance
    /var/log/susemanager_setup.err
    /var/log/susemanager_setup.log
- Requirements (RAM, disc space, etc.)
- Installation of patches
- Database schema upgrade
- Installation of PTF (Program Temporary Fix)
- How to run SQL files provided by R&D
- Adding products / repositories
- Custom channels / Clones / Clone-by-date
- Activation keys / bootstrap script

Summary – Troubleshooting
- Debugging SUSE Manager (spacewalk-debug)
- Architecture overview / important log files
- Apache2 (access.log / error.log) vs. Tomcat (catalina.out) vs. rhn (rhn_server_xmlrpc.log)
- /etc/rhn/rhn.conf
- OSAD vs. SSH push
- jabberd
- Repo-sync
- Apache tuning (/etc/apache2/server-tuning.conf)
- Taskomatic
- Configuration Management
- cobbler

Summary – Best Practices
- PostgreSQL database backup (smdba backup-hot)
- How to tune PostgreSQL database with pgtune
- Lifecycle Management (patch archive, clone-by-date, etc.)
- SUSE Customer Center migration
- Using multiple mirror credentials
- Service Pack Migration
- Synching channels from SMT
- SUSE Manager Proxy
- SUSE Manager Inter-Server Synchronization

SUSE Manager - Patching

Evaluation Key
- https://www.suse.com/products/suse-manager/
- SUSE Customer Center Account needed
- https://scc.suse.com/login

Download ISO Images
https://download.suse.com/index.jsp

Licensing overview -buy/

How to register
- During installation in GUI:
- Command line:
    suse_register -a email=<email> -a regcode-sms=<reg-code>

SUSE Manager - Requirements
https://www.suse.com/documentation/suse_manager/book_susemanager_install/data/ch-installation.html

SUSE Manager – Ports to open

SUSE Manager – Patching & Database schema upgrade
- Stop services via spacewalk-service stop
- via YaST online update
- via zypper: run zypper patch twice
- If the update contained a PostgreSQL update it is necessary to restart PostgreSQL before starting the schema update:
    rcpostgresql restart
- Perform database schema upgrade via:
    spacewalk-schema-upgrade
- Start services via spacewalk-service restart
Please note: If a kernel update was part of the patching process, a reboot is always necessary.

SUSE Manager – PTF installation & SQL execution
https://www.suse.com/support/kb/doc.php?id=7016640
- PTF = Program Temporary Fix
- Download the RPMs and install these via rpm -Fvh
- Restart services via spacewalk-service restart
- Run mgr-sync refresh
- In case R&D has provided you with a SQL script, please execute it via spacewalk-sql --select-mode
- If you got a file:
    spacewalk-sql --select-mode file.sql
- If you have a SQL statement:
    spacewalk-sql --select-mode - <<< "select * from pg_stat_activity;"
Important: do not miss the trailing “-”

SUSE Manager – Adding products/channels
- mgr-sync add product or mgr-sync add channel
- Using the Web-Interface: Admin > Setup Wizard > SUSE Products:

SUSE Manager – Custom channels / clones / clone-by-date
- spacewalk-manager-channel-lifecycle
- spacecmd softwarechannel_clone
- spacecmd softwarechannel_clonetree
- Web-Interface: Channels > Manage Software Channels
- spacewalk-clone-by-date (part of spacewalk-utils package)

SUSE Manager – Activation Keys
https://wiki.microfocus.com/index.php/SUSE_Manager/System_Activation_Keys
- Avoid using the “SUSE Manager Default” parent channels
- Create one Activation key per distribution & architecture
- Create bootstrap script/Activation Key "pairs" - designed to work together for proper channel, group, and config assignments
- Web Interface: Systems > Activation Keys:

SUSE Manager – Activation Keys
Use something “human readable” for the Key:

SUSE Manager – Activation Keys continues
- Select the corresponding “Child Channels”, these should contain (for SLES sSLES12-Updates
- Make sure to add additional packages as needed:

SUSE Manager – Bootstrap
- mgr-create-bootstrap-repo
- Make sure to re-run this command from time to time (or create a cron job). SUSE Manager 3 will do this itself when there is an update
- Check in path /srv/www/htdocs/pub/repositories/
- mgr-bootstrap to create a new bootstrap script:
    mgr-bootstrap --activation-keys=KEY1,KEY2 \
      --gpg-key=/srv/www/htdocs/pub/MY_CORPORATE_PUBLIC_KEY \
      --allow-config-actions --allow-remote-commands
- Make sure the bootstrap script contains the needed GPG keys:
    ORG_GPG_KEY=9DB7C82.key
- The bootstrap scripts are stored in /srv/www/htdocs/pub/bootstrap
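
The check that a bootstrap script carries the needed GPG key, together with a look at the options mgr-bootstrap was given, can be automated. The Python below is an added example, not part of the slides or of SUSE Manager; it assumes the script holds its settings as unindented NAME=value lines (ACTIVATION_KEYS, ORG_GPG_KEY, USING_SSL, USING_GPG, ALLOW_CONFIG_ACTIONS, ALLOW_REMOTE_COMMANDS), the function names are hypothetical, and the sample content is constructed.

```python
import re
import sys

# Constructed sample: settings block of a bootstrap script. Values are made up.
SAMPLE_BOOTSTRAP = """\
#!/bin/bash
ACTIVATION_KEYS=1-sles12-x86_64
ORG_GPG_KEY=
USING_SSL=1
USING_GPG=0
ALLOW_CONFIG_ACTIONS=1
ALLOW_REMOTE_COMMANDS=1
if [ $USING_SSL -eq 1 ] ; then
    ORG_GPG_KEY=ignored-because-indented
fi
"""

# Assumption of this example: only unindented NAME=value lines are settings.
ASSIGNMENT = re.compile(r"^([A-Z][A-Z0-9_]*)=(.*)$")


def parse_bootstrap(text):
    """Return the first top-level assignment of each variable."""
    settings = {}
    for line in text.splitlines():
        match = ASSIGNMENT.match(line)
        if match and match.group(1) not in settings:
            value = re.sub(r"\s+#.*$", "", match.group(2)).strip()
            settings[match.group(1)] = value.strip("\"'")
    return settings


def audit_bootstrap(text):
    """Return (variable, severity, message) tuples for settings worth a look."""
    s = parse_bootstrap(text)
    findings = []
    if not s.get("ACTIVATION_KEYS"):
        findings.append(("ACTIVATION_KEYS", "error",
                         "no activation key is paired with this script"))
    if s.get("USING_SSL") != "1":
        findings.append(("USING_SSL", "error", "SSL is not enabled"))
    if s.get("USING_GPG") != "1":
        findings.append(("USING_GPG", "error", "GPG checking is not enabled"))
    if not s.get("ORG_GPG_KEY"):
        findings.append(("ORG_GPG_KEY", "error", "no GPG key file is listed"))
    for flag, effect in (("ALLOW_CONFIG_ACTIONS", "deploy configuration files to"),
                         ("ALLOW_REMOTE_COMMANDS", "run remote commands on")):
        if s.get(flag) == "1":
            findings.append((flag, "review",
                             "server may %s these clients" % effect))
    return findings


if __name__ == "__main__":
    # Audit the files named on the command line, or the constructed sample.
    for path in sys.argv[1:] or [None]:
        text = open(path).read() if path else SAMPLE_BOOTSTRAP
        for name, severity, message in audit_bootstrap(text):
            print("%s: [%s] %s: %s" % (path or "sample", severity, name, message))
```

Run it against the scripts under /srv/www/htdocs/pub/bootstrap after each mgr-bootstrap call; "review" entries are not errors, they list what the server is allowed to do on clients registered with that script.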

SUSE Manager - Troubleshooting

SUSE Manager – Debugging SUSE Manager
- spacewalk-debug
  This tool collects several pieces of information and stores them in a tarball at /tmp/spacewalk-debug.tar.bz2
  For SLES 11 SP3 and greater / SLES 12 the spacewalk-debug is part of the supportconfig utility
- Set debug level in /etc/rhn/rhn.conf:
    debug = 5
- To debug spacewalk-repo-sync problems:
    export URLGRABBER_DEBUG=DEBUG
    /usr/bin/spacewalk-repo-sync --channel <channel-label> --type yum
- To disable the debug mode of spacewalk-repo-sync:
    unset URLGRABBER_DEBUG

SUSE Manager – Architecture overview – important log files
https://www.suse.com/documentation/suse_manager/singlehtml/book_susemanager_install/book_susemanager_install.html#tb-log-files
- Apache config files: /etc/apache2/conf.d/*.conf
- Apache log ccess.log
- Tomcat config file: /etc/apache2/conf.d/zz-spacewalk-www.conf
- Tomcat log out
- Client-Server communication: /var/log/rhn/rhn_server_xmlrpc.log

SUSE Manager – rhn.conf
- Main SUSE Manager config file is /etc/rhn/rhn.conf
- Set debug levels (e.g. debug = x / osa-dispatcher.debug = 5)
- Adjust taskomatic memory (taskomatic.maxmemory = 4096)
- If you used embedded or external database, rhn.conf will keep the connection details:
    db_backend = postgresql
    db_user = susemanager
    db_password = ***
    db_name = susemanager
    db_host = localhost
    db_port = 5432
- Forwarding registrations to SCC / NCC:
    server.susemanager.forward_registration = 0

SUSE Manager – OSAD
- OSAD requires all clients to have different credentials in /etc/sysconfig/rhn/osad-auth.conf
- On a cloned system, make sure to delete the NCC credentials file first (/etc/zypp/credentials.d)
- Do not install the osad package on the SUSE Manager but only on the client side
    osad on the client side
    osa-dispatcher on the server side
- Config files are
    Client: /etc/sysconfig/rhn/up2date & /etc/sysconfig/rhn/osad.conf
    Server: osa-dispatcher is configured via /etc/rhn/rhn.conf

SUSE Manager – jabberd
- If jabberd services fail to start (during spacewalk-service restart):
    Starting spacewalk services.
    Initializing jabberd processes.
    Starting router                                                    done
    Starting sm startproc: exit status of parent of /usr/bin/sm: 2     failed
    Terminating jabberd processes.
- Simply delete the jabberd database:
    spacewalk-service stop
    rm -Rf /var/lib/jabberd/db/*
    spacewalk-service start

SUSE Manager – SSH Server Push
- For tunneling connections via SSH, two available high port numbers (> 1024) are needed: one is for tunneling HTTP and one for HTTPS (default 1232 and 1233)
- In order to overwrite these, edit values in /etc/rhn/rhn.conf:
    ssh_push_port_http = high port 1
    ssh_push_port_https = high port 2
- By default only 2 simultaneous SSH sessions are initiated. For larger environments the number of sessions can be changed with the following option in /etc/rhn/rhn.conf:
    taskomatic.ssh_push_workers = 10

SUSE Manager – Repo-sync
- spacewalk-repo-sync is scheduled by taskomatic
- Channel sync logs are in /var/log/rhn/reposync
- Taskomatic log is in /var/log/rhn/rhn_taskomatic_daemon.log
- To troubleshoot repo-sync problems it is very helpful to view the HTTP protocol. To achieve this:
    export URLGRABBER_DEBUG=DEBUG
- To manually start repo-sync:
    /usr/bin/spacewalk-repo-sync --channel <channel-label> --type yum
- To disable the debug mode of spacewalk-repo-sync:
    unset URLGRABBER_DEBUG

SUSE Manager – PostgreSQL & Apache tuning
- Only do this if the host has enough memory. Can cause other performance issues!
- Check your # of connections:
    rhn-db-stats /tmp/db-stats.log
    cat /tmp/db-stats.log | grep max_connections
- Increase number of connections with pgtune:
    /usr/bin/pgtune -T Mixed -c 200 -i postgresql.conf -o postgresql.conf.pgtune
- Restart postgres with rcpostgresql restart
- In /etc/apache2/server-tuning.conf:
    ServerLimit 200
    # max number of server processes
    MaxClients 200
    # max number of requests a server process serves

SUSE Manager – PostgreSQL & Apache tuning
- By default taskomatic (the central scheduler for all actions within SUSE Manager) reserves 2 GB of memory.
- In most environments this is simply not enough. As an easy rule: 50% of the available memory should be allocated.
- To allocate more RAM to the taskomatic scheduler edit /etc/rhn/rhn.conf and add:
    taskomatic.maxmemory = 4096
- Memory recommendations:
    Less than 100 systems connecting to SUSE Manager: 8 GB
    Between 100 and 200 systems: 12 GB
    Above 200 systems: 16 GB
    When planning to use RedHat Expanded Support: 16 GB
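
The rhn.conf settings from the troubleshooting slides (debug levels, SSH push ports, taskomatic.maxmemory and the 50% rule, the database password) can be checked in one pass. The Python below is an added example, not part of the slides or of SUSE Manager; the function names are hypothetical, the normal debug level of 1 is an assumption, the 50% rule is applied to total RAM, and the sample file content is constructed.

```python
import re

# Constructed sample of /etc/rhn/rhn.conf; every value here is made up.
SAMPLE_RHN_CONF = """\
# left over from a troubleshooting session
debug = 5
osa-dispatcher.debug = 5
taskomatic.maxmemory = 2048
db_backend = postgresql
db_user = susemanager
db_password = s3cr3t-example
db_host = localhost
ssh_push_port_http = 880
ssh_push_port_https = 1233
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*=\s*(.*?)\s*$")
TASKOMATIC_DEFAULT_MB = 2048  # taskomatic "reserves 2 GB" by default per the slides


def parse_rhn_conf(text):
    """Parse 'key = value' lines, skipping comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match:
            conf[match.group(1)] = match.group(2)
    return conf


def to_int(value, default):
    """Return value as an int, or default when it is not a plain number."""
    return int(value) if value.isdigit() else default


def audit_rhn_conf(text, total_ram_mb, normal_debug=1):
    """Return (key, message) findings; normal_debug is an assumed baseline."""
    conf = parse_rhn_conf(text)
    findings = []
    for key in sorted(conf):
        if key == "debug" or key.endswith(".debug"):
            if to_int(conf[key], 0) > normal_debug:
                findings.append((key, "debug level %s still set" % conf[key]))
    maxmem = to_int(conf.get("taskomatic.maxmemory", ""), TASKOMATIC_DEFAULT_MB)
    if maxmem < total_ram_mb // 2:
        findings.append(("taskomatic.maxmemory",
                         "%d MB is below the 50%% rule (%d MB)"
                         % (maxmem, total_ram_mb // 2)))
    for key in ("ssh_push_port_http", "ssh_push_port_https"):
        if key in conf and to_int(conf[key], 0) <= 1024:
            findings.append((key, "SSH push needs a high port (> 1024)"))
    return findings


def redact_secrets(text):
    """Mask db_password so the file can be shared, e.g. in a support case."""
    return re.sub(r"(?m)^(\s*db_password\s*=\s*).*$", r"\g<1>***", text)


if __name__ == "__main__":
    # 16384 MB of RAM is a constructed figure for the sample run.
    for key, message in audit_rhn_conf(SAMPLE_RHN_CONF, total_ram_mb=16384):
        print("%s: %s" % (key, message))
    print(redact_secrets(SAMPLE_RHN_CONF))
```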

SUSE Manager – Best Practices

SUSE Manager – PostgreSQL database backup – restoring backup
- If the backup is running correctly you should now have the following files in /mnt/backup:
    -rw------- 1 postgres postgres   16777216 Sep 13 09:46 000000010000001000000035
    -rw------- 1 postgres postgres   16777216 Sep 14 01:36 000000010000001000000039
    -rw------- 1 postgres postgres   16777216 Sep 15 05:18 000000010000001000000040
    -rw------- 1 postgres postgres   16777216 Oct  5 02:23 000000010000001000000041
    -rw-r--r-- 1 postgres postgres 1464526433 Jul 22 12:51 base.tar.gz
    drwxr-xr-x 2 postgres postgres       4096 Jul 22 12:35 database
    drwx------ 2 postgres postgres       4096 Jul 22 12:51 tmp
- Use smdba backup-restore to restore to an earlier point in time.
- To restore the backup, proceed as follows:
    Shutdown the database: smdba db-stop
    Start the restore process: smdba backup-restore start
    Restart the database: smdba db-start
    smdba backup-restore force

SUSE Manager – PostgreSQL database backup (smdba backup-hot)
- Backup is not automatically active
- Allocate permanent space (on remote storage if needed), e.g.: /mnt/backup
- This directory should always be the same, do not change
- Create a directory with the correct permissions:
    sudo -u postgres mkdir /mnt/backup/database
  Alternatively as root:
    install -d -o postgres /mnt/backup/database
  Or:
    mkdir /mnt/backup/database && chown postgres:postgres /mnt/backup/database
- For the first time run:
    smdba backup-hot --enable=on --backup-dir=/mnt/backup
- Perform hot backup:
    smdba backup-hot --backup-dir=/mnt/backup/database

SUSE Manager – How to tune PostgreSQL database with pgtune
- We have the tool pgtune installed on SUSE Manager.
    Usage: pgtune [options]
    Options:
      -M TOTALMEMORY, --memory TOTALMEMORY
            Total system memory, will attempt to detect if unspecified
      -c CONNECTIONS, --connections CONNECTIONS
            Maximum number of expected connections, default depends on database type
- So if you want to increase the number of connections:
    /usr/bin/pgtune -T Mixed -c 1500 -i postgresql.conf -o postgresql.conf.pgtune
- Recommended values for number of connections are either 200 or 400.
- Stop all spacewalk services and the database, then swap the configuration files and start everything again:
    spacewalk-service stop && rcpostgresql stop
    mv postgresql.conf postgresql.conf.bak
    mv postgresql.conf.pgtune postgresql.conf
    rcpostgresql start && spacewalk-service start

SUSE Manager – SUSE Customer Center migration
To be able to get access to the SLES 12 repos you have to migrate from NCC to SCC (SUSE Customer Center). There are two options available:
- mgr-ncc-sync --enable-scc
- Web Interface: Admin > SUSE Manager Configuration

SUSE Manager – Multiple Mirror Credentials
With SUSE Manager 2.1 the handling of multiple mirror credentials does not happen in /etc/rhn/rhn.conf anymore. There are two ways now:
- mgr-sync list credentials
  mgr-sync add credentials
  mgr-sync remove credentials
- Using the Web-Interface: Admin > Setup Wizard > Mirror Credentials:

SUSE Manager – Service Pack Migration
- Supported migration paths are:
    SLES 11 SP1 -> SLES 11 SP2 -> SLES 11 SP3 -> SLES 11 SP4
    SLE 10 SP2 -> SLE 10 SP3 -> SLE 10 SP4
- Service Pack migration can be done via the Web-Interface: Systems > select a system > Software > SP Migration:

SUSE Manager – Synching channels from local SMT
- In the Web-Interface, create new repository pointing to SMT repo:
- Add this repo to a (custom) channel

SUSE Manager – SUSE Manager Proxy
Requirements
- 64bit multicore processor
- 16 GB Memory recommended in production environments
- 20 GB Minimum free disk space
- Additional disk space required depends on amount of channels cached from SUSE Manager Server
- NTP
Installation
- Installed as an appliance
- Registration to the SUSE Manager Server via bootstrapping
- Proxy Servers can be tiered:
    SUSE Manager Server -> Proxy 1 (California) -> Proxy 2 (L.A.) -> Proxy 3 (Server Farm 1)
    Proxy 1 bootstrapped to SUSE Manager Server
    Proxy 2 bootstrapped to Proxy 1
    Proxy 3 bootstrapped to Proxy 2

SUSE Manager – SUSE Manager Proxy
Benefits
- Efficiency and bandwidth
- Offload file updates taking load off of SUSE Manager Server
- Packages are delivered significantly faster over a local area network
- 2000 - 5000 Clients per SUSE Manager Proxy Server
- Scalability
- Proxy Servers can be built from inexpensive hardware and/or VMs
Troubleshooting
- Slow file performance, missing files, etc
- Clear the proxy cache:
    spacewalk-proxy stop
    rm -rf /var/cache/squid/*
    squid -z
    spacewalk-proxy start

SUSE Manager – SUSE Manager Proxy
Troubleshooting (cont.)
- Metadata errors
- Disable caching of metadata on proxy: edit the file /etc/squid/squid.conf on the proxy and change the following line:
    refresh_pattern /XMLRPC/GET-REQ/.*/repodata/.*\.xml.* 0 1% 525960
  to
    refresh_pattern /XMLRPC/GET-REQ/.*/repodata/.*\.xml.* 0 0% 0
  * Note: This will cause increased network traffic
- Check NTP settings

SUSE Manager – Inter-Server Synchronization
https://www.suse.com/documentation/suse_manager/book_susemanager_install/data/s1-sync-iss.html
- Web interface: Admin > ISS Configuration > Master Setup
- Slave Fully Qualified Domain Name
- Allow Slave to Sync? Choosing this field will allow the slave SUSE Manager to access this master
- Sync all orgs to Slave? Checking this field will synchronize all organizations to the slave SUSE Manager.

SUSE Manager – Inter-Server Synchronization Continued
- Perform the corresponding steps on the Slave
- Use mgr-inter-sync command to sync channels:
    sumaslave: # mgr-inter-sync -l
    19:25:35 SUSE Manager - live synchronization
    19:25:35    url: https://suma21.weber.dus
    19:25:35    debug/output level: 1
    19:25:35    db: susemanager/<password>@susemanager
    19:25:36    sles12-pool-x86_64:
    19:25:36       . sle-manager-tools12-pool-x86_64       34   full import from Wed Sep 16 04:56:22 2015
    19:25:36       . sle-manager-tools12-updates-x86_64    77   full import from Wed Sep 16 04:56:23 2015
    19:25:36       . sle-sdk12-pool-x86_64               2290   full import from Tue Sep 15 04:56:38 2015
    19:25:36       . sle-sdk12-updates-x86_64             536   full import from Wed Sep 16 04:56:21 2015
    19:25:36       . sle-we12-pool-x86_64                 926   full import from Wed Sep 16 04:56:22 2015
    19:25:36       . sle-we12-updates-x86_64              278   full import from Wed Sep 16 04:56:22 2015
    19:25:36       . sles12-updates-x86_64               1348   full import from Wed Sep 16 04:56:22 2015
- To add channel run mgr-inter-sync -c channelname
- Enable the inter-server synchronization in the /etc/rhn/rhn.conf:
    disable_iss = 0
- Make sure to restart httpd service: service httpd restart

Advanced Patch Lifecycle Management

SUSE Manager – Motivation
Advanced Patch Lifecycle Management
- Most company security policies are based on a public, published regulation that requires “compliance”
- Compliance normally dictates a process of “proofs” or approved exceptions – aka compensating controls
- The process of proof requires a flexible tool, a documented and repetitive set of procedures, and people to perform them

SUSE Manager - Common Requests
Advanced Patch Lifecycle Management
There are some common requests from our customers. “How can I ...?”
- Automatically create and archive “patch sets” by quarter (or any other time period).
- Leverage a consistent method of patch promotion and delivery through numerous landscapes and environments.
- Develop an exception process for handling patches that need to be excluded from a patch cycle.
- Create a test/lab environment using historical patch sets.
- Remove the need of host channel subscription manipulation from cradle-to-grave.
- Do service-pack migration using my own custom child channels and current patch sets.

SUSE Manager – How do you roll-out?
Advanced Patch Lifecycle Management
- Most companies have “landscapes” like DEV, TEST, QA, UAT, Pre-Prod, Sandbox, or similar
- Patch deployment often requires a vetting process to validate effectiveness and reduce risk
- This is typically – deploy, evaluate and promote.
Rinse & Repeat

SUSE Manager – Process Flow
Advanced Patch Lifecycle Management

SUSE Manager – Channel Sets
Advanced Patch Lifecycle Management
Here is an example “Channel Set”:
    Base : SLES 12 Pool for x86_64
    DEV - Current Patch Set - SLES 12 Updates for x86_64
    QA - Current Patch Set - SLES 12 Updates for x86_64
    PROD - Current Patch Set - SLES 12 Updates for x86_64
    Patch Exceptions - SLES 12 x86_64
    Security ASAP Exceptions - SLES 12 x86_64
They can be clone-sets of the SUSE Channels - including a prefix - like a company name.
Repeat for each version of SLES you have.

SUSE Manager – Channel Sets (cont.)
Advanced Patch Lifecycle Management
From the UI:

SUSE Manager – The Missing Link
Advanced Patch Lifecycle Management
The “Merge” Command:

    #!/usr/bin/python
    # Python 2 script: merges all packages and errata from a SOURCE channel
    # into a TARGET channel through the SUSE Manager XML-RPC API.
    import xmlrpclib
    import sys
    import getpass

    MANAGER_URL = "https://suma01.chameleoncorp.com/rpc/api"
    MANAGER_LOGIN = raw_input("Please Enter the SUSE Manager Login Name: ")
    # getpass keeps the password off the screen and out of the shell history
    MANAGER_PASSWORD = getpass.getpass("Please Enter the Password: ")
    MERGE_SOURCE = raw_input("Enter the SOURCE channel label to Merge FROM: ")
    MERGE_TARGET = raw_input("Enter the TARGET channel label to Merge INTO: ")

    print("This tool is going to take all packages and errata from the SOURCE")
    print("Channel : " + MERGE_SOURCE)
    print("and merge it into the TARGET ")
    print("Channel : " + MERGE_TARGET)

    client = xmlrpclib.Server(MANAGER_URL, verbose=0)
    key = client.auth.login(MANAGER_LOGIN, MANAGER_PASSWORD)
    # merge the packages first, then the errata that reference them
    client.channel.software.mergePackages(key, MERGE_SOURCE, MERGE_TARGET)
    client.channel.software.mergeErrata(key, MERGE_SOURCE, MERGE_TARGET)
    client.auth.logout(key)

SUSE Manager – More Info
Advanced Patch Lifecycle Management
Grab a copy of the new document: “Advanced Patch Lifecycle Management with SUSE Manager”
Full Descriptions, Examples, Scripts, Automation, PICTURES!!, etc.

More System Management @SUSECon
- CAS18158: How to use SUSE Manager and CVEs
- FUT20721: SUSE Manager Roadmap
- HO20098: Install and Configure SMT and SUSE Manager for Dummies
- TUT18400: Architecting your SUSE Manager Deployment
- TUT20514: SaltStack and SUSE
- TUT20516: Using SUSE Manager in Heterogeneous Environments
- TUT20829: Implementation of a SUSE-based Solution with SUSE Manager at Apollo-Optik

QUESTIONS?
Thank you.

Corporate Headquarters
Maxfeldstrasse 5
90409 Nuremberg
Germany
+49 911 740 53 0 (Worldwide)
www.suse.com
Join us on:
www.opensuse.org

Unpublished Work of SUSE LLC. All Rights Reserved.
This work is an unpublished work and contains confidential, proprietary and trade secret information of SUSE LLC. Access to this work is restricted to SUSE employees who have a need to know to perform tasks within the scope of their assignments. No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of SUSE. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.

General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. SUSE makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. The development, release, and timing of features or functionality described for SUSE products remains at the sole discretion of SUSE. Further, SUSE reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All SUSE marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
