System Locking

System locks are used to prevent actions from occurring on a client. For example, a system lock prevents a client from being updated or restarted. This is useful for clients running production software, or to prevent accidental changes. You can disable the system lock when you are ready to perform actions.

1. System Locks on Clients

When a client is locked, or put into blackout mode, no actions can be scheduled, execution commands are disabled, and a yellow banner is displayed on the System Details page. In this mode, actions can be scheduled for the locked client using the Web UI or the API, but the actions fail.

The locking mechanism is not available for Salt SSH clients.

Procedure: System Locking a Client
  1. In the Uyuni Web UI, navigate to the System Details page for the client you want to lock.

  2. Navigate to the Formulas tab, check the system lock formula, and click Save.

  3. Navigate to the Formulas  System Lock tab, check Lock system, and click Save. On this page, you can also enable specific Salt modules while the client is locked.

  4. When you have made your changes, you might need to apply the highstate. In this case, a banner in the Web UI notifies you. The client remains locked until you remove the system lock formula.

For more information about blackout mode in Salt, see https://docs.saltstack.com/en/latest/topics/blackout/index.html.

2. Package Locks

Package locking can be used on several clients, but different feature sets are available. You must differentiate between SUSE Linux Enterprise and openSUSE (zypp-based) versus Red Hat Enterprise Linux or Debian clients.

2.1. Package Locks on Zypp-based Systems

Package locks are used to prevent unauthorized installation or upgrades to software packages. When a package has been locked, it shows a padlock icon, indicating that it cannot be installed. Any attempt to install a locked package is reported as an error in the event log.

Locked packages cannot be installed, upgraded, or removed, neither through the Uyuni Web UI, nor directly on the client machine using a package manager. Locked packages also indirectly lock any dependent packages.

Procedure: Using Package Locks
  1. Navigate to the Software  Packages  Lock tab on the managed system to see a list of all available packages.

  2. Select the packages to lock, and click Request Lock. Pick date and time for the lock to activate. By default, the lock is activated as soon as possible. Note that the lock might not activate immediately.

  3. To remove a package lock, select the packages to unlock and click Request Unlock. Pick date and time as with activating the lock.

2.2. Package Locks on Red Hat Enterprise Linux- and Debian-like Systems

Some Red Hat Enterprise Linux- and Debian-like systems have package locking available on clients.

On Red Hat Enterprise Linux- and Debian-like systems, package locks are only used to prevent unauthorized upgrades or removals to software packages. When a package has been locked, it shows a padlock icon, indicating that it cannot be changed. Any attempt to change a locked package is reported as an error in the event log.

Locked packages cannot be upgraded or removed, neither through the Uyuni Web UI, nor directly on the client machine using a package manager. Locked packages also indirectly lock any dependent packages.

Procedure: Using Package Locks
  1. On Red Hat Enterprise Linux 7 systems, install yum-plugin-versionlock, and on Red Hat Enterprise Linux 8 or 9 systems, install python3-dnf-plugin-versionlock as root. On Debian systems, the apt tool has the locking feature included.

  2. Navigate to the Software  Packages  Lock tab on the managed system to see a list of all available packages.

  3. Select the packages to lock, and click Request Lock. Pick date and time for the lock to activate. By default, the lock is activated as soon as possible. Note that the lock might not activate immediately.

  4. To remove a package lock, select the packages to unlock and click Request Unlock. Pick date and time as with activating the lock.