RH AS 3.0 Patching Best-Practices

Dary — Mon, 06 Nov 2006 14:49:34 GMT

Hi All,

I have seven DL380 with RH AS 3.0, never been patched, I need to install any critical dsec patches. what is the Best-Practice to patced all my servers from the Command-Line(CLI). I have no GUI. Do you have any doc you can share with me? Again I am looking for the Command.

When I ran up2date --download; it is asking for the patchage names ???? is there any otherways to download all RPMS and save them all without providing the package names?

Thanks for you help.

Re: RH AS 3.0 Patching Best-Practices

Ivan Ferreira — Mon, 06 Nov 2006 15:21:18 GMT

Here you got good information about up2date.

http://www.redhat.com/advice/tips/up2date.html

http://kb.swsoft.com/article_17_234_en.html

Re: RH AS 3.0 Patching Best-Practices

Dary — Mon, 06 Nov 2006 16:03:52 GMT

Thanks for your e-mail, but When I ran up2date --download; it is asking for the patchage names ????
Is there any otherways to download all RPMS and save them all without providing the package names?

Re: RH AS 3.0 Patching Best-Practices

Steven E. Protter — Mon, 06 Nov 2006 17:14:40 GMT

Shalom,

You should just be able to click a radio button for all patches.

Just run up2date without options.

Best practice is to have all servers licensed and patch them individually. That being a pain I maintain a server with all packages installed and retain patches off that and use them with rpm -Fvh to patch other systems so nothing new gets added.

There is also a product called Satellite server that lets you have a single install point.

SEP

Re: RH AS 3.0 Patching Best-Practices

Dary — Mon, 06 Nov 2006 17:49:45 GMT

Steven,

I have No GUI interface, so I am running up2date from Command Line, in that case you don't have an option to select/choose radio.

Re: RH AS 3.0 Patching Best-Practices

Robert Walker_8 — Mon, 06 Nov 2006 21:01:20 GMT

Gday Dary,

Modify /etc/sysconfig/rhn/up2date (make a copy of the original first) with the following:

useNoSSLForPackages[comment]=Use the noSSLServerURL for package, package list, and header fetching
useNoSSLForPackages=1
storageDir[comment]=Where to store packages and other data when they are retrieved
storageDir=/var/spool/up2date
pkgSkipList[comment]=A list of package names, optionally including wildcards, to skip
pkgSkipList=;
retrieveOnly[comment]=Retrieve packages only
retrieveOnly=1
noSSLServerURL[comment]=Remote server URL without SSL
noSSLServerURL=http://xmlrpc.rhn.redhat.com/XMLRPC
networkSetup[comment]=None
networkSetup=1
networkRetries[comment]=Number of attempts to make at network connections before giving up
networkRetries=5
pkgsToInstallNotUpdate[comment]=A list of provides names or package names of packages to install not update
pkgsToInstallNotUpdate=kernel;kernel-modules;
noBootLoader[comment]=To disable modification of the boot loader (lilo, silo, etc)
noBootLoader=0
updateUp2date[comment]=Allow up2date to update itself when possible
updateUp2date=1
keepAfterInstall[comment]=Keep packages on disk after installation
keepAfterInstall=1
useGPG[comment]=Use GPG to verify package integrity
useGPG=1
showAvailablePackages[comment]=None
showAvailablePackages=1
headerCacheSize[comment]=The maximum number of rpm headers to cache in ram
headerCacheSize=40
forceInstall[comment]=Force package installation, ignoring package, file and config file skip list
forceInstall=0
systemIdPath[comment]=Location of system id
systemIdPath=/etc/sysconfig/rhn/systemid
retrieveSource[comment]=Retrieve source RPM along with binary package
retrieveSource=0
enableRollbacks[comment]=Determine if up2date should create rollback rpms
enableRollbacks=1
gpgKeyRing[comment]=The location of the gpg keyring to use for package checking
gpgKeyRing=/etc/sysconfig/rhn/up2date-keyring.gpg
adminAddress[comment]=List of e-mail addresses for update agent to communicate with when run in batch mode
adminAddress=rootlocalhost;
serverURL[comment]=Remote server URL
serverURL=http://xmlrpc.rhn.redhat.com/XMLRPC
fileSkipList[comment]=A list of file names, optionally including wildcards, to skip
fileSkipList=;
versionOverride[comment]=Override the automatically determined system version
versionOverride=
sslCACert[comment]=The CA cert used to verify the ssl server
sslCACert=/usr/share/rhn/RHNS-CA-CERT
noReplaceConfig[comment]=When selected, no packages that would change configuration data are automatically installed
noReplaceConfig=0
enableProxyAuth[comment]=To use an authenticated proxy or not
enableProxyAuth=1
disallowConfChanges[comment]=Config options that can not be overwritten by a config update actionx
disallowConfChanges=noReboot;sslCACert;useNoSSLForPackages;noSSLServerURL;serverURL;disallowConfChanges;
headerFetchCount[comment]=The maximimum number of rpm headers to fetch at once
headerFetchCount=10
removeSkipList[comment]=A list of package names, optionally including wildcards that up2date will not remove
removeSkipList=kernel*;
debug[comment]=Whether or not debugging is enabled
debug=0
noReboot[comment]=Disable the reboot actions
noReboot=1
#
proxyUser[comment]=The username for an authenticated proxy
proxyUser=
enableProxy[comment]=Use a HTTP Proxy
enableProxy=1
proxyPassword[comment]=The password to use for an authenticated proxy
proxyPassword=
httpProxy[comment]=HTTP proxy in host:port format, e.g. squid.redhat.com:3128
httpProxy=proxy.server.com:8080

If your site has a proxy server you will likely need to setup it a username/password may be required. We switched off the SSL version and download via RHN.

With this in place you should just do an up2date --config to update entries via a menu or just edit the text file.

You will then need to register to rhn. Ensure before all this that you have a RHN account and subscriptions are loaded into the system for that account.

You will also need to import your rpm-gpg-key this is done via rpm --import /usr/share/rhn/RPM-GPG-KEY

And then you can register to RHN via up2date -u --nox

This will put up a text screen menu system where you enter your RHN account name, email address, and profile name etc, you can also amend you packages however we work with what the server has installed and go with the defaults. It then saves your profile onto the Redhat Network.

One thing though ensure auto errata update is set to yes (on rhn.network.com) as this ensures all servers download packages automatically to /var/spool/up2date - you can if your game get the up2date config to auto install however we disable this and do it manually.

A hint we often test systems by using evaluation licenses, especially if we are awaiting on license keys from Redhat. So we have to rhn accounts a prod and eval one to not confuse us with all the profiles etc.

One can reregister the server again if you remove the existing profile id from RHN and the other way is to delete /etc/sysconfig/rhn/systemid as this is the link to the profile not the profile/server name if you happen to rename servers etc. If you duplicate servers you will also need to recreate up2date-uid as well as the checksum is used too (uuidgen can be used for this purpose it creates a new number which one copies/pastes into the up2date-uid file).

Hope some of this helps.

Robert.

PS: as for keeping track, at the moment I just run a find /var/spool/up2date/*.rpm -perm 644 -ls via cron on a weekly basis. When I update servers I chmod 770 the rpm package for the time being until its time to clean out the /var/spool/up2date directory.

PPS: One can set up a fools proxy server by using up2date -u --nodownload --nox - this only downloads the headers not the rpms and then using a nfs server copy the individual rpms over - this way you could save internet bandwidth if all your servers are the same. One does the downloads the others use the rpms from it while the nodownload option tracks whch patches are needed by the Redhat Network.

Re: RH AS 3.0 Patching Best-Practices

Robert Walker_8 — Mon, 06 Nov 2006 21:06:10 GMT

Dary,

Other usefull stuff to include is the rpm macros:

/etc/rpm/macros
%_transaction_color 3
%_query_all_fmt %%{name}-%%{version}-%%{release}.%%{arch}
%_repackage_all_erasures 1
%_unsafe_rollbacks 1180792800

The usefull one is repackage_all_erasures this allows rollbacks see rpm and query_all_fmt as this provides the architecture stuff in the rpm qa command. Note however some systems dont expect the architecture stuff and could bomb (Oracle might be such a beast) however it saves having to remember the syntax. I found these by googling hope they help.

Robert.

topic Re: RH AS 3.0 Patching Best-Practices in Operating System - Linux

RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices

Re: RH AS 3.0 Patching Best-Practices