Disconnected Subscription Management Servers

This document (7017998) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 (SLES 11 SP3)

Situation

In some restricted environments it is not possible for the Subscription Management Tool to access the internet because it is located in a disconnected or isolated network.  By using some special parameters with the Subscription Management Tool commands and a mobile disk, it is possible to make accommodations for this situation.

This option works by having one Subscription Management Tool server that can access the internet and is able to mirror the repositories that are needed on the isolated servers.  Then the internal Subscription Management Tool server can "mirror" from the external Subscription Management Tool server using mobile storage media.

Resolution

Setting up a SLES 11 SP3/4 - SMT 11 SP3 Disconnected Environment:

Basic setup:

SMT 11 SP3 Server that can access the internet (external-smt-server) and has SMT using the SMT
SMT 11 SP3 server that has no access to the internet (internal-smt-server)

Start by ensuring that the external-smt-server is fully patched.  The system should have the following repositories and they should be enabled:

#  | Alias                                                                    | Name                                                          | Enabled | Refresh
---+--------------------------------------------------------------------------+---------------------------------------------------------------+---------+--------
 1 | SUSE-Linux-Enterprise-Server-11-SP3 11.3.3-1.138                         | SUSE-Linux-Enterprise-Server-11-SP3 11.3.3-1.138              | Yes     | No    
 2 | Subscription-Management-Tool-for-SUSE-Linux-Enterprise-11-SP3_11.3.3-1.1 | Subscription Management Tool for SUSE Linux Enterprise 11 SP3 | Yes     | No    
 4 | nu_novell_com:SLE11-SMT-SP3-Pool                                         | SLE11-SMT-SP3-Pool                                            | Yes     | Yes   
 5 | nu_novell_com:SLE11-SMT-SP3-Updates                                      | SLE11-SMT-SP3-Updates                                         | Yes     | Yes   
20 | nu_novell_com:SLES11-SP3-Pool                                            | SLES11-SP3-Pool                                               | Yes     | Yes   
21 | nu_novell_com:SLES11-SP3-Updates                                         | SLES11-SP3-Updates                                            | Yes     | Yes 

zypper lu will show if any updates are available.  zypper patch can be run (multiple times if necessary) to install the updates.  Reboot the external-smt-server.

Install the internal-smt-server

While SLES 11 SP3 and SMT 11 SP3 can be installed at the same time I prefer to install the server first and then SMT.

1. Install SLES 11 SP3 onto the system. 
The default settings are fine.  When you get to the registration portion "Configure later" can be selected as there is no internet connection.
2. Install the SMT 11 SP3 addon product

- Using either the SMT 11 SP3 burned to media or the SMT 11 SP3 ISO install SMT 11 SP3 using Yast2 --> Software --> Add-On Products --> Add --> point the installation at your choice of SMT 11 SP3 installation media
- When the SMT Configuration Wizard - Step 1/2 Appears:

Check "Enable Subscription Management Tool Service (SMT)"
Check "Open Port In Firewall" if the firewall is running
Leave the Registration Server Url and Download Server Url settings at default
Enter your mirror credential Username and Password in the fields provided (the Test button will not work - the internal-smt-server has no internet access)
Select "Next"

- When the SMT Configuration Wizard - Step 2/2 Appears:

Enter a mysql database password for the smt User (do not use any special characters - limit your choices to numbers and letters. A bug with special characters is fixed later in the SMT updates)
Select "Next"

- NCC Credentials Screen:

Click the radio button for "Generate New NCC Credentials"
Select "Next"

- Adjusting New Database root Password

Enter a password for the mysql root user - it does not have to be the same as the smt user's password, but it can be. (do not use any special characters - limit your choices to numbers and letters)

Click Ok when the "Running the synchronization script failed" window pops up.  This is normal.

- Novell Customer Center Configuration

Select "Abort"

3. SMT 11 SP3 is now installed on the internal-smt-server, however, before proceeding any further in the process we need to fully patch the internal-smt-server so that it is at the same patch level as the external-smt-server which we fully patched earlier.

To get the latest updates installed (NOTE: this process will only need to be done during the initial installation. Going forward we will set the SMT servers up with a process to keep them fully patched and at the same patch level)

On the external-smt-server ensure that at least the following 4 repositories are enabled and fully mirrored (issue smt mirror on the external-smt-server if unsure):

SLE11-SMT-SP3-Pool for sle-11-x86_64
SLE11-SMT-SP3-Updates for sle-11-x86_64
SLES11-SP3-Pool for sle-11-x86_64
SLES11-SP3-Updates for sle-11-x86_64

Staging is currently not enabled on any of the repositories listed above on my external-smt-server.  Having them staged at this point in the process will still work.  The repositories themselves will simply need to be obtained from a different location on the external-smt-server.

Copy the following directories and their contents on the external-smt-server to an external drive that the internal-smt-server has access to:

/srv/www/htdocs/repo/$RCE/SLES11-SP3-Pool/sle-11-x86_64/
/srv/www/htdocs/repo/$RCE/SLES11-SP3-Updates/sle-11-x86_64/
/srv/www/htdocs/repo/$RCE/SLE11-SMT-SP3-Pool/sle-11-x86_64/
/srv/www/htdocs/repo/$RCE/SLE11-SMT-SP3-Updates/sle-11-x86_64/

We are going to create temporary repositories using those directories so keep them separate.  On my external drive I now have the following directories:

SLES11-SP3-Pool
SLES11-SP3-Updates
SLE11-SMT-SP3-Pool
SLE11-SMT-SP3-Updates

All containing the contents from my external-smt-server.  Using those I create a repository on the internal-smt-server from each of them:

zypper ar /mnt/usbdrive/SLES11-SP3-Pool/sle-11-x86_64/  SLES11-SP3-Pool
zypper ar /mnt/usbdrive/SLES11-SP3-Updates/sle-11-x86_64/  SLES11-SP3-Updates
zypper ar /mnt/usbdrive/SLE11-SMT-SP3-Pool/sle-11-x86_64/  SLE11-SMT-SP3-Pool
zypper ar /mnt/usbdrive/SLE11-SMT-SP3-Updates/sle-11-x86_64/  SLE11-SMT-SP3-Updates

zypper lr on the internal-smt-server now shows:

# zypper lr
# | Alias                                                                    | Name                                                          | Enabled | Refresh
--+--------------------------------------------------------------------------+---------------------------------------------------------------+---------+--------
1 | SLE11-SMT-SP3-Pool                                                       | SLE11-SMT-SP3-Pool                                            | Yes     | No    
2 | SLE11-SMT-SP3-Updates                                                    | SLE11-SMT-SP3-Updates                                         | Yes     | No    
3 | SLES11-SP3-Pool                                                          | SLES11-SP3-Pool                                               | Yes     | No    
4 | SLES11-SP3-Updates                                                       | SLES11-SP3-Updates                                            | Yes     | No    

zypper lu also shows a lot of available updates.

Use zypper patch (it will need to be run twice, once to update the zypper stack and then again to install the rest of the updates). Check to ensure that all updates have been installed using zypper lu.  If any remain run zypper patch again.

Reboot the internal-smt-server after all available updates have been installed.

The temporary repos we just created can now be removed as we will be adding the actual repos back using the smt import and then registering the internal-smt-server to itself in the following steps.

Going by the zypper lr output above, which shows the repos that were created, running zypper rr 1 2 3 4 will remove all of the temporary repos.

4. Preparing the internal-smt-server (refer to page 28 in https://www.novell.com/docrep/2009/11/SMT11%20Deployment%20Guide-en_f_en.pdf)

- Launch yast2 smt-server and click on the "Scheduled SMT Jobs" tab

Delete the "NCC Registration" and "Synchronization of Updates" jobs then click OK.
Enter the mysql root password when prompted
Click Ok when the "Running the synchronization script failed" window pops up (again this error can be ignored).

- Prevent registration data from attempting to do an upstream sync to the NCC

Edit the /etc/smt.conf file on the internal-smt-server and ensure forwardRegistration = false

- Prevent a sync attempt with the NCC before generating reports:

Run the following on the internal-smt-server as root:

sed -i 's/REPORT_PARAMS=\"/REPORT_PARAMS=\"--nonccsync /g' /etc/smt.d/smt-cron.conf
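The two settings from step 4 can be audited before the internal-smt-server goes into service. The following is an added example, not part of the original TID or of SMT itself; the function names are hypothetical, and it assumes the key = value layout of /etc/smt.conf and the REPORT_PARAMS="..." line targeted by the sed command above. It also shows an idempotent form of that sed edit, since running the original command twice inserts --nonccsync twice.

```shell
#!/bin/sh
# Added example: audit the "stay offline" settings from step 4.
# File paths are arguments so the check can be run against copies, e.g.:
#   check_offline_config /etc/smt.conf /etc/smt.d/smt-cron.conf

# Print the effective forwardRegistration value (last uncommented
# assignment wins). Prints nothing if the key is absent or commented out.
forward_registration_value() {
    sed -n 's/^[[:space:]]*forwardRegistration[[:space:]]*=[[:space:]]*\([^[:space:]#;]*\).*$/\1/p' "$1" |
        tail -n 1
}

# Print how many times --nonccsync occurs on the REPORT_PARAMS line.
nonccsync_count() {
    grep '^[[:space:]]*REPORT_PARAMS=' "$1" | tail -n 1 |
        grep -o -e '--nonccsync' | wc -l | tr -d ' '
}

# Idempotent form of the sed edit: insert --nonccsync only if missing.
# Writes through a temp file and cat so the file keeps its owner and mode.
ensure_nonccsync() {
    if [ "$(nonccsync_count "$1")" -ge 1 ]; then
        return 0
    fi
    tmp=$(mktemp) || return 2
    sed 's/^\([[:space:]]*REPORT_PARAMS="\)/\1--nonccsync /' "$1" > "$tmp" &&
        cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Return 0 only if both settings keep the server from contacting the NCC.
# An unset forwardRegistration is treated as a failure (assumption: the
# step says to ensure the value is false, so it must be stated).
check_offline_config() {
    smt_conf=$1
    cron_conf=$2
    rc=0
    val=$(forward_registration_value "$smt_conf" | tr 'A-Z' 'a-z')
    if [ "$val" != "false" ]; then
        echo "FAIL: forwardRegistration is '${val:-unset}' in $smt_conf"
        rc=1
    fi
    n=$(nonccsync_count "$cron_conf")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: REPORT_PARAMS lacks --nonccsync in $cron_conf"
        rc=1
    elif [ "$n" -gt 1 ]; then
        echo "WARN: --nonccsync appears $n times in $cron_conf"
    fi
    return $rc
}
```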

5. Now the systems are ready to perform the initial export from the external-smt-server to the internal-smt-server

5.1  On the external-smt-server

- Enable the repositories to be consumed by the internal Subscription Management Tool servers

At a minimum these need to include SLES 11 SP3 Pool and Updates and SLE11-SMT-SP3-Pool and Updates (which they should be as they were used in Step 3 above)

On the external-smt-server

- Connect the mobile disk and mount it
- Export the required Novell Customer Center data to a directory on that disk:

Create the directory to hold the data
Grant permissions to that directory. Since the smt commands execute as the smt user (whose numeric uid can differ between the servers), we need to loosen the permissions for the directories on the mobile disk.
# chmod o+w </path-to-ncc-dir-on-mobile-disk>
Export the Novell Customer Center data:
# smt-ncc-sync --export </path-to-ncc-dir-on-mobile-disk>
Set up a directory for repositories:

5.2 Create the directory to hold the repositories that need to be transferred to the internal-smt-server

# mkdir </path-to-repository-on-mobile-disk>
Grant permissions as above
# chmod o+w </path-to-repository-on-mobile-disk>
Unmount and detach the removable disk

5.3 On the internal-smt-server

Populate the Subscription Management Tool database with the Novell Customer Center data just created
# smt-ncc-sync --fromdir </path-to-ncc-dir-on-mobile-disk>

Enable mirroring of the desired repositories
For example:
smt-repos -e SLES11-SP3-Pool sle-11-x86_64

Repeat the command for all of the repositories to be enabled on the internal-smt-server
NOTE: At a minimum the SLES 11 SP3 Pool and Updates and SLE11-SMT-SP3-Pool and Updates need to be enabled


5.4 Create a database replacement file on the mobile hard disk

# smt-ncc-sync --createdbreplacementfile \
</path-to-dbrepl-file-on-mobile-disk>
NOTE: the path-to-dbrepl... needs to include the db replacement file name.

Unmount and detach the removable disk


5.5 Perform a mirror based on the file on the mobile disk and to a directory on the mobile disk

On the external-smt-server

# smt-mirror --dbreplfile </path-to-dbrepl-file-on-mobile-disk> --fromlocalsmt --directory </path-to-repository-on-mobile-disk> -L /var/log/smt/smt-mirror-<you-name-it>.log

NOTE: the </path-to-repository-on-mobile-disk> is the path created in step 5.2
NOTE: This process will only create repositories on the external drive if A) they are already mirrored to the external-smt-server and B) they were enabled on the internal-smt-server in step 5.3

Update the database on the mobile disk with product and subscription info from Novell Customer Center

# smt-ncc-sync --export </path-to-ncc-dir-on-mobile-disk> 

Unmount and disconnect the mobile disk

5.6 Update the information in the internal-smt-server including the repositories

On the internal-smt-server

Update the internal-smt-server's database with NCC data
# smt-ncc-sync --fromdir </path-to-ncc-dir-on-mobile-disk>

Update the SMT repositories on the internal-smt-server
# smt-mirror --fromdir </path-to-repository-on-mobile-disk>

Following https://www.suse.com/support/kb/doc.php?id=7004388 both the external-smt-server and internal-smt-server can be registered to themselves to get updates.

Notes about the day to day operation (ie steps 5.4 - 5.6)

As new updates become available for the external-smt-server the day to day process should be run first so that the internal-smt-server can be updated before the external-smt-server.  This will help prevent the two servers becoming out of sync with respect to versions and the database schema.  If this should happen perform step 5.5 and then the smt-mirror portion of 5.6.  Completely update the internal-smt-server and then run smt-ncc-sync --fromdir </path-to-ncc-dir-on-mobile-disk> to get the internal-smt-server's database updated.

Migrating a SLES 11 SP3/4 - SMT 11 SP3 server from the NCC to the SCC:

1. On the external server fully patch and migrate it to the SCC first (ie smt-ncc-scc-migration)

NOTE: if you get duplicate db entry errors use the following tid to clean them up:

https://www.suse.com/support/kb/doc?id=7017148

2. run a fresh export to the portable drive (ie smt-sync --todir </path/to/external/drive>)

3. Ensure that the internal server is also fully patched.

4. On the internal server change the ApiType = NCC to ApiType = SCC in the /etc/smt.conf and restart smt (ie rcsmt restart)

5. run a new import on the internal server (ie smt-sync --fromdir </path/to/external/drive>)

The db will automatically be converted.  Again if you get duplicate db entry errors use the following tid to fix the issue:

https://www.suse.com/support/kb/doc?id=7017148

You can now continue with your regular process replacing smt-ncc-sync with smt-sync. 

Setting up a SLES 12 SP1 disconnected SMT server environment:

1. Basic setup:

SMT 12 SP1 Server that can access the internet (external-smt-server)
SMT 12 SP1 server that has no access to the internet (internal-smt-server)

NOTE: It is critical to keep both SLES 12 SP1 SMT servers fully patched and at the same patch level.  See the notes on day-to-day operation at the bottom of this document. 

For more details about installing SMT on SLES 12 SP1 see: https://www.suse.com/documentation/sles-12/book_smt/data/smt_installation.html

After installing SLES 12 SP1 and SMT on the external-smt-server ensure that the external-smt-server is fully patched.  The system should have the following repositories and they should be enabled:


# zypper lr
# | Alias                                                                   | Name                         | Enabled | GPG Check | Refresh
--+-------------------------------------------------------------------------+------------------------------+---------+-----------+--------
1 | SLES12-SP1-12.1-0                                                       | SLES12-SP1-12.1-0            | Yes     | (r ) Yes  | No    
2 | SUSE_Linux_Enterprise_Server_12_SP1_x86_64:SLES12-SP1-Debuginfo-Pool    | SLES12-SP1-Debuginfo-Pool    | No      | ----      | No    
3 | SUSE_Linux_Enterprise_Server_12_SP1_x86_64:SLES12-SP1-Debuginfo-Updates | SLES12-SP1-Debuginfo-Updates | No      | ----      | Yes   
4 | SUSE_Linux_Enterprise_Server_12_SP1_x86_64:SLES12-SP1-Pool              | SLES12-SP1-Pool              | Yes     | (r ) Yes  | No    
5 | SUSE_Linux_Enterprise_Server_12_SP1_x86_64:SLES12-SP1-Source-Pool       | SLES12-SP1-Source-Pool       | No      | ----      | No    
6 | SUSE_Linux_Enterprise_Server_12_SP1_x86_64:SLES12-SP1-Updates           | SLES12-SP1-Updates           | Yes     | (r ) Yes  | Yes  

zypper lu will show if any updates are available.  zypper patch can be run (multiple times if necessary) to install the updates.  Reboot the external-smt-server.


2. Install the internal-smt-server


Install SLES 12 SP1 and SMT on the internal-smt-server (see https://www.suse.com/documentation/sles-12/book_smt/data/smt_installation.html for more details on installing SMT with SLES 12 SP1)

Before running the SMT Configuration Wizard copy the /etc/zypp/credentials.d/SCCcredentials file from the external-smt-server to the internal-smt-server (the /etc/zypp/credentials.d/ subdirectory will need to be created on the internal-smt-server).  This will prevent errors related to the credentials during the configuration.  The credentials will be reset later in the process to ensure that both smt servers have unique credentials.

When running SMT Configuration Wizard on the internal-smt-server do the following:

Check "Enable Subscription Management Tool Service (SMT)"
Check "Open Port In Firewall" if the firewall is running
Leave the Registration Server Url and Download Server Url settings at default (ie https://scc.suse.com/connect and https://updates.suse.com/)
Enter your mirror credential Username and Password in the fields provided (the Test button will not work - the internal-smt-server has no internet access)
Select "Next"

- When the SMT Configuration Wizard - Step 2/2 Appears:

Enter a mysql database password for the smt User
Select "Next"
Enter a root mariaDB password and click OK
Run CA management if prompted and complete the information as requested. Click "Next" to continue.

When the synchronization script failed error pops up click OK to continue.


3. On the external-smt-server

3.1 Enable the repositories to be consumed by the internal Subscription Management Tool servers. At a minimum these need to include SLES 12 SP1 Pool and Updates

On the external-smt-server

- Connect the mobile disk and mount it
- Export the required Novell Customer Center data to a directory on that disk:

Create the directory to hold the data

an example would be: /smtsync/scc

Grant permissions to that directory. Since the smt commands execute as the smt user (whose numeric uid can differ between the servers), we need to loosen the permissions for the directories on the mobile disk.
# chmod o+w </path-to-scc-dir-on-mobile-disk>
Export the SUSE Customer Center data:
# smt-sync --todir </path-to-scc-dir-on-mobile-disk>

Using the example above smt-sync --todir /smtsync/scc

3.2  Set up a directory for repositories:

Create the directory to hold the repositories that need to be transferred to the internal-smt-server

# mkdir </path-to-repository-on-mobile-disk>

an example would be: /smtsync/repos

Grant permissions as above
# chmod o+w </path-to-repository-on-mobile-disk>
Unmount and detach the removable disk

3.3 On the internal-smt-server

Populate the Subscription Management Tool database with the Novell Customer Center data just created
# smt-sync --fromdir </path-to-scc-dir-on-mobile-disk>

Enable mirroring of the desired repositories
For example:
smt-repos -e SLES12-SP1-Pool sle-12-x86_64

Repeat the command for all of the repositories to be enabled on the internal-smt-server
NOTE: At a minimum the SLES 12 SP1 Pool and Updates need to be enabled


3.4 Create a database replacement file on the mobile hard disk

# smt-sync --createdbreplacementfile </path-to-dbrepl-file-on-mobile-disk>
NOTE: the path-to-dbrepl... needs to include the db replacement file name.

Unmount and detach the removable disk


3.5 Perform a mirror based on the file on the mobile disk and to a directory on the mobile disk

On the external-smt-server

# smt-mirror --dbreplfile </path-to-dbrepl-file-on-mobile-disk> --fromlocalsmt --directory </path-to-repository-on-mobile-disk> -L /var/log/smt/smt-mirror-<you-name-it>.log

NOTE: the </path-to-repository-on-mobile-disk> is the path created in step 3.2
NOTE: This process will only create repositories on the external drive if A) they are already mirrored to the external-smt-server and B) they were enabled on the internal-smt-server in step 3.3

Update the database on the mobile disk with product and subscription info from SUSE Customer Center

# smt-sync --todir </path-to-scc-dir-on-mobile-disk> 

Unmount and disconnect the mobile disk

3.6 Update the information in the internal-smt-server including the repositories

On the internal-smt-server

Update the internal-smt-server's database with SCC data
# smt-sync --fromdir </path-to-scc-dir-on-mobile-disk>

Update the SMT repositories on the internal-smt-server
# smt-mirror --fromdir </path-to-repository-on-mobile-disk>

The following error will likely occur the first time a mirror is run due to the fact that the internal-smt-server has not been fully patched yet:

DBD::mysql::st execute failed: Incorrect string value: '\xC4\x9Flay\xC4...' for column 'DESCRIPTION' at row 1 at /usr/lib/perl5/vendor_perl/5.18.2/SMT/Patch.pm line 388.

To resolve that problem do the following on the internal-smt-server:

run:
mysql -u smt -p smt

Enter password: ***********

at the MariaDB [smt] prompt enter:

ALTER TABLE Patches CONVERT TO CHARACTER SET utf8 COLLATE utf8_unicode_ci;

it will return:

Query OK, 0 rows affected (0.01 sec)
Records: 0  Duplicates: 0  Warnings: 0

type exit

run

# smt-mirror --fromdir </path-to-repository-on-mobile-disk>

The smt-mirror should now run without errors.

3.7 The following will register the internal-smt-server to itself for updating:

rm /etc/zypp/credentials.d/SCCcredentials (this will remove the duplicate guid we created in step 2)
SUSEConnect --url https://<url for internal-smt-server>/

Fully patch the internal-smt-server and reboot it.

Notes about the day to day operation (ie steps 3.4 - 3.6)

As new updates become available for the external-smt-server the day to day process should be run first so that the internal-smt-server can be updated before the external-smt-server.  This will help prevent the two servers becoming out of sync with respect to versions and the database schema.  If this should happen perform step 3.5 and then the smt-mirror portion of 3.6.  Completely update the internal-smt-server and then run smt-sync --fromdir </path-to-scc-dir-on-mobile-disk> to get the internal-smt-server's database updated.
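The directories on the mobile disk are made world-writable (chmod o+w) and the disk is carried between two networks, so it is worth confirming that what arrives on the internal-smt-server is what left the external-smt-server. The following is an added example, not part of the original TID or of SMT; the function names are hypothetical and it assumes GNU findutils and coreutils. Run make_manifest on the external-smt-server after smt-mirror finishes and verify_manifest on the internal-smt-server before smt-mirror --fromdir; keep the manifest outside the hashed directory, and move it (or its own digest) separately from the disk.

```shell
#!/bin/sh
# Added example: detect changes to the mobile disk between export and import.
#   external: make_manifest   /smtsync/repos /root/repos.sha256
#   internal: verify_manifest /smtsync/repos /path/to/repos.sha256

# Write a SHA-256 manifest of every regular file under $1 to $2.
# Paths are recorded relative to $1, so the mount point may differ
# between the two servers. $2 must not be located inside $1.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$2"
}

# Compare directory $1 against manifest $2. Prints one line per finding
# (ADDED, CHANGED or MISSING plus the relative path) and returns 1 if
# there is any finding, 0 if the tree matches the manifest exactly.
verify_manifest() {
    v_dir=$1
    v_manifest=$2
    v_current=$(mktemp) || return 2
    make_manifest "$v_dir" "$v_current"
    # sha256sum lines are: 64 hex digits, two separator characters, path.
    # File names containing newlines or backslashes are not handled.
    v_findings=$(awk '
        FILENAME == ARGV[1] { want[substr($0, 67)] = substr($0, 1, 64); next }
        {
            p = substr($0, 67); h = substr($0, 1, 64)
            if (!(p in want))       print "ADDED " p
            else if (want[p] != h)  print "CHANGED " p
            seen[p] = 1
        }
        END { for (p in want) if (!(p in seen)) print "MISSING " p }
    ' "$v_manifest" "$v_current" | sort)
    rm -f "$v_current"
    if [ -z "$v_findings" ]; then
        return 0
    fi
    printf '%s\n' "$v_findings"
    return 1
}
```

Any finding means the import should stop until the difference is explained; a new mirror run on the external-smt-server legitimately changes the tree, so regenerate the manifest after each export.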

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7017998
  • Creation Date: 29-Aug-2016
  • Modified Date: 03-Mar-2020
    • Subscription Management Tool
