Red Hat Enterprise Linux System Roles for SAP

Red Hat Enterprise Linux for SAP Solutions 8

Red Hat Customer Content Services

Abstract

This guide contains an overview and additional information about Red Hat Enterprise Linux system roles for SAP.

Chapter 1. Overview

Red Hat Enterprise Linux (RHEL) 7 RHEA-2019:3190 introduced RHEL System Roles for SAP to assist with remotely or locally configuring a RHEL system for the installation of SAP HANA or SAP NetWeaver software. RHEL System Roles for SAP development is based on the Linux System Roles upstream project.

RHEL System Roles is a collection of roles executed by Ansible to assist administrators with server configuration right after the servers have been installed. These roles are provided in the RHEL Extras repository. In contrast, RHEL System Roles for SAP is provided in the RHEL for SAP Solutions subscription and can be used by Ansible Engine and Ansible Tower to manage RHEL systems.

The Red Hat Enterprise Linux subscription provides support for RHEL System Roles with Ansible Engine, which is available in the Ansible Engine repository (e.g. ansible-2-for-rhel-8-$(uname -m)-rpms). However, if you require full support for the Ansible Engine itself, a separate Red Hat Ansible Automation Subscription is necessary. Additional information is available at Top Support Policies for Red Hat Ansible Automation.

The following RHEL System Roles for SAP are fully supported on control nodes running RHEL 8.2 and later:

  • sap-preconfigure
  • sap-netweaver-preconfigure
  • sap-hana-preconfigure

The RHEL System Roles for SAP, just like the RHEL System Roles, are installed and run from a central node referred to as the control node (which can be Ansible Tower, Red Hat Satellite, or a RHEL 8 or RHEL 7 host). The control node connects to the local host and/or to one or more remote hosts (called managed nodes in the context of Ansible), and performs installation and configuration steps on them. It is recommended that you use the latest major release of RHEL on the control node (RHEL 8) and use the latest version of the roles either from the rhel-system-roles-sap RPM or from Red Hat Automation Hub. The RHEL System Roles for SAP and Ansible packages do not need to be installed on the systems that are being managed/configured.

See the following table for the support status:

| Control Node | Managed Node | Support Status |
|---|---|---|
| RHEL 8.4 or later | RHEL 8.0 or later | fully supported |
| RHEL 8.4 or later | RHEL 7.6 or later | fully supported |
| RHEL 8.4 or later | RHEL 7.5 or earlier | not supported |
| RHEL 8.3 or earlier | RHEL (any release) | not supported† |


† Note: For control nodes running RHEL 7.8, RHEL 7.9, or RHEL 8.1, you can use the previous versions of rhel-system-roles-sap which are in Tech Preview support status. Please find the instructions for these versions here.

For control nodes running RHEL 8.2 or RHEL 8.3, you can use version 2 of rhel-system-roles-sap which is fully supported. Please find the instructions for this version here.

See the table below for the supported hardware/virtualization/cloud platforms of the managed node:

| Hardware platform | Bare Metal/Virtualization/Cloud platform | Support Status |
|---|---|---|
| x86_64 | bare metal, Red Hat Virtualization/libvirt, VMware ESX, Red Hat Certified Cloud and Service Providers | fully supported |
| ppc64le | PowerVM LPARs | fully supported |
| s390x | zVM guest | fully supported: sap-preconfigure, sap-netweaver-preconfigure |


Note

The roles are designed to be used right after the initial installation of a managed node. Do not run these roles against a SAP or other production system. The role will enforce a certain configuration on the managed node(s), which might not be intended.

Note

Before applying the roles on a managed node, verify that the RHEL release on the managed node is supported by the SAP software version that you are planning to install.

Chapter 2. Installing the Ansible Engine and RHEL System Roles for SAP

Use the following steps to install the Ansible Engine and the RHEL System Roles for SAP.

Procedure

  1. Use subscription-manager to list the available Ansible Engine repositories.

    # subscription-manager refresh
    # subscription-manager repos --list | grep ansible

  2. Enable the Ansible Engine repository and the RHEL for SAP Solutions repository using Red Hat Subscription Manager.

    # subscription-manager repos --enable=ansible-2-for-rhel-8-$(uname -m)-rpms --enable=rhel-8-for-$(uname -m)-sap-solutions-rpms

    Note

    The generic version "2" of the Ansible Engine repository provides the latest release of the 2.X stream but it is also possible to specify a certain minor Ansible Engine version such as 2.9.

  3. Install Ansible Engine and RHEL System Roles for SAP:

    # dnf install ansible rhel-system-roles-sap

The rhel-system-roles-sap package is installed to the following locations where <role> is the name of the individual role; for example, sap-hana-preconfigure. Each role includes a README file that explains all variables and how to use the role.

Documentation: /usr/share/doc/rhel-system-roles-sap/<role>

Ansible Roles: /usr/share/ansible/roles/<role>

Chapter 3. New Features

Version 3.1 has the following new features:

  • The three roles now support an assertion run, so they can be used to compare the settings of a managed node to the applicable SAP notes. While Ansible supports setting and verifying any modification made to a managed node by design, it can be useful to report SAP notes compliance of a SAP system from time to time without modifying the system configuration, for example to ensure that system settings are still in place after a manual modification of system parameters. The roles can either fail at each detected violation, or they can report failures but continue running and finally report the number of failures (if any).
  • The roles sap-preconfigure and sap-hana-preconfigure now support a reboot of the managed node if there have been software installations which require it.
  • Role sap-preconfigure only remounts file system /dev/shm if necessary.
  • Role sap-netweaver-preconfigure now supports the installation of packages which are required for Adobe Document Services.
  • The role sap-hana-preconfigure no longer sets the SELinux state. This is already done in role sap-preconfigure.
  • Configuring role sap-hana-preconfigure for using tuned and/or modifying the boot command line has been simplified.
  • Role sap-hana-preconfigure now supports activating tuned profile sap-hana and also modifying the boot command line. This provides greater flexibility when setting latency related parameters.
  • Role sap-hana-preconfigure now supports checking if the RHEL minor release is supported for SAP HANA. This behavior can be overridden so that any RHEL 7.6 or greater managed node can be prepared for SAP HANA.
  • Role sap-hana-preconfigure now supports setting kernel parameters for NetApp NFS as per SAP Note 3024346.

Chapter 4. Known Issues

4.1. Roles produce limited output when running in check mode

Running roles in check mode will not show all changes which are performed on a system when running in normal mode, as some Ansible modules have no or just partial support for check mode. For example, tasks will not report the values of kernel parameters. For more information on the Ansible check mode, please refer to Ansible Playbook.

To overcome this restriction, the sap*preconfigure roles can now run in an extended check (=assert) mode.

4.2. Extended check (=assert) parameters are not recognized in previous versions of the roles

The roles can run in an assert mode, in which case they do not modify managed nodes but report the compliance of a node with the applicable SAP notes. When running assert mode playbooks with previous versions (1.x or 2.x) of the roles, assert parameters are ignored, causing the roles to modify the managed nodes instead of only checking them. As roles can also be installed in other than the default locations (e.g. using git), it is recommended that you not only check if version 3 of package rhel-system-roles-sap is installed but also that the playbooks you are using are calling the roles in their correct, default locations, which is under /usr/share/ansible/roles.

4.3. Role sap-preconfigure fails if DNS domain is not set on the managed node

If no DNS domain is set on the managed node, which is typically the case on cloud systems, the role sap-preconfigure will fail in task Verify that the DNS domain is set. To avoid this, set variable sap_domain in file /usr/share/ansible/roles/sap-preconfigure/defaults/main.yml or run the ansible-playbook command with the command line parameter -e "sap_domain=example.com" (with the domain name being example.com in this case; replace it with your domain name).

(sap-preconfigure issue 32)

4.4. The assertion for getting the current status of the CPU Governor for performance (x86_64 platform only) fails

When running role sap-hana-preconfigure in assert mode against a x86_64 managed node, it might incorrectly report that the current status of the CPU Governor for performance is not as expected.

(sap-hana-preconfigure issue 180)

Chapter 5. Quick Start Guide to RHEL System Roles for SAP

Use the following procedures for configuring or verifying one or more systems for the installation of SAP NetWeaver or SAP HANA.

5.1. Verifying the version of RHEL System Roles for SAP

Use the following steps to display the role path that is used when running the role, so that you can verify that it corresponds to the installed version.

Procedure

  1. Run the command (replace PLAYBOOK.YML by the actual name of the playbook and HOSTNAME by the name of the managed node):

    # ansible-playbook PLAYBOOK.YML -l HOSTNAME --step -vv

  2. Answer the first question with "N":

    Perform task: TASK: Gathering Facts (N)o/(y)es/(c)ontinue: N

  3. Answer the second question with "y":

    Perform task: TASK: sap-preconfigure : include os specific vars (N)o/(y)es/(c)ontinue: y

Verification

  1. This will display the absolute path name of file tasks/main.yml and then abort the play (because the vars file could not be found). Example output:

    TASK [sap-preconfigure : include os specific vars]
    ****************************************************************************
    task path: /usr/share/ansible/roles/sap-preconfigure/tasks/main.yml:3
    fatal: [HOSTNAME]: FAILED! => {"msg": "No file was found when using first_found. Use errors='ignore' to allow this task to be skipped if no files are found"}
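
The check recommended in section 4.2 and performed interactively in section 5.1 can be scripted. The following is an added example, not part of the Red Hat documentation or the roles' own code; the script name preflight.sh, the function names and the EXPECTED_ROOT variable are hypothetical, and the role search order it walks is the one given in the Ansible documentation.

```shell
#!/bin/sh
# Added example, not Red Hat's code: refuse an assert-mode run unless the role
# Ansible would load is the packaged copy from rhel-system-roles-sap 3 or later.
# Assumed search order (Ansible documentation): roles/ beside the playbook,
# then each roles_path entry, then the playbook directory itself.

# Packaged role location named on this page (hypothetical override for tests).
EXPECTED_ROOT=${EXPECTED_ROOT:-/usr/share/ansible/roles}

# resolve_role ROLE PLAYBOOK_DIR ROLES_PATH
# Prints the first directory that provides ROLE; returns 1 if there is none.
# The body runs in a subshell so the IFS and globbing changes do not leak.
resolve_role() (
    role=$1 playbook_dir=$2 roles_path=$3
    set -f                      # no glob expansion while splitting on ':'
    IFS=:
    set -- "$playbook_dir/roles" $roles_path "$playbook_dir"
    for dir in "$@"; do
        [ -n "$dir" ] || continue
        if [ -d "${dir%/}/$role" ]; then
            printf '%s\n' "${dir%/}/$role"
            return 0
        fi
    done
    return 1
)

# assert_mode_safe ROLE PLAYBOOK_DIR ROLES_PATH PKG_VERSION
# Returns 0 only if PKG_VERSION is 3 or later and ROLE resolves to the
# packaged copy. Versions 1.x and 2.x ignore the assert variables and would
# modify the managed node instead of only checking it. Returns 2 when the
# version string cannot be parsed (for example, package not installed).
assert_mode_safe() (
    role=$1 major=${4%%.*}
    case $major in
        ''|*[!0-9]*) echo "unparseable package version: '$4'" >&2; return 2 ;;
    esac
    if [ "$major" -lt 3 ]; then
        echo "rhel-system-roles-sap $4 ignores the assert variables" >&2
        return 1
    fi
    resolved=$(resolve_role "$role" "$2" "$3") || {
        echo "role $role not found in any search location" >&2; return 1; }
    if [ "$resolved" != "$EXPECTED_ROOT/$role" ]; then
        echo "role $role would be loaded from $resolved" >&2
        return 1
    fi
)

# Stand-alone use: sh preflight.sh PLAYBOOK.YML ROLE [ROLE...]
# Limitation: a roles_path set in ansible.cfg is not read here; pass it via
# ANSIBLE_ROLES_PATH, otherwise the Ansible default search path is assumed.
if [ "$#" -ge 2 ]; then
    playbook_dir=$(cd "$(dirname "$1")" && pwd) || exit 2
    shift
    roles_path=${ANSIBLE_ROLES_PATH:-$HOME/.ansible/roles:/usr/share/ansible/roles:/etc/ansible/roles}
    pkg_version=$(rpm -q --qf '%{VERSION}' rhel-system-roles-sap)
    for role in "$@"; do
        assert_mode_safe "$role" "$playbook_dir" "$roles_path" "$pkg_version" || exit 1
    done
    echo "OK: assert-mode run would use the packaged version $pkg_version roles"
fi
```

Run it on the control node before the ansible-playbook command of an assert-mode playbook, for example with sap-hana.yml followed by the role names sap-preconfigure and sap-hana-preconfigure.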

5.2. Preparing the control node

Use the following steps to display the system messages in English. RHEL System Roles for SAP requires that the Ansible control node uses locale C or en_US.UTF-8.

Procedure

  1. Run the command on the local host to check the current setting.

    # locale

  2. The output should display either C or en_US.UTF-8 in the line starting with LC_MESSAGES=.

    1. If the command does not produce the expected output, run the following command on the local host before executing the ansible-playbook command:

      # export LC_ALL=C

      Or

      # export LC_ALL=en_US.UTF-8

5.3. Configuring the local system

Use the following steps for preparing the local system for the installation of SAP NetWeaver.

Prerequisites

  • No production software running on the system
  • A minimum of 20480 MB of swap space is configured on the local system

Procedure

  1. Make a backup, if you would like to preserve the original configuration of the server.

    Note

    These roles are run after the installation of RHEL, therefore a backup should not be required.

  2. Create a YAML file named sap-netweaver.yml with the following content:

    - hosts: localhost
      connection: local
      roles:
        - sap-preconfigure
        - sap-netweaver-preconfigure

    Important

    The correct indentation of 2 spaces in front of roles: is essential.

  3. Run the RHEL System Roles sap-preconfigure and sap-netweaver-preconfigure to prepare the managed nodes for the installation of SAP NetWeaver.

    # ansible-playbook sap-netweaver.yml

    At the end of the playbook run, the command will report that a reboot is required because role sap-preconfigure has changed the SELinux state from enabled to disabled, according to SAP Note 2772999.

  4. Reboot the managed nodes so that the new SELinux state will become effective. If you set the role variable sap_preconfigure_reboot_ok to yes, the role will reboot the server as the last step of its execution.

    Note

    By changing role variable sap_preconfigure_selinux_state from the default disabled to permissive before or at the time of running the playbook, you can have the role sap-preconfigure set the SELinux state to permissive, which is also allowed for SAP NetWeaver on RHEL 8. See the Examples section in this document for more information on setting role variables.

5.4. Verifying the local system

Use the following steps to verify if the local system is configured correctly for installation of SAP NetWeaver.

RHEL System roles for SAP can also be used to verify that RHEL systems are configured correctly.

Prerequisites

  • RHEL System Roles for SAP version 3

Procedure

  1. Create a YAML file named sap-netweaver.yml with the following content:

    - hosts: localhost
      connection: local
      vars:
        sap_preconfigure_assert: yes
        sap_preconfigure_assert_ignore_errors: yes
        sap_netweaver_preconfigure_assert: yes
        sap_netweaver_preconfigure_assert_ignore_errors: yes
      roles:
        - sap-preconfigure
        - sap-netweaver-preconfigure

  2. Run the following command:

    # ansible-playbook sap-netweaver.yml

    In case you would like to get a more compact output, you can filter the output to just display the essential FAIL or PASS information for each assertion. If you are using a terminal with dark background, replace all occurrences of color code [30m in the following command sequence by [37m. Otherwise, the output of some lines will be unreadable due to dark font on dark background.

    In case you accidentally ran the above command on a terminal with dark background, you can re-enable the default white font again with the following command:

    # awk 'BEGIN{printf ("\033[37mResetting font color\n")}'

5.5. Configuring remote systems

Use the following steps for preparing one or more remote servers (managed nodes) for the installation of SAP HANA.

Prerequisites

  • Verify that the managed nodes are correctly set up for installing Red Hat software packages from a Red Hat Satellite server or the Red Hat Customer Portal.
  • Access via the ssh command to all managed nodes from the Ansible control node without using a password.
  • No production software running on the system
  • Supported RHEL release for SAP HANA.

Procedure

  1. Make a backup, if you would like to preserve the original configuration of the server.

    Note

    These roles are run after the installation of RHEL, therefore a backup should not be required.

  2. Create an inventory file or modify file /etc/ansible/hosts that contains the name of a group of hosts and each host which you intend to configure (=managed node) in a separate line (example for three hosts in a host group named sap_hana):

    [sap_hana]
    host01
    host02
    host03

  3. Verify that you can log in to all three hosts using ssh without password:

    # ssh host01 uname -a
    # ssh host02 hostname
    # ssh host03 echo test

  4. Create a YAML file named sap-hana.yml with the following content:

    - hosts: sap_hana
      roles:
        - sap-preconfigure
        - sap-hana-preconfigure

    Important

    The correct indentation (e.g. 2 spaces in front of roles:) is essential.

  5. Run the RHEL System Roles sap-preconfigure and sap-hana-preconfigure to prepare the managed nodes for the installation of SAP HANA.

    # ansible-playbook sap-hana.yml

    Note

    Do not run these roles against an SAP or other production system. The role will enforce a certain configuration on the managed node(s), which typically is intended only right after the installation of RHEL and before the initial installation of SAP software.

    At the end of the playbook run, the command will report for each managed node that a reboot is required, for example because role sap-preconfigure has changed the SELinux state from enabled to disabled (as per requirement in SAP Note 2292690 or SAP Note 2777782).

  6. Reboot the managed nodes.

5.6. Verifying a remote system

Use the following steps to verify if a remote system is configured correctly for installation of SAP HANA. It is recommended to verify each host separately.

RHEL System roles for SAP can also be used to verify that RHEL systems are configured correctly.

Prerequisites

  • RHEL System Roles for SAP version 3

Procedure

  1. Verify each host
  2. Create a YAML file named sap-hana.yml with the following content:

    - hosts: all
      vars:
        sap_preconfigure_assert: yes
        sap_preconfigure_assert_ignore_errors: yes
        sap_hana_preconfigure_assert: yes
        sap_hana_preconfigure_assert_ignore_errors: yes
      roles:
        - sap-preconfigure
        - sap-hana-preconfigure

  3. Run the ansible-playbook command with the command line option -l to specify the name of the remote host to verify.

    # ansible-playbook sap-hana.yml -l host01

Chapter 6. RHEL System Roles for SAP Description

This chapter provides a detailed description of RHEL System Roles for SAP.

6.1. System Roles and Purpose

The purpose of the three roles sap-preconfigure, sap-netweaver-preconfigure, and sap-hana-preconfigure is described in the following table:

| System Role | Purpose |
|---|---|
| sap-preconfigure | Install software and perform all configuration steps which are required for the installation of SAP NetWeaver and SAP HANA. |
| sap-netweaver-preconfigure | Install additional software and perform additional configuration steps which are required for SAP NetWeaver only. |
| sap-hana-preconfigure | Install additional software and perform additional configuration steps which are required for SAP HANA only. |

6.2. System Roles and SAP Notes

The following table lists the System Role and the corresponding action or SAP Note for the RHEL release of the managed node.

| System Role | SAP Note for RHEL 7 | SAP Note for RHEL 8 |
|---|---|---|
| sap-preconfigure | SAP Note 2002167 | SAP Note 2772999 |
| | SAP Note 1391070 | |
| | SAP Note 0941735 (TMPFS only) | |
| sap-netweaver-preconfigure | SAP Note 2526952 (Tuned profiles only) | SAP Note 2526952 (Tuned profiles only) |
| sap-hana-preconfigure | Install required packages as per documents SAP HANA 2.20 running on RHEL7.x and SAP HANA SPS 12 running on RHEL 7.x which are found in SAP Note 2009879 | Install required packages found in SAP Note 2772999 |
| | ppc64le only: Install additional required packages located here. | ppc64le Install additional required packages located here |
| | Perform the configuration steps in SAP HANA 2.0 running on RHEL 7.x and SAP HANA SPS 12 running on RHEL 7.x. SAP Note 2009879 | |
| | ppc64le only. SAP Note 2055470 | ppc64le only. SAP Note 2055470 |
| | SAP Note 2292690 | SAP Note 2777782 |
| | SAP Note 2382421 | SAP Note 2382421 |

6.3. Implemented SAP Notes

| SAP Note | RHEL 7 | RHEL 8 | Title | Scope |
|---|---|---|---|---|
| 2002167 | X | | Red Hat Enterprise Linux 7.x: Installation and Upgrade | General RHEL 7 installation and configuration steps before installing SAP NetWeaver |
| 1391070 | X | | Linux UUID solutions | Installation and configuration of uuid |
| 0941735 | X | | SAP memory management system for 64-bit Linux systems | SAP and Linux kernel parameters and TMPFS for SAP NetWeaver |
| 2772999 | | X | Red Hat Enterprise Linux 8.x: Installation and Configuration | General RHEL 8 installation and configuration steps, including uuid, before installing SAP NetWeaver or SAP HANA |
| 2526952 | X | X | Red Hat Enterprise Linux for SAP Solutions | Description of RHEL for SAP Solutions, including tuned-profiles |
| 2009879 | X | | SAP HANA Guidelines for Red Hat Enterprise Linux (RHEL) Operating System | Kernel and OS settings for SAP HANA on RHEL 6.x and RHEL 7.x |
| 2055470 | X | X | HANA on POWER Planning and Installation Specifics - Central Note | Specific installation and configuration steps for SAP HANA on POWER |
| 2292690 | X | | SAP HANA DB: Recommended OS settings for RHEL 7 | Specific package requirements, Kernel and OS settings for SAP HANA on RHEL 7.x |
| 2777782 | | X | SAP HANA DB: Recommended OS settings for RHEL 8 | Specific package requirements, Kernel and OS settings for SAP HANA on RHEL 8.x |
| 2382421 | X | X | Optimizing the Network Configuration on HANA and OS-Level | Network-related kernel settings for SAP HANA |

6.4. Role variables

In each role, default variable settings can be modified to change the behavior of the role. The README.md file of each role, located in directory /usr/share/ansible/roles/<role>, describes the purpose of these variables as well as their default settings. The variables are defined in each role’s file main.yml in directory /usr/share/ansible/roles/<role>/defaults. They can be changed in that file, in an inventory file, in your playbooks, or by using the ansible-playbook command line parameter --extra-vars or -e. See the next section for examples.

Some of the variables are described in more detail below to explain their behavior and dependencies:

Kernel variables can be set either in the kernel command line via grub, or using tuned profile sap-hana. Use the following combinations of these variables in /usr/share/ansible/roles/sap-hana-preconfigure/defaults/main.yml for the cases described below.

6.4.1. Using tuned profile sap-hana only

In case you would like to use tuned profile sap-hana only, leave the default settings in place:

    sap_hana_preconfigure_use_tuned: yes

6.4.2. Using tuned profile sap-hana and modify the kernel command line

In case you would like to use tuned and also modify the kernel command line, use the following variable setting:

    sap_hana_preconfigure_modify_grub_cmdline_linux: yes

6.4.3. Modifying the kernel command line and not using tuned

In case you would like to modify the kernel command line and not switch to tuned profile sap-hana (this causes all kernel settings to be configured statically), use the following variable setting:

    sap_hana_preconfigure_use_tuned: no

Note

This will modify the grub command line even if variable sap_hana_preconfigure_modify_grub_cmdline_linux is set to no.

Legal Notice

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.