Blog Entry
In most corporate environments web proxies are implemented as part of an overall security requirement. When implementing a SLES server it is just as important, from a security standpoint, to keep the server patched up to date. Being able to set the server to register and update from the command line did not seem possible until I discovered the following method.
1. The suse_register script, which is used to perform the server registration, uses curl in order to interact with the Novell website. The first step is therefore to tell curl to use the proxy, which is done by creating the file /root/.curlrc and adding the following content. Obviously the settings in the file must correspond to the settings required in your environment.

    proxy = "https://10.10.2.10:8080"
    proxy-user = "username:password"

2. Run suse_register as normal. The registration will appear to fail. What's happening in the background is that the server is being registered, but is not able to subscribe to the software update channels.
3. RCD (Red Carpet Daemon) is the background process which keeps track of available updates and listens for update commands from rug. Use the following commands after registering the server in order to set RCD to go through the proxy:

    rug set proxy-url https://10.10.2.10:8080
    rug set proxy-username username
    rug set proxy-password password

4. Initiate a rug refresh so that the available channels can be picked up:

    rug ref

5. Check which channels are available.

    rug ca

6. Subscribe to the appropriate channels, for example:

    rug sub SLES10-SP2-Updates

7. Retrieve the available updates.

    rug up

One could suggest that step 3 gets done before step 2 in order to make the process more efficient. Unfortunately this doesn't work: suse_register appears to overwrite whatever settings are already in place for RCD. It'd be great if suse_register could take options which allow this all to be done in one shot. At the time of writing this, suse_register does allow a full registration process to be completed through an unauthenticated proxy (if you configure a proxy through YaST before doing the registration), but not an authenticated proxy.
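
The steps above as one script, in the order the post requires (suse_register first, then the rug proxy settings). This is an added example, not part of the original post; the function names, the CURLRC, PROXY_* and CHANNEL variables and the --run switch are assumptions. Because /root/.curlrc holds the proxy password, the script restricts the file to mode 600 before writing to it.

```shell
#!/bin/sh
# Added example (not from the original post): the post's steps in one script.
# Assumed names: write_curlrc, register_via_proxy, CURLRC, PROXY_*, CHANNEL, --run.
CURLRC=${CURLRC:-/root/.curlrc}

# Escape backslashes and double quotes for a quoted .curlrc value.
curlrc_quote() { printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'; }

# Step 1: write the curl config read by suse_register. The file holds the
# proxy password, so it is restricted to its owner before anything is written.
write_curlrc() (
    path=$1
    umask 077
    : >> "$path"          # create if missing, without truncating
    chmod 600 "$path"     # tighten a pre-existing, looser file
    printf 'proxy = "%s"\nproxy-user = "%s"\n' \
        "$(curlrc_quote "$2")" "$(curlrc_quote "$3:$4")" > "$path"
)

# Arguments: proxy URL, proxy user, proxy password, channel to subscribe to.
register_via_proxy() (
    set -e
    write_curlrc "$CURLRC" "$1" "$2" "$3"

    # Step 2: registration appears to fail behind the proxy; carry on.
    suse_register || echo "suse_register exited with $?, continuing" >&2

    # Step 3: must come after suse_register, which overwrites RCD's settings.
    rug set proxy-url "$1"
    rug set proxy-username "$2"
    rug set proxy-password "$3"

    rug ref          # refresh so the available channels are picked up
    rug ca           # list the available channels
    rug sub "$4"     # subscribe, e.g. SLES10-SP2-Updates
    rug up           # retrieve the available updates
)

# Runs only when invoked with --run and the four variables set.
if [ "${1:-}" = "--run" ]; then
    : "${PROXY_URL:?}" "${PROXY_USER:?}" "${PROXY_PASS:?}" "${CHANNEL:?}"
    register_via_proxy "$PROXY_URL" "$PROXY_USER" "$PROXY_PASS" "$CHANNEL"
fi
```

Note that the password passed to rug set proxy-password is a command-line argument, so it is visible in the process list while that command runs.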
User Comments
Something we are now using
Submitted by currin on 12 October 2009 - 8:17am.
Hey Dude
Dunno if you have checked out Novell's SMT (Subscription Management Tool). If not - you really must !!!
It is the best thing since sliced bread, as the saying goes, we are using it to patch all our OES & SLES boxes now, and will be adding SLED if we find the need, it can also do RHEL but we haven't got the subscription for that option.
Check this URL for a pretty thorough overview: http://www.novell.com/communities/node/5922/keep-y...
Another option I would have tried is running a CNTLM proxy on the box while I needed to connect and then just point your proxy at localhost, but accomplished pretty much what you did anyway.
Cheers
Agreed
Submitted by preycor on 12 October 2009 - 11:00pm.
I agree that the Subscription Management Tool (SMT) is an excellent way of facilitating patch management. I implemented a previous version of it in May and haven't had the chance to look at upgrading it to the latest iteration which includes integration with the Novell Support Advisor.
When deploying the SMT, the instructions in this post can help for the SMT server itself. The other internal servers will more than likely only need to access the SMT server and therefore probably won't need to access through an authenticated proxy.
What about BorderManager?
Submitted by abrahamr on 25 October 2009 - 2:06pm.
Does anyone know how to get around the issue if you have BorderManager? Client trust does not work on Linux.
The only way I can suggest
Submitted by preycor on 27 October 2009 - 6:02am.
The only way I can suggest is to set up a filter on your NBM box which allows access to the outside world via HTTP/HTTPS from your server IP range. This will be a global setting and I don't think it'll be logged by NBM.