Monitoring with SUSE Manager 4
SUSE® Manager 4 is a best-in-class, open source infrastructure management solution that lowers costs, enhances availability and reduces complexity for lifecycle management of Linux systems in large, complex and dynamic IT landscapes. You can use SUSE® Manager to configure, deploy and administer thousands of Linux systems running on hypervisors, as containers, on bare metal systems, IoT devices and third-party cloud platforms. SUSE® Manager also allows you to easily monitor your entire deployment of systems, across locations.
Why Monitor Your Systems?
One of a system administrator’s most challenging tasks is keeping tabs on every system in the company. When a company’s IT landscape is multi-tenant and multi-region, that task becomes exponentially more difficult. That’s where a monitor becomes a must-have tool. With the right monitor, an administrator will always be on top of their systems.
SUSE® Manager 4 includes powerful monitoring options (available as an add-on for an additional fee), including the ability to install two additional monitoring and visualization tools: Prometheus (for monitoring) and Grafana (for visualization). These tools add real-time monitoring capability to the SUSE® Manager 4 system. On top of that, you can monitor a number of other events and system states found within the SUSE® Manager 4 framework.
Some of the most basic monitoring you’ll find is on the SUSE® Manager 4 Overview page. Here (Figure 1), you’ll find a dashboard that gives you immediate access to information like Tasks, Most Critical Systems, Recently Scheduled Actions, Relevant Security Patches, System Groups and Recently Registered Systems.
Figure 1: The SUSE® Manager 4 Overview page.
The Overview page should be one of the first pages the SUSE® Manager 4 administrator looks at. It is also possible to configure what you see on the Overview (or “Start”) page. To do this, log into SUSE® Manager 4 and go to Home | My Preferences. In this new window (Figure 2), you can enable or disable various options (such as receiving email/taskomatic notifications, the types of information shown on the Overview page, the time zone and the CSV file data delimiter).
Figure 2: The Overview configuration options page.
Set the SUSE® Manager 4 Overview as your web browser’s home page, and you’ll always be on top of what’s going on with your systems.
Patch and Event Alerts
Alerts are one of the first lines of defense with SUSE® Manager 4. You can configure alerts to be sent to a specific email address, so you are notified when patches relevant to your systems are released. You can also receive daily emails summarizing events that have occurred on your systems.
Knowing when patches are made available is crucial to keeping your systems up to date. This is especially true when security patches are ready. When a vulnerability is discovered, you don’t want to hold off on patching affected systems; otherwise, they could be compromised.
The first thing you’ll want to do is configure an email address to which those alerts are to be sent. For that, log into SUSE® Manager 4 and go to Home | User Account | My Account. In the resulting window (Figure 3), configure the email address to be used.
Figure 3: Configuring the email to be used for alerts.
Once you’ve configured this email address, make sure you have access to incoming email on desktop, laptop and mobile devices. As a busy administrator, you want to have 24/7 access to those alerts, no matter where you are.
One form of monitoring you should put at the top of your list is running Common Vulnerabilities and Exposures (CVE) scans. A scan checks all of your servers and images for CVE issues and reports back to you if any of them are affected.
This does require you to stay current on CVEs. For example, you could get your vulnerability information from the Published SUSE Security Advisories or Linux Kernel CVEs. Wherever you get your information about CVEs, you’ll want to know the CVE number for a particular vulnerability. With that number in hand, log into your SUSE® Manager 4 instance and go to Audit | CVE Audit. In the resulting window (Figure 4), select the date of the CVE from the drop-down and then enter the CVE number in the text area to the right. Click the Audit Servers button to scan your systems, or click Audit Images to scan the images used to deploy systems.
Figure 4: Scanning for known CVE vulnerabilities.
If any CVE issues are found in any of your deployed servers, they’ll be listed in the window’s main pane. You’ll see either No action required or a warning to install a specific patch on the affected system. Click the patch number listed, select the affected system (Figure 5) and click Apply Patches.
Figure 5: Applying a patch to a specific system.
And that’s all there is to monitoring for and patching specific CVE vulnerabilities.
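The same audit can be scripted and its result sorted into a work list. The following Python code is an added example, not part of the original paper or SUSE's own code; it assumes the SUSE Manager XML-RPC API at https://SERVER/rpc/api with its auth.login, auth.logout and audit.listSystemsByPatchStatus methods. The patch_status labels and field names should be checked against the API documentation for your version, and the sample rows and CVE placeholder are constructed.

```python
import xmlrpc.client


def fetch_audit(server, user, password, cve):
    """Ask SUSE Manager which systems a CVE affects (needs network access)."""
    client = xmlrpc.client.ServerProxy(f"https://{server}/rpc/api")
    key = client.auth.login(user, password)
    try:
        return client.audit.listSystemsByPatchStatus(key, cve)
    finally:
        client.auth.logout(key)  # do not leave the session key valid


def triage(rows):
    """Return (system_id, action, advisories) for affected systems only.

    Systems whose patch is already in a subscribed channel sort first,
    because they can be fixed immediately with Apply Patches.
    """
    todo = []
    for row in rows:
        status = row["patch_status"]
        if not status.startswith("AFFECTED"):
            continue  # PATCHED and NOT_AFFECTED need no action
        # Assumption: *_INAPPLICABLE means the patch sits in an unassigned channel.
        if "INAPPLICABLE" in status:
            action = "subscribe channel, then patch"
        else:
            action = "apply patch"
        advisories = sorted(row.get("errata_advisories", []))
        todo.append((row["system_id"], action, advisories))
    return sorted(todo, key=lambda t: (t[1] != "apply patch", t[0]))


# Constructed rows in the shape the API returns; IDs and advisories are made up.
SAMPLE_ROWS = [
    {"system_id": 1000010003, "patch_status": "PATCHED",
     "channel_labels": [], "errata_advisories": []},
    {"system_id": 1000010002, "patch_status": "AFFECTED_PATCH_INAPPLICABLE",
     "channel_labels": ["example-updates"], "errata_advisories": ["EXAMPLE-2"]},
    {"system_id": 1000010001, "patch_status": "AFFECTED_PATCH_APPLICABLE",
     "channel_labels": ["example-updates"], "errata_advisories": ["EXAMPLE-1"]},
    {"system_id": 1000010004, "patch_status": "NOT_AFFECTED",
     "channel_labels": [], "errata_advisories": []},
]

if __name__ == "__main__":
    # Offline demo; on a real server pass the result of
    # fetch_audit("SERVER", "APIUSER", "PASSWORD", "CVE-YYYY-NNNN") instead.
    for system_id, action, advisories in triage(SAMPLE_ROWS):
        print(system_id, action, ", ".join(advisories))
```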
You can monitor your SUSE® Manager 4 environment using Prometheus. SUSE® Manager Server and Proxy are able to provide self-health metrics. Server and Proxy can also install and manage a number of Prometheus exporters on Salt clients. Prometheus is an open source monitoring tool used to record real-time metrics in such a way that allows for higher performance and scalability. Prometheus fetches metrics using a pull mechanism, so the server must be able to establish network communications to monitored clients. Clients must have an open port and be reachable on the network.
To take advantage of Prometheus, you must first install it. Prometheus can be installed on any SLES instance with the command:
zypper in golang-github-prometheus-prometheus
Prometheus can also be installed via the SUSE® Manager 4 GUI (Figure 6).
Figure 6: Installing Prometheus via the SUSE® Manager GUI.
By installing Prometheus via the SUSE® Manager GUI, you are able to create a formula to deploy a particular Prometheus package to any system.
Once installed, you must enable the service with the command:
systemctl enable --now prometheus
Once installed and enabled, you are ready to configure and enable Prometheus-based self-monitoring within SUSE® Manager 4: Log into SUSE® Manager and go to Admin | Manager Configuration | Monitoring. Click Enable services (Figure 7) and wait for the services to be enabled.
Figure 7: Once the services are enabled, the button will be listed as Disable services.
Once you have monitoring enabled, you can then configure monitoring formulas by following these steps:
- Log into SUSE® Manager 4 Web UI and locate/open the details page of the system to be monitored.
- Navigate to the Formulas tab.
- Select the Monitoring checkbox to enable all monitoring formulas (Figure 8), and activate the Prometheus exporters if this is a client system.
- Continue filling in the formula and then apply the highstate.
Figure 8: Configuring monitor formulas for a system.
Next you must configure the exporters with the following steps:
- In the SUSE® Manager Web UI, open the details page of the system to be monitored, and navigate to Formulas | Prometheus Exporters.
- Check the Enabled checkbox for both Node and Postgres Exporter (Figure 9). Make sure to only activate the exporters that you need (for example, if there is no Postgres database, you won’t need to activate the Postgres exporter).
- In the Postgres Exporter section, in the Data Source Name field, enter the path to your data source (for example, postgresql://user:passwd@localhost:5432/database?sslmode=disable).
- Click Save Formula.
- Apply the highstate.
Figure 9: Configuring the Prometheus exporter.
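The Data Source Name carries the database credentials, and sslmode=disable only fits a database on the same host as the exporter, as in the localhost example above. The following check is an added example, not part of the original paper or SUSE's tooling; the function names and every sample DSN other than the page's own are constructed.

```python
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit


def is_local(host):
    """True for an empty host (local socket), 'localhost' or a loopback IP."""
    if not host or host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:  # a DNS name other than localhost
        return False


def check_dsn(dsn):
    """Return a list of findings for a postgresql:// Data Source Name."""
    url = urlsplit(dsn)
    if url.scheme not in ("postgres", "postgresql"):
        return ["not a postgresql:// URL"]
    findings = []
    sslmode = parse_qs(url.query).get("sslmode", [None])[-1]
    local = is_local(url.hostname)
    if url.password:
        # The secret is stored wherever the DSN is saved; use a dedicated,
        # read-only monitoring role so a leak exposes as little as possible.
        findings.append("password embedded in DSN")
    if sslmode == "disable" and not local:
        findings.append("sslmode=disable to remote host: cleartext on the wire")
    elif sslmode == "require" and not local:
        findings.append("sslmode=require: encrypted, certificate check not guaranteed")
    return findings


if __name__ == "__main__":
    samples = [
        # The page's own example: loopback, so only the password is flagged.
        "postgresql://user:passwd@localhost:5432/database?sslmode=disable",
        # Constructed: same settings pointed at a remote database host.
        "postgresql://user:passwd@db.example.internal:5432/database?sslmode=disable",
        # Constructed: verified TLS, no password in the URL.
        "postgresql://exporter@db.example.internal:5432/database?sslmode=verify-full",
    ]
    for dsn in samples:
        print(dsn, "->", check_dsn(dsn) or "ok")
```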
Finally, open the Prometheus static configuration file /etc/prometheus/prometheus.yml and add or update the following section:
Where SERVER is the IP address or domain of your SUSE® Manager server, and APIUSER and PASSWORD match your authentication information. Save and close the file and then restart Prometheus with the command:
systemctl restart prometheus
Of course, you will also have to do a bit of heavy lifting with the Prometheus configuration. For this, make sure to read the official Prometheus documentation.
Prometheus metrics exporters can also be used on Salt clients. The packages are available from the SUSE® Manager 4 client tools channels and can be enabled and configured directly in the SUSE® Manager 4 Web UI. Currently, only two exporters are supported:
- Node exporter: golang-github-prometheus-node_exporter. See https://github.com/prometheus/node_exporter.
- PostgreSQL exporter: golang-github-wrouesnel-postgres_exporter. See https://github.com/wrouesnel/postgres_exporter.
Installing and configuring exporters is done using a Salt formula. When you have the exporters installed and configured, you can begin using Prometheus to scrape metrics from monitored systems. Service discovery instructs Prometheus to automatically scrape metrics from systems as they are enabled.
The one thing we haven’t mentioned yet is the monitoring of the SUSE® Manager 4 server itself. Fortunately, there’s an application for that in Grafana. Grafana is an open source tool that allows you to visualize data from a number of services (such as Graphite, MySQL, InfluxDB, Prometheus, Elasticsearch and CloudWatch). With this tool, you can customize your dashboard such that it will keep tabs on your SUSE® Manager 4 server.
Grafana must first be installed. On smaller setups, Grafana can be installed on the same server as Prometheus. On larger rollouts, it should be deployed to its own server. It is possible to install Grafana with the command:
zypper in grafana
The best practice, however, is to install Grafana via the SUSE® Manager GUI.
Once installed, start and enable the service with the command:
systemctl enable --now grafana-server
You can then reach Grafana at http://SERVER:3000 (where SERVER is either the domain or IP address of the hosting server). During the creation of the Grafana formula, a new data source will be automatically configured (which would point to the Prometheus server at port 9090). With this configuration complete, you should start seeing real-time data for your SUSE® Manager 4 server (Figure 10).
Figure 10: Grafana monitoring SUSE® Manager 4 by way of Prometheus.
With everything in place, you now have the means to monitor all of the servers and patches deployed by SUSE® Manager 4, as well as the SUSE® Manager 4 server itself, all from within your web browser. That’s power. That’s the SUSE way.