Walkthrough: Setting up and managing an offline patch catalog for Linux


This topic is intended for system administrators or patch administrators in charge of performing patching for Linux servers in an environment that does not have access to the internet.

Introduction

This topic is intended for system and patch administrators. The goal of this topic is to demonstrate how to organize patch information by setting up a central location for storing metadata about a type of patch. TrueSight Server Automation calls these locations patch catalogs. By creating patch catalogs customized to your needs, it becomes easier to select the patches you want to evaluate on servers.

What is a patch catalog?

A patch catalog provides a place to store metadata about patches and the patch payloads themselves. Patch catalogs can be designed for specific needs. For example, a patch catalog can be used for a particular operating system, such as Red Hat Enterprise Linux (RHEL). With well-designed patch catalogs, it is easier to select the patches that should be used when evaluating the patch configuration of a particular server.

What does this walkthrough show?

This walkthrough shows how to download RHEL patches from the Red Hat website to any server having internet access, using the offline downloader utility shipped with TrueSight Server Automation. After downloading the RHEL patches, you can perform patching operations by transferring the metadata and payload information, using a removable storage, to the patch repository within the air-gapped environment.

  • Download the payload and metadata information from Red Hat website to any server having internet access. In this walkthrough, we will download the patch payload and metadata to a Linux server.
  • Use filters to limit the amount of information added to the catalog.
  • Schedule the catalog update job to run at a particular time in future and set up notifications for the patch administrator in charge of Linux patching.

    From TrueSight Server Automation 8.9.02 onward, certificates are mandatory for creating a RHEL patch catalog, because all catalogs now use the CDN.
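The walkthrough carries the downloaded metadata and payload into the air-gapped environment on removable storage, so the repository on the inside should only accept what actually left the download host. The following added example (not part of the BMC walkthrough or of the TrueSight downloader) records a SHA-256 manifest of the payload directory on the download host and re-checks it on the air-gapped side before the files are imported. The manifest file name, the directory layout and the file contents are constructed for the demonstration.

```python
"""Integrity manifest for a downloaded patch payload directory.

Added example, not part of the BMC walkthrough or of the TrueSight downloader.
Run write_manifest() against the payload-repository-location on the download
host, carry the manifest with the payload, and run verify_payload() inside the
air-gapped environment before importing the files into the patch repository.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "PAYLOAD-SHA256SUMS"  # assumed file name, not a TrueSight artifact


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so multi-GB ISOs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name != MANIFEST_NAME:
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def write_manifest(root: Path) -> Path:
    """Write the manifest in the familiar 'digest  path' layout used by sha256sum."""
    out = root / MANIFEST_NAME
    lines = [f"{digest}  {rel}" for rel, digest in build_manifest(root).items()]
    out.write_text("\n".join(lines) + "\n")
    return out


def read_manifest(path: Path) -> dict[str, str]:
    manifest = {}
    for line in path.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def verify_payload(root: Path) -> dict[str, list[str]]:
    """Compare the payload tree with its manifest.

    Reports modified files, files listed but absent, and files present on the
    media but never listed: an extra RPM is as much a finding as a changed one.
    """
    expected = read_manifest(root / MANIFEST_NAME)
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "unexpected": sorted(p for p in actual if p not in expected),
    }


def demo() -> tuple[dict, dict]:
    """Constructed payload tree: a clean verification, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        pkgs = root / "rhel-7-server-rpms" / "Packages"
        repodata = root / "rhel-7-server-rpms" / "repodata"
        pkgs.mkdir(parents=True)
        repodata.mkdir()
        (pkgs / "a.rpm").write_bytes(b"constructed rpm payload a")
        (repodata / "repomd.xml").write_bytes(b"<repomd/>")  # createrepo output stand-in
        write_manifest(root)
        clean = verify_payload(root)
        # Simulate alteration of the media after the manifest was written.
        (pkgs / "a.rpm").write_bytes(b"constructed rpm payload a, altered")
        (pkgs / "b.rpm").write_bytes(b"constructed rpm payload b")
        (repodata / "repomd.xml").unlink()
        tampered = verify_payload(root)
    return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean:", clean_result)
    print("tampered:", tampered_result)
```

The manifest only proves that the tree on the inside matches the tree that was hashed on the outside; it detects corruption and alteration of the media, not a compromised download host. Keep the manifest out of band from the payload (a separate medium, or a digest of the manifest read out over the phone) or sign it, so that whoever can alter the payload cannot simply regenerate the manifest to match.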

What do I need to do before I get started?

For this walkthrough, you must have the following:

  • An air-gapped environment that uses TrueSight Server Automation 8.6 or later to manage its Red Hat servers.
  • Any server with access to the internet. In this walkthrough we will be using a Linux server to download the patch payload from the Red Hat website.
  • From the BMC Software Electronic Product Distribution (EPD) website, download and extract the installer package (BSA<version>-<platform>64) to the Linux machine on which you want to download the payload and metadata. For steps on downloading installer package files from the EPD website, see Downloading-the-installation-files.
  • After extracting the BSA<version>-<platform>64 installer package that you have downloaded from the EPD, navigate to either of the following directories:


Note

In this walkthrough we will use the offline downloader utilities in the first directory path as we are downloading the patch payload on a Linux server.

  • Ensure that TrueSight Server Automation supports the operating system running on the server on which you plan to store the Red Hat patch repository.


  • The server that houses the patch repository must have the createrepo and python-urlgrabber packages installed before the download begins.

    Note

    You do not require createrepo and python-urlgrabber if you are using a Microsoft Windows server to run the Patch Downloader utility.

    In TrueSight Server Automation 8.9.02, you cannot download the patches by using a Microsoft Windows server.

  • Ensure that your Linux machine has the glibc.i686 or glibc.i386 library installed. Alternatively, you can ensure that the JRE version is upgraded to 1.8 or later.

Step 1: How to add configuration settings and filter information to the sample XML file

The first step is to prepare the configuration file, which contains the XML settings used by the Patch Downloader utility. The configuration file must contain the download settings and the patch filter information, as shown in the image below. You can also enter proxy server information if you are using a proxy.

[Image: redhat config.PNG]

TrueSight Server Automation provides sample configuration files in the installer package at <installer-path>/Disk1/files/installers/other_files/All-OS-Patch-Downloaders-linux-build-8.7.00/sample-downloader-config-files/. Edit the sample XML configuration file (sample-redhat-downloader-config.xml) provided by BMC, and add the following XML tags based on your requirements:

(Optional) Add proxy server information using the <proxy-settings> XML tags; the sample configuration file at the end of this step shows these tags commented out.

  1. Define download settings using the following XML tags:

    Example of download settings in configuration file
    <temporary-location>/tmp</temporary-location>
    <validate-payload-certificate>true</validate-payload-certificate>
    <payload-repository-location>/home/Payload_location</payload-repository-location>
    <download-request-retries>10</download-request-retries>
    <download-request-timeout>180000</download-request-timeout>
    <downloader-parallel-threads>10</downloader-parallel-threads>
    • If you are downloading RPMs from the CDN (reposync), you must add tags that specify the location of the Red Hat certificates required for downloading the RPMs.

    The syntax for the tags is as follows:

    <redhat-cert cert-arch="<arch>">
       <caCert></caCert>
       <clientCert></clientCert>
       <clientKey></clientKey>
    </redhat-cert>

    Tag                                 Description

    <redhat-cert cert-arch="<arch>">    The variable <arch> can be x86, x86_64, s390x, or ppc64.
    </redhat-cert>

    The following table lists the OS version and architecture combinations of patches that are supported by the CDN (reposync) Red Hat network.

    RHEL version    Supported processor architectures                      Support for child channels
    RHEL 6 and 7    x86_64, x86, s390x zSeries, ppc64 pSeries, ppc64le     Yes
    RHEL 5          x86_64, x86, s390x zSeries                             Yes
    RHEL 4          x86_64, x86                                            No

    <caCert> </caCert>                  Holds the location of the CA certificate file (redhat-uep.pem) that is copied from the /etc/rhsm/ca/ directory of the RHEL 7 server; see Obtain the required certificates.

    <clientCert> </clientCert>          Holds the location of the subscription certificate file (client-cert.pem) that is downloaded from the Red Hat subscription management service; see Obtain the required certificates.

    <clientKey> </clientKey>            Holds the location of the system ID file (client-key.pem) that is downloaded from the Red Hat subscription management service; see Obtain the required certificates.

    Example of tags
    <redhat-cert cert-arch="x86_64">
      <caCert>/home/certs/rh-sslcacert.pem</caCert>
      <clientCert>/home/certs/rh-sslclientcert.pem</clientCert>
      <clientKey>/home/certs/rh-sslclientkey.pem</clientKey>
    </redhat-cert>
  2. Specify filters to limit the patches downloaded in the catalog. The same filters entered here must also be entered during catalog creation in the console.
    • For example, to create a filter that downloads the latest RPMs by errata type, use the following XML tags:

      Note

      If you want to add child channels for errata filters, use the same tags and add the child channel details in the <os></os>, <arch></arch>, <channel-label></channel-label>, and <channel-url></channel-url> parameters.

      <errata-type-filter>
        <os>RHES7</os>
        <arch>x86_64</arch>
        <channel-label>rhel-7-server-rpms</channel-label>
        <channel-url>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os</channel-url>
        <errata-severity>
          <critical>true</critical>
          <important>true</important>
          <moderate>true</moderate>
          <low>true</low>
        </errata-severity>
        <errata-type>
          <security>true</security>
          <bugfix>true</bugfix>
          <enhancement>true</enhancement>
        </errata-type>
      </errata-type-filter>
    • To create a filter that downloads specific errata by errata ID, use the following syntax. This filter should be used only if the downloader is executed on a Linux machine.

      <errata-ids-filter>
        <os>RHAS4</os>
        <arch>x86</arch>
        <channel-label>rhel-i386-as-4</channel-label>
        <channel-url>https://cdn.redhat.com/content/dist/rhel/as/4/4AS/i386/os</channel-url>
        <errata-ids>
          <errata-id>RHSA-2009:0429</errata-id>
          <errata-id>RHSA-2009:0430</errata-id>
          <errata-id>RHEA-2009:0422</errata-id>
          <errata-id>RHBA-2009:0407</errata-id>
          <errata-id>RHSA-2009:0397</errata-id>
          <errata-id>RHBA-2009:0388</errata-id>
        </errata-ids>
      </errata-ids-filter>

      Parameter                          Description
      <os> </os>                         OS for the channel label
      <arch> </arch>                     Architecture for the channel label
      <channel-label> </channel-label>   Channel label that you want to download
      <errata-id> </errata-id>           A valid errata ID for the channel label specified in the filter

    • To create a filter that downloads a specific update level, use the following syntax:

      <update-level-filter>
        <os>RHES7</os>
        <arch>x86_64</arch>
        <channel-label>rhel-7-server-rpms</channel-label>
        <iso-url>https://cdn.redhat.com/content/dist/rhel/server/7/7.1/x86_64/iso/rhel-server-7.1-x86_64-dvd.iso</iso-url>
        <update-level>1</update-level>
      </update-level-filter>

      Parameter                          Description
      <os> </os>                         Operating system for the channel label
      <arch> </arch>                     Architecture for the channel label
      <channel-label> </channel-label>   Channel label you want to download
      <update-level> </update-level>     A valid update level for the channel label specified in the filter. Note: The update-level filter works only on Linux computers; it does not work on Windows computers.
      <iso-url> </iso-url>               New in 8.9.02: <iso-url> is optional for <update-level-filter>.

  3. Save the configuration file. Use the sample configuration file below as a reference:

    <redhat-downloader-config>
       <config>
           <!--<proxy-settings>
                   <port>8080</port>
                   <host>127.0.0.1</host>
                   <username>user</username>
                   <password></password>
                   <domain-name></domain-name>
                   <proxy-type>ntlm-v2</proxy-type>
                   <protocol>http</protocol>
           </proxy-settings>-->
           <temporary-location>/tmp</temporary-location>
           <payload-repository-location>/home/repo/</payload-repository-location>
           <!-- The default value for download-request-retries will be 10 if no value is specified -->
           <download-request-retries>10</download-request-retries>
           <download-request-timeout>180000</download-request-timeout>
           <downloader-parallel-threads>10</downloader-parallel-threads>
       </config>

       <subscription>
       
           <redhat-cert cert-arch="x86_64">
               <caCert>/home/certs/rh-sslcacert.pem</caCert>
               <clientCert>/home/certs/rh-sslclientcert.pem</clientCert>
               <clientKey>/home/certs/rh-sslclientkey.pem</clientKey>
           </redhat-cert>
           
           <errata-ids-filter>
               <os>RHAS4</os>
               <arch>x86</arch>
               <channel-label>rhel-i386-as-4</channel-label>
               <channel-url>https://cdn.redhat.com/content/dist/rhel/as/4/4AS/i386/os</channel-url>
               <errata-ids>
                   <errata-id>RHSA-2009:0429</errata-id>
                   <errata-id>RHSA-2009:0430</errata-id>
                   <errata-id>RHEA-2009:0422</errata-id>
                   <errata-id>RHBA-2009:0407</errata-id>
                   <errata-id>RHSA-2009:0397</errata-id>
                   <errata-id>RHBA-2009:0388</errata-id>
               </errata-ids>
           </errata-ids-filter>
           
           <errata-type-filter>
               <os>RHES7</os>
               <arch>x86_64</arch>
               <channel-label>rhel-7-server-rpms</channel-label>
               <channel-url>https://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os</channel-url>
               <errata-severity>
                   <critical>true</critical>
                   <important>true</important>
                   <moderate>true</moderate>
                   <low>true</low>
               </errata-severity>
               <errata-type>
                   <security>true</security>
                   <bugfix>true</bugfix>
                   <enhancement>true</enhancement>
               </errata-type>
           </errata-type-filter>
           
           <update-level-filter>
               <os>RHES7</os>
               <arch>x86_64</arch>
               <channel-label>rhel-7-server-rpms</channel-label>
               <iso-url>https://cdn.redhat.com/content/dist/rhel/server/7/7.1/x86_64/iso/rhel-server-7.1-x86_64-dvd.iso</iso-url>
               <update-level>1</update-level>
           </update-level-filter>

       </subscription>
    </redhat-downloader-config>
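Before the downloader is run, it is worth checking the finished configuration file against the settings this step describes: the sample above, for instance, omits <validate-payload-certificate>, and a channel URL that is not https would fetch payload over an unauthenticated channel. The following added example (not part of the BMC walkthrough or of the TrueSight downloader, and not the utility's own validation) parses a redhat-downloader-config file with the Python standard library and reports such findings. Its rules are assumptions drawn from the tags documented on this page; the sample input is the page's configuration trimmed and given two deliberate weaknesses.

```python
"""Pre-flight lint for a redhat-downloader-config XML file.

Added example; not part of the BMC walkthrough or of the TrueSight downloader.
The rules below are assumptions drawn from the tags documented on the page.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

KNOWN_CERT_ARCHES = {"x86", "x86_64", "s390x", "ppc64"}  # cert-arch values the page lists
FILTER_TAGS = ("errata-type-filter", "errata-ids-filter", "update-level-filter")
REQUIRED_FILTER_CHILDREN = ("os", "arch", "channel-label")  # re-entered in the console


def lint_config(xml_text: str, check_files: bool = False) -> list:
    """Return a list of findings; an empty list means the file passed every rule."""
    findings = []
    root = ET.fromstring(xml_text)
    config = root.find("config")
    if config is None:
        return ["missing <config> section"]

    # Rule 1: payload certificate validation must be switched on explicitly.
    vpc = config.findtext("validate-payload-certificate")
    if vpc is None:
        findings.append("validate-payload-certificate not set; add "
                        "<validate-payload-certificate>true</validate-payload-certificate>")
    elif vpc.strip().lower() != "true":
        findings.append(f"validate-payload-certificate is {vpc.strip()!r}; set it to true")

    # Rule 2: a proxy password in the file is a clear-text credential on disk.
    proxy = config.find("proxy-settings")
    if proxy is not None and (proxy.findtext("password") or "").strip():
        findings.append("proxy-settings/password is stored in clear text")

    # Rule 3: every channel-url / iso-url must be https.
    for el in root.iter():
        if el.tag in ("channel-url", "iso-url"):
            url = (el.text or "").strip()
            if not url.lower().startswith("https://"):
                findings.append(f"{el.tag} is not https: {url!r}")

    # Rule 4: each redhat-cert block names a known arch and all three files.
    for cert in root.iter("redhat-cert"):
        arch = cert.get("cert-arch", "")
        if arch not in KNOWN_CERT_ARCHES:
            findings.append(f"redhat-cert cert-arch {arch!r} is not one of {sorted(KNOWN_CERT_ARCHES)}")
        for child in ("caCert", "clientCert", "clientKey"):
            value = (cert.findtext(child) or "").strip()
            if not value:
                findings.append(f"redhat-cert[{arch}]/{child} is empty")
            elif check_files and not Path(value).is_file():
                findings.append(f"redhat-cert[{arch}]/{child} points to a missing file: {value}")

    # Rule 5: every filter carries the os/arch/channel-label the console needs again.
    for tag in FILTER_TAGS:
        for flt in root.iter(tag):
            for child in REQUIRED_FILTER_CHILDREN:
                if not (flt.findtext(child) or "").strip():
                    findings.append(f"{tag} is missing <{child}>")
    return findings


# Constructed input: the page's sample trimmed, with two deliberate weaknesses
# (validate-payload-certificate omitted, one channel-url downgraded to http).
SAMPLE_CONFIG = """\
<redhat-downloader-config>
  <config>
    <temporary-location>/tmp</temporary-location>
    <payload-repository-location>/home/repo/</payload-repository-location>
    <download-request-retries>10</download-request-retries>
    <download-request-timeout>180000</download-request-timeout>
    <downloader-parallel-threads>10</downloader-parallel-threads>
  </config>
  <subscription>
    <redhat-cert cert-arch="x86_64">
      <caCert>/home/certs/rh-sslcacert.pem</caCert>
      <clientCert>/home/certs/rh-sslclientcert.pem</clientCert>
      <clientKey>/home/certs/rh-sslclientkey.pem</clientKey>
    </redhat-cert>
    <errata-type-filter>
      <os>RHES7</os>
      <arch>x86_64</arch>
      <channel-label>rhel-7-server-rpms</channel-label>
      <channel-url>http://cdn.redhat.com/content/dist/rhel/server/7/7Server/x86_64/os</channel-url>
      <errata-severity><critical>true</critical><important>true</important></errata-severity>
      <errata-type><security>true</security></errata-type>
    </errata-type-filter>
    <update-level-filter>
      <os>RHES7</os>
      <arch>x86_64</arch>
      <channel-label>rhel-7-server-rpms</channel-label>
      <update-level>1</update-level>
    </update-level-filter>
  </subscription>
</redhat-downloader-config>
"""

# The same file with both weaknesses corrected.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("http://cdn.", "https://cdn.").replace(
    "<temporary-location>",
    "<validate-payload-certificate>true</validate-payload-certificate>\n    <temporary-location>")

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, lint_config(text) or ["OK"])
```

Run it with check_files=True on the download host itself, so that the three certificate paths in <redhat-cert> are confirmed to exist before the downloader is started; the proxy rule is there because the page's sample keeps <proxy-settings> in the same file as the certificate paths, and a file that must be world-readable by the downloader is a poor place for a password.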

Step 2: How to create a Red Hat Linux patch catalog




Wrapping it up

Congratulations. You have downloaded the Red Hat patch payload and metadata on a Linux machine. You have also set up a job that creates a patch catalog for RHEL and runs at a specific time in the future.

Where to go from here

Now that you have a serviceable patch catalog, it is time to use it to measure your RHEL servers for patch compliance. See Walkthrough-Basic-Red-Hat-Linux-patch-analysis.
