Documente Academic
Documente Profesional
Documente Cultură
---
Teaser :
● You don't want to let/have all your machines connect to Novell Customer Center to register
and retrieve updates for bandwidth and / or security reasons.
● You have servers or desktops in isolated networks that are difficult to update without having
to invent your own update management solutions.
● You are using the the "yup" (Yum Update Proxy) package from the SLE 10 Software
Development Kit (SLE 10 SDK) to mirror updates to work around the problems above, but are
concerned that yup is not an integrated, supported solution.
● You would like to have one tool to mirror both SLE 9 and SLE 10 updates (and maybe miss
the SLES 9 YOU server on SLES 10).
● You have additional software update repositories (either external or internal) that need to be
available to your clients.
Then your prayers might have been answered with Subscription Management Tool for SUSE Linux
Enterprise.
---
Besides an overview this article will cover the following subjects :
● Installation and basic configuration
● Important files and directories
● Commands and tools
● Configuring clients
● Registration data synchronization with Novell Customer Center
● Using the test environment
● SMT reports
● Mirroring SLE 9
● Mirroring updates for Red Hat Enterprise Linux
● Custom catalogs
● Preloading repositories
● Server tuning
● Disconnected SMT servers
● Backup of SMT server
This article is targeted against medium experienced SUSE Linux Enterprise administrators.
The current document is v. 1.4 - refer to the changelog at the end of it for information about
changes.
SMT addresses the above issues and the reporting feature provides means for license tracking across
large deployments as well as effective measurement of subscription to ease determining how many
entitlements are in need of renewal at the end of a billing cycle.
SMT supports SLE 10 SP2 and later based products and for a six months period after its release it
also supports SLE 10 SP1. Besides this SMT also supports the SLE 9 based products.
So at the time of writing it is able to mirror the following products :
SUSE Linux Enterprise 10 :
● SUSE Linux Enterprise Server 10
Depending on workload a single server scales up to handling 1000+ clients, although it may require
some minor tuning efforts (discussed in a later section).
The product is mostly written in perl and plain shell scripts, creates a mysql database and publishes
its repositories via apache. It communicates with NCC in https and the clients are served via https
(registration process) and http (update retrieval).
SMT is provided as an add-on product to SLES 10. While it can also be installed during the initial SLES
installation phase (see section 1.1 in the SMT guide) this article will discuss installing it on top of an
already installed system.
The installation ISO image can be downloaded from http://download.novell.com/
Before starting the installation, you should have the mirroring credentials to use available. How to
find them is described in section 3.1 of the SMT guide. Until SMT has been installed, the guide is
unfortunately only available in an rpm package on the SMT installation medium
(CD1/suse/noarch/sle-smt_en-10.1-0.4.noarch.rpm). During installation this package installs the guide
as PDF and HTML in /usr/share/doc/manual/sle-smt_en/. It has been requested to be put on the
Novell online documentation web site.
The installation is described in section 1.2 and 1.3 of the SMT guide and flows as follows :
● Start it by invoking the Add-on module in the Software group in the YaST Control Center
(yast2 add-on).
● Select the SMT medium you have downloaded as installation source and start the installation.
● Accept the GPL licence prompt
● The software management dialog appears. If selecting Patterns from the Filter drop-down
menu and then selecting the SMT: Subscription Management Tool for SLE pattern at the
bottom of the list, the three packages that constitute SMT will be shown as marked for
installation.
Now the configuration is written and an initial synchronization of products and entitlements from
Novell Customer Center is performed in the background.
This may take a few minutes.
Besides /etc/smt.conf, other files and directories worth knowing about are :
File/Directory Description
/etc/smt.d/novell.com-smt Cron file - symlinked into /etc/cron.d/
/etc/smt.d/smt-cron.conf Parameters for cron jobs
/srv/www/htdocs/smt.crt Server certificate copied from
/etc/ssl/certs/YaST-CA.pem
In some scenarios it is not feasible to place the Subscription Management Tool (SMT) certificate and
repository directories inside the apache2 DocumentRoot structure. It can for instance be security
policies that prohibit even creating symbolic links to the SMT data within the DocumentRoot.
Check out the article How to clean SMT completely out of apache DocumentRoot for instructions on
how to achieve such a setup.
● List all sles-10-x86_64 based catalogs for that you are entitled to mirror
# smt-catalogs -m '' sles-10-x86_64 (single quotes)
● Enable mirroring of a catalog
# smt-catalogs -e SLES10-SP2-Updates sles-10-x86_64
● Show the catalogs that are marked for mirroring
# smt-catalogs -o
● Perform a mirror of the enabled SLE 10 catalogs with verbose output and logging
# smt-mirror -d -L /var/log/smt-mirror.log
● Perform mirroring of the SLE 9 products with verbose output and logging
# smt-mirror-sle9 -d -L /var/log/smt-mirror-sle9.log
● Create a report of SMT and NCC data based on information in the local datase.
# smt-report --local
● List the products in the database and their IDs
# smt-list-products
● Configure a non-Novell Update catalog for mirroring
# smt-setup-custom-catalogs --productid 431 --name 'VLC_SLED_10_SP1' --exturl \
'http://download.videolan.org/pub/videolan/vlc/SuSE/10.1' \
--description 'VideoLAN repository for SLED 10 SP1'
For information on which catalogs to enable for mirroring see TID 7001199 - Which software
catalogs to mirror with Subscription Management Tool
2. AutoYaST profile
This method is much less error-prone and the preferred way for new clients to be installed.
It is possible to use the Autoinstallation GUI frontend in YaST to create a customer_center
section in an AutoYaST profile. Basically it creates an xml block like the following to include in
the profiles used to install SP2 based clients :
<customer_center>
<do_registration config:type="boolean">true</do_registration>
<reg_server>https://smt2.nts.com/center/regsvc</reg_server>
<reg_server_cert></reg_server_cert>
<register_regularly config:type="boolean">false</register_regularly>
<registration_data/>
<submit_hwdata config:type="boolean">false</submit_hwdata>
<submit_optional config:type="boolean">false</submit_optional>
</customer_center>
Adapt the reg_server and reg_server_cert as the corresponding kernel parameters
described above.
The script first downloads the SMT server's CA certificate and prompts for acceptance of it
before installing it in the certificate store. Then it modifies the url parameter in
/etc/suseRegister.conf to point to the specified SMT server.
Now the client is ready to register against the SMT server by running suse_register or the
YaST Novell Customer Center Configuration module (yast2 inst_suse_register), but this
task must be performed manually.
I usually publish clientSetup4SMT.sh in the repo/ directory of my SMT servers and have
created this tiny script to execute on the clients to perform all three steps with a single
command :
#!/bin/bash
wget -O /tmp/clientSetup4SMT.sh smt2.nts.com/repo/clientSetup4SMT.sh
bash /tmp/clientSetup4SMT.sh --host smt2.nts.com<<EOF
Y
EOF
suse_register
rm /tmp/clientSetup4SMT.sh
Now testing can begin. Perform the desired level of testing and once you are done testing, deploy
the contents of the testing environment. This could effectively be done with an rsync command like
# rsync -av /srv/www/htdocs/testing/repo/* to /srv/www/htdocs/repo/.
● Then reconfigure the test clients to use the production environment by setting the register
command back to default in /etc/suseRegister.conf :
register = command=register
● Run suse_register / yast inst_suse_register to register back against the production
service/catalogs and verify that the service has changed back to normal with the same rug
commands as above.
SMT reports
To assist customers in monitoring their license compliance SMT once a week generates a report
based on SMT and Novell Customer Center data containing information about statistics of the
registered machines, products used and of the active, expiring, or missing license subscriptions. In
case subscriptions are about to expire and/or lack of licenses is observed (e.g. more SLES 10
machines are registered than you have purchased licenses for) the report contains warnings about
this.
In order to be able to calculate the compliance the smt-report tool by default downloads
information about the subscriptions and registrations (this can be disabled).
The addresses to send the reports to can be configured on the Database and Reporting tab of the
YaST SMT Configuration module. All of the e-mail configuration options are located in the [REPORT]
part of /etc/smt.conf and explained in section 6.2.1 of the SMT guide.
The scheduling of the reports is configured in /etc/smt.d/novell.com-smt and the parameters to use
with the cron jobs are set in REPORT_PARAMS in /etc/smt.d/smt-cron.conf file.
The content of the reports is too comprehensive to cover in this article, but a set of reports can be
broken down to five individual parts, which by default are attached as CSV files a single file to the
mail on the weekly report run.
To generate a set of reports in CSV files based on local data and display them on stdout, a command
like this would work :
# smt-report --local --csv --file /tmp/smt-local-rep
Generates
/tmp/smt-local-rep-product_subscription_active.csv
/tmp/smt-local-rep-product_subscription_alerts.txt
/tmp/smt-local-rep-product_subscription_expired.csv
/tmp/smt-local-rep-product_subscription_expiresoon.csv
/tmp/smt-local-rep-product_subscription_summary.csv
Note that if you have multiple SMT servers deployed in your environment, the reports may not
represent all of the SMT servers or machines in your environment. For the complete statistics of all
Mirroring SLE 9
Although SMT is primarily designed to manage SLE 10 based update repositories Novell has added
basic functionality to enable mirroring of SLE 9 based products as well.
It is not as slick as the SLES 9 YaST Online Update (YOU) Server, but the smt-mirror-sle9 tool creates
a structure in $MirrorTo/repo/YOU9 that is similar to
/var/lib/YaST2/you/mnt on a SLES 9 YOU server and stores the updates there.
The catalogs to mirror are configured in /etc/smt.conf and by default it mirrors everything accessible
on https://you.novell.com/update/ for each product.
Noteworthy is that - since _all_ updates and sources for a product since it was released get mirrored
- the repositories may consume up to 10+ times as much as what is needed by a freshly configured
YOU server (e.g. 27G for SUSE-CORE 9 versus 2G respectively)
Custom catalogs
SMT also includes functionality to mirror catalogs that are not available at the Novell Customer
Center - custom catalogs. It might be your own in-house developed applications or third-party
driver/software repositories like close-source hardware drivers that Novell for legal reasons are not
shipping with their products.
If you would like to create your own catalog with updates and publish it with SMT, the article
Creating a YUM repository and publishing it with SMT explains you all the steps.
When configuring custom catalogs to be mirrored with smt-mirror all catalogs must be associated to
one or more Novell product IDs. This ID can be determined using the smt-list-products command :
# smt-list-products | grep SUSE-Linux-Enterprise-Server-SP2 | grep x86
| 824 | SUSE-Linux-Enterprise-Server-SP2 | 10 | x86_64 | - | 5 |
| 839 | SUSE-Linux-Enterprise-Server-SP2 | 10 | x86_64 | online | 0 |
| 809 | SUSE-Linux-Enterprise-Server-SP2-migration | 10 | x86_64 | - | 1 |
As can be seen from the output above there can be multiple IDs for the same product depending on
the release, which basically represents the way that the SLE product has been installed. Base is
installed directly and online is an upgraded product - eg. a machine originally installed from SLES 10
SP1 medium and then online updated to SP2.
To determine the release of a SLE 10 SP2 product execute
To associate a catalog with multiple product IDs, just add more --productid ID# parameters - e.g. :
# smt-setup-custom-catalogs --productid 824 --productid 839 \
--name "My_own_SLES10_SP2_APP_UPDATES" \
--exturl "http://download.my.company/SLES10-SP2" \
--description "Private SLES updates"
If the custom catalog/repository is unsigned, the clients may fail to subscribe to them for the
following reason. In its default configuration SUSE Linux Enterprise 10 does not allow the use of
unsigned repositories. Therefore, if you want to mirror unsigned repositories and use them on client
machines, you have to allow this explicitly by executing the following command on the client
machines:
#rug set security-level checksum
This may or may not be a securiy concern of your company, but custom catalogs are beyond control
of Novell and it is something that you need to work out how to deal with.
When deleting a custom catalog, the ID to provide is the GUID. Find it with the smt-catalogs
command :
# smt-catalogs -v VLC_SLED10_SP2 |grep ID
CatalogID: 657e1ad399d8cf69a8f7202baeb05db8c8835c93
and then delete the catalog from the local SMT database with
# smt-setup-custom-catalogs –delete \ 657e1ad399d8cf69a8f7202baeb05db8c8835c93
For more on setting up custom catalogs refer to smt-setup-custom-catalogs -h or section 2.5 in the
SMT guide.
Preloading repositories
Although the nu.novell.com servers are accellerated as mentioned previously and you may have lots
of internet bandwidth, deploying multiple SMT servers may become time consuming if each new
SMT server must mirror the same repositories.
If you today are deploying the YUM Update Proxy package (yup) from the SUSE Linux Enterprise 10
Software Development Kit, you may already have most of the update repository packages and
metadata in place.
To save time when deploying new SMT servers, the catalogs can be preloaded from another
server/disk instead.
The steps involved in doing that are :
● Enable the catalogs to be mirrored with SMT – e.g. :
# smt-catalogs -e SLES10-SP2-Online sles-10-i586
● Perform a dry-run of smt-mirror to get the repository directories created
Server tuning
The /usr/share/doc/packages/smt/Server-Tuning.txt contains very useful tips on different ways of
tuning SMT server performance.
Here you will find tips on increasing number of clients for apache2, increasing mysqld connections
and also how to speed up database connection by installing the perl-Apache-DBI module from the
SUSE Linux Enterprise 10 Software Development Kit.
Daily operation :
● Connect the mobile disk to the external server
● Perform a mirror based on the file on the mobile disk and to a directory on the mobile disk
○ # smt-mirror --dbreplfile /path-to-dbrepl-file-on-mobile-disk \
--directory /path-to-repository-on-mobile-disk \
-L /var/log/smt-mirror-disconnected-01.log
● Scan the mobile disk for virus and other if desired
● Connect the mobile disk to the internal SMT server and copy/rsync the updated repository to
the local disk/storage on the server - e.g.
○ # rsync -av /media/disk/smt-01/repo/. /srv/www/htdocs/repo
If you are operating many isolated SMT servers much of the above can be automated by scripting
and the daily update mirroring could be optimized.
For instance let us say that we are operating 5 isolated SMT servers with the same catalogs and
architecture targets. It would still be recommended to perform the initial setup and creation of
Due to the fact that isolated SMT servers do not have a connection to Novell Customer Center /
nu.novell.com, they do not get subscribed to the SLES10-SP2-Updates and SLE10-SP2-SMT-Updates
catalogs
SMT is currently not designed to be able to update itself, but you can work around that by following
the instructions in TID 7001350 - How to configure isolated SMT servers for updating.
Hopefully this article has helped demystify the Subscription Management Tool for SUSE Linux
Enterprise and equipped you with some tips that can be useful when deploying SMT in your
networks to keep your SUSE Linux Enterprise 10, OpenEnterpriseServer 2 and SUSE Linux Enterprise 9
based products up to date with updates from Novell Customer Center.
References :
Subscription Management Tool Guide - available online and in /usr/share/doc/manual/sle-smt_en/.
Documents in /usr/share/doc/packages/smt/.
Frequently Asked Questions for Subscription Management Tool for SUSE Linux Enterprise.
Changelog
20081120 v. 1.4 :
Added references to article "Creating a YUM repository and publishing it with SMT", TID 1001751 -