This SUSE product includes materials licensed to SUSE under the GNU General Public License (GPL). The GPL requires that SUSE makes available certain source code that corresponds to the GPL-licensed material. The source code is available for download.

For up to three years after SUSE’s distribution of the SUSE product, SUSE will mail a copy of the source code upon request. Requests should be sent by e-mail or as otherwise instructed here. SUSE may charge a fee to recover reasonable costs of distribution.

Version Revision History

  • August 28th, 2020: 4.1.1 release

  • July 21st, 2020: 4.1.0 release

About SUSE Manager 4.1

SUSE Manager 4.1, the latest release from SUSE, delivers a best-in-class open source infrastructure management and automation solution that lowers costs, identifies risk, enhances availability and reduces complexity.

As a key component of a software-defined infrastructure, SUSE Manager 4.1 delivers the following new or enhanced capabilities to your Edge, Cloud & Datacenter environments:

Expanded Operating System support and Cluster integration and management

Simplify management and regain control with SUSE Manager 4.1

You can now get even better control of complex heterogeneous IT environments with extended target operating system support now including: Red Hat Enterprise Linux 8 (including modular repositories flattening), CentOS 6, 7 and 8, Oracle Linux 6, 7 and 8, openSUSE Leap 15.2 and Ubuntu 20.04 LTS.

Only SUSE Manager combines software content lifecycle management (CLM) with a centrally staged repository, class leading configuration management and automation, plus optional state of the art monitoring capabilities, for all major Linux distributions.

You can also significantly simplify your patch and configuration management stacks by standardizing on SUSE Manager across all Linux distributions and deployment modes (physical, virtual, and public cloud).

Simplify cluster operations with the first cluster-aware version of SUSE Manager

As you modernize your IT landscape and make use of Software Defined Infrastructure stacks based on technologies like Kubernetes and Ceph, your focus of managing the IT infrastructure has to move from managing individual Linux servers and VMs to managing infrastructure clusters. Multiple cluster types will be supported in coming releases, with SUSE Manager 4.1 initially providing support for managing SUSE CaaS Platform clusters.

Lower costs and streamline management with enhanced usability, virtual machine management and monitoring capabilities

Operations and DevOps staff can now streamline the setup, daily use and maintenance of SUSE Manager simplifying and automating routine tasks; such as the mass on boarding of rootless or password-less clients.

With enhanced virtual machine management capabilities the management of highly distributed virtualized server infrastructures becomes a lot easier. If you run virtual machine environments at the edge such as telco, manufacturing or retail, SUSE Manager now enables the efficient management of tens to thousands of VMs across an entire estate.

If you run SAP workloads virtualized on SLES, with SUSE Manager 4.1 you can eliminate complexity and simplify deployments by reducing the number of vendors in your software defined infrastructure management stack (OS, virtualization and virtualization management and monitoring all come from SUSE). SUSE Manager also significantly simplifies your environments where the frequent setup of virtualized test deployments of SAP workloads are required.

Need to virtualize Kubernetes to best leverage your powerful hardware? You can accelerate and maximize implementations by gaining higher scale from your container platform while simplifying deployments (no need for separate VMware layer, high automation from bare metal deployment to VMs to cluster). You can now also use virtualization to securely separate multiple clusters/tenants in a Kubernetes environment.

To keep your infrastructure safe and healthy SUSE Manager 4.1 expands the new Prometheus/Grafana-based monitoring stack introduced with version SUSE Manager 4 with enhanced support for large federated and non-routable network environments. Allowing your Linux systems and devices to be monitored wherever they reside and irrespective of how they are network connected.

Scale SUSE Manager 4.1 to tens of thousands of client devices without compromise

With ever growing Linux footprints you need your management tool be able to scale to tens of thousands of Linux devices and beyond. With the performance and scalability enhancements in 4.1, your SUSE Manager deployment can easily scale in your environment in any direction, while providing better performance than any previous version even in very large-scale environments.

This allows you the flexibility to grow your infrastructure as required by your business needs, with the peace of mind that SUSE Manager will be able to manage your large estate, and the cost implications of growing their footprint will not be exaggeratedly high.

With the “SUSE Manager Hub – Tech Preview” multi-server architecture we are gradually introducing a framework that allows for scaling SUSE Manager deployments to the hundreds of thousands of nodes with tiered management servers.

Keep Informed

You can stay up-to-date regarding information about SUSE Manager and SUSE products:



SUSE Manager Server 4.1 is provided through SUSE Customer Center and can be installed with the unified installer for SUSE Linux Enterprise 15 Service Pack 2. It is available for x86-64, POWER (ppc64le), or IBM Z (s390x). No separate SUSE Linux Enterprise subscription is required.

With the adoption of a unified installer in SUSE Linux Enterprise 15, system roles are used to customize the installation for each product. The unified installer provides an easier way to install the operating system and the SUSE Manager Server application together with specific pre-configured system settings. This addresses the need for enterprise deployments to standardize on the base operating system as well as on specific storage setups.

PostgreSQL is the only supported database. Using a remote PostgreSQL database is not supported.

Update from previous versions of SUSE Manager Server

In-place update from SUSE Manager Server 4.0 is supported.

For SUSE Manager 3.2 Server users, the supported upgrade method is to migrate the data from your SUSE Manager Server 3.2 installation to SUSE Manager Server 4.1 and perform a clean installation. If your SUSE Manager Server 3.2 uses an older version of PostgreSQL, you will need to upgrade to PostgreSQL 10 before performing the migration.

All connected clients will continue to run and remain unchanged.

For detailed upgrading instructions, see the Upgrade Guide on

Migrating from Red Hat Satellite

Migrating from Red Hat Satellite 5.x or Spacewalk 2.x to SUSE Manager Server 4.1 is conditionally supported.

To perform this migration, we strongly recommend you get in contact with a SUSE sales engineer or consultant before starting the migration.

Scaling SUSE Manager

The default configuration of SUSE Manager will scale around one thousand clients, when deployed according to the instructions in the Installation Guide on Scaling beyond that number needs special consideration.

For more information and instructions on large-scale deployments, see the Large Deployments Guide.

Before you begin, you should always get advice from a SUSE partner, sales engineer, or consultant.

Channels with a large number of packages

Some channels, like SUSE Linux Enterprise Server with Expanded Support or Red Hat Enterprise Linux, come with a very large number of packages that may cause taskomatic to run out of memory. If this occurs, we recommended that you increase the maximum amount of memory allowed for taskomatic by editing /etc/rhn/rhn.conf and adding this line:

You will need to restart taskomatic after this change.

This grants taskomatic up to 8 GB of memory (up from the default of 4 GB). If taskomatic continues to run out of memory, you can increase the number further. However, keep in mind that this will affect the total memory required by SUSE Manager Server.

Major changes since SUSE Manager Server 4.1 GA

Features and changes

Version 4.1.1

Maintenance windows

The new Maintenance windows feature allows you to schedule sensitive actions (like package installation or upgrade) to occur during a scheduled one-time or recurrent maintenance window period on selected systems. These actions are forbidden to be executed outside of the specified period.

To define Maintenance windows, an iCalendar data is used, which can be exported from your favorite calendaring tool (Microsoft Outlook, KDE Organizer, Google Calendar…​).

For more information about about Maintenance windows check the Administration Guide

Monitoring reverse proxies

Prometheus fetches metrics using a pull mechanism, so the server must be able to establish TCP connections to each exporter on the monitored clients.

The new monitoring reverse proxies feature allows you to simplify your firewall configuration, by installing the reverse proxy on the clients you can get all the metrics for all the exporters on a single TCP port.

Check the Monitoring Guide for information about how to setup.

Monitoring reverse proxies are only available for SLE15 and openSUSE Leap 15 families of products, and not yet available for other operating system platforms like Red Hat Enterprise Linux or Ubuntu.

Support for other operating system platforms will come in future releases of SUSE Manager 4.1.

Added new type of "Virtual Host Manager": Nutanix AHV

In SUSE Manager 4.1.1, we have added a new type of Virtual Host Manager in order to gather virtual machines from Nutanix AHV infrastructure.

Creating VHM to gather virtual instances from the Nutanix AHV will enable the subscription matcher to match 1-2 virtual machines subscriptions for those instances that are running on the same virtualization host.

For more information about how to setup this new type, see the new documentation

Please keep in mind that installation of the virtual-host-gatherer-Nutanix package is required.

Salt compatibility state

A new mgrcompat.module_run custom compatibility state for Salt is available for registered systems.

In Salt 2019.2, a new syntax for was introduced. Up until Salt 3000 (the version currently shipped by SUSE Manager), Salt has supported both the old syntax and the new syntax.

From Salt 3001 on, Salt will no longer support the old syntax. This means any custom SLS file or "Configuration State Channel" that is using a state needs to be adapted to the new syntax. This turns even more problematic when you have minions with different Salt versions (e. g. SLES 11 with Salt 2016.11), because some minions would accept the new syntax but others would fail with it, so the SLS files would require extra logic to handle the different Salt versions and configurations.

SUSE Manager will ship Salt 3001 in a future release. In preparation for this syntax breakage, SUSE has developed the new mgrcompat.module_run compatibility state. This is a wrapper over which accepts the old syntax and takes care of tailoring the parameters for the new if necesasary according to the specific minion version and configuration.

To make your Salt states compatible with all versions of Salt, including Salt 3001 and newer, you only need to change to mgrcompat.module_run in your SLS files and "Configuration State Channels".

As an example of this, a non-migrated state like this:

    - name: mymodule.func
    - m_name: foobar
    - other: 1234

would look like this once adapted:

    - name: mymodule.func
    - m_name: foobar
    - other: 1234

All users are encouraged to migrate their Salt states. Once Salt 3001 comes to SUSE Manager, not migrated states will simply fail.

SLE15 and python3-M2Crypto

If you still have SLE15 but no LTSS subscription, you will see errors when generating the bootstrap repositories, as python3-M2Crypto is missing on SLE15 and is only part of SLE15 LTTSS.

However even with the error, the bootstrap repository itself will work and will provide salt 2019.2.0 until a LTSS subscription is available.


The SUSE Patch Finder is a simple online service to view released patches.

Version 4.1.1



  • Allow image-sync state on regular minion. Image sync state requires branch-network pillars to get the directory where to sync images. Use default /srv/saltboot if that pillar is missing so image-sync can be applied on non branch minions as well.


  • Remove unnecessary array wrap in 'list_modules' response object


  • Move uyuni-base-common dependency from mgr-osad to mgr-osa-dispatcher (bsc#1174405)


  • Add hint that ssl certs must be on system (bsc#1172279)


  • Add Recommends for golang-github-QubitProducts-exporter_exporter


  • Bugfix: Handle exporters proxy for unsupported distros (bsc#1175555)

  • Add support for exporters proxy (exporter_exporter)


  • Rollback the workaround for bsc#1172807, as dracut is now fixed




  • Take care of SCC auth tokens on DEB repos GPG checks (bsc#1175485)

  • Use spacewalk keyring for GPG checks on DEB repos (bsc#1175485)

  • Adds basic functionality for gpg check

  • Verify GPG signature of Ubuntu/Debian repository metadata (Release file)


  • Implement Maintenance Windows

  • Fix typo on spacewalk-branding license



  • use media.1/products from media when not specified different (bsc#1175558)

  • Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

  • Fix error when rolling back a system to a snapshot (bsc#1173997)

  • Implement maintenance windows backend

  • Add check for maintainence window during executing recurring actions

  • Implement maintenance windows in struts

  • XMLRPC: Assign/retract maintenance schedule to/from systems

  • Fix softwarechannel update for vendor channels (bsc#1172709)

  • Avoid deadlock when syncing channels and registering minions at the same time (bsc#1173566)

  • Change system list header text to something better (bsc#1173982)

  • Set CPU and memory info for virtual instances (bsc#1170244)

  • Add virtual network Start, Stop and Delete actions

  • Add virtual network list page

  • Fix httpcomponents and gson jar symlinks (bsc#1174229)

  • Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)

  • Provide comps.xml and modules.yaml when using onlinerepo for kickstart

  • Refresh virtualization pages only on events

  • Fix up2date detection on RH8 when salt-minion is used for registration

  • Improve performance of the System Groups page with many clients (bsc#1172839)

  • Include number of non-patch package updates to non-critical update counts in system group pages (bsc#1170468)

  • Bump XMLRPC API version number to distinguish from Spacewalk 2.10

  • Cluster UI: return to overview page after scheduling actions

  • Fix NPE on auto installation when no kernel options are given (bsc#1173932)

  • Fix issue with disabling self_update for autoyast autoupgrade (bsc#1170654)

  • Adapt expectations for jobs return events after switching Salt states to use 'mgrcompat.module_run' state.


  • Add aarch64 for openSUSE Leap 15.1 and 15.2


  • Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

  • Fix JS linting errors/warnings

  • Enable Nutanix AHV virtual host gatherer.

  • Web UI: Implement managing maintenance schedules and calendars

  • Warn when a system is in multiple groups that configure the same formula in the system formula’s UI (bsc#1173554)

  • Add virtual network start, stop and delete actions

  • Add virtual network list page

  • Fix internal server error when creating module filters in CLM (bsc#1174325)

  • Fix VM creation page when there is no volume in the default storage pool

  • Refresh virtualization pages only on events

  • Product list in the Wizard doesn’t show SLE products first (bsc#1173522)

  • Cluster UI: return to overview page after scheduling actions

  • Changes in the logic to update the tick icon.

  • For the postgres localhost:5432 case, use the

  • Fix internal server errors by returning 0 instead of dying

  • Add missing dependency to spacewalk-base-minimal (bsc#678126)

  • Change kickstart to autoinstallation in navigation on pxt pages

  • Debranding


  • Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)


  • Migrate all occurrences of kickstart to autoinstall in cobbler database (bsc#1169780)

  • Define bootstrap repo data for SUSE Manager Proxies (bsc#1174470)

  • Add SLE 15 LTSS Product ID to SLE15 bootstrap repositories, as it is required to get python3-M2crypto (bsc#1174167)


  • Ubuntu clients using the CLI in SUMA (bsc#1174025)

  • Left navigation structure cleaned up

  • Fixed several broken xrefs

  • Added hostname admonition for public cloud sections

  • Clarified Branch Proxy configuration instructions

  • Fixed index page pdf links, urls were 1 step to deep

  • SUSECOM 2020 branding update

  • PDF 2020 branding update

  • WEBUI 2020 branding update

  • Added maintenance window documentation

  • Added SLE client chapter

  • Added 508 compliance

  • Added reverse proxy information to Monitoring in Admin Guide

  • Add note about accessibility to index

  • In the Upgrade Guide, use Major, Minor, and Patch Level terminology for versioning.

  • Added docs for nutanix VHM


  • Ubuntu clients using the CLI in SUMA (bsc#1174025)

  • Left navigation structure cleaned up

  • Fixed several broken xrefs

  • Added hostname admonition for public cloud sections

  • Clarified Branch Proxy configuration instructions

  • Fixed index page pdf links, urls were 1 step to deep

  • SUSECOM 2020 branding update

  • PDF 2020 branding update

  • WEBUI 2020 branding update

  • Added maintenance window documentation

  • Added SLE client chapter

  • Added 508 compliance

  • Added reverse proxy information to Monitoring in Admin Guide

  • Add note about accessibility to index

  • In the Upgrade Guide, use Major, Minor, and Patch Level terminology for versioning.

  • Added docs for nutanix VHM


  • Upgrade jquery to 3.5.1 - CVE-2020-11022 (bsc#1172831)


  • Add new states and types for virtual instances in order to support Nutanix AHV.

  • Implement Maintenance Windows

  • Add virtual network state change action

  • Internal fixes to avoid problems with the idempotency tests


  • Fix the dnf plugin to add the token to the HTTP header (bsc#1175724)

  • Fix: supply a dnf base when dealing w/repos (bsc#1172504)

  • Fix: autorefresh in repos is zypper-only

  • Add virtual network state change state to handle start, stop and delete

  • Add virtual network state change state to handle start and stop

  • Fetch oracle-release when looking for RedHat Product Info (bsc#1173584)

  • Force a refresh after deleting a virtual storage volume

  • Prevent stuck Hardware Refresh actions on Salt 2016.11.10 based SSH minions (bsc#1173169)

  • Require PyYAML version >= 5.1

  • Log out of Docker registries after image build (bsc#1165572)

  • Prevent "" deprecation warnings by using custom mgrcompat module


  • Remove version from centos and oracle linux identifier (bsc#1173584)


  • Fix issues importing RPM packages with long RPM headers (bsc#1174965)


  • Add new gatherer module for Nutanix AHV.


  • Ensure kernel-default and libvirt-python3 are installed

  • Set bridge network as default

  • Fix conditionals (bsc#1175791)


  • Update to version 0.0.1+git.1595952633.b300be2:

    • pillar: install always kernel-default

    • chroot: python3-base is now a capability

    • Move systemctl calls inside chroot

    • Network: initial work for network declaration

    • MicroOS: Remove tmp subvolume

    • Update format following the new standard

    • Fix __mount_device wrapper

Major changes since SUSE Manager Server 4.0

New SUSE branding

The SUSE Manager 4.1 WebUI and documentation have been refreshed with the new SUSE branding guidelines, as published in the SUSE Brand website and SUSE EOS Design System.

The new theme is lighter and gives a bit more of free space between elements for better readability.

New products enabled

  • SUSE Linux Enterprise Real Time 12 SP5

  • SUSE Linux Enterprise 15 SP2 family

  • openSUSE Leap 15.2

  • MicroFocus Open Enterprise Server 2018 SP2

  • CentOS 6, 7, and 8

  • Oracle Linux 6, 7 and 8

  • Ubuntu 20.04 LTS


Starting with SUSE Manager 4.1, CentOS is supported as a client and shows in the product tree in the WebUI.

If you were using CentOS via spacewalk-common-channels, you will need to delete your existing channels, synchronize the channel information from SCC, and reassign the channels to the clients.

Oracle Linux

Starting with SUSE Manager 4.1, Oracle Linux is supported as a client and shows in the product tree in the WebUI.

Ubuntu 20.04 LTS

The Ubuntu 20.04 LTS product is now managed as a vendor channel and repository URLs (but not packages or metadata) come from SCC directly, so there is no need to use spacewalk-common-channels or manually add the repository URLs.

Ubuntu 18.04 LTS and 16.04 LTS still require manually adding the repository URLs via the WebUI or spacewalk-common-channels.

Cluster Management

As you modernize your IT landscape and make use of Software Defined Infrastructure stacks based on technologies like Kubernetes and Ceph, your focus of managing the IT infrastructure has to move from managing individual Linux servers and VMs to managing infrastructure clusters. Multiple cluster types will be supported in coming releases, with SUSE Manager 4.1 initially providing support for SUSE CaaSP.

Computing is increasingly being a more complex architecure: redundant servers, scale out, high-availability, etc where you deploy different kinds of clusters, such as SUSE CaaS Platform, SUSE Enterprise Storage or SAP. Managing those as a whole piece of infrastructure instead of as discrete nodes puts you in charge.

SUSE Manager 4.1 implements cluster management of SUSE CaaS Platform 4.x clusters. SUSE Manager works hand-in-hand with CaaS Platform to make sure that all cluster operations are issued properly.

The following actions are currently supported:
  • Register an existing cluster to SUSE Manager

  • Add or remove nodes to the cluster

  • Promote SLES system to managing node

  • Upgrade the cluster

Deployment of CaaS Platform clusters from scratch will be supported in an upcoming version of SUSE Manager.

Recurring highstate scheduling

You can schedule automated recurring highstate actions for Salt clients.

Recurring highstate actions apply the highstate to clients on a specified schedule. You can apply recurring action to individual clients, to all clients in a system group, or to an entire organization. The Recurring Actions section in the Administration Guide contains all the details for this feature.

More improvements in regards to automation will be coming in subsequent releases of SUSE Manager, including maintenance windows and patch automation.

Monitoring enhancements


The new version of the Prometheus formula allows configuring federation and pulling relevant metrics from Prometheus instances to provide a global monitoring view. This configuration is useful for a number of cases, such as:

  • Remote sites, each one with its own Prometheus server

  • Collecting monitoring data from multiple applications, each one of them providing its own Prometheus server (e. g. multiple SUSE products: SUSE Manager, CaaSP, SES, HA)

The combined data can then be visualized using Grafana.

Note that suitable recording rules have to be configured on the Prometheus instances (for example at CaaSP Prometheus instances). For more information about Prometheus federation, check the official documentation.

Pre-configured default alerting rules

A default set of alerting rules have been added to monitor the Prometheus instances themselves (meta-monitoring) and the availability of configured targets. These rules can be changed in the WebUI.

CaaSP dashboards

Specific Grafana dashboards for SUSE Container as a Service Platform have been integrated and can be deployed via the WebUI.

Updated Grafana and Prometheus

Grafana has been updated to version 7.0.3 and Prometheus to version 2.18.

Updated Node Exporter

The Prometheus Node Exporter has been updated to version 0.18.1.

All the changes can be found in the changelog for the package, or upstream (changelog for 0.18.0 and 0.18.1).

The new version includes some breaking changes:

  • Renamed interface label to device in netclass collector for consistency with other network metrics

  • The cpufreq metrics now separate the cpufreq and scaling data based on what the driver provides

  • The labels for the network_up metric have changed

  • Bonding collector now uses mii_status instead of operstatus

  • Several systemd metrics have been turned off by default to improve performance. These include unit_tasks_current, unit_tasks_max, service_restart_total, and unit_start_time_seconds

  • The systemd collector blacklist now includes automount, device, mount, and slice units by default

Virtual storage pool support

Virtual machine disks are stored in storage pools. Previously, SUSE Manager could only list storage pools.

With SUSE Manager 4.1, it is now possible to create, edit, start, stop, refresh, and delete storage pools. This is available from the WebUI, or through Salt states.

Performance improvements


Repository syncing has been optimized to perform in less time with respect to past versions. The performance improvement could be up to 6 times faster, depending on the hardware setup (specifically CPUs and network bandwidth) and number of packages.

Content Lifecycle Magement

Content Lifecycle Management has been optimized, with basic operations (build, promotion) up to two orders of magnitude faster and a quicker UI loading in installations with many channels and organizations.

Prometheus Service Discovery

Thanks to a number of enhancements and optimizations, Prometheus Service Discovery is now 10 times faster, on average, than it was in SUSE Manager 4.0.


Automatic generation of bootstrap repositories

A bootstrap repository contains packages for installing Salt on clients, as well as the required packages for registering Salt or traditional clients during bootstrapping.

In SUSE Manager 4.0 and earlier, bootstrap repository creation was a manual step, using the mgr-create-bootstrap-repo tool.

In SUSE Manager 4.1, bootstrap repositories are automatically created and regenerated on the SUSE Manager Server after a product is synchronized (and all mandatory channels have been fully mirrored).

More details, including how to revert to manual invocation, are available from the Client Configuration Guide.

Automatic database schema migrations and fail-over mechanism

Database schema upgrades are now applied automatically during services startup, so there is no need to call spacewalk-schema-upgrade manually. To prevent SUSE Manager services from starting if the schema upgrade has not successfully completed, a fail-over security mechanism has been implemented.

In case the database migration has not finished, or if it finishes with an error:

  • The spacewalk-service start command fails, and information is provided about the error.

  • No services will start, including the Apache service. This means the WebUI will also be unavailable.

Third-party GPG keys now included

Enabling verification of non-SUSE product metadata used to require manual acceptance, and sometimes even manual installation, of the third-party keys for products available from the product tree. Alternatively, an option to not verify the GPG key signature was there.

In addition to SUSE’s, SUSE Manager 4.1 now includes the GPG keys used to sign packages and/or metadata by other vendors whose products are available in the product tree in the WebUI:

  • openSUSE

  • CentOS

  • Oracle Linux

  • Ubuntu

  • MicroFocus Open Enterprise Server

Manual acceptance of those keys is no longer required for GPG signature verification for those products to work.

Manual acceptance of GPG keys for any other product or repository is still required for security reasons.

Onboarding of clients with SSH keys

In SUSE Manager 4.0, password authentication was the only authentication type available to bootstrap clients from the Server.

SUSE Manager 4.1 introduces a new SSH private key authentication method, including use of a passphrase on the private key. This is specially useful on the public cloud, where images prefer to authenticate with SSH instead of user and password.

To protect your security, the private key is only stored on the SUSE Manager Server during the bootstrap procedure and removed immediately after bootstrapping is complete, therefore the private key must be provided for each bootstrap.

From the API, the new method bootstrapWithPrivateSshKey in the namespace system is documented in the API Documentation.

You can use this example by adjusting the client, keyfile, passphrase, MANAGER_URL, MANAGER_LOGIN and MANAGER_PASSWORD according to your environment:

import xmlrpclib

client = ''
keyfile = '/path/to/priv/key'
passphrase = '' # empty string = no passphrase

conn = xmlrpclib.Server(MANAGER_URL, verbose=0)
key = conn.auth.login(MANAGER_LOGIN, MANAGER_PASSWORD)

with open(keyfile, 'r') as file:
  data =
  conn.system.bootstrapWithPrivateSshKey(key, server, 22, 'root', data, passphrase, '', False);

Service Pack migration: remember settings

A common source of errors in Service Pack Migrations is the human factor: a complex migration is carefully crafted, dry-run to a success, only to mysteriously fail in production. More often than not, the reason for this is when re-creating the migration for production, some step was forgotten.

In SUSE Manager 4.1, the Service Pack Migration feature has gained memory: you can now re-run successful dry-runs. This is especially useful when you have configured a complex migration, tested it successfully, and would like to make sure it runs in production with exactly the same settings it was designed to run with. To do this, go to the System Event History of the Dry-run action. There is a button "Run migration" which lets you execute the Service Package Migration.

Subscription warning

SUSE Manager requires an active subscription to connect to the SUSE Customer Center and download content and data.

We have now added a check in the Products page that will show a warning when the subscription is not available for one of these reasons:

  • Subscription was not added

  • Subscription was disabled

  • Subscription expired

Proxy visibility in Systems Overview

SUSE Manager Proxy nodes are now included in the Systems Overview page, with system type "Proxy".

Improved sync status visibility

In the product page, a new sync status icon has been added to convey the right information.

When a channel contains root and child products, separate feedback is provided for each product, to make sure a synchornization failure in either the root product, or a child product, will be immediately noticed.

Single Page Application UI (SPA)

In an effort to provide our WebUI users with a smoother navigation, we have implemented large parts of the user interface as a single page application.

This enhancement was started in SUSE Manager 4.0 as an opt-in feature and now becomes the default in SUSE Manager 4.1.

RHEL 8 enhancements

Content Lifecycle Management filters for AppStreams

RHEL, SLES ES, CentOS, and Oracle Linux 8 appstreams can now be mixed and converted to flat repositories using a new type of CLM filter.

In order to make this feature easier to use, in SUSE Manager 4.1:

  • SUSE Manager will show an error and prevent the user from proceeding when there are module conflics, a module is unavailable or modular filters are in use but no modular sources have been added (and viceversa)

  • Module names can be picked via a UI widget instead of typing this manually, thus avoiding errors

Prometheus exporters

Exporters for RHEL, SLES ES, CentOS, and Oracle Linux 8 are now available:

  • Node exporter: hardware and operating system metrics

  • Apache exporter: Apache HTTP server metrics

  • PostgreSQL exporter: PostgreSQL database metrics

SUSE Manager for Retail

SLEPOS 15 SP2 clients

Pre-defined templates for SLEPOS 15 SP2 are now provided. SLEPOS 15 SP2 is supported for 7.5 years since the release date.

Small stores

Where a dedicated SUSE Manager Server or SUSE Manager Retail Branch Server is not feasible, it is now possible to use a Retail Branch Server running in a remote datacenter or public cloud.

EFI HTTP booting

The DHCP, branch network, and PXE formulas have been updated to support booting EFI terminals (systems) using HTTP in addition to TFTP.

Custom headers for reposync

Reposync can now send additional custom HTTP headers configured in the /etc/rhn/spacewalk-repo-sync/extra_headers.conf file.

This new feature serves a number of special use cases, such as feeding special data to network proxies, bypassing MFA or informing traffic inspection devices your data is secure to avoid wasting resources inspecting e. g. large RPMs or containers.

Details are available in the Reference Guide.

New documentation

Two new books have been added to the SUSE Manager 4.1 documentation:

  • Large Deployments Guide. Everything related to architecture and configuration for large (thousands of clients) deployments is contained in this guide. It contains all the documentation for the SUSE Manager Hub component. Some parts of the Salt guide that dealt with parameter tuning for large deployments have now been moved here too.

  • Public Cloud QuickStart Guide. This new guide shows you the fastest way to get SUSE Manager up and running in a public cloud. It includes instructions for Amazon Web Services, Microsoft Azure, and Google Cloud Engine.


OpenVPN formula

As part of SUSE’s Home Office Workplace initiative in response to the crisis caused by the COVID-19, the SUSE Manager team has created a formula with forms to provision an OpenVPN Server node and manage client certificates from SUSE Manager.

For more details, see the SUSE Home Office Workplace blog, documentation and webinar.


In SUSE Manager 4.0 and earlier, the spacewalk-utils package contained a mix of L3 and L1 supported tools.

In SUSE Manager 4.1, we have split spacewalk-utils in two packages, with clear support levels for each:

  • spacewalk-utils contains only fully-supported (i. e. L3) tools:

    • spacewalk-common-channels: add channels not provided by SCC

    • spacewalk-hostname-rename: change SUSE Manager Server hostname

    • spacewalk-clone-by-date: clone channels by a specific date

    • spacewalk-sync-setup: set up ISS master/slave organization mappings

    • spacewalk-manage-channel-lifecycle: manage channels lifecycle

  • spacewalk-utils-extras contains the tools for which SUSE only provides limited (i. e. L1) support:

    • apply_errata: apply errata to systems

    • delete-old-systems-interactive: remove idle systems

    • migrate-system-profile: migrate systems between organizations

    • spacewalk-api: alternative to spacecmd api

    • spacewalk-export: export Spacewalk 2.x and Red Hat Satellite 5 data

    • spacewalk-export-channels: export Spacewalk 2.x and Red Hat Satellite 5 channels

    • spacewalk-final-archive: archive information from a running Spacewalk 2.x and Red Hat Satellite 5 server prior to a final shutdown

    • spacewalk-manage-snapshots: report on and purge snapshot entries by age

    • sw-ldap-user-sync: creates new SUSE Manager accounts for users in a specific LDAP group and removes SUSE Manager accounts after deleting users from a specific LDAP group

    • sw-system-snapshot: list or delete system snapshots from the management server

    • taskotop: displays a summary of Taskomatic activities in progress

Tools in spacewalk-utils-extras are valuable but they are so specific, or require additional customization for each customer, that it is not possible for SUSE to fully support them. If you were using these scripts in spacewalk-utils in SUSE Manager 4.0 or earlier, you will need to install spacewalk-utils-extras in SUSE Manager 4.1.

L1 support is limited to problem determination, which means technical support designed to provide compatibility information, usage support, on-going maintenance, information gathering and basic troubleshooting using available documentation. Should you need more advanced help or customization with a tool from spacewalk-utils-extras, please contact SUSE Consulting.

Single Sign-On (SSO)

SUSE Manager supports Single Sign-On authentication to the WebUI by implementing the Security Assertion Markup Language (SAML) 2 protocol. This feature, introduced in 4.0 as a Technology Preview, is now declared stable and fully supported.

SUSE Manager must be reconfigured to use the IdP as the source of authentication and post-login mapped users must be already created before enabling SSO.

Technology previews


The SUSE Manager Hub is a new multi-server architecture we are introducing as a technology preview in SUSE Manager 4.1.

Multiple SUSE Manager Servers can be managed from a single Hub node. The Hub is a Salt master itself and the managed SUSE Manager Server servers are both a minion (to the hub) and a master (to their own minions).

SUSE Manager Hub Architecture

The Hub covers a number of use cases, such as:

  • Scalability: when a single SUSE Manager Server will no longer be enough

  • Intermittently connected and bandwidth-limited sites, which can now be managed with their own schedule thanks to the Hub

  • Multi-tenancy with individual SUSE Manager Servers. While SUSE Manager is multi-organization itself, in some scenarios, an even stronger separation is required. The Hub provides a way to manage and aggregate back information for all those SUSE Manager Server servers.

The Hub comprises a number of components that we will be releasing and enhancing during the SUSE Manager 4.1 lifecycle. The first component of the Hub we are now introducing as a Technology Preview is the Hub XML-RPC API, which provides an extended version of the SUSE Manager Server XML-RPC API, targeted for the multi-server case.

Everything related to the Hub is documented in the new Large Deployments Guide.


Yomi (yet one more installer) is a Salt-based installer for SUSE and openSUSE operating systems.

In SUSE Manager 4.1, Yomi can be used as part of provisioning new clients, as an alternative to AutoYaST. Yomi consists of two components:

  • The Yomi formula, which contains the Salt states and modules required to perform the installation.

  • The operating system image, which includes the pre-configured salt-minion service.

Detailed information on how to use Yomi is available from the Salt Guide.

Yomi is work in progress and more operating systems and features will be added in coming releases.

Salt 3000

Salt has been upgraded to upstream version 3000, plus a number of patches, backports and enhancements by SUSE, for the SUSE Manager Server, Proxy and Client Tools. In particular, CVE-2020-11651 and CVE-2020-11652 fixes are included in our release.

As part of this upgrade, cryptography is now managed by the Python-M2Crypto library (which is itself based on the well-known OpenSSL library).

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3000 upstream release notes.

Please note Salt 3000 is the last version of Salt which will support the old syntax of the module.

PostgreSQL 12

The database engine has been updated from PostgreSQL 10 to PostgreSQL 12, which brings a number of performance and reliability improvements. A detailed changelog is available upstream.

To prevent inconsistent configurations and data on upgrade or update, SUSE Manager 4.1 will refuse to start until the database migration from PostgreSQL 10 to PostgreSQL 12 has completed successfully.

Base system upgrade

The base system was upgraded to SUSE Linux Enterprise 15 SP2.

Dropped features

Unpublished patches

The Unpublished Patches feature has been dropped in SUSE Manager 4.1.0.

This was a very old feature which originated more than 15 years ago when Spacewalk was used internally by vendors to manage patches before making them available to their customers. This functionality has been superseded a long (more than 10 years) time ago by other features in Uyuni for sysadmins, and by tools such as the Open Build Service for operating system vendors.

After a consultation period with users both in the upstream Uyuni community and the SUSE Manager community, we received no feedback against the removal and executed on it.

This will help us realize even further performance improvements in several areas, including the commonly-used Content Lifecycle Management build and promotion operations.

If you still have any unpublished patches, make sure you publish them with SUSE Manager 4.0 before migrating to SUSE Manager 4.1.

API breakage

With the removal of the unpublished patches feature, some APIs have changed and are therefore incompatible with SUSE Manager 4.0 and earlier:

  • Method errata.listUnpublishedErrata was removed

  • Method errata.create has one less parameter (the publish boolean, now always true) and it is now mandatory to specify at least one channel label in the last parameter (channelLabels). Previously specifying at least one channel label was mandatory only if publish was set to true.


Upgrading with SUSE Manager Proxy

SUSE Manager Server 4.1 works with SUSE Manager Proxy 4.0 and SUSE Manager Retail Branch Server 4.0. When upgrading, upgrade the SUSE Manager Server first, followed by the SUSE Manager Proxy and Retail Branch Servers.

For instructions on upgrading when SUSE Manager Proxy or SUSE Manager Retail Branch Servers are in use, see the Upgrade Guide on

Upgrading with inter-server synchronization

When upgrading, upgrade the ISS master first, followed by the ISS slaves.


Supportconfig confidentiality disclaimer

When handling Service Requests, supporters and engineers may ask for the output of the supportconfig tool from SUSE Manager Server or clients.

This disclaimer applies:

Detailed system information and logs are collected and organized in a
manner that helps reduce service request resolution times.
Private system information can be disclosed when using this tool.

If this is a concern, please prune private data from the log files.

Several startup options are available to exclude more sensitive
information. Supportconfig data is used only for diagnostic purposes
and is considered confidential information.

When you run supportconfig on the SUSE Manager Server, the output will contain information about your clients as well as about the Server. In particular, debug data for the subscription matching feature contains a list of registered clients, their installed products, and some minimal hardware information (such as the CPU socket count). It also contains a copy of the subscription data available from the SUSE Customer Center.

If this is a concern, please prune data in the subscription-matcher directory in the spacewalk-debug tarball before sending it to SUSE.

Supportability of embedded software components

All software components embedded into SUSE Manager, like Cobbler for PXE booting, are only supported in the context of SUSE Manager. Stand-alone usage (e. g. Cobbler command-line) is not supported.

Support for older products

The SUSE Manager engineering team provides 'best effort' support for products past their end-of-life date. For more information about product support, see Product Support Lifecycle.

Support for products that are considered past their end-of-life is limited to assisting you to bring production systems to a supported state. This could be either by migrating to a supported service pack or by upgrading to a supported product version.

Support for RHEL, CentOS and Oracle Linux Clients

SUSE Manager supports only the latest RHEL 6,7 and 8 minor release clients. Older minor releases might still work, but cannot be officially supported.

The same rule applies to CentOS and Oracle Linux.

Support for Ubuntu Clients

SUSE Manager supports Ubuntu 16.04 LTS, 18.04 LTS and 20.04 LTS clients using Salt. Traditional clients are not supported.

Support for Ubuntu is limited to a growing list of specific features. For a detailed list of supported features, check the Client Configuration Guide.

L1 support for Debian clients

For Debian clients, SUSE Manager only offers a subset of its functionality, mostly aligned with Ubuntu. Client tools are not available yet from SCC but the Debian 9 and Debian 10 client tools from Uyuni can be enabled using spacewalk-common-channels.

Debian is only supported at L1 level support. L1 support is limited to problem determination, which means technical support designed to provide compatibility information, usage support, on-going maintenance, information gathering and basic troubleshooting using available documentation. At this moment, any problems or bugs specific Debian will only be fixed in a best-effort mode.

Please contact your Sales Engineer or SUSE Consulting if you need additional support or features for these operating systems.

Browser support

Microsoft Internet Explorer fails to render some parts of the SUSE Manager Web UI and is therefore not a supported browser, in any version.

Please refer to the General Requirements for a list of supported browsers.

SUSE Manager installation

The SUSE Unified Installer, and installing SUSE Manager on top of SLE JeOS, are the only supported mechanisms to install SUSE Manager.

Installing SUSE Manager 4.1 on top of an existing SUSE Linux Enterprise Server 15 SP2 is known to generate an incomplete installation. If you require such a setup, please contact SUSE Consulting.

Known issues

Compatibility with the Development Tools Module

The Development Tools Module 15 SP2 is not enabled or used by default by SUSE Manager.

Enabling the Development Tools Module 15 SP2 on the SUSE Manager Server 4.1 will break the taskomatic component in SUSE Manager Server, resulting in actions not being scheduled or executed. This will be fixed in a future release of SUSE Manager.

Single Sign On, API and CLI tools

Single Sign On can be used to authenticate in the Web UI but not with the API or CLI tools. This will be fixed in a future release of SUSE Manager.

EPEL and Salt packages

Using the Extra Packages for Enterprise Linux directly on RHEL clients (or compatible: SLES ES, CentOS, Oracle Linux, etc) will install the Salt packages from EPEL, which miss some features available in the SUSE Manager-provided Salt packages. This is especially important since it will result in the bootstrap repository containing the non-SUSE Salt packages. Therefore, this is an unsupported scenario.

If you need to enable the EPEL repository, make sure you filter out the Salt packages from EPEL in advance.

RHEL native clients

When autogenerating bootstrap repositories for native RHEL clients, some errors may be logged from the moment the official Red Hat channels are added until the moment those channels are fully synchronized for the first time.

This does not affect SLES Expanded Support, CentOS or Oracle Linux.

RHEL 6, CentOS 6 and Oracle Linux 6 minimal installations

In the case of RHEL 6, CentOS 6 and Oracle Linux 6, the "Minimal" installation set is missing some packages required for the onboarding to work. It is recommented to install at least a "Basic Server".

Alternatively, if using a minimal installation, you must install the perl and openssh-clients packages before onboarding.

Registering Spacewalk 2.x/Red Hat Satellite 5.x clients to SUSE Manager as Salt minions

If a client machine is running the Red Hat Satellite 5.x agent, registering it to SUSE Manager as a Salt minion will fail due to package conflicts.

Registering a RH Satellite 5.x client as a SUSE Manager traditional client works fine.

Registering a SUSE Manager traditional client as a SUSE Manager Salt minion will also work.

Works Fails

RH Satellite 5.x ⇒ SUSE Manager traditional

RH Satellite 5.x ⇒ SUSE Manager Salt minion

SUSE Manager traditional ⇒ SUSE Manager Salt minion

In order to register Red Hat Satellite 5.x clients to SUSE Manager as Salt minions, you will need to modify the bootstrap script to remove the Satellite agent packages first.

Spacewalk 2.x and Oracle Spacewalk 2.x clients will show the same behavior as Red Hat Satellite 5.x clients

Third-party errata information for vendor channels

Since CentOS is now a vendor channel with repository URLs coming from SCC, altering the metadata is not permitted.

As a workaround, in order for the third-party errata service to continue working, you will need to apply it to a clone of the CentOS channel you want to add errata to.

The same problem occurs when adding errata information to Ubuntu 20.04 channels using third-party scripts.

This will be fixed in an upcoming version of SUSE Manager.

Providing feedback

If you encounter a bug in any SUSE product, please report it through your support contact or in the SUSE Forums:


Latest product documentation:

Technical product information for SUSE Manager:

These release notes are available online:

Visit for the latest Linux product news from SUSE.

Visit for additional information on the source code of SUSE Linux Enterprise products.

Maxfeldstr. 5
D-90409 Nürnberg
Tel: +49 (0)911 740 53 - 0
Registrierung/Registration Number: HRB 36809 AG Nürnberg
Geschäftsführer/Managing Director: Felix Imendörffer
Steuernummer/Sales Tax ID: DE 192 167 791
Erfüllungsort/Legal Venue: Nürnberg

SUSE makes no representations or warranties with regard to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to revise this publication and to make changes to its content, at any time, without the obligation to notify any person or entity of such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, SUSE reserves the right to make changes to any and all parts of SUSE software, at any time, without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be subject to U.S. export controls and the trade laws of other countries. You agree to comply with all export control regulations and to obtain any required licenses or classifications to export, re-export, or import deliverables. You agree not to export or re-export to entities on the current U.S. export exclusion lists or to any embargoed or terrorist countries as specified in U.S. export laws. You agree to not use deliverables for prohibited nuclear, missile, or chemical/biological weaponry end uses. Please refer to the SUSE Legal information page for more information on exporting SUSE software. SUSE assumes no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012-2020 SUSE LLC.

This release notes document is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License (CC-BY-ND-4.0). You should have received a copy of the license along with this document. If not, see

SUSE has intellectual property rights relating to technology embodied in the product that is described in this document. In particular, and without limitation, these intellectual property rights may include one or more of the U.S. patents listed at and one or more additional patents or pending patent applications in the U.S. and other countries.

For SUSE trademarks, see SUSE Trademark and Service Mark list ( All third-party trademarks are the property of their respective owners.


Thank you for using SUSE Manager Server in your business.

Your SUSE Manager Server Team.