Ansible on SUSE Linux Enterprise Server 16 Automation Complete Guide
By Luca Berton · Published 2024-01-01 · Category: installation
Automate SLES 16 with Ansible: zypper, SUSEConnect, AppArmor, firewalld, transactional updates, SAP HANA, image-based deployments.
SUSE Linux Enterprise Server 16 is SUSE's next major LTS, released in 2025. It introduces kernel 6.12, Python 3.13, immutable-by-default transactional updates, full image-based deployment, OpenSSH 9.9, and Podman 5. General support runs through 2031, LTSS through 2035. This is the master Ansible guide for SLES 16.
SLES 16 release facts
| Item | Value |
|---|---|
| GA | 2025-Q4 |
| General support | until 2031 |
| LTSS | until 2035 |
| Default kernel | 6.12 |
| Default Python | 3.13 |
| Default mode | transactional (immutable) |
| Container engine | Podman 5 |
| Default firewall | firewalld + nftables |
Ansible-core compatibility
Use ansible-core 2.18 LTS or 2.20.
Inventory
```ini
[sles16]
sles16-01.example.com

[sles16:vars]
ansible_user=ec2-user
ansible_python_interpreter=/usr/bin/python3
```
Baseline playbook
```yaml
- name: SLES 16 baseline
  hosts: sles16
  become: true
  tasks:
    - name: Register with SCC
      ansible.builtin.command: SUSEConnect -r {{ scc_regcode }} -e {{ scc_email }}
      args:
        creates: /etc/zypp/credentials.d/SCCcredentials
      no_log: true  # keep the registration code out of task output and logs

    - name: Apply transactional update with packages installed
      ansible.builtin.command: |
        transactional-update --non-interactive pkg install vim chrony firewalld apparmor-utils cockpit podman
      register: tu
      changed_when: "'New default snapshot' in tu.stdout"

    - name: Reboot to staged snapshot
      ansible.builtin.reboot:
      when: tu.changed
```
Transactional update orchestration
```yaml
- name: Patch SLES 16 fleet (transactional)
  hosts: sles16
  become: true
  serial: 25%
  tasks:
    - name: transactional-update up
      ansible.builtin.command: transactional-update --non-interactive up
      register: tu
      changed_when: "'New default snapshot' in tu.stdout"

    - name: Reboot
      ansible.builtin.reboot:
      when: tu.changed

    - name: Verify snapshot active
      ansible.builtin.command: snapper list
      register: sn
      changed_when: false
```
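The "Verify snapshot active" task above runs snapper list but never checks what it printed. The following is an added example, not part of the original guide: an Ansible filter plugin (the name snapper_state and the file path are hypothetical) that parses the listing and reports whether the running snapshot is also the default one. It assumes snapper's number markers ("-" running, "+" default on next boot, "*" both); the sample listings are constructed.

```python
import re

# Constructed `snapper list` output after a transactional update, before the
# reboot: snapshot 4 is running ("-"), snapshot 5 is staged as default ("+").
SAMPLE_STAGED = """\
 # | Type   | Pre # | Date                     | User | Cleanup | Description
---+--------+-------+--------------------------+------+---------+----------------------
0  | single |       |                          | root |         | current
4- | single |       | Tue Jan  2 10:00:00 2024 | root | number  | Snapshot Update of #3
5+ | single |       | Tue Jan  2 11:00:00 2024 | root | number  | Snapshot Update of #4
"""

# Constructed: the same host after a successful reboot ("*" = running and default).
SAMPLE_ACTIVE = SAMPLE_STAGED.replace("4- ", "4  ").replace("5+ ", "5* ")

# Snapshot number, optional marker, then the first column separator.
ROW = re.compile(r"^\s*(\d+)([-+*]?)\s*\|")


def snapper_state(listing):
    """Parse `snapper list` text into running/default snapshot numbers."""
    running = default = None
    for line in listing.splitlines():
        match = ROW.match(line)
        if not match:
            continue  # header, separator or blank line
        number, marker = int(match.group(1)), match.group(2)
        if marker in ("-", "*"):
            running = number
        if marker in ("+", "*"):
            default = number
    if running is None or default is None:
        # Refuse to guess: an unmarked listing must fail the play, not pass it.
        raise ValueError("no running/default marker in snapper output")
    return {"running": running, "default": default, "in_sync": running == default}


class FilterModule:
    """Ansible filter plugin entry point (hypothetical file filter_plugins/snapper.py)."""

    def filters(self):
        return {"snapper_state": snapper_state}
```

In the play, `that: (sn.stdout | snapper_state).in_sync` inside an ansible.builtin.assert task placed after the reboot fails the host if it came back up on the old snapshot.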
Image-based provisioning (SLE Micro lineage)
```yaml
- name: Pull new SLES 16 image
  hosts: sles16
  become: true
  tasks:
    - name: bootc switch
      # :latest is a moving tag; pin a version tag or digest when the
      # rollout has to be reproducible across the fleet.
      ansible.builtin.command: bootc switch registry.suse.com/suse/sles16:latest
      register: bs
      changed_when: "'Image' in bs.stdout"

    - name: Reboot
      ansible.builtin.reboot:
      when: bs.changed
```
SAP HANA on SLES 16
```yaml
- name: SAP tunings on SLES 16
  hosts: sles16_sap
  become: true
  tasks:
    - name: Install SAP pattern via transactional-update
      ansible.builtin.command: |
        transactional-update --non-interactive pkg install -t pattern sap_server
      register: tu
      changed_when: "'New default snapshot' in tu.stdout"

    - name: Reboot
      ansible.builtin.reboot:
      when: tu.changed

    - name: Apply HANA tuning
      ansible.builtin.command: saptune solution apply HANA
```
Best practices
• Treat SLES 16 as immutable: every change is a transactional update; rollbacks are snapper rollback.
• Use bootc for greenfield image-based fleets; transactional-update for upgrades on existing nodes.
• For SAP, always run saptune verify after tuning.
Conclusion
SLES 16 doubles down on transactional updates and image mode. Ansible coordinates the snapshot-then-reboot flow rather than mutating files directly, which makes rollbacks deterministic and disaster recovery far simpler.
Installing Ansible on SLES 16
```bash
# Install via zypper
sudo zypper install ansible

# Or install via pip
pip3 install ansible --user

# Verify
ansible --version
```
SLES 16 Automation Tasks
```yaml
- name: Configure SLES 16 server
  hosts: sles
  become: true
  tasks:
    - name: Install packages via zypper
      community.general.zypper:
        name:
          - vim
          - git
          - curl
          - firewalld
          - python3-pip
        state: present

    - name: Register with SUSE Customer Center
      ansible.builtin.command: >
        SUSEConnect -r {{ vault_scc_registration_key }}
      changed_when: true
      no_log: true

    - name: Enable firewalld
      ansible.builtin.service:
        name: firewalld
        state: started
        enabled: true

    - name: Configure firewall rules
      ansible.posix.firewalld:
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop:
        - ssh
        - http
        - https

    - name: Configure NTP
      ansible.builtin.template:
        src: chrony.conf.j2
        dest: /etc/chrony.conf
      notify: restart chronyd

  handlers:
    - name: restart chronyd
      ansible.builtin.service:
        name: chronyd
        state: restarted
```
FAQ
What package module should I use for SLES?
Use community.general.zypper for SUSE/SLES systems. The generic ansible.builtin.package also works as it auto-detects zypper.
How is SLES different from openSUSE for Ansible?
SLES requires a subscription and uses SUSE Customer Center for updates. openSUSE is free. Ansible playbooks are largely compatible between the two — the main difference is repository management.
Does SLES 16 support SELinux or AppArmor?
SLES uses AppArmor by default, not SELinux. Use community.general.apparmor or manage AppArmor profiles via ansible.builtin.template.