SUSE Manager Proxy 4.1 and SUSE Manager Retail Branch Server 4.1

Release Notes
2021-06-07 23:44:35 +0200
Table of Contents

  * Version Revision History
  * About SUSE Manager Proxy 4.1
  * System Requirements
  * SUSE Manager Proxy Distribution
  * Installation and Setup
  * Upgrade from Version 4.0
  * Upgrade from Version 3.2
  * SUSE Manager Server Versions
  * Major changes since SUSE Manager Proxy 4.1 GA
      + Features and changes
          o Version 4.1.8
              # Salt 3002
          o Version 4.1.7
              # New products enabled
              # Reactivation keys in bootstrap scripts
          o Version 4.1.6
              # Enable SAN SSL certificates
          o Version 4.1.5.1
              # Fixes for Salt security issues
          o Version 4.1.5
              # Fixes for Salt security issues
          o Version 4.1.4
          o Version 4.1.3
              # Recent Salt CVEs remediation
              # DNSSEC enabled by default by bind update
          o Version 4.1.2
              # New products enabled
          o Version 4.1.1
      + Patches
          o Version 4.1.8
          o Version 4.1.7
          o Version 4.1.6
          o Version 4.1.5.1
          o Version 4.1.5
          o Version 4.1.4
          o Version 4.1.3
          o Version 4.1.2
          o Version 4.1.1
  * Major Changes Since SUSE Manager Proxy 4.0
      + New products enabled
          o CentOS
          o Oracle Linux
          o Third-party GPG keys now included
      + Proxy visibility in Systems Overview
      + Salt 3000
      + Content Lifecycle Management filters for AppStreams
      + New documentation guides
      + SLES 15 SP2 JeOS as a Base System
      + SUSE Manager for Retail
          o SLEPOS 15 SP2 clients
          o Small stores
          o EFI HTTP booting
      + Base System Upgrade
  * Known issues
      + Proxy password
      + Single Sign On, API and CLI tools
  * Providing feedback
  * Documentation and Other Information
  * Legal Notices
  * Colophon

This SUSE product includes materials licensed to SUSE under the GNU General
Public License (GPL). The GPL requires that SUSE makes available certain source
code that corresponds to the GPL-licensed material. The source code is
available for download.

For up to three years after SUSE's distribution of the SUSE product, SUSE will
mail a copy of the source code upon request. Requests should be sent by e-mail
or as otherwise instructed here. SUSE may charge a fee to recover reasonable
costs of distribution.

Version Revision History

  * June 22nd, 2021: 4.1.8 release

  * April 15th, 2021: 4.1.7 release

  * March 19th, 2021: 4.1.6 release

  * February 25th, 2021: 4.1.5.1 release

  * January 27th, 2021: 4.1.5 release

  * December 10th, 2020: 4.1.4 release

  * November 5th, 2020: 4.1.3 release

  * October 1st, 2020: 4.1.2 release

  * August 28th, 2020: 4.1.1 release

  * July 21st, 2020: 4.1.0 release

About SUSE Manager Proxy 4.1

SUSE Manager Proxy provides mirroring proxy support for large and distributed
environments.

Operation of the proxy is completely transparent. The SUSE Manager Proxy looks
like a managed client to SUSE Manager Server, and like a server to the managed
clients. Managed clients talk to the proxy only, and the proxy in turn
communicates to the SUSE Manager Server.

All software packages that pass the SUSE Manager Proxy are cached and
subsequent client requests for these packages are resolved from the cache.

System Requirements

SUSE Manager Proxy is available for x86_64 architecture only. We recommend you
have at least 8 GB main memory, and approximately 50 GB of disk space per
distribution or channel.

Consider additional disk space required for storing images for retail
terminals.

For more details on system requirements, see the Installation Guide on
https://documentation.suse.com/suma/4.1/.

SUSE Manager Proxy Distribution

SUSE Manager Proxy 4.1 is provided through SUSE Customer Center and can be
installed with the unified installer for SUSE Linux Enterprise 15 SP2. No
separate SUSE Linux Enterprise subscription is required.

Installation and Setup

Installation of SUSE Manager Proxy 4.1 is done with the SUSE Manager Server 4.1
Web interface.

For more details on installing and configuring SUSE Manager Proxy 4.1, see the
Installation Guide on https://documentation.suse.com/suma/4.1/.

Upgrade from Version 4.0

To upgrade an existing SUSE Manager Proxy 4.0 system to SUSE Manager Proxy 4.1,
you can do an in-place upgrade, or you can set up a new system to replace the
old one.

For more information about upgrading, see the Upgrade Guide on
https://documentation.suse.com/suma/4.1/.

Upgrade from Version 3.2

To upgrade an existing SUSE Manager Proxy 3.2 system to SUSE Manager Proxy 4.1,
you can do an in-place upgrade, or you can set up a new system to replace the
old one.

For more information about upgrading, see the Upgrade Guide on
https://documentation.suse.com/suma/4.1/.

SUSE Manager Server Versions

SUSE Manager Proxy 4.1 works only with SUSE Manager 4.1 Server.

SUSE Manager Server 4.1 works with SUSE Manager Proxy 4.0 and later.

The combination of SUSE Manager 4.1 Server with SUSE Manager 3.2 Proxy or SUSE
Manager 3.2 Retail Branch Server is not supported.

Major changes since SUSE Manager Proxy 4.1 GA

Features and changes

Version 4.1.8

This is a bugfix release which also introduces several features, backported
from SUSE Manager 4.2.

Salt 3002

Salt has been upgraded to upstream version 3002, plus a number of patches,
backports and enhancements by SUSE, for the SUSE Manager Server, Proxy and
Client Tools (where the client operating system supports Python 3.5+; otherwise
Salt 3000 or 2016.11 are used).

Salt 3002 only works with Python 3.5+, therefore:

  * Salt 3002 is only available on SLE 15, RHEL 8 (and clones: CentOS, Oracle
    Linux and SLES Expanded Support), Ubuntu 18.04 and 20.04, and Debian 10.
    Only a Python 3 version is provided.

  * Salt 3000 is still the version of Salt for SLE 12, RHEL 7 (and clones:
    CentOS, Oracle Linux and SLES Expanded Support) and Debian 9. Only a Python
    2 version is provided. SLE 12 additionally provides a Python 3 version.

  * Salt 2016.11 is still the version of Salt for SLE 11 SP4. Only a Python 2
    version is provided.

We intend to regularly upgrade Salt to more recent versions, including those
which are still on Salt 3000.

For more details about changes in your manually-created Salt states, see the
Salt 3002 upstream release notes.

Version 4.1.7

Bugfix release

New products enabled

  * MicroFocus Open Enterprise Server 2018 SP3

Reactivation keys in bootstrap scripts

Bootstrap scripts can include an activation key to directly assign software
channels, configuration channels, entitlements, etc. to a system while
registering.

Reactivation keys can be used to re-register a previously registered client and
regain all SUSE Manager settings. This is useful, for example, when moving
clients that are registered directly to the SUSE Manager Server so that they
are registered to a SUSE Manager Proxy (or Retail Branch Server) instead, when
reinstalling, and in several other cases.

SUSE Manager now supports the combination of reactivation keys and bootstrap
scripts: you can specify a reactivation key in the bootstrap script to
re-register systems. For example, this helps if your SUSE Manager Server has
too many clients directly attached and you want to bulk move them to a SUSE
Manager Proxy (or Retail Branch Server).

Version 4.1.6

Enable SAN SSL certificates

Subject Alternative Name (SAN) is an extension to X.509 that allows various
values to be associated with a security certificate using a subjectAltName
field. This is commonly used to generate SSL certificates that protect multiple
domains with a single certificate.

Because certificates of this kind are becoming popular among users who run
their own Certificate Authority, we have implemented support for them.
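
The following added example (not code from SUSE Manager or rhnlib) shows why a
check that looks only at the Common Name rejects a multi-domain certificate
that a SAN-aware check accepts. The certificate dict uses the layout returned
by Python's ssl.SSLSocket.getpeercert(); all host names and addresses are
constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

# Constructed certificate (placeholder names) in the dict layout returned by
# ssl.SSLSocket.getpeercert(): one certificate covering several hosts.
SAMPLE_CERT = {
    "subject": ((("commonName", "proxy.example.com"),),),
    "subjectAltName": (
        ("DNS", "proxy.example.com"),
        ("DNS", "branch01.example.com"),
        ("DNS", "*.stores.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_match(pattern, hostname):
    """Match one DNS name; '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcards outside the left-most label are rejected
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p_labels) >= 3 and bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial wildcards such as "pro*" are rejected
    return p_labels == h_labels


def _same_ip(value, ip):
    """Compare a SAN 'IP Address' value with a parsed target address."""
    try:
        return ipaddress.ip_address(value) == ip
    except ValueError:
        return False


def cn_only_covers(cert, hostname):
    """Legacy check: compare the host name with the subject Common Name only."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower() == hostname.lower():
                return True
    return False


def cert_covers(cert, target):
    """SAN-aware check for a host name or IP address."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets match only 'IP Address' entries, never DNS names.
        return any(kind == "IP Address" and _same_ip(value, ip)
                   for kind, value in sans)
    dns_names = [value for kind, value in sans if kind == "DNS"]
    if dns_names:
        # When DNS entries exist, the Common Name is not consulted.
        return any(_dns_match(name, target) for name in dns_names)
    # Fallback for certificates that carry no DNS entries at all.
    return cn_only_covers(cert, target)


if __name__ == "__main__":
    for host in ("proxy.example.com", "branch01.example.com",
                 "pos1.stores.example.com", "a.b.stores.example.com",
                 "192.0.2.10"):
        print(host, "CN-only:", cn_only_covers(SAMPLE_CERT, host),
              "SAN-aware:", cert_covers(SAMPLE_CERT, host))
```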

Version 4.1.5.1

Fixes for Salt security issues

Fixes for several Salt critical security issues: CVE-2020-28243,
CVE-2020-28972, CVE-2021-3148, CVE-2021-25281, CVE-2021-25282, CVE-2021-25283,
CVE-2021-3144, CVE-2021-25284, CVE-2021-3197 and CVE-2020-35662.

You should patch all your SUSE Manager Server, Proxy, Retail Branch Server, and
Salt minions as soon as possible.

Version 4.1.5

Bugfix release

Fixes for Salt security issues

This release includes fixes for several security issues with Salt:
CVE-2020-28243, CVE-2020-28972, CVE-2021-3148, CVE-2021-25281, CVE-2021-25282,
CVE-2021-25283, CVE-2021-3144, CVE-2021-25284, CVE-2021-3197 and
CVE-2020-35662.

You should patch all your SUSE Manager Server, Proxy, Retail Branch Server, and
Salt minions as soon as possible.

Version 4.1.4

Bugfix release

Version 4.1.3

Recent Salt CVEs remediation

This release fixes CVE-2020-16846, CVE-2020-17490 and CVE-2020-25592. You
should patch all your SUSE Manager Server, Proxy, Retail Branch Server and Salt
minions as soon as possible.

DNSSEC enabled by default by bind update

With the update of ISC bind to version 9.16.6 on SLES 15 SP1 and SP2, DNSSEC is
now enabled by default, which may cause DNS resolution to fail unless there are
fallback DNS servers.

The Retail Branch Server formula has been modified to disable DNSSEC, and will
be updated to support DNSSEC in a future release of SUSE Manager. For existing
Retail Branch Servers, you can disable DNSSEC to retain the same behaviour ISC
bind showed until version 9.11.2. To do that, edit /etc/bind and set:

    dnssec-enable no;
    dnssec-validation no;

Version 4.1.2

Bugfix release.

New products enabled

  * SUSE Linux Enterprise Real Time 15 SP2

Version 4.1.1

Bugfix release.

Patches

The SUSE Patch Finder is a simple online service to view released patches.

Version 4.1.8

golang-github-prometheus-node_exporter:

  * Update to 1.1.2

      + Bug fixes
          o Handle errors from disabled PSI subsystem
          o Sanitize strings from /sys/class/power_supply
          o Silence missing netclass errors
          o Fix ineffassign issue
          o Fix some noisy log lines
          o filesystem_freebsd: Fix label values
          o Fix various procfs parsing errors
          o Handle no data from powersupplyclass
          o udp_queues_linux.go: change upd to udp in two error strings
          o Fix node_scrape_collector_success behaviour
          o Fix NodeRAIDDegraded to not use a string rule expressions
          o Fix node_md_disks state label from fail to failed
          o Handle EPERM for syscall in timex collector
          o bcache: fix typo in a metric name
          o Fix XFS read/write stats

      + Changes
          o Improve filter flag names
          o Add btrfs and powersupplyclass to list of exporters enabled by
            default

      + Features
          o Add fibre channel collector
          o Expose cpu bugs and flags as info metrics
          o Add network_route collector
          o Add zoneinfo collector

      + Enhancements
          o Add more InfiniBand counters
          o Add flag to aggr ipvs metrics to avoid high cardinality metrics
          o Adding backlog/current queue length to qdisc collector
          o Include TCP OutRsts in netstat metrics
          o Add pool size to entropy collector
          o Remove CGO dependencies for OpenBSD amd64
          o bcache: add writeback_rate_debug status
          o Add check state for mdadm arrays via node_md_state metric
          o Expose XFS inode statistics
          o Expose zfs zpool state
          o Added an ability to pass collector.supervisord.url via
            SUPERVISORD_URL environment variable

  * Do not include sources (bsc#1151558)

  * Remove rc symlink

patterns-suse-manager:

  * Add require for py27-compat-salt (salt 3002 does not provide python2-salt
    anymore)

spacewalk-backend:

  * Fail traditional errata and package actions when they act on retracted
    items

  * Add advisory_status to reposync and ISS

  * Add minrate/timeout configuration values for downloading DEB/RPM packages

  * Switch to www group for satellite logs (bsc#1185097)

  * Fix binary blob corruptions in traditional config file deployment
    (bsc#1183864)

  * Fix for GPG checking on synchronizing mirrored dpkg repo (bsc#1184351)

spacewalk-certs-tools:

  * Fix typo: activaion -> activation

  * Add support of DISABLE_LOCAL_REPOS=0 for salt minions (bsc#1185568)

  * Add missing environment variable SALT_RUNNING for pkg module to the minion
    configuration

spacewalk-proxy:

  * Prevent stopping publishing messages on XPUB socket of salt-broker
    (bsc#1182954)

  * Use Loader=yaml.SafeLoader for yaml.load, because calling yaml.load
    without a Loader is deprecated and the default Loader is unsafe

spacewalk-web:

  * Show the info about unsynced patches in the Content Lifecycle Management
    screens

Version 4.1.7

golang-github-boynux-squid_exporter:

  * Build requires Go 1.15

  * Add %license macro for LICENSE file

golang-github-lusitaniae-apache_exporter:

  * Build with Go 1.15

rhnlib:

  * Require missing python-backports.ssl_match_hostname on SLE 11 (bsc#1183959)

spacecmd:

  * Handle SIGPIPE without a user-visible exception (bsc#1181124)

spacewalk-backend:

  * Deb_src repo plugin is not restoring config namespace on exception
    (bsc#1182197)

  * Fixing improper exception handling causing another exception in
    ThreadedDownloader

  * Avoid race condition due to multiple reposync import threads (bsc#1183151)

  * Fix for UnicodeDecodeError in satellite-sync: Opening RPM file in binary
    mode (bsc#1181274)

spacewalk-certs-tools:

  * Add reactivation key support to bootstrap script (bsc#1181580)

spacewalk-client-tools:

  * Fallback to sysfs when reading info from python-dmidecode fails
    (bsc#1182603)

  * Log an error when product detection failed (bsc#1182339)

spacewalk-web:

  * Fix flow-bin runtime issues that were breaking the tests

Version 4.1.6

mgr-osad:

  * Adapt to new SSL implementation of rhnlib (bsc#1181807)

rhnlib:

  * Change SSL implementation to Python SSL for better SAN and hostname
    matching support (bsc#1181807)

spacewalk-backend:

  * Open repomd files as binary (bsc#1173893)

  * Fix requesting release file in Debian repositories (bsc#1182006)

  * Reposync: Fixed Kickstart functionality.

  * Reposync: Fixed URLGrabber error handling.

  * Reposync: Fix modular data handling for cloned channels (bsc#1177508)

spacewalk-client-tools:

  * Adapt to new SSL implementation of rhnlib (bsc#1181807)

spacewalk-proxy:

  * Adapt to new SSL implementation of rhnlib (bsc#1181807)

spacewalk-proxy-installer:

  * Adapt to new SSL implementation of rhnlib (bsc#1181807)

spacewalk-web:

  * Replace CRLF in SSH private key when bootstrapping (bsc#1182685)

  * Upgrade immer to fix CVE-2020-28477

  * Default to preferred items per page in content lifecycle lists
    (bsc#1180558)

  * Fix sorting in content lifecycle projects and cluster tables (bsc#1180558)

Version 4.1.5.1

salt:

  * VUL-0: salt: February 2021 release (bsc#1181550)

  * VUL-0: CVE-2020-28243: salt: possible privilege escalation on a minion when
    an unprivileged user is able to create files in any non-blacklisted
    directory (bsc#1181556)

  * VUL-0: CVE-2020-28972: salt: authentication to vCenter, vSphere, and ESXi
    servers does not always validate the SSL/TLS certificate (bsc#1181557)

  * VUL-0: CVE-2021-3148: salt: possible command injection when sending crafted
    web requests to the Salt API via SSH client (bsc#1181558)

  * VUL-0: CVE-2021-25281: salt: API does not honor eAuth credentials for the
    wheel_async client (bsc#1181559)

  * VUL-0: CVE-2021-25282: salt: salt.wheel.pillar_roots.write method is
    vulnerable to directory traversal (bsc#1181560)

  * VUL-0: CVE-2021-25283: salt: jinja render does not protect against
    server-side template injection attacks (bsc#1181561)

  * VUL-0: CVE-2021-3144: salt: eauth tokens can be used once after expiration
    (bsc#1181562)

  * VUL-0: CVE-2021-25284: salt: Salt.modules.cmdmod can log credential to the
    'error' log level (bsc#1181563)

  * VUL-0: CVE-2021-3197: salt: Salt-API's SSH client is vulnerable to a shell
    injection by including ProxyCommand in an argument (bsc#1181564)

  * VUL-0: CVE-2020-35662: salt: certain modules do not always validate SSL
    certificates (bsc#1181565)

Version 4.1.5

mgr-osad:

  * Change the log file permissions as expected by logrotate (bsc#1177884)

spacecmd:

  * Fix spacecmd with no parameters produces traceback on SLE 11 SP4
    (bsc#1176823)

  * Added '-r REVISION' option to the 'configchannel_updateinitsls' command
    (bsc#1179566)

  * Fix: internal: workaround for future tee of logs translation

spacewalk-backend:

  * Drop Transfer-Encoding header from proxy response to fix error response
    messages (bsc#1176906)

  * Prevent tracebacks on missing mail configuration (bsc#1179990)

  * Fix pycurl.error handling in suseLib.py (bsc#1179990)

  * Harden extratag key import by execute_values to ignore conflicts

  * Fix Debian package version comparison

  * Use sanitized repo label to build reposync repo cache path (bsc#1179410)

  * Quote the proxy settings to be used by Zypper (bsc#1179087)

  * Add the VirtualPC as virtualization type (bsc#1178990)

  * Truncate author name in the changelog (bsc#1180285)

spacewalk-proxy:

  * Fix package manager string compare - python3 porting issue

spacewalk-web:

  * Fix Package States page display error (bsc#1180580)

  * Fix incorrect password autocompletions (bsc#1148357)

  * Migrate CommonJS based React components to ES6

  * Prevent deletion of CLM environments if they're used in an autoinstallation
    profile (bsc#1179552)

  * Fix loading indicator for tables using SimpleDataProvider (bsc#1177756)

  * Fix question mark explanations for Recurring States (bsc#1179485)

  * Allow specifying both name and label of new Content Environment
    (bsc#1176411)

susemanager-tftpsync-recv:

  * Fix option parsing in configure-tftpsync (bsc#1180017)

uyuni-common-libs:

  * Section in Debian packages is now treated as optional (bsc#1179555)

Version 4.1.4

mgr-daemon:

  * Fix removal of mgr-daemon with selinux enabled (bsc#1177928)

spacecmd:

  * Fix: make spacecmd build on Debian

spacewalk-backend:

  * Fix missing 'LiteServer.add_suse_products' method (bsc#1178704)

  * Do not raise TypeError when processing SUSE products (bsc#1178704)

  * Fix spacewalk-repo-sync to successfully manage and sync ULN repositories

  * Fix errors in spacewalk-debug and align postgresql queries to new DB
    version

  * ISS: Differentiate packages with same nevra but different checksum in the
    same channel (bsc#1178195)

  * Re-enables possibility to use local repos with repo-sync (bsc#1175607)

  * Add 'allow_vendor_change' option to rhn clients for dist upgrades

spacewalk-certs-tools:

  * Improve check for correct CA trust store directory (bsc#1176417)

spacewalk-client-tools:

  * Update translations

spacewalk-web:

  * Update content sensitive help links

  * Fix mandatory channels JS API to finish loading in case of error
    (bsc#1178839)

  * Fix the search panel in CLM filters page

  * Localize documentation links

  * Fix link to documentation in Admin -> Manager Configuration -> Monitoring
    (bsc#1176172)

  * Show cluster upgrade plan in the upgrade UI

  * Don't allow selecting spice for Xen PV and PVH guests

supportutils-plugin-susemanager-client:

  * Remove checks for obsolete packages

  * Gather new configfiles

  * Add more important information

supportutils-plugin-susemanager-proxy:

  * Remove checks for obsolete packages

  * Gather new configfiles

  * Add more important information

Version 4.1.3

mgr-daemon:

  * Update translation strings

spacecmd:

  * Python3 fixes for errata in spacecmd (bsc#1169664)

  * Added support for i18n of user-facing strings

  * Python3 fix for sorted usage (bsc#1167907)

spacewalk-backend:

  * Prevent IntegrityError during mgr-inter-sync execution (bsc#1177235)

spacewalk-client-tools:

  * Remove RH references in Python/Ruby localization and use the product name
    instead

spacewalk-web:

  * Enable switching between multiple Web UI themes

  * Only refresh the virtual storage list when pool events are received

  * Drop node-fetch to fix CVE-2020-15168

  * Notify about missing libvirt or hypervisor on virtual host

  * Redesign maintenance schedule systems table to use paginated data from
    server

susemanager-build-keys:

  * Replace "SuSE" user-facing references with "SUSE"

Version 4.1.2

golang-github-QubitProducts-exporter_exporter:

  * Pin Golang version to 1.14

golang-github-prometheus-node_exporter:

  * Update to 1.0.1

      + Changes to build specification
          o Modify spec: update golang version to 1.14
          o Remove update tarball script
          o Add _service file to allow for updates via osc service disabledrun

      + Bug fixes
          o [BUGFIX] filesystem_freebsd: Fix label values #1728
          o [BUGFIX] Update prometheus/procfs to fix log noise #1735
          o [BUGFIX] Fix build tags for collectors #1745
          o [BUGFIX] Handle no data from powersupplyclass #1747, #1749

  * Update to 1.0.0

      + Bug fixes
          o [BUGFIX] Read /proc/net files with a single read syscall #1380
          o [BUGFIX] Renamed label state to name on
            node_systemd_service_restart_total. #1393
          o [BUGFIX] Fix netdev nil reference on Darwin #1414
          o [BUGFIX] Strip path.rootfs from mountpoint labels #1421
          o [BUGFIX] Fix seconds reported by schedstat #1426
          o [BUGFIX] Fix empty string in path.rootfs #1464
          o [BUGFIX] Fix typo in cpufreq metric names #1510
          o [BUGFIX] Read /proc/stat in one syscall #1538
          o [BUGFIX] Fix OpenBSD cache memory information #1542
          o [BUGFIX] Refactor textfile collector to avoid looping defer #1549
          o [BUGFIX] Fix network speed math #1580
          o [BUGFIX] collector/systemd: use regexp to extract systemd version
            #1647
          o [BUGFIX] Fix initialization in perf collector when using multiple
            CPUs #1665
          o [BUGFIX] Fix accidentally empty lines in meminfo_linux #1671

      + Several enhancements
          o See https://github.com/prometheus/node_exporter/releases/tag/v1.0.0

  * Update to 1.0.0-rc.0

      + The netdev collector CLI argument --collector.netdev.ignored-devices
        was renamed to --collector.netdev.device-blacklist in order to conform
        with the systemd collector. #1279

      + The label named state on node_systemd_service_restart_total metrics was
        changed to name to better describe the metric. #1393

      + Refactoring of the mdadm collector changes several metrics:
        node_md_disks_active is removed; node_md_disks now has a state label
        for "fail", "spare", "active" disks; node_md_is_active is replaced by
        node_md_state with a state set of "active", "inactive", "recovering",
        "resync".

      + Additional label mountaddr added to NFS device metrics to distinguish
        mounts from the same URL, but different IP addresses. #1417

      + Metrics node_cpu_scaling_frequency_min_hrts and
        node_cpu_scaling_frequency_max_hrts of the cpufreq collector were
        renamed to node_cpu_scaling_frequency_min_hertz and
        node_cpu_scaling_frequency_max_hertz. #1510

      + Collectors that are enabled, but are unable to find data to collect,
        now return 0 for node_scrape_collector_success.

  * Add missing sysconfig file in rpm (bsc#1151557)

mgr-daemon:

  * Remove duplicate languages and update translation strings

patterns-suse-manager:

  * Change PostgreSQL requirements to require at least PostgreSQL 12

spacecmd:

  * Fix softwarechannel_listlatestpackages throwing error on empty channels
    (bsc#1175889)

spacewalk-backend:

  * Fix strings (mentions of Satellite, replace SUSE Manager with PRODUCT_NAME,
    etc)

  * Only regenerate bootstrap repositories when linking new packages
    (bsc#1174636)

  * Support installer_updates flag in ISS

  * Remove duplicate languages and update translation strings

spacewalk-certs-tools:

  * Add option --nostricthostkeychecking to spacewalk-ssh-push-init

  * Fix the fallback to RES bootstrap repo for CentOS (bsc#1174423)

spacewalk-client-tools:

  * Remove duplicated languages and update translation strings

spacewalk-web:

  * Fix the jQuery selector in SP Migration page (bsc#1176500)

  * Fix JavaScript error caused by SPA navigation event with empty event field
    (bsc#1176503)

  * Force disable SPA for non-navigation links (bsc#1175512)

  * Add translation support for react t() function

  * Fix striping on react tables

  * Update translation strings

Version 4.1.1

mgr-osad:

  * Move uyuni-base-common dependency from mgr-osad to mgr-osa-dispatcher
    (bsc#1174405)

patterns-suse-manager:

  * Add Recommends for golang-github-QubitProducts-exporter_exporter

spacecmd:

  * Fix softwarechannel update for vendor channels (bsc#1172709)

  * Fix escaping of package names (bsc#1171281)

spacewalk-backend:

  * Take care of SCC auth tokens on DEB repos GPG checks (bsc#1175485)

  * Use spacewalk keyring for GPG checks on DEB repos (bsc#1175485)

  * Adds basic functionality for gpg check

  * Verify GPG signature of Ubuntu/Debian repository metadata (Release file)

spacewalk-certs-tools:

  * Strip SSL Certificate Common Name after 63 Characters (bsc#1173535)

  * Fix centos detection (bsc#1173584)

spacewalk-proxy:

  * Python3 fix for loading pickle file during kickstart procedure
    (bsc#1174201)

spacewalk-web:

  * Upgrade jQuery and adapt the code - CVE-2020-11022 (bsc#1172831)

  * Fix JS linting errors/warnings

  * Enable Nutanix AHV virtual host gatherer.

  * Web UI: Implement managing maintenance schedules and calendars

  * Warn when a system is in multiple groups that configure the same formula in
    the system formula's UI (bsc#1173554)

  * Add virtual network start, stop and delete actions

  * Add virtual network list page

  * Fix internal server error when creating module filters in CLM (bsc#1174325)

  * Fix VM creation page when there is no volume in the default storage pool

  * Refresh virtualization pages only on events

  * Product list in the Wizard doesn't show SLE products first (bsc#1173522)

  * Cluster UI: return to overview page after scheduling actions

  * Changes in the logic to update the tick icon.

  * For the postgres localhost:5432 case, use the

  * Fix internal server errors by returning 0 instead of dying

  * Add missing dependency to spacewalk-base-minimal (bsc#678126)

  * Change kickstart to autoinstallation in navigation on pxt pages

  * Debranding

suseRegisterInfo:

  * Enhance RedHat product detection for CentOS and OracleLinux (bsc#1173584)

uyuni-common-libs:

  * Fix issues importing RPM packages with long RPM headers (bsc#1174965)

Major Changes Since SUSE Manager Proxy 4.0

New products enabled

  * SUSE Linux Enterprise Real Time 12 SP5

  * SUSE Linux Enterprise 15 SP2 family

  * openSUSE Leap 15.2

  * MicroFocus Open Enterprise Server 2018 SP2

  * CentOS 6, 7, and 8

  * Oracle Linux 6, 7 and 8

  * Ubuntu 20.04 LTS

CentOS

Starting with SUSE Manager 4.1, CentOS is supported as a client and shows in
the product tree in the WebUI.

If you were using CentOS via spacewalk-common-channels, you will need to delete
your existing channels, synchronize the channel information from SCC, and
reassign the channels to the clients.

Oracle Linux

Starting with SUSE Manager 4.1, Oracle Linux is supported as a client and shows
in the product tree in the WebUI.

Third-party GPG keys now included

Enabling verification of non-SUSE product metadata used to require manual
acceptance, and sometimes even manual installation, of the third-party keys for
products available from the product tree. Alternatively, there was an option to
not verify the GPG key signature.

In addition to SUSE's, SUSE Manager 4.1 now includes the GPG keys used to sign
packages and/or metadata by other vendors whose products are available in the
product tree in the WebUI:

  * openSUSE

  * CentOS

  * Oracle Linux

  * Ubuntu

  * MicroFocus Open Enterprise Server

Manual acceptance of those keys is no longer required for GPG signature
verification for those products to work.

Manual acceptance of GPG keys for any other product or repository is still
required for security reasons.

Proxy visibility in Systems Overview

SUSE Manager Proxy nodes are now included in the Systems Overview page, with
system type "Proxy".

Salt 3000

Salt has been upgraded to the 3000 release for the SUSE Manager Server, Proxy,
and Client Tools. As part of this upgrade, the cryptography is now managed by
the Python-M2Crypto library (which is itself based on the well-known OpenSSL).

We intend to regularly upgrade Salt to more recent versions.

For more detail about changes in your manually-created Salt states, see the
Salt 3000 upstream release notes.

Content Lifecycle Management filters for AppStreams

RHEL, SLES ES, CentOS and Oracle Linux 8 appstreams can now be mixed and
converted to flat repositories using a new type of CLM filter.

New documentation guides

Two new books have been added to the SUSE Manager 4.1 documentation:

  * Large Deployments Guide. Everything related to architecture and
    configuration for large (thousands of clients) deployments is contained in
    this guide. It contains all the documentation for the SUSE Manager Hub
    component. Some parts of the Salt guide that dealt with parameter tuning
    for large deployments have now been moved here too.

  * Public Cloud QuickStart Guide. This new guide shows you the fastest way to
    get SUSE Manager up and running in a public cloud. It includes instructions
    for Amazon Web Services, Microsoft Azure, and Google Cloud Engine.

Also:

  * A new section on how to configure Salt for GitFS to achieve GitOps has now
    been added to the Salt Guide

  * In-place automatic upgrade of SUSE Linux Enterprise clients is now
    documented, with a sample AutoYaST profile.

  * Example SSO implementation with Keycloak

  * Lots of revised and updated content across all guides

SLES 15 SP2 JeOS as a Base System

The SUSE Manager 4.1 Proxy and Retail Branch Server can now be installed on top
of SLES 15 SP2 JeOS edition.

SUSE Manager for Retail

SLEPOS 15 SP2 clients

Pre-defined templates for SLEPOS 15 SP2 are now provided. SLEPOS 15 SP2 is
supported for 7.5 years since the release date.

Small stores

Where a dedicated SUSE Manager Server or SUSE Manager Retail Branch Server is
not feasible, it is now possible to use a Retail Branch Server running in a
remote datacenter or public cloud.

Thanks to HTTP booting instead of PXE, branch servers no longer need to be on
the same physical network as the terminals.

EFI HTTP booting

The DHCP, branch network, and PXE formulas have been updated to support booting
EFI terminals (systems) using HTTP in addition to TFTP.

Base System Upgrade

The base system was upgraded to SUSE Linux Enterprise 15 SP2.

Known issues

Proxy password

Do not use the '@' character in the SUSE Manager Proxy password, as it is not
escaped correctly.

Single Sign On, API and CLI tools

Single Sign On can be used to authenticate in the Web UI but not with the API
or CLI tools. This will be fixed in a future release of SUSE Manager.

Providing feedback

If you encounter a bug in any SUSE product, please report it through your
support contact or in the SUSE Forums:

https://forums.suse.com/forumdisplay.php?22-SUSE-Manager

Documentation and Other Information

Latest product documentation: https://documentation.suse.com/suma/4.1/.

Technical product information for SUSE Manager:
https://www.suse.com/products/suse-manager/

These release notes are available online: https://www.suse.com/releasenotes

Visit https://www.suse.com for the latest Linux product news from SUSE.

Visit https://www.suse.com/download-linux/source-code.html for additional
information on the source code of SUSE Linux Enterprise products.

Legal Notices

SUSE LLC
Maxfeldstr. 5
D-90409 Nürnberg
Tel: +49 (0)911 740 53 - 0
Email: feedback@suse.com
Registrierung/Registration Number: HRB 36809 AG Nürnberg
Geschäftsführer/Managing Director: Felix Imendörffer
Steuernummer/Sales Tax ID: DE 192 167 791
Erfüllungsort/Legal Venue: Nürnberg

SUSE makes no representations or warranties with regard to the contents or use
of this documentation, and specifically disclaims any express or implied
warranties of merchantability or fitness for any particular purpose. Further,
SUSE reserves the right to revise this publication and to make changes to its
content, at any time, without the obligation to notify any person or entity of
such revisions or changes.

Further, SUSE makes no representations or warranties with regard to any
software, and specifically disclaims any express or implied warranties of
merchantability or fitness for any particular purpose. Further, SUSE reserves
the right to make changes to any and all parts of SUSE software, at any time,
without any obligation to notify any person or entity of such changes.

Any products or technical information provided under this Agreement may be
subject to U.S. export controls and the trade laws of other countries. You
agree to comply with all export control regulations and to obtain any required
licenses or classifications to export, re-export, or import deliverables. You
agree not to export or re-export to entities on the current U.S. export
exclusion lists or to any embargoed or terrorist countries as specified in U.S.
export laws. You agree to not use deliverables for prohibited nuclear, missile,
or chemical/biological weaponry end uses. Please refer to the SUSE Legal
information page for more information on exporting SUSE software. SUSE assumes
no responsibility for your failure to obtain any necessary export approvals.

Copyright © 2012-2020 SUSE LLC.

This release notes document is licensed under a Creative Commons
Attribution-NoDerivatives 4.0 International License (CC-BY-ND-4.0). You should
have received a copy of the license along with this document. If not, see
https://creativecommons.org/licenses/by-nd/4.0/.

SUSE has intellectual property rights relating to technology embodied in the
product that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the
U.S. patents listed at https://www.suse.com/company/legal/ and one or more
additional patents or pending patent applications in the U.S. and other
countries.

For SUSE trademarks, see SUSE Trademark and Service Mark list
(https://www.suse.com/company/legal/). All third-party trademarks are the
property of their respective owners.

Colophon

Thank you for using SUSE Manager Proxy and/or SUSE Manager Retail Branch Server
in your business.

Your SUSE Manager Team.

