Wednesday 9 September 2020


[A rambling blog about SAP on GCP, by Dylan Drummond, Helsinki. Last modified (content): 2021-06-07;

Meta-comment on 2022-06-12 - seems the screenshots got deleted. ach well, text-only, like the 1980s].

Intro

There’s a free product from SAP, for developers and system admins to use for various experimental activities: using the ABAP programming language, prototyping Fiori apps (browser-based apps accessing an SAP server), SAP connectivity and networking scenarios, and so on. At the time of writing, the product has a long official name, including the version numbering: “SAP NetWeaver AS ABAP Developer Edition 7.52 SP04”. I will usually refer to it as “SAP Dev Edition”.

This blog will show how to install and run SAP Dev Edition on Google Cloud Platform. Cubist montage of how that might look:




You can try to follow along if you like i.e. treat this blog as a tutorial; or you can just skim through it in the modern style of “oh that’s nice, amazing the curious things you find on the internet nowadays”... if you decide to follow along, please bear in mind that this blog really has no Helpdesk for if you get stuck, so it’s a case of BYODS and FIY: Bring Your Own Debugging Skills and Fix It Yourself 👍. On the other hand, if you spot some 😱 mistakes 😱, blog-improvement suggestions are welcomed.

Summary of what we do: spin up a VM with a GUI, get the SAP files; then spin up a new VM, attach SAP files disk, and install SAP; configure the various UI options to access the SAP server.

[If you would like to use your local machine rather than Google Cloud Platform, then here are a couple of blogs: two are from SAP themselves (for installation on openSUSE):

Installing SAP AS ABAP 752 SP04 on Linux – Virtual Box


Installing SAP AS ABAP 7.52 SP04 on Linux – VMWare

Another one is by, uhh, me (for installation on Ubuntu):

https://blogs.sap.com/2019/10/20/concise-guide-to-install-sap-netweaver-developer-edition-on-ubuntu-vm/ ].

UPDATE June 2021: if you are intending to use Ubuntu as the Linux distro for your SAP system installation, then you can save yourself some pain by reading another blog I wrote, which shows how to modify the installer bash script to get round a couple of bugs, one of which is to do with compatibility with Linux kernels of version 5.4 or higher:


https://blogs.sap.com/2021/06/07/adjusting-installer-script-for-sap-netweaver-dev-edition-for-distros-with-kernel-version-5.4-or-higher/

In this blog, we show how to do the cloud-infra things mostly using the Web Console of GCP. In the Terraform Appendix below, I provide a .tf file which you can use to spin up any or all of the cloud-infra mentioned in this blog’s experiments. (Terraform is a popular and free Infra-as-Code tool from Hashicorp).

I would like to thank Erno Venäläinen, for enlightening discussions about SAP on GCP, and for comments on a draft of this blog.



Network setup, and getting .rar files via VM on GCP

The .rar files we need for SAP Dev Edition, we will be getting them from this website (though let’s wait until we have a helper VM on GCP, before we start any downloading):

https://developers.sap.com/trials-downloads.html

Some bureaucracy… before you can get those files, you will need to have either a free user account with SAP (called a “P-user”) or you can use a paid user account (called an “S-user”). Getting a user account is something you could sort out before creating any VMs on GCP.
When you click on the “person icon” near top right of the page, then you are prompted to either sign-in or register (i.e. create) a relevant user. I am using a P-user. (If you have linked your P-user and/or S-user to SAP Universal ID, then you get redirected to sign in using the Universal ID, otherwise you just sign in as the P-user/S-user).

In the past when downloading the 14GB of .rar files from SAP to my local machine using a reasonably good home Internet connection, it has taken me around 2 hours to get everything downloaded. Also, in our GCP case, we would face another 2 hours of uploading the rar files to e.g. a VM on GCP (tested using the gcloud-CLI ‘gcloud compute ssh…’ then scp-ing the files). So 4 hours work 😱 , no-oh!

Luckily for me and for yous, there is a much faster way to get these files: we create a Linux VM on GCP, add a GUI-desktop and enable remote access to said GUI-desktop. Then getting the rar files to GCP will take us something like 5 minutes (as the VM has a much higher download speed relative to most home internet connections), instead of several hours.


Basics of GCP

You will need to have or get a GCP account. Sign up at https://cloud.google.com/getting-started



Newbies get 300 USD of free credits, valid for one year, so that is more than enough for completing this tutorial. (The author’s free credits expired about 2 or 3 years before starting this blog). As a rough guide to costs: doing the “research” i.e. trying out lots of things and making lots of mistakes, the total cost was about 8 euros over 3 weeks; so we could guess that following all the steps in this blog should cost only a fraction of that amount. (In the end it is up to everyone themselves to decide what GCP costs they are prepared to take on; I am just giving you an estimate based on my own experience, with no guarantees attached!).

The main Web Console for GCP is at: https://console.cloud.google.com

You will need to create a GCP project and associate the project with Billing (most things that you create in any cloud platform, have a cost and therefore need to be billed) - see the GCP documentation for how to do this. In my case, the name of the project is “mssonhello”, in the top left of the screenshot you can see that this is the “current” project the console has been assigned to work with. Near top right there is a button called “Customise”, using this you can enable visibility of the Compute Engine “summary card”, and e.g. hide the card “App Engine” (since we are not using App Engine). Anyway feel free to organise your own project dashboard how you like.



Network resources and a VM for .rar files


We need the following resources to get started:

A VPC network (although we could just use the default VPC network, it is neater and anyway easy and free to define our own custom VPC network).

A subnet on the VPC network.

A firewall rule on the VPC network, which will enable us to access our VM.

A VM which we will enable remote desktop access to.

An additional disk which we will attach to the VM, and which later we will detach once it has the .rar files.

Let’s create these resources on GCP...


A VPC network, a subnet, and a firewall rule

From the top-left of the console, we can click on the I-Ching-hexagram-like-icon (well maybe trigram-like since only three lines) to see the list of GCP services.

Scroll down to find “VPC Network” (you can use pin-icon to pin the category to top of list in future). Then choose “VPC networks”.



Click on “Create VPC Network”. Here are the config values I put in the form, you can adjust according to your region, taste and so on:

Name: sap-net
Description: Network for SAP stuff
Subnets: Subnet creation mode: Custom
New subnet:
    Name: sap-subnet-eu-n1
    Region: europe-north1
    IP address range: 192.168.200.0/24

Keep the other values as defaults, and click on “Create”. After about 30 seconds, your network with subnet will be visible:




Although we could now go ahead and create VMs, assigning them as nodes on sap-subnet-eu-n1, we will want to be able to access those VMs using various protocols. So for example, we will need TCP port 22 open (for SSH), and TCP port 3389 open (for RDP), and in case we want to use VNC then it would be good to have e.g. TCP ports 5900-5905 open. Also, we may want to be able to ping our VMs, so the ICMP protocol could be useful. We will restrict the target VMs to which the firewall applies, using two target tags. The tag “sap-on-gcp-vm” will be for a helper VM that gets the SAP .rar files, and the tag “sap-instance” will be for any VMs we plan to install the SAP system on.

So under VPC Network we go to the Firewall section, and then click on “Create Firewall”. Here are example values:

Name: sap-net-allow-ssh-rdp-vnc-icmp
Network: sap-net
Priority: 1000
Direction of traffic: Ingress
Action on match: Allow
Targets: Specified target tags
Target tags: sap-on-gcp-vm sap-instance [note: space-separated to ensure 2 different tags specified]
Source filter: IP Ranges
Source IP ranges: 0.0.0.0/0 [i.e. from anywhere]
Protocols and ports:
    tcp: 22, 3389, 5900-5905
    Other protocols: icmp

Then click “Create” to create the new firewall rule, which will look like this in your Firewall dashboard page:




A note on connecting securely

For the experiments in this blog, we are allowing anyone, anywhere to connect more or less directly to the VMs to which our firewall rules apply; in other words, in the blog we will stick to using "0.0.0.0/0" as the Source IP range. 

Nevertheless, if you know your own IP address (try googling “what is my IP” to find out), let’s say it is currently 85.76.100.172, then for “Source IP ranges” you could put “85.76.100.172/32” to restrict access:


Typically this IP address is actually the address of a NAT Gateway of your ISP, so although here we would be restricting access to a subset of the whole internet, it’s not usually only your connected device that is using the ISP’s NAT Gateway. Also you need to remember that next time you connect to the internet, that ISP assigned IP address is liable to be a different one, so you would either need to know and specify the ISP’s own range of NAT Gateway addresses in the firewall, or each time modify the existing /32 range in the firewall.

In many situations, such as if you are setting up VMs on any cloud platform for some organisation you work for, you would definitely want to have stronger security for access to the VMs. Some good advice for GCP is here:

https://cloud.google.com/solutions/connecting-securely

For example, the bastion-host-pattern is quite easy to set up. And if everyone who needs access is on a VPN, you can restrict access to be only through the VPN Gateway, and so on. For organisation-level scenarios you might also consider Google Cloud Armor:

https://cloud.google.com/armor

Although I have included SSH access in this firewall rule from anywhere, this is not a terrible security hole, since the SSH login requires having the private key - so long as you don’t give that key to anyone, you'll be fine.
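The /32 restriction described in this note can be scripted, which helps when the ISP-assigned address changes. The following is an added example, not part of the original blog: it validates the address and prints (without running) the `gcloud compute firewall-rules update` command for each rule name given. The function names are made up for this example; the rule name and sample address are the ones used in the text above.

```shell
#!/bin/sh
# Added example, not part of the original blog. Dry run: prints commands only.

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;;   # digits and single dots only
    esac
    IFS=.
    set -- $1                                 # split on dots (subshell keeps IFS local)
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in
            0?*|????*) exit 1 ;;              # no leading zeros, at most 3 digits
        esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# to_host_cidr ADDR: print ADDR/32, refusing anything that is not one usable address.
to_host_cidr() (
    valid_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; exit 1; }
    [ "$1" != "0.0.0.0" ] || { echo "refusing 0.0.0.0: not a usable source address" >&2; exit 1; }
    printf '%s/32\n' "$1"
)

# restrict_cmds ADDR RULE...: print one update command per firewall rule.
# Each command sets the rule's source ranges to the single /32.
restrict_cmds() (
    cidr=$(to_host_cidr "$1") || exit 1
    shift
    [ $# -ge 1 ] || { echo "usage: restrict_cmds ADDR RULE..." >&2; exit 1; }
    # Check every rule name before printing anything, because the output may be
    # piped to a shell: lowercase letters, digits and hyphens only.
    for rule in "$@"; do
        case $rule in
            ''|*[!a-z0-9-]*) echo "unexpected rule name: $rule" >&2; exit 1 ;;
        esac
    done
    for rule in "$@"; do
        printf 'gcloud compute firewall-rules update %s --source-ranges=%s\n' "$rule" "$cidr"
    done
)

# Sample run with the address and rule name used in the blog text.
restrict_cmds 85.76.100.172 sap-net-allow-ssh-rdp-vnc-icmp
# To apply for real (needs gcloud set up for your project):
#   restrict_cmds YOUR.CURRENT.IP sap-net-allow-ssh-rdp-vnc-icmp | sh
```

The same firewall rule also opens TCP 3389 for RDP, where login is by username and password rather than by SSH key, so narrowing the source range matters most for that port.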


A helper VM and a disk for storing .rar files

Now usually for creating a VM from Web Console, we would proceed as follows: go to the “VM instances” page.




Then we would click on “Create Instance” to start the VM instance creation workflow.

However, the Linux distro I chose for this “Get .rar files VM”, is not in the list of publicly available images for a boot disk; no problem though, as we can get the image we need from Google Marketplace and from there create our VM. (If you like, you can use any distro you like for this helper VM, of course the other main distros are just as fit for purpose, though in that case it is up to you to work out how to set it up for remote desktop access and get the .rar files).

So we are going to use the SUSE supplied openSUSE Leap 15.1 distro, which at time of writing (August 2020) is the latest version available on Marketplace (Leap 15.2 is the latest version of the distro, and at least as a local VM Leap 15.2 is also easy to install SAP on; you can download e.g. as an ISO file from https://opensuse.org - but for us, Leap 15.1 on GCP works well).

So using the trigram we can choose “Marketplace” from near the top of the list, and then use the Search Box to look for “opensuse”:



The search result should be SUSE’s openSUSE Leap 15.1 (at time of writing: probably in future a more recent version will be available, you can then pick the more recent version). Click on it to get the full description including GCP use cost estimates (there is no SUSE-licensing cost, as openSUSE is free to use; in practice, my GCP monthly usage costs for any VMs are much less than the cost estimates here, due to me keeping the VMs stopped when not needed):



So we click the “Launch” button… which takes us to the Create Instance workflow. I list here the configuration values I used, as a rough guide:

Name: opensuse-xfce [Xfce is the GUI-desktop layer we will later install; if you intend to install some other layer, e.g. Gnome3 or KDE, then you could name your VM accordingly].
Region: europe-north1 [choose the region that makes most sense for you, depending where you are in the world].
Zone: europe-north1-a [choose a zone from your region].
Machine configuration: Series: N1; Machine type: n1-standard-2 (2 vCPU, 7.5GB memory) [again, you can choose which Series and Machine type you like; your download speed will tend to be better the more computing power you have].
Boot disk: [should be prefilled with the opensuse-leap-15-1-v20190618 image or similar].
Expand the link “Management, security, disks, networking, sole tenancy”.
Under the Management tab:
Description: Auxiliary VM with GUI, to enable downloading SAP .rar files
Under the Disks tab:
Additional disks: Add new disk:
    Name: rar2unrar-disk
    Type: Standard persistent disk
    Source type: Blank disk:
        Mode: Read/write
        Deletion rule (when deleting instance): Keep disk [we need to keep this disk!].
    Size (GB): 50 [ignore any info message about possible reduced performance].
Keep other defaults for the additional disk and press “Done” to stage the disk configuration.
Under the Networking tab:
Network tags: sap-on-gcp-vm [this should match to the same string of any firewall rules’ target-tags, in case you want said firewall rule to apply to this VM].
Network interfaces: [click on “default” to change it]:
Network: sap-net
Subnetwork: sap-subnet-eu-n (192.168.200.0/24)
Keep other defaults (we don’t need a static IP for this “one-task VM”), and press “Done” to stage the Network Interface configuration.


If you like, you can click on “REST” or “command line” links to get a copy of what in the background the data are, that GCP will use to create your VM. This collection of values is useful for example if you want to write a Terraform file later that would create the same kind of VM.

Anyway now you can press “Create” and GCP will create your new VM, which will then be visible in the VM instances dashboard, a green circle means it is up and running, yay!



In general, when you are not using a VM, from the dashboard you can check the box to left of green circle then press the “Stop” button. This shuts the VM down and reduces costs (though there is still a cost associated with the additional persistent disk) while you do non-VM activities such as sleeping, talking to other people 😱, or going for a brisk walk. When you need to restart the VM, the button “Start/resume” is your friend.


Basic configuration of helper VM

Let’s first of all get the OS up to date with the latest patches from the standard openSUSE repos. Google has a new service called OS Patch Management, but that would be overkill for us here in our wee blog of experiments, anyway here is a link to the documentation:

https://cloud.google.com/compute/docs/os-patch-management#suse

So, we should be able to SSH in using the Browser SSH client from the VM instances dashboard, just press the “SSH” button. As we wisely already configured “allow TCP port 22 ingress” for sap-net, for any instances network-tagged with “sap-on-gcp-vm”, we are able to login just fine:



By the way you might find the settings menu (from the gear-icon, top-right) useful, for example I changed the Keyboard Settings -> Alt Gr mode to match how my Finnish Mac keyboard works.

Although in this blog we usually show "Browser SSH", this method can be slow to transfer SSH keys, and occasionally times out. A more efficient SSH method is to open the Cloud Shell using the icon near top right of Web Console - then you can login to your instance "opensuse-xfce" using this command (specify your project-id and instance-zone):

gcloud compute ssh --project=Your-project-id --zone=Instance-zone opensuse-xfce


(If you are prompted to generate SSH keys, answer yes, you can hit <Enter> to not specify any password, or you can specify a password).

So to refresh the repos and install all recommended updates, the commands are:


sudo zypper ref
sudo zypper update -y



Might take a few minutes even though the download speed should be reasonable, e.g. running the update in September 2020, there were 633 packages to either install or upgrade. Most likely you should reboot the VM to ensure all the updates are taken into use:


sudo reboot now



This ends your SSH session, after about 20 seconds you can start a new SSH session.

The next task is to format the additional disk attached to our VM, and then to mount it so that it is accessible e.g. for downloading .rar files to the disk. Good advice, which we mostly follow, can be found here:

https://cloud.google.com/compute/docs/disks/add-persistent-disk#formatting

So check the ID of the block device, most likely it will be “sdb”:


lsblk




We create a directory, format our disk, and mount the disk to the directory:

sudo mkdir -p /usr/rardownloads
sudo mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb
sudo mount -o discard,defaults /dev/sdb /usr/rardownloads



We want to make the /usr/rardownloads directory easy to access and write to. Then we want to back up our /etc/fstab file, and find out the UUID of our device /dev/sdb:

sudo chmod a+w /usr/rardownloads
sudo cp /etc/fstab /etc/fstab.backup
sudo blkid /dev/sdb



The output contains the UUID, copy this (excluding the quote marks “” surrounding the UUID) e.g. to some kind of notepad like Sublime Text or Notepad++ or whatever, and then construct a statement of the form:

UUID=YourUUID /usr/rardownloads ext4 discard,defaults,nofail 0 2


… substituting your UUID in the relevant place just after the equals-sign. Now the openSUSE server on GCP doesn’t come with nano pre-installed, but does come with vi. If you want to use nano for the next step, you can install it using zypper. Anyway I want to avoid the pointless debate about why nano is obviously more intuitive than vi, so this once we will use vi to modify the /etc/fstab:

sudo vi /etc/fstab



Press ‘i’ to go into editing mode. Scroll using arrow-keys to the end of the existing line then hit <Enter> to create a new line. Paste your “UUID=YourUUID…” line there. Press ‘Esc’ to come out of editing mode. Type “:wq” to write (save) the file and then exit from vi. Now our VM will know, on future reboots, to try and mount our additional disk, though if that disk isn’t found it won’t be a showstopper.


Install and configure remote desktop (Xfce and RDP)


First we need to set a password for our login user, e.g. if you login to Browser SSH or Cloud Shell and your username is visible there as “moomin_troll”, then become the sudoer, change the password of the user “moomin_troll”, and exit sudoer state:

sudo -i


passwd moomin_troll
exit



We install Xfce because, well, because the author decided so, nowadays all GUI-desktops are pretty good so if you prefer you can install something else. Also we install xrdp and enable it, so that we will be able to connect remotely to our Xfce desktop.

sudo zypper in -y patterns-xfce-xfce
sudo zypper in -y xrdp
sudo systemctl enable xrdp



We need to specify a default window manager, let’s make it the one that starts Xfce.. and ok, nano may have been installed as part of the patterns-xfce-xfce group of packages, but let’s make sure - that way when modifying files, we can use nano, if we like, not everyone likes, etcetera etcetera:

sudo zypper in nano
sudo nano /etc/sysconfig/windowmanager


DEFAULT_WM="startxfce4"



Ctrl+O, <Enter>, Ctrl+X to save and exit from nano.

Then change default target to be graphical, and reboot:

sudo ln -s /usr/lib/systemd/system/graphical.target /etc/systemd/system/default.target

sudo reboot now



After half a minute we can SSH back into the rebooted VM. Check that the xrdp service is running and that it is listening at port 3389:

systemctl status xrdp
sudo ss -tulpn | grep xrdp




Accessing the Xfce remotely using RDP

RDP clients are available for all the main OS platforms - macOS, mainstream Linux desktop distros, and of course on Windows, after all RDP is a Microsoft protocol. On macOS I use Microsoft Remote Desktop from the App Store, on Ubuntu and openSUSE laptops I use Remmina ( https://remmina.org/ ), and on Windows there is the inbuilt RDP client.

This isn’t going to be a guide on how to use RDP clients, but typically you will need to know the current External IP of the GCP VM (visible in VM dashboard), and you should also hopefully remember your VM username and the password you specified for that user earlier. Since our VM has a firewall rule allowing ingress to TCP port 3389 (“the RDP port”), RDP access is allowed. Success looks something like this:




If you like using VNC for remote desktop work instead of (or as well as) RDP, see the VNC Appendix.

(A third option would be using ‘ssh -X’ or ‘ssh -Y’, but as this is not so smooth a user experience, and setting it up is somewhat client OS dependent, this blog doesn’t explain how to do this).

Note that when you restart the Xfce VM, it can take about a minute or so for the RDP and VNC sessions to become available for you to login to remotely.

Also, when you close your client, it is better to use the path Applications -> Log out -> Log out to really log out of the session. (If you just close the client app, still you remain logged in to your session, so then (as I once did) if you go to login over RDP from a different computer, it doesn’t work out).


Getting the .rar files from SAP

Ok, next task is to get hold of those rar files. Open Mozilla Firefox (Application -> Internet -> Firefox), and make a couple of config settings (top-right trigram -> Preferences)… one is to allow pop-up windows, as the SAP site works using pop-up windows (and doesn’t work if they are blocked):



The other thing we should do is change the Firefox Downloads folder to /usr/rardownloads (if we download to the user’s normal Downloads folder then we run out of boot disk space, accidentally “tested” this 😂):



Then you can login to the SAP site using your P-user, use a search term such as “7.52 SP04” (or whatever the latest version is) to list only the files you want, and download the various rar files.

https://developers.sap.com/trials-downloads.html

https://developers.sap.com/trials-downloads.html?search=7.52%20SP04

Note that at the time of writing there are eleven such files, and the website displays only 10 results per page, so remember to also go to “results page 2” and download the last part11.rar file. Screenshot shows a nice speedy download from SAP to GCP in progress:




Once the files are all downloaded, you can check that all the files are there.



So it took about 5 minutes to get the 14GB of rar stuff, thanks to our VM on GCP’s decent download speed.

While we are here we could expand (using the ‘unrar’ program) all the rar files. Note that it isn’t necessary to unrar the files here (I didn’t), we can also unrar them later e.g. when they are attached to a VM that will be used for really installing and running SAP. But here is how to do the unrarring in case you want to expand those .rar files now:

sudo zypper in unrar
cd /usr/rardownloads
unrar x /usr/rardownloads/TD752SP04part01.rar



When you unrar part01, it drags the other parts into the unrarring workflow and expands the whole set of files and directories.

Anyway, now we want to unmount and detach the disk with the rar files, so that it can later be attached to a different VM on which we will install SAP. To unmount, first check the disk’s id:

ls -l /dev/disk/by-id/




Find the line which corresponds to your device, e.g. to “sdb” and use that name to unmount it, so if the disk id is google-rar2unrar-disk then the command is:

sudo umount /dev/disk/by-id/google-rar2unrar-disk



Check (if you like) that there is now only the emptiness of being at the unmount-point:

ls /usr/rardownloads



Then we can stop the VM, go into the details page (click on VM name in Dashboard), choose Edit mode, and we delete (the association to VM of) the rar2unrar-disk. (Don’t worry, we are not deleting the disk itself).



Then Save. In the Compute Engine -> Disks list we can see that our rar2unrar-disk still exists 😅, but is now not attached to (“in use by”) any VM. So we can use this disk for future SAP Dev Edition installation runs, attaching it to a new VM then unrarring (or using unrarred files) i.e. later when we install SAP on Ubuntu on GCP, this disk of ours, “rar2unrar-disk”, will come in handy.


[People interested in automation might ask “Why do we need to use a GUI-browser to get these rar files from SAP?”. Well, I did a brief investigation trying tools such as wget, curl, lynx, elinks, and brow.sh, but couldn’t manage to get round the need for javascript running in a non-text browser; also tricky is the need for client SAML-functionality. So for now we are going with a GUI-enabled VM on GCP].



An openSUSE VM for SAP installation

Create the openSUSE VM for SAP

This VM will have a larger additional disk, say 120 GB, and we also attach the existing rar2unrar-disk to the VM. Since we want an openSUSE Leap 15 boot disk, we again enter the VM creation workflow via the GCP Marketplace, as explained above for the helper VM.

In the main form, here are example values:

Name: opensuse-sap
Region: europe-north1 [choose the region that makes most sense for you, depending where you are in the world. Also you would want the VM to be in the same region as the rar2unrar-disk].
Zone: europe-north1-a [choose a zone from your region. You would want the VM to be in the same zone as the rar2unrar-disk]
Machine configuration: Series: N1; Machine type: n1-standard-2 (2 vCPU, 7.5GB memory) [you can choose which Series and Machine type you like; more vCPUs will tend to make both SAP installation and SAP at runtime perform better; 7 or 8 GB memory is fine, whereas e.g. 5GB memory is typically not enough for the SAP installation to succeed].
Boot disk: [should be prefilled with the opensuse-leap-15-1-v20190618 image or similar]
Expand the link “Management, security, disks, networking, sole tenancy”
Under the Management tab:
Description: SAP NetWeaver AS ABAP Developer Edition 7.52 SP04 on openSUSE Leap 15.1, iteration v01
Under the Disks tab:
    Additional disks: Add new disk:
    Name: sap-storage-disk-suse
    Type: Standard persistent disk
    Source type: Blank disk:
        Mode: Read/write
        Deletion rule (when deleting instance): Keep disk [if you like, optional]
    Size (GB): 120 [ignore any info message about possible reduced performance]
Keep other defaults for the additional disk and press “Done” to stage the disk configuration.
Additional disks: Attach existing disk:
    Disk: rar2unrar-disk
        Mode: Read/write
        Deletion rule (when deleting instance): Keep disk [can be useful to keep this disk]
Keep other defaults for the additional disk and press “Done” to stage the disk configuration.
Under the Networking tab:
Network tags: sap-instance [this will match to two of our firewall rules, the generic one and the SAP-specific one]
Hostname: vhcalnplci.dummy.nodomain [the main thing is that the FQDN (Fully Qualified Domain Name) is unique on the sap-net network, and that the first part or “short hostname” is “vhcalnplci”. You can choose a different short hostname, but then later e.g. some of your Fiori apps might not work].
Network interfaces: [click on “default” to change it]:
Network: sap-net
Subnetwork: sap-subnet-eu-n (192.168.200.0/24)
External IP: Create IP address [optional, you can use Ephemeral IP, slightly cheaper but then the IP can change after reboot and you need to change your hosts files, SAPGUI items etc.].
    Name: static-ip-opensuse-sap
    Tier: Premium [optional: Standard is a bit cheaper]
Press “Done” to save the Network interface config.


The “REST” or “command line” links let you collect values for reference, e.g. for Terraform file creation.

Then press Create and wait for the new VM with attached disk to appear in the VM dashboard.


Firewall rule for SAP-specific ports

Create a new Firewall rule via VPC Network -> Firewall -> Create Firewall. This new rule enables using SAP-specific ports, that will come in handy later on once we have installed SAP:

Name: sap-net-allow-sapgui-webgui-fiori
Network: sap-net
Priority: 1000
Direction of traffic: Ingress
Action on match: Allow
Targets: Specified target tags
Target tags: sap-instance [an identifier for SAP instances]
Source filter: IP Ranges
Source IP ranges: 0.0.0.0/0 [i.e. from anywhere]
Protocols and ports:
    tcp: 3200, 8000, 44300

Then click “Create” to create the new firewall rule; your sap-net firewall rules will look like this in your Firewall dashboard page:



Prepare openSUSE VM for installing SAP

We do some basics, then some SAP-specific preparation...

Patches, disk formatting and mounting

SSH into the VM. Get the recommended updates and reboot:

sudo zypper ref
sudo zypper update -y

sudo reboot now


SSH in again. Now we format and mount the sap-storage-disk-suse. Check the ID of the block device, it is the one that is 120 GB in size:

lsblk




So here, the sap-storage-disk-suse is called “sdb”, and the rar2unrar-disk, is called “sdc”.

Now it just so happens that the part of these SAP installations that uses the most storage space concerns the database-related resources, which the SAP installer will put under a directory called /sybase. So let’s create a directory in advance called /sybase, format the disk, and mount the disk to /sybase.


sudo mkdir /sybase
sudo mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb
sudo mount -o discard,defaults /dev/sdb /sybase

sudo chmod a+w /sybase
sudo cp /etc/fstab /etc/fstab.backup
sudo blkid /dev/sdb



Use the UUID (without quote marks) to construct a line that you add into /etc/fstab for automounting after reboot of our disk to /sybase:

UUID=YourUUID /sybase ext4 discard,defaults,nofail 0 2


sudo zypper in nano

sudo nano /etc/fstab
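The manual fstab edit above (and the same steps for /usr/rardownloads on the helper VM) can be done by a script that builds the line in the blog's format, refuses a UUID pasted with its quote marks, and appends only once. This is an added example, not part of the original blog; the function names are made up here, and the demo runs on a constructed temporary file, so it needs neither root nor a real disk.

```shell
#!/bin/sh
# Added example, not part of the original blog.

# fstab_entry UUID MOUNTPOINT: print the line in the form used in this blog.
fstab_entry() (
    uuid=$1; mnt=$2
    case $uuid in
        ''|*[!0-9A-Fa-f-]*) echo "unexpected UUID (quote marks left in?): $uuid" >&2; exit 1 ;;
    esac
    case $mnt in
        /*) ;;
        *) echo "mount point must be an absolute path: $mnt" >&2; exit 1 ;;
    esac
    printf 'UUID=%s %s ext4 discard,defaults,nofail 0 2\n' "$uuid" "$mnt"
)

# has_mountpoint FILE MOUNTPOINT: succeed if a non-comment line already mounts there.
has_mountpoint() {
    awk -v m="$2" '$1 !~ /^#/ && $2 == m { found = 1 } END { exit !found }' "$1"
}

# add_fstab_entry FILE UUID MOUNTPOINT: back up FILE, then append the entry once.
add_fstab_entry() (
    file=$1
    line=$(fstab_entry "$2" "$3") || exit 1
    if has_mountpoint "$file" "$3"; then
        echo "entry for $3 already present, leaving $file unchanged" >&2
        exit 0
    fi
    cp "$file" "$file.backup"
    # If the last line has no newline, add one so the new entry is not glued onto it.
    [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
    printf '%s\n' "$line" >> "$file"
)

# Demo on a constructed file with made-up UUIDs.
demo() (
    tmp=$(mktemp -d) || exit 1
    # Existing entry written without a trailing newline, as an editor may leave it.
    printf '%s' 'UUID=1111aaaa-0000-4000-8000-000000000001 / ext4 defaults 0 1' > "$tmp/fstab"
    add_fstab_entry "$tmp/fstab" 2222bbbb-0000-4000-8000-000000000002 /sybase
    # Second run changes nothing.
    add_fstab_entry "$tmp/fstab" 2222bbbb-0000-4000-8000-000000000002 /sybase 2>/dev/null
    cat "$tmp/fstab"
    rm -rf "$tmp"
)
demo

# On the VM, as root (e.g. after 'sudo -i'):
#   add_fstab_entry /etc/fstab "$(blkid -s UUID -o value /dev/sdb)" /sybase
#   findmnt --verify      # checks that /etc/fstab still parses
```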



We also want to mount our rar2unrar-disk, which was device “sdc”, though we don’t need an entry in fstab as this disk is only needed until we have SAP installed on the VM (can always manually mount the disk again after VM reboots, if needed).

sudo mkdir -p /usr/rardownloads

sudo mount -o discard,defaults /dev/sdc /usr/rardownloads

sudo chmod a+w /usr/rardownloads



Some SAP-specific preparation for opensuse-sap VM

We need unrar, to extract the .rar files; uuidd, during the SAP installation to guarantee unique UUIDs; libaio (should already be installed but we double-check); tcsh (also should already be installed).

sudo zypper in -y unrar uuidd libaio tcsh



We should check that the hostname is “vhcalnplci”:

hostname


If we need to change the hostname, we can do that as follows:

sudo hostnamectl set-hostname vhcalnplci



We should check that the locale is: LANG=en_US.UTF-8


cat /etc/locale.conf



If we need to set the locale, we can do that:


sudo localectl set-locale LANG=en_US.UTF-8
cat /etc/locale.conf



We need to know our private IP address on sap-net, so that we can make a “self-reference” in hosts file. We can get it from the VM dashboard, or if you like you can use the command line and see what eth0 interface has as IPv4:

ip a



Add this line into hosts file:


[internal IP in dot notation]  vhcalnplci vhcalnplci.dummy.nodomain


sudo nano /etc/hosts



So for example, my VM had internal IP 192.168.200.3, so in /etc/hosts added:

192.168.200.3 vhcalnplci vhcalnplci.dummy.nodomain



Move into /usr/rardownloads and unrar the .rar files:


cd /usr/rardownloads
unrar x /usr/rardownloads/TD752SP04part01.rar



When you unrar part01, it drags the other parts into the unrarring workflow and expands the whole set of files and directories.

Make the install.sh file executable:

sudo chmod +x install.sh



Finally as a preparation step, start the uuidd service and check it is active:

sudo systemctl start uuidd
systemctl status uuidd



A script to do the SAP-specific preparation for opensuse on GCP

If you prefer using a scripting approach to these SAP-preparation activities, upload or copy-paste the below file abapdevboxprepsusegcp.sh into the same directory as the rar files; set it to executable and run it as sudo:

sudo chmod +x abapdevboxprepsusegcp.sh
sudo ./abapdevboxprepsusegcp.sh



You are free to make a better version of this script than this quick demo effort - be my guest, be your poltergeist:

abapdevboxprepsusegcp.sh

#!/bin/bash

# Collating the various commands needed to install
# SAP NetWeaver AS Abap Developer Edition
# on openSUSE Leap 15 on Google Cloud Platform,
# Author: Dylan Drummond, Helsinki, Finland. August 2020 onwards
# Distributed for now under the Imaginary Whatever Free as in Feel Free License

# You will need to run this script as sudo.
# Script is assumed to be in the same directory as the .rar files

# Good practice to refresh repositories
# and get any updated versions of existing software.
# We use '-n' for 'non-interactive' before the update command
# to avoid being prompted.
zypper refresh
zypper -n update

# To extract .rar files, we need the unrar package.
# Also we need the uuidd service so that SAP installation picks genuinely
# unique uuid numbers when doing its stuff.
# libaio and tcsh should already exist but to be safe we include these also.
# For 'zypper install' i.e. 'zypper in', add '-y' to answer 'yes' to prompts.
zypper in -y unrar uuidd libaio tcsh

# Next, we need to set the hostname, to "vhcalnplci"
hostnamectl set-hostname vhcalnplci
echo "Hostname set via hostnamectl to:"
hostname

# Also we set the locale, just to make sure that it is "LANG=en_US.UTF-8"
localectl set-locale LANG=en_US.UTF-8
echo "System locale set via localectl to:"
cat /etc/locale.conf

# We need to know our private IP address, so that SAP can know it via hosts
# ($ETH0IPRAW is left unquoted on purpose: word splitting flattens the three
# lines of 'ip a' output so that awk can pick out field 19, the address/prefix)
ETH0IPRAW=$(ip a | grep -E 'eth0:' -A 2)
ETH0IP=$(echo $ETH0IPRAW | awk '{ print $19 }' | cut -d / -f 1)
ETH0IPDESC="eth0: $ETH0IP"

# Append (using the '-a' option of tee) comment and mapping to the hosts file:
# But only if the IPv4 address has not already been mapped
CHECKIPV4=$(grep "$ETH0IP" /etc/hosts)
if test -z "$CHECKIPV4"
then
  echo "Appending 2 lines to /etc/hosts:"
  echo "# selfie line used by SAP Abap Dev Edition:" | sudo tee -a /etc/hosts
  echo "$ETH0IP vhcalnplci vhcalnplci.dummy.nodomain" | sudo tee -a /etc/hosts
else
  echo "Seems a mapping in /etc/hosts already exists for $ETH0IP"
fi

# Next, let's unrar... find a file with "part01.rar" in the name
PART01=$(find . -type f -name '*part01.rar')
if test -z "$PART01"
then
  echo "No file containing string 'part01.rar' found, not unrarring"
else
  unrar x "$PART01"
fi
# Note that if unrar has already run, user is prompted to
# e.g. replace or quit, in case e.g. this script gets rerun.
# So user would most likely press 'Q' i.e. quit.

# The install.sh file should have been created, if so make it executable:
FILE=install.sh
if test -f "$FILE"
then
  chmod +x install.sh
fi

systemctl start uuidd

echo "All preparation done!"
echo "Before you install SAP, check that uuidd service is active:"
echo "systemctl status uuidd"
echo "Use 'q' to quit the status report in case command-line cursor not visible.."
echo "If not active, start it using:"
echo "sudo systemctl start uuidd"
echo
echo "With uuidd service active, you can run the SAP install.sh script as sudo:"
echo "sudo ./install.sh"



Install SAP Dev Edition on opensuse-sap VM

So we double-check that the uuidd service is active, and if not then we start it:

systemctl status uuidd    #if not active, the following 2 lines:

sudo systemctl start uuidd
systemctl status uuidd


Then hey ho, let’s go:


sudo ./install.sh



You can use the spacebar to scroll through the license (‘q’ if needed to get out of license-reading) and then you need to answer ‘yes’ to “Do you agree to the above license terms? yes/no:”

Enter and re-enter a master password for the OS users (such as npladm) that the SAP installer will create… and now wait and see if the installation succeeds…

So we wait… this is how it feels to be Admin, this is how it feels to be small [sounds like an indie song from the 90s.. I digress]… staring at a terminal output as it alternately rattles through stdout info or sits silently at some item making you slightly uncomfortable... “is it going to fail here…?”... 10 minutes of stdout go by… 20 minutes… 30 minutes… and a bit... Installation of NPL successful!!:



Post-install checking

Let’s switch to be the user npladm (hopefully you remembered the password you supplied at the beginning of the install.sh run, this becomes the password of SAP OS-users such as npladm):

su -l npladm


Check the status of the main SAP processes:


sapcontrol -nr 00 -function GetProcessList




Those “GREEN” statuses are what we want to see.

There are two more commands you will want to learn in your secret life as npladm. To stop your SAP system:


stopsap ALL


Then, there is the complement-command, to start your SAP system:


startsap ALL



(These two commands, ‘stopsap’ and ‘startsap’, are officially deprecated in favour of the utility ‘sapcontrol’, but SAP has kindly for now kept them going through symbolic links). After starting SAP, you can again check the progress of the SAP system using the command:

sapcontrol -nr 00 -function GetProcessList



Sometimes it takes a couple of minutes for all four main processes to be in status GREEN. If they “hang” then after e.g. 5 minutes try stopping SAP and then starting SAP again, using the relevant commands just noted.

A useful command if you are logged in as an ordinary non-SAP user and want to check the status of SAP:


su - npladm -c '/usr/sap/NPL/D00/exe/sapcontrol -nr 00 -function GetProcessList'
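Added example (not part of the original blog): a small wrapper that polls GetProcessList and reports when every process is GREEN, giving up after a set number of checks. The function names and the sample output are constructed for illustration; the parser keys on the header row and reads the third column, because the status text of a process can itself contain commas.

```shell
#!/bin/sh
# Added example: wait for the SAP processes to reach GREEN instead of
# re-running GetProcessList by hand. Function names are illustrative.

# Constructed sample in the layout that
# `sapcontrol -nr 00 -function GetProcessList` prints: a short preamble,
# a header row, then one comma-separated row per process.
SAMPLE_STARTING='09.09.2020 10:21:07
GetProcessList
OK
name, description, dispstatus, textstatus, starttime, elapsedtime, pid
disp+work, Dispatcher, YELLOW, Starting, 2020 09 09 10:20:41, 0:00:26, 2311
igswd_mt, IGS Watchdog, GREEN, Running, 2020 09 09 10:20:41, 0:00:26, 2312
gwrd, Gateway, GREEN, Running, 2020 09 09 10:20:42, 0:00:25, 2340
icman, ICM, GREEN, Running, 2020 09 09 10:20:42, 0:00:25, 2341'

# Same system a little later; the dispatcher text now has commas in it.
SAMPLE_RUNNING=$(printf '%s\n' "$SAMPLE_STARTING" |
    sed 's/YELLOW, Starting/GREEN, Running, Message Server connection ok, Dialog Queue time: 0.00 sec/')

# Print "name status" for each process row that follows the header row.
process_states() {
    awk -F', ' '
        seen_header && NF >= 7 { print $1, $3 }
        $1 == "name" && $3 == "dispstatus" { seen_header = 1 }
    '
}

# Succeeds only if at least one process is listed and all of them are GREEN.
all_green() {
    process_states |
        awk '{ n++; if ($2 != "GREEN") bad++ } END { exit !(n > 0 && bad == 0) }'
}

# Poll a status command until everything is GREEN or the checks run out.
# $1 = number of checks, $2 = seconds between checks, rest = command to run.
# Only the dispstatus column is used; the command's exit status is ignored.
wait_for_green() {
    tries=$1
    pause=$2
    shift 2
    i=1
    while [ "$i" -le "$tries" ]; do
        if "$@" 2>/dev/null | all_green; then
            echo "all processes GREEN after $i check(s)"
            return 0
        fi
        if [ "$i" -lt "$tries" ]; then sleep "$pause"; fi
        i=$((i + 1))
    done
    echo "not all GREEN after $tries checks: time to try stopsap / startsap" >&2
    return 1
}

# On the VM (30 checks, 10 seconds apart, i.e. about 5 minutes):
#   wait_for_green 30 10 su - npladm -c \
#       '/usr/sap/NPL/D00/exe/sapcontrol -nr 00 -function GetProcessList'

# Offline demo on the constructed samples:
printf '%s\n' "$SAMPLE_STARTING" | process_states
wait_for_green 1 0 printf '%s\n' "$SAMPLE_RUNNING"
```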



When you want to shut down your GCP VM, e.g. it’s sleepy time, or it’s go for a walk time, or whatever, then before you shut down the VM, remember as npladm to stop the SAP system; that way your SAP DB is less likely to get corrupted.


Automating restart of the SAP instance on VM restart - for openSUSE and Ubuntu

There are two ways to automate starting up the SAP instance when the VM is started: one way is to configure your VM, the other is to use a start-up script as part of the GCP VM metadata. We show both ways, though I suggest not using both ways on a VM at the same time 😂. The configurations should work fine on openSUSE and Ubuntu, at least I have smoketested on both distros ok.

(Note that although it might be possible to automate stopping the SAP instance, still this has more potential to go wrong, for example in GCP there is a constraint of 90 seconds for running all shutdown-scripts before the VM is forced to shutdown, so here we would risk corrupting our SAP stuff 😱. So instead, you are encouraged to always remember to stop SAP manually 🤣).

Automate restart from inside the VM

In /etc/systemd/system create a file that is owned by root (i.e. use sudo to create) called e.g. startsap.service


sudo nano /etc/systemd/system/startsap.service



Example content of startsap.service:

[Unit]
Description=Start sap up on boot

[Service]
ExecStart=/etc/init.d/quickstartsap.sh

[Install]
WantedBy=default.target



Then create (again as root) file /etc/init.d/quickstartsap.sh


sudo nano /etc/init.d/quickstartsap.sh



Content of quickstartsap.sh:


#!/bin/sh
# Script to startsap
su - npladm -c '/usr/sap/NPL/D00/exe/startsap ALL'



Make this file executable by root (the owner)


sudo chmod +x /etc/init.d/quickstartsap.sh



Enable the new service, so that it runs on every reboot:


sudo systemctl enable startsap.service



Restart the VM and login. Note that there might be a 30 second or so delay in the startup-script getting uhh… started. Once it starts, check the status of the startup: eventually SAP should be up and running (screenshots for opensuse-sap and ubuntu-sap follow):




Automate restart from the VM metadata startup-script

With the VM switched off, go to Edit mode, and add the following:

Custom metadata:
Key: startup-script

In the “Value” box, paste the following wee script (the same contents as quickstartsap.sh above):


#!/bin/sh
# Script to startsap
su - npladm -c '/usr/sap/NPL/D00/exe/startsap ALL'



And Save the config. When you are done, config should look like this:




Because these scripts are executed by the root user, no npladm password is required.

Restart the VM and login. Bear in mind there may be a 30 second or so delay in startup-script running. Again you can check as npladm that SAP is either starting up or running. (Ubuntu might take a bit longer to start up, in my smoketest-experience).


Detach the rar2unrar-disk

Now that SAP is installed, we can detach the disk of installer-files, so that e.g. later if we want to use the installation files for another VM, we can reuse rar2unrar-disk. We show probably the safest way to do this.


ls -l /dev/disk/by-id



From the output we see that our disk has id “google-rar2unrar-disk”:



So then we unmount the disk (if it is not already unmounted) as follows:


sudo umount /dev/disk/by-id/google-rar2unrar-disk



Now we can stop opensuse-sap, go into Edit mode, and we delete (the association to VM of) the rar2unrar-disk. Then Save.


SAPGUI, License, Fiori, Webgui

SAPGUI

Now in this blog we are not going to explain how to install SAPGUI clients, but there is advice available on the Internet; and actually if you ever download the .rar files for SAP Dev Edition to your local computer, and extract them, then you will find (in the folder “client”) installable SAPGUI clients for Windows and for Java (macOS and Linux). Good luck now and remember I cannot help you if you are stuck!



Since my local machine is a MacBook, I will only show how to configure SAPGUI for Java to connect to our SAP instance on GCP. If you are on Windows, the Internet has tutorials explaining how to set up a connection-item.

So our opensuse-sap VM has an External IP address, and it so happens that the “SAP instance number” is “00”, which means that SAPGUI connections go to TCP port 3200, where the last two digits are the SAP instance number.

So I make a new connection-item in SAPGUI for Java, it will look something like this:




So the External IP goes after /H/, and port 3200 goes after /S/.

Then we can connect to SAP on Google Cloud Platform over SAPGUI, yay!





SAP License

We need to login to SAP Client “000”, as the user “SAP*”; the password is available in the readme.html file (so you could cat readme.html on the server), currently in September 2020 the password for the SAP Application supplied users is “Down1oad”.

In the tcode box near the top-left of the screen, enter the tcode SLICENSE and hit <Enter>. From there you can copy the Hardware Key. Then go to:

https://go.support.sap.com/minisap/#/minisap

Scroll to find: “NPL - SAP NetWeaver 7.x (Sybase ASE)” line and check the radiobutton. Scroll down to section “Personal Data & Info”, enter relevant data including Hardware Key, check the box agreeing to License Agreement, then press “Generate”, to download the license as a text file to your local machine, probably it is called “NPL.txt”.

Then back in your SAPGUI screen, first delete any existing temporary licenses (important for some reason to do this step before installing a new license). Highlight license, Edit -> Delete license.



Once those are deleted, go to Edit -> Install License. You might need to go up to nearer the root folder then descend again to get to your Downloads folder where the NPL.txt license sits.



So you open the text file and then you should have a valid license:




After that you can logout. For day-to-day SAPGUI use, client 001, user DEVELOPER, and same generic password e.g. “Down1oad”.


Fiori

Fiori access should work “out of the box”. But remember kids: because the SAP backend will generate so many runtime objects the first time someone (most likely you) accesses the Fiori Launchpad or opens any of the Fiori apps in the Launchpad, you need to be patient. It can take e.g. up to 25 minutes for everything to be generated in the Fiori area.

First set your hosts file on your local machine to point “vhcalnplci” to the External IP address of your SAP Dev Edition on GCP.



Or, if you do not have the admin rights or knowledge or desire to modify the local machine’s hosts file, but you have the Google Chrome desktop browser, then there is an excellent extension called LiveHosts which will work nicely (so long as you browse using Chrome):

https://chrome.google.com/webstore/detail/livehosts/hdpoplemgeaioijkmoebnnjcilfjnjdi?hl=en

Assuming your local hosts file or Chrome LiveHosts extension maps “vhcalnplci” to the External IP address of your SAP on GCP instance, the Fiori Launchpad is located at:

https://vhcalnplci:44300/sap/bc/ui2/flp

Note that the first time you visit this website, the browser will complain that it cannot be certain the server is who it claims to be. This is due to the SAP self-signed root certificate offered by the server (the browser is just as untrusting of the certificate even if you use the FQDN version of the URL). Click past the warnings to get to the Fiori Logon Screen.

Might take a few minutes even for the Logon screen to appear…




Anyway if we check the site certificate on offer, we see that during the installation, SAP provided a self-signed certificate for the (imaginary) TLD “*.dummy.nodomain” :



Although Chrome shows “Not Secure”, still if we look via Developer Tools at the certificate, we see that TLS encryption is nevertheless working, so at least that is good. Then we just need to believe that the server which uhh, we ourselves created, is what it claims to be 😅. To see those certificate details, open Developer Tools in Chrome (an OS specific action: https://developers.google.com/web/tools/chrome-devtools/shortcuts ). Go to Security tab and view the information:




That is good enough for us: we have reason to believe that the website really is served by our SAP server, and we know that the data sent between us and the server is encrypted.
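Added example (not part of the original blog): one way to pin the self-signed certificate is to compare its SHA-256 fingerprint as seen from your local machine with the fingerprint the server presents to itself inside your SSH session, which is a channel you already trust. The function names and sample fingerprints are constructed for illustration, and it is an assumption that the HTTPS port 44300 also answers on localhost on the VM.

```shell
#!/bin/sh
# Added example: pin the self-signed certificate by fingerprint.
# Function names and the sample fingerprints are constructed.

# Reduce the usual spellings (openssl "sha256 Fingerprint=AA:BB:..",
# browser "aa bb ..", bare hex) to upper-case hex with no separators.
fp_normalize() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of the certificate a TLS server presents.
server_fp() {    # $1 = host, $2 = port
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# True only if the reference is a well-formed SHA-256 value and both agree.
fp_matches() {    # $1 = reference fingerprint, $2 = observed fingerprint
    ref=$(fp_normalize "$1")
    seen=$(fp_normalize "$2")
    case "$ref" in
        *[!0-9A-F]*) return 1 ;;    # stray characters: not a fingerprint
    esac
    [ "${#ref}" -eq 64 ] && [ "$ref" = "$seen" ]
}

# Workflow:
# 1. In the SSH session on the VM:
#        server_fp localhost 44300          # note the value as REFERENCE
# 2. On the local machine, with vhcalnplci mapped in the hosts file:
#        fp_matches "$REFERENCE" "$(server_fp vhcalnplci 44300)" \
#            && echo "same certificate as on the VM"
#    The Security tab in Chrome Developer Tools shows the same value, which
#    can be pasted in as the second argument instead.

# Offline demo with constructed values (32 bytes each):
SAMPLE_REF='sha256 Fingerprint=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
SAMPLE_BROWSER='00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff'
SAMPLE_OTHER='00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee fe'

if fp_matches "$SAMPLE_REF" "$SAMPLE_BROWSER"; then
    echo "browser value matches the reference"
fi
if ! fp_matches "$SAMPLE_REF" "$SAMPLE_OTHER"; then
    echo "different certificate: do not click past the warning"
fi
```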

So we login as e.g. user=”DEVELOPER”, to client 001.

The first time you login, it may take up to 15 minutes for the SAP system to generate the runtime code behind the couple of Fiori apps (I had to answer “Wait” to “Page seems unresponsive” popups), but eventually you should see the 2 demo apps… if you get an empty looking home page, try e.g. refreshing the page…



… in the end your patience should be rewarded with a view of the two Fiori apps:



It can then take 5-10 minutes from opening any of these Fiori apps, for them to have all their backend data and other runtime objects generated, but eventually you see some data:



After another 10 minutes of backend object-generation time, the second Fiori app should be working too 🤣 :



Here is a screenshot from GCP, showing the CPU usage when first-time-logging-in to Fiori Launchpad and first-time-opening the 2 apps. The generation of runtime objects is what causes the higher CPU usage for about 15 minutes (from around 10:20 - 10:35 in the diagram):


We can also see using the ‘top’ program from our SSH session, that SAP processes under sybnpl and npladm are occupying most of the compute power of the server while programs are generated:



Webgui

Some people like to use “SAPGUI for HTML”, a.k.a. “webgui”, which basically means a SAPGUI look and feel but with a browser as client instead of a specific local SAPGUI client. To set this up, we can login as Developer to client 001, and we go to tcode SICF (might take a while the first time, as the runtime of tcodes gets generated the first time someone uses the backend programs).

Click to view Hierarchy Type “SERVICE”, then go to /default_host/sap/bc/gui/sap/its/webgui and activate the node (right-click, Activate Service). That is all you really need to do (there are other needed settings but these have been set to correct values during installation); however if you like you can also run tcode SIAC_PUBLISH_ALL_INTERNAL (or /nSIAC_PUBLISH_ALL_INTERNAL if you are outside the intro screen).

Then the URL you want is:

http://vhcalnplci:8000/sap/bc/gui/sap/its/webgui?sap-client=001

Login and you get to a webpage that looks and acts similarly to SAPGUI:



So once this is set up, users who do not have a SAPGUI client, or have such a client but are ideologically biased in favour of the GUI-browser, can access SAP using the browser; that is what SAPGUI for HTML means. Note that unless you switch to HTTPS (see below for how to do that), your password is being sent as cleartext when you login 😱. So I suggest, if you are staying on HTTP over port 8000, that you use only the default password for SAP application users, and don't change the password to something you want to keep secret.

Note that there are a few tcodes in SAPGUI, such as STMC_UI5, which are just links to webpages served over HTTP port 8000 (in this case), so in this example the tcode is a link for:

http://vhcalnplci:8000/sap/bc/dbosc_ui5/?sap-client=001

Feel free to try that one out, it gives you lots of technical information about your SAP system.

I suggest serving the webgui pages over HTTPS (port 44300) rather than HTTP (port 8000), so that the SSL/TLS encryption will apply, even if the identity of the server is still somewhat moot (in the browser’s opinion)... webgui over HTTPS is reasonably simple to set up in SAP, as follows...

In SAPGUI, go to SICF and again to the webgui node: /default_host/sap/bc/gui/sap/its/webgui

Highlight the node and hit <Enter>. Move to the Logon Data tab. Press the button to Edit the node config, or menu path is Service -> Change. Switch the “Security requirement” from standard to SSL:


and press “Save”. Click past the warning about changing SAP stuff. Then you can e.g. create a new change request, and save your change under it:



Now the webgui node will be accessed via port 44300, so for example the login link now becomes:

https://vhcalnplci:44300/sap/bc/gui/sap/its/webgui?sap-client=001

Similarly, if you would like e.g. to access the “system info” node /default_host/sap/bc/dbosc_ui5 over HTTPS, then you could adjust that node’s Logon Data Security requirement to be SSL too, and in that case the dbosc_ui5 webpage is served at:

https://vhcalnplci:44300/sap/bc/dbosc_ui5/?sap-client=001

(You would need to use the URL directly here, as the tcode STMC_UI5 still wants to use port 8000).


An Ubuntu VM for SAP installation

The steps to use Ubuntu as the OS for our SAP instance are similar to those for openSUSE, but different enough that we describe separately how to do this. (If you haven’t already done so, detach the rar2unrar-disk from opensuse-sap, as described above).

Create the Ubuntu VM for SAP

Since Ubuntu is available as a public image on GCP at the time of writing and for the foreseeable future (Ubuntu being one of the most popular Linux distros), we can start the VM creation workflow directly from the VM instances dashboard. Here are example values, you can modify these according to your own geolocation and so on.

Name: ubuntu-sap
Region: europe-north1 [You would want the VM to be in the same region as the rar2unrar-disk].
Zone: europe-north1-a [You would want the VM to be in the same zone as the rar2unrar-disk]
Machine configuration: Series: N1; Machine type: n1-standard-2 (2 vCPU, 7.5GB memory)
Boot disk: Change:
Public images:
    Operating system: Ubuntu
    Version: Ubuntu 20.04 LTS [this was the latest LTS available at time of writing; avoid the “LTS Minimal” versions since that would likely just mean more install work later]


Press “Select” to save this Boot disk config.
Expand the link “Management, security, disks, networking, sole tenancy”
Under the Management tab:
Description: SAP NetWeaver AS ABAP Developer Edition 7.52 SP04 on Ubuntu 20.04 LTS, iteration v01
Under the Disks tab:
Additional disks: Add new disk:
    Name: sap-storage-disk-ubuntu
    Type: Standard persistent disk
    Source type: Blank disk:
        Mode: Read/write
        Deletion rule (when deleting instance): Keep disk [if you like, optional]
    Size (GB): 120
Keep other defaults for the additional disk and press “Done” to stage the disk configuration.
Additional disks: Attach existing disk:
    Disk: rar2unrar-disk
        Mode: Read/write
        Deletion rule (when deleting instance): Keep disk
Keep other defaults for the additional disk and press “Done” to stage the disk configuration.
Under the Networking tab:
Network tags: sap-instance [this will match to both of our firewall rules]
Hostname: vhcalnplci.marmot.hello [the main thing is that the FQDN (Fully Qualified Domain Name) is unique on the sap-net network, and that the first part or “short hostname” is “vhcalnplci”. You can choose a different short hostname, but then later e.g. some of your Fiori apps might not work].
Network interfaces: [click on “default” to change it]:
Network: sap-net
Subnetwork: sap-subnet-eu-n (192.168.200.0/24)
External IP: Create IP address [optional, you can use Ephemeral IP, slightly cheaper but then the IP can change after reboot and you need to change your hosts files, SAPGUI items etc.].
    Name: static-ip-ubuntu-sap
    Tier: Premium [optional: Standard is a bit cheaper]

Press “Done” to save the Network interface config.


The “REST” or “command line” links let you collect values for reference, e.g. for Terraform file creation.


Then press Create and wait for the new VM with attached disk to appear in the VM dashboard.




Patches, disk formatting and mounting

SSH into the VM. Get the recommended updates and reboot:


sudo apt update
sudo apt upgrade -y

sudo reboot now



SSH in again. Now we format and mount the sap-storage-disk-ubuntu. Check the ID of the block device, it is the one that is 120 GB in size:

lsblk




So here, the sap-storage-disk-ubuntu is called “sdb”, and the rar2unrar-disk, is called “sdc”.

Create a directory called /sybase, format the storage disk, and mount the disk to /sybase.


sudo mkdir /sybase
sudo mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/sdb
sudo mount -o discard,defaults /dev/sdb /sybase

sudo chmod a+w /sybase
sudo cp /etc/fstab /etc/fstab.backup
sudo blkid /dev/sdb



Use the UUID (without quote marks) to construct a line that you add to /etc/fstab, so that our disk is automounted to /sybase after a reboot:

UUID=YourUUID /sybase ext4 discard,defaults,nofail 0 2


sudo nano /etc/fstab
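Added example (not part of the original blog): the fstab step, which appears in both the openSUSE and the Ubuntu sections, done without an editor. It takes the UUID from the blkid output and appends the entry only if /sybase is not already listed. The function names and the sample blkid line are constructed for illustration.

```shell
#!/bin/sh
# Added example: append the /sybase fstab entry once, from blkid output.
# Function names and the sample data are made up for this illustration.

# Pull the filesystem UUID out of one line of `blkid` output.
# The leading space in ' UUID="' keeps PARTUUID= and UUID_SUB= from matching.
uuid_from_blkid() {
    printf '%s\n' "$1" | sed -n 's/.* UUID="\([0-9A-Fa-f-]\{1,\}\)".*/\1/p'
}

# The fstab line from the blog, with the UUID and mount point filled in.
fstab_line() {    # $1 = UUID, $2 = mount point
    printf 'UUID=%s %s ext4 discard,defaults,nofail 0 2\n' "$1" "$2"
}

# Append the entry unless the mount point already has one.
# Returns 0 = appended, 1 = already present, 2 = no UUID in the input.
add_fstab_entry() {    # $1 = fstab file, $2 = blkid output line, $3 = mount point
    uuid=$(uuid_from_blkid "$2")
    if [ -z "$uuid" ]; then
        echo "no filesystem UUID in blkid output" >&2
        return 2
    fi
    # In fstab, field 2 of every non-comment line is the mount point.
    if awk -v mp="$3" '$1 !~ /^#/ && $2 == mp { hit = 1 } END { exit !hit }' "$1"; then
        echo "$3 already has an entry in $1, leaving the file alone" >&2
        return 1
    fi
    cp -p "$1" "$1.backup"    # same safety copy the blog takes by hand
    fstab_line "$uuid" "$3" >> "$1"
}

# Demo on constructed data in a scratch file, so nothing on the host changes.
SAMPLE_BLKID='/dev/sdb: UUID="0a1b2c3d-1111-2222-3333-444455556666" BLOCK_SIZE="4096" TYPE="ext4"'
demo_fstab=$(mktemp)
printf '# constructed sample fstab\nUUID=ffff0000-aaaa-bbbb-cccc-000011112222 / ext4 defaults 0 1\n' > "$demo_fstab"
add_fstab_entry "$demo_fstab" "$SAMPLE_BLKID" /sybase
cat "$demo_fstab"
rm -f "$demo_fstab" "$demo_fstab.backup"
```

On the VM, as root, the call would be add_fstab_entry /etc/fstab "$(blkid /dev/sdb)" /sybase; running mount -a afterwards confirms that the file still parses before the next reboot.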



We also want to mount our rar2unrar-disk, which was device “sdc”, though we don’t need an entry in fstab as this disk is only needed until we have SAP installed on the VM (can always manually mount the disk again after VM reboots, if needed).

sudo mkdir -p /usr/rardownloads

sudo mount -o discard,defaults /dev/sdc /usr/rardownloads

sudo chmod a+w /usr/rardownloads



Some SAP-specific preparation for our Ubuntu VM

We would need: unrar, to extract the .rar files (though if you have already unrarred the files on the rar2unrar-disk, then unrar not so needed); uuidd, during the SAP installation to guarantee unique UUIDs - note that in Ubuntu, you need to install “uuid” package, with one “d”; libaio (should already be installed but we double-check); csh and tcsh (the SAP OS users need at least csh, and tcsh gives tab completion and command history).

sudo apt install -y unrar uuid csh tcsh libaio1


We should check that the hostname is “vhcalnplci”:


hostname



If we need to change the hostname, we can do that as follows:


sudo hostnamectl set-hostname vhcalnplci



We should check that the locale is: LANG=en_US.UTF-8


localectl



If we need to set the locale (quite possibly we need to, as I think the default System Locale on GCP for Ubuntu is LANG=C.UTF-8) we can do that:

sudo localectl set-locale LANG=en_US.UTF-8
localectl



We need to know our private IP address on sap-net, so that we can make a “self-reference” in hosts file. We can get it from the VM dashboard, or if you like you can use the command line and see what ens4 interface has as IPv4:

ip a



Add this line into hosts file:


[internal IP in dot notation]  vhcalnplci vhcalnplci.marmot.hello


sudo nano /etc/hosts



So for example, my VM had internal IP 192.168.200.5, so in /etc/hosts I added:


192.168.200.5 vhcalnplci vhcalnplci.marmot.hello



Move into /usr/rardownloads. Unrar the .rar files (if not already unrarred):

cd /usr/rardownloads
unrar x /usr/rardownloads/TD752SP04part01.rar



When you unrar part01, it drags the other parts into the unrarring workflow and expands the whole set of files and directories.

Make the install.sh file executable:


sudo chmod +x install.sh



Finally as a preparation step, start the uuidd service and check it is active:


sudo systemctl start uuidd
systemctl status uuidd



A script to do the SAP-specific preparation for Ubuntu on GCP

If you prefer using a scripting approach to these SAP-preparation activities, upload or copy-paste into the same directory as the rar files the following script; set it to executable and run it as sudo:

sudo chmod +x abapdevboxprepubuntu.sh
sudo ./abapdevboxprepubuntu.sh



abapdevboxprepubuntu.sh

#!/bin/bash

# Collating the various commands needed to install
# SAP NetWeaver AS Abap Developer Edition
# on Ubuntu 20.04 server on Google Cloud Platform.
# Author: Dylan Drummond, Helsinki, Finland. August 2020 onwards
# Distributed for now under the Imaginary Whatever Free as in Feel Free License

# You will need to run this script as sudo.
# Script is assumed to be in the same directory as the .rar files

# Good practice to refresh repositories
# and get any updated versions of existing software.
apt update
apt -y upgrade

# Make sure the Ubuntu Firewall is disabled:
ufw disable

# To extract .rar files, we need the unrar package.
# Also we need the uuidd service from the uuid (<- note only one 'd') package
# so that SAP installation picks genuinely unique uuid numbers when doing its stuff.
# we need csh for installation, and it is good to have tcsh for npladm's convenience later
# libaio1 should already exist (new default package in 20.04 distro) but to be safe we include it also.
apt install -y unrar uuid csh tcsh libaio1

# Next, we need to set the hostname, to "vhcalnplci"
hostnamectl set-hostname vhcalnplci
echo "Hostname set via hostnamectl to:"
hostname

# Also we set the locale, just to make sure that it is "LANG=en_US.UTF-8"
localectl set-locale LANG=en_US.UTF-8
echo "System locale set via localectl to:"
localectl

# We need to know our private IP address, so that SAP can know it via hosts
ENS4IP=$(ip a | grep -E 'scope global' | awk '{ print $2 }' | cut -d / -f 1)
ENS4IPDESC="ens4: $ENS4IP"
echo "$ENS4IPDESC"  # Added this echo info after smoketesting screenshots taken

# Append (using the '-a' option of tee) comment and mapping to the hosts file:
# But only if the IPv4 address has not already been mapped
# Also, we delete the "loopback" line that Ubuntu provides as a default
CHECKIPV4=$(grep "$ENS4IP" /etc/hosts)
if test -z "$CHECKIPV4"
then
  echo "Appending 2 lines to /etc/hosts:"
  echo "# selfie line used by SAP Abap Dev Edition:" | sudo tee -a /etc/hosts
  echo "$ENS4IP vhcalnplci vhcalnplci.dummy.nodomain" | sudo tee -a /etc/hosts
else
  echo "Seems a mapping in /etc/hosts already exists for $ENS4IP"
fi

LINETODELETE=$(grep -n '127.0.1.1' /etc/hosts | cut -d : -f 1)
if test -z "$LINETODELETE"
then
  echo "No loopback line in /etc/hosts, that is good."
else
  echo "Line number of loopback line to delete from /etc/hosts: $LINETODELETE"
  LINETODELETE+=d
  sed -i "$LINETODELETE" /etc/hosts
  echo "deleted loopback line"
fi

# Next, let's unrar... find a file with "part01.rar" in the name
PART01=$(find . -type f -name '*part01.rar')
if test -z "$PART01"
then
  echo "No file containing string 'part01.rar' found, not unrarring"
else
  unrar x "$PART01"
fi
# Note that if unrar has already run, user is prompted to
# e.g. replace or quit, in case e.g. this script gets rerun.
# So user would most likely press 'Q' i.e. quit.

# The install.sh file should have been created, if so make it executable:
FILE=install.sh
if test -f "$FILE"
then
  chmod +x install.sh
fi

# Easiest way to make sure uuidd service is active, is to start it.
# If it is stopped, then this command starts it.
# If it is already started, no harm done here.
systemctl start uuidd

echo "All preparation done!"
echo "Before you install SAP, check that uuidd service is active:"
echo "systemctl status uuidd"
echo "Use 'q' to quit the status report in case command-line cursor not visible.."
echo "If not active, start it using:"
echo "sudo systemctl start uuidd"
echo
echo "With uuidd service active, you can run the SAP install.sh script as sudo:"
echo "sudo ./install.sh"



Install SAP Dev Edition on ubuntu-sap VM

So we double-check that the uuidd service is active, and if not then we start it:

systemctl status uuidd    #if not active, the following 2 lines:

sudo systemctl start uuidd
systemctl status uuidd



Then hey ho, let’s go:


sudo ./install.sh



You can use the spacebar to scroll through the license (‘q’ if needed to get out of license-reading) and then you need to answer ‘yes’ to “Do you agree to the above license terms? yes/no:”

Enter and re-enter a master password for the OS users such as npladm that the SAP installer will create… and now wait and see if the installation succeeds…

So we wait… and wait… after maybe an hour or more 😱😂 (for some reason installing on Ubuntu seems to take much longer than installing on openSUSE)... the installation… succeeds!



Let’s check that it is all up n running:


su -l npladm



Initially (via the install script) npladm is using the csh shell; on Ubuntu this does not offer previous commands when pressing the <up>-arrow. If you want this useful “scroll back through previous commands” feature, you should switch npladm to use the tcsh shell instead (assuming you installed it). So to do this, as npladm, run the command:

chsh



Enter your (npladm) password when prompted, then when prompted for which login shell to use, type in:

/bin/tcsh



Now we logout of being npladm (type “exit” and hit <Enter>); then become npladm again, and now npladm is using the tcsh-shell.

Apart from tcsh config, for npladm activities such as checking, stopping and starting (and automating these), the post-install instructions above are fine: everything works here the same for Ubuntu as for openSUSE.

Also when it comes to configuring the “SAP layer” (SAPGUI etc), this works independently of which OS SAP is installed on, so mostly the instructions above are fine. Since both opensuse-sap and ubuntu-sap instances have the same short-form hostname, you would adjust your local hosts file depending on which of these two instances you want “vhcalnplci” to resolve to.


Tidying up

After you have done your experiments on GCP or any other cloud platform, you might want to think about housekeeping topics, such as: “Are there resources I want to keep for a while, but stopped? Are there resources that get charged even when no VM is using them? [Yes, persistent disks and static IP addresses for example]. What resources should I delete since I don’t need them and if I need them in future I can recreate them?”.

If you decide to delete all the resources used in going through this blog, then the list includes:

VMs, disks, static IP addresses, firewall rules, and a network.

If you forget to delete something, and are still being charged for it, this resource will be visible from the Billing page (with a one day lag-time); as well as the basic consumption graph there is helpfully also a breakdown of costs by resource. So it might be worth checking the Billing pages for a couple of days after you have deleted resources.



Terraform Appendix

Here we provide the full Terraform file, in case you want to create everything at once. You can of course comment out parts you don’t need, or change it or add to it; for example, you might comment out sections related to one of the two possible VMs for installing SAP, in case you only want to try out one of the OS options.

Quick guide to using Cloud Shell for Terraformances

Open Cloud Shell using the icon. Cloud Shell comes with Terraform preinstalled; you can check the version:

terraform version



Probably you get a warning that it’s not the latest version; for me at the time of writing the GCP default terraform version v0.12.24 was fine with my .tf scripts, but if there is a version mismatch causing errors then you can use your superpowers to resolve that.

Make a directory for the Terraform file:


mkdir tf-blog-infra



Switch to the Code Editor using the “Open Editor” button, then right-click on your new directory and “New File”, call it something ending in “.tf”, for example “sap-infra.tf”. Then copy-paste the reference Terraform into the new file. Note that you need to supply in the first section of the file a valid project ID, compute region and zone.

 

provider "google" {

 project = "<project-id>"  #REPLACE <project-id> with your project ID

 region  = "<region>"      #REPLACE <region> with your region

 zone    = "<zone>"        #REPLACE <zone> with your zone

}



The Editor should auto-save your changes, unless auto-save is not set, in which case you, uhh, save manually (File -> Save).

Switch back to the Terminal using the “Open Terminal” button, and cd into your tf-blog-infra directory.

cd tf-blog-infra



Next we want the Terraform plugin for provider “google”, so we get that with:


terraform init



You would be well advised to run a syntax check on your .tf files, like so:


terraform validate



Hopefully you get a message that the file looks ok:




(If there is an error, you need to fix it yourself).

Next we find out what resources Terraform is planning to add, change, or destroy; Terraform makes a plan by comparing our declarative file of what should exist against the reality of what currently exists in our project already (at first, no resources specified in this file exist). (I gave all the relevant resources in the file an extra “tf” somewhere in their names, to avoid name-conflicts with any resources that may have been already created manually using the advice in this blog.)

terraform plan



So at first, we expect the terraform plan only shows resources to add. If we are happy with how the plan looks, we can apply the plan, which will spin up the resources:

terraform apply



You need to answer “yes” to the question whether to really execute this plan.

(Note that you may need to log in to the Cloud Shell again, in case terraform fails with some message about credentials).

If all goes well, your infra-resources are created in a couple of minutes.




You should find: 3 new VMs, on a new subnet of a new network, and that network has 2 new firewall rules; 6 new disks; 2 new static external IPs. So altogether 15 new resources. You can easily check the details using the web console to verify whether e.g. the disks have been attached to the VMs, and so on.

If you want to get rid of all the resources declared in your sap-infra.tf config, then you can do that:

terraform plan -destroy
terraform destroy



Once everything declared in the .tf file has been destroyed, you can verify this via the web console.


Reference Terraform file


### This Terraform file creates resources useful for installing and running ###

### SAP NetWeaver AS ABAP Developer Edition on GCP.                         ###

### Dylan Drummond, Helsinki. Created on 30.08.2020. Modified on 05.09.2020 ###

### Distributed under the Imaginary Whatever Free as in Feel Free License   ###

 

###          ###

### PROVIDER ###

###          ###

provider "google" {

 project = "<project-id>"  #REPLACE <project-id> with your project ID

 region  = "<region>"      #REPLACE <region> with your region

 zone    = "<zone>"        #REPLACE <zone> with your zone

}

 

 

 

###               ###

### NETWORK STUFF ###

###               ###

# sap-net-tf network, where we will apply our own firewall rules to:

resource "google_compute_network" "sap-net-tf" {

 name                    = "sap-net-tf"

 description             = "Network for SAP stuff (created via .tf file)"

 auto_create_subnetworks = false

}

 

# sap-subnet-tf-eu-n1 subnetwork, where our Linux VMs are to be located

# (you can change the subnet name to match e.g. your region, if you like):

resource "google_compute_subnetwork" "sap-subnet-tf-eu-n1" {

 name          = "sap-subnet-tf-eu-n1"

 network       = google_compute_network.sap-net-tf.self_link

 ip_cidr_range = "192.168.100.0/24"

}

 

# A firewall rule to allow SSH, RDP, VNC, and ICMP ingress on sap-net-tf

resource "google_compute_firewall" "sap-net-tf-allow-ssh-rdp-vnc-icmp" {

 name        = "sap-net-tf-allow-ssh-rdp-vnc-icmp"

 network     = google_compute_network.sap-net-tf.self_link

 target_tags = ["sap-on-gcp-vm-tf", "sap-instance-tf"]

 

 allow {

   protocol = "tcp"

   ports    = ["22", "3389", "5900-5905"]

 }

 

 allow {

   protocol = "icmp"

 }

}

 

# Also we allow ingress for our SAP ports for SAPGUI, webgui(HTTP), and Fiori(HTTPS):

resource "google_compute_firewall" "sap-net-tf-allow-sapgui-webgui-fiori" {

 name        = "sap-net-tf-allow-sapgui-webgui-fiori"

 network     = google_compute_network.sap-net-tf.self_link

 target_tags = ["sap-instance-tf"]

 

 allow {

   protocol = "tcp"

   ports    = ["3200", "8000", "44300"]

 }

}

 

# A static IP address for opensuse-sap:

resource "google_compute_address" "static-ip-opensuse-sap-tf" {

 name         = "static-ip-opensuse-sap-tf"

 address_type = "EXTERNAL"

}

 

# A static IP address for Ubuntu VM:

resource "google_compute_address" "static-ip-ubuntu-sap-tf" {

 name         = "static-ip-ubuntu-sap-tf"

 address_type = "EXTERNAL"

}

 

 

 

###                             ###

### DISKS AND THEIR ATTACHMENTS ###

###                             ###

# A disk which will mostly contain the ASE DB of our SAP system (openSUSE):

resource "google_compute_disk" "sap-storage-disk-suse-tf" {

 name  = "sap-storage-disk-suse-tf"

 type  = "pd-standard"

 size  = "120"

 physical_block_size_bytes = 4096

}

 

# An attachment-object relating(attaching) the sap-storage-disk to the opensuse-sap VM:

resource "google_compute_attached_disk" "sap-storage-attach-suse-tf" {

 disk        = google_compute_disk.sap-storage-disk-suse-tf.self_link

 instance    = google_compute_instance.opensuse-sap-tf.self_link

 mode        = "READ_WRITE"

 device_name = "sap-storage-disk-suse-tf"

}

 

# A disk which will mostly contain the ASE DB of our SAP system (Ubuntu):

resource "google_compute_disk" "sap-storage-disk-ubuntu-tf" {

 name  = "sap-storage-disk-ubuntu-tf"

 type  = "pd-standard"

 size  = "120"

 physical_block_size_bytes = 4096

}

 

# An attachment-object relating(attaching) the sap-storage-disk to the Ubuntu VM:

resource "google_compute_attached_disk" "sap-storage-attach-ubuntu-tf" {

 disk        = google_compute_disk.sap-storage-disk-ubuntu-tf.self_link

 instance    = google_compute_instance.ubuntu-sap-tf.self_link

 mode        = "READ_WRITE"

 device_name = "sap-storage-disk-ubuntu-tf"

}

 

# A disk which will contain the rar files we download, then their expansions via unrar:

resource "google_compute_disk" "rar2unrar-disk-tf" {

 name  = "rar2unrar-disk-tf"

 type  = "pd-standard"

 size  = "50"

 physical_block_size_bytes = 4096

}

 

# An attachment-object relating(attaching) the rar2unrar disk to the opensuse-xfce VM:

resource "google_compute_attached_disk" "rar2unrar-attach-tf" {

 disk        = google_compute_disk.rar2unrar-disk-tf.self_link

 instance    = google_compute_instance.opensuse-xfce-tf.self_link

 mode        = "READ_WRITE"

 device_name = "rar2unrar-disk-tf"

}

 

 

 

###           ###

### INSTANCES ###

###           ###

# A helper VM which we can access over RDP and get hold of the files we need from SAP:

resource "google_compute_instance" "opensuse-xfce-tf" {

 name         = "opensuse-xfce-tf"

 description  = "Auxiliary VM with GUI, to enable downloading SAP .rar files"

 machine_type = "n1-standard-2"

 tags         = ["sap-on-gcp-vm-tf"]

 

 boot_disk {

   initialize_params {

     image = "opensuse-leap-15-1-v20190618"

   }

 }

 

 network_interface {

   network = google_compute_network.sap-net-tf.self_link

   subnetwork = google_compute_subnetwork.sap-subnet-tf-eu-n1.self_link

   access_config {

   }

 }

 

 lifecycle {

   ignore_changes = [attached_disk]

 }

}

 

 

# An opensuse-VM on which we can install and run SAP Developer Edition 7.52 SP04:

resource "google_compute_instance" "opensuse-sap-tf" {

 name         = "opensuse-sap-tf"

 description  = "SAP NetWeaver AS ABAP Developer Edition 7.52 SP04 on openSUSE Leap 15"

 machine_type = "n1-standard-2"

 tags         = ["sap-instance-tf"]

 hostname     = "vhcalnplci.dummy.nodomain"

 

 

 boot_disk {

   initialize_params {

     image = "opensuse-leap-15-1-v20190618"

   }

 }

 

 network_interface {

   network = google_compute_network.sap-net-tf.self_link

   subnetwork = google_compute_subnetwork.sap-subnet-tf-eu-n1.self_link

   access_config {

     nat_ip = google_compute_address.static-ip-opensuse-sap-tf.address

   }

 }

 

 lifecycle {

   ignore_changes = [attached_disk]

 }

}

 

 

# An Ubuntu-VM on which we can install and run SAP Developer Edition 7.52 SP04:

resource "google_compute_instance" "ubuntu-sap-tf" {

 name         = "ubuntu-sap-tf"

 description  = "SAP NetWeaver AS ABAP Developer Edition 7.52 SP04 on Ubuntu 20.04 LTS"

 machine_type = "n1-standard-2"

 tags         = ["sap-instance-tf"]

 hostname     = "vhcalnplci.marmot.hello"

 

 

 boot_disk {

   initialize_params {

     image = "ubuntu-2004-focal-v20200810"

   }

 }

 

 network_interface {

   network = google_compute_network.sap-net-tf.self_link

   subnetwork = google_compute_subnetwork.sap-subnet-tf-eu-n1.self_link

   access_config {

     nat_ip = google_compute_address.static-ip-ubuntu-sap-tf.address

   }

 }

 

 lifecycle {

   ignore_changes = [attached_disk]

 }

}
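
Neither firewall rule in the reference file sets source_ranges, so it is worth checking the plan before `terraform apply`; the Python below is an added example, not part of the original Terraform file, that reads the JSON form of a plan (`terraform plan -out=plan.out`, then `terraform show -json plan.out`) and lists admin or cleartext ports reachable from any address. Assumptions: the embedded plan is a constructed sample trimmed to the fields used, the rule `sap-net-tf-allow-ssh-admin-only` and its address are hypothetical, and a rule with neither source_ranges nor source_tags is treated as open to every IPv4 source.

```python
import json

# Admin or cleartext services opened by the reference file's two firewall rules.
SENSITIVE = {22: "SSH", 3389: "RDP", 3200: "SAPGUI", 8000: "HTTP webgui"}
SENSITIVE.update({port: "VNC" for port in range(5900, 5906)})
ANY_SOURCE = {"0.0.0.0/0", "::/0"}

def _rule(name, allow, source_ranges=None):
    """Build one constructed plan entry, trimmed to the fields the audit reads."""
    return {"type": "google_compute_firewall", "name": name, "values": {
        "name": name, "direction": None, "source_ranges": source_ranges, "allow": allow}}

# Constructed sample in the shape of `terraform show -json` output: the two rules from the
# reference file plus a hypothetical restricted rule (203.0.113.10 is a documentation address).
SAMPLE_PLAN = json.dumps({"planned_values": {"root_module": {"resources": [
    _rule("sap-net-tf-allow-ssh-rdp-vnc-icmp",
          [{"protocol": "tcp", "ports": ["22", "3389", "5900-5905"]},
           {"protocol": "icmp", "ports": None}]),
    _rule("sap-net-tf-allow-sapgui-webgui-fiori",
          [{"protocol": "tcp", "ports": ["3200", "8000", "44300"]}]),
    _rule("sap-net-tf-allow-ssh-admin-only",
          [{"protocol": "tcp", "ports": ["22"]}], ["203.0.113.10/32"]),
    {"type": "google_compute_network", "name": "sap-net-tf", "values": {}},
]}}})

def expand_ports(specs):
    """Turn ["22", "5900-5905"] into a set of ints; no list means every port."""
    if not specs:
        return set(range(1, 65536))
    ports = set()
    for spec in specs:
        low, _, high = spec.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports

def audit_plan(plan_json):
    """Return sorted (rule, port, service) for sensitive TCP ports open to any source."""
    findings = []
    for res in json.loads(plan_json)["planned_values"]["root_module"]["resources"]:
        values = res["values"]
        if res["type"] != "google_compute_firewall" or values.get("direction") == "EGRESS":
            continue
        sources = set(values.get("source_ranges") or [])
        # Assumption: no source_ranges and no source_tags means any IPv4 source (0.0.0.0/0).
        exposed = bool(sources & ANY_SOURCE) if sources else not values.get("source_tags")
        for allow in values.get("allow") or []:
            if exposed and allow["protocol"] in ("tcp", "all"):
                for port in sorted(expand_ports(allow.get("ports")) & set(SENSITIVE)):
                    findings.append((values["name"], port, SENSITIVE[port]))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_plan(SAMPLE_PLAN):
        print(*finding)
```

On the sample this reports ten exposed ports across the two rules from the reference file and none for the restricted rule. Adding source_ranges with your own address to each rule, and leaving 5900-5905 out when VNC goes through the SSH tunnel described in the VNC Appendix, clears the findings.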

 




VNC Appendix

A bit of Yast work needed for this:


sudo yast



Go to Network -> Remote Administration (VNC):



Choose e.g. Allow Remote Administration With Session Management. (I also chose “Enable access using a web browser” though if I recall correctly that is on ports 58xx and requires Java applets, an entertaining technology that somehow fell out of favour years ago and is not supported on most browsers in 2020).



Yast prompts us to install some needed packages:




[I got this error but it didn’t cause any downstream issues, so just FYI:]




Now you define a VNC-specific password using the ‘vncpasswd’ program:


vncpasswd



Note that this password is not assigned to a user, but needs to be input when accessing the VNC session. (Though if/when the screenlock comes on when you are inside your VNC session, you will likely need your own username and password to unlock it, so hopefully you already defined such a user-password, as explained in the RDP section above 😀).

We can use either a direct insecure connection, or a secure connection via ssh port forwarding. To get a secure connection... we need to ssh into our VM from our local machine. For this, you need to have the gcloud CLI installed on your local machine, and from there you should have at least once used the ‘gcloud compute ssh’ command to log in to your opensuse-xfce instance, e.g. if you are moomin_troll:

gcloud compute ssh --project=Your-project-id --zone=Zone-where-VM-is moomin_troll@opensuse-xfce



This downloads the private key for you, and you will usually find the file stored locally as: $HOME/.ssh/google_compute_engine

So with the private key available, you can ssh into your VM and set up port forwarding:

ssh -L5905:localhost:5905 -i /Users/muumipeikko/.ssh/google_compute_engine moomin_troll@35.228.250.110



Once logged in to the VM, start up a vncserver session, e.g. on DISPLAY 5.0:

vncserver :5



The port mapping is that port 59xx corresponds to vncserver :xx, where xx is an integer (often 0 is already taken, so to be on the safe side I chose ‘5’ as our number). That is why we port forwarded 5905: it matches vncserver :5.

We will use the chrome extension “VNC Viewer for Google Chrome”:

https://chrome.google.com/webstore/detail/vnc%C2%AE-viewer-for-google-ch/iabmpiboiopbgfabjmgeedhcmjenhbla/related?hl=en

This is just one of many possible VNC clients; you can use whatever VNC client software you like.

If using direct connection, then you type in the external IP of the VM, and then the port number, e.g.:

35.228.250.110:5905



(also it seems that two colons are an allowed syntax, e.g. “35.228.250.110::5905”).

If using ssh port forwarding, then you type in e.g.:

localhost:5905



Click past the warning about an unencrypted connection by pressing “Connect” (the warning appears even if you are connected over SSH port forwarding, even though SSH is secure). Then enter the VNC password that you defined earlier. Example of a VNC session:



VNC and RDP sessions can be ongoing and accessed from remote clients simultaneously, no problem (although it’s maybe overkill) - in this example, the VNC session is on Display 5.0, and the RDP session was auto-assigned to Display 200.0:



--EndOfFile

4 comments:

  1. Dylan,
    You can get the files down directly from the command line without a GUI which would make your life a lot easier. This link will help - https://www.google.com/amp/s/jonujoy.wordpress.com/2018/03/05/how-to-download-files-from-sap-if-the-download-manager-does-not-work/amp/

    1. hi,

      thanks for the link, for their case with SAP Download Manager it looks like this wget automation works nicely. Also I have seen python used to get files from SAP Download Manager.

      Remember though, SAP Download Manager is for the benefit of organisations who have purchased SAP licenses and thus have S-users. The SAP Dev Edition's "download workflow" doesn't go through SAP Download Manager, since SAP is kindly not restricting this free product to S-users. So then the download site works differently e.g. pop-up windows confirming you accept some Developer license for each part you download, as well as the need for a SAML2.0 client... on the other hand, you are right that if we could use wget or similar to get hold of the files, it would make life much easier for this blog's goals. I'll do some rootling around when I have some spare time, if any luck I would then add a note on wget into the blog.

  2. Think there is a slight error in the reference terraform - There is a reference to project modern-tangent-822 which I believe needs changing to align with the project id of the person installing.

    1. hi,

      thanks for catching this bug! Yes I was using a project with ID "modern-tangent-822" when smoketesting, hence did not notice that I had left it hard-coded in the file for all 3 VMs. Removed those 3 hard-coded project ID references and smoketested ok, the VM creation now gets the project ID from the "provider" section near start of file.

      Also since I took the code for testing from the updated blogspot page, I note that blogspot has added an extra line feed or carriage return to the code; this doesn't cause any syntax or runtime errors, though the "terraform fmt" command did not remove the extra line spacing, so if you want the code to be more compact-looking you would remove the line spaces e.g. manually.
