Update Management and Compliance Monitoring with the Subscription Management Tool 11

Andreas Taschner, Sr. Technical Support Engineer

Upload: novell

Post on 12-May-2015


DESCRIPTION

Come and see how Subscription Management Tool for SUSE Linux Enterprise 11 can help you achieve your goals. If you:

- Want one tool to manage updates for SUSE Linux Enterprise 9, 10 and 11, Novell Open Enterprise Server and Red Hat Enterprise Linux servers ...
- Want to be on top of your company's licensing compliance, but for bandwidth and/or security reasons can't connect all of your machines to Novell Customer Center to register and retrieve updates ...
- Have servers or desktops in isolated networks that are difficult to update ...
- Want to integrate additional software update repositories (either external or internal) into your update solution ...
- Want an out-of-the box staging solution for testing updates before releasing them to users ...
- Want to get a quick overview of the patch status of your SUSE Linux Enterprise 11 servers and desktops ...

... Then this is the session for you.

This session will discuss:

- An overview of Subscription Management Tool
- Installation and basic configuration
- How to manage Subscription Management Tool repositories
- Configuring clients to use Subscription Management Tool
- Jobs and client status monitoring
- Staging
- Compliance monitoring
- Supportconfig proxy
- Mirroring other products and repositories
- Disconnected Subscription Management Tool servers
- Tips and tricks

TRANSCRIPT

Page 1: Update Management and Compliance Monitoring with the Subscription  Management Tool 11

Update Management and Compliance Monitoring with the Subscription Management Tool 11

Andreas Taschner

Sr. Technical Support Engineer


© Novell, Inc. All rights reserved.

Agenda

Introduction to Subscription Management Tool (SMT) 11

Installation and Basic Configuration

Managing SMT

Configuring Clients to Use SMT

Jobs and Client Status Monitoring

Staging


Agenda (continued)

Compliance Monitoring with SMT Reports

Supportconfig Proxy

Mirroring Other Products/Repositories

Disconnected SMT Servers

Upgrading from SMT 1.0

Tips and Tricks


Introduction


Why Do We Have SMT?

• Challenges:

– Every SUSE® Linux Enterprise (SLE) 10/11 based machine connects to Novell® Customer Center (NCC) for registration and download of updates

– Difficult to maintain security perimeter at the firewall

– Compliance monitoring is difficult

– Devices with no internet access require homemade update solutions

– Need to streamline updates for non-SLE components


Updating SUSE® Linux Enterprise 10/11

[Diagram: Novell® Customer Center; Customer Network]


Solution: Subscription Management Tool

• Novell® SLES 11 add-on to mirror all you need:

– SUSE® Linux Enterprise Desktop and Server 10/11, SLES 9

– Open Enterprise Server 2

– SLE 10/11 SDK

– Other SLE based products (NLD, SLEPOS, VMDP++)

– Red Hat™ Enterprise servers 3.9, 4.7, 5.2

– Third-party repositories (custom, ati, vlc, nvidia etc.)

• Allows for more restrictive firewall policies

• Bandwidth optimization

• Reporting - compliance monitoring

• Fast and scalable


High-level Architecture

[Diagram: Subscription Management Tool; Novell® Customer Center; Customer Network]


LAMP Architecture

[Diagram: Novell® Customer Center; Subscription Management Tool Server (Perl, Apache, MySQL, Updates); Local servers; connections labeled 443 and 443/80]


Installation


Requirements

• Active Maintenance Subscriptions

• SUSE® Linux Enterprise Server (SLES) 11

• System requirements same as SLES

• Valid DNS host name such as smt.mycompany.com

• ~10 GB storage space per product and architecture

– More if also mirroring sources


Managing SMT


Managing SMT

• YaST modules

– SMT server configuration (yast2 smt-server)

> Only used for initial and global configuration

» Reporting addressees

» Job schedules

– SMT server management (yast2 smt)

> Day-to-day management

» Repositories

» Staging

» Client status monitoring


Managing SMT (continued)

• SMT console commands

– Command syntax : smt subcommand

> Use smt-subcmd instead of smt subcommand

> man smt-subcommand / smt-subcommand -h

– Examples :

> smt-mirror -L /var/log/smt/smt-mirror.log -d

> smt-client -n sled


YaST SMT Module

Repositories


YaST SMT Module (continued)

Staging


YaST SMT Module (continued)

Clients


Configuring Clients


Registering Clients with SMT Server

• Registration process uses https

– SMT server CA needs to be installed onto clients

• /etc/suseRegister.conf needs to point to SMT server

• Setting up SUSE® Linux Enterprise 10 SP2+ clients

– During installation:

> Advanced | Local registration server in NCC dialog (interactive install)

> regurl and regcert kernel parameters (interactive install)

> AutoYaST – add a section in AutoYaST profile (autoinstall):

» suse_register (SLE 11) or customer_center (SLE 10)

– Post installation time:

> Run clientSetup4SMT.sh script to import SMT server CA, configure suse_register and perform the registration


Registering Clients (continued)

xsles11a:~ # zypper ls

# | Alias | Name | Enabled | Refresh | Type

--+--------------------------+--------------------------+---------+---------+------

1 | SMT-http_xsmt11a_nts_com | SMT-http_xsmt11a_nts_com | Yes | No | ris

2 | CD1 | CD1 | Yes | Yes | yast2

xsles11a:~ # zypper lr

# | Alias | Name | Enabled | Refresh

--+-----------------------------------------+----------------+---------+--------

1 | CD1 | CD1 | Yes | Yes

2 | SMT-http_xsmt11a_nts_com:SLES11-Extras | SLES11-Extras | No | Yes

3 | SMT-http_xsmt11a_nts_com:SLES11-Updates | SLES11-Updates | Yes | Yes


Reporting/Compliance Monitoring


Reporting

• To assist in compliance monitoring SMT generates weekly reports with info like

– Statistics of the registered machines and products used

– Active, expiring, or missing subscriptions

– Alerts if the number of registered machines and products exceeds the number of purchased subscriptions

• Flexible configuration options like mail recipients of reports, type of reports and attachments

• Can be in plain text, CSV, XML or PDF format

• On-demand reports


Reporting (continued)

t61srvsp2:~ # smt-report --local

Downloading Subscription information

Downloading Registration information

Subscription Report based on a local calculation

================================================

Alerts:

13 Machines use too many 'SUSE Linux Enterprise Server 10 / SUSE LINUX Enterprise Server 9' subscriptions. please log in to the Novell Customer Center (http://www.novell.com/center) and assign or purchase matching entitlements.

...

Footer

Generated on: t61srvsp2.nts.com

Site ID: 142723

SMT ID: 3aba20eea2884ea8a17c70e92bc323b3


Jobs and Client Status Monitoring


Job Queue and Client Status

• Enables

– Patchstatus reporting

– Software update and pushing

– Execution of commands, reboot, eject

• Consists of server and client side components

– Server

> Jobs - defined in the SMT database with smt-job command

> Clients patch status reporting tools

» Clients tab in YaST SMT module

» smt-client command

– Client

> smt-client package (SUSE® Linux Enterprise 11 only)


Job Queue and Client Status (continued)

• Client and SMT server communicate over SSL

• Management of client jobs is command-line based

• All clients get a persistent patch status job assigned during registration

• Jobs

– Must be assigned to individual clients specifying their GUID during creation

– Can be queried/modified/deleted after submission

– Can have a dependency on another job (parent/child relationship)


Job Queue and Client Status (continued)

• SMT-job command

– Wealth of parameters to the command

> See man smt-job

• Example of update job creation

– # smt-job --create --type update --guid <client-guid>

– # smt-job -c -t update -g <client-guid>


Job Queue and Client Status (continued)

• SMT-client command

– Examples

> smt-client

» Overview

> smt-client status -n sles11 -L /var/log/smt/smt-client.log

» Details on selected clients

• Keep in mind that Package Manager patches can hide security and other categories of patches

– This is because the client "can not see" the patches that will become applicable after updating the package manager until after it has been updated


Job Queue and Client Status (continued)

xsmt11a:~ # smt-client

.------------------------------------------------------------------------------------------.

| GUID | Hostname | Patch Status | Patch Status Date |

+----------------------------------+-------------+-------------------+---------------------+

| 7a4df09998da498b8de8f769585daea0 | xres47a | Unknown | |

| 122b33b92f7f4b62a06404156e6719fe | xres52a | Unknown | |

| 9dedbca2c3df4c04946bbf3216053a29 | xsled11a | Up-to-date | 2010-01-29 09:52:35 |

| 623a1864464e4b57a1afe8504504114b | xsles10sp3a | Unknown | |

| 1559a785c49d4289a6a79c2646b15f14 | xsles11a | Critical | 2010-01-29 10:50:59 |

| 7e5d68f953e24d0599d9eb3163e441a7 | xsles11b | Unknown | |

| c92d8213d7394cb0b7476b55e746ec64 | xsles11f | Updates available | 2010-02-03 15:11:29 |

| d16b02e6c6a04d3f878063fd0b85aaf7 | xsmt11a | Up-to-date | 2010-02-03 12:02:07 |

'----------------------------------+-------------+-------------------+---------------------'
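
One way to act on this table, as an added example that is not part of the original slides: the script parses `smt-client` output in the layout shown above, prints the `smt-job` update commands for clients that reported missing patches, and lists clients with no or old status. The function names and the cutoff date are illustrative assumptions; the sample rows are the ones on the slide.

```bash
#!/bin/sh
# Added example: triage of `smt-client` table output (layout as on the slide).
# On an SMT server, pipe real `smt-client` output into the functions instead
# of sample_table.

sample_table() {
cat <<'EOF'
| GUID                             | Hostname    | Patch Status      | Patch Status Date   |
+----------------------------------+-------------+-------------------+---------------------+
| 7a4df09998da498b8de8f769585daea0 | xres47a     | Unknown           |                     |
| 122b33b92f7f4b62a06404156e6719fe | xres52a     | Unknown           |                     |
| 9dedbca2c3df4c04946bbf3216053a29 | xsled11a    | Up-to-date        | 2010-01-29 09:52:35 |
| 623a1864464e4b57a1afe8504504114b | xsles10sp3a | Unknown           |                     |
| 1559a785c49d4289a6a79c2646b15f14 | xsles11a    | Critical          | 2010-01-29 10:50:59 |
| 7e5d68f953e24d0599d9eb3163e441a7 | xsles11b    | Unknown           |                     |
| c92d8213d7394cb0b7476b55e746ec64 | xsles11f    | Updates available | 2010-02-03 15:11:29 |
| d16b02e6c6a04d3f878063fd0b85aaf7 | xsmt11a     | Up-to-date        | 2010-02-03 12:02:07 |
EOF
}

# Emit "guid<TAB>hostname<TAB>status<TAB>date" for every data row; header and
# border lines are skipped because their first cell is not a 32-char hex GUID.
parse_clients() {
  awk -F'|' 'NF >= 5 {
    for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
    if (length($2) == 32 && $2 !~ /[^0-9a-f]/)
      printf "%s\t%s\t%s\t%s\n", $2, $3, $4, $5
  }'
}

# Clients that reported missing patches: print (do not run) one update job
# each, using the short-option form of smt-job shown on the slide.
update_job_commands() {
  parse_clients | awk -F'\t' '$3 == "Critical" || $3 == "Updates available" {
    print "smt-job -c -t update -g " $1 }'
}

# Clients with no patch status at all. "Unknown" is a visibility gap, not a
# clean result: only SLE 11 clients have the smt-client package.
unreported_hosts() {
  parse_clients | awk -F'\t' '$3 == "Unknown" || $4 == "" { print $2 }'
}

# Clients whose last report is older than the cutoff ("YYYY-MM-DD HH:MM:SS").
# Timestamps in this format sort correctly as plain strings.
stale_hosts() {
  parse_clients | awk -F'\t' -v cutoff="$1" \
    '$4 != "" && ($4 "") < (cutoff "") { print $2 }'
}

echo "== update jobs to review =="
sample_table | update_job_commands
echo "== no patch status =="
sample_table | unreported_hosts
echo "== last report before 2010-02-01 =="
sample_table | stale_hosts "2010-02-01 00:00:00"
```

Because package manager patches can hide other patches, re-run the triage after an update job completes: a client may move from "Up-to-date" back to "Critical" once its package manager has been updated.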


Job Queue and Client Status (continued)

The GUI Version


Staging


Staging

• Mirror all patches, but only publish approved ones to clients

• GUI and command-line based management

– YaST2 smt module

> Repositories and staging tabs

– smt-repos command

– smt-staging command (only for geeks)

• Management tools only fully support SUSE® Linux Enterprise 11 and newer repositories


Staging (continued)

• Repositories are mirrored to different directories depending on their staging flag

• Administrator

– Selects patches and creates a testing snapshot of these

– Redirects selected clients to testing repos

> E.g. by using execution jobs

– When patches in testing snapshot have been approved

> Create production snapshot

> Reconfigure test clients if desired


Staging (continued)

[Diagram: Novell® Customer Center; Mirror; Non-staged; Staged; Full; Testing; Production; Testing snapshot; Production snapshot; Clients]


Supportconfig Proxy


SMT Support

• SMT server can act as proxy for supportconfig archives

• supportconfig files can be uploaded to SMT server

– # supportconfig -U 'http[s]://mysmt/upload?file={tarball}' -r 12345678901

– Tarball then named nts_$SR_NUM_hostname_date_time.tbz

– Stored in /var/spool/smt-support on SMT server

• Default upload target in /etc/supportconfig.conf

– Configured with clientSetup4SMT.sh or AutoYaST post script


SMT Support (continued)

• (SMT) administrator can then

– Process supportconfig archive files

> Run Novell® Support Advisor against the uploaded files

> Add contact information to individual archives during upload

> Upload to open service requests

• Run smt-support -h to get details on options

– Upload a specific archive - e.g. :

» smt-support -u nts_SR10588349999_xsles11a_100127_0917.tbz


Mirroring Other Products/Repositories


Mirroring Other Products/Repositories

• Standard tool to distribute updates for

– In-house developed applications

– Third-party repositories

• Must be repomd based

> See Software Repositories at OpenSUSE® for details

• To enable non-interactive subscription to non-Novell® repositories (not signed by Novell)

– Place the key used to sign the repodata in repo/keys/ of SMT server

> Will be imported (prompt) during registration and clientSetup4SMT.sh

> # rpm --import <url-of-repo-signing-key>


Mirroring SUSE® Linux Enterprise 9

• Having a SLES 9 server running only for YOU?

• smt-mirror-sle9 is the answer

• Enables mirroring of

– SUSE Linux Enterprise Server 9

– Novell® Linux Desktop 9

– SUSE Linux Enterprise 9 Software Development Kit

– Novell Linux Point of Service

• Check out the deployment guide on how to optimize it


Updating Red Hat Enterprise Linux

• Red Hat Enterprise Linux Server repositories as part of the Novell® Expanded Support offering

– Novell makes selected packages available in repositories on NCC (nu.novell.com)

• Setup

– Mirror the relevant repositories on SMT server

– Install the signing-key and import it on the Red Hat servers

– Configure yum/up2date client

– Register the Red Hat servers against SMT (optional)

• TID 7004324 describes

– How to update Red Hat Enterprise Linux with SMT 11


Disconnected SMT Servers


Isolated SMT Servers

[Diagram: Open Network; Novell® Customer Center; SMT (external); Mobile disk; No network conn.; Restricted Network; SMT (internal)]


Upgrading from SMT 1.0


Upgrading SMT from 1.0

• SMT 11 is not designed to upgrade

• If SMT 11 is installed during the SUSE® Linux Enterprise Server upgrade to 11, then it minimizes the need for extra work

• Cool solution explains the procedure:

– Upgrading SMT from version 1.0 to 1.1

– Transfer settings from smt.conf to smt.conf.rpmnew and swap the files

– Kick off a mirror to update the new fields in the DB

– (Optional) create patchstatus jobs for SLE 11 clients


Tips and Tricks


Tips and Tricks

• Patches get mirrored, but are not visible to the clients

– Check if staging is involved

• Disaster recovery

– Plan and survive - see TID 7004986

• If deploying multiple SMT servers

– Repositories can be preloaded

• http://forums.novell.com → SUSE® Linux Enterprise Server → Updates

• SMT Master TID 7005002

– Links to what is known of good stuff


The End

• This was a lot of details about SMT

• Many cool features

• But deployment can be really simple:

– Install it

– Find and enter your mirror credentials

– Mirror the repositories you need

– Configure the clients

– Voila !

• And remember : SMT is FREE of charge !
