Walkthrough: Setting up and managing an offline patch catalog for Linux

This topic is intended for system administrators or patch administrators in charge of performing patching for Linux servers in an environment that does not have access to the internet.

Introduction

This topic is intended for system and patch administrators. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. BSA calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Red Hat Enterprise Linux (RHEL). With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.

What does this walkthrough show?

This walkthrough shows how to download RHEL patches from the Red Hat website to any server having internet access, using the offline downloader utility shipped with BMC Server Automation. After downloading the RHEL patches, you transfer the metadata and payload, using removable storage, to the patch repository within the air-gapped environment and perform patching operations from there.

  • Download the payload and metadata information from Red Hat website to any server having internet access. In this walkthrough, we will download the patch payload and metadata to a Linux server.
  • Use filters to limit the amount of information added to the catalog.
  • Schedule the catalog update job to run at a particular time in future and set up notifications for the patch administrator in charge of Linux patching.

    From BMC Server Automation 8.9.02, certificates are mandatory when creating a RHEL patch catalog, because all catalogs now download from the Red Hat Content Delivery Network (CDN).

What do I need to do before I get started?

For this walkthrough, you must have the following:

  • An air-gapped environment that uses BMC Server Automation 8.6 or later to manage its Red Hat servers.
  • Any server with access to the internet. In this walkthrough we will be using a Linux server to download the patch payload from the Red Hat website.

  • From the BMC Software Electronic Product Distribution (EPD) website, download and extract the installer package (BSA<version>-<platform>64) to the Linux machine on which you want to download the payload and metadata. For steps on downloading installer package files from the EPD website, see Downloading the installation files.
  • After extracting the BSA<version>-<platform>64 installer package that you have downloaded from the EPD, navigate to either of the following directories:


    • If you are planning to download the patch payload and metadata on a Linux server: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-8.6.00
    • If you are planning to download the patch payload and metadata on Windows server: <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-windows-build-8.6.00


Note

In this walkthrough we will use the offline downloader utilities in the first directory path as we are downloading the patch payload on a Linux server.

  • Ensure that BMC Server Automation supports the operating system running on the server on which you plan to store the Red Hat patch repository.

      For the list of platforms supported for storing the repository, see Creating a patch catalog.

  • The server that houses the patch repository must have the createrepo and python-urlgrabber packages installed before the download begins (createrepo generates the repodata metadata for the downloaded RPMs).

    Note

    You do not require createrepo and python-urlgrabber if you are using a Microsoft Windows server to run the Patch Downloader utility.

    From BMC Server Automation 8.9.02, the Patch Downloader cannot be run on a Microsoft Windows server; run it on a Linux server.


Step 1: How to add configuration settings and filter information to the sample XML file

The first step is to prepare the configuration file, which contains the XML settings used by the Patch Downloader utility. The configuration file must contain the download settings and patch filter information shown in the examples below. You can also enter proxy server information if you are using one. If it does, the file holds proxy credentials; keep it readable only by the account that runs the downloader.


BMC Server Automation provides sample configuration files in the installer package at <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-8.7.00/sample-downloader-config-files/ (the build number in the directory name matches your BMC Server Automation version; the prerequisites above show 8.6.00). Edit the sample XML configuration file (sample-redhat-downloader-config.xml) provided by BMC, and add the following XML tags based on your requirements:

(Optional) Add proxy information inside the <proxy-settings></proxy-settings> element using the following XML tags:

  • <port></port>: Port number used to communicate with the proxy server.
  • <host></host>: IP address or host name of the proxy server.
  • <username></username>: User name required for authentication prior to communication with the proxy server.
  • <password></password>: Encrypted password for the specified user (see Encrypting the proxy password, below).
  • <domain-name></domain-name>: Domain name of the proxy server.
  • <proxy-type></proxy-type>: Type of proxy server used. Valid values are None (no proxy server is used), NTLM, NTLM-V2, and Squid.

Encrypting the proxy password

If you are using a proxy server, use the following command to encrypt the password that the Patch Downloader utility supplies to the proxy server, and specify the resulting encrypted string in the <password></password> parameter of the configuration XML file.

If you are running the downloader on Microsoft Windows:

  • For BMC Server Automation 8.9.01 and earlier: windows_downloader.bat -encode <passwordToEncrypt>

If you are running the downloader on UNIX:

  • For BMC Server Automation 8.9.01 and earlier: sh windows_downloader.sh -encode <passwordToEncrypt>
  • For BMC Server Automation 8.9.02 and later: sh redhat_downloader.sh -encode <password>

For BMC Server Automation 8.9.02 and later, you must run the downloader on a Linux server only.

Because the utility has to recover the clear-text password to authenticate to the proxy, this encoding prevents casual disclosure only; it is not a substitute for protecting the file. Restrict read access to the configuration file to the account that runs the downloader (for example, chmod 600 on Linux) and do not leave copies of it on the removable media used for the transfer.
  1. Define download settings using the following XML tags:

    • <temporary-location></temporary-location>: Location where files can be stored temporarily during the download process.
    • <validate-payload-certificate></validate-payload-certificate>: Whether the utility validates the certificate presented by the payload source. Keep this set to true, as in the example, so that the payloads you carry into the air-gapped network were fetched over a verified TLS connection.
    • <payload-repository-location></payload-repository-location>: Local location of the patch repository where metadata and payload are stored.
    • <download-request-retries></download-request-retries>: Number of times the download utility retries a payload download after the first attempt fails.
    • <download-request-timeout></download-request-timeout>: Number of milliseconds that the utility waits for a response before considering the attempt failed. Increase this value if the HTTP response is slow (180000 in the example is three minutes).
    • <downloader-parallel-threads></downloader-parallel-threads>: Number of downloads that can be performed in parallel.

    Example of download settings in the configuration file:

     <temporary-location>/tmp</temporary-location>
     <validate-payload-certificate>true</validate-payload-certificate>
     <payload-repository-location>/home/Payload_location</payload-repository-location>
     <download-request-retries>10</download-request-retries>
     <download-request-timeout>180000</download-request-timeout>
     <downloader-parallel-threads>10</downloader-parallel-threads>
  2. Specify filters to limit the patches downloaded in the catalog. The same filters entered here must also be entered during catalog creation in the console.

    • For example, to create a filter that downloads the latest RPMs by errata type, use the following XML tags inside <errata-type-filter></errata-type-filter>:

      • <os></os>: Operating system for the channel label.
      • <arch></arch>: Architecture for the channel label.
      • <channel-label></channel-label>: Label of the channel or child channel to download from. Example of a channel label: rhel-i386-server-5. Example of a child channel label: rhel-i386-server-supplementary-5.
      • <channel-url></channel-url>: URL of the channel to download from. New in 8.9.02: CDN is supported for all Red Hat filters, and this tag is mandatory for <errata-ids-filter> and <errata-type-filter>. List the available channels and their URLs with the following command, run from the downloader directory:

        ./redhat_downloader.sh -listChannels

      • <errata-severity></errata-severity>: Filter for the metadata download of security advisory errata. For each classification, enter true to include patches of that severity or false to exclude them: <critical>, <high>, <moderate>, <low>.
      • <errata-type></errata-type>: Filter for the metadata download of errata by type. For each classification, enter true to include patches of that type or false to exclude them: <security></security>, <bugfix></bugfix>, <enhancement></enhancement>.

      Note

      If you want to add child channels for errata filters, use the same tags and add the child channel details in the <os>, <arch>, and <channel-label> parameters.

      <errata-type-filter>
            <os>RHES5</os>
            <arch>x86</arch>
            <channel-label>rhel-i386-server-5</channel-label>
            <errata-severity>
              <critical>true</critical>
              <high>true</high>
              <moderate>true</moderate>
              <low>true</low>
            </errata-severity>
            <errata-type>
              <security>true</security>
              <bugfix>true</bugfix>
              <enhancement>true</enhancement>
            </errata-type>
          </errata-type-filter>

      If you are creating a filter for RHEL 7, you cannot use the errata-type filter. You must use the channel-type filter instead:

      <channel-type-filter>
            <os>RHES7</os>
            <arch>x86</arch>
            <channel-label>rhel-i386-server-7</channel-label>
      </channel-type-filter>
  • To create a filter that downloads specific errata by errata ID, use the following syntax. This filter can be used only if the downloader is executed on a Linux machine.

  <errata-ids-filter>
      <os>RHAS4</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-as-4</channel-label>
      <errata-ids>
        <errata-id>RHSA-2009:0429</errata-id>
        <errata-id>RHBA-2009:0388</errata-id>
      </errata-ids>
   </errata-ids-filter>

  • <os></os>: OS for the channel label.
  • <arch></arch>: Architecture for the channel label.
  • <channel-label></channel-label>: Channel label that you want to download.
  • <channel-url></channel-url>: URL of the channel to download from. New in 8.9.02: CDN is supported for all Red Hat filters, and this tag is mandatory for <errata-ids-filter> and <errata-type-filter>. Obtain the URL with ./redhat_downloader.sh -listChannels, run from the downloader directory.
  • <errata-id></errata-id>: A valid errata ID for the channel label specified in the filter. List one ID per <errata-id> element inside <errata-ids></errata-ids>.
(Not applicable for RHEL 7) To create a filter that downloads a specific update level, use the following syntax:

  <update-level-filter>
      <os>RHAS4</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-as-4</channel-label>
      <update-level>5</update-level>
  </update-level-filter>

  • <os></os>: Operating system for the channel label.
  • <arch></arch>: Architecture for the channel label.
  • <channel-label></channel-label>: Channel label you want to download.
  • <update-level></update-level>: A valid update level for the channel label specified in the filter.
  • <iso-url></iso-url>: New in 8.9.02: optional for <update-level-filter>.

  Note: The update-level filter works only on Linux computers. It does not work on Windows computers.

  3. Save the configuration file. Use the sample configuration file below as a reference:


<redhat-downloader-config>

  <config>
    <!--<proxy-settings>
      <port>8080</port>
      <host>_IPAddress_</host>
      <username>patch</username>
      <password>NWKIPRTPCWEB</password>
      <domain-name />
      <proxy-type>ntlm</proxy-type>
    </proxy-settings>-->

    <temporary-location>/tmp</temporary-location>
    <payload-repository-location>/home/repo/</payload-repository-location>
    <download-request-retries>10</download-request-retries>
    <download-request-timeout>180000</download-request-timeout>
    <downloader-parallel-threads>10</downloader-parallel-threads>
  </config>

  <subscription>
    <errata-type-filter>
      <os>RHES5</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-server-5</channel-label>
      <errata-severity>
        <critical>true</critical>
        <high>true</high>
        <moderate>true</moderate>
        <low>true</low>
      </errata-severity>
      <errata-type>
        <security>true</security>
        <bugfix>true</bugfix>
        <enhancement>true</enhancement>
      </errata-type>
    </errata-type-filter>

    <errata-type-filter>
      <os>RHES5</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-server-supplementary-5</channel-label>
      <errata-severity>     
        <critical>true</critical>
        <high>true</high>
        <moderate>true</moderate>
        <low>true</low>
      </errata-severity>
      <errata-type>
        <security>true</security>      
        <bugfix>true</bugfix>
        <enhancement>true</enhancement>
      </errata-type>
    </errata-type-filter>

    <errata-ids-filter>
      <os>RHAS4</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-as-4</channel-label>
      <errata-ids>
        <errata-id>RHSA-2009:0429</errata-id>
        <errata-id>RHBA-2009:0388</errata-id>
      </errata-ids>
    </errata-ids-filter>
   
    <update-level-filter>
      <os>RHES6</os>
      <arch>x86_64</arch>
      <channel-label>rhel-x86_64-server-6</channel-label>
      <update-level>5</update-level>
    </update-level-filter>
  </subscription>

 </redhat-downloader-config>
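The following script is an added example, not part of BMC Server Automation and not from the original page. It parses a configuration file of the shape shown above (a constructed sample is embedded in the script) and does two things a patch administrator wants before running the downloader: it lists each filter's type, OS, architecture and channel label, so that the same filters can be entered on the Red Hat Linux Catalog panel in Step 2, and it flags the mistakes this topic warns about (relative paths, certificate validation switched off, non-numeric settings, and RHEL 7 combined with the errata-type or update-level filter). The checks and messages are the example's own assumptions, not rules enforced by the downloader itself.

```python
"""Sanity-check a redhat-downloader-config file before running the Patch Downloader.

Hypothetical helper (not part of BMC Server Automation): lists the filters so they
can be compared with the ones entered in the console, and flags the mistakes the
walkthrough warns about.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample in the same shape as the configuration file on this page,
# with one deliberate error: an errata-type-filter on RHEL 7.
SAMPLE_CONFIG = """<redhat-downloader-config>
  <config>
    <temporary-location>/tmp</temporary-location>
    <validate-payload-certificate>true</validate-payload-certificate>
    <payload-repository-location>/home/repo/</payload-repository-location>
    <download-request-retries>10</download-request-retries>
    <download-request-timeout>180000</download-request-timeout>
    <downloader-parallel-threads>10</downloader-parallel-threads>
  </config>
  <subscription>
    <errata-type-filter>
      <os>RHES5</os>
      <arch>x86</arch>
      <channel-label>rhel-i386-server-5</channel-label>
      <errata-severity>
        <critical>true</critical><high>true</high>
        <moderate>true</moderate><low>true</low>
      </errata-severity>
      <errata-type>
        <security>true</security><bugfix>false</bugfix>
        <enhancement>false</enhancement>
      </errata-type>
    </errata-type-filter>
    <errata-type-filter>
      <os>RHES7</os>
      <arch>x86_64</arch>
      <channel-label>rhel-x86_64-server-7</channel-label>
    </errata-type-filter>
    <update-level-filter>
      <os>RHES6</os>
      <arch>x86_64</arch>
      <channel-label>rhel-x86_64-server-6</channel-label>
      <update-level>5</update-level>
    </update-level-filter>
  </subscription>
</redhat-downloader-config>
"""

FILTER_TAGS = ("errata-type-filter", "channel-type-filter",
               "errata-ids-filter", "update-level-filter")
PATH_TAGS = ("temporary-location", "payload-repository-location")
INT_TAGS = ("download-request-retries", "download-request-timeout",
            "downloader-parallel-threads")


def list_filters(xml_text):
    """Return (filter-type, os, arch, channel-label) per filter, in file order.

    Compare this list, entry by entry, with the filters you add on the
    Red Hat Linux Catalog panel: the console filters must match the file.
    """
    root = ET.fromstring(xml_text)
    return [(f.tag, f.findtext("os", ""), f.findtext("arch", ""),
             f.findtext("channel-label", ""))
            for f in root.find("subscription") if f.tag in FILTER_TAGS]


def check_config(xml_text):
    """Return a list of problems found; an empty list means the file passed."""
    root = ET.fromstring(xml_text)
    cfg = root.find("config")
    problems = []
    for tag in PATH_TAGS:
        value = cfg.findtext(tag, "").strip()
        if not PurePosixPath(value).is_absolute():
            problems.append(f"{tag}: must be an absolute path, got {value!r}")
    if cfg.findtext("validate-payload-certificate", "").strip().lower() != "true":
        problems.append("validate-payload-certificate: not set to true")
    for tag in INT_TAGS:
        if not cfg.findtext(tag, "").strip().isdigit():
            problems.append(f"{tag}: must be a non-negative integer")
    for ftype, os_name, arch, label in list_filters(xml_text):
        if not (os_name and arch and label):
            problems.append(f"{ftype}: os, arch and channel-label are all required")
        if os_name.upper() == "RHES7" and ftype == "errata-type-filter":
            problems.append(f"{label}: RHEL 7 cannot use errata-type-filter, "
                            "use channel-type-filter")
        if os_name.upper() == "RHES7" and ftype == "update-level-filter":
            problems.append(f"{label}: update-level-filter is not applicable to RHEL 7")
    return problems


if __name__ == "__main__":
    for entry in list_filters(SAMPLE_CONFIG):
        print("filter:", *entry)
    for problem in check_config(SAMPLE_CONFIG):
        print("PROBLEM:", problem)
```

To check your own file, read it with open(path).read() and pass the text to check_config; the filter list printed by list_filters is the one to reproduce in the console wizard.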


Step 2: How to create a Red Hat Linux patch catalog



Navigate to the Linux offline downloader utility located in the installer package at the following location:

<installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-8.7.00

Replace <installer-path> with the path to the extracted installer package on the Linux payload machine.

From BMC Server Automation 8.9.02, the Windows offline downloader utility is not supported. Only the Linux offline downloader utility is supported.
Run the offline downloader utility and pass the location of the configuration file as a parameter:

sh windows_downloader.sh -configFile <downloaderConfigurationFilePath>

Replace <downloaderConfigurationFilePath> with the location of the configuration file used by the Patch Downloader. For BMC Server Automation 8.9.02 and later, the Linux utility is redhat_downloader.sh (the same script used above to encode the proxy password and to list channels).

The RHEL patch payload is downloaded to the payload repository location that you defined while creating the configuration file.

(Optional) Transfer the metadata and payload, using removable storage, to the patch repository server within your air-gapped environment. Before the catalog update job runs, confirm that the copied tree is complete and unmodified; Red Hat RPMs are GPG-signed, so rpm -K on the transferred packages verifies their origin once the Red Hat signing key is imported on that server. In this walkthrough, however, we use the same Linux server to host the repository location.
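The following is an added example, not a BMC Server Automation tool and not from the original page: a small manifest generator and verifier for the copied repository tree. Run build_manifest on the internet-connected machine before copying to the media, copy the resulting SHA256SUMS file with the tree, and run verify_manifest on the air-gapped server before pointing the catalog at the directory. The directory layout and file contents it creates for its demo are constructed stand-ins, not real RPMs or repodata.

```python
"""Integrity manifest for the payload repository that is carried across the air gap.

Hypothetical helper, not a BMC Server Automation tool: build a SHA-256 manifest on
the internet-connected machine before copying the repository to removable media,
and verify it on the air-gapped repository server before the catalog update job
reads the files.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "SHA256SUMS"   # written in the same line layout as sha256sum output


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large RPMs are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def repo_files(repo):
    """Every regular file below repo except the manifest, as sorted POSIX relative paths."""
    return sorted(p.relative_to(repo).as_posix()
                  for p in repo.rglob("*")
                  if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(repo_dir):
    """Hash the repository tree and write SHA256SUMS; returns {relpath: hexdigest}."""
    repo = Path(repo_dir)
    entries = {rel: sha256_of(repo / rel) for rel in repo_files(repo)}
    with open(repo / MANIFEST_NAME, "w") as fh:
        for rel, digest in entries.items():
            fh.write(f"{digest}  {rel}\n")
    return entries


def verify_manifest(repo_dir):
    """Re-hash the tree and compare it with SHA256SUMS.

    Returns {relpath: "missing" | "modified" | "unlisted"}; an empty dict means
    every listed file is present and intact and nothing was added to the tree.
    """
    repo = Path(repo_dir)
    expected = {}
    with open(repo / MANIFEST_NAME) as fh:
        for line in fh:
            digest, _, rel = line.rstrip("\n").partition("  ")
            expected[rel] = digest
    problems = {}
    for rel, digest in expected.items():
        path = repo / rel
        if not path.is_file():
            problems[rel] = "missing"
        elif sha256_of(path) != digest:
            problems[rel] = "modified"
    for rel in repo_files(repo):
        if rel not in expected:
            problems[rel] = "unlisted"
    return problems


def make_sample_repo():
    """Throw-away directory shaped like a tiny payload repository.

    The contents are constructed stand-ins, not real RPMs or repodata.
    """
    base = Path(tempfile.mkdtemp(prefix="payload-"))
    (base / "Packages").mkdir()
    (base / "repodata").mkdir()
    (base / "Packages" / "example-a-1.0-1.el7.x86_64.rpm").write_bytes(b"constructed payload A")
    (base / "Packages" / "example-b-1.0-1.el7.x86_64.rpm").write_bytes(b"constructed payload B")
    (base / "repodata" / "repomd.xml").write_text("<repomd/>\n")
    return str(base)


if __name__ == "__main__":
    repo = make_sample_repo()
    build_manifest(repo)                          # internet-connected side
    print("clean copy:", verify_manifest(repo))   # air-gapped side: {}
    with open(Path(repo) / "Packages" / "example-a-1.0-1.el7.x86_64.rpm", "ab") as fh:
        fh.write(b"tampered in transit")          # simulate corruption or tampering
    print("after tampering:", verify_manifest(repo))
```

The manifest travels with the files, so anyone who can alter the media can regenerate it too; record the manifest's own SHA-256 (or sign it) on the connected side and compare that value out of band. What this catches reliably is transfer corruption and accidental partial copies. The GPG signature carried by every Red Hat RPM, checked with rpm -K on the air-gapped side, remains the authoritative test of package authenticity.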

Perform the following:
      1. In the console Folders view, expand the Depot folder.
      2. Navigate to an existing folder or create a new folder for the patch catalog. This walkthrough uses a folder named Patch Catalog.
      3. Right-click the folder in which you want to store the new catalog and select New > Patch Catalog > Red Hat Linux Patch Catalog.

The New Patch Catalog wizard opens. On the General panel perform the following:

      1. In the Name field, provide a name for the new catalog.
      2. In the Description field, optionally, provide a description of the new catalog.
      3. In the Save in field, verify that the displayed path name is the folder in which you want to save the catalog. If necessary, you can browse to another location.
      4. Click Next.



On the Red Hat Linux Catalog panel, select Source From Disk Repository (Offline Mode).



In the Repository Options section, provide information in the following required fields:

      1. Payload Source Location: Browse to the location where the metadata and payload files are stored. It must be on a server that has an RSCD agent installed.
      2. Repository Location: Browse to an appropriate location to serve as a patch repository. BMC Server Automation processes the payload and metadata files from the payload source location and populates the repository location with the Red Hat patches that are used by the catalog.

Note: The payload source location and the repository location can be the same.

Define the types of patches that you want to include in the catalog by selecting the same filters you entered in the configuration file in Step 1.

      1. In the Filters section, click Add. The filter panel appears.
      2. Select the channel from the list provided. The operating system (OS) and architecture are supplied automatically in read-only boxes.
      3. If you want to filter by update level, click Enable Update Level and select the Update Level from the list provided.
      4. Click OK.
      5. Repeat for each filter in the configuration file. A completed Red Hat Linux Catalog panel for Offline mode lists every filter you added; this walkthrough uses two.
      6. Click Next.


The Default Notifications panel appears.

      1. Define the type of notifications and under which circumstances (status of the Catalog update job) the notifications are sent.
        Note: If you set up notifications for a particular scheduled job, the default notifications set here will be overridden.
      2. Click Next.

The Schedules panel allows you to schedule a job to execute immediately, schedule a job at a specific time in the future, schedule a job on a recurring basis, and define notifications that are issued when a job runs.

Select the Execute job now option in the top-left corner of the Schedules panel to execute the catalog update job immediately after the wizard exits.

  If you want to schedule the catalog update job for a future time instead:
      1. Click Add. The Add New Schedule dialog box appears.
      2. Because we want the Patch Catalog Job to execute once at a particular time in future, we will select the Once option in the Occurrence panel. To select a recurring schedule you can select the appropriate option.
      3. Select the time and date that you want the job to execute.
      4. Select the appropriate time zone you want to follow.
      5. Define a priority for the job execution.
      6. Click the Scheduled Job Notifications tab.
      7. Define the type of notification that the scheduled job should send and under which circumstances (status of the catalog update job) the notifications are sent. This will override the settings defined in the Default Notifications panel.
      8. Click OK.
      9. Continue adding more schedules based on your requirement.

Click Next.


The Properties panel provides a list of properties automatically assigned to a Catalog Job. For any property that has a check in the Editable column, select the property and click in the Value column.

Click Next.


The Permissions list is an access control list (ACL) granting roles access to any objects created in the system, such as jobs, servers, or depot objects. ACLs control access to all objects, including the sharing of objects between roles.

Using the Permissions panel, you can add individual permissions to an object. You can also set permissions by adding ACL templates or ACL policies. For more information, see Patch catalog - Permissions.

Click Finish.



Wrapping it up

Congratulations. You have downloaded the Red Hat patch payload and metadata on a Linux machine. You have also set up a job that creates a patch catalog for RHEL and runs at a specific time in the future.

Where to go from here

Now that you have a serviceable patch catalog it is time to use it to measure your RHEL servers for patch compliance. See Walkthrough: Basic Red Hat Linux patch analysis.
