3.3. ZENworks Linux Management
Novell is selling ZENworks Linux Management (ZLM) as a way to manage the life cycle of Linux systems. Naturally, patch management is a big part of the operating system life cycle, and its functions are integrated into ZLM, formerly known as Red Carpet Enterprise.
Nevertheless, with the skills already described in this chapter, you can still use local mirrors and download patches to help manage Linux computers on your own network. Many of the aforementioned tools can help you manage patches and updates on other Linux distributions. ZLM is a proprietary interface and is also used to manage many non-Linux operating systems. It is feature-rich; full coverage would require an additional book. In this section, you'll learn to install and configure a ZLM 6.6.1 server and client (which was the latest available when this book was drafted).
While this section briefly describes the Web-based interface, more can be done from the command-line interface, using commands such as rug and rcman. I do not provide detailed descriptions of these tools, as that would refocus this book toward a single proprietary solution that would not work for most Linux distributions. For detailed information on ZLM, see the associated administration guide, which you can download from www.novell.com/documentation/zlm/index.html.
3.3.1. Supported Clients and Servers
If you want to install a ZLM 6.6.1 server, you'll need a computer with SUSE Linux Enterprise Server 9 for Intel 32- or 64-bit computers. Alternatively, you can install ZLM on Red Hat Enterprise Linux 3 AS or ES for Intel 32-bit computers. As of this writing, ZLM 7 was still under development, and we expect that it will be installable as a server on Red Hat Enterprise Linux 4 and work for updates on SUSE Linux Workstation 9.3 and SUSE Linux 10.0 (along with the other client distributions listed below). If you do not want to install either distribution on your network, you'll have to use the techniques previously described in this chapter to keep your SUSE computers up to date.
You can use ZLM to manage updates for a number of different clients. ZLM 6.6.1 clients are available for the following distributions:
3.3.2. Installing the ZLM Server
You'll need a license to operate ZLM. You can download a CD from download.novell.com; search there for the terms zenworks linux. You can download the latest available version in ISO format, which you can then write to a CD.
When you have a ZLM CD available, you can install the ZLM server on one of the supported distributions. It includes an installation script, rce-install, which you can use to install the ZLM server. To install ZENworks, insert and mount the ZLM CD, and then run the rce-install script. If the CD is mounted on the /media/cdrecorder directory, you can run the script with the following command:
As shown in Figure 3-17, the script asks you to accept the license agreement. It asks for your activation code, email address, and any proxy information for your network. It then installs at least the Red Carpet Daemon, rcd, and the Red Carpet command-line client, rug. Support services and packages are also installed, including configuration files that allow you to control the ZLM using a Web server.
Figure 3-17. The ZLM installation process
Make sure that some essential packages are installed, including
3.3.3. Configuring the Web interface
When ZLM is installed, you can configure it from the Web interface. It's available through the secure Web protocol, HTTPS. Open the browser of your choice. If the name of the computer with ZLM installed is zlmserver.example.com, navigate to
Your browser should open up https://zlmserver.example.com/initial.php. At that point, you can configure initial administrative information with
You'll also need to configure the server.key file, which you should have gotten with your Novell ZLM license. To find the server.key file, navigate to your Novell account. It should be associated with the information for your ZLM license. Copy it to the /etc/ximian/rcserver/ directory. Make sure the ownership of this file is appropriate. On SUSE, it should be owned by the wwwrun user and www group. On Red Hat, it should be owned by the apache user and apache group.
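The ownership requirement above can be checked with a short script. This is an added example, not code from the book or from Novell; the function names and the `check` argument are this example's own, and it assumes the distribution can be recognised from /etc/SuSE-release or /etc/redhat-release.

```shell
#!/bin/sh
# Added example (not from the book): check who owns the ZLM server.key file.
# Expected owners are the ones the text gives for SUSE and Red Hat.

KEY_FILE="/etc/ximian/rcserver/server.key"   # directory named in the text

# expected_owner FAMILY -> prints "user:group" for suse or redhat.
expected_owner() {
    case "$1" in
        suse)   echo "wwwrun:www" ;;
        redhat) echo "apache:apache" ;;
        *)      return 1 ;;
    esac
}

# detect_family -> prints suse or redhat, based on each distribution's release file.
detect_family() {
    if [ -f /etc/SuSE-release ]; then echo suse
    elif [ -f /etc/redhat-release ]; then echo redhat
    else return 1
    fi
}

# owner_of FILE -> prints "user:group" as reported by ls -l.
owner_of() {
    ls -ld -- "$1" | awk '{ print $3 ":" $4 }'
}

# check_key_owner FILE USER:GROUP -> 0 match, 1 mismatch, 2 file missing.
check_key_owner() {
    file=$1 want=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    have=$(owner_of "$file")
    [ "$have" = "$want" ] && return 0
    echo "$file is owned by $have, expected $want; fix with: chown $want $file" >&2
    return 1
}

# Run the check when called with "check", e.g.: sh zlm-keycheck.sh check
if [ "${1:-}" = "check" ]; then
    family=$(detect_family) || { echo "unsupported distribution" >&2; exit 2; }
    check_key_owner "$KEY_FILE" "$(expected_owner "$family")"
fi
```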
Now you can open ZLM locally or remotely. The next time you do so, you'll see a login screen where you'll need the username and password.
3.3.4. Configuring Administrators
In all but the smallest networks, there is normally more than one person who needs administrative privileges. It's easy to add another administrator. Log into the ZLM Web-based interface. Click the Admins link on the left side of the menu. This opens the Account Administration menu. You should see your account on the system. Click Create New Administrator. You can now add another ZLM administrative account, using the same information you just used to create your own account. The only difference is that you do not need to use the same email address you used to register ZLM with Novell.
Alternatively, you could set this up from the command-line interface. You can add administrators with the rce-init command. For example, if your other administrator's email address is Joe@blow.abc, you'd run
rce-init -U Joe@blow.abc -P password -R "Joe Blow"
3.3.5. Adding Clients
The ZLM CD also includes the software required to set up ZLM clients. RPM packages for each of the aforementioned client distributions are available in the CD redcarpet2/ subdirectory. The packages are straightforward; they include the following:
There are subdirectories under redcarpet2 for each supported client. The directory names are straightforward. The numbers are associated with version numbers of each distribution, as shown in Table 3-2. These directory names are important; you'll need to use them when you specify a target for update packages shortly.
Additional packages in these directories satisfy associated dependencies. Install the packages from the directory associated with your client distribution, and then start the Red Carpet Daemon with the following command:
Now ZLM is configured to use verified SSL certificates. For more information, see the associated Linux HOWTO document at www.tldp.org/HOWTO/SSL-Certificates-HOWTO. If you want to avoid SSL certificate verification, you can turn it off on each client with the following command; the client then no longer confirms the identity of the server it connects to:
rug set require-verified-certificates false
Next, let your ZLM server know that you're ready to connect this client. To do so, add a connection to the ZLM server. Assuming the server name is zlmserver.example.com, you'd run the following commands to connect to the local ZLM server and disconnect from the default Red Carpet server:
rug service-add https://zlmserver.example.com/data
rug service-delete http://red-carpet.ximian.com
You'll also need to activate each client using a key that you can create in the next section. For example, if you've been told that the activation key is rhel-key, you'd run the following command:
rug activate rhel-key Joe@blow.abc
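The client steps in this section, collected into one script that keeps certificate verification on and refuses a service URL that is not HTTPS. This is an added example, not code from the book or from Novell; it uses only the rug subcommands shown above, and the names ZLM_DRY_RUN, run_rug, valid_service_url and enrol_client are this example's own.

```shell
#!/bin/sh
# Added example (not from the book): enrol a client with the rug commands
# from this section. Set ZLM_DRY_RUN=1 to print the commands without running them.

DEFAULT_SERVICE="http://red-carpet.ximian.com"   # default service named in the text

# run_rug ARGS... -> prints the command in dry-run mode, otherwise runs rug.
run_rug() {
    if [ "${ZLM_DRY_RUN:-0}" = "1" ]; then
        echo "rug $*"
    else
        rug "$@"
    fi
}

# valid_service_url URL -> 0 only for https:// URLs with a host and no whitespace.
valid_service_url() {
    case "$1" in
        *[[:space:]]*) return 1 ;;
        https://?*)    return 0 ;;
        *)             return 1 ;;
    esac
}

# enrol_client SERVICE_URL ACTIVATION_KEY ADMIN_EMAIL
enrol_client() {
    url=$1 key=$2 email=$3
    if ! valid_service_url "$url"; then
        echo "refusing non-HTTPS service URL: $url" >&2
        return 1
    fi
    if [ -z "$key" ] || [ -z "$email" ]; then
        echo "activation key and email are required" >&2
        return 1
    fi
    # Keep certificate verification on so the server is authenticated.
    run_rug set require-verified-certificates true || return 1
    run_rug service-add "$url" || return 1
    run_rug service-delete "$DEFAULT_SERVICE" || return 1
    run_rug activate "$key" "$email"
}

# Example: sh zlm-enrol.sh https://zlmserver.example.com/data rhel-key Joe@blow.abc
if [ "$#" -eq 3 ]; then
    enrol_client "$@"
fi
```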
3.3.6. Setting Up Activations
To actually connect a client to ZLM, you'll need to set up an activation key. You can configure a single-use key or one that can be used for a whole group of clients. To create a reusable key from the Web-based interface, click Server in the left-hand pane, and then click the Create New Reusable Activations link. You can then enter the key and description of your choice. No special entries are required; for example, I've created the rhel-key for my Red Hat clients.
Alternatively, you can create a key from the command-line interface with the appropriate rcman command:
rcman act-add --key=susewks-key
3.3.7. Creating Groups
After you've installed the ZLM client on a number of computers, you may want to organize some of them in groups. As you might expect, groups allow you to configure several computers in the same way. While you can create groups in the Web-based interface, it is (in our opinion) simplest to use the command-line interface. The following example creates the susewks group:
rcman group-add --desc="SUSE Workstations" susewks
All commands in this section prompt for your username and password. As you might remember, the username is the email address associated with the ZLM administrator. While there are switches that allow you to enter the username and password directly on the command line, your password would be exposed in clear text.
Before you add members to a group, you'll want to do a few other things. If you want another administrator to have authority over this group, you can add his account with the following command:
rcman group-addemail susewks Joe@blow.abc all
You're prompted for your authorized username and password. You'll also add the activation key created earlier to the susewks group:
rcman act-addgroup susewks-key susewks
Now it's time to add the computers of your choice to the susewks group. For example, you could add the suse1 computer with the following command:
rcman group-addmachine susewks suse1
You can confirm the results. To list the members of the susewks group, issue this command:
rcman group-listmachines susewks
3.3.8. Configuring Channels
Before you can use ZLM to transfer patches, you need to configure one or more channels. The process is straightforward. For example, to add a PatchMan channel to ZLM, you could run the following command:
rcman channel-add "PatchMan" --desc="PatchManagement"
Associate the channel with the activation key created earlier:
rcman act-addchannel susewks-key PatchMan
Strangely enough, the rcman command returns an error when you have a multiple-word description, such as "Patch Management". Now you can add gaggles of RPM packages to your channel. Consider the packages downloaded to the YaST Online Update Server. As described earlier, one of the applicable directories on SUSE Linux Enterprise Server is /var/lib/YaST2/you/mnt/i386/update/SUSE-CORE/9/rpm/i586. You could navigate to this directory and then add the downloaded RPMs to your ZLM channel with the following command:
rcman channel-addpkg --targets=suse-9-i586 --desc="PatchUpdates" PatchMan *.rpm
You don't have to add every RPM package in a directory, but there are advantages to downloads such as those associated with YaST Online Update Server. There is less concern about conflicts and dependencies from such repositories.
3.3.9. Creating Transactions
Now you can configure transactions. First, make sure that your client is active. From the client, if you haven't already done so, add the service associated with your ZLM server.
rug service-add https://zlmserver.example.com/data
Activate your system with the activation key created earlier.
rug activate susewks-key Joe@blow.abc
If you followed the instructions earlier in this chapter, you should have a PatchMan channel available. To see what channels are available on your system, run the following command:
Now you can activate the channel of your choice. If PatchMan is the channel you want, you'd run the following command:
rug subscribe PatchMan
Now you can find updates available through your channel. For example, the command shown in Figure 3-18 lists any suggested or urgent updates that may be available through the PatchMan channel.
Figure 3-18. Available updates through a ZLM channel
You can install the packages of your choice. For example, if you want to install the updated version of grip (for recording CDs), just run the following command:
rug install grip
You're prompted to confirm before the download starts. If you confirm, ZLM downloads and then automatically installs the package you selected onto your computer. But this isn't very efficient. You can download and install all updates from subscribed channels with the following command:
But be careful; if you do not want to install all updates, such as a new Linux kernel, you'll have to remove the associated packages from the channel on the ZLM server.