Difference between revisions of "SUSE Manager/InterServerSync"

From MicroFocusInternationalWiki
(Inter Server Sync)
(Replaced content with "Please see the [https://www.suse.com/documentation/suse-manager-3/singlehtml/suse_manager21/book_susemanager_install/book_susemanager_install.html#s1-sync-iss SUSE Manager...")
 
Line 1: Line 1:
= New Features in SUSE Manager 1.7 =
+
Please see the [https://www.suse.com/documentation/suse-manager-3/singlehtml/suse_manager21/book_susemanager_install/book_susemanager_install.html#s1-sync-iss SUSE Manager 2.1 official manual, Installation & Troubleshooting Guide, Inter Server Synchronization].
 
+
This betatest comes with the latest upcoming features for SUSE Manager 1.7, which includes support for:
+
 
+
* Inter Server Sync - connect a SUSE Manager Server to another SUSE Manager Server instead of NCC for content distribution
+
* CVE Audit - find out which systems need to be patched for a given CVE identifier
+
* CSV Separator - for downloadable CSV files, choose a separator for better compatibility with the used spreadsheet software
+
 
+
= Installation Instructions =
+
 
+
Stop spacewalk services
+
  $> spacewalk-service stop
+
 
+
Update already installed packages
+
  $> zypper ar -f http://beta.suse.com/private/SUSE-Manager-beta/features/inter-server-sync manager-beta
+
  $> zypper dup --from manager-beta
+
 
+
Schema upgrade
+
  $> spacewalk-schema-upgrade
+
 
+
Start spacewalk services
+
  $> spacewalk-service start
+
 
+
= Inter Server Sync =
+
 
+
== Requirements ==
+
 
+
At least two fully patched SUSE Manager 1.7  or greater servers from
+
August 2013 or later are required; check that spacewalk-backend version
+
1.7.38.27 or later is installed.
+
 
+
== Configure the Master Server to Accept Connections From Slaves ==
+
 
+
A SUSE Manager Server does by default not allow any other SUSE Manager Server to connect, this needs to be allowed explicitly.
+
 
+
In order to do that, modify /etc/rhn/rhn.conf and add the hostnames of allowed slaves to '''allowed_iss_slaves''' options:
+
 
+
  # Use this option if this server is intended to be a master
+
  # Comma separated list of allowed iss slaves, like:
+
  allowed_iss_slaves=slave1.example.com,slave2.example.com
+
 
+
Additionally take care, that the option '''disable_iss''' is set to '0'.
+
 
+
After changing the config, please restart the SUSE Manager Server:
+
  $> spacewalk-service restart
+
 
+
Now you need to refresh the NCC Sync data with:
+
  $> mgr-ncc-sync --refresh
+
 
+
== Configure the SUSE Manager Slave Server ==
+
 
+
A SUSE Manager Slave Server connect only to its master server. A Connection to NCC is not needed.
+
 
+
=== During Initial Setup ===
+
 
+
We have enhanced the yast module which setup a SUSE Manager Server to be able to setup a Slave server.
+
To test this, please install a new SUSE Manager Server from the appliance ISO and update all the packages before you start the yast module:
+
 
+
Update already installed packages:
+
  $> zypper ar -f http://beta.suse.com/private/SUSE-Manager-beta/features/inter-server-sync manager-beta
+
  $> zypper dup --from manager-beta
+
 
+
Setup SUSE Manager Server:
+
  $> yast2 susemanager_setup
+
 
+
You will see that the screen with the NCC credentials has changed. You can select between
+
 
+
* Connect to NCC
+
* Connect to SUSE Manager for inter-server sync
+
 
+
Choose ''Connect to SUSE Manager for inter-server sync''.
+
The additional field ''Parent Server Name'' will be enabled. Enter the FQDN of the master server there.
+
 
+
The NCC Mirror Credential Username and Password needs to be the same as the first credential on the master Server.
+
 
+
Use the ''Test'' button to test if the credentials are working.
+
 
+
=== Manual Setup ===
+
 
+
If you have an already setup SUSE Manager Server you want to connect as a slave, you need to configure it manually.
+
 
+
Update the Server using the same steps as described above in '''Installation Instruction (Server)'''.
+
 
+
Modify /etc/rhn/rhn.conf and set '''iss_parent''' to the FQDN of the master server.
+
 
+
Check, if /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem already exists. If yes, you need to rename it:
+
  $> mv /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem /etc/ssl/certs/OWN-SUSE-MANAGER-TRUSTED-SSL-CERT.pem
+
  $> c_rehash /etc/ssl/certs/
+
 
+
Download the SSL CA Certificate:
+
  $> curl -o /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT "http://FQDN.ISS.PARENT/pub/RHN-ORG-TRUSTED-SSL-CERT"
+
 
+
Trust this certificate:
+
  $> ln -s /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT /etc/ssl/certs/RHN-ORG-TRUSTED-SSL-CERT.pem
+
  $> c_rehash /etc/ssl/certs/
+
 
+
Restart the SUSE Manager Server
+
  $> spacewalk-service restart
+
 
+
Initialize the SUSE Manager Server
+
  $> mgr-ncc-sync --refresh
+
 
+
== Use Inter Server Sync ==
+
 
+
On a SUSE Manager Slave the functions of mgr-ncc-sync are limited. The tool you should use to sync channels is now
+
'''mgr-inter-sync'''. (This is a symlink to satellite-sync)
+
 
+
List available channels:
+
  $> mgr-inter-sync --list-channels
+
 
+
Sync a channel:
+
  $> mgr-inter-sync --channel <channel label>
+
 
+
Refresh all channels which are available in this server:
+
  $> mgr-inter-sync
+
 
+
== Forward Registrations to NCC ==
+
 
+
The Slave servers forward the registrations to NCC by using the parent as a proxy.
+
A SUSE Manager Server acting as a parent accepts ''register'' and ''de-register'' operations
+
and forwards them directly to its parent. The first SUSE Manager Server will send these
+
requests to NCC and return the answer back the chain to the originally requesting server.
+
 
+
There are some checks implemented that need to be passed before a SUSE Manager Server forwards
+
such a request. It checks, if the requesting slave is in the allowed list and it verifies
+
the user and password. These must match the first configured mirror credential.
+
 
+
== Known Issues ==
+
 
+
* Register a SUSE Manager Slave to its parent and get updates from the parent is currently not supported. Beta testers: please tell us if this is a valid scenario or use-case for you!
+
 
+
= CVE Audit =
+
 
+
== Post Installation ==
+
 
+
CVE Audit needs to refresh data needed for the search periodically in the background in order to produce correct results. This is scheduled, by default, at 11:00 PM every night. You should manually schedule a run, right after installation, in order to get proper results without waiting until the next day:
+
 
+
* Go to the "Admin" page
+
* Click on "Task schedules" from the left menu
+
* Click on the "cve-server-channels-default" schedule link
+
* Click on the "cve-server-channels-bunch" bunch link
+
* Click on the "Single Run Schedule" button
+
* After some minutes, refresh the page and check that the scheduled run status is FINISHED.
+
 
+
A direct link is also available in the CVE Audit for your convenience.
+
 
+
== Typical Usage ==
+
 
+
A typical use-case of this feature looks like that:
+
 
+
* Go to the Audit page
+
* Input a 13-char CVE identifier
+
* Optionally, uncheck patch statuses you are not interested in (see below)
+
* Click on "Audit systems"
+
 
+
A list of systems is displayed, where each system comes with a "Patch Status" describing its situation regarding the given CVE identifier.
+
Possible statuses are:
+
 
+
* '''Affected, patch available in a channel which is not assigned''': the system is affected by the vulnerability and SUSE Manager has a patch for it, but at this moment, that channel is not assigned to the system itself.
+
* '''Affected, patch available in an assigned channel''': the system is affected by the vulnerability, SUSE Manager has a patch for it in a channel that is directly assigned to the system.
+
* '''Not affected''': the system does not have any packages installed that would be patchable.
+
* '''Patched''': a patch has already been installed.
+
 
+
For a more precise definition of these statuses, see [[SUSE Manager/InterServerSync#Notes|Notes]]. If the CVE number is not known to SUSE Manager, an error notice is displayed, as Manager is not able to produce any audit data in that case.
+
 
+
For each system, the "Next Action" column contains suggestions on the steps to take in order to address vulnerabilities (installing a certain patch or assigning a new channel). When applicable, a list of "candidate" channels or patches is also displayed for your convenience.
+
 
+
You can also assign systems to a System Set for further batch work.
+
 
+
== API Usage ==
+
 
+
An API method is available to run CVE audits from custom scripts, <code>audit.listSystemsByPatchStatus</code>. Details on how to use it are available in the API guide.
+
 
+
== Notes ==
+
 
+
As stated above audit results are correct only if the assignment of channels to systems did not change since the last scheduled refresh (normally, at 23:00 every night). If a CVE audit is needed and channels were assigned or unassigned to any system during the day, a manual run is recommended.
+
 
+
Systems are said to be "affected", "not affected" or "patched" not in an absolute sense, but ''based on information that SUSE Manager knows about''.
+
This implies that concepts such as "affectedness to a vulnerability" have particular meanings in this context and more precisely, the following definitions apply:
+
* system affected by a certain vulnerability: a system which has an installed package with version lower than the version of the same package in a relevant patch marked for the vulnerability;
+
* system not affected by a certain vulnerability: a system which has no installed package that is also in a relevant patch marked for the vulnerability;
+
* system patched for a certain vulnerability: a system which has an installed package with version equal to or greater than the version of the same package in a relevant patch marked for the vulnerability;
+
* relevant patch: a patch known by SUSE Manager in a relevant channel;
+
* relevant channel: a channel managed by SUSE Manager which is either assigned to the system, the original of a cloned channel which is assigned to the system, a channel linked to a product which is installed to the system or a past or future service pack channel for the system.
+
 
+
A notable consequence of the above definitions is that results can be incorrect in cases of unmanaged channels, unmanaged packages and/or non-compliant systems.
+
 
+
== Known Issues ==
+
 
+
* Bug: The state of the page is lost (the page resets itself) when clearing the system set on top of the page using the "Clear" button.
+
 
+
* Bug: In the first version of the beta there is a bug that causes problems with deleting custom channels or even servers, because of foreign key constraints (see https://bugzilla.novell.com/show_bug.cgi?id=831047). This problem can be fixed by running a SQL script that is attached to the bug.
+
 
+
= CSV Separator =
+
 
+
The character that will be used as a delimiter in downloadable CSV files throughout SUSE Manager can now be configured per user. When navigating to "Your Preferences" on the "Overview" page, the following options are available:
+
 
+
* '''Comma''' (",", default)
+
* '''Semicolon''' (";", compatible with Microsoft® Excel®)
+
 
+
Whenever downloading a CSV file from anywhere within SUSE Manager, the configured separator character will be used as the delimiter.
+
 
+
== Known Issues ==
+
 
+
* None
+
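Review bot: The "Manual Setup" steps fetch the master's CA certificate over plain HTTP (`curl -o /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT "http://FQDN.ISS.PARENT/pub/RHN-ORG-TRUSTED-SSL-CERT"`) and then link it into /etc/ssl/certs and run c_rehash with no check in between, so the slave ends up trusting whatever file arrived over that connection. Add a step between "Download the SSL CA Certificate" and "Trust this certificate" that compares the fingerprint of the downloaded file (for instance `openssl x509 -noout -fingerprint -sha256 -in /usr/share/rhn/RHN-ORG-TRUSTED-SSL-CERT`) with the fingerprint read on the master itself. Two smaller points in the same text: "Manual Setup" refers to '''Installation Instruction (Server)''' while the heading is "Installation Instructions", and both `zypper ar -f` lines add the beta repository by an http:// URL.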

Latest revision as of 13:29, 25 July 2016

Please see the SUSE Manager 2.1 official manual, Installation & Troubleshooting Guide, Inter Server Synchronization.