mcp-suse-enterprise 0.3.3

Enterprise MCP for SUSE Linux administration with OBS, openQA, multi-SP support, and contribution pipeline

MCP SUSE Enterprise

Enterprise MCP server for SUSE Linux administration with OBS, openQA, multi-SP support, and contribution pipeline.

Installation

# Install from PyPI
pip install mcp-suse-enterprise

# Or run directly with uvx
uvx mcp-suse-enterprise

Configuration

Environment Variables

# SSH Connection
export MCP_SUSE_HOST=sles-server.example.com
export MCP_SUSE_USER=admin
export MCP_SUSE_PORT=22
export MCP_SUSE_KEY_PATH=~/.ssh/id_ed25519

# OBS (Open Build Service)
export OBS_API_URL=https://api.opensuse.org
export OBS_USERNAME=myuser
export OBS_API_KEY=your-api-key

# openQA
export OPENQA_URL=https://openqa.opensuse.org
export OPENQA_API_KEY=your-key
export OPENQA_API_SECRET=your-secret

# Logging
export MCP_SUSE_LOG_LEVEL=INFO  # DEBUG, INFO, WARNING, ERROR

# Security Mode
export MCP_SUSE_SECURITY_MODE=execute  # read-only (default) or execute

YAML Configuration

Create ~/.config/mcp-suse-enterprise/config.yaml:

# List format (recommended)
profiles:
  - name: production
    hostname: sles-prod.example.com
    port: 22
    user: admin
    auth_method: key
    key_path: ~/.ssh/id_ed25519
    security_mode: read-only
    is_default: true

  - name: staging
    hostname: sles-staging.example.com
    user: tester
    auth_method: password
    security_mode: execute

# Dict format (also supported)
# profiles:
#   production:
#     hostname: sles-prod.example.com
#     port: 22
#     user: admin
#     security_mode: execute
#     is_default: true

obs:
  api_url: https://api.opensuse.org
  username: myuser
  api_key: secret-key

openqa:
  url: https://openqa.opensuse.org
  api_key: qa-key
  api_secret: qa-secret

log_level: INFO
ssh_pool_size: 5

Environment variables take priority over YAML values.

Tools by Namespace

suse.util.* (Always available)

• suse.util.sanitize-text - Sanitize text for shell execution
• suse.util.metrics - Server metrics and invocation stats
• suse.util.list-profiles - List connection profiles
• suse.util.detect-version - Detect SUSE distribution
• suse.util.test-connection - Test SSH connectivity
• suse.util.security-check - Check tool risk level

suse.admin.* (Requires SSH)

• suse.admin.execute-command - Run arbitrary commands (requires execute mode)
• suse.admin.run-background - Run long commands in background, get job ID
• suse.admin.get-job-status - Check if background job is still running
• suse.admin.get-job-output - Get stdout/stderr of background job
• suse.admin.kill-job - Kill a background job by PID
• suse.admin.service-status - Get systemd service status
• suse.admin.service-restart - Restart a service (sudo)
• suse.admin.service-enable - Enable a service (sudo)
• suse.admin.service-disable - Disable a service (sudo)
• suse.admin.logs - Get system logs (journalctl)
• suse.admin.firewall-status - Firewall status

suse.zypper.* (Requires SSH)

• suse.zypper.search - Search packages
• suse.zypper.info - Package information
• suse.zypper.list-repos - List repositories
• suse.zypper.list-patches - List available patches
• suse.zypper.list-patterns - List patterns
• suse.zypper.deps - Query dependencies
• suse.zypper.dup-dry-run - Distribution upgrade dry-run

suse.obs.* (Requires OBS credentials)

• suse.obs.list-projects - List OBS projects
• suse.obs.list-packages - List packages in project
• suse.obs.build-status - Get build status
• suse.obs.build-log - Get build log
• suse.obs.branch - Branch a package
• suse.obs.submit-request - Create submit request

suse.openqa.* (Requires openQA credentials)

• suse.openqa.list-jobs - List test jobs
• suse.openqa.get-job - Get job details
• suse.openqa.trigger-job - Trigger test job
• suse.openqa.job-modules - Get test modules
• suse.openqa.list-suites - List test suites

suse.sle.* (Requires OBS credentials)

• suse.sle.list-branches - List branch projects
• suse.sle.release-status - Consolidated release status

Supported Distributions

• SLES 15 SP5, SP6
• openSUSE Leap 15.5, 15.6, 16.0
• openSUSE Tumbleweed

Security

• Default mode: read-only (write operations require confirmation)
• suse.admin.execute-command is blocked entirely in read-only mode
• Shell injection detection on all inputs (;, |, &, $(), backticks, >, <)
• API keys never exposed in error messages
• All executed commands logged with timestamp, user, and host for audit
• Structured JSON audit logging to stderr
• Timeout enforcement on all commands (default 30s, configurable)

execute-command Security

The suse.admin.execute-command tool allows running arbitrary commands but with guardrails:

1. Blocked in read-only mode — requires security_mode: execute or MCP_SUSE_SECURITY_MODE=execute
2. Shell injection validation — commands containing ;, |, &, $(), backticks are rejected
3. Audit logging — every command is logged with timestamp, user, and host
4. Timeout enforcement — commands killed after timeout (default 30s)
5. Output truncation — large outputs (>1MB) are truncated

Background Jobs

For long-running commands (downloads, builds, imports), use the background job tools:

1. suse.admin.run-background command="wget -O /tmp/image.qcow2 https://..."
   → Returns: {job_id: "mcp-job-a1b2c3d4", pid: "12345", log_file: "/tmp/mcp-job-a1b2c3d4.log"}

2. suse.admin.get-job-status job_id="mcp-job-a1b2c3d4" pid="12345"
   → Returns: {running: true, output_tail: "... 45% ..."}

3. suse.admin.get-job-output job_id="mcp-job-a1b2c3d4" lines=100
   → Returns: {output: "...", total_lines: 250}

4. suse.admin.kill-job pid="12345" signal="TERM"
   → Returns: {success: true}

Background jobs:

• Run via nohup — survive MCP reconnects
• Output stored in /tmp/mcp-job-<id>.log
• Can be monitored, tailed, or killed at any time
• Require security_mode: execute

MCP Client Configuration

Add to your MCP client config (e.g., Claude Desktop):

{
  "mcpServers": {
    "suse": {
      "command": "uvx",
      "args": ["mcp-suse-enterprise"],
      "env": {
        "MCP_SUSE_HOST": "your-suse-host.com",
        "MCP_SUSE_USER": "admin",
        "MCP_SUSE_KEY_PATH": "~/.ssh/id_ed25519"
      }
    }
  }
}

Important Notes

• Do NOT run simultaneously with mcp-suse MVP against the same host
• Logs are emitted as JSON to stderr (stdout is reserved for MCP protocol)
• Connection pool reuses SSH connections for performance