AWS On-demand SUSE Subscription cannot access Public Cloud Update Infrastructure
This document (000019601) is provided subject to the disclaimer at the end of this document.
Environment
AWS on-demand image for SUSE Linux Enterprise Server
AWS on-demand image for SUSE Linux Enterprise Server for SAP Applications
AWS on-demand image for SUSE Linux Enterprise Server for SAP Applications
Situation
AWS on-demand SUSE Subscriptions are offered at either a flat, hourly rate with no commitment or through a one-time, upfront payment. Both purchase options include Amazon EC2 compute charges and SUSE subscription charges. Amazon tracks and bills customers who purchase SUSE Linux Enterprise Server (SLES) or SUSE Linux Enterprise Server for SAP Applications (SLES for SAP) subscriptions through AWS.
SLES and SLES for SAP are tracked using specific billing codes that are associated to the Amazon EC2 instance metadata. SLES uses the “billingProducts” field and SLES for SAP uses the “marketplaceProductCodes” to store the billing code`. A customer that purchases SUSE subscriptions through AWS, will have access to patches, updates and security fixes through the Public Cloud Update Infrastructure.
SUSE is working with Amazon Web Services to determine when the billing code will be validated so that only properly configured instances can access the Public Cloud Update Infrastructure. The billing code will be used to enable access to patches, updates and security fixes when using on-demand SUSE Subscription. If a customer’s EC2 instance(s) is missing the billing code and has access to the Public Cloud Update Infrastructure, the customer is out of compliance.
Below are the steps to determine if an instance is out of compliance:
1. Check to see if the billing code is present by running the command below on their EC2 instances:
curl http://169.254.169.254/latest/dynamic/instance-identity/document
The command will return the meta-data associated with the EC2 instance. If the value for the key “billingProducts” is null, then move to step 2.
"billingProducts" : null,
If the “billingProducts” value is “bp-6ca54005”, then your instance has the necessary entitlements and this article does not apply to the EC2 instance.
"billingProducts" : [ "bp-6ca54005" ],
2. Determine if the EC2 instance is connected to the Public Cloud Update Infrastructure by running “zypper lr --uri”. The URI column will list either “https://smt-ec2_susecloud_net” or credentials “plugin:/susecloud?credentials=SU…”
OR
3. If the “billingProducts” is null and “SMT-http_smt-ec2_susecloud_net” is listed and enabled as the Repository Index Service, then your system is out of compliance.
SLES and SLES for SAP are tracked using specific billing codes that are associated to the Amazon EC2 instance metadata. SLES uses the “billingProducts” field and SLES for SAP uses the “marketplaceProductCodes” to store the billing code`. A customer that purchases SUSE subscriptions through AWS, will have access to patches, updates and security fixes through the Public Cloud Update Infrastructure.
SUSE is working with Amazon Web Services to determine when the billing code will be validated so that only properly configured instances can access the Public Cloud Update Infrastructure. The billing code will be used to enable access to patches, updates and security fixes when using on-demand SUSE Subscription. If a customer’s EC2 instance(s) is missing the billing code and has access to the Public Cloud Update Infrastructure, the customer is out of compliance.
Below are the steps to determine if an instance is out of compliance:
1. Check to see if the billing code is present by running the command below on their EC2 instances:
curl http://169.254.169.254/latest/dynamic/instance-identity/document
The command will return the meta-data associated with the EC2 instance. If the value for the key “billingProducts” is null, then move to step 2.
"billingProducts" : null,
If the “billingProducts” value is “bp-6ca54005”, then your instance has the necessary entitlements and this article does not apply to the EC2 instance.
"billingProducts" : [ "bp-6ca54005" ],
2. Determine if the EC2 instance is connected to the Public Cloud Update Infrastructure by running “zypper lr --uri”. The URI column will list either “https://smt-ec2_susecloud_net” or credentials “plugin:/susecloud?credentials=SU…”
OR
3. If the “billingProducts” is null and “SMT-http_smt-ec2_susecloud_net” is listed and enabled as the Repository Index Service, then your system is out of compliance.
Resolution
There are two known options to bring the instance into compliance
Option 1:
Purchase SUSE subscriptions and register the purchased subscription on the EC2 instance using SUSEConnect. The customer will need to setup an update infrastructure or connect all EC2 instances to SUSE Customer Center.
Please, contact SUSE through e-mail/phone /post / etc….
Option 2:
Move the EBS volumes from a SLES EC2 instance without a billing code to a SLES EC2 Instance with a billing code.
This option requires you to create a new EC2 instance, which can cause the private IP address of the new EC2 instance to be different. Also, instance specific attributes (Placement Groups, Security Groups, Subnets, etc) will need to be checked before launching a new instance to make sure they are the same from the instance without a billing code.
Outlined below is the high-level procedure of how to perform this move:
a. Launch a new “target” SLES EC2 on-demand instance (i.e.: EC2 instance A). Please be sure to choose an instance type, VPC, Subnet (Availability Zone) and Security Groups that matches the instance type of the “source” EC2 instance with the missing AWS billing code (i.e.:EC2 instance X) as “EC2 instance A” will replace the “EC2 instance X”. Other attributes that you may want to check are:
b. It is recommended to create a new Amazon Machine Image (AMI) or EBS Snapshots from source “EC2 instance X” for backup purposes. Ensure the instance is stopped before taking the snapshot of a root volume.
c. Next detach the EBS volume(s) from target “EC2 instance A” and source “EC2 instance X”:
AWS Documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html
d. Attach the EBS volumes that were attached to source “EC2 instance X” to target “EC2 instance A”:
AWS Documentation :
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html
e. Start and login to target “EC2 instance A” and validate that the billing code is now associated to the instance (see Section 1 above).
f. In case you have questions please reach out to AWS for more information. Customers subscripted to an AWS Support plan can open support cases for technical assistance.
Option 1:
Purchase SUSE subscriptions and register the purchased subscription on the EC2 instance using SUSEConnect. The customer will need to setup an update infrastructure or connect all EC2 instances to SUSE Customer Center.
Please, contact SUSE through e-mail/phone /post / etc….
Option 2:
Move the EBS volumes from a SLES EC2 instance without a billing code to a SLES EC2 Instance with a billing code.
This option requires you to create a new EC2 instance, which can cause the private IP address of the new EC2 instance to be different. Also, instance specific attributes (Placement Groups, Security Groups, Subnets, etc) will need to be checked before launching a new instance to make sure they are the same from the instance without a billing code.
Outlined below is the high-level procedure of how to perform this move:
a. Launch a new “target” SLES EC2 on-demand instance (i.e.: EC2 instance A). Please be sure to choose an instance type, VPC, Subnet (Availability Zone) and Security Groups that matches the instance type of the “source” EC2 instance with the missing AWS billing code (i.e.:EC2 instance X) as “EC2 instance A” will replace the “EC2 instance X”. Other attributes that you may want to check are:
- Placement Groups
- Instance Termination Protection and Behavior
- Enhanced Monitoring
- CPU Options
- Tenancy
- IAM Profile, and
- Tags
b. It is recommended to create a new Amazon Machine Image (AMI) or EBS Snapshots from source “EC2 instance X” for backup purposes. Ensure the instance is stopped before taking the snapshot of a root volume.
c. Next detach the EBS volume(s) from target “EC2 instance A” and source “EC2 instance X”:
AWS Documentation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html
d. Attach the EBS volumes that were attached to source “EC2 instance X” to target “EC2 instance A”:
AWS Documentation :
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html
e. Start and login to target “EC2 instance A” and validate that the billing code is now associated to the instance (see Section 1 above).
f. In case you have questions please reach out to AWS for more information. Customers subscripted to an AWS Support plan can open support cases for technical assistance.
Additional Information
Formerly known as TID7024125
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:000019601
- Creation Date: 03-Apr-2020
- Modified Date:30-Jun-2021
-
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
