Release notes for Uyuni Proxy

Deploying Proxy and Retail Branch Servers as containers is now also possible using a Helm chart.

For more information check this README file. The information will be part of the Uyuni official documentation in a future release.

WARNING: The container images configuration has a new format and it is now packaged as tar.gz file. All previously deployed container Proxies and Retail Branch Servers will need to get their configuration regenerated and deployed again before pulling these images.

WARNING: This release updates the base OS from openSUSE Leap 15.3 to openSUSE Leap 15.4 and there are special steps required. You need at least Uyuni 2021.06 already installed to perform the upgrade, and you need to follow the (major upgrade procedure for the Proxy. More details are also available at the "Update from previous versions of Uyuni Proxy" section below.

WARNING: This release updates the Salt version for master and minions to a next major release. Make sure you update the Uyuni Server before updating the proxies, as backward compatiblity of minions against an older master is not guaranteed

WARNING: With Uyuni 2021.12, we announced the future deprecation of the Traditional client tools. Uyuni 2022.06 is the last release that supports them. Starting with Uyuni 2022.08, the traditional client tools will be deprecated as we will start removing the code at some point after the summer. Do not use the traditional stack for any new deployments of clients or proxies, and start migrating your traditional clients to Salt.

The base system has been upgraded to openSUSE Leap 15.4.

Salt has been upgraded to upstream version 3004, plus a number of patches, backports and enhancements by SUSE, for the Uyuni Manager Server, Proxy, and Client Tools.

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3004 upstream release notes.

Salt Bundle 3004 will be available for all supported clients.

The non-bundle version of Salt requires Python3 instaled by default, so it will not be available for:

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Uyuni 2022.04 allows enabling HSTS. Which means each request will need to be HTTPS while plain HTTP requests will be rejected.

To enable it for the Uyuni Proxy:

IMPORTANT: If you enable HSTS while using the default SSL certificate generated by Uyuni, or a self-signed certificate, some browsers will refuse to connect using HTTPS unless the CA used to sign such certificates is trusted by the browser. If you are using the SSL certificate generated by Uyuni, you can trust it at the servers by using the file located at `http://<UYUNI-PROXY-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT

We highly encourage you to migrate your workload to a newer version of each distribution, or to an alternative distribution that is still supported, so you can continue managing your infrastructure with Uyuni.

Please note that we will not break things on purpose for these unsupported products, and there is a possibility that they could still continue to work. But if things break, there will not be any support provided, not even on a best-effort basis, unless someone from the community can step in.

Uyuni 2022.02 updates Prometheus from version 2.27.1 to 2.32.1.

The new version contains some breaking changes that need to be addressed after the Uyuni Server is updated.

Breaking changes:

Important changes:

Check the upstream changelog for more details on what has changed.

It is now possible to change the proxy used by an Uyuni client using the WebUI.

This can be done from the Connection tab at the Details tab for any Salt client, using the new link Change to change the connection type.

Using System Set Manager is supported as well, and can be done from the Misc tab, and then Proxy tab.

NOTE: Changing the connection for a Proxy to move it, is not supported at this moment. The Connectiontab will not show the Change link for proxies.

Salt Bundle is a single package called venv-salt-minion containing the Salt Minion, Python and all Python modules. It is exactly the same version and codebase for the current salt-minion RPM package.

The Salt Bundle can be used on systems that already run another Salt Minion, that do not meet Salt’s requirements or already provide a newer salt version that is used instead of the version provided by Uyuni.

Starting with Uyuni 2021.12, Uyuni is able to bootstrap systems with Salt Bundle for all the supported operating systems.

On bootstrapping new proxies the Salt Bundle package will be used instead of salt-minion, if the package venv-salt-minion is present in the bootstrap repo.

Proxies already registered will not be changed, but can be switched to Salt Bundle with applying the state util.mgr_switch_to_venv_minion to them.

CentOS 8 will be End of Life on December 31st, 2021. Uyuni support for this product will end as well.

Please refer to support section for more information.

With Uyuni 2021.12, we announced the future deprecation of the Traditional client tools.

Uyuni 2022.06 is the last release that supportes them.

Starting with Uyuni 2022.08, the traditional client tools will be deprecated as we will start removing the code to support them at some point after the summer.

Do not use traditional for any new deployments of clients or proxies, and start migrating your traditional clients to Salt.

From this version, the Prometheus package will also be available for Uyuni Proxy and Retail Branch Server.

In case you plan to use the branch server or proxy as a monitoring server with Prometheus, be aware that Prometheus demands additional hardware resources.

The Ansible package will also be available for Uyuni Proxy and Retail Branch Server, which makes it possible to use Uyuni Proxy and Retail Branch Server as Ansible control Node.

When making Uyuni Proxy or Retail Branch Server an Ansible control Node, the extra load can affect the performance of this critical component. Bad performance of the Branch Server can further affect attached clients.

WARNING: This release updates the base OS from openSUSE Leap 15.2 to openSUSE Leap 15.3 and there are special steps required. You need at least Uyuni 2020.07 already installed to perform the upgrade, and you need to follow the (major upgrade procedure for the Proxy. More details are also available at the "Update from previous versions of Uyuni Proxy" section below.

Salt has been upgraded to upstream version 3002, plus a number of patches, backports and enhancements by SUSE, for the Uyuni Server, Proxy and Client Tools (where the client operating system supports Python 3.5+; otherwise Salt 3000 or 2016.11 are used).

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3002 upstream release notes and Salt 3001 upstream release notes.

The base system was upgraded to openSUSE Leap 15.3.

The Uyuni Proxy and Retail Branch Server can now be installed on top of openSUSE Leap 15.3 JeOS edition.

Bootstrap scripts can include an activation key to directly assign software channels, configuration channels, entitlements, etc to a system while registering.

Reactivation keys can be used to re-register a previously registered client and regain all Uyuni settings. For example, to move clients registered to the Uyuni Server to being registered through an Uyuni Proxy (or Retail Branch Server), when reinstalling, and in some other cases.

Uyuni now supports the combination of reactivation keys and bootstrap scripts. Specify a reactivation key in the bootstrap script to re-register systems. For example, if your Uyuni Server has too many clients directly attached and you want to bulk move them to a Uyuni Proxy (or Retail Branch Server).

Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. This is commonly used to generate SSL certificates that protect multiple domains with a single certificate.

These kinds of certificates are becoming popular amongst users with their own Certificate Authority, so we have implemented support.

This release includes the fixes for CVE-2020-28243, CVE-2020-28972, CVE-2021-3148, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283, CVE-2021-3144, CVE-2021-25284, CVE-2021-3197 and CVE-2020-35662

The fixes affect your Uyuni Server, Proxy, Retail Branch Server and Salt minions, so we recommend appling the fixes as soon as possible.

This release includes the fixes for CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592 that we already released on November 16th for Uyuni 2020.09

You should patch all your Uyuni Server, Proxy, and Salt minions as soon as possible.

With the update of ISC bind to version 9.16.6 on openSUSE Leap 15.1 and openSUSE Leap 15.2, DNSSEC is now enabled by default, which may cause DNS resolution to fail unless there are fallback DNS servers.

The Retail Branch Server formula has been modified to disable DNSSEC, and will be updated to support DNSSEC in a future release of Uyuni. For existing Retail Branch Servers, you can disable DNSSEC to retain the same behaviour ISC bind showed until version 9.11.2. To do that, edit /etc/bind and set:

Salt has been upgraded to upstream version 3000, plus a number of patches, backports and enhancements by SUSE, for the Uyuni Server, Proxy and Client Tools. In particular, CVE-2020-11651 and CVE-2020-11652 fixes are included in our release.

As part of this upgrade, cryptography is now managed by the Python-M2Crypto library (which is itself based on the well-known OpenSSL library).

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt upstream release notes 3000

Please note Salt 3000 is the last version of Salt which will support the old syntax of the module.run module.

The base system was upgraded to openSUSE Leap 15.2.

The Uyuni Proxy and Retail Branch Server can now be installed on top of openSUSE Leap 15.2 JeOS edition.

The Uyuni Proxy can now be installed on top of openSUSE Leap 15.1 JeOS

RHEL, SLES ES, CentOS and Oracle Linux 8 appstreams can now be mixed and converted to flat repositories using a new type of CLM filter.

The dhcp formula, branch network formula and pxe formula have been updated to support booting EFI terminals (systems) via HTTP in addition to TFTP.

Uyuni is now changing from X.Y version format to YYYY.MM format, and the URLs for the repositories remove the X.Y part.

This will allow easier releases, no need to change URLs at all in the future, and less confussion regarding the relationship between Uyuni and SUSE Manager (Uyuni is always ahead).

CentOS 8, Red Hat Enterprise Linux 8 and SUSE Linux Enterprise Server Expanded Support 8 are now supported clients as Salt minions. The traditional stack will not be supported on these operating systems.

With the new application streams concept introduced in these operating systems, you will need to import both the BaseOS and the AppStream directories from the ISO image for the bootstrap repository to be created correctly. If the AppStream directory is not imported, you will receive an error about missing Python 3 packages.

AppStream awareness in the UI and Content Lifecycle Management will be available in an upcoming version of Uyuni.

This version of Uyuni includes formulas to install Prometheus and Grafana, and makes the Apache exporter available for Ubuntu 18.04, CentOS6, CentOS7 and Proxy.

SUSE Package Hub is now supported on the Server, since the problems with the search that were caused by PackageHub-provided packages have been solved.

If you were using Package Hub as a source of packages for you clients, it is recommended that you re-generate all package metadata. The reason for this is in the Package Hub repositories there may exist multiple packages with the same NEVRA but different checksums. This might result in checksum errors when repositories are used on the clients as Uyuni randomly selected any of those packages. After this update, Uyuni will generate the checksum into the package path to ensure the right package is used. If you use also Uyuni Proxy please update all of them before you re-generate the metadata.

The cpu-mitigations-formula is now installed by default.

The Retail branch network formula now works all SUSE and openSUSE based distros, using SuSEfirewall or firewalld as appropriate.

The Uyuni documentation has received improvements in all of the books, with small clarifications and enhancements all around: content lifecycle management filters, public cloud, JeOS, retail images and formulas, etc

Of particular interest for users with large installations will be the new Large Scale Deployment and Salt Tuning sections in the Salt Guide. Given that modifying advanced parameters can cause catastrophic failure, we recommend making a backup and being conservative doing changes.

Additionally, the search functionality in the documentation now works offline.

We now include packages for the latest version of Prometheus.

Some exporters will be pre-installed on Uyuni Proxy as part of its self-monitoring features. They will provide hardware, operating system, and HTTP Proxy metrics.

Formulas used to operate a Uyuni for Retail Branch Server were updated to support a SUSE Linux Enterprise 15 SP1 environment.

During installation of Uyuni Retail Branch Server the secondary network interface, intended to be used for the terminal network, may be configured and bound to a firewall zone. This zone binding can interfere with the configuration of Retail services, and could result in you being unable to apply the highstate.

To avoid this problem, ensure that:

Do this by running these commands before you apply the retail formulas:

This example assumes eth0 is the primary interface and eth1 the secondary terminal interface.

Salt has been upgraded to the 2019.2.0 release.

We intend to regularly upgrade Salt to more recent versions.

For more information about changes in your manually-created Salt states, see the Salt upstream release notes 2019.2.0.

The base system was upgraded to openSUSE Leap 15.1. As a result, all code was ported to run with Python 3.