nfs://server/path1
sap
nfs://server/path3
supplement
PASSWORD
SID
INSTANCE_NUMBER
no
44 Partitioning for an SAP application without the SAP Installation Wizard SLES-SAP 15 SP2
The sapMDC element is only applicable to SAP HANA.
The sapVirtHostname element must be specified for distributed or highly available in-
stallations.
For a full SAP HANA example, including partitioning, see /usr/share/doc/packages/sap-
installation-wizard/hana-autoyast.xml .
4.6.2 SAP NetWeaver installation
For SAP NetWeaver, the following example shows how the installation can be automated. Specif-
ically, this example is tailored to installing ASCS Instance of an SAP NetWeaver 7.5 ABAP Server
distributed system with MaxDB (product ID NW_ABAP_ASCS:NW750.ADA.ABAP ). When installing
other products based on SAP NetWeaver, not all of the following variables may be necessary or
these variables might need to be replaced by others:
The master password for the SAP NetWeaver instance: MASTER_PASSWORD
The SAP Identifier (SID): SID
The SAP kernel: KERNEL
The SAP instance number: INSTANCE_NUMBER
The ASCS virtual host name: ASCS_VIRTUAL_HOSTNAME
The SCS virtual host name: SCS_VIRTUAL_HOSTNAME
nfs://SERVER/PATH1
sap
nfs://SERVER/PATH2
sap
45 SAP NetWeaver installation SLES-SAP 15 SP2nfs://SERVER/PATH3
supplement
NW_ABAP_ASCS:NW750.ADA.ABAP
adm user. Provided value
# may be encoded.
DiagnosticsAgent.dasidAdmPassword =
# Windows domain in which the Diagnostics Agent users must be created.
# The property is Microsoft Windows only. This is an optional property.
DiagnosticsAgent.domain =
# Password for the Diagnostics Agent specific SAPService user.
# Provided value may be encoded.
# The property is Microsoft Windows only.
DiagnosticsAgent.sapServiceDASIDPassword =
NW_GetMasterPassword.masterPwd = MASTER_PASSWORD
# Human readable form of the Default Login language - valid names are stored
# in a table of the subcomponent NW_languagesInLoadChecks. Used when freshly
# installing an ABAP stack for the machine that performs an ABAP load (in the
# case of a distributed system, that is the database, otherwise it is used by
# the normal installer). The available languages must be declared in the
# LANGUAGES_IN_LOAD parameter of the product.xml . In this file, the one
# character representation of the languages is used. Check the same table in
# the subcomponent mentioned above.
NW_GetSidNoProfiles.SAP_GUI_DEFAULT_LANGUAGE =
# The drive to use (Windows only)
NW_GetSidNoProfiles.sapdrive =
# The /sapmnt path (Unix only)
NW_GetSidNoProfiles.sapmnt = /sapmnt
# The SAP System ID of the system to install
NW_GetSidNoProfiles.sid = SID
# Will this system be unicode system?
NW_GetSidNoProfiles.unicode = true
NW_SAPCrypto.SAPCryptoFile = /data/SAP_CDs/745-UKERNEL-SAP-Unicode-Kernel-745/DBINDEP/
SAPEXE.SAR
46 SAP NetWeaver installation SLES-SAP 15 SP2NW_SCS_Instance.ascsInstanceNumber =
NW_SCS_Instance.ascsVirtualHostname = ASCS_VIRTUAL_HOSTNAME
NW_SCS_Instance.instanceNumber = INSTANCE_NUMBER
NW_SCS_Instance.scsInstanceNumber =
NW_SCS_Instance.scsMSPort =
NW_SCS_Instance.scsVirtualHostname = SCS_VIRTUAL_HOSTNAME
NW_System.installSAPHostAgent = true
NW_Unpack.igsExeSar =
NW_Unpack.igsHelperSar =
NW_Unpack.sapExeDbSar =
NW_Unpack.sapExeSar =
NW_Unpack.sapJvmSar =
NW_Unpack.xs2Sar =
NW_adaptProfile.templateFiles =
# The FQDN of the system.
NW_getFQDN.FQDN =
# Do we want to set the FQDN for the system?
NW_getFQDN.setFQDN = false
# The path to the JCE policy archive to install into the Java home directory
# if it is not already installed.
NW_getJavaHome.jcePolicyArchive =
hostAgent.domain =
# Password for the SAP Host Agent specific sapadm user. Provided value may be
# encoded.
hostAgent.sapAdmPassword = MASTER_PASSWORD
nwUsers.sapDomain =
nwUsers.sapServiceSIDPassword =
47 SAP NetWeaver installation SLES-SAP 15 SP2nwUsers.sidadmPassword =
]]>
48 SAP NetWeaver installation SLES-SAP 15 SP25 Upgrading an SAP HANA cluster
This chapter describes how to upgrade your SAP HANA cluster with the YaST mod-
ule SUSE HANA Cluster Update. This acts as a wizard and guides you through all the
SAP HANA cluster maintenance procedures.
The official SAP HANA documentation describes the so-called Near Zero Downtime Upgrade
Process. The YaST module is based on this process and handles the part of the procedure related
to the SUSE cluster. Not all steps can be done automatically. Some steps need to be performed
manually by the SAP HANA administrator. The YaST module will inform you during the process.
This YaST module is available in the yast2-sap-ha package for SUSE Linux Enterprise Server
for SAP Applications 12 SP3 and higher. Currently, the wizard is only prepared to handle the
SAP HANA Scale-up Performance Optimized scenario.
The upgrade covers the following tasks:
1. Section 5.1, “Preparing the upgrade”
2. Section 5.2, “Upgrading your SAP HANA cluster”
3. Section 5.3, “Finishing the upgrade task”
5.1 Preparing the upgrade
1. Install the yast2-hana-update package on both nodes:
root # zypper install yast2-hana-update
After the installation, you can nd the module SUSE HANA Cluster Update in the YaST
Control Center.
2. On the secondary node, start the YaST Control Center and open the SUSE HANA Cluster
Update module.
3. In the YaST module, review the prerequisites. Make sure to fulfill all of them before con-
tinuing with the next step. Keep in mind that the wizard supports only the HANA Scale-
up Performance Optimized scenario.
4. To upgrade the SAP HANA system, select the secondary node.
49 Preparing the upgrade SLES-SAP 15 SP25. Select the location of the installation medium.
Point to the location where the SAP medium is located. If wanted, check Mount an update
medium on all hosts and provide the NFS share and path.
Important: Dierences between SAP HANA version 1.0 and
2.0
If you are upgrading from SAP HANA version 1.0 to version 2.0, make sure to check
This is a HANA 1.0 to HANA 2.0 upgrade.
The YaST module will copy the PKI SSFS keys from the former secondary node to
the former primary node. More information is available through the Help button.
Continue with Section 5.2, “Upgrading your SAP HANA cluster”.
5.2 Upgrading your SAP HANA cluster
1. Review the update plan generated by the wizard.
The wizard shows you two steps: automatic and manual. In this automatic step, the wizard
puts cluster resources into maintenance mode before it starts with the automatic steps.
The manual steps are SAP HANA specific and need to be executed by an SAP HANA ad-
ministrator. For more information, see the official SAP HANA documentation.
2. Update the SAP HANA software.
The wizard executes the automatic actions and waits until the SAP HANA administrator
performs the SAP HANA upgrade.
3. Perform the SAP HANA upgrade.
4. Review the plan for the primary (remote) node.
After the SAP HANA upgrade is done, the wizard shows the update plan. When you con-
tinue with this step, the wizard turns the primary node into a secondary node to make
it ready for the upgrade.
Keep in mind that this step can take some time.
Continue with Section 5.3, “Finishing the upgrade task”.
50 Upgrading your SAP HANA cluster SLES-SAP 15 SP25.3 Finishing the upgrade task
1. Update the former primary node.
Pay special attention to the --hdbupd_server_nostart option in this step.
2. Restore the previous state of the cluster.
By default, the wizard registers the former master as now being secondary on the SAP
HANA system replication. If you wish to revert the system replication to its original state,
click the Reverse button.
3. Review the update summary.
You can review the original and current SAP HANA versions and the cluster state.
Note: Dealing with intermediate cluster state
If the wizard is faster than the status update of the cluster resources, the summary
shows an intermediate cluster state. The cluster state is UNDEFINED or DEMOTED .
To overcome this, check the cluster status again with the command SAPHanaSR-
showAttr and make sure the former secondary node is now in the state PROMOTED .
Refer to the SUSE blog post https://www.suse.com/c/how-to-upgrade-your-suse-sap-hana-clus-
ter-in-an-easy-way/ for further information.
51 Finishing the upgrade task SLES-SAP 15 SP26 Setting up an installation server for SAP media sets
Using the SAP Installation Wizard, it is possible to copy the SAP media sets from a remote server
(for example, via NFS or SMB). However, using the option provided there means that you need
to install the product at the same time. Additionally, it does not allow for copying all SAP media
used in your organization to a single server.
However, you can easily create such a server on your own. For example, to put the SAP media
sets on an NFS Server, proceed as follows:
PROCEDURE 6.1: ADDING SAP PRODUCT INSTALLATION FILES TO AN NFS SERVER
1. On your installation server, create the directory /srv/www/htdocs/sap_repo .
2. Open the le /etc/exports and add the following:
/srv/www/htdocs/sap_repo *(ro,no_root_squash,sync,no_subtree_check,insecure)
Important: Executable rights must be visible
Clients must be able to see which les are executable. Otherwise, SUSE''s SAP In-
stallation Wizard will not be able to execute the SAP Installer.
3. In /srv/www/htdocs/sap_repo , create a directory for every SAP medium you have. Give
these directories speaking names, so you can identify them later on. For example, you
could use names like kernel , java , or hana .
4. Copy the contents of each SAP medium to the corresponding directory with cp -a .
Important: Avoid using Windows* operating systems for
copying
Using a Windows operating system for copying from/to Windows le systems like
NTFS can break permission settings and capitalization of les and directories.
You can now install from the NFS server you set up. In the SAP Installation Wizard, specify the
path this way: server_name/srv/www/htdocs/sap_repo . For more information about speci-
fying the path, see Table 4.1, “Media source path”.
52 SLES-SAP 15 SP2For information about setting up an NFS server from scratch, see Administration Guide, Part
“Services”, Chapter “Sharing File Systems with NFS”, Section “Installing NFS Server” (https://docu-
mentation.suse.com/sles-15 ).
For information about installing SUSE Linux Enterprise Server from an NFS server, see De-
ployment Guide, Chapter “Remote Installation”, Section “Setting Up an NFS Repository Manually”
(https://documentation.suse.com/sles-15 ).
53 SLES-SAP 15 SP27 Setting up an SAP HANA cluster
You can use a YaST wizard to set up SAP HANA or SAP S/4HANA Database Server clusters
according to best practices, including SAP HANA system replication. A summary of the setup
options is given in Section 1.1.3, “Simplified SAP HANA system replication setup”.
Administrators can now use the SAP HANA-SR Wizard to run the module unattended, usually
for on-premises deployments. Additionally, it is possible to configure the SAP HANA cluster on
Azure now. The YaST module identifies automatically when running on Azure and configures
an extra resource needed on Pacemaker.
The following Best Practices from the SUSE Linux Enterprise Server for SAP Applications Re-
source Library (https://www.suse.com/products/sles-for-sap/resource-library/ ) contain setup
instructions:
Performance-optimized scenario and multi-tier/chained scenario: Setting up a SAP HANA
SR Performance Optimized Infrastructure
Cost-optimized scenario: Setting up a SAP HANA SR Cost Optimized Infrastructure
Important: Wizard can only be used for initial configuration
The YaST wizard described in the following can only be used for the initial cluster con-
figuration.
To reconfigure a cluster, use the separate YaST module Cluster (available from package
yast2-cluster ). For more information about its usage, see Administration Guide, Part
“Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Module” at https://docu-
mentation.suse.com/sle-ha-15 .
7.1 Prerequisites
The following procedure has prerequisites:
Two machines which both have an SAP HANA installation created by the SAP Installation
Wizard or SAP HANA Application Lifecycle Management. Both machines need to be on
the same L2 network (subnet).
In the case of a multi-tier/chained scenario, there must also be a third machine elsewhere.
The machines are not yet set up as a high-availability cluster.
54 Prerequisites SLES-SAP 15 SP2openSSH is running on both machines and the nodes can reach each other via SSH. How-
ever, if that has not already happened, the wizard will perform the SSH key exchange itself.
For more information about SSH, see Security Guide, Part “Network Security”, Chapter “SSH:
Secure Network Operations” at https://documentation.suse.com/sles-15 .
A disk device that is available to both nodes under the same path for SBD. It must not
use host-based RAID, cLVM2 or reside on a DRBD instance. The device can have a small
size, for example, 100 MB.
You have created either:
A key in the SAP HANA Secure User Store on the primary node
An initial SAP HANA backup on the primary node
The package yast2-sap-ha is installed on both the primary and the secondary node.
HANA-Firewall is set up on both computers with the rules HANA_HIGH_AVAILABILITY and
HANA_SYSTEM_REPLICATION on all relevant network interfaces.
For information about setting up HANA-Firewall, see Section 9.2, “Configuring HANA-Firewall”.
Cost-optimized scenario only: The secondary node has a second SAP HANA installation. The
database may be running but will be stopped automatically by the wizard.
Cost-optimized scenario only: For the non-production SAP HANA instance, you have created
an SAP HANA Secure User Store key QASSAPDBCTRL for monitoring purposes. For more
information, see SAP HANA SR Cost Optimized Scenario, Chapter “Installing the SAP HANA
Databases on both cluster nodes”, Section “Postinstallation configuration”, Section “Install the
non-productive SAP HANA database (QAS)” at https://www.suse.com/products/sles-for-sap/
resource-library/ .
7.2 Setup
The following procedure needs to be executed on the primary node (also called the “mas-
ter”). Before proceeding, make sure the prerequisites listed in Section 7.1, “Prerequisites” are
fulfilled.
1. Open the YaST control center. In it, click HA Setup for SAP Products in the category High
Availability.
55 Setup SLES-SAP 15 SP22. If an SAP HANA instance has been detected, you can choose between the scale-up scenarios
Performance-optimized, Cost-optimized, or Chained (multi-tier). For information about these
scale-up scenarios, see Section 1.1.3, “Simplified SAP HANA system replication setup”.
Continue with Next.
3. This step of the wizard presents a list of prerequisites for the chosen scale-up scenario.
These prerequisites are the same as those presented in Section 7.1, “Prerequisites”.
Continue with Next.
4. The next step lets you configure the communication layer of your cluster.
Provide a name for the cluster.
The default transport mode Unicast is usually appropriate.
Under Number of rings, a single communication ring usually suffices.
For redundancy, it is often better to use network interface bonding instead of multi-
ple communication rings. For more information, see Administration Guide, Part “Con-
figuration and Administration”, Chapter “Network Device Bonding” at https://documen-
tation.suse.com/sle-ha-15 .
From the list of communication rings, configure each enabled ring. To do so, click
Edit selected, then select a network mask (IP address) and a port (Port number) to
communicate over.
56 Setup SLES-SAP 15 SP2Finish with OK.
Additionally, decide whether to enable the configuration synchronization service
Csync2 and Corosync secure authentication using HMAC/SHA1.
For more information about Csync2, see Administration Guide Part “Installation, Setup
and Upgrade”, Chapter “Using the YaST Cluster Module”, Section “Transferring the Con-
figuration to All Nodes” at https://documentation.suse.com/sle-ha-15 .
For more information about Corosync secure authentication, see Administration
Guide, Part “Installation, Setup and Upgrade”, Chapter “Using the YaST Cluster Mod-
ule”, Section “Defining Authentication Settings” at https://documentation.suse.com/sle-
ha-15 .
Proceed with Next.
5. The wizard will now check whether it can connect to the secondary machine using SSH.
If it can, it will ask for the root password to the machine.
Enter the root password.
The next time the primary machine needs to connect to the secondary machine, it will
connect using an SSH certificate instead of a password.
6. For both machines, set up the host names and IP address (for each ring).
Host names chosen here are independent from the virtual host names chosen in SAP HANA.
However, to avoid issues with SAP HANA, host names must not include hyphen characters
( - ).
57 Setup SLES-SAP 15 SP2If this has not already been done before, such as during the initial installation of SAP
HANA, host names of all cluster servers must now be added to the le /etc/hosts . For
this purpose, activate Append to /etc/hosts.
Proceed with Next.
7. If NTP is not yet set up, do so. This avoids the two machines from running into issues
because of time differences.
a. Click Reconfigure.
b. On the tab General Settings, activate Now and on Boot.
c. Add a time server by clicking Add. Click Server and Next. Then specify the IP address
of a time server outside of the cluster. Test the connection to the server by clicking
Test.
To use a public time server, click Select Public server and select a time server. Finish
with OK.
Proceed with OK.
d. On the tab Security Settings, activate Open Port in Firewall.
e. Proceed with Next.
8. In the next step, choose fencing options. The YaST wizard only supports the fencing mech-
anism SBD (STONITH block device). To avoid split-brain situations, SBD uses a disk device
which stores cluster state.
The chosen disk must be available from all machines in the cluster under the same path.
Ideally, use either by-uuid or by-path for identification.
The disk must not use host-based RAID, cLVM2 or reside on a DRBD instance. The device
can have a small size, for example, 100 MB.
Warning: Data on device will be lost
All data on the chosen SBD device or devices will be deleted.
To define a device to use, click Add, then choose an identification method such as by-uuid
and select the appropriate device. Click OK.
To define additional SBD command-line parameters, add them to SBD options.
If your machines reboot particularly fast, activate Delay SBD start.
58 Setup SLES-SAP 15 SP2For more information about fencing, see the Administration Guide at https://documenta-
tion.suse.com/sle-ha-15 .
Proceed with Next.
9. The following page allows configuring watchdogs which protect against the failure of the
SBD daemon itself and force a reboot of the machine in such a case.
It also lists watchdogs already configured using YaST and watchdogs that are currently
loaded (as detected by lsmod ).
To configure a watchdog, use Add. Then choose the correct watchdog for your hardware
and leave the dialog with OK.
For testing, you can use the watchdog softdog . However, we highly recommend us-
ing a hardware watchdog in production environments instead of softdog . For more
information about selecting watchdogs, see Administration Guide, Part “Storage and Da-
ta Replication”, Chapter “Storage Protection”, Section “Conceptual Overview”, Section “Set-
ting Up Storage-based Protection”, Section “Setting up the Watchdog” at https://documenta-
tion.suse.com/sle-ha-15 .
Proceed with Next.
10. Set up the parameters for your SAP HANA installation or installations. If you have selected
the cost-optimized scenario, additionally ll out details related to the non-production SAP
HANA instance.
Production SAP HANA instance
Make sure that the System ID and Instance number match those of your SAP
HANA configuration.
Replication mode and Operation mode usually do not need to be changed.
For more information about these parameters, see the HANA Administration
Guide provided to you by SAP.
Under Virtual IP address, specify a virtual IP address for the primary SAP HANA
instance. Under Virtual IP Mask, set the length of the subnetwork mask in CIDR
format to be applied to the Virtual IP address.
Prefer site takeover defines whether the secondary instance should take over the
job of the primary instance automatically (true). Alternatively, the cluster will
restart SAP HANA on the primary machine.
59 Setup SLES-SAP 15 SP2Automatic registration determines whether primary and secondary machine
should switch roles after a takeover.
Specify the site names for the production SAP HANA instance on the two nodes
in Site name 1 and Site name 2.
Having a backup of the database is a precondition for setting up SAP HANA
replication.
If you have not previously created a backup, activate Create initial backup. Un-
der Backup settings, configure the File name and the Secure store key for the
backup. The key in the SAP HANA Secure User Store on the primary node must
have been created before starting the wizard.
For more information, see the documentation provided to you by SAP.
Cost-optimized scenario only: Within Production system constraints, configure how
the production instance of SAP HANA should behave while inactive on the
secondary node.
Setting the Global allocation limit allows directly limiting memory usage. Acti-
vating Preload column tables will increase memory usage.
For information about the necessary global allocation limit, see documentation
provided to you by SAP such as How to Perform System Replication for SAP HANA
at https://archive.sap.com/documents/docs/DOC-47702 .
Cost-optimized scenario only: non-production SAP HANA instance
Make sure that the System ID and Instance number match those of your non-
production SAP HANA instance.
These parameters are needed to allow monitoring the status of the non-produc-
tion SAP HANA instance using the SAPInstance resource agent.
Generate a hook script for stopping the non-production instance and starting
the production instance and removing the constraints on the production system.
The script is written in Python 2 and can be modified as necessary later.
Click Hook script and then set up the correct user name and password for the
database. Then click OK.
You can now manually verify and change the details of the generated hook
script. When you are done, click OK to save the hook script at /hana/shared/
SID/srHook .
60 Setup SLES-SAP 15 SP2Warning: Passwords stored in plain text
By default, the hook script stores all credentials in plain text. To improve
security, modify the script yourself.
Proceed with Next.
FIGURE 7.1: SAP HANA OPTIONS (COST-OPTIMIZED SCENARIO)
11. On the page High-Availability Configuration Overview, check that the setup is correct.
To change any of the configuration details, return to the appropriate wizard page by click-
ing one of the underlined headlines.
Proceed with Install.
12. When asked whether to install additional software, confirm with Install.
13. After the setup is done, there is a screen showing a log of the cluster setup.
To close the dialog, click Finish.
14. Multi-tier/chain scenario only: Using the administrative user account for the production
SAP HANA instance, register the out-of-cluster node for system replication:
SIDadm > hdbnsutil -sr_register --remoteHost=SECONDARY_HOST_NAME \
--remoteInstance=INSTANCE_NUMBER --replicationMode=async \
--name=SITE_NAME
61 Setup SLES-SAP 15 SP27.3 Unattended setup using SAP HANA-SR wizard
An unattended setup requires a manual installation of HANA rst. The result is saved into a le
containing all configuration options that were chosen. If the administrator needs to reproduce
the installation, with this le the installation can be run automatically and unattended.
To use it, perform the following steps on both nodes:
1. On the production machines with SAP HANA installed, create a configuration le by run-
ning the sap_ha YaST module.
2. On the last screen, click the Save configuration button.
3. Decide what you want to do:
• To review the configuration, upload and validate the configuration on the primary
SAP HANA machine and run:
root # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH
It is possible to start the installation on the review screen.
• To start the installation based on the provided configuration le unattended, run:
root # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH unattended
4. Import, validate, and install the cluster unattended, based on the provided configuration
le:
root # yast2 sap_ha readconfig CONFIGURATION_FILE_PATH unattended
7.4 Using Hawk
After you have set up the cluster using the wizard, you can open Hawk directly from the last
screen of the HA Setup for SAP Products wizard.
To revisit Hawk, open a browser and as the URL, enter the IP address or host name of any cluster
node running the Hawk Web service. Alternatively, enter the virtual IP address you configured
in Section 7.2, “Setup”.
https://HAWKSERVER:7630/
62 Unattended setup using SAP HANA-SR wizard SLES-SAP 15 SP2On the Hawk login screen, use the following login credentials:
Username: hacluster
Password: linux
Important: Secure password
Replace the default password with a secure one as soon as possible:
root # passwd hacluster
7.5 For more information
Hawk. Administration Guide, Part Configuration and Administration, Chapter Configuring and
Managing Cluster Resources with Hawk (https://documentation.suse.com/sle-ha-15 ).
Near zero downtime for SAP HANA system replication. Use
SAP HANA System Replication for Near Zero Downtime Up-
grades (https://help.sap.com/viewer/2c1988d620e04368aa4103bf26f17727/2.0.03/en-US/
ee3fd9a0c2e74733a74e4ad140fde60b.html) .
Implementing the Python hook SAPHanaSR. https://documentation.suse.com/sbp/all/html/
SLES4SAP-hana-sr-guide-PerfOpt-15/
63 For more information SLES-SAP 15 SP28 Tuning
This chapter presents information about tuning SUSE Linux Enterprise Server for SAP Applica-
tions to work optimally with SAP applications.
On SUSE Linux Enterprise Server for SAP Applications you have the choice between sapconf
and saptune . However, saptune is the more elaborate tool that offers more features.
Note: The sapconf command has been removed
In SUSE Linux Enterprise Server and SUSE Linux Enterprise Server for SAP Applications
11 and 12, the sapconf command was included in the package with the same name.
For SUSE Linux Enterprise Server and SUSE Linux Enterprise Server for SAP Applications
15 this has been changed: the command sapconf have been removed from the sapconf
package. The package contains a systemd service only. There is no sapconf command
line tool anymore, no sapconf / tuned profiles, and no tuned .
8.1 Tuning systems with sapconf 4
The package sapconf is available in SUSE Linux Enterprise Server and SUSE Linux Enterprise
Server for SAP Applications. This package contains the tuned profile sapconf . This single
tuning profile sets recommended parameters for the following types of SAP applications: SAP
NetWeaver, SAP HANA and SAP HANA-based applications.
OVERVIEW OF sapconf4 IN SUSE® LINUX ENTERPRISE SERVER 12
sapconf 4 ( tuned based)
sap-netweaver ( tuned profile)
sap-hana ( tuned profile)
sap-bobj ( tuned profile)
sap-ase ( tuned profile)
OVERVIEW OF sapconf4 IN SUSE® LINUX ENTERPRISE SERVER 15
sapconf 4 ( tuned based)
sapconf ( tuned profile)
64 Tuning systems with sapconf 4 SLES-SAP 15 SP2Note that if you previously made changes to the system tuning, those changes may be overwrit-
ten by the sapconf profile.
sapconf consists of two primary parts:
A systemd service that ensures tuned and related services are running and the sapconf
profile is applied.
The tuned profile sapconf that applies configured sapconf tuning parameters using a
script and configuration les.
To use sapconf , make sure that the packages tuned and sapconf are installed on your system.
Note: Unified profiles in SUSE Linux Enterprise Server and SUSE
Linux Enterprise Server for SAP Applications 15 SP2
In SUSE Linux Enterprise Server and SUSE Linux Enterprise Server for SAP Applications
15 and above, only a single tuned profile, sapconf , is shipped. It is equivalent to the
profiles sap-hana / sap-netweaver shipped in earlier versions of SUSE Linux Enterprise
Server for SAP Applications.
8.1.1 Enabling and disabling sapconf and viewing its status
After the installation of sapconf , tuned is enabled and the sapconf profile is activated. How-
ever, if another tuned profile is already enabled, sapconf will not enable its own tuned pro-
file.
To make sure sapconf applies all tuning parameters, reboot the machine after installation.
You can inspect or change the status of sapconf as described in the following:
To see the status of the service sapconf :
root # systemctl status sapconf
The service should be displayed as active (exited), as it is only responsible for starting
tuned and will exit afterward.
To start the service sapconf and with it the service tuned :
root # systemctl start sapconf
65 Enabling and disabling sapconf and viewing its status SLES-SAP 15 SP2Should sapconf be disabled, enable and start it with:
root # systemctl enable --now sapconf
To stop the service sapconf and with it the service tuned :
root # systemctl stop sapconf
This will terminate tuned as well, therefore the vast majority of optimizations will be
disabled immediately. The only exceptions from that are options that require a system
reboot to enable/disable.
To disable sapconf , use:
root # systemctl disable sapconf
If you have not specifically enabled any of the services that sapconf depends on yourself,
this will also disable most tuning parameters and all services used by sapconf .
Similarly, you can inspect and change the status of the underlying service tuned :
To see the status of the service tuned :
root # systemctl status tuned
To see which tuned profile is currently in use:
root # tuned-adm active
If this command does not return the name of the currently active profile as sapconf ,
enable that profile:
root # tuned-adm profile sapconf
66 Enabling and disabling sapconf and viewing its status SLES-SAP 15 SP2Tip: Additional services that sapconf relies on
In addition to the sapconf service itself and the tuned service, sapconf also relies on
the following two services:
sysstat which collects data on system activity.
uuidd which generates time-based UUIDs that are guaranteed to be unique even
in settings where many processor cores are involved. This is necessary for SAP ap-
plications.
8.1.2 Configuring sapconf4
In general, the default configuration of sapconf already uses the parameter values recommend-
ed by SAP. However, if you have special needs, you can configure the tool to better suit those.
The configuration of sapconf is split into two parts that can be configured in different ways:
/usr/lib/tuned/PROFILE/tuned.conf
Any le that adheres to this pattern can be edited like in Procedure 8.1, “Configuring sapconf4
profiles”. To configure parameters from this le, copy it to the custom profile directory of
tuned under /etc/tuned rst and then change values in it. If you change the le in place
instead, you will lose the changes you make on the next update of the sapconf package.
The following procedure shows an example how to adapt the le /usr/lib/tuned/sap-
conf/tuned.conf . However, as written before, this is possible with any profile. Configure
the le as described in the following procedure:
PROCEDURE 8.1: CONFIGURING sapconf4 PROFILES
1. Create a new custom tuned profile directory and copy the le tuned.conf :
root # mkdir /etc/tuned/sapconf
root # cp /usr/lib/tuned/sapconf/tuned.conf /etc/tuned/sapconf/
2. Within the newly copied tuned.conf , x the reference to script.sh to use an
absolute path that points to the script from the original profile:
script = /usr/lib/tuned/sapconf/script.sh
67 Configuring sapconf4 SLES-SAP 15 SP2Do not instead copy script.sh , as that provokes update compatibility issues for
sapconf .
3. Edit the parameters in /etc/tuned/sapconf/tuned.conf .
After each update to sapconf , make sure to compare the contents of the original and the
custom tuned.conf .
Log messages related to this le are written to /var/log/tuned/tuned.log .
/etc/sysconfig/sapconf
This le contains most parameters of sapconf . The parameters from this le are applied
using the aforementioned script /usr/lib/tuned/sapconf/script.sh .
This le can be edited directly. All parameters in this le are explained by means of com-
ments and references to SAP Notes which can be viewed at https://launchpad.support.s-
ap.com/ .
When sapconf is updated, all customized parameters from this le will be preserved as
much as possible. However, sometimes parameters cannot be transferred cleanly to the
new configuration le. Therefore, after updating it is advisable to check the difference
between the previous custom configuration which during the update is moved to /etc/
sysconfig/sapconf.rpmsave and the new version at /etc/sysconfig/sapconf .
Log messages related to this le are written to /var/log/sapconf.log .
When editing either of these les, you will nd that some values are commented by means of
a # character at the beginning of the line. This means that while the parameter is relevant for
tuning, there is no suitable default for it.
Conversely, you can add # characters to the beginning of the line to comment specific parame-
ters. However, you should avoid this practice, as it can lead to sapconf not properly applying
the profile.
To apply edited configuration, restart sapconf :
root # systemctl restart sapconf
68 Configuring sapconf4 SLES-SAP 15 SP2Confirming that a certain parameter value was applied correctly works differently for different
parameters. Hence, the following serves as an example only:
EXAMPLE 8.1: CHECKING PARAMETERS
To confirm that the setting for TCP_SLOW_START was applied, do the following:
View the log le of sapconf to see whether it applied the value. Within /var/log/
sapconf.log , check for a line containing this text:
Change net.ipv4.tcp_slow_start_after_idle from 1 to 0
Alternatively, the parameter may have already been set correctly before sapconf
was started. In this case, sapconf will not change its value:
Leaving net.ipv4.tcp_slow_start_after_idle unchanged at 1
The underlying option behind TCP_SLOW_START can be manually configured at
/proc/sys/net.ipv4.tcp_slow_start_after_idle . To check its actual current
value, use:
root # sysctl net.ipv4.tcp_slow_start_after_idle
8.1.3 Removing sapconf
To remove sapconf from a system, uninstall its package with:
root # zypper rm sapconf
Note that when doing this, dependencies of sapconf will remain installed. However, the ser-
vices sysstat and tuned will go into a disabled state. If either is still relevant to you, make
sure to enable it again.
Certain parameters and les are not removed when sapconf is uninstalled. For more informa-
tion, see the man page man 7 sapconf , section PACKAGE REQUIREMENTS.
69 Removing sapconf SLES-SAP 15 SP28.1.4 For more information
The following man pages provide additional information about sapconf :
High-level overview of tuning parameters used by sapconf : man 7 tuned-pro-
files-sapconf
Detailed description of all tuning parameters set by sapconf : man 5 sapconf
Information about configuring and customizing the sapconf profile: man 7 sapconf
Also see the blog series detailing the updated version of sapconf at https://www.suse.com/c/
a-new-sapconf-is-available/ .
8.2 Tuning systems with sapconf 5
The package sapconf is available in SUSE Linux Enterprise Server and SUSE Linux Enterprise
Server for SAP Applications. It sets recommended parameters for the following types of SAP
applications: SAP NetWeaver, SAP HANA and SAP HANA-based applications.
OVERVIEW OF sapconf5 IN SUSE® LINUX ENTERPRISE SERVER 12
sapconf 5 (without tuned )
sapconf-netweaver ( sapconf profile as a replacement for tuned profile)
sapconf-hana ( sapconf profile as a replacement for tuned profile)
sapconf-bobj ( sapconf profile as a replacement for tuned profile)
sapconf-ase ( sapconf profile as a replacement for tuned profile)
OVERVIEW OF sapconf5 IN SUSE® LINUX ENTERPRISE SERVER 15
sapconf 5 (without tuned )
no profiles anymore
Note that if you previously made changes to the system tuning, those changes may be overwrit-
ten by sapconf .
sapconf 5 ships a systemd service which applies the tuning and ensures that related services
are running.
70 For more information SLES-SAP 15 SP2To use sapconf , make sure that the package sapconf is installed on your system.
Note: No profiles in SUSE Linux Enterprise Server and SUSE
Linux Enterprise Server for SAP Applications 15 SP2
In SUSE Linux Enterprise Server and SUSE Linux Enterprise Server for SAP Applications
15, sapconf no longer supports profiles.
8.2.1 Enabling and disabling sapconf and viewing its status
After the installation of sapconf , the sapconf service is enabled.
You can inspect or change the status of sapconf as described in the following:
To see the status of the service sapconf :
root # systemctl status sapconf
The service should be displayed as active (exited).
To start the service sapconf :
root # systemctl start sapconf
Should sapconf be disabled, enable and start it with:
root # systemctl enable --now sapconf
To stop the service sapconf :
root # systemctl stop sapconf
This command will disable the vast majority of optimizations immediately. The only ex-
ceptions from this rule are options that require a system reboot to enable/disable.
To disable sapconf , use:
root # systemctl disable sapconf
If you have not specifically enabled any of the services that sapconf depends on yourself,
this will also disable most tuning parameters and all services used by sapconf .
71 Enabling and disabling sapconf and viewing its status SLES-SAP 15 SP2Tip: Additional services that sapconf relies on
In addition to the sapconf service it also relies on the following two services:
sysstat which collects data on system activity.
uuidd which generates time-based UUIDs that are guaranteed to be unique even
in settings where many processor cores are involved. This is necessary for SAP ap-
plications.
8.2.2 Configuring sapconf5
In general, the default configuration of sapconf already uses the parameter values recommend-
ed by SAP. However, if you have special needs, you can configure the tool to better suit those.
All parameters of sapconf can be found in the le /etc/sysconfig/sapconf . The le can be
edited directly. All parameters in this le are explained by means of comments and references
to SAP Notes which can be viewed at https://launchpad.support.sap.com/ .
When sapconf is updated, all customized parameters from this le will be preserved as much as
possible. However, sometimes parameters cannot be transferred cleanly to the new configuration
le. Therefore, after updating it is advisable to check the difference between the previous custom
configuration which during the update is moved to /etc/sysconfig/sapconf.rpmsave and
the new version at /etc/sysconfig/sapconf .
Log messages related to this le are written to /var/log/sapconf.log .
When editing either of these les, you will nd that some values are commented by means of
a # character at the beginning of the line. This means that while the parameter is relevant for
tuning, there is no suitable default for it.
Conversely, you can add # characters to the beginning of the line to comment specific parame-
ters. However, you should avoid this practice, as it can lead to sapconf not properly applying
the profile.
To apply edited configuration, restart sapconf :
root # systemctl restart sapconf
72 Configuring sapconf5 SLES-SAP 15 SP2Confirming that a certain parameter value was applied correctly works differently for different
parameters. Hence, the following serves as an example only:
EXAMPLE 8.2: CHECKING PARAMETERS
To confirm that the setting for TCP_SLOW_START was applied, do the following:
View the log le of sapconf to see whether it applied the value. Within /var/log/
sapconf.log , check for a line containing this text:
Change net.ipv4.tcp_slow_start_after_idle from 1 to 0
Alternatively, the parameter may have already been set correctly before sapconf
was started. In this case, sapconf will not change its value:
Leaving net.ipv4.tcp_slow_start_after_idle unchanged at 1
The underlying option behind TCP_SLOW_START can be manually configured at
/proc/sys/net.ipv4.tcp_slow_start_after_idle . To check its actual current
value, use:
root # sysctl net.ipv4.tcp_slow_start_after_idle
8.2.3 Removing sapconf
To remove sapconf from a system, uninstall its package with:
root # zypper rm sapconf
Note that when doing this, dependencies of sapconf will remain installed. However, the service
sysstat will go into a disabled state. If it is still relevant to you, make sure to enable it again.
8.2.4 For more information
The following man pages provide additional information about sapconf :
Detailed description of all tuning parameters set by sapconf : man 5 sapconf
Information about configuring and customizing the sapconf profile: man 7 sapconf
Also see the blog series detailing the updated version of sapconf at https://www.suse.com/c/
a-new-sapconf-is-available/ .
73 Removing sapconf SLES-SAP 15 SP28.2.5 Using tuned together with sapconf
With version 5 sapconf does not rely on tuned anymore. This means both tools can be used
independently. sapconf will print a warning in it''s log if tuned service is started.
Note: Important: using tuned and sapconf together
If you are going to use tuned and sapconf simultaneously, be very careful, that bot
tools do not configure the same system parameters.
8.3 Tuning systems with saptune
Using saptune , you can tune a system for SAP NetWeaver, SAP HANA/SAP BusinessObjects,
and SAP S/4HANA applications. This method relies on the system tuning service tuned .
To use saptune , make sure that the packages tuned and saptune are installed on your system.
Note: tuned daemon
sapconf (only version 4) and saptune both rely on the daemon tuned to set tuning
configuration but they use different (though very similar) tuning profiles. Therefore, only
one of sapconf or saptune can be enabled at a time.
8.3.1 Enabling saptune to tune for an SAP application
1. To tune a system, rst nd a tuning solution. To nd the appropriate solution, use:
tux > saptune solution list
saptune knows the following tuning solutions (groups of SAP notes):
BOBJ . Solution for running SAP BusinessObjects.
HANA . Solution for running an SAP HANA database.
MAXDB . Solution for running an SAP MaxDB database.
NETWEAVER . Solution for running SAP NetWeaver application servers.
74 Using tuned together with sapconf SLES-SAP 15 SP2S4HANA-APPSERVER . Solution for running SAP S/4HANA application servers (identi-
cal to SAP NetWeaver solution).
S4HANA-APP+DB . Solution for running both SAP S/4HANA application servers and
SAP HANA on the same host (identical to SAP NetWeaver + SAP HANA solution).
S4HANA-DBSERVER . Solution for running the SAP HANA database of an SAP
S/4HANA installation (identical to SAP HANA solution).
SAP-ASE . Solution for running an SAP Adaptive Server Enterprise database.
Alternatively, you can tune the computer according to recommendations from specific
SAP Notes. A list of notes that you can tune for is available via:
root # saptune note list
2. To set up saptune with a preconfigured solution, use:
root # saptune solution apply SOLUTION
To set up saptune for the recommendations of a specific SAP Note, use:
root # saptune note apply NOTE
Note: Combining optimizations
You can combine solutions and notes. However, only one solution can be active at
a time. In rare cases, notes can have conflicting options or parameters. To avoid
conflicts, order your notes, keeping in mind that the last note always overrides
conflicting options or parameters of previous notes.
3. To start saptune and enable it at boot, make sure to run the following command:
root # saptune daemon start
In the background, saptune applies a tuned profile also named saptune that is dynamically
customized according to selected “solutions” and “notes”. Using tuned-adm list , you can also
see this profile.
75 Enabling saptune to tune for an SAP application SLES-SAP 15 SP28.3.2 Customizing an SAP note
Every SAP note can be configured freely with:
root # saptune note customise
The command includes changing a value or disabling a parameter.
8.3.3 Creating a new SAP note
It is possible to create a new SAP note with:
root # saptune note create
All features of saptune are available.
8.3.4 Deleting an SAP note
This command allows to delete a created note, including the corresponding override le if avail-
able:
root # saptune note delete test
Note to delete is a customer/vendor specific Note.
Do you really want to delete this Note (test2)? [y/n]: y
The note may not be applied at the time. Keep in mind the following points:
A confirmation is needed to finish the action.
Internal SAP notes shipped by saptune cannot be deleted. Instead, the override le is
removed when available.
If the note is already applied, the command will be terminated with the information, that
the note rst needs to be reverted before it can be deleted.
8.3.5 Renaming an SAP note
This command allows to rename a created note to a new name. If a corresponding override le
is available, this le will be renamed too:
root # saptune note rename test test2
76 Customizing an SAP note SLES-SAP 15 SP2Note to rename is a customer/vendor specific Note.
Do you really want to rename this Note (test) to the new name ''test2''? [y/n]: y
The note may not be applied at the time. Keep in mind the following points:
A confirmation is needed to finish the action.
Internal SAP notes shipped by saptune cannot be renamed.
If the note is already applied, the command will be terminated with the information, that
the note rst needs to be reverted before it can be deleted.
8.3.6 Showing the configuration of an SAP note
The shipped configuration of a note can be listed with:
root # saptune note show
8.3.7 Verifying an SAP note or an SAP solution
The commands saptune note verify NOTE and saptune solution verify SOLUTION list
the following data for each active or requested note:
The parameter name
The expected value (default)
A configured override (created using saptune customise )
The current system value
Whether the current state is in accordance with the SAP recommendation
8.3.8 Simulating the application of an SAP note or an SAP solution
To show each parameter of a note , use:
root # saptune note simulate
To show each parameter of a solution , use:
root # saptune solution simulate
77 Showing the configuration of an SAP note SLES-SAP 15 SP2It lists the current system value and the expected values (default and override).
8.3.9 Disabling saptune
To disable saptune and to stop and disable tuned run:
root # saptune daemon stop
8.3.10 For more information
See the following man pages:
man 8 saptune
man 8 saptune_v1
man 8 saptune_v2
man 8 saptune-migrate
man 8 saptune-note
Also see the project home page https://github.com/SUSE/saptune/ .
8.4 Tuning kernel parameters manually using sysctl
In addition to or instead of tuning kernel parameters using sapconf / saptune , you can also
use sysctl to make manual adjustments to kernel parameters. However, such changes using
sysctl do not persist across reboots by default. To make them persist across reboots, add them
to one of the configuration les read by sysctl .
Tip: sysctl and saptune
If you plan to configure sysctl parameters for your SAP system, consider using saptune
as the central tool for managing such configurations.
For more information about sysctl , see the man pages sysctl(8) , sysctl.conf(5) , and
sysctl.d(5) .
78 Disabling saptune SLES-SAP 15 SP28.5 Tuning workload memory protection
Keeping SAP applications in physical memory is essential for their performance. With SUSE
Linux Enterprise Server for SAP Applications 11 SP1 onwards and SUSE Linux Enterprise Server
for SAP Applications 12 the Page Cache Limit prevented a swap out to disk by a growing page
cache. In SUSE Linux Enterprise Server for SAP Applications 15 the Page Cache Limit has been
replaced with the more advanced Workload Memory Protection.
Workload Memory Protection puts SAP instances into a dedicated cgroup (v2) and tells the
kernel by the memory.low parameter the amount of memory to keep in physical memory. This
protects the processes in this cgroup against any form of memory pressure outside that cgroup,
including a growing page cache. Workload Memory Protection can not protect against memory
pressure inside this cgroup. It covers the memory of all instances together on one host.
The value for memory.low depends on the kind of SAP instance and the workload and has to
be configured manually. If the system is under extreme pressure the Linux kernel will ignore
the memory.low value and try to stabilize the whole system, even by swapping or invoking
the OOM killer.
For more information about cgroups, see https://documentation.suse.com/sles/15-SP2/html/SLES-
all/cha-tuning-cgroups.html .
8.5.1 Architecture
WMP relies on three components:
cgroup2 memory controller (Linux kernel)
The cgroup2 memory controller parameter memory.low allows to define an amount of
memory, which the Linux kernel will keep in physical memory. This amount of memory
will be excluded from the reclaiming process except the entire system is in a critical mem-
ory situation.
WMP uses memory.low to prevent memory of SAP processes to be paged or swapped
out to disk. Cgroup1 controllers, except the memory controller, still are available, but not
mounted anymore.
systemd
Systemd provides the infrastructure to create and maintain the cgroup hierarchy and also
allows the configuration of cgroup parameters. WMP ships systemd configuration les to
allow easy configuration of memory.low via systemd methods.
79 Tuning workload memory protection SLES-SAP 15 SP2SAP start service
The SAP Start Service ( sapstartsrv ) manages the start and stop of SAP instances. An
important feature for WMP is the configurable execution of programs before the instance
itself gets started in the instance profile. WMP uses this method to call a program to move
the sapstartsrv / sapstart processes into a designated cgroup, so the SAP instance will
be started inside that cgroup.
8.5.2 Support for workload memory protection
WMP is supported for SUSE Linux Enterprise Server for SAP Applications 15 SP2 on Intel 64/
AMD64 for one or multiple SAP systems on one host, such as:
App Server (SAP NetWeaver, SAP S/4HANA) or
SAP HANA 1.0/2.0
Workload Memory Protection does not cover databases other than SAP HANA. Depending on
their start method the processes might run inside or outside the dedicated cgroup. If they run
inside, the memory consumption has to be taken into account when determine memory.low .
Important: Restrictions of WMP
Using WMP comes with benefits, but you should be aware of some restrictions:
WMP cannot protect against memory pressure inside the dedicated cgroup.
WMP cannot protect SAP systems or their instances from each other. All SAP
processes share the same memory limit. If you have multiple SAP systems (for ex-
ample, SAP NetWeaver and SAP S/4HANA), WMP cannot shield one SAP applica-
tion from the other.
Support for SUSE’s HA cluster solution is not yet available.
80 Support for workload memory protection SLES-SAP 15 SP28.5.3 Setting up workload memory protection
8.5.3.1 Preparing for workload memory protection
1. Check if your SAP software (SAP HANA, SAP NetWeaver etc) is installed. The group sap-
sys is needed during the package installation of sapwmp later. If you skip that part, you
will get a warning message (see Important: Watch out order of package).
2. Stop the SAP system:
root # systemctl stop sapinit
The service can be enabled, but all SAP processes have to be terminated.
3. Install the package sapwmp :
tux > sudo zypper install sapwmp
Important: Watch out order of package
The following message should only appear if no SAP software has been installed
on the system:
Warning: sapsys group not found warning: group sapsys does not exist - using
root
Remove the package sapwmp and install the SAP software rst before installing it
again.
As an alternative you can x ownership and permission after installing the SAP
software with:
tux > sudo chgrp sapsys /usr/lib/sapwmp/sapwmp-capture && \
chmod +s /usr/lib/sapwmp/sapwmp-capture
The following message can be ignored:
Warning: Found memory controller on v1 hierarchy. Make sure unified hierarchy only
is used.
81 Setting up workload memory protection SLES-SAP 15 SP2Switching to unified hierarchy is done in the next step.
4. Add systemd.unified_cgroup_hierarchy=true to the kernel command line by adding
it to GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub like:
GRUB_CMDLINE_LINUX_DEFAULT="... systemd.unified_cgroup_hierarchy=true swapaccount=1"
With this change, only cgroup2 controllers will be mounted on /sys/fs/cgroup . Cgroup1
controllers, except the memory controller, are still available and can be used though. Tools
using cgroup1 might not work anymore out of the box and need reconfiguration. Also the
required mount structure for cgroup1 has to be provided.
The parameter swapaccount=1 is not needed for WMP to work, but it aids the analysis
in support cases to show the amount of swapped out memory for each cgroup.
5. Rewrite the GRUB2 configuration:
tux > sudo grub2-mkconfig -o /boot/grub2/grub.cfg
After reboot (will be done later), the cgroup hierarchy is switched to v2 (unified hierarchy)
only.
6. Configure MemoryLow for the SAP.slice :
tux > sudo systemctl set-property SAP.slice MemoryLow=...
This command creates a drop-in in /etc/systemd/system.control/SAP.slice.d/ to
set MemoryLow .
The sapwmp package includes the systemd configuration SAP.slice which creates the
cgroup of the same name for the SAP instances. MemoryLow is the systemd equivalent of
the cgroup parameter memory.low mentioned in the introduction. The value for Memo-
ryLow depends on the type of the SAP application and the workload.
For SAP HANA
Since SAP HANA has a Global Allocation Limit its value can be used directly.
SAP application server (SAP NetWeaver, SAP S/4HANA)
For the Application Server the sizing for the workload should indicate the value for
MemoryLow . The sapwmp package contains a monitoring part which might be useful
to determine MemoryLow . See Section 8.5.6, “Monitoring memory usage”.
82 Setting up workload memory protection SLES-SAP 15 SP2Keep in mind:
All SAP instances on one host are inside the SAP.slice . MemoryLow must cover the
amount of memory of all instances together on that host. You cannot protect SAP
systems or their instances from each other.
If you are using a database other than SAP HANA some database processes might be
part of SAP.slice . Their memory consumption has to be taken into account when
determine the MemoryLow value.
Never chose a value for MemoryLow very close or larger than your physical memory.
System services and additional installed software require memory too. If they are
forced to use swap to extensively in expense of the SAP application, your system can
become unresponsive.
Note: Correctly calculate MemoryLow value
MemoryLow takes the memory size in bytes. If the value is suffixed with K, M, G or T,
the specified memory size is parsed as Kibibytes, Mebibytes, Gibibytes, or Tebibytes
(with the base 1024 instead of 1000, see https://en.wikipedia.org/wiki/Binary_pre-
fix ), respectively. Alternatively, a percentage value may be specified, which is
taken relative to the installed physical memory on the system.
The underlying cgroup memory controller will round up the value to a multiple of
the page size. To avoid confusion already set a multiple of the page sizes as value
for MemoryLow .
7. Create a backup of each SAP instance profile. Errors in a profile can prevent a SAP system
from starting.
8. For each SAP instance, add the following line to the instance profile (usually located in /
usr/sap/SID/SYS/profile/ ) after the last Execute_ line:
Execute_20 = local /usr/lib/sapwmp/sapwmp-capture -a
Increase the number of the Execute statement when necessary, to be the highest one and
the line is executed last.
83 Setting up workload memory protection SLES-SAP 15 SP2Important
Edit the instance profiles directly only if you do not have imported the profiles into
the database to manage them by the SAP GUI (transaction RZ11). If you do so, use
the SAP GUI to add the lines. The profile les located in the le system are getting
overwritten and any manual changes would get lost!
Now the system is ready for a reboot.
8.5.3.2 Reboot and verification
1. Reboot the system.
2. After Reboot verify that indeed cgroups v2 has been used:
root # grep cgroup /proc/mounts
cgroup /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0
3. Verify that the cgroup was created successfully and the low memory value has been set:
tux > systemctl show -p MemoryLow SAP.slice
MemoryLow=18487889920 <- Should be your chosen value (always in bytes)!
# cat /sys/fs/cgroup/SAP.slice/memory.low
18487889920 <- Should be your chosen value!
The variable MemoryLow can be set to any value, but the content of the variable is always
be a multiple of the page size. Keep this in mind, when you notice a slight difference
between both values.
4. Check that all SAP instance processes are in the correct system slices/cgroup.
If you have not enabled sapinit.service start the service now. If autostart is not enabled
in the instance profiles, start the instances before you check.
Example:
root # systemd-cgls -a /sys/fs/cgroup/SAP.slice
Directory /sys/fs/cgroup/SAP.slice:
|-wmp-rd91fd6b3ca0d4c1183659ef4f9a092fa.scope
| |-2707 /usr/sap/HA0/ERS10/exe/sapstartsrv pf=/usr/sap/HA0/ERS10/profile/H...
| |-3349 sapstart pf=/usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er
84 Setting up workload memory protection SLES-SAP 15 SP2| `-3375 er.sapHA0_ERS10 pf=/usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er N...
|-wmp-r360ebfe09bcd4df4873ef69898576199.scope
| |-3128 /usr/sap/HA0/D01/exe/sapstartsrv pf=/usr/sap/HA0/SYS/profile/HA0_D...
| |-3572 sapstart pf=/usr/sap/HA0/SYS/profile/HA0_D01_sapha0ci
| |-3624 dw.sapHA0_D01 pf=/usr/sap/HA0/SYS/profile/HA0_D01_sapha0ci
...
For each instance a directory wmp-rSCOPEID.scope exists with all processes of this in-
stance. The SCOPEID is a hexadecimal 128bit random value.
The SAP HostAgent is not covered by WMP and remains partly in sapinit.slice and
partly in the user slice of sapadm .
5. If the processes are not in the cgroup, check if the Execute lines in the instance profiles
are correct. Also each instance start should now be logged in the system log /var/log/
messages :
...
2020-06-16T18:41:28.317233+02:00 server-03 sapwmp-capture: Found PIDs:
2020-06-16T18:41:28.317624+02:00 server-03 sapwmp-capture: 17001
2020-06-16T18:41:28.317813+02:00 server-03 sapwmp-capture: 16994
2020-06-16T18:41:28.317959+02:00 server-03 sapwmp-capture: 16551
2020-06-16T18:41:28.319423+02:00 server-03 sapwmp-capture: Successful capture into
SAP.slice/wmp-r07a27e12d7f2491f8ccb9aeb0e080aaa.scope
2020-06-16T18:41:28.319672+02:00 server-03 systemd[1]: Started wmp-
r07a27e12d7f2491f8ccb9aeb0e080aaa.scope.
...
Tip
You can nd a script to verify your WMP setup here: https://github.com/scmschmidt/wm-
p_check .
8.5.4 Configuring workload memory protection
To configure WMP edit /etc/sapwmp.conf :
# NOTE: Local changes may be reverted after update of WMP package. Check for
# .rpmsave file to restore & merge changes.
## Description: Slice unit name where workload is put into
## Type: string
## Default: "SAP.slice"
85 Configuring workload memory protection SLES-SAP 15 SP2DEFAULT_SLICE="SAP.slice"
## Description: Comma-separated list of command names to which capture is
## applied (matching against /proc/$PID/stat)
## Type: string
## Default: sapstart,sapstartsrv
PARENT_COMMANDS=sapstart,sapstartsrv
After a change restart all SAP instances.
Warning
Altering /etc/sapwmp.conf should not be necessary. Don’t do it until you know exactly
what you do!
8.5.5 Changing the value of memoryLow
To change the value of MemoryLow run:
root # systemctl set-property SAP.slice MemoryLow=...
The changes will take effect immediately.
The underlying cgroup memory controller will round up the value to a multiple of the page size.
To avoid confusion set a multiple of the page sizes as value for MemoryLow .
Important
Never set MemoryLow to a value lower than the memory already accounted to SAP.s-
lice . To check run:
root # systemctl show -p MemoryCurrent SAP.slice
8.5.6 Monitoring memory usage
Logging the memory usage can either be necessary to determine the value for memory.low , but
also to monitor the correct operation of WMP.
To enable monitoring activate the shipped timer unit:
root # systemctl enable --now wmp-sample-memory.timer
86 Changing the value of memoryLow SLES-SAP 15 SP2Now the timer should be listed by systemctl list-timers :
root # systemctl list-timers
NEXT LEFT LAST PASSED UNIT ACTIVATES
...
Tue... 9min left Tue... 4s ago wmp-sample-memory.timer wmp-sample-memory.service
...
If you check the current configuration, you can see that memory data gets collected every 10
minutes with a randomized delay of 3 minutes:
root # systemctl cat wmp-sample-memory.timer
# /usr/lib/systemd/system/wmp-sample-memory.timer
[Unit]
Description=WMP periodic log of memory consumption
[Timer]
OnCalendar=*:0/10
RandomizedDelaySec=180
AccuracySec=60
[Install]
WantedBy=timers.target
To change this, create a drop-in le and reload systemd (example with increasing the interval
to 30 minutes):
root # mkdir /etc/systemd/system/wmp-sample-memory.timer.d
# cat <
/etc/systemd/system/wmp-sample-memory.timer.d/override.conf
[Timer]
OnCalendar=
OnCalendar=*:0/30
EOF
# systemctl daemon-reload
(The rst OnCalendar= line is important to delete previously defined OnCalendar= settings.)
To see the memory consumption check the system log for lines written by wmp_memory_cur-
rent :
root # grep wmp_memory_current /var/log/messages
...
87 Monitoring memory usage SLES-SAP 15 SP22020-09-14T12:02:40.337266+02:00 server-03 wmp_memory_current: SAP.slice :
memory.low=21474836480 memory.current=2294059008 memory.swap.current=0 , user.slice :
memory.low=0 memory.current=5499219968 memory.swap.current=0 , init.scope :
memory.low=0 memory.current=8364032 memory.swap.current=0 , system.slice : memory.low=0
memory.current=1863335936 memory.swap.current=0
2020-09-14T12:03:00.767838+02:00 server-03 wmp_memory_current: SAP.slice :
memory.low=21474836480 memory.current=2294022144 memory.swap.current=0 , user.slice :
memory.low=0 memory.current=5499473920 memory.swap.current=0 , init.scope :
memory.low=0 memory.current=8364032 memory.swap.current=0 , system.slice : memory.low=0
memory.current=1862586368 memory.swap.current=0
2020-09-14T12:04:00.337315+02:00 server-03 wmp_memory_current: SAP.slice :
memory.low=21474836480 memory.current=2294022144 memory.swap.current=0 , user.slice :
memory.low=0 memory.current=5499207680 memory.swap.current=0 , init.scope :
memory.low=0 memory.current=8355840 memory.swap.current=0 , system.slice : memory.low=0
memory.current=1862746112 memory.swap.current=0
...
Here a reformatted log line to get a better impression:
2020-09-14T12:02:40.337266+02:00 server-03 wmp_memory_current:
SAP.slice : memory.low=21474836480 memory.current=2294059008 memory.swap.current=0 ,
user.slice : memory.low=0 memory.current=5499219968 memory.swap.current=0 ,
init.scope : memory.low=0 memory.current=8364032 memory.swap.current=0 ,
system.slice : memory.low=0 memory.current=1863335936 memory.swap.current=0
For each cgroup directly below /sys/fs/cgroup/ one block exists separated by comma. On a
normal system you should at least nd user.slice , system.slice , and init.scope . WMP
adds SAP.slice .
Each block contains the information about the current value of memory.low and memory.cur-
rent , the currently allocated amount of physical memory of processes in this cgroup.
If you have enabled swap accounting ( swapaccount=1 ) during setup you also have memo-
ry.swap.current , the amount of swapped out memory of the cgroup.
All values are in bytes. See Step 6 in Section 8.5.3.1, “Preparing for workload memory protection”.
Tip
You can nd a script to print the information as table or CSV here: https://github.com/
scmschmidt/wmp_log_extract
88 Monitoring memory usage SLES-SAP 15 SP28.5.7 Verifying correct operation
Besides monitoring memory consumption and swapping (see Section 8.5.6, “Monitoring memory
usage”) you also should check regularly that all SAP instance processes are in their scopes below
SAP.slice .
To do so, run '' systemd-cgls and check each instance process.
Example:
root # systemd-cgls -a /sys/fs/cgroup/SAP.slice
Directory /sys/fs/cgroup/SAP.slice:
|-wmp-rd91fd6b3ca0d4c1183659ef4f9a092fa.scope
| |-2707 /usr/sap/HA0/ERS10/exe/sapstartsrv pf=/usr/sap/HA0/ERS10/profile/H...
| |-3349 sapstart pf=/usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er
| `-3375 er.sapHA0_ERS10 pf=/usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er N...
|-wmp-r360ebfe09bcd4df4873ef69898576199.scope
| |-3128 /usr/sap/HA0/D01/exe/sapstartsrv pf=/usr/sap/HA0/SYS/profile/HA0_D...
| |-3572 sapstart pf=/usr/sap/HA0/SYS/profile/HA0_D01_sapha0ci
| |-3624 dw.sapHA0_D01 pf=/usr/sap/HA0/SYS/profile/HA0_D01_sapha0ci
...
A simpler test would be listing all processes including cgroups for all s used on the
system.
Example:
tux > ps -eo user,pid,cgroup:60,args | grep -e [h]a0adm
ha0adm 2062 0::/user.slice/user-1001.slice/user@1001.service/init.scope /usr/lib/
systemd/systemd --user
ha0adm 2065 0::/user.slice/user-1001.slice/user@1001.service/init.scope (sd-pam)
ha0adm 2480 0::/SAP.slice/wmp-r73c594e050904c9c922a312dd9a28fd4.scope /usr/sap/HA0/
ASCS00/exe/sapstartsrv pf=/usr/sap/HA0/SYS/profile/HA0_ASCS00_sapha0as -D -u ha0adm
ha0adm 2688 0::/SAP.slice/wmp-ra42489517eb846c282c57681e627a496.scope /usr/sap/HA0/
ERS10/exe/sapstartsrv pf=/usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er -D -u ha0adm
ha0adm 3081 0::/SAP.slice/wmp-r73c594e050904c9c922a312dd9a28fd4.scope sapstart pf=/
usr/sap/HA0/SYS/profile/HA0_ASCS00_sapha0as
ha0adm 3106 0::/SAP.slice/wmp-r0951160bb5454f4fa32be03a6e8bc98a.scope /usr/sap/HA0/
D01/exe/sapstartsrv pf=/usr/sap/HA0/SYS/profile/HA0_D01_sapha0ci -D -u ha0adm
ha0adm 3133 0::/SAP.slice/wmp-r73c594e050904c9c922a312dd9a28fd4.scope
ms.sapHA0_ASCS00 pf=/usr/sap/HA0/SYS/profile/HA0_ASCS00_sapha0as
ha0adm 3134 0::/SAP.slice/wmp-r73c594e050904c9c922a312dd9a28fd4.scope
en.sapHA0_ASCS00 pf=/usr/sap/HA0/SYS/profile/HA0_ASCS00_sapha0as
ha0adm 3327 0::/SAP.slice/wmp-ra42489517eb846c282c57681e627a496.scope sapstart pf=/
usr/sap/HA0/ERS10/profile/HA0_ERS10_sapha0er
...
All instance processes have to be in a scope below 0::/SAP.slice/ .
89 Verifying correct operation SLES-SAP 15 SP2Warning
It is possible that a sapstartsrv process is in a user slice temporarily. This happens if the
process was started manually or was missing and started when running a sapcontrol
command. After an instance restart this is corrected normally. Never should an instance
process except sapstartsrv be running outside of SAP.slice .
8.5.8 Deinstalling workload memory protection
1. Stop the SAP system completely. The sapinit.service has to be stopped, but can stay
enabled. All SAP processes have to be terminated.
2. Remove any changes made to SAP.slice like setting MemoryLow :
root # systemctl revert SAP.slice
3. (Optional) Remove the package sapwmp :
root # zypper remove sapwmp
This step is optional. The package can stay on the system without having an influence.
4. (Optional) Remove systemd.unified_cgroup_hierarchy=true from
GRUB_CMDLINE_LINUX_DEFAULT in /etc/default/grub .
This step is optional. You can keep cgroup2 without using WMP.
5. Rewrite the GRUB2 configuration:
root # grub2-mkconfig -o /boot/grub2/grub.cfg
After the next boot, the system is switched back to the hybrid cgroup hierarchy.
6. Remove the line to call sapwmp-capture from each SAP instance profile (usually located
in /usr/sap/SID/SYS/profile/ ):
Execute_20 = local /usr/lib/sapwmp/sapwmp-capture -a
90 Deinstalling workload memory protection SLES-SAP 15 SP2Important: Backup is necessary
Before editing an instance profile create a backup! Errors in a profile can prevent
a SAP system from starting!
Important: About editing profiles directly
Edit the instance profiles directly only if you do not have imported the profiles into
the database to manage them by the SAP GUI (transaction RZ11). If you do so, use
the SAP GUI to add the lines. The profile les located in the le system are getting
overwritten and any manual changes would get lost!
7. Reboot the system and verify that your SAP system has been started successfully.
91 Deinstalling workload memory protection SLES-SAP 15 SP29 Firewalling
This chapter presents information about restricting access to the system using firewalling and
encryption and gives information about connecting to the system remotely.
9.1 Configuring firewalld
By default, the installation workflow of SUSE Linux Enterprise Server for SAP Applications en-
ables firewalld .
Note: firewalld replaces SuSEfirewall2
SUSE Linux Enterprise Server for SAP Applications 15 GA introduces firewalld as the
new default software firewall, replacing SuSEfirewall2. SuSEfirewall2 has not been re-
moved from SUSE Linux Enterprise Server for SAP Applications 15 GA and is still part of
the main repository, though not installed by default. If you are upgrading from a release
older than SUSE Linux Enterprise Server for SAP Applications 15 GA, SuSEfirewall2 will
be unchanged and you must manually upgrade to firewalld (see Security Guide).
The firewall needs to be manually configured to allow network access for the following:
SAP application
Database (see the documentation of your database vendor; for SAP HANA, see Section 9.2,
“Configuring HANA-Firewall”)
Additionally, open the ports 1128 (TCP) and 1129 (UDP).
SAP applications require many open ports and port ranges in the firewall. The exact numbers
depend on the selected instance. For more information, see the documentation provided to you
by SAP.
9.2 Configuring HANA-Firewall
To simplify setting up a firewall for SAP HANA, install the package HANA-Firewall . HANA-
Firewall adds rule sets to your existing SuSEfirewall2 configuration.
92 Configuring firewalld SLES-SAP 15 SP2HANA-Firewall consists of the following parts:
YaST module SAP HANA firewall. Allows configuring, applying, and reverting firewall rules
for SAP HANA from a graphical user interface.
Command-line utility hana-firewall . Creates XML les containing firewall rules for SAP
HANA.
If you prefer, you can configure the rule sets using the configuration le at /etc/syscon-
fig/hana-firewall instead of using YaST.
Important: SAP HANA MDC databases
For multi-tenant SAP HANA (MDC) databases, determining the port numbers that need
to be opened is not yet possible automatically. If you are working with a multi-tenant
SAP HANA database system, before you use YaST, run a script on the command line to
create a new service definition:
root # cd /etc/hana-firewall.d
root # hana-firewall define-new-hana-service
You need to switch to the directory /etc/hana-firewall.d , otherwise the rule le for
the new service will be created in a place where it cannot be used.
The script will ask several questions: Importantly, it will ask for TCP and UDP port ranges
that need to be opened.
Note: Install HANA-Firewall packages
Before continuing, make sure that the packages HANA-Firewall and yast2-hana-fire-
wall are installed.
PROCEDURE 9.1: USING HANA-FIREWALL
1. Make sure the SAP HANA databases for which you want to configure the firewall are
correctly installed.
2. To open the appropriate YaST module, select Applications YaST, Security and Users SAP
HANA Firewall.
3. Under Global Options, activate Enable Firewall. Additionally, decide whether to Allow Re-
mote Shell Access (SSH).
93 Configuring HANA-Firewall SLES-SAP 15 SP24. Choose a network interface under Allowed Services on Network Interface.
5. Allow network services by selecting them in the list box on the left and clicking →. Remove
services by selecting them in the list box on the right and clicking ←.
To add services other than the preconfigured ones, use the following notation:
SERVICE_NAME:CIDR_NOTATION
For more information about the CIDR notation, see https://en.wikipedia.org/wiki/Class-
less_Inter-Domain_Routing . To nd out which services are available on your system, use
getent services .
6. Repeat from Step 4 for all network interfaces.
7. When you are done, click OK.
The firewall rules from HANA-Firewall will now be compiled and applied. Then, the ser-
vice hana-firewall will be restarted.
8. Finally, check whether HANA-Firewall was enabled correctly:
root # hana-firewall status
HANA firewall is active. Everything is OK.
For more information, see the man page of hana-firewall .
94 Configuring HANA-Firewall SLES-SAP 15 SP29.3 SAProuter integration
The SAProuter software from SAP allows proxying network traffic between different SAP sys-
tems or between an SAP system and outside networks. SUSE Linux Enterprise Server for SAP
Applications now provides integration for SAProuter into systemd . This means that SAProuter
will be started and stopped properly with the operating system and can be controlled using
systemctl .
Before you can use this functionality, make sure the following has been installed, in this order:
An SAP application that includes SAProuter
The SAProuter systemd integration, packaged as systemd-saprouter
If you got the order of applications to install wrong initially, reinstall systemd-saprouter .
To control SAProuter with systemctl , use:
Enabling the SAProuter service: systemctl enable saprouter
Starting the SAProuter service: systemctl start saprouter
Showing the Status of SAProuter service: systemctl status saprouter
Stopping the SAProuter service: systemctl stop saprouter
Disabling the SAProuter service: systemctl disable saprouter
95 SAProuter integration SLES-SAP 15 SP210 Protecting against malware with ClamSAP
ClamSAP integrates the ClamAV anti-malware toolkit into SAP NetWeaver and SAP Mobile
Platform applications. ClamSAP is a shared library that links between ClamAV and the SAP
NetWeaver Virus Scan Interface (NW-VSI). The version of ClamSAP shipped with SUSE Linux
Enterprise Server for SAP Applications 15 SP2 supports NW-VSI version 2.0.
10.1 Installing ClamSAP
1. On the application host, install the packages for ClamAV and ClamSAP. To do so, use the
command:
tux > sudo zypper install clamav clamsap
2. Before you can enable the daemon clamd , initialize the malware database:
tux > sudo freshclam
3. Start the service clamd :
tux > sudo systemctl start clamd
4. Check the status of the service clamd with:
tux > systemctl status clamd
● clamd.service - ClamAV Antivirus Daemon
Loaded: loaded (/usr/lib/systemd/system/clamd.service; enabled; vendor preset:
disabled)
Active: active (running) since Tue 2017-04-11 10:33:03 UTC; 24h ago
[...]
10.2 Creating a virus scanner group in SAP
NetWeaver
1. Log in to the SAP NetWeaver installation through the GUI. Do not log in as a DDIC or
SAP* user, because the virus scanner needs to be configured cross-client.
96 Installing ClamSAP SLES-SAP 15 SP22. Create a Virus Scanner Group using the transaction VSCANGROUP.
3. To switch from view mode to change mode, click the button Change View ( ).
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
4. Select the rst empty row. In the text box Scanner Group, specify CLAMSAPVSI . Under
Group Text, specify CLAMSAP .
Make sure that Business Add-in is not checked.
5. To save the form, click the button Save ( ).
10.3 Setting up the ClamSAP library in SAP
NetWeaver
1. In the SAP NetWeaver GUI, call the transaction VSCAN.
2. To switch from view mode to change mode, click the button Change View ( ).
Confirm the message This table is cross-client by clicking the check mark. The table is now
editable.
3. Click New entries.
97 Setting up the ClamSAP library in SAP NetWeaver SLES-SAP 15 SP24. Fill in the form accordingly:
Provider Type: Adapter (Virus Scan Adapter)
Provider Name: VSA_HOSTNAME (for example: VSA_SAPSERVER )
Scanner Group : The name of the scanner group that you set up in Section 10.2,
“Creating a virus scanner group in SAP NetWeaver” (for example: CLAMSAPVSI )
Server: HOSTNAME_SID_INSTANCE_NUMBER (for example: SAPSERVER_P04_00 )
Adapter Path: libclamdsap.so
5. To save the form, click the button .
10.4 Engaging ClamSAP
To run ClamSAP, go to the transaction VSCAN. Then click Start.
98 Engaging ClamSAP SLES-SAP 15 SP2FIGURE 10.1: CHANGE VIEW “VIRUS SCAN PROVIDER DEFINITION”
Afterward, a summary will be displayed, including details of the ClamSAP and ClamAV (shown
in Figure 10.2, “Summary of ClamSAP data”).
99 Engaging ClamSAP SLES-SAP 15 SP2FIGURE 10.2: SUMMARY OF CLAMSAP DATA
10.5 For more information
For more information, also see the project home page https://sourceforge.net/projects/clam-
sap/ .
100 For more information SLES-SAP 15 SP211 Connecting via RDP
If you installed SLES-SAP with the RDP option activated or if you installed from a KIWI image,
RDP is enabled on the machine via the service xrdp . Alternatively, you can enable RDP later
as described at the end of this section.
You can connect using any software that supports RDP, such as:
Linux: Vinagre (available in SUSE Linux Enterprise Desktop/SLE-WE and openSUSE) or
Remmina (available in openSUSE)
Windows: Remote Desktop Connection
Important: Connection parameters
Make sure to set up the connection with the following parameters:
Port: 3389
Color depth: 16-bit or 24-bit only
PROCEDURE 11.1: SETTING UP RDP
If you have not set up an RDP connection during the installation, you can also do so later
using the following instructions.
1. First, create the necessary exception for your firewall, opening port TCP 3389 in all rel-
evant zones. For example, if your internal network uses the internal zone, use the fol-
lowing command:
root # firewall-cmd --zone=internal --add-port=3389/tcp
This is a temporary assignment for testing the new setting. If you need to change more
than one zone, change and test each zone one at a time.
2. When you are satisfied that new configuration is correct, make it permanent:
root # firewall-cmd --runtime-to-permanent
root # firewall-cmd --reload
Find more information on using firewalld in https://docs.suse.com/sles/15/single-html/SLES-se-
curity/#sec-security-firewall-firewalld .
101 SLES-SAP 15 SP212 Creating operating system images
There are multiple ways to create custom operating system images from SUSE Linux Enterprise
Server for SAP Applications. The preferred way is generally to use KIWI, which ingests an XML
configuration le and then runs fully automatically.
Alternatively, you can also create an image from an existing installation that is cleaned up before
re-use.
12.1 Creating images with KIWI
KIWI is a tool to create operating system images that can be easily copied to new physical or
virtual machines. This section will present information on creating SLES-SAP images with KIWI.
SUSE Linux Enterprise Server for SAP Applications now supports creating images with KIWI
using the template from the package kiwi-template-sap . However, there are certain restric-
tions in the current implementation:
Only building VMX disk images is supported. Building other image types is not supported.
You must provide an ISO image of SUSE Linux Enterprise Server for SAP Applications at
/tmp/SLES4SAP.iso , as the Open Build Service does not contain all necessary packages.
To build a basic image, use the following two commands:
1. Build the root le system:
root # kiwi -p SLES4SAP --root fsroot
2. Build the VMX image:
root # kiwi --create fsroot --type vmx -d build
To enable running graphical installations using SAPinst, the default settings of the image enable
the following:
Installation of an IceWM desktop
The service xrdp is started automatically, so you can connect to the machine via RDP.
For more information, see Chapter 11, Connecting via RDP.
102 Creating images with KIWI SLES-SAP 15 SP2For more information about KIWI and SLES-SAP:
On the KIWI configuration for SLES-SAP, see /usr/share/kiwi/image/SLES4SAP/
README .
On KIWI in general, see the openSUSE-KIWI Image System Cookbook (https://doc.open-
suse.org/projects/kiwi/doc/ ).
12.2 Cleaning up an instance before using it as a
master image
In some cases, it makes sense to use an image of an already-configured master instance on
multiple systems instead of generating a KIWI image from scratch. For example, when your
image needs to contain additional software or configuration that cannot be installed using KIWI.
However, normally such an image would contain certain configuration data that should not be
copied along with the rest of the system.
To avoid needing to clean up manually, use the script clone-master-clean-up (available from
the package of the same name).
It deletes the following data automatically:
Swap device (zero-wiped, then re-enabled)
SUSE registration information and repositories from SUSE, and the Zypper ID
User and host SSH keys and domain and host names
The generated HANA-Firewall script (but not the configuration itself)
Shell history, mails, cron jobs, temporary les ( /tmp , /var/tmp ), log les ( /var/log ),
random seeds, systemd journal, collectd statistics, postfix configuration, parts of /
root
/var/cache , /var/crash , /var/lib/systemd/coredump
Additionally, the following configuration is restored to defaults:
Network interfaces that do not use DHCP and network configuration ( /etc/hostname , /
etc/hosts , and /etc/resolv.conf )
sudo settings
103 Cleaning up an instance before using it as a master image SLES-SAP 15 SP2Additionally, you can choose to set up a new root password. UUID-based entries in /etc/
fstab are replaced by device strings. This script also ensures that if the rst-boot section of the
installation workflow was used for the original installation, it is run again on the next boot.
12.2.1 Configuring clone-master-clean-up
Before running clone-master-clean-up , the script can be configured in the following ways:
To configure the script to not clean up certain data, use the configuration le /etc/
sysconfig/clone-master-clean-up .
This le also gives short explanations of the available options.
To configure the script to clean up additional directories or les, create a list with the
absolute paths of such directories and les:
/additional/file/to/delete.now
/additional/directory/to/remove
Save this list as /var/adm/clone-master-clean-up/custom_remove .
12.2.2 Using clone-master-clean-up
To use the script, do:
root # clone-master-clean-up
Then follow the instructions.
12.2.3 For more information
The following sources provide additional information about clone-master-clean-up :
For general information, see the man page clone-master-clean-up .
For information on which les and directories might additionally be useful to delete, see
/var/adm/clone-master-clean-up/custom_remove.template .
104 Configuring clone-master-clean-up SLES-SAP 15 SP213 Important log files
The most important log les for this product can be found as follows:
The SAP Installation Wizard is a YaST module. You can nd its log entries in /var/log/
YaST/y2log .
All SAP knowledge is bundled in a library. You can nd its log entries in /var/log/
SAPmedia.log .
You can nd log les related to auto-installation in /var/adm/autoinstall/logs .
105 SLES-SAP 15 SP2A Additional software for SLES-SAP
SUSE Linux Enterprise Server for SAP Applications makes it easy to install software that is not
included with your subscription:
Extensions and modules allow installing additional software created and supported by
SUSE. For more information about extensions and modules, see Deployment Guide, Part
“Initial System Configuration”, Chapter “Installing Modules, Extensions, and Third Party Add-
On Products” at https://documentation.suse.com/sles-15 .
SUSE Connect Program allows installing packages created and supported by third parties,
specifically for SLES-SAP. It also gives easy access to third-party trainings and support. See
Section A.2, “SUSE connect program”.
SUSE Package Hub allows installation of packages created by the SUSE Linux Enterprise
community without support. See Section A.3, “PackageHub”.
A.1 Identifying a base product for SUSE Linux
Enterprise Server for SAP Applications
To identify and distinguish SUSE products, use one of the following les:
/etc/os-release
A text le with key-value pairs, similar to shell-compatible variable assignments. Each key
is on a separate line.
You can search for the CPE_NAME key; however, between different releases and service
packs, the value may have been changed. If you need further details, refer to the article
at https://www.suse.com/support/kb/doc/?id=7023490 .
/etc/product.d/baseproduct
A link to an XML le. The /etc/product.d/ directory contains different .prod les.
Depending on which products you have purchased and how you installed your system,
the link /etc/product.d/baseproduct can point to a different .prod le, for example,
sle-module-sap-applications.prod . The same information as CPE_NAME is stored in
the tag .
Identifying a base product for SUSE Linux Enterprise Server for SAP Applications SLES-SAP
106 15 SP2Among other information, both les contain the operating system and base product. The base
product (key CPE_NAME and tag ) follow the Common Platform Enumeration Specifica-
tion (http://scap.nist.gov/specifications/cpe/) .
Basically, you can extract any information from the le /etc/product.d/baseproduct either
with the commands grep or xmlstarlet (both are available for your products). As XML is
also text, use grep for “simple searches” when the format of the output does not matter much.
However, if your search is more advanced, you need the output in another script, or your would
like to avoid the XML tags in the output, use the xmlstarlet command instead.
For example, to get your base product, use grep like this:
tux > grep cpeid /etc/products.d/baseproduct
cpe:/o:suse:sle-module-sap-applications:RELEASE:spSP_NUMBER
The RELEASE and SP_NUMBER are placeholders and describe your product release number and
service pack.
The same can be achieved with xmlstarlet . You need an XPath (the steps that lead you to
your information). With the appropriate options, you can avoid the / tags:
tux > xmlstarlet sel -T -t -v "/product/cpeid" /etc/products.d/baseproduct
cpe:/o:suse:sle-module-sap-applications:RELEASE:spSP_NUMBER
A more advanced search (which would be difficult for grep ) would be to list all required de-
pendencies to other products. Assuming that basename points to sle-module-sap-applica-
tions.prod , the following command will output all product dependencies which are required
for SUSE Linux Enterprise Server for SAP Applications:
>tux > xmlstarlet sel -T -t -v "/product/productdependency[@relationship=''requires'']/
@name" /etc/products.d/baseproduct
SUSE_SLE
sle-ha
A.2 SUSE connect program
Start SUSE Connect Program from the YaST control center using SUSE Connect Program. Choose
from the available options. To enable a software repository, click Add repository.
All software enabled by SUSE Connect Program originates from third parties. For support, con-
tact the vendor in question. SUSE does not provide support for these offerings.
107 SUSE connect program SLES-SAP 15 SP2Note: SUSEConnect command-line tool
The SUSEConnect command-line tool is a separate tool with a different purpose: It allows
you to register installations of SUSE products.
A.3 PackageHub
PackageHub provides many packages for SLE that were previously only available on openSUSE.
Packages from SUSE Package Hub are created by the community and come without support.
The selection includes, for example:
The R programming language
The Haskell programming language
The KDE 5 desktop
To enable PackageHub, add the repository as described at https://packagehub.suse.com/how-to-
use/ .
For more information, see the PackageHub Web site at https://packagehub.suse.com .
108 PackageHub SLES-SAP 15 SP2B Partitioning for the SAP system using AutoYaST
Partitioning for the SAP system is controlled by the les from the directory /usr/share/YaST2/
include/sap-installation-wizard/ . The following les can be used:
SAP NetWeaver or SAP S/4HANA Application Server installation. base_partition-
ing.xml
SAP HANA or SAP S/4HANA Database Server installation. hana_partitioning.xml
SAP HANA or SAP S/4HANA Database Server installation on SAP BusinessOne-certified hard-
ware. hardware-specific partitioning le
The les will be chosen as defined in /etc/sap-installation-wizard.xml . Here, the content
of the element partitioning is decisive.
If the installation is, for example, based on HA or a distributed database, no partitioning is
needed. In this case, partitioning is set to NO and the le base_partitioning.xml is used.
Note: autoinst.xml Cannot Be Used Here
autoinst.xml is only used for the installation of the operating system. It cannot control
the partitioning for the SAP system.
The les that control partitioning are AutoYaST control les that contain a partitioning
section only. However, these les allow using several extensions to the AutoYaST format:
If the partitioning_defined tag is set to true , the partitioning will be performed with-
out any user interaction.
By default, this is only used when creating SAP HANA le systems on systems certified for
SAP HANA (such as from Dell, Fujitsu, HP, IBM, or Lenovo).
For every partition, you can specify the size_min tag. The size value can be given as a
string in the format of RAM*N . This way you can specify how large the partition should
minimally be ( N times the size of the available memory ( RAM )).
PROCEDURE B.1: CREATING A CUSTOM SAP PARTITIONING SETUP
The steps below illustrate how to create a partitioning setup for TREX. However, creating
a partitioning setup for other applications works analogously.
109 SLES-SAP 15 SP21. In /usr/share/YaST2/include/sap-installation-wizard/ , create a new XML le.
Name it TREX_partitioning.xml , for example.
2. Copy the content of base_partitioning.xml to your new le and adapt the new le
to your needs.
3. Finally, adapt /etc/sap-installation-wizard.xml to include your custom le. In the
listitem for TREX , insert the following line:
TREX_partitioning
Important: Do not edit base_partitioning.xml
Do not edit base_partitioning.xml directly. With the next update, this le will be
overwritten.
For more information about partitioning with AutoYaST, see AutoYaST Guide, Chapter “Parti-
tioning” (https://documentation.suse.com/sles-15 ).
110 SLES-SAP 15 SP2C Supplementary Media
Supplementary Media allow partners or customers to add their own tasks or workflows to the
Installation Wizard.
This is done by adding an XML le which will be part of an AutoYaST XML le. To be included
in the workflow, this le must be called product.xml .
This can be used for various types of additions, such as adding your own RPMs, running your
own scripts, setting up a cluster le system or creating your own dialogs and scripts.
C.1 product.xml
The product.xml le looks like a normal AutoYaST XML le, but with some restrictions.
The restrictions exist because only the parts of the XML that are related to the second stage of
the installation are run, as the rst stage was executed before.
The two XML les ( autoyast.xml and product.xml ) will be merged after the media is read
and a “new” AutoYaST XML le is generated on the y for the additional workflow.
The following areas or sections will be merged:
1
...
2
...
3
4
5
...
1 see Section C.2, “Own AutoYaST ask dialogs”
2 see Section C.3, “Installing additional packages”
3 after the package installation, before the rst boot
4 during the rst boot of the installed system, no services running
5 during the rst boot of the installed system, all services up and running
All other sections will be replaced.
111 product.xml SLES-SAP 15 SP2For more information about customization options, see AutoYaST Guide, Chapter “Con-
figuration and Installation Options”, Section “Custom User Scripts” (https://documenta-
tion.suse.com/sles-15 ).
C.2 Own AutoYaST ask dialogs
For more information about the “Ask” feature of AutoYaST, see AutoYaST Guide, Chapter “Con-
figuration and Installation Options”, Section “Ask the User for Values During Installation” (https://
documentation.suse.com/sles-15 ).
For the Supplementary Media, you can only use dialogs within the cont stage ( con-
t ), which means they are executed after the rst reboot.
Your le with the dialogs will be merged with the base AutoYaST XML le.
As a best practice, your dialog should have a dialog number and an element number, best with
steps of 10. This helps to include later additions and could be used as targets for jumping over
a dialog or element dependent on decisions. We also use this in our base dialogs and if you
provide the right dialog number and element number, you can place your dialog between our
base dialogs.
You can store the answer to a question in a le, to use it in one of your scripts later. Be aware
that you must use the prefix /tmp/ay for this, because the Installation Wizard will copy such
les from the /tmp directory to the directory where your media data also will be copied. This
is done because the next Supplementary Media could have the same dialogs or same answer le
names and would overwrite the values saved here.
Here is an example with several options:
cont
10
What is your name?
Enter your name here
Please enter your full name within the field
/tmp/ay_q_my_name
112 Own AutoYaST ask dialogs SLES-SAP 15 SP2
C.3 Installing additional packages
You can also install RPM packages within the product.xml le. To do this, you can use the
element for installation in stage 2.
For more information, see AutoYaST Guide, Chapter “Configuration and Installation Options”,
Section “Installing Packages in Stage 2” (https://documentation.suse.com/sles-15 ). An example
looks as follows:
...
yast2-cim
...
113 Installing additional packages SLES-SAP 15 SP2C.4 Example directory for Supplementary Media
A minimal example for the Supplementary Media directory contains only a le called produc-
t.xml .
114 Example directory for Supplementary Media SLES-SAP 15 SP2D GNU licenses
formats that can be read and edited only by proprietary word processors, SGML or XML for
This appendix contains the GNU Free Docu- which the DTD and/or processing tools are not generally available, and the machine-generat-
ed HTML, PostScript or PDF produced by some word processors for output purposes only.
mentation License version 1.2. The "Title Page" means, for a printed book, the title page itself, plus such following pages as
are needed to hold, legibly, the material this License requires to appear in the title page. For
works in formats which do not have any title page as such, "Title Page" means the text near the
GNU free documentation license most prominent appearance of the work''s title, preceding the beginning of the body of the text.
A section "Entitled XYZ" means a named subunit of the Document whose title either is precisely
Copyright (C) 2000, 2001, 2002 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, XYZ or contains XYZ in parentheses following text that translates XYZ in another language.
Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies (Here XYZ stands for a specific section name mentioned below, such as "Acknowledgements",
of this license document, but changing it is not allowed. "Dedications", "Endorsements", or "History".) To "Preserve the Title" of such a section when
you modify the Document means that it remains a section "Entitled XYZ" according to this
0. PREAMBLE definition.
The Document may include Warranty Disclaimers next to the notice which states that this
The purpose of this License is to make a manual, textbook, or other functional and useful License applies to the Document. These Warranty Disclaimers are considered to be included
document "free" in the sense of freedom: to assure everyone the effective freedom to copy by reference in this License, but only as regards disclaiming warranties: any other implication
and redistribute it, with or without modifying it, either commercially or non-commercially. that these Warranty Disclaimers may have is void and has no effect on the meaning of this
Secondarily, this License preserves for the author and publisher a way to get credit for their License.
work, while not being considered responsible for modifications made by others.
This License is a kind of "copyleft", which means that derivative works of the document must 2. VERBATIM COPYING
themselves be free in the same sense. It complements the GNU General Public License, which
is a copyleft license designed for free software. You may copy and distribute the Document in any medium, either commercially or non-
We have designed this License to use it for manuals for free software, because free software commercially, provided that this License, the copyright notices, and the license notice saying
needs free documentation: a free program should come with manuals providing the same this License applies to the Document are reproduced in all copies, and that you add no other
freedoms that the software does. But this License is not limited to software manuals; it can conditions whatsoever to those of this License. You may not use technical measures to obstruct
be used for any textual work, regardless of subject matter or whether it is published as a or control the reading or further copying of the copies you make or distribute. However, you
printed book. We recommend this License principally for works whose purpose is instruction may accept compensation in exchange for copies. If you distribute a large enough number of
or reference. copies you must also follow the conditions in section 3.
You may also lend copies, under the same conditions stated above, and you may publicly
1. APPLICABILITY AND DEFINITIONS display copies.
This License applies to any manual or other work, in any medium, that contains a notice placed 3. COPYING IN QUANTITY
by the copyright holder saying it can be distributed under the terms of this License. Such a
notice grants a world-wide, royalty-free license, unlimited in duration, to use that work under If you publish printed copies (or copies in media that commonly have printed covers) of the
the conditions stated herein. The "Document", below, refers to any such manual or work. Any Document, numbering more than 100, and the Document''s license notice requires Cover Texts,
member of the public is a licensee, and is addressed as "you". You accept the license if you you must enclose the copies in covers that carry, clearly and legibly, all these Cover Texts:
copy, modify or distribute the work in a way requiring permission under copyright law. Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
A "Modified Version" of the Document means any work containing the Document or a portion must also clearly and legibly identify you as the publisher of these copies. The front cover
of it, either copied verbatim, or with modifications and/or translated into another language. must present the full title with all words of the title equally prominent and visible. You may
A "Secondary Section" is a named appendix or a front-matter section of the Document that add other material on the covers in addition. Copying with changes limited to the covers, as
deals exclusively with the relationship of the publishers or authors of the Document to the long as they preserve the title of the Document and satisfy these conditions, can be treated
Document''s overall subject (or to related matters) and contains nothing that could fall directly as verbatim copying in other respects.
within that overall subject. (Thus, if the Document is in part a textbook of mathematics, a If the required texts for either cover are too voluminous to t legibly, you should put the
Secondary Section may not explain any mathematics.) The relationship could be a matter rst ones listed (as many as t reasonably) on the actual cover, and continue the rest onto
of historical connection with the subject or with related matters, or of legal, commercial, adjacent pages.
philosophical, ethical or political position regarding them. If you publish or distribute Opaque copies of the Document numbering more than 100, you
The "Invariant Sections" are certain Secondary Sections whose titles are designated, as being must either include a machine-readable Transparent copy along with each Opaque copy, or
those of Invariant Sections, in the notice that says that the Document is released under this state in or with each Opaque copy a computer-network location from which the general net-
License. If a section does not t the above definition of Secondary then it is not allowed to be work-using public has access to download using public-standard network protocols a complete
designated as Invariant. The Document may contain zero Invariant Sections. If the Document Transparent copy of the Document, free of added material. If you use the latter option, you
does not identify any Invariant Sections then there are none. must take reasonably prudent steps, when you begin distribution of Opaque copies in quanti-
The "Cover Texts" are certain short passages of text that are listed, as Front-Cover Texts or ty, to ensure that this Transparent copy will remain thus accessible at the stated location until
Back-Cover Texts, in the notice that says that the Document is released under this License. A at least one year after the last time you distribute an Opaque copy (directly or through your
Front-Cover Text may be at most 5 words, and a Back-Cover Text may be at most 25 words. agents or retailers) of that edition to the public.
A "Transparent" copy of the Document means a machine-readable copy, represented in a for- It is requested, but not required, that you contact the authors of the Document well before
mat whose specification is available to the general public, that is suitable for revising the doc- redistributing any large number of copies, to give them a chance to provide you with an
ument straightforwardly with generic text editors or (for images composed of pixels) generic updated version of the Document.
paint programs or (for drawings) some widely available drawing editor, and that is suitable
for input to text formatters or for automatic translation to a variety of formats suitable for
input to text formatters. A copy made in an otherwise Transparent le format whose markup,
or absence of markup, has been arranged to thwart or discourage subsequent modification
by readers is not Transparent. An image format is not Transparent if used for any substantial
amount of text. A copy that is not "Transparent" is called "Opaque".
Examples of suitable formats for Transparent copies include plain ASCII without markup, Tex-
info input format, LaTeX input format, SGML or XML using a publicly available DTD, and stan-
dard-conforming simple HTML, PostScript or PDF designed for human modification. Examples
of transparent image formats include PNG, XCF and JPG. Opaque formats include proprietary
115 SLES-SAP 15 SP24. MODIFICATIONS The author(s) and publisher(s) of the Document do not by this License give permission to use
their names for publicity for or to assert or imply endorsement of any Modified Version.
You may copy and distribute a Modified Version of the Document under the conditions of
sections 2 and 3 above, provided that you release the Modified Version under precisely this 5. COMBINING DOCUMENTS
License, with the Modified Version filling the role of the Document, thus licensing distribution
and modification of the Modified Version to whoever possesses a copy of it. In addition, you You may combine the Document with other documents released under this License, under
must do these things in the Modified Version: the terms defined in section 4 above for modified versions, provided that you include in the
combination all of the Invariant Sections of all of the original documents, unmodified, and
A. Use in the Title Page (and on the covers, if any) a title distinct from that of the
list them all as Invariant Sections of your combined work in its license notice, and that you
Document, and from those of previous versions (which should, if there were any,
preserve all their Warranty Disclaimers.
be listed in the History section of the Document). You may use the same title as a
previous version if the original publisher of that version gives permission. The combined work need only contain one copy of this License, and multiple identical Invari-
ant Sections may be replaced with a single copy. If there are multiple Invariant Sections with
B. List on the Title Page, as authors, one or more persons or entities responsible for the same name but different contents, make the title of each such section unique by adding
authorship of the modifications in the Modified Version, together with at least ve at the end of it, in parentheses, the name of the original author or publisher of that section if
of the principal authors of the Document (all of its principal authors, if it has fewer known, or else a unique number. Make the same adjustment to the section titles in the list of
than ve), unless they release you from this requirement. Invariant Sections in the license notice of the combined work.
C. State on the Title page the name of the publisher of the Modified Version, as the In the combination, you must combine any sections Entitled "History" in the various original
publisher. documents, forming one section Entitled "History"; likewise combine any sections Entitled
"Acknowledgements", and any sections Entitled "Dedications". You must delete all sections
D. Preserve all the copyright notices of the Document.
Entitled "Endorsements".
E. Add an appropriate copyright notice for your modifications adjacent to the other
copyright notices. 6. COLLECTIONS OF DOCUMENTS
F. Include, immediately after the copyright notices, a license notice giving the public
permission to use the Modified Version under the terms of this License, in the form You may make a collection consisting of the Document and other documents released under
shown in the Addendum below. this License, and replace the individual copies of this License in the various documents with a
single copy that is included in the collection, provided that you follow the rules of this License
G. Preserve in that license notice the full lists of Invariant Sections and required Cover
for verbatim copying of each of the documents in all other respects.
Texts given in the Document''s license notice.
You may extract a single document from such a collection, and distribute it individually under
H. Include an unaltered copy of this License. this License, provided you insert a copy of this License into the extracted document, and follow
I. Preserve the section Entitled "History", Preserve its Title, and add to it an item this License in all other respects regarding verbatim copying of that document.
stating at least the title, year, new authors, and publisher of the Modified Version
as given on the Title Page. If there is no section Entitled "History" in the Document, 7. AGGREGATION WITH INDEPENDENT WORKS
create one stating the title, year, authors, and publisher of the Document as given
on its Title Page, then add an item describing the Modified Version as stated in A compilation of the Document or its derivatives with other separate and independent docu-
the previous sentence. ments or works, in or on a volume of a storage or distribution medium, is called an "aggregate"
if the copyright resulting from the compilation is not used to limit the legal rights of the com-
J. Preserve the network location, if any, given in the Document for public access to
pilation''s users beyond what the individual works permit. When the Document is included in
a Transparent copy of the Document, and likewise the network locations given in
an aggregate, this License does not apply to the other works in the aggregate which are not
the Document for previous versions it was based on. These may be placed in the
themselves derivative works of the Document.
"History" section. You may omit a network location for a work that was published
at least four years before the Document itself, or if the original publisher of the If the Cover Text requirement of section 3 is applicable to these copies of the Document, then
version it refers to gives permission. if the Document is less than one half of the entire aggregate, the Document''s Cover Texts
may be placed on covers that bracket the Document within the aggregate, or the electronic
K. For any section Entitled "Acknowledgements" or "Dedications", Preserve the Title equivalent of covers if the Document is in electronic form. Otherwise they must appear on
of the section, and preserve in the section all the substance and tone of each of the printed covers that bracket the whole aggregate.
contributor acknowledgements and/or dedications given therein.
L. Preserve all the Invariant Sections of the Document, unaltered in their text and 8. TRANSLATION
in their titles. Section numbers or the equivalent are not considered part of the
section titles. Translation is considered a kind of modification, so you may distribute translations of the
M. Delete any section Entitled "Endorsements". Such a section may not be included Document under the terms of section 4. Replacing Invariant Sections with translations requires
in the Modified Version. special permission from their copyright holders, but you may include translations of some
or all Invariant Sections in addition to the original versions of these Invariant Sections. You
N. Do not retitle any existing section to be Entitled "Endorsements" or to conflict in may include a translation of this License, and all the license notices in the Document, and
title with any Invariant Section. any Warranty Disclaimers, provided that you also include the original English version of this
O. Preserve any Warranty Disclaimers. License and the original versions of those notices and disclaimers. In case of a disagreement
between the translation and the original version of this License or a notice or disclaimer, the
If the Modified Version includes new front-matter sections or appendices that qualify as Se- original version will prevail.
condary Sections and contain no material copied from the Document, you may at your option If a section in the Document is Entitled "Acknowledgements", "Dedications", or "History", the
designate some or all of these sections as invariant. To do this, add their titles to the list of requirement (section 4) to Preserve its Title (section 1) will typically require changing the
Invariant Sections in the Modified Version''s license notice. These titles must be distinct from actual title.
any other section titles.
You may add a section Entitled "Endorsements", provided it contains nothing but endorse-
ments of your Modified Version by various parties--for example, statements of peer review 9. TERMINATION
or that the text has been approved by an organization as the authoritative definition of a
You may not copy, modify, sublicense, or distribute the Document except as expressly pro-
standard.
vided for under this License. Any other attempt to copy, modify, sublicense or distribute the
You may add a passage of up to ve words as a Front-Cover Text, and a passage of up to 25 Document is void, and will automatically terminate your rights under this License. However,
words as a Back-Cover Text, to the end of the list of Cover Texts in the Modified Version. Only parties who have received copies, or rights, from you under this License will not have their
one passage of Front-Cover Text and one of Back-Cover Text may be added by (or through licenses terminated so long as such parties remain in full compliance.
arrangements made by) any one entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by the same entity you are
acting on behalf of, you may not add another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.
116 SLES-SAP 15 SP210. FUTURE REVISIONS OF THIS LICENSE
The Free Software Foundation may publish new, revised versions of the GNU Free Documen-
tation License from time to time. Such new versions will be similar in spirit to the present
version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/
copyleft/ .
Each version of the License is given a distinguishing version number. If the Document specifies
that a particular numbered version of this License "or any later version" applies to it, you have
the option of following the terms and conditions either of that specified version or of any
later version that has been published (not as a draft) by the Free Software Foundation. If the
Document does not specify a version number of this License, you may choose any version ever
published (not as a draft) by the Free Software Foundation.
ADDENDUM: How to use this License for your documents
Copyright (c) YEAR YOUR NAME.
Permission is granted to copy, distribute
and/or modify this document
under the terms of the GNU Free
Documentation License, Version 1.2
or any later version published by the Free
Software Foundation;
with no Invariant Sections, no Front-Cover
Texts, and no Back-Cover Texts.
A copy of the license is included in the
section entitled “GNU
Free Documentation License”.
If you have Invariant Sections, Front-Cover Texts and Back-Cover Texts, replace the
“with...Texts.” line with this:
with the Invariant Sections being LIST
THEIR TITLES, with the
Front-Cover Texts being LIST, and with the
Back-Cover Texts being LIST.
If you have Invariant Sections without Cover Texts, or some other combination of the three,
merge those two alternatives to suit the situation.
If your document contains nontrivial examples of program code, we recommend releasing
these examples in parallel under your choice of free software license, such as the GNU General
Public License, to permit their use in free software.
117 SLES-SAP 15 SP2">
Product Categories
