YaST and AutoYaST Make The Difference Thomas Göttlicher Project Manager tgoettlicher@suse.com Jiří Šrain Project Manager jsrain@suse.com
YaST 2
Security Center and Hardening Module 3
Security Center and Hardening yast2 security 4
Security Center and Hardening (cont'd) yast2 security 5
Debugging 6
Debugging Turn on debugging messages: Y2DEBUG=1 yast2 network Read YaST log file: tail -f /var/log/yast2/y2log Run the YaST debugger (byebug) Y2DEBUGGER=1 yast2 network 7
Debugging (cont d) 8
Feature: Hotkeys 9
Hotkeys Crtl + Shift + Alt + X Shift + F7 Print Shift + F8 Ctrl + Shift + Alt + M Ctrl + Shift + Alt + P Ctrl + Shift + Alt + S Run xterm Debug level Screenshot Save logs Start/stop macro recorder Play macro Style sheet editor 10
Feature: Themes 11
Themes in YaST2 QT Support for CSS-like stylesheets Customize installation For visually impaired users Default is style.qss or installation.qss in /usr/share/yast2/theme/current/wizard/ $Y2STYLE contains name of stylesheet Y2STYLE=installation.qss yast2 disk --qt 12
Themes in YaST2 QT (cont'd) 13
Themes in YaST2 QT (cont'd) 14
Themes in YaST2 QT (cont'd) 15
Themes in YaST2 ncurses File: /etc/sysconfig/yast2 Variable: Y2NCURSES_COLOR_THEME= mono Also braille available for visually impaired 16
Themes in YaST2 ncurses (cont'd) File: /etc/sysconfig/yast2 Variable: Y2NCURSES_COLOR_THEME= mono Also braille available for visually impaired 17
Feature: Driver Update 18
Driver Update Replace packages in your installation system Use RPM packages or cpio archives File on a web server contains a list of rpm packages Example file on http://foo.bar/list: dud=http://foo.bar/bash.rpm dud=http://foo.bar/yast2.rpm 19
Driver Update (cont'd) 20
Driver Update (cont'd) 21
Feature: Automated Installer Update 22
Automated Installer Update Repository with installer updates available at updates.suse.com Set of DUDs packaged as RPMs Updates applied transparently when requested self_update=1 on kernel command-line to enable self_update=<url> enable with custom repository Restart of YaST necessary SMT support for networks without access to update server Remember to mirror the installer updates repository 23
Feature: Remote Installation 24
Remote Installation Install SUSE Linux Enterprise remotely over the network Configure settings at the boot prompt: Network: hostip=192.168.1.123/24 Installation source: install=ftp://192.168.1.100/pub/suse install=http://192.168.1.100/suse 25
Remote Installation (cont'd) Installation via: VNC (Virtual Network Computing) vnc=1 vncpassword=susecon2016 SSH (Secure Shell) ssh=1 sshpassword=susecon2016 26
Remote Installation (cont'd) 27
Remote Installation (cont'd) Connect to host via vncviewer hostip :1 28
System Roles 29
System Roles Predefined default configuration Covers partitioning and software selection Further areas covered in next releases Different settings for different scenarios System Roles in SLES12-SP2 Standard System KVM virtualization host XEN virtualization host 30
Macro Recorder 31
Macro Recorder Recorder and player for user interaction Records logical actions like OK button pressed Username field contains tux Macros from text interface work in graphical interface and vice versa Automation for QA testers and power users 32
Macro Recorder (cont'd) Alt + Crtl + Shift + M Start recording Alt + Crtl + Shift + M Stop recording 33
Macro Recorder (cont'd) Play a recorded macro: Alt + Ctrl + Shift + P Run macros from the command line: /usr/lib/yast2/bin/y2base modulename qt --macro macro.ycp Macros are not a substitution for AutoYaST 34
AutoYaST 35
AutoYaST AutoYaST is the SUSE Linux Enterprise automated installation method that leverages standard installation processes with predefined rules and responses to create reproduceable OS builds Caution: Can reduce the time to provision a new SUSE Linux Enterprise machine to less than 10 minutes 36
When to Use AutoYaST Linux is your primary OS or you need deployment on demand Dealing with a wide range of machines Constantly changing hardware or a wide variety of hardware Constantly changing software requirements Only installing a few machines at a time Staff has varying Linux expertise 37
When to Use Imaging Need to support multiple operating systems Have a large number of identical systems to support Limited applications to support or you are using an application deployment system (I.e., thin images and SUSE Studio) Limited number of hardware platforms Few images are needed 38
SUSE Manager Best of both worlds with support for AutoYaST, multi-cast and integrated support for SUSE Studio images. 39
Create an Installation Server 40
Installation Server Specification Disk Space 5GB plus enough disk space to hold the Linux distributions you will use Processor/RAM Any system fulfilling the requirements of SUSE Linux Enterprise Server Apache installed HTTP is easiest to use and URLs can be manipulated via Apache Windows and other operating systems can be used if you already have an existing web server Alternatively you can use FTP, NFS, or Samba for installation. 41
Firewall Settings Disable Firewall You can temporarily turn it off completely Re-enable after installation Or open the necessary ports HTTP (80), HTTPS (443), TFTP (69), DHCPD (547) YaST can help you 42
YaST: Configure Installation Server YaST installs and configures Apache and copies the source media to the system 43
Verify the Installation Source Append e.g. /README if server forbids directory listing 44
Installing from Network Boot with standard installation DVD 45
Boot Options install=http://hostname/path/to/dvd1 If there is no DHCP on your network, you can use: hostip=<ip address> netmask=<mask> ie: hostip=172.17.2.1 netmask=255.255.255.0 use gateway=<gateway> if the Installation server is on a different subnet 46
Create an AutoYaST profile 47
Clone an Existing Machine Tools Create Reference Profile File Save 48
AutoYaST Profile Plain text, XML Can be customized using: YaST Autoinstallation Module Text Editor (vi, emacs, kate, etc.) Experiment with the Autoinstallation module and view the changes made in the XML 49
Sample AutoYaST Profile <?xml version="1.0"?> <!DOCTYPE profile> <profile xmlns="http://www.suse.com/1.0/yast2ns" xmlns:config="http://www.suse.com/1.0/configns"> <users config:type="list"> <user> <username>root</username> <user_password>myrootpassword</user_password> <encrypted config:type="boolean">false</encrypted> </user> </users> </profile> 50
AutoYaST Profile (cont d) Most often changed settings <software> Selecting patterns is usually enough Individual packages can be selected if necessary <partitioning> Change <size> to fixed size for swap and other partitions (ie 2GB) and auto to span the remainder of the disk When profile was created as a machine clone, review the whole profile and remove any machine-specific settings 51
Starting AutoYaST installation install=http://hostname/path/to/dvd1 autoyast2=http://hostname/path/to/profile.xml 52
Booting Installation from Network 53
Preboot Execution Environment (PXE) Part of the firmware of most modern network cards, PXE leverages DHCP (Dynamic Host Configuration Protocol) to find an available PXE server to download a network bootstrap program (NBP) to the computer's RAM using TFTP (Trivial File Transfer Protocol). Once in RAM, the NBP can execute and download installation or other software, removing the need for installation media. 54
Setting Up a PXE Server Find out the requirements Different bootloader needed for legacy, uefi, SecureBoot, Install respective packages (DHCP server, TFTP, bootloader, xinetd) Copy the Linux kernel and initrd (initial ramdisk) from the source media (or installation directory): cp boot/x86_64/loader/linux /srv/tftpboot cp boot/x86_64/loader/initrd /srv/tftpboot Similarly for other architectures 55
Setting Up a PXE Server (cont d) Configure the TFTP server YaST can help you Create directory structure to hold the boot loader, kernel, initrd and config files Configure the DHCP server Following options need to be set: allow booting; allow bootp; next-server 172.17.2.70; #TFTP server IP filename "pxelinux.0"; #path on TFTP server May need to be set differently for different hosts 56
Upgrade with AutoYaST 57
Upgrade with AutoYaST Possible upgrade paths From SLES11 to SLES12 From one SLES12 service pack to a newer one Boot options autoupgrade=1 autoyast2=http://example/autoinst.xml autoupgrade=1 and leave the profile in the root of the system 58
New Sections in AutoYaST profile upgrade software networking backup 59
New Sections in AutoYaST profile (cont d) <upgrade> <only_installed_packages config:type="boolean"> false </only_installed_packages> <stop_on_solver_conflict config:type="boolean"> true </stop_on_solver_conflict> </upgrade> 60
New Sections in AutoYaST profile (cont d) <software> <packages config:type="list"> <package>autoyast2-installation</package> </packages> <patterns config:type="list"> <pattern>base</pattern> </patterns> <remove-packages config:type="list"/> <remove-patterns config:type="list"/> </software> 61
New Sections in AutoYaST profile (cont d) <networking> <keep_install_network config:type="boolean"> true </keep_install_network> </networking> 62
New Sections in AutoYaST profile (cont d) <backup> <sysconfig config:type="boolean">true</sysconfig> <modified config:type="boolean">true</modified> <remove_old config:type="boolean">false</remove_old> </backup> 63
Booting AutoYaST upgrade 64
AutoYaST Upgrade Summary 65
AutoYaST Upgrade: Dependency conflicts Dependency conflicts quite likely Require manual intervention Find adjusted profile in the system after upgrade 66
Session References TUT88423 - Upgrading SLES 11 to SLES 12 TUT88693 - System Security Hardening HO88467 - SUSE Manager for Dummies v.3 67