Why do I receive errors when I run Zypper commands on my EC2 SLES instance?

Short description

To determine the error, review the output messages of the Zypper command. The following errors might occur when you run Zypper commands:

• "HTTP Error" or "Not ready to read within timeout" or "Timeout"
• "Warning: There are no enabled repositories defined." Or "Missing Repositories or Authentication is required for https://smt-ec2.susecloud.net/services/2145?credentials=Basesystem_Module_x86_64' or or Permission to access 'https://smt-ec2.susecloud.net/repo/SUSE/Products/SLE-Module-Adv-Systems-Management/12/x86_64/product/repodata/repomd.xml?credentials=Advanced_Systems_Management_Module_x86_64 ' denied."
• "System management is locked by the application with PID xxx (zypper). Close this application before trying again."
• "The following xx items are locked and will not be changed by any action."

Resolution

Note: Before you use the following resolutions, create an Amazon Machine Image (AMI) or an Amazon Elastic Block Store (Amazon EBS) snapshot of your instance.

"HTTP Error" or "Not ready to read within timeout" or "Timeout"

Incorrect instance configurations cause these errors. To resolve the error, complete the following steps:

1.    Confirm that the security group that's attached to your instance permits outbound HTTP and HTTPS traffic.

2.    Verify that the network access control lists (network ACLs) that are associated with your instance's subnet allow outbound HTTP and HTTPS traffic.

Example network ACL rules:

Inbound rules
Rule#    Type                    Protocol    Port Range    Source        Allow/Deny
130      Custom TCP Rule         TCP (6)     1024-65535    0.0.0.0/0     ALLOW
140      Custom TCP Rule         TCP (6)     1024-65535    ::/0          ALLOW
*        ALL Traffic             ALL         ALL           0.0.0.0/0     DENY
*        ALL Traffic             ALL         ALL           ::/0          DENY


Outbound rules
Rule #    Type                   Protocol    Port Range    Destination  Allow/Deny
100       HTTP (80)              TCP (6)     80            0.0.0.0/0    ALLOW
101       HTTPS (443)            TCP (6)     443           0.0.0.0/0    ALLOW
102       HTTP (80)              TCP (6)     80            ::/0         ALLOW
103       HTTPS (443)            TCP (6)     443           ::/0         ALLOW
*         ALL Traffic            ALL         ALL           ::/0         DENY
*         ALL Traffic            ALL         ALL           0.0.0.0/0    DENY

In the preceding example, outbound rules 100 and 101 correspond to inbound rule 130. Outbound rules 102 and 103 correspond to inbound rule 140. The outbound traffic that's allowed on ports 80 and 443 (HTTP and HTTPS) is matched with the inbound traffic that's allowed on the ephemeral ports. Ephemeral ports are dynamically assigned and are used by the source for outbound traffic. You must allow inbound traffic on ephemeral ports so that the outbound connection allows responses from the destination. For more information, see Ephemeral ports.

The example network ACL rules have an ephemeral port range of 1024-65535. The range that you use for your network ACLs depends on your client and the client that you want to communicate with.

For more information and additional network ACL examples, see Custom network ACL.

3.    To access SUSE repositories, use one of the following methods for your Amazon EC2 instance:

• The instance is in a public subnet with an internet gateway. For more information, see Turn on internet access.
• The instance is in a private subnet with a NAT gateway. For more information, see NAT gateways.
• The instance is in a private subnet with a NAT instance. For more information, see NAT instances.
• The instance is in a private subnet. To determine if you need a private repository, see Accessing SUSE Updates in AWS. When do you need a private repository? on the SUSE website.

4.    After you configure your instance, run a few commands to verify that Zypper performs as expected. For example, run the following command to install telnet:

sudo zypper install telnet

"Warning: There are no enabled repositories defined" or "Missing Repositories or Authentication is required"

These errors occur when registration with the SUSE repositories fails.

1.    To verify that the instance has a valid billing code, run the following command:

$ curl -s [http://169.254.169.254/latest/dynamic/instance-identity/document](http://169.254.169.254/latest/dynamic/instance-identity/document) | grep -i billing

If both billingProducts and marketplaceProductCodes are null, then errors occur. All compliant SLES instances must have the billingProducts code.

Example billing code:

"billingProducts": ["bp-xxxxxxxx"],

2.    To verify that you registered SUSE, run the following command:

$ sudo SUSEConnect -s

If the command displays Not Registered, then run the following command to register SUSE.

rm /etc/SUSEConnect
rm -f /etc/zypp/{repos,services,credentials}.d/*
rm -f /usr/lib/zypp/plugins/services/*
sed -i '/^# Added by SMT reg/,+1d' /etc/hosts
/usr/sbin/registercloudguest --force-new

If you receive errors when you register SUSE, then see AWSSupport-TroubleshootSUSERegistration.

Note: The preceding registration method applies to AWS On-Demand (PAYG) SLES cloud instances. For standard SUSE installations or BYOS cloud images, use the traditional registration method that's specific to the SLE release.

• For SLE11 systems use suse_register for registration.
• For SLE12 systems use SUSEConnect. Note that SLE12/OES2018 uses suse_register to connect to Micro Focus repositories.

Or, you can register these systems against a local mirror, such as SUSE Manager or SMT/RMT server.

For more information, see AWS or Azure SUSE cloud instance missing software repositories on the SUSE website.

3.    To confirm that Zypper performs as expected, run a few commands.

System management is locked by the application with PID xxx (zypper). Close this application before trying again.

When this error occurs, some actions are restricted. For example, you can't run the Zypper update command. To resolve this issue, either wait for the process to complete or stop the process. To stop the process, complete the following steps:

1.    Connect to your instance.

2.    To check for active processes, run the following command. In the command output, note the PID of the active process.

ps -ef | grep zypper

To stop the process, run the following command:

sudo kill -9 xxx

In the preceding example command, replace xxx with the PID that you obtained in step 2.

After the process stops, the Zypper update command runs without the lock error.

The following xx items are locked and will not be changed by any action

This error in the event log indicates that SUSE locked specific packages to prevent unauthorized installations or upgrades. A padlock icon displays next to locked packages.

You can't install, upgrade, or remove locked packages through the SUSE Manager Web UI or with a package manager on the client machine. The Zypper main page provides commands to list and remove any locks. For more information, see System Locking on the SUSE website and SDB: Zypper manual (plain) on the openSUSE website.

To view the current package locks, run the following command:

zypper ll

Command output example:

| Name      | Type    | Repository | Comment
--+-----------+---------+------------+--------
1 | plymouth* | package | (any)      | 

To remove a lock, run the following command:

zypper rl plymouth*

After you remove the lock, run the Zypper update command again.

Note: Change the package name according to your instance's requirements.