Version Revision History

  • 2023/04/21: 2023.04 release

  • 2023/03/02: 2023.03 release

  • 2023/01/30: 2023.01 release

  • 2022/12/20: 2022.12 release

  • 2022/11/21: 2022.11 release

  • 2022/10/14: 2022.10 release

  • 2022/08/10: 2022.08 release

  • 2022/06/26: 2022.06 release

  • 2022/05/10: 2022.05 release

  • 2022/04/29: 2022.04 release

  • 2022/03/31: 2022.03 release

  • 2022/02/28: 2022.02 release

  • 2022/01/28: 2022.01 release

  • 2021/12/09: 2021.12 release

  • Older versions up to 4.0.0

Stay informed

You can stay up-to-date regarding information about Uyuni:

Check the home site https://www.uyuni-project.org

Support

Uyuni is a community-supported project. The ways of contacting the community are available at the home site.

Release model

Uyuni uses a rolling release model: a given Uyuni version does not receive bug fixes. Instead, new versions are released frequently and include bug fixes and features.

Check the home site to get in contact with the community.

Major changes since Uyuni Server 2021.06

Features and changes

Version 2023.04

Monitoring
Grafana updated to version 8.5.22

This update fixes several security vulnerabilities:

  • CVE-2023-1410

  • CVE-2023-0507

  • CVE-2023-0594

  • CVE-2022-46146

This update does not include any breaking changes or features.

Check the upstream changelog for all the details.

Prometheus updated to 2.37.6

With Uyuni 2023.04, golang-github-prometheus-prometheus has been updated from version 2.32.1 to 2.37.6.

This version contains two noticeable changes related to TLS:

  • TLS 1.0 and 1.1 are disabled by default on the client side. Prometheus users can override this with the min_version parameter of tls_config.

  • Certificates signed with the SHA-1 hash function are rejected. This doesn’t apply to self-signed root certificates.
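
A pre-upgrade audit for both TLS changes, as an added example (not code from Uyuni or Prometheus): it flags min_version overrides that re-enable TLS 1.0/1.1 and classifies a certificate dump against the SHA-1 rule. The function names, sample host names and file paths are assumptions, the sample inputs are constructed, and "self-signed" is approximated as Subject equal to Issuer.

```shell
#!/bin/sh
# Added example: audit helpers for the two TLS changes in Prometheus 2.37.6.
# All sample data below is constructed; names and paths are placeholders.

# Read a Prometheus configuration on stdin and print, with line numbers,
# every tls_config min_version that re-enables TLS 1.0 or TLS 1.1.
weak_min_version() {
    grep -nE '^[[:space:]]*min_version:[[:space:]]*"?TLS1[01]"?[[:space:]]*(#.*)?$' || true
}

# Read `openssl x509 -noout -text` output on stdin and print one verdict:
#   ok                signature algorithm name does not contain SHA-1
#   sha1-rejected     SHA-1 signature on a certificate issued by another CA
#   sha1-self-signed  SHA-1 signature, Subject == Issuer (root exemption)
#   unknown           no signature algorithm found in the input
# Limitation: algorithms that do not name their hash (RSA-PSS) report "ok".
sha1_verdict() {
    awk '
        /Signature Algorithm:/ && alg == "" { alg = $NF }
        /^[ \t]*Issuer:/  { sub(/^[ \t]*Issuer:[ \t]*/, "");  issuer = $0 }
        /^[ \t]*Subject:/ { sub(/^[ \t]*Subject:[ \t]*/, ""); subject = $0 }
        END {
            if (alg == "")                               print "unknown"
            else if (tolower(alg) !~ /sha1/)             print "ok"
            else if (issuer != "" && issuer == subject)  print "sha1-self-signed"
            else                                         print "sha1-rejected"
        }'
}

# Constructed scrape configuration: one job overrides min_version downwards.
sample_config() {
cat <<'EOF'
scrape_configs:
  - job_name: node
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/ca.crt
      min_version: TLS10
    static_configs:
      - targets: ['legacy.example.test:9100']
  - job_name: postgres
    scheme: https
    tls_config:
      ca_file: /etc/prometheus/ca.crt
      min_version: TLS12
EOF
}

# Constructed excerpt of a certificate dump: SHA-1 leaf issued by a CA.
sample_leaf() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Internal CA
        Subject: CN = exporter01.example.test
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Constructed excerpt of a certificate dump: SHA-1 self-signed root.
sample_root() {
cat <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN = Example Legacy Root CA
        Subject: CN = Example Legacy Root CA
    Signature Algorithm: sha1WithRSAEncryption
EOF
}

# Real use (file name is a placeholder):
#   openssl x509 -in exporter.crt -noout -text | sha1_verdict
echo "min_version overrides below TLS 1.2:"
sample_config | weak_min_version
echo "leaf certificate: $(sample_leaf | sha1_verdict)"
echo "root certificate: $(sample_root | sha1_verdict)"
```

A "sha1-rejected" verdict means the scrape target needs a certificate reissued with a stronger hash before the Prometheus update, otherwise the target will fail TLS verification.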

This update fixes several security vulnerabilities:

  • CVE-2022-46146

  • CVE-2022-41715

Note: Uyuni 2023.04 is not affected by CVE-2022-24921.

The update also includes several bug fixes and features, but no breaking changes.

Check the upstream changelogs for all the details:

Prometheus PostgreSQL Server updated to 0.10.1

prometheus-postgres_exporter has been updated from version 0.10.0 to version 0.10.1, with the update fixing the following security vulnerability:

  • CVE-2022-46146

This update does not include any breaking changes or features.

Check the upstream release notes for all the details.

Prometheus Node Exporter updated to 1.5.0

With Uyuni 2023.04, golang-github-prometheus-node_exporter has been updated from version 1.3.0 to 1.5.0.

This new version changes the Go runtime GOMAXPROCS to 1. This is done to limit the concurrency of the exporter to 1 CPU thread at a time in order to avoid a race condition problem in the Linux kernel and parallel IO issues on nodes with high numbers of CPUs/CPU threads.

This update fixes several security vulnerabilities:

  • CVE-2022-27191

  • CVE-2022-27664

  • CVE-2022-46146

The update also includes several bug fixes and features, but no breaking changes.

Check the upstream changelogs for all the details:

All tomcat logs are now rotated with logrotate

Until Uyuni 2023.03, localhost.log, manager.log, host-manager.log, localhost_access_log.txt and catalina.out were rotated with Valve.

Valve does not support archiving, so now the Tomcat logs are configured to rotate with logrotate and support archiving.

The configuration is the same as for the other tomcat logs: weekly rotation, one year of retention and compression enabled.

Security enhancements to API logging

Together with the password, this Uyuni release also removes the arguments key and content from the API logging, because they could still include sensitive data and should not be exposed in the logs.

Version 2023.03

openSUSE Leap Micro 5.3 support as client

openSUSE Leap Micro is an ultra-reliable, lightweight operating system built for containerized and virtualized workloads.

Based on SUSE Linux Enterprise Micro, it leverages the enterprise hardened security and compliance components of SUSE Linux Enterprise. This merging of technologies provides for a modern, immutable and developer-friendly OS platform.

Check the Client Configuration Guide for information about the supported features.

New products enabled
  • openSUSE Leap 15.5 (Beta)

  • SUSE Linux Enterprise 15 SP5 family (Beta)

Both products are still in beta, and both work only with the Salt Bundle (the default since Uyuni 2022.12). Without the bundle they ship Salt 3005, which is incompatible with the Salt master version used on the Uyuni Server (the Salt master on Uyuni still uses Salt 3004 as provided by openSUSE Leap 15.4).

Monitoring: Grafana update to 8.5.15

This update fixes several security vulnerabilities:

  • CVE-2022-39306

  • CVE-2022-39307

  • CVE-2022-39201

  • CVE-2022-31130

  • CVE-2022-31123

  • CVE-2022-39229

No other bugfixes, features or changelogs are part of this update.

Check the upstream changelog for all the details.

Syncing optional channels from the WebUI

Until Uyuni 2023.01, syncing optional channels was only possible with the CLI tool mgr-sync, but not from the WebUI Setup Wizard.

Starting with Uyuni 2023.03, this is also possible from the WebUI.

Each product at the Setup Wizard will now allow syncing optional channels, provided that the mandatory channels for the product are already synced.

To enable the optional channels:

  1. Go to Admin → Setup Wizard → Products

  2. Look for the product you want to sync optional channels for.

  3. Use the Show the product’s channels button (next to the sync status)

  4. A popup will show, allowing you to use checkboxes to enable optional channels. Mark as many as needed.

  5. Use the Confirm button to schedule the sync

Subscription warning notifications will now happen weekly

This change is only relevant for users using SUSE subscriptions.

Previous versions of Uyuni created a notification each day when a SUSE Customer Center (SCC) subscription was about to expire, starting 90 days before the subscription expiration and continuing until 30 days after expiration.

With Uyuni 2023.03 we are addressing the feedback we got about the frequency, and we are changing it to happen weekly, on Mondays.

The warning box at the Dashboard (Home > Overview) will still show up any time there is a subscription expiring in the next 90 days, or expired in the last 30 days.

Salt 3000 End of Life

Upstream Salt 3000 reached End of Life on August 31, 2021. However, because it was part of the Advanced Systems Management Module of SUSE Linux Enterprise 12 and there was no bundle available for SUSE Manager 4.1, it was still supported.

Salt 3000 will no longer be supported in the context of Uyuni now that both SUSE Manager 4.1 and the Advanced Systems Management Module of SUSE Linux Enterprise 12 are End of Life.

Users are required to migrate existing Salt 3000 minions for SUSE Linux Enterprise Server 12, Red Hat Enterprise Linux 7, CentOS 7, Oracle Linux 7, and Amazon Linux 2 to the Salt Bundle before creating any bug reports.

For more information about performing Salt 3000 to Salt Bundle migrations, please consult the Salt Bundle section in the Client Configuration Guide.

Debian 9 End of Life

Debian 9 LTS support ended on June 30th, 2022.

After a grace period of more than half a year, Uyuni 2023.03 is stopping support for this operating system.

While existing client tools repositories will not be removed, they will not get updates.

As for the code, it will not be broken on purpose, but it will not get tested for Debian 9 anymore, so even if Uyuni 2023.03 can still manage Debian 9, this can break at any further release.

All remaining users with Debian 9 systems are encouraged to migrate to Debian 10 or Debian 11 as soon as possible.

'spacewalk-clone-by-date' has been deprecated

With Uyuni 2023.03, the spacewalk-clone-by-date tool has been deprecated. With CLM (Content Lifecycle Management), we believe users have a better alternative to spacewalk-clone-by-date, one that is much more flexible and powerful.

CLM provides a comprehensive API to cover all the important features that spacewalk-clone-by-date tool offers.

Version 2023.01

Release notes cleanup

With Uyuni 2023.01, we are removing versions older than 2021.12 from the release notes, to make the document smaller and easier to review.

Release notes for older versions, up to 4.0.0, can still be found at the website.

SUSE Linux Enterprise Micro support as client

SUSE Linux Enterprise Server Micro is an ultra-reliable, lightweight operating system purpose built for containerized and virtualized workloads. It leverages the enterprise hardened security and compliance components of SUSE Linux Enterprise and merges them with a modern, immutable, developer-friendly OS platform.

Support for SUSE Linux Enterprise Server Micro in Uyuni was added as a tech preview. In the meantime, we have made some significant improvements to make sure that users get a seamless experience when working with an immutable OS such as SUSE Linux Enterprise Server Micro.

Check the Client Configuration Guide for information about the supported features.

The documentation still mentions SUSE Linux Enterprise Micro as "Technology Preview". This documentation bug will be fixed for Uyuni 2023.03.

Please consult the Known issues section for an issue around SUSE Linux Enterprise Micro support.

Content Lifecycle Management: Disabling modularity for AppStream repositories

Starting with Uyuni 2023.01, AppStream modularity can be disabled by removing the module metadata from the target repositories without having to enable any modules. This can be achieved by using the new none matcher with the AppStream filters.

This new feature is especially useful for AlmaLinux 9, Rocky Linux 9, Oracle Linux 9 or RHEL 9, as default versions of most applications are now served as regular packages.

Check the Administration Guide for more information.

Version 2022.12

Indications for systems requiring reboot or with a scheduled reboot

Uyuni 2022.12 brings several improvements to the reboot of the Uyuni clients:

  • The System List page now provides a new icon at the Updates column when a reboot is required. This new icon allows scheduling the reboot.

  • The System Overview page for the clients will show the text System reboot scheduled when a reboot is scheduled.

Notification messages via email

Uyuni shows notification messages on the WebUI, but they are not very useful for users who do not log in very often.

With Uyuni 2022.12, each user can enable such notifications to be delivered via email using the user preferences (checkbox Receive email notifications).

Monitoring: Grafana update to 8.5.15

This update fixes several security vulnerabilities:

  • CVE-2022-39306

  • CVE-2022-39307

  • CVE-2022-39201

  • CVE-2022-31130

  • CVE-2022-31123

  • CVE-2022-39229

No other bugfixes, features or changelogs are part of this update.

Check the upstream changelog for all the details.

Subscription warning notifications

Uyuni 2022.12 will show notifications at the Overview page now, when SUSE subscriptions are about to expire or have already expired.

This will not affect users not using SUSE subscriptions.

Limit changelogs at repositories metadata to the last 20 entries

Until 2022.11, Uyuni added all the changelog entries for all packages to the metadata generated for each repository at the Uyuni Server. This caused the file others.xml.gz to be very big in some situations, and therefore increased the time it takes to synchronize the metadata on the Uyuni clients.

Starting with Uyuni 2022.12, this is now limited to 20 entries for each package by default for new packages. Already synced packages will keep the whole changelog.

This change is only about the repository metadata and will not affect the packages themselves, which will keep the complete changelogs.

If you want to go back to keeping all the changelog entries, increase the number of entries, or apply the new default to all existing packages, check the Administration Guide.

Drop legacy way to prevent disabling local repositories at bootstrap scripts

In the past, using DISABLE_LOCAL_REPOS=0 with the bootstrap script allowed users to keep local repositories enabled after registration.

This feature can be accomplished with Salt, for any kind of onboarding (webUI, API, Bootstrap script, etc.), as explained at the Client Configuration Guide.

Version 2022.11

System list refactor

The System list page has been refactored and optimized, and can now handle thousands of systems with ease.

For this we had to add a new database table to store the cached system data.

This table is updated every hour by the update-system-overview-default task and within a minute after data for any of the systems is changed.

As a side effect, the System list will be empty after the server upgrade until the refresh is triggered.

To force a refresh before the top of the hour, run the update-system-overview-default task manually in Admin > Task Schedules page. Keep in mind that processing this task can take some time depending on how many systems are present in the database.

We intend to automate the initial refresh during the Uyuni Server update in a future release, for people that are still upgrading from versions older than 2022.11.

The new page has also introduced more advanced filtering of the data. Though quite powerful, the user interface for the value selection is still rough and requires knowing what to query. While this has been temporarily worked around by keeping the old links in the Systems List menu, we expect improvements for the interface in a future release.

Instructions to disable custom channel automatic synchronization

Since Uyuni 2022.10, the custom channels are now synced automatically.

By default, a synchronization will start automatically after adding a new repository to a custom channel. Moreover, they will all update daily as a part of the mgr-sync-refresh-default scheduled task.

To disable this new feature and revert back to the old behaviour, you can set in /etc/rhn/rhn.conf:

java.unify_custom_channel_management = 0

Check the Custom Channels section of the Administration Guide for information about the custom channel synchronization.

Allow more tools for network management for the Uyuni Server

Until now, the Uyuni Server only supported Wicked for network management, because of a problem at the uyuni-check-database service.

With Uyuni 2022.11, this problem is fixed and now any other tool such as NetworkManager can be used.

Monitoring: Grafana update to 8.5.13

Uyuni 2022.03 updates Grafana from version 8.3.5 to 8.5.13.

This update fixes several security vulnerabilities:

  • CVE-2022-36062

  • CVE-2022-35957

  • CVE-2022-31107

  • CVE-2022-31097

  • CVE-2022-29170

Check the upstream changelog for all the details on what has changed.

There is one breaking change:

  • For a data source query made via /api/ds/query, if the DatasourceQueryMultiStatus feature is enabled and the data source response has an error set as part of the DataResponse, the resulting HTTP status code is now 207 Multi Status instead of 400 Bad gateway.

Updating Grafana is strongly recommended.

Monitoring: Fix TLS configuration and enable client certificate authentication for Blackbox exporter

Uyuni 2022.10 and previous versions were using basic authentication for the Blackbox exporter scraping, even though using TLS client certificates was enabled in the prometheus-formula.

With Uyuni 2022.11, the Prometheus formula adds a section for the Blackbox exporter with TLS certificate and key for client certificate authentication.

Traditional stack being removed

Uyuni 2022.06 was the last version where traditional client tools were tested to work, and it was announced that with Uyuni 2022.08 the traditional client tools will be deprecated and removed at some point after the summer.

Uyuni 2022.11 is already removing code for the traditional clients, so this version will not support traditional clients in any way. New deployments will not work and existing deployments will not work either. If you still have traditional clients and they still work normally, you need to migrate them to Salt before updating to Uyuni 2022.11.

Version 2022.10

Update notes

WARNING: This release requires vendor changes for some Uyuni dependencies at the server, so pay attention to the following instructions!

Because of a bug in zypper, --allow-vendor-change could be broken on your system. This can apply even if you are still on Uyuni 2022.05 or earlier (based on openSUSE Leap 15.3).

Make sure you manually update zypper first at the Uyuni Server with zypper ref && zypper in zypper, and then verify that the installed zypper version is 1.14.57 or newer (use zypper info zypper).

Then:

RHEL/Oracle Linux/AlmaLinux/Rocky Linux 9 as clients

Uyuni is now able to manage RHEL/Oracle Linux/AlmaLinux/Rocky Linux 9 as Salt or Salt SSH minions. All other features that worked for previous versions of RHEL/Oracle Linux/AlmaLinux/Rocky will work now too, with the exception of the Prometheus Exporters.

The following architectures can be managed:

  • x86_64

  • aarch64

  • s390x (RHEL/AlmaLinux/Rocky Linux only)

  • ppc64le (RHEL/AlmaLinux/Rocky Linux only)

Check the Client Configuration Guide for information about how to configure the Uyuni Server to work with RHEL/Oracle Linux/AlmaLinux/Rocky Linux 8 clients.

Monitoring for Ubuntu 22.04

The Client Tools for Ubuntu 22.04 now contain four exporters:

  • prometheus-apache-exporter

  • prometheus-exporter-exporter

  • prometheus-node-exporter

  • prometheus-postgres-exporter

With these tools, all of the features available for previous Ubuntu versions are available on 22.04.

pip support for the Salt Bundle

The Salt Bundle now includes support for pip, allowing users to extend the functionality of the bundled Salt Minion with extra Python packages.

Check the official Saltstack documentation on how to do it as a module and a state.

Keep in mind that not all of the functions are available with the state, but the missing functionality can still be accessed with module.run.

Apache exporter updated to version 0.11.0 for SUSE Linux Enterprise and openSUSE

Uyuni 2022.10 updates the Prometheus exporter for Apache from version 0.7 to version 0.10.0 for SUSE Linux Enterprise and openSUSE, including the Uyuni Server, the Uyuni Proxy and the Uyuni Retail Branch Server.

Check the upstream release notes for more details, including new metrics.

Cobbler updated to version 3.3.3

Cobbler was updated from version 3.1.2 to version 3.3.3.

  • "cobbler buildiso" now supports building ISOs with UEFI support

  • Cobbler has a new command "cobbler mkloaders" that can be called optionally after GRUB or Syslinux was updated on the Uyuni Server

For the complete list of changes, see the upstream release notes:

The migration of stored Cobbler collections and settings from previous Cobbler version to 3.3.3 will run automatically during this upgrade.

A backup of old Cobbler settings file will be created at /etc/cobbler/settings.before-migration-backup and old collections backup under /var/lib/cobbler/.

Version 2022.08

Ubuntu 22.04 as client

Uyuni is now able to manage Ubuntu 22.04 clients as Salt or Salt SSH minions. All other features that worked for previous versions of Ubuntu will work now too, with the exception of the Prometheus Exporters and package vendor identification, which will be part of a future Uyuni release (for now, Prometheus Exporters are available in the Universe repositories).

The following architectures can be managed:

  • x86_64

Check the Client Configuration Guide for information about how to configure Uyuni Server to work with Ubuntu 22.04 clients.

GPG key handling in Uyuni

Uyuni now takes care of trusting the required GPG keys on the clients, in order to install packages from assigned channels.

The GPG key URL can be defined for Software Channels which will be used to find the key needed for that channel.

When the channel is assigned to the client the key will be trusted on repository refresh or when installing a package out of the channels.

For more information, check the documentation.

Disabling locally defined repositories

To prevent problems with locally defined repositories providing wrong or unwanted packages, we now disable all these repositories as the first step in bootstrapping.

Additionally we try to keep local repositories disabled and perform this in the channel state which is also used during highstate.

For more information, check the documentation.

Technology Preview: Helm chart to deploy containerized Uyuni Proxy and Retail Branch Server

Deploying Proxy and Retail Branch Servers as containers is now also possible using a Helm chart.

For more information check this README file. The information will be part of the Uyuni official documentation in a future release.

WARNING: The container images configuration has a new format and it is now packaged as tar.gz file. All previously deployed container Proxies and Retail Branch Servers will need to get their configuration regenerated and deployed again before pulling these images.

Version 2022.06

Upgrade notes

WARNING: This release updates the base OS from openSUSE Leap 15.3 to openSUSE Leap 15.4 and there are special steps required. You need at least Uyuni 2021.06 already installed to perform the upgrade, and you need to follow the major upgrade procedure for the Server. More details are also available at the "Update from previous versions of Uyuni Server" section below.

WARNING: This release updates the Salt version for master and minions to the next major release. Make sure you update the Uyuni Server before updating the clients, as backward compatibility of minions against an older master is not guaranteed.

WARNING: With Uyuni 2021.12, we announced the future deprecation of the Traditional client tools. Uyuni 2022.06 is the last release that supports them. Starting with Uyuni 2022.08, the traditional client tools will be deprecated as we will start removing the code at some point after the summer. Do not use traditional for any new deployments of clients or proxies, and start migrating your traditional clients to Salt.

Base system upgrade

The base system has been upgraded to openSUSE Leap 15.4.

PostgreSQL 14

The database engine has been updated from PostgreSQL 13 to PostgreSQL 14, which brings a number of performance and reliability improvements. A detailed changelog is available upstream.

To prevent inconsistent configurations and data on upgrade or update, Uyuni 2022.06 refuses to start until the database migration from PostgreSQL 13 to PostgreSQL 14 has been completed successfully.

Salt 3004

Salt has been upgraded to upstream version 3004, plus a number of patches, backports and enhancements by SUSE, for the Uyuni Manager Server, Proxy, and Client Tools.

We intend to regularly upgrade Salt to more recent versions.

For more details about changes in your manually-created Salt states, see the Salt 3004 upstream release notes.

Salt Bundle 3004 will be available for all supported clients.

The non-bundle version of Salt requires Python3 installed by default, so it will not be available for:

  • SUSE Linux Enterprise 12

  • CentOS 7

  • Oracle Linux 7

  • Red Hat Enterprise Linux 7

New products enabled
  • openSUSE Leap 15.4

  • SUSE Linux Enterprise 15 SP4 family

  • SLE Micro 5.2

Version 2022.05

Reporting Database documentation

The reporting database schema is now fully documented.

The documentation describes the schema in detail, showing all the tables and the views available and highlighting the relationships among them.

You can access it from the Uyuni Server WebUI, at Help > Report Database Schema, from the left navigation bar.

spacewalk-report now uses data from the reporting database

Starting with Uyuni 2022.05, spacewalk-report will use the data from the report database by default. This change affects both new and updated setups.

This means that the new generated reports will differ in the structure and the format of the data and might break existing integrations.

If this change causes trouble in your use case, the new option --legacy-report can be used to fall back to the old report engine.

For a comprehensive list of what is changed and what reports are affected, see the section "Generate Reports" at the Administration Guide.

Adding systems with failed actions to System Set Manager

It is now possible to select and add systems that failed or completed actions, with a new button Add Selected to SSM that shows for the actions at "Completed Systems" and "Failed Systems".

You can find the actions at the Uyuni Server WebUI, at Schedule on the left navigation bar.

This can be useful to fix issues with systems that failed to complete actions, or to run more actions on those that completed them.

Technology Preview: JSON over HTTP API

With Uyuni 2022.05, in addition to the current XML-RPC API, a new JSON over HTTP API will also be provided to make the Uyuni API even easier to consume.

Uyuni is seeing more and more use in automated scenarios, where it is a part of a bigger system and driven via its APIs.

The XML-RPC protocol has served users well so far and will continue to do so, but HTTP APIs are more in demand and have better tooling support.

The API documentation has been updated to reflect the changes to support the HTTP API, and is available at the Uyuni Server WebUI under About > API, and at the website.

Usage examples can be found in the "Sample scripts" section of the documentation.

With the addition of the JSON over HTTP API documentation:

  • Mandatory names to the input parameters for each method were added

  • Information about the HTTP request type (GET or POST) was added

  • Example scripts to consume the HTTP API via Curl were added

Version 2022.04

Salt SSH now uses the Salt Bundle

The Salt Bundle is now used to handle Salt SSH executions on the client side. The bootstrap of new Salt clients using webUI or API is now also using the Salt Bundle.

To ensure bootstrap works in the proper way, the bootstrap repositories for the clients must be regenerated before bootstrapping new clients.

The bootstrap repository regeneration happens for any given product when a resync for the product repositories happens:

  • For products provided by the SUSE Customer Center, added via the Setup Wizard or mgr-sync, this happens each night.

  • For products added via spacewalk-common-channels there is no automated resync by default, unless it was configured after adding the product. In this case, the regeneration needs to be triggered manually.

To manually trigger the regeneration, use the tool mgr-create-bootstrap-repo at the Uyuni Server.

Technology Preview: Containerized Uyuni Proxy and Retail Branch Server

Starting with Uyuni 2022.04, it will be possible to run the Uyuni proxy and Retail branch server also in containers. This could be very helpful in scenarios where adding new virtual machines is not feasible for some reason.

Additionally, the ability to run Uyuni Proxy and Retail branch servers in containers makes it more flexible to run them anywhere without worrying about the underlying OS, while also making it possible to take advantage of Kubernetes offerings like HA.

Reporting Database improvements

The following improvements have been made in the reporting database:

  • Add UI for peripheral server with report database password regeneration

  • Added the server location information to the reporting database

  • detect MgrServer on bootstrap and store report database settings

  • Added Channel information

  • Added System packages information

  • Added OpenScap scans information

  • Added Groups information

  • Added System packages information

  • Added proxy information to the system table

  • Changed table SystemGroup to better reflect its content

  • Added location information to the system table

Improved image management

Uyuni 2022.04 comes with a lot of improvements for image management.

  • Kiwi images:

    • Uses name and version from Kiwi config file, revision is increased on each build

    • Built image files are referenced in the database and deleted with the image entry

    • Image pillars are stored in the database

    • The build log is visible in the User Interface

  • Docker images:

    • Use a new database entry for each revision

    • Old revision can be shown with the "Show obsolete" checkbox

  • Updated XML RPC API to manipulate images, image files and pillars:

    • For more details about these end points, please refer to Uyuni API.

HSTS available

HTTP Strict Transport Security (HSTS) is a policy mechanism that helps to protect websites against man-in-the-middle attacks such as protocol downgrade attacks and cookie hijacking.

Uyuni 2022.04 allows enabling HSTS, which means each request will need to be HTTPS while plain HTTP requests will be rejected.

To enable it for the Uyuni Server:

  1. Edit /etc/apache2/conf.d/zz-spacewalk-www.conf

  2. Uncomment the line # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

  3. Restart Apache with systemctl restart apache2

To enable it for the Uyuni Proxy:

  1. Edit /etc/apache2/conf.d/spacewalk-proxy.conf

  2. Uncomment the line # Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

  3. Restart Apache with systemctl restart apache2

IMPORTANT: If you enable HSTS while using the default SSL certificate generated by Uyuni, or a self-signed certificate, some browsers will refuse to connect using HTTPS unless the CA used to sign such certificates is trusted by the browser. If you are using the SSL certificate generated by Uyuni, you can trust it at the servers by using the file located at http://<UYUNI-SERVER-HOSTNAME>/pub/RHN-ORG-TRUSTED-SSL-CERT
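
The server and proxy procedures above as a script, added here as an example (not part of the Uyuni tooling): it uncomments the Strict-Transport-Security line in a given configuration file, keeps a backup, and parses response headers to confirm the policy is served. The function names are assumptions, the demo file is a constructed stand-in for the real configuration, and the Apache restart is left as the manual step from the list.

```shell
#!/bin/sh
# Added example: enable and verify HSTS as described in the steps above.

# Uncomment the Strict-Transport-Security Header line in the file given as $1.
# Idempotent: an already active line is left untouched. A backup is written to
# "$1.bak". Returns non-zero when no active HSTS line exists afterwards.
enable_hsts() {
    _conf=$1
    _tmp=$(mktemp) || return 1
    cp -p "$_conf" "$_conf.bak" || return 1
    # Strip the leading "#" only from the commented-out HSTS directive.
    sed 's/^\([[:space:]]*\)#[[:space:]]*\(Header always set Strict-Transport-Security .*\)$/\1\2/' \
        "$_conf" > "$_tmp" && cat "$_tmp" > "$_conf"
    rm -f "$_tmp"
    grep -Eq '^[[:space:]]*Header always set Strict-Transport-Security ' "$_conf"
}

# Read HTTP response headers on stdin and print the HSTS max-age in seconds.
# Returns non-zero when the header is missing. Header names are matched
# case-insensitively and CRLF line endings are accepted.
hsts_max_age() {
    tr -d '\r' | awk '
        { line = tolower($0) }
        line ~ /^strict-transport-security:/ && match(line, /max-age=[0-9]+/) {
            print substr(line, RSTART + 8, RLENGTH - 8)
            found = 1
            exit
        }
        END { exit !found }'
}

# Demo on a constructed stand-in for /etc/apache2/conf.d/zz-spacewalk-www.conf.
_demo=$(mktemp)
cat > "$_demo" <<'EOF'
# constructed stand-in, not the real Uyuni configuration file
# Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
EOF
enable_hsts "$_demo" && grep 'Strict-Transport-Security' "$_demo"
rm -f "$_demo" "$_demo.bak"

# On a real server, after editing the file named in step 1:
#   systemctl restart apache2
#   curl -sI https://<UYUNI-SERVER-HOSTNAME>/ | hsts_max_age
```

The max-age of 63072000 seconds in the shipped line is 730 days, so a browser that has seen the header once will refuse plain HTTP to the host for that long.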

Version 2022.03

Fixes for Salt security issues

Fixes for the following security issues have been released: CVE-2022-22934, CVE-2022-22935, CVE-2022-22936, CVE-2022-22941.

You should patch your Salt master at the Uyuni Server and minions as soon as possible. Please take the next section into account when upgrading Salt.

Salt Upgrade

To properly upgrade Salt with the fixes for the latest CVEs, and avoid breaking the communication between the Salt master and minions, you need to upgrade your "salt-master" first and then continue upgrading your Salt minions.

In case that a Salt minion is upgraded with the CVE fixes but your Salt master is not, then the communication between the master and this minion will be broken, and you would see errors like the following in your minion logs:

2022-03-28 13:19:41,880 [salt.crypt       :743 ][ERROR   ][15942] Sign-in attempt failed: {'publish_port': 4505, 'pub_key': '-----BEGIN PUBLIC KEY-----\n...\n-----END PUBLIC KEY-----\n''enc': 'pub','sig': ".."}
2022-03-28 13:19:41,885 [salt.minion      :1056][ERROR   ][15942] Error while bringing up minion for multi-master. Is master at salt-master-server.tf.local responding?

As soon as your Salt master is upgraded and restarted, the communication between master and minion will be reestablished and the error messages will no longer appear.
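
A check for the failure mode described above, added as an example (not part of Salt or Uyuni): it summarises the salt.crypt sign-in errors in a minion log and counts those logged after a given time, so you can confirm they stopped once the master was restarted. The function names and the cutoff times are assumptions, and the sample log is constructed from the message format shown above.

```shell
#!/bin/sh
# Added example: detect the minion-side sign-in errors shown above.

# Read a minion log on stdin and print "<count> <timestamp of last failure>",
# or "0 -" when the log contains no salt.crypt sign-in failure.
signin_failures() {
    awk '
        /\[salt\.crypt/ && /\[ERROR/ && /Sign-in attempt failed/ {
            n++
            last = $1 " " $2
        }
        END { if (n) print n, last; else print "0 -" }'
}

# Count sign-in failures logged after the timestamp in $1, given in the log's
# own format (YYYY-MM-DD HH:MM:SS). Timestamps in this format sort
# lexicographically, so a plain string comparison is enough.
failures_after() {
    awk -v cutoff="$1" '
        /\[salt\.crypt/ && /\[ERROR/ && /Sign-in attempt failed/ {
            if (($1 " " $2) > cutoff) n++
        }
        END { print n + 0 }'
}

# Constructed minion log: two failed sign-in attempts five minutes apart.
sample_minion_log() {
cat <<'EOF'
2022-03-28 13:19:41,880 [salt.crypt       :743 ][ERROR   ][15942] Sign-in attempt failed: {'publish_port': 4505, 'enc': 'pub', 'sig': ".."}
2022-03-28 13:19:41,885 [salt.minion      :1056][ERROR   ][15942] Error while bringing up minion for multi-master. Is master at salt-master-server.tf.local responding?
2022-03-28 13:24:52,101 [salt.crypt       :743 ][ERROR   ][15942] Sign-in attempt failed: {'publish_port': 4505, 'enc': 'pub', 'sig': ".."}
2022-03-28 13:24:52,107 [salt.minion      :1056][ERROR   ][15942] Error while bringing up minion for multi-master. Is master at salt-master-server.tf.local responding?
EOF
}

# Demo: summary, then failures after an assumed master restart at 13:30.
echo "failures (count, last seen): $(sample_minion_log | signin_failures)"
echo "failures after master restart: $(sample_minion_log | failures_after '2022-03-28 13:30:00')"
```

A non-zero count after the master restart time means the minion is still being rejected and the master upgrade should be verified before looking at the minion.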

New XML-RPC API version 26

Uyuni 2022.03 updates the XML-RPC API version from 25 to 26, in preparation for SUSE Manager 4.3.

There are no breaking changes to any methods.

If any of your scripts are checking for the version 25, you can change them to use version 26 without any further changes.

smdba: changed defaults for newer PostgreSQL versions

Starting with PostgreSQL 13, some defaults have changed.

To improve performance, smdba autotuning was adapted to use the new values.

Additionally, an extra parameter --ssd was added to autotuning to tell smdba that the database is stored on SSD or fast network storage.

To change an existing configuration with the new defaults call

smdba system-check autotuning

Remember you can also adjust some other parameters, in case you need them:

smdba system-check autotuning [--max_connections=<number>] [--ssd]

Monitoring: Grafana 8.3.5

Uyuni 2022.03 updates Grafana from version 7.5.12 to 8.3.5.

This update fixes several security vulnerabilities:

  • XSS vulnerability in handling data sources (CVE-2022-21702)

  • Cross-origin request forgery vulnerability (CVE-2022-21703)

  • Insecure Direct Object Reference vulnerability in Teams API (CVE-2022-21713)

  • GetUserInfo: return an error if no user was found (CVE-2022-21673)

Updating Grafana is strongly recommended.

Relevant changes are:

  • New Alerting for Grafana 8

  • CloudWatch: Add support for AWS Metric Insights

  • CloudWatch: Add AWS RoboMaker metrics and dimension

  • CloudWatch: Add AWS Transfer metrics and dimension

  • CloudWatch: Add AWS LookoutMetrics

  • CloudWatch: Add Lambda@Edge Amazon CloudFront metrics

  • CloudMonitoring: Add support for preprocessing

  • CloudWatch: Add AWS/EFS StorageBytes metric

  • CloudWatch: Add Amplify Console metrics and dimensions

  • CloudWatch: Add metrics for managed RabbitMQ service

  • Elasticsearch: Add support for Elasticsearch 8.0

  • AzureMonitor: Add support for PostgreSQL and MySQL Flexible Servers

  • AzureMonitor: Add Azure Resource Graph

  • AzureMonitor: Add support for Microsoft.SignalRService/SignalR metrics

Check the upstream changelog for more details on what has changed.

There is one breaking change:

  • Grafana 8 Alerting enabled by default for installations that do not use legacy alerting.

Uyuni does not use Grafana alerting, so if you do not need it, you can disable it at the Grafana WebUI.

If you use legacy Grafana alerting in your environment, consider migrating to new Grafana 8 alerting.

Unsupported products
  • Red Hat Enterprise Linux 6

  • Oracle Linux 6

  • CentOS 6

  • CentOS 8

  • Ubuntu 16.04

We highly encourage you to migrate your workload to a newer version of each distribution, or to an alternative distribution that is still supported, so you can continue managing your infrastructure with Uyuni.

Please note that we will not break things on purpose for these unsupported products, and there is a possibility that they could still continue to work. But if things break, there will not be any support provided, not even on a best-effort basis, unless someone from the community can step in.

Version 2022.02

PostgreSQL default password encryption mechanism change

PostgreSQL is changing its default password encryption mechanism from md5 to scram-sha-256.

With this update Uyuni will follow this change and will migrate the database user to this new encryption mechanism.

This should happen automatically for the existing database user.

The following changes will happen:

  • At the /var/lib/pgsql/data/postgresql.conf file, password_encryption = scram-sha-256 will be set.

  • The password for the user specified in the file /etc/rhn/rhn.conf will be reset.

  • At the /var/lib/pgsql/data/pg_hba.conf file, all mechanisms which are set to md5 will be changed to scram-sha-256.

If additional users were created, their passwords must be reset.

This can be done with the following command on the Uyuni Server, executed as the "root" user, replacing <DBUSER> with the right username and <DBPASSWD> with the new password:

runuser - postgres -c "echo \"ALTER USER <DBUSER> WITH PASSWORD '<DBPASSWD>';\" | psql"
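
Why the reset matters: once pg_hba.conf asks for scram-sha-256, a role whose stored verifier is still in md5 format can no longer authenticate. The Python audit below is an added example, not part of Uyuni or of these release notes; the sample pg_hba.conf content, role names and passwords are constructed, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import ipaddress
import re

SCRAM_RE = re.compile(r"SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+")
MD5_RE = re.compile(r"md5[0-9a-f]{32}")


def scram_verifier(password, salt, iterations=4096):
    """Build SCRAM-SHA-256$<iterations>:<salt>$<StoredKey>:<ServerKey> (RFC 5802 keys)."""
    # PostgreSQL also applies SASLprep to the password; for ASCII input that is a no-op.
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    salt64, stored64, server64 = (base64.b64encode(x).decode() for x in (salt, stored_key, server_key))
    return f"SCRAM-SHA-256${iterations}:{salt64}${stored64}:{server64}"


def classify_verifier(rolpassword):
    """Name the mechanism behind a pg_authid.rolpassword value."""
    if not rolpassword:
        return "none"
    for name, pattern in (("scram-sha-256", SCRAM_RE), ("md5", MD5_RE)):
        if pattern.fullmatch(rolpassword):
            return name
    return "unknown"


def hba_rules_using(text, method="md5"):
    """Return (line_number, rule) for rules using `method` (plain unquoted fields only)."""
    hits = []
    for number, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        idx = 3 if fields[0] == "local" else 4  # local rules have no ADDRESS column
        if idx == 4 and len(fields) > 5:
            try:  # host rules may carry the netmask as a separate column
                ipaddress.ip_address(fields[4])
                idx = 5
            except ValueError:
                pass
        if len(fields) > idx and fields[idx] == method:
            hits.append((number, " ".join(fields)))
    return hits


def roles_needing_reset(rows):
    """Roles whose verifier is still md5; they cannot log in via scram-sha-256 rules."""
    return [name for name, verifier in rows if classify_verifier(verifier) == "md5"]


# Constructed sample data; role names and passwords are placeholders.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER      ADDRESS                  METHOD
local   all       postgres                           peer
local   all       all                                md5
host    all       all       127.0.0.1/32             scram-sha-256
host    all       extra     10.0.0.0 255.255.255.0   md5  # netmask form
"""
SAMPLE_ROLES = [  # same shape as: SELECT rolname, rolpassword FROM pg_authid
    ("uyuni", scram_verifier("example-pw", b"constructed-salt")),
    ("extra", "md5" + hashlib.md5(b"example-pw" + b"extra").hexdigest()),
    ("group_role", None),
]

if __name__ == "__main__":
    for number, rule in hba_rules_using(SAMPLE_PG_HBA):
        print(f"pg_hba.conf line {number} still uses md5: {rule}")
    print("roles needing a password reset:", roles_needing_reset(SAMPLE_ROLES))
```

On a real server, feed `hba_rules_using` the content of pg_hba.conf and `roles_needing_reset` the rows of a superuser query on pg_authid.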

Reporting Database

The reporting database provides Uyuni data used for reports in a simplified schema, and is accessible by any reporting tool with support for SQL databases as content sources.

This new database is isolated from the one used for the Uyuni Server, and created automatically.

The tool uyuni-setup-reportdb-user can create new users that have read-only access to the data.

For more information on this topic, see Hub reporting.

Ubuntu errata installation

Uyuni now comes with Ubuntu errata support. It does this by downloading errata information from https://usn.ubuntu.com/usn-db/database.json and matching it after the syncing of Ubuntu channels.

It also adds support for installing errata on Ubuntu systems by mapping them to package installs.

For users, it will be a seamless experience, with exactly the same UX as errata management for other distros.

Monitoring
Prometheus 2.32.1

Uyuni 2022.02 updates Prometheus from version 2.27.1 to 2.32.1.

The new version contains some breaking changes that need to be addressed after the Uyuni Server is updated.

Breaking changes:

  • Uyuni Service Discovery: The configuration and the returned set of meta labels have changed. Please check the upstream documentation for more details.

  • As a consequence all users with existing monitoring setup must reapply the highstate on the monitoring server(s).

Important changes:

  • Introduced generic HTTP-based service discovery.

  • New expression editor with advanced autocompletion, inline linting, and syntax highlighting.

  • Discovering Kubernetes API servers using a kubeconfig file.

  • Faster server restart times via snapshotting.

  • Controlling scrape intervals and timeouts via relabeling.

Check the upstream changelog for more details on what has changed.

Postgres exporter updated to version 0.10.0 for SUSE Linux Enterprise and openSUSE

Uyuni 2022.02 updates the Postgres exporter from version 0.4.7 to the version 0.10.0 for SUSE Linux Enterprise and openSUSE.

This version brings the rename of the package from golang-github-wrouesnel-postgres_exporter to prometheus-postgres_exporter, as this package is now part of the Prometheus Community Projects. After the package is updated, you will need to reenable the prometheus-postgres_exporter service:

  • For the Uyuni Server WebUI, proceed to Admin > Manager Configuration > Monitoring. You will see PostgreSQL database is stopped. Click Enable and the service will get started.

  • For SUSE Linux Enterprise and openSUSE clients, apply the highstate to all the clients where PostgreSQL needs to be exported.

The new version also contains a patch that allows connecting to PostgreSQL servers using scram-sha-256, which is the new default for Uyuni installations starting with 2022.02.

Check the upstream changelog for more details, including new metrics.

Other operating systems, such as CentOS7 or AlmaLinux 8, will get 0.10.0 with future Uyuni releases.

SLES PAYG client support on cloud

It is now possible to sync content from the SUSE-operated Cloud RMT Server with Uyuni. This makes things a lot easier for users with SLES PAYG instances, because they no longer need to go through the cumbersome process of getting zero-cost subscriptions.

It works in all three major public clouds: AWS, GCP, and Azure.

For more information and instructions on this topic, see the Connect Pay-as-you-go instance.

openscap for Debian 11 (Tech Preview)

Uyuni 2022.02 provides the openscap package binaries using the sources from Debian Sid. Debian 11 itself does not provide openscap, as it was removed from Debian Testing during Debian 11 development.

This is a Tech Preview and therefore not supported, but we invite the community to provide feedback and will provide updates from the Debian upstream package if needed.

Version 2022.01

Debian 11 as client

Uyuni is now able to manage Debian 11 clients as salt or salt-ssh minions, with all the other features that work for previous versions of Debian, with the exception of openscap, as it is not available on Debian 11.

The following architectures can be managed:

  • x86_64

  • aarch64

  • armv7l

  • i586

  • ppc64le

  • s390x

Check the Client Configuration Guide for information about how to configure Uyuni Server to work with Debian 11 clients.

The patch details page now contains a new section Vendor Advisory, which links to the original advisory provided by the vendor of the patch.

This information is auto-generated from data already existing in the database, so, when possible, it will be available for both new and existing patches.

With Uyuni 2022.01, the following providers are supported:

  • SUSE

  • Red Hat

  • Oracle

  • Amazon

  • AlmaLinux

  • RockyLinux

  • Alibaba

Add support for custom SSH port for SSH minions

Starting with Uyuni 2022.01, using TCP port 22 for SSH minions is not required anymore, and any TCP port can be used.

Change proxy used for clients from the WebUI

It is now possible to change the proxy used by an Uyuni client using the WebUI.

This can be done from the Connection tab at the Details tab for any Salt client, using the new link Change to change the connection type.

Using System Set Manager is supported as well, and can be done from the Misc tab, and then Proxy tab.

NOTE: Changing the connection for a Proxy to move it is not supported at this moment. The Connection tab will not show the Change link for proxies.

Version 2021.12

Salt as a Bundle

Salt Bundle is a single package called venv-salt-minion containing the Salt Minion, Python and all Python modules. It is exactly the same version and codebase as the current salt-minion RPM package.

The Salt Bundle can be used on systems that already run another Salt Minion, that do not meet Salt’s requirements, or that already provide a newer Salt version that is used instead of the version provided by Uyuni.

Starting with Uyuni 2021.12, Uyuni is able to bootstrap systems with Salt Bundle for all the supported operating systems.

On bootstrapping new clients the Salt Bundle package will be used instead of salt-minion, if the package venv-salt-minion is present in the bootstrap repo.

Clients already registered will not be changed, but can be switched to Salt Bundle by applying the state util.mgr_switch_to_venv_minion to them. For more information see the Client Configuration Guide.

Uyuni 2021.12 adds support for the aarch64 (ARM64) architecture for the following operating systems:

  • openSUSE Leap 15.3

  • CentOS 7/8

  • Oracle Linux 7/8

  • Rocky Linux 8

  • AlmaLinux 8

  • Amazon Linux 2

System reactivation

It is now possible to re-activate a system using the UI/XMLRPC-API of Uyuni, which was previously only possible using the bootstrap script. The bootstrapping page UI has been extended and the user can now enter the reactivation key of the system and the UI/XMLRPC-API of Uyuni will take care of the rest.

The same could be achieved from the XMLRPC API.

Low Diskspace notification

With Uyuni 2021.12, a banner will be shown on the login page when available disk space on the server is running low. This will help users avoid situations like the automatic shutdown of Uyuni when disk space is critically low, without even noticing it.

Package Locking for Salt Minions

Package locks are used to prevent unauthorized installation or upgrades of software packages. In the past the package lock feature was only available for traditional clients. Now it is also available for Salt clients (SUSE, RHEL and clones, and Debian/Ubuntu).

Check the Package Locking documentation for information about how to use this feature.

Monitoring
Prometheus Blackbox exporter

Uyuni 2021.12 comes with the Blackbox exporter, which allows blackbox probing of endpoints over HTTP, HTTPS, DNS, TCP, and ICMP. It needs to be installed next to the Prometheus server and not on the clients. Prometheus formula has been extended to configure the Blackbox exporter.

The package prometheus-blackbox_exporter has been added as recommended for the Proxy.

Formulas

One of the limitations of the current formulas is that they are listed against every client, even if the supported packages are not available for that OS version or service pack.

While we are continuously focused on improving the formulas, for now, starting with the monitoring formulas, the documentation will mention whether applying those formulas would actually work for a particular client.

In 2021.09, we made the Prometheus package available for Uyuni Proxy and Retail Branch Server but that is not the case with Grafana.

  • Prometheus is available for the client tools for SLE 12, SLE 15, and openSUSE 15 Uyuni Proxies or Retail Branch Servers

  • Grafana is available for the client tools for SLE 12, SLE 15, openSUSE15

Content Lifecycle Management improvement

From the Content Lifecycle Management project view, the new column Last build has been added. This information is useful when you need a general overview of all latest build times rather than retrieving the information project by project.

New XMLRPC API methods for SaltKey

The following new XMLRPC methods have been added to the SaltKey namespace.

  • accept : API endpoint to accept minion keys

  • reject : API endpoint to reject minion keys

  • pendingList : API endpoint to list pending salt keys

  • acceptedList : API endpoint to list accepted salt keys

  • rejectedList : API endpoint to list rejected salt keys

These methods could further help in improving the automation workflows.
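
One way to automate with these methods without accepting every key that shows up, as an added example that is not Uyuni's own code: accept only minion IDs found in an inventory allowlist and leave the rest pending for review. The call signatures (session key first, then minion ID), auth.login/auth.logout, the /rpc/api endpoint and all minion IDs are assumptions or constructed values; check them against the API documentation for your version.

```python
import re
import xmlrpc.client

# Conservative shape for a minion ID (hostname-like); an assumption of this example.
MINION_ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,252}")


def triage_pending_keys(client, session_key, allowlist, reject_unknown=False):
    """Accept pending minion keys whose ID is allowlisted.

    Unknown or malformed IDs are never accepted; they stay pending for manual
    review unless reject_unknown is set. Returns ID lists for logging.
    """
    result = {"accepted": [], "rejected": [], "left_pending": []}
    for minion_id in sorted(set(client.saltkey.pendingList(session_key))):
        if MINION_ID_RE.fullmatch(minion_id) and minion_id in allowlist:
            client.saltkey.accept(session_key, minion_id)
            result["accepted"].append(minion_id)
        elif reject_unknown:
            client.saltkey.reject(session_key, minion_id)
            result["rejected"].append(minion_id)
        else:
            result["left_pending"].append(minion_id)
    return result


def triage_on_server(url, user, password, allowlist):
    """Run the triage against a real server; url, user and password are placeholders."""
    client = xmlrpc.client.ServerProxy(url)  # assumed: https://<UYUNI-SERVER-HOSTNAME>/rpc/api
    session_key = client.auth.login(user, password)
    try:
        return triage_pending_keys(client, session_key, allowlist)
    finally:
        client.auth.logout(session_key)  # always release the session


class FakeSaltKey:
    """Offline stand-in for the saltkey namespace, used only for the demo below."""

    def __init__(self, pending):
        self.pending, self.accepted, self.rejected = set(pending), [], []

    def pendingList(self, session_key):
        return sorted(self.pending)

    def accept(self, session_key, minion_id):
        self.pending.discard(minion_id)
        self.accepted.append(minion_id)
        return 1

    def reject(self, session_key, minion_id):
        self.pending.discard(minion_id)
        self.rejected.append(minion_id)
        return 1


class FakeClient:
    def __init__(self, pending):
        self.saltkey = FakeSaltKey(pending)


if __name__ == "__main__":
    # Constructed minion IDs; none come from a real deployment.
    fake = FakeClient(["web01.example.test", "db01.example.test", "unknown-host"])
    print(triage_pending_keys(fake, "dummy-session", {"web01.example.test", "db01.example.test"}))
```

A minion ID is chosen by the client itself, so compare key fingerprints out of band before relying on an allowlisted ID alone.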

New product enabled
  • SUSE Linux Enterprise Server 15 SP2 LTSS

CVE-2021-40348 remediation

A security fix for CVE-2021-40348 is included as a part of Uyuni 2021.08, to fix a potential injection of arbitrary code into a root-owned file that will eventually be executed by the system.

The fix for this problem was previously released on October 29th as a patch on top of Uyuni 2021.09, but if you have not applied that patch yet, we recommend applying the update to Uyuni 2021.12 as soon as possible.

CentOS 8 End of Life

CentOS 8 will be End of Life on December 31st, 2021. Uyuni support for this product will end as well.

Please refer to support section for more information.

Future deprecation of the traditional stack

With Uyuni 2021.12, we announced the future deprecation of the Traditional client tools.

Uyuni 2022.06 is the last release that supports them.

Starting with Uyuni 2022.08, the traditional client tools will be deprecated as we will start removing the code at some point after the summer.

Do not use the traditional stack for any new deployments of clients or proxies, and start migrating your traditional clients to Salt.

Known issues

AlmaLinux

Because of an upstream bug, the original package shipped with AlmaLinux 8.5 provides a broken repository file (containing duplicated identifiers). We have already reported this issue to AlmaLinux.

Workaround: Update the package almalinux-release before registering the instance to Uyuni so at least the version 8.5-3 is installed.

Bootstrap with web UI using non-root user

Onboarding of clients with a non-root user from the Uyuni UI fails with the following error:

ERROR com.suse.manager.webui.controllers.utils.AbstractMinionBootstrapper - Error during bootstrap: SaltSSHError(13, stderr: "", stdout: "ERROR: Failure deploying ext_mods:"

The root cause of this problem is a wrong ownership of the Salt thin directory when using the Salt bundle.

Workaround: Once bootstrap fails, the user can run chown -R $USER:$GROUP /var/tmp/.*_salt once and try onboarding again. It should not fail this time.

CLM and custom repositories

When building a CLM project that includes custom channels with custom repositories, the custom repositories might not be selected in the new cloned custom channels. As a workaround, one can go to the new cloned custom channels, select the custom repositories and synchronize them.

Container build host and Salt bundle

The container build host will not work with the Salt bundle. We are working on a fix. Meanwhile, don’t use the Salt bundle on the Container build host but rather a normal Salt.

Single Sign On, API and CLI tools

Single Sign On can be used to authenticate in the Web UI but not with the API or CLI tools. This will be fixed in a future release of Uyuni.

EPEL and Salt packages

Using the Extra Packages for Enterprise Linux directly on RHEL clients (or compatible: CentOS, Oracle Linux, etc) will install the Salt packages from EPEL, which miss some features in the Uyuni-provided Salt packages. This is an unsupported scenario.

If you need to enable the EPEL repository, make sure you are using the Salt Bundle (it is used by default with new clients but not for clients onboarded before Uyuni 2022.04).

RHEL native clients

When autogenerating bootstrap repositories for native RHEL clients, some errors may be logged from the moment the official Red Hat channels are added until the moment those channels are fully synchronized for the first time.

This does not affect CentOS, Rocky Linux, AlmaLinux or Oracle Linux.

Registering Spacewalk 2.x/Red Hat Satellite 5.x clients to Uyuni as Salt minions

If a client machine is running the Red Hat Satellite 5.x agent, registering it to Uyuni as a Salt minion will fail due to package conflicts.

Registering a RH Satellite 5.x client as a Uyuni traditional client works fine.

Registering a Uyuni traditional client as a Uyuni Salt minion will also work.

  • RH Satellite 5.x ⇒ Uyuni traditional: Works

  • RH Satellite 5.x ⇒ Uyuni Salt minion: Fails

  • Uyuni traditional ⇒ Uyuni Salt minion: Works

In order to register Red Hat Satellite 5.x clients to Uyuni as Salt minions, you will need to modify the bootstrap script to remove the Satellite agent packages first.

Spacewalk 2.x and Oracle Spacewalk 2.x clients will show the same behavior as Red Hat Satellite 5.x clients.

Client Tools Notes

URLs of the Client Tools are:

Keep in mind that you should manage the client tools using the command spacewalk-common-channels on the server, which will also allow you to add the required channels for all those operating systems that are freely available.

Supported clients

At the moment the status is the following:

Distribution

Salt bootstrap from server

Salt SSH bootstrap from server

Salt bootstrap from client

Traditional

openSUSE Leap 15.X

openSUSE Leap Micro 5.X

SLE12

SLE15

CentOS7

Oracle Linux 7

Oracle Linux 8

Oracle Linux 9

Amazon Linux 2

Alibaba Linux 2

AlmaLinux 8

AlmaLinux 9

Rocky Linux 8

Rocky Linux 9

Ubuntu18.04

Ubuntu20.04

Ubuntu22.04

Debian10

Debian11

= Working, = Not working, = Untested

With the exception of RHEL/CentOS and Oracle Linux, all maintained SPs and subversions are supported.

Untested clients

Distribution

Salt bootstrap from server

Salt SSH bootstrap from server

Salt bootstrap from client

Traditional

RHEL7

RHEL8

RHEL9

RHEL7 is expected to work in the same way as CentOS7, using the CentOS7 client tools. RHEL8 and 9 are expected to work in the same way as Rocky Linux or AlmaLinux 8 or 9, using the AlmaLinux/Rocky Linux/Oracle 8 or 9 client tools.

CentOS8 (and therefore RHEL8) does not have support for the traditional client tools, only salt.

Installation

Requirements

  • OS: openSUSE Leap 15.4 x86_64, fully updated

  • Main memory: Minimum 16 GB for base installation

  • Disk space: Minimum 100 GB for root partition, Minimum 50 GB for /var/lib/pgsql, Minimum 50 GB per SUSE product + 100 GB per RHEL product (/var/spacewalk)

See the documentation for more details on the system requirements.

Installing the Server

Add the Stable repository:

Install the pattern:

zypper in patterns-uyuni_server

Run Yast2 and go to Network Services > Uyuni Setup

Follow the setup assistant.

See the Installation/Upgrade guide for detailed instructions on how to install.

Update from previous versions of Uyuni Server

See the Installation/Upgrade guide for detailed instructions on how to upgrade.

  • If you are upgrading from 2022.05 or earlier (at least 2021.06): You will need to follow the "Installation/Upgrade Guide > Upgrade > Upgrade the Server" > "Server - Major Upgrade" section.

  • If you are updating from 2022.06 or newer: You will need to follow the "Installation/Upgrade Guide > Upgrade > Upgrade the Server" > "Server - Minor Upgrade" section.

  • Migrating from versions older than 2021.06 is not possible

All connected clients will continue to run and are manageable unchanged.

Update from previous versions of Uyuni Proxy

When updating, always start with the server first and then continue with the proxies.

See the release notes for the proxy and the Installation/Upgrade guide for detailed upgrade instructions.

Other information

Red Hat Channels

Managing RHEL clients requires availability of appropriate Red Hat packages.

SUSE Channels

Managing SUSE Linux clients requires availability of appropriate SUSE channels.

Your licensed SUSE products can be used with Uyuni by following the setup Wizard.

Check the manuals for more information.

Providing feedback

If you encounter a bug, please report it at https://github.com/uyuni-project/uyuni/issues

Copyright © 2018 – 2023 The Uyuni Project

This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/es/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

For SUSE trademarks, see http://www.suse.com/company/legal/. All other third-party trademarks are the property of their respective owners. Trademark symbols (®, ™ etc.) denote trademarks of SUSE and its affiliates. Asterisks (*) denote third-party trademarks.

All information found in this document has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its affiliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof.