SUSE Manager Server 5.0

SUSE Manager 5.0 represents a significant evolution with its delivery in containers, offering enhanced modularity and efficiency. In version 4.3, the SUSE Manager Proxy and Retail Branch Server were containerized. However, with this release, the SUSE Manager Server is now delivered in containers.

This shift allows for improved portability, simplifying deployment and management in modern container-centric environments. By containerizing the Server, flexibility is increased and it becomes easier to adapt to various infrastructure setups. This is the first step toward further modularization, preparing SUSE Manager Server for resilience and scalability. Future versions of SUSE Manager are expected to continue this journey.

Containerization streamlines deployment and management processes, resulting in better resilience and improved infrastructure availability. These changes reflect a commitment to delivering a more adaptable and efficient solution for managing different environments.

These enhancements are expected to greatly benefit users, providing them with a more flexible and efficient SUSE Manager.

AppStreams in Red Hat Enterprise Linux (RHEL) are repositories that provide curated software packages, solving the problem of discovering and installing applications, libraries, and development tools efficiently on RHEL systems while simplifying the required list of RPM repositories.

However, SUSE Manager has been supporting RHEL 8 and RHEL 9 by removing modular data from the AppStream. This process involved flattening the repository by removing the modular data, essentially reverting it to a traditional repository format.

With SUSE Manager 5.0, we will be removing this limitation so SUSE Manager can natively support AppStreams. This enhancement will significantly improve the user experience, enabling users to manage systems consistently both from SUSE Manager and directly from the clients using DNF.

Confidential Computing is becoming increasingly crucial in our industry. While there is significant ongoing work in the industry and within SUSE on this topic, SUSE Manager will play a role in aiding confidential computing attestation. We will adopt a phased approach, starting with a small-scale implementation and gradually expanding. Initially, our offering will be exclusively on AMD-based hardware, aligning with available tools.

SUSE Manager’s CVE audit feature scans systems and images for known security vulnerabilities (CVEs), providing administrators with visibility and enabling prioritization and mitigation based on severity. Previously, it relied on channel metadata to determine system vulnerability, leading to limitations in distinguishing between unaffected systems and those lacking needed patches.

To expand this, we are enhancing the approach by integrating OVAL data provided by the upstream. This helps us avoid false positives and allows for system scanning without the need to synchronize channels. Channel information will continue to be for patch application and remediation.

With the release of SUSE Manager 5.0, the platform now supports next-generation SL Micro 6.0, SLE 15 SP6 family, and Liberty 7 LTSS, allowing for centralized management of Enterprise Linux distributions irrespective of their location.

SUSE Manager now boasts management capabilities for various distributions, such as SUSE Linux Enterprise Server, SUSE Linux Enterprise Server for SAP Applications, SUSE Linux Enterprise Server Micro, Red Hat Enterprise Linux, openSUSE, SUSE Liberty Linux, Oracle Linux, CentOS, AlmaLinux, Rocky Linux, Ubuntu, Debian, and Amazon Linux.

SUSE Manager 5.0 will introduce a standalone Health Check tool. This tool provides a detailed dashboard, metrics, and logs from a SUSE server, showcasing its current health status. Users can efficiently evaluate the health of their running instance and identify any potential errors for effective troubleshooting.

SUSE Manager 5.0 will not be a base product. Instead, it will be an extension for SUSE Linux Enterprise Micro 5.5, provided through the SUSE Customer Center. This extension will include all the necessary tools to install and manage SUSE Manager. It is compatible with SUSE Enterprise Linux Micro 5.5 and supports x86_64, s390x, IBM POWER (ppc64le) and now also ARM64 (AArch64) architectures.

SUSE Manager Server, Proxy, and Retail Branch Server will be delivered in containers, accessible from the SUSE Registry.

Only the containerized versions of SUSE Manager Server, Proxy and Retail Branch Server will be available for SUSE Manager 5.0.

No separate subscription is required for SUSE Linux Enterprise Micro. Additionally, VM images are provided for simplified setup, featuring preloaded configurations for easy customization.

Currently, the PostgreSQL database is locally deployed within the same container environment as the Server. In an upcoming version of SUSE Manager, we are considering adding support for remote PostgreSQL databases.

For more details on system requirements, see the Installation Guide on https://documentation.suse.com/suma/5.0/.

Please be aware that an in-place upgrade from SUSE Manager Server 4.3 is not supported. However, SUSE Manager 5.0 comes equipped with the necessary tools to streamline the migration process. This involves running both versions in parallel and transferring data from the existing 4.3 Server to the new 5.0 Server though.

Once the migration is complete, all connected clients will seamlessly continue to run without any changes.

For detailed instructions on upgrading, please refer to the Upgrade Guide available at https://documentation.suse.com/suma/5.0/.

SUSE Manager 5.0 will come with virtual machine images tailored for KVM and VMware. These images will support x86_64, s390x, IBM POWER (ppc64le), and now also ARM64 (AArch64) architectures.

These virtual machine images provide pre-configured environments that can be quickly deployed in KVM and VMware environments, saving time and effort in setting up virtual machines from scratch.

Using these images is the recommended and supported method for deploying new instances of SUSE Manager Server on these platforms.

For detailed instructions, see the Deploy as a Virtual Machine section in the official documentation.

SUSE Manager 4.3 was built on SUSE Linux Enterprise 15 SP4. SUSE Manager 5.0, moves to SUSE Linux Enterprise Micro 5.5 as the container host system. This change was made because SLE Micro is designed for container workloads and has a longer lifecycle. The SLE Micro subscription for the Server will be included in the SUSE Manager subscription, eliminating the need for customers to purchase the underlying OS subscription separately.

The supported container host is SLE Micro 5.5, while the image itself will be based on bci-init image, which is then based on SLES 15 SP6.

SUSE Manager 5.0, continues to use Salt 3006.0. It is considered by upstream to be a long-term support (LTS) version. Our plan is to upgrade to the next LTS version, which will be 3008.0 when available. Short-term support (STS) versions of salt are not supported for use with SUSE Manager.

Throughout this process, all critical bug fixes, including CVEs, L3 fixes, and essential features needed for SUSE Manager, will be provided.

The database engine has been updated from PostgreSQL 14 to PostgreSQL 16, which brings a number of performance and reliability improvements. A detailed changelog is available upstream.

In SUSE Manager 5.0, we’re upgrading to the next LTS version of Java, which is Java 17. This update brings several new features, security enhancements, including support for new TLS versions and improved certificate validation.

For more information on this topic, see https://www.oracle.com/java/technologies/javase/17-relnote-issues.html

SUSE Manager 5.0 supports an even wider range of operating systems as clients. The following additional OS releases will be supported in SUSE Manager 5.0.

For more information about the registration process, refer Registration section, and for more information about supported features, consult Supported Features.

Following the integration of modularity and modular repositories in Red Hat Enterprise Linux and its derivatives, SUSE Manager initially implemented modularity through Content Lifecycle Management (CLM) and the introduction of AppStream filters. These filters effectively removed the modularity features from a repository by flattening it, enabling consumption through the SUSE Manager UI and API. However, this approach introduced complexity and limited functionality, prompting the need for a more comprehensive solution.

With this milestone, we have eliminated the restriction on flattening the AppStream repositories. This enhancement allows users to manage their clients, both from SUSE Manager and directly from the client using DNF if necessary.

Additionally, a new UI page has been introduced under System > Software > AppStreams. This page enables users to select the modules and their respective streams they wish to enable/disable on the client.

SUSE Manager 5.0 also introduces two new API namespaces: channel.appstreams and system.appstreams. These namespaces provide different endpoints that can be used to retrieve more information about available module streams, and enable or disable them on a specific system using API.

For further details about these endpoints, please refer to the SUSE Manager API Documentation.

SUSE Manager will be assisting in supporting Confidential Computing Attestation, specifically for AMD SEV-SNP clients. This functionality is compatible with hardware featuring either an AMD EPYC Milan CPU or an AMD EPYC Genoa CPU. Additionally, there is a Secure Boot module that handles the Secure Boot check in the context of Confidential Computing Attestation. For the Secure Boot module, offline RPMs for aarch64, ppc64le, and s390x will be made available with the next MU 5.0.1, while the RPM for x86_64 is already available.

SUSE Manager offers both a user-friendly UI and API to simplify the utilization of this feature for users.

For more information, please refer to the Confidential Computing

SUSE Manager 5.0 also comes with new state to update Salt in recurring states. Additionally, we enhance the detection of needed reboots and the update-to-date state.

These improvements have led to the update of a common workflow for keeping the system up to date with SUSE Manager.

For more information, please refer to Clients Update Using Recurring Actions workflow in the official documentation.

A new API endpoint, System.getRelevantErrata , has been introduced. This endpoint accepts a list of systems and returns all errata relevant to those systems.

For further details about these endpoint, please refer to the SUSE Manager API Documentation

Repositories are now kept strictly in sync with the upstream repository. For example, when a package is removed from the upstream repo, it is also removed from the channel directly connected to that repo. Cloned channels will remain unchanged unless the admin syncs them with the original parent channel.

Users can disable this behavior for custom channels; however, it cannot be changed for vendor channels.

Although SUSE Manager Server 5.0 works with SUSE Manager Proxy 4.3 and SUSE Manager Retail Branch Server 4.3, we highly recommend upgrading your Proxy and Retail Branch Server when feasible. The product is designed for optimal performance when used in a scenario where all components — SUSE Manager Server, SUSE Manager Proxy, and Retail Branch Server — are of the same version. It’s generally advised to avoid using mixed versions long-term in production environments.

When upgrading, upgrade the SUSE Manager Server first, followed by the SUSE Manager Proxy and Retail Branch Servers.

For instructions on upgrading when SUSE Manager Proxy or SUSE Manager Retail Branch Servers are in use, see the Upgrade Guide on https://documentation.suse.com/suma/5.0/.

When upgrading, upgrade the ISS master first, followed by the ISS slaves.

When handling Service Requests, supporters and engineers may ask for the output of the supportconfig tool from SUSE Manager Server or clients.

This disclaimer applies:

When you run supportconfig or mgradm support, the output will contain information about your clients as well as about the Server. In particular, debug data for the subscription matching feature contains a list of registered clients, their installed products, and some minimal hardware information (such as the CPU socket count). It also contains a copy of the subscription data available from the SUSE Customer Center.

If this is a concern, please prune data in the subscription-matcher directory in the spacewalk-debug tarball before sending it to SUSE.

All software components embedded into SUSE Manager, like Cobbler for PXE booting, are only supported in the context of SUSE Manager. Stand-alone usage (e. g. Cobbler command-line) is not supported.

The SUSE Manager engineering team provides 'best effort' support for products past their end-of-life date. For more information about product support, see Product Support Lifecycle.

Support for products that are considered past their end-of-life is limited to assisting you to bring production systems to a supported state. This could be either by migrating to a supported service pack or by upgrading to a supported product version.

SUSE Manager supports SUSE Liberty Linux 7, 8 and 9. SUSE Liberty Linux clients are sometimes also called SUSE Linux Enterprise Server with Expanded Support (SLESES) or simply RES.

SUSE has offered LTSS support for SUSE Liberty Linux 7, and SUSE Manager will continue to support it throughout the LTSS phase.

For a detailed list of supported features, check the Client Configuration Guide.

SUSE Manager supports RHEL/Oracle Linux 8 and 9.

SUSE Manager has the ability to mirror all entitled content for the supported operating systems. Although SUSE Manager doesn’t assign content for specific systems using subscription-manager, it does rely on it initially to retrieve the list of repositories that are available. By utilizing the same EUS channels that Red Hat provides, customers can limit content to individual dot releases.

CentOS Stream is explicitly not supported by SUSE.

Note: Direct sync’ing ULN repos with SUSE Manager are not currently supported. An Oracle Local Distribution for ULN must be used. To set up a local ULN mirror, please consult the Oracle documentation provided at the following link

SUSE Manager supports Rocky Linux 8/9 and AlmaLinux 8/9.

For a detailed list of supported features for AlmaLinux, check the Client Configuration Guide. For a detailed list of supported features for Rocky Linux, check the Client Configuration Guide.

SUSE Manager supports Ubuntu 20.04 LTS and 22.04 LTS clients using Salt.

Support for Ubuntu is limited to a growing list of specific features. For a detailed list of supported features, check the Client Configuration Guide.

SUSE Manager supports Debian 12 "bookworm" & Debian 11 "bullseye" clients using Salt.

Support for Debian is limited to a growing list of specific features. For a detailed list of supported features, check the Client Configuration Guide.

For RHEL and CentOS clients on the ppc64le architecture, SUSE Manager offers the same functionality that is supported for the x86_64 architecture. Client tools are not available yet from SCC but the CentOS 7 client tools from Uyuni can be enabled using spacewalk-common-channels. There’s no CentOS 8 support.

RHEL and CentOS ppc64le are only supported at L1 level support. L1 support is limited to problem determination, which means technical support designed to provide compatibility information, usage support, on-going maintenance, information gathering, and basic troubleshooting using available documentation. At the time of writing, any problems or bugs specific to RHEL and CentOS on ppc64le will only be fixed on a best-effort basis.

Please contact your Sales Engineer or SUSE Consulting if you need additional support or features for these operating systems.

SUSE provides scap-security-guide package for different OpenSCAP profiles. In the current version of scap-security-guide, SUSE supports the following profiles:

Other profiles, like the CIS profile, are community supplied and not officially supported by SUSE.

For Non-SUSE OSs, please note that the included profiles are community supplied and not officially supported by SUSE.

To effectively manage your SUSE Manager environment via the Web UI, it’s essential to use an up-to-date web browser. SUSE Manager is compatible with:

Please note that Windows Internet Explorer is not supported. The SUSE Manager Web UI may not render correctly when accessed through Windows Internet Explorer.

Please refer to the General Requirements for a list of supported browsers.

The only supported methods for installing SUSE Manager is by utilizing images provided by SUSE, or the tools provided in the SUSE Manager 5.0 Extension, on top of SUSE Linux Enterprise Micro 5.5.

In an IPv6-enabled environment, migrating from a 4.3 server to a new 5.0 server might result in Salt connections to ports 4505 and 4506 on the new server being refused.

Workaround: Inside the container, make sure /etc/salt/master has the following configuration:

Monitoring is currently unavailable on SUSE Linux Micro 6.0 clients. We are working on it and expect it to be resolved with upcoming maintenance updates.

Currently, there are some issues with migrating from SLE Micro 5.5 to SUSE Linux Micro 6.0. Before a migration, users need to manually import the ALP key for SUSE Linux Micro 6.0 into SLE Micro 5.5 and additionally sync the SUSE Linux Extras 6.0 module too. This is a known bug, and once fixed, these manual steps will no longer be necessary.

If both salt-minion and venv-salt-minion are installed on the client, the product migration will currently be blocked unless both are upgraded first if updates are available, even if only one is being used by SUSE Manager to manage the system. We are working on a fix to identify and block only when necessary. For now, users need to upgrade both packages before proceeding with the migration.

In some cases, the action for product migration from SLES 15 SP3 minion to SLES 15 SP4 fails with the error message Unable to parse migration result, even though the actual migration was successful.

We are investigating this issue. For now, if the migration was successful, you can ignore this message.

SUSE Manager 5.0 vm images already include these scripts. However, if you choose not to use the VM images, the scripts are not currently available as a separate package. They will be delivered with the next MU. We highly encourage using the SUSE Manager 5.0 images to avoid such issues.

If, after PXE booting and rebooting, the SLES 12 SP5 terminal gets stuck at the "GRUB" message, users need to use the latest profile available in the SUSE/manager-build-profiles repository.

The Salt SSH execution utilized during the onboarding process may face inconsistencies if a Salt Minion or the Salt Bundle is already present on the Minion, which could potentially result in onboarding failure.

Workaround: If the salt-minion or venv-salt-minion packages are already installed, remove them, and then proceed to onboard the SUSE Linux Enterprise Micro or openSUSE Leap Micro system.

The mgrpush tool will be functional only from the client side. Although it remains on the Server for the time being, it will no longer function and will eventually be removed.

The mgr-bootstrap tool has been taken out from the Proxy and will be removed from the Server as well in future. Overall, several tools on both the Server and Proxy will be phased out in favor of the API or integrated into mgrpxy/mgradm.

If users wish to create a bootstrap script to register against the Proxy, they can do so using the following command from the Server container:

If users migrate from SUSE Manager 4.3 to 5.0, some services for Confidential Computing Attestation might not function properly due to a known bug that we are fixing. This will be addressed in the first maintenance update.

Workaround: After the migration, running the mgradm upgrade command will create the necessary services and resolve the issue.

Additionally, offline installation is currently not supported for Confidential Computing Attestation case. We expect this limitation to be addressed in the first Maintenance Update (MU).