SuSE Manager

From Lolly's Wiki
Latest revision as of 09:50, 23 November 2022



Channels

Refresh channel list

# mgr-sync refresh

List available channels

# mgr-sync list channels

Add Channel

# mgr-sync add channel <channel>

Delete Channel

# spacewalk-remove-channel -c <channel>

Create a frozen channel

Clone a channel tree (a clone is effectively a snapshot of the channel's current package set) and append a timestamp to the name:

# spacecmd softwarechannel_clonetree -s '<source channel or pool>' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"

e.g.:

# spacecmd softwarechannel_clonetree -s 'sles12-sp3-pool-x86_64' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"

will result in a new, frozen channel named e.g. sles12-sp3-pool-x86_64-2017-11-22_14:26:42

Compose your own channel

# spacecmd
spacecmd {SSM:0}> softwarechannel_create -n OpenSuSE -l opensuse -a x86_64 -c sha256

spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp2-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP2/
spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp3-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP3/

spacecmd {SSM:0}> repo_list
opensuse-database-sles12-sp2-x86_64
opensuse-database-sles12-sp3-x86_64

spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp2-x86_64
spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp3-x86_64

spacecmd {SSM:0}> quit
# spacewalk-repo-sync -c opensuse

Bootstrap

Create bootstrap repo

Do it for each channel!

# mgr-create-bootstrap-repo

Create bootstrap shell scripts in /srv/www/htdocs/pub/bootstrap

Do not forget to look up the available activation keys first:

# spacecmd -s susemanager.server.de -u mytestuser -q  activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-default
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64
6-sles12-sp4-x86_64
6-sles12-sp5-x86_64
6-sles15-sp0-x86_64
6-sles15-sp1-x86_64
6-sles15-sp2-x86_64
# mgr-bootstrap --traditional --script=My-New-SLES11-SP4.sh --activation-keys=6-sles11-sp4-x86_64

Activation keys

List available activation keys

web: Systems -> Activation Keys

# spacecmd -q activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64

spacecmd

Just some useful spacecmd commands:

# spacecmd system_list

rhn-search

Clean up the search index

# rhn-search cleanindex


Troubleshooting

Clients

Error code: Curl error 59 / Error message: failed setting cipher list: DEFAULT_SUSE

# zypper refresh
...
Error code: Curl error 59
Error message: failed setting cipher list: DEFAULT_SUSE
...

The reason is that zypper in newer versions calls curl with a specific cipher list named "DEFAULT_SUSE" which is not defined in curl version 7.37.0-37.17.1 (version 7.37.0-28.1 is OK).


Now add any repository that belongs to your installed SuSE release, e.g. the ISO this system was installed from:

# zypper addrepo --check --type yast2 'iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso' 'SLES12-SP2-12.2-0'
Adding repository 'SLES12-SP2-12.2-0' ...........................................................................................................[done]
Repository 'SLES12-SP2-12.2-0' successfully added
Enabled     : Yes                                                                      
Autorefresh : No                                                                       
GPG Check   : Yes                                                                      
Priority    : 99                                                                       
URI         : iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso

or enable it:

# zypper modifyrepo --enable SLES12-SP2-12.2-0

Reinstall the curl packages in the old version from the ISO, which still accepts the cipher list DEFAULT_SUSE (the glob is quoted so the shell does not expand it against files in the current directory):

# zypper install --force --repo SLES12-SP2-12.2-0 $(rpm --query --all '*curl*' --queryformat '%{NAME} ')

And disable the ISO repository:

# zypper modifyrepo --disable SLES12-SP2-12.2-0

Done.

Note: After some further debugging we found that the system library path caused the wrong OpenSSL library to be loaded.
# curl --version ; zypper --version
curl 7.37.0 (x86_64-suse-linux-gnu) libcurl/7.37.0 OpenSSL/1.0.2h zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
zypper 1.13.40

In our version of curl it should be OpenSSL/1.0.2j.

# rpm -qv openssl
openssl-1.0.2j-60.24.1.x86_64
# openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.2j-fips  26 Sep 2016 (Library: OpenSSL 1.0.2h-fips  3 May 2016)

Ha! OK... then, after looking at the system library path, we got a clue ;-):

# ldconfig -p | grep ssl
	libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/nsr/lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6) => /usr/lib/nsr/libssl.so.1.0.0
	libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
	libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
	libcommonssl.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl.so
	libcommonssl.so (libc6) => /usr/lib/nsr/libcommonssl.so
	libcommonssl-9.2.1.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl-9.2.1.so

The problem was a file in /etc/ld.so.conf.d/ which put /usr/lib/nsr/lib64 into the system library path, where another libssl.so.1.0.0 (version 1.0.2h) was found before the system's own one. OK. What to do?

# rm /etc/ld.so.conf.d/problematic.conf
# rm /etc/ld.so.cache
# ldconfig

Check the success:

# ldconfig -p | grep ssl
	libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
	libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
	libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5

Now you just have to find a way to get your other software running without manipulating the system library path.

Last check for our case: does our NetWorker use its own SSL libraries?

# ls -al /proc/$(pgrep  --full /usr/sbin/nsrexecd)/map_files | egrep "lib(ssl|crypto)"
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bb73000-7f9d1bdc7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bdc7000-7f9d1bec7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bec7000-7f9d1bef3000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bfab000-7f9d1c00c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c00c000-7f9d1c10c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c10c000-7f9d1c116000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0

Yep. Great!
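To catch this kind of library shadowing before a client breaks, and to repeat the nsrexecd check from above in a reusable form, here is an added script that is not part of the wiki page. It runs the duplicate-soname check on a sample constructed from the ldconfig -p listing above so it works offline; the function names and the --live switch are assumptions.

```sh
#!/bin/sh
# Added example, not from the wiki page: report shared libraries that the
# loader cache resolves to more than one file (how /usr/lib/nsr/lib64's
# libssl.so.1.0.0 ended up in front of /lib64's copy), list loader search
# directories that do not belong to the distribution, and show which
# libssl/libcrypto files a running process has actually mapped.

# Sample input, constructed from the `ldconfig -p` listing in the text above.
sample_ldconfig() {
  cat <<'EOF'
	libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/nsr/lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6) => /usr/lib/nsr/libssl.so.1.0.0
	libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
	libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
	libcommonssl.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl.so
EOF
}

# Reads `ldconfig -p` lines on stdin and prints one line per soname/ABI pair
# that maps to several files. ldconfig lists entries in search order, so the
# first path is the one every program without its own RPATH will load.
shadowed_libs() {
  awk '
    $3 == "=>" {
      key = $1 " " $2
      n[key]++
      paths[key] = paths[key] (n[key] > 1 ? " shadows " : "") $4
    }
    END { for (k in n) if (n[k] > 1) print k ": " paths[k] }
  ' | sort
}

# Reads the directories from ld.so.conf / ld.so.conf.d/* on stdin and prints
# those that are not a distribution library directory, i.e. the candidates
# for the "problematic.conf" of the text above.
nonstandard_ld_dirs() {
  sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' |
  while IFS= read -r dir; do
    case "$dir" in
      /lib|/lib64|/usr/lib|/usr/lib64|/usr/local/lib|/usr/local/lib64) ;;
      include*) ;;   # nested "include" directives are not directories
      *) printf '%s\n' "$dir" ;;
    esac
  done
}

# Libraries a running process has mapped; same question as the
# /proc/<pid>/map_files check above, read from /proc/<pid>/maps instead.
mapped_ssl_libs() {
  # usage: mapped_ssl_libs <pattern for pgrep -f>, e.g. /usr/sbin/nsrexecd
  pid=$(pgrep -f "$1" | head -n 1)
  [ -n "$pid" ] || return 1
  awk '$6 ~ /lib(ssl|crypto)/ { print $6 }' "/proc/$pid/maps" | sort -u
}

audit_live_system() {
  echo "== sonames with more than one candidate =="
  ldconfig -p | shadowed_libs
  echo "== non-distribution directories in the loader search path =="
  cat /etc/ld.so.conf /etc/ld.so.conf.d/*.conf 2>/dev/null | nonstandard_ld_dirs
}

if [ "${1:-}" = "--live" ]; then
  audit_live_system
else
  sample_ldconfig | shadowed_libs
fi
```

Run with --live on a client to audit the real loader cache; without arguments it prints the one shadowed soname from the sample, with the NetWorker path listed first because that is the copy the loader picks.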

Remove spacewalk from client

So the way to get rid of spacewalk is:

# zypper remove --clean-deps spacewalksd spacewalk-check zypp-plugin-spacewalk spacewalk-client-tools

Register at SuSE Manager

After that, re-register your server with the SuSE Manager like this (--no-check-certificate skips verification of the server certificate, so leave it out once the client trusts the SuSE Manager CA, e.g. via the rhn-org-trusted-ssl-cert RPM):

# /usr/bin/wget --no-check-certificate -O - https://susemgr.server.tld/pub/bootstrap/yourbootstrap.sh | bash

Update SuSE Manager certificate

Create a working directory

# mkdir ~/ssl-build
# mkdir ~/ssl-build/$(hostname --short)
# cd ~/ssl-build

Build RHN-ORG-TRUSTED-SSL-CERT and rhn-org-trusted-ssl-cert-1.0-*.noarch.rpm

# rhn-ssl-tool --gen-ca --rpm-only --dir="$HOME/ssl-build" --from-ca-cert=<path to your CA certificate file>
# openssl x509 -noout -subject -dates -in ~/ssl-build/RHN-ORG-TRUSTED-SSL-CERT 
subject=C = DE, O = Hosting, CN = My-CA
notBefore=Mar 22 12:28:05 2017 GMT
notAfter=Mar 22 12:38:05 2027 GMT
# ls -al ~/ssl-build/*.rpm
...
-rw-r--r--  1 root root 18262 17. Nov 12:10 rhn-org-trusted-ssl-cert-1.0-17.noarch.rpm
-rw-r--r--  1 root root 16672 17. Nov 12:10 rhn-org-trusted-ssl-cert-1.0-17.src.rpm

Generate CSR

# cd ~/ssl-build/$(hostname --short)
# declare -a hosts=( "susemgr.tld.de" "othername.tld.de" "anotheranothername.tld.de" )
# subject_without_cn='/C=DE/ST=Hamburg/L=Hamburg/O=Hosting/OU=Administration'
# emailAddress='suselinux-admin@tld.de'
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${hosts[0]}${hosts[1]:+,DNS:${hosts[1]}}${hosts[2]:+,DNS:${hosts[2]}}${hosts[3]:+,DNS:${hosts[3]}}${hosts[4]:+,DNS:${hosts[4]}}"))
Generating a RSA private key
...............................................++++
.................................................................................................................................................................++++
writing new private key to 'server.key'
-----
# openssl req -noout -verify -subject -in server.csr
verify OK
subject=C = DE, ST = Hamburg, L = Hamburg, O = Hosting, OU = Administration, CN = susemgr.tld.de, emailAddress = suselinux-admin@tld.de
# openssl req -noout -in server.csr -text 2>/dev/null | grep -E "(CN|DNS:)"
        Subject: C = DE, ST = Hamburg, L = Hamburg, O = Hosting, OU = Administration, CN = susemgr.tld.de, emailAddress = suselinux-admin@tld.de
                DNS:susemgr.tld.de, DNS:othername.tld.de, DNS:anotheranothername.tld.de
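The same request, built so that the SAN list takes any number of host names (the printf chain above stops at hosts[4]) and without bash process substitution, as an added example that is not from this wiki page. OPENSSL_CNF, the helper names and the --run switch are assumptions; the subject, e-mail address and host names are the ones used above.

```sh
#!/bin/sh
# Added example, not from the wiki page: generate a CSR with subjectAltName
# entries for every host name given, writing the openssl.cnf fragment to a
# temp file so the script also runs under plain sh.

# Prints an [SAN] section with one DNS: entry per argument.
build_san_section() {
  [ $# -gt 0 ] || return 1
  san=""
  for h in "$@"; do
    san="${san:+${san},}DNS:${h}"
  done
  printf '[SAN]\nsubjectAltName=%s\n' "$san"
}

# Appends CN (the first host) and emailAddress to the fixed RDNs; the
# e-mail address belongs in its own RDN, not pasted into the OU value.
build_subject() {
  # usage: build_subject <subject_without_cn> <email> <cn_host>
  printf '%s/CN=%s/emailAddress=%s' "$1" "$3" "$2"
}

# usage: generate_csr <keyfile> <csrfile> <subject_without_cn> <email> <host1> [host2 ...]
generate_csr() {
  keyfile=$1; csrfile=$2; subject_without_cn=$3; email=$4
  shift 4
  cnf=$(mktemp) || return 1
  # OPENSSL_CNF is an assumed override; default is the path used on the page.
  cat "${OPENSSL_CNF:-/etc/ssl/openssl.cnf}" > "$cnf" || { rm -f "$cnf"; return 1; }
  build_san_section "$@" >> "$cnf"
  openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$keyfile" -out "$csrfile" -batch \
    -subj "$(build_subject "$subject_without_cn" "$email" "$1")" \
    -reqexts SAN -config "$cnf"
  rc=$?
  rm -f "$cnf"
  return $rc
}

# Shows what the CA will see: signature check, subject and every DNS SAN.
show_csr_names() {
  openssl req -noout -verify -in "$1" -text 2>&1 | grep -E 'verify|Subject:|DNS:'
}

if [ "${1:-}" = "--run" ]; then
  generate_csr server.key server.csr \
    '/C=DE/ST=Hamburg/L=Hamburg/O=Hosting/OU=Administration' \
    'suselinux-admin@tld.de' \
    susemgr.tld.de othername.tld.de anotheranothername.tld.de &&
  show_csr_names server.csr
fi
```

With --run it writes server.key and server.csr into the current directory, i.e. ~/ssl-build/$(hostname --short) when run from there as above, and then prints the names the request carries.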

Generate RPMs from certificate and key

# rhn-ssl-tool --gen-server --rpm-only --dir="/root/ssl-build"
...working...

Generating web server's SSL key pair/set RPM:
    /root/ssl-build/susemgr/rhn-org-httpd-ssl-key-pair-susemgr-1.0-3.src.rpm
    /root/ssl-build/susemgr/rhn-org-httpd-ssl-key-pair-susemgr-1.0-3.noarch.rpm

The most current SUSE Manager Proxy installation process against SUSE Manager hosted
requires the upload of an SSL tar archive that contains the CA SSL public
certificate and the web server's key set.

Generating the web server's SSL key set and CA SSL public certificate archive:
    /root/ssl-build/susemgr/rhn-org-httpd-ssl-archive-susemgr-1.0-3.tar

Deploy the server's SSL key pair/set RPM:
    (NOTE: the SUSE Manager or Proxy installers may do this step for you.)
    The "noarch" RPM needs to be deployed to the machine working as a
    web server, or SUSE Manager, or SUSE Manager Proxy.
    Presumably 'susemgr.tld.de'.

Install certificate and key in the apache directories

Remove the previous version:

Install latest version:

# cd /root/ssl-build/susemgr
# rpm -Uvh $(grep -E "rhn-org-httpd-ssl-key-pair-.*.noarch.rpm" latest.txt)

Check:

# openssl x509 -noout -in /etc/apache2/ssl.crt/server.crt -dates
notBefore=Nov 16 08:35:35 2022 GMT
notAfter=Nov 16 08:35:35 2023 GMT

I don't know the SuSE way to make it, but this works:

# cp -p /etc/apache2/ssl.crt/server.crt /etc/pki/tls/certs/spacewalk.crt
# cp -p /etc/apache2/ssl.key/server.key /etc/pki/tls/private/spacewalk.key

# cp -p /etc/apache2/ssl.key/server.key /etc/pki/tls/private/pg-spacewalk.key
# chmod 0640 /etc/pki/tls/private/pg-spacewalk.key
# chgrp postgres /etc/pki/tls/private/pg-spacewalk.key
# spacewalk-service restart
# echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -dates
notBefore=Nov 16 08:35:35 2022 GMT
notAfter=Nov 16 08:35:35 2023 GMT
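A post-deployment check for the files copied above, as an added example that is not from the wiki page: private-key modes, certificate/key match, the certificate apache actually serves, and days until expiry. The 30-day threshold, the --check switch and the helper names are assumptions; days_until_expiry relies on GNU date.

```sh
#!/bin/sh
# Added example, not from the wiki page: verify the certificate deployment
# after spacewalk-service restart. Paths are the ones used in the text above.

# Returns 0 if the file's octal mode is one of the allowed ones
# (600 for the apache key, 640 for the postgres copy).
key_mode_ok() {
  # usage: key_mode_ok <file> <allowed_mode> [allowed_mode ...]
  f=$1; shift
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
  for allowed in "$@"; do
    [ "$mode" = "$allowed" ] && return 0
  done
  return 1
}

# Certificate and key must belong together: compare their public keys.
cert_matches_key() {
  # usage: cert_matches_key <cert.pem> <key.pem>
  c=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256) || return 1
  k=$(openssl pkey -pubout -in "$2" | openssl sha256) || return 1
  [ "$c" = "$k" ]
}

# The certificate apache serves must be the one on disk (same check as the
# s_client line above, but compared by fingerprint instead of by eye).
served_cert_matches_file() {
  # usage: served_cert_matches_file <cert.pem> [host:port]
  f=$(openssl x509 -noout -fingerprint -sha256 -in "$1") || return 1
  s=$(echo | openssl s_client -connect "${2:-localhost:443}" 2>/dev/null |
      openssl x509 -noout -fingerprint -sha256) || return 1
  [ "$f" = "$s" ]
}

# Days until notAfter, parsed from the same -dates style output (GNU date).
days_until_expiry() {
  # usage: days_until_expiry <cert.pem>
  na=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
  echo $(( ( $(date -d "$na" +%s) - $(date +%s) ) / 86400 ))
}

check_deployment() {
  rc=0
  key_mode_ok /etc/apache2/ssl.key/server.key 600 || { echo "apache key mode is not 0600"; rc=1; }
  key_mode_ok /etc/pki/tls/private/pg-spacewalk.key 640 || { echo "pg key mode is not 0640"; rc=1; }
  cert_matches_key /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.key/server.key ||
    { echo "certificate and key do not match"; rc=1; }
  served_cert_matches_file /etc/apache2/ssl.crt/server.crt ||
    { echo "served certificate differs from the file on disk"; rc=1; }
  d=$(days_until_expiry /etc/apache2/ssl.crt/server.crt) || d=0
  [ "$d" -gt 30 ] || { echo "certificate expires in $d days"; rc=1; }
  return $rc
}

if [ "${1:-}" = "--check" ]; then
  check_deployment
fi
```

Run it with --check on the SuSE Manager host after the restart; a non-zero exit with the printed reason is the cue to revisit the copy and chmod steps above before clients start failing.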