SuSE Manager: Difference between revisions

From Lolly's Wiki

Revision as of 12:27, 17 November 2021


SuSE Manager

Channels

Refresh channel list

# mgr-sync refresh

List available channels

# mgr-sync list channels

Add Channel

# mgr-sync add channel <channel>

Delete Channel

# spacewalk-remove-channel -c <channel>

Create a frozen channel

Clone a channel (which is like a snapshot) and add a timestamp at the end of the name:

# spacecmd softwarechannel_clonetree -s '<source channel or pool>' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"

e.g.:

# spacecmd softwarechannel_clonetree -s 'sles12-sp3-pool-x86_64' -x "s/\$/-$(date '+%Y-%m-%d_%H:%M:%S')/"

will result in a new channel pool named e.g. sles12-sp3-pool-x86_64-2017-11-22_14:26:42

Compose your own channel

# spacecmd
spacecmd {SSM:0}> softwarechannel_create -n OpenSuSE -l opensuse -a x86_64 -c sha256

spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp2-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP2/
spacecmd {SSM:0}> repo_create -n opensuse-database-sles12-sp3-x86_64 -u https://download.opensuse.org/repositories/server:/database/SLE_12_SP3/

spacecmd {SSM:0}> repo_list
opensuse-database-sles12-sp2-x86_64
opensuse-database-sles12-sp3-x86_64

spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp2-x86_64
spacecmd {SSM:0}> softwarechannel_addrepo opensuse opensuse-database-sles12-sp3-x86_64

spacecmd {SSM:0}> quit
# spacewalk-repo-sync -c opensuse

Bootstrap

Create bootstrap repo

Do it for each channel!

# mgr-create-bootstrap-repo

Create bootstrap shell scripts in /srv/www/htdocs/pub/bootstrap

Do not forget to look up the available activation keys:

# spacecmd -s susemanager.server.de -u mytestuser -q  activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-default
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64
6-sles12-sp4-x86_64
6-sles12-sp5-x86_64
6-sles15-sp0-x86_64
6-sles15-sp1-x86_64
6-sles15-sp2-x86_64
# mgr-bootstrap --traditional --script=My-New-SLES11-SP4.sh --activation-keys=6-sles11-sp4-x86_64

Activation keys

List available activation keys

web: Systems -> Activation Keys

# spacecmd -q activationkey_list
6-sles11-sp3-x86_64
6-sles11-sp4-x86_64
6-sles12-sp0-x86_64
6-sles12-sp1-x86_64
6-sles12-sp2-x86_64
6-sles12-sp3-x86_64

spacecmd

Just some useful spacecmd commands

# spacecmd system_list

rhn-search

Cleanup the search index

# rhn-search cleanindex


Troubleshooting

Clients

Error code: Curl error 59 / Error message: failed setting cipher list: DEFAULT_SUSE

# zypper refresh
...
Error code: Curl error 59
Error message: failed setting cipher list: DEFAULT_SUSE
...

The reason is that zypper in newer versions calls curl with a specific cipher list named "DEFAULT_SUSE" which is not defined in curl version 7.37.0-37.17.1 (version 7.37.0-28.1 is OK).


Now add a repository that still carries the old package versions, for example the ISO this system was installed from:

# zypper addrepo --check --type yast2 'iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso' 'SLES12-SP2-12.2-0'
Adding repository 'SLES12-SP2-12.2-0' ...........................................................................................................[done]
Repository 'SLES12-SP2-12.2-0' successfully added
Enabled     : Yes                                                                      
Autorefresh : No                                                                       
GPG Check   : Yes                                                                      
Priority    : 99                                                                       
URI         : iso:///?iso=/install/OS/suse/iso/SLE-12-SP2-Server-DVD-x86_64-GM-DVD1.iso

or enable it:

# zypper modifyrepo --enable SLES12-SP2-12.2-0

Reinstall the curl packages from the ISO, i.e. the older version that still works with the cipher list DEFAULT_SUSE (quote the glob so the shell does not expand it against files in the current directory):

# zypper install --force --repo SLES12-SP2-12.2-0 $(rpm --query --all '*curl*' --queryformat '%{NAME} ')

And disable the ISO repository:

# zypper modifyrepo --disable SLES12-SP2-12.2-0

Done.

Note: After some further debugging we found that the system library search path pulled in the wrong OpenSSL library.
# curl --version ; zypper --version
curl 7.37.0 (x86_64-suse-linux-gnu) libcurl/7.37.0 OpenSSL/1.0.2h zlib/1.2.8 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP 
zypper 1.13.40

In our version of curl it should be OpenSSL/1.0.2j.

# rpm -qv openssl
openssl-1.0.2j-60.24.1.x86_64
# openssl version
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL 1.0.2j-fips  26 Sep 2016 (Library: OpenSSL 1.0.2h-fips  3 May 2016)

Ha! OK... then after looking at the system library path, we got a clue ;-):

# ldconfig -p | grep ssl
	libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/nsr/lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
	libssl.so.1.0.0 (libc6) => /usr/lib/nsr/libssl.so.1.0.0
	libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
	libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
	libcommonssl.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl.so
	libcommonssl.so (libc6) => /usr/lib/nsr/libcommonssl.so
	libcommonssl-9.2.1.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl-9.2.1.so

The problem was a file in /etc/ld.so.conf.d/ that put /usr/lib/nsr/lib64 into the system library search path ahead of /lib64. That directory carried its own libssl.so.1.0.0 (version 1.0.2h), so curl and every other program linked against libssl.so.1.0.0 picked up the vendor's OpenSSL instead of the system's 1.0.2j. OK. What to do?

# rm /etc/ld.so.conf.d/problematic.conf
# rm /etc/ld.so.cache
# ldconfig

Check the success:

# ldconfig -p | grep ssl
	libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
	libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
	libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5

Now you just have to find a way to run the software that shipped that ld.so.conf.d file (here NetWorker, whose libraries live under /usr/lib/nsr) without it manipulating the system-wide library path.

Last check for our case: does our NetWorker daemon (nsrexecd) use its own SSL libraries?

# ls -al /proc/$(pgrep  --full /usr/sbin/nsrexecd)/map_files | egrep "lib(ssl|crypto)"
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bb73000-7f9d1bdc7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bdc7000-7f9d1bec7000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bec7000-7f9d1bef3000 -> /usr/lib/nsr/lib64/libcrypto.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1bfab000-7f9d1c00c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c00c000-7f9d1c10c000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0
lr-------- 1 root root 64 17. Jul 11:31 7f9d1c10c000-7f9d1c116000 -> /usr/lib/nsr/lib64/libssl.so.1.0.0

Yep. Great!
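The shadowing above can be found in one go instead of by eyeballing ldconfig -p. The following script is an added example and not part of the wiki page; the function names are this example's, and the sample input is constructed from the page's own ldconfig -p output above so that the script runs offline:

```shell
#!/bin/sh
# Added example, not from the wiki page: report shared libraries whose first
# match in the linker cache lies outside the system library directories while
# a system copy exists further down the search order, i.e. exactly the
# /usr/lib/nsr/lib64 situation above.
set -eu

# shadowed_libs: read `ldconfig -p` lines on stdin, print one line per
# soname/ABI pair that is shadowed. ldconfig lists entries in search order,
# so the first path seen for a key is the one the dynamic loader will pick.
shadowed_libs() {
    awk '
    $3 == "=>" {
        key = $1 " " $2        # soname plus ABI tag, e.g. libssl.so.1.0.0 (libc6,x86-64)
        path = $4
        if (!(key in first)) { first[key] = path; next }
        # system dirs: a file directly under /lib, /lib64, /usr/lib or /usr/lib64
        sys = "^/(usr/)?lib(64)?/[^/]+$"
        if (path ~ sys && first[key] !~ sys && !(key in seen)) {
            seen[key] = 1
            print key " -> " first[key] " shadows " path
        }
    }'
}

# Constructed sample: the ldconfig -p output from the page, before the fix.
SAMPLE_LDCONFIG='libssl.so.1.0.0 (libc6,x86-64) => /usr/lib/nsr/lib64/libssl.so.1.0.0
libssl.so.1.0.0 (libc6,x86-64) => /lib64/libssl.so.1.0.0
libssl.so.1.0.0 (libc6) => /usr/lib/nsr/libssl.so.1.0.0
libgnutls-xssl.so.0 (libc6,x86-64) => /usr/lib64/libgnutls-xssl.so.0
libevent_openssl-2.0.so.5 (libc6,x86-64) => /usr/lib64/libevent_openssl-2.0.so.5
libcommonssl.so (libc6,x86-64) => /usr/lib/nsr/lib64/libcommonssl.so'

# check_sample: run the detector over the sample above.
check_sample() {
    printf '%s\n' "$SAMPLE_LDCONFIG" | shadowed_libs
}

# process_ssl_libs <pid>: which libssl/libcrypto a running process has mapped
# (the page reads /proc/<pid>/map_files; /proc/<pid>/maps carries the same paths).
process_ssl_libs() {
    awk '$6 ~ /lib(ssl|crypto)/ { print $6 }' "/proc/$1/maps" | sort -u
}

# Live use:  ldconfig -p | shadowed_libs
#            process_ssl_libs "$(pgrep --full /usr/sbin/nsrexecd)"
check_sample
```

Only libssl.so.1.0.0 for the 64-bit ABI is reported: libcommonssl.so lives solely under /usr/lib/nsr and shadows nothing, and the 32-bit libssl entry has no system counterpart in the sample.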

Remove spacewalk from client

So the way to get rid of the spacewalk client packages is:

# zypper remove --clean-deps spacewalksd spacewalk-check zypp-plugin-spacewalk spacewalk-client-tools

Register at SuSE Manager

After that re-register your server with the SuSE Manager like this. Note that --no-check-certificate makes wget accept any certificate, so the script you pipe into a root shell is only as trustworthy as the network path to susemgr.server.tld; if the SUSE Manager CA is already installed on the client, drop the flag.

# /usr/bin/wget --no-check-certificate -O - https://susemgr.server.tld/pub/bootstrap/yourbootstrap.sh | bash
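An added example, not from the wiki page and not part of SUSE's own tooling: the same registration without --no-check-certificate. It assumes the SUSE Manager CA certificate is published at /pub/RHN-ORG-TRUSTED-SSL-CERT on the server (the standard location) and that you have obtained its SHA-256 fingerprint out of band; the server name, script name, fingerprint and function names are placeholders:

```shell
#!/bin/sh
# Added example, not from the wiki page: register a client without
# --no-check-certificate. Fetch the SUSE Manager CA certificate once, compare
# its SHA-256 fingerprint with one obtained out of band (on the SUSE Manager
# server: openssl x509 -noout -fingerprint -sha256 -in /root/ssl-build/RHN-ORG-TRUSTED-SSL-CERT),
# then download the bootstrap script over a TLS connection verified against
# that CA and run it from a file rather than from a pipe.
set -eu

# Reduce a fingerprint such as "SHA256 Fingerprint=AB:CD:..." or a hand-typed
# "ab:cd:..." to bare uppercase hex so the two forms compare equal.
normalize_fingerprint() {
    printf '%s' "$1" | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# cert_fingerprint <pem-file>: normalized SHA-256 fingerprint of a certificate.
cert_fingerprint() {
    normalize_fingerprint "$(openssl x509 -noout -fingerprint -sha256 -in "$1")"
}

# register_client <server> <bootstrap-script> <expected-ca-fingerprint>
register_client() {
    server="$1"; script="$2"; expected="$(normalize_fingerprint "$3")"
    workdir="$(mktemp -d)"
    ca="$workdir/RHN-ORG-TRUSTED-SSL-CERT"
    # First contact cannot be verified yet: download the CA, then pin it by
    # fingerprint before trusting anything fetched through it.
    wget -q --no-check-certificate -O "$ca" "https://${server}/pub/RHN-ORG-TRUSTED-SSL-CERT"
    actual="$(cert_fingerprint "$ca")"
    if [ "$actual" != "$expected" ]; then
        echo "CA fingerprint mismatch for ${server}: got ${actual}" >&2
        rm -rf "$workdir"
        return 1
    fi
    # From here on every download is authenticated against the pinned CA.
    wget -q --ca-certificate="$ca" -O "$workdir/bootstrap.sh" \
        "https://${server}/pub/bootstrap/${script}"
    # Run from the file (inspect it first if you want), not from a pipe.
    sh "$workdir/bootstrap.sh"
    rm -rf "$workdir"
}

# Usage with placeholders (replace host, script and fingerprint with your own):
# register_client susemgr.server.tld yourbootstrap.sh \
#     'SHA256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
```

The first wget still has to skip verification, because nothing on the client trusts the server yet; the fingerprint comparison is what turns that trust-on-first-use download into a pinned CA, and everything after it is ordinary verified HTTPS.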

Update SuSE Manager certificate

Generate CSR

# declare -a hosts=( "susemgr.tld.de" "susemgr-web.tld.de" )
# subject_without_cn='/C=DE/ST=Hamburg/L=Hamburg/O=Hosting/OU=Administration'
# emailAddress='suselinux-admin@tld.de'
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout server.key -out server.csr -batch -subj "${subject_without_cn}/CN=${hosts[0]}/emailAddress=${emailAddress}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:${hosts[0]}${hosts[1]:+,DNS:${hosts[1]}}${hosts[2]:+,DNS:${hosts[2]}}${hosts[3]:+,DNS:${hosts[3]}}${hosts[4]:+,DNS:${hosts[4]}}"))
Generating a RSA private key
...............................................++++
.................................................................................................................................................................++++
writing new private key to 'server.key'
-----
# openssl req -noout -verify -subject -in server.csr 
verify OK
subject=C = DE, ST = Hamburg, L = Hamburg, O = Hosting, OU = Administration, CN = susemgr.tld.de, emailAddress = suselinux-admin@tld.de
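An added example, not from the wiki page: the same CSR generation, but with the subjectAltName list built from any number of host names instead of the fixed ${hosts[1]:+...} to ${hosts[4]:+...} chain, and with a check that the SAN extension really ended up in the CSR, which openssl req -verify -subject does not show. The subject, e-mail address and /etc/ssl/openssl.cnf are taken from the page; the function names are this example's.

```shell
#!/bin/sh
# Added example, not from the wiki page: CSR with an arbitrary-length SAN list
# plus a check that the SAN extension is present in the resulting request.
set -eu

# san_list <host>...: print "DNS:h1,DNS:h2,..." for the given hosts.
san_list() {
    out=""
    for h in "$@"; do
        out="${out:+${out},}DNS:${h}"
    done
    printf '%s' "$out"
}

# csr_sans <csr>: print the Subject Alternative Name line of a CSR.
csr_sans() {
    openssl req -noout -text -in "$1" \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print }'
}

# generate_csr <subject-without-cn> <emailAddress> <key-file> <csr-file> <host>...
# The first host becomes the CN; every host goes into the SAN list.
generate_csr() {
    subject_without_cn="$1"; emailAddress="$2"; key="$3"; csr="$4"
    shift 4
    cn="$1"
    sans="$(san_list "$@")"
    # Same config trick as on the page, written to a temp file instead of <(...)
    cfg="$(mktemp)"
    { cat /etc/ssl/openssl.cnf; printf '[SAN]\nsubjectAltName=%s\n' "$sans"; } > "$cfg"
    # -nodes writes the private key unencrypted, so create it 0600 from the start
    ( umask 077
      openssl req -newkey rsa:4096 -nodes -sha256 -keyout "$key" -out "$csr" -batch \
          -subj "${subject_without_cn}/CN=${cn}/emailAddress=${emailAddress}" \
          -reqexts SAN -config "$cfg" )
    rm -f "$cfg"
    # -verify -subject says nothing about extensions; check the SANs explicitly
    got="$(csr_sans "$csr")"
    case "$got" in
        *"DNS:${cn}"*) printf 'SAN: %s\n' "$got" ;;
        *) echo "SAN extension missing from ${csr}" >&2; return 1 ;;
    esac
}

# Usage with the page's values:
# generate_csr '/C=DE/ST=Hamburg/L=Hamburg/O=Hosting/OU=Administration' \
#     'suselinux-admin@tld.de' server.key server.csr susemgr.tld.de susemgr-web.tld.de
```

With the page's two hosts the SAN line printed at the end reads DNS:susemgr.tld.de, DNS:susemgr-web.tld.de; a CSR whose -reqexts section was ignored (for example because the section name in -config and -reqexts differ) fails the final check instead of being sent to the CA with a bare CN.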