This chapter explains how you can patch Linux hosts using Oracle Enterprise Manager Cloud Control (Cloud Control). In particular, this chapter covers the following:
Linux Host Patching is a feature in Cloud Control that keeps the hosts in an enterprise updated with security fixes and critical bug fixes, especially in a data centre or a server farm. This feature in Cloud Control enables you to:
Set up Linux RPM Repository based on Unbreakable Linux Network (ULN) channels
Download Advisories (Erratas) from ULN
Set up a Linux Patching group to update a group of Linux hosts and collect compliance information
Allow non-compliant packages to be patched
Rollback/uninstall packages from a host
Manage RPM repositories and channels (clone channels, copy packages from one channel into another, delete channels)
Add RPMs to custom channels
Manage configuration file channels (create/delete channels, upload files, copy files from one channel into another)
The following are concepts related to Linux patching:
Cloud Control provides the following deployment procedures for Linux patching:
Patch Linux Hosts
This deployment procedure enables you to patch Linux hosts.
Linux RPM Repository server setup
This deployment procedure enables you to set up a Linux RPM repository server. To set up the Linux RPM repository server, see Setting Up the RPM Repository for Patching.
The following releases are supported for Linux patching:
Oracle Linux 5
Oracle Linux 6
Oracle Linux 7
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
This section describes the setup requirements for Linux patching. In particular, this section describes the following:
To use the Linux Patching feature, meet the following prerequisites:
Meet the basic prerequisites described in Setting Up Your Infrastructure.
Install yum on all your Oracle Linux 6 target hosts. Install yum and up2date on all your Oracle Linux 5 target hosts.
Enable the following commands through SUDO:
/bin/cp
/bin/rm
/bin/chmod
/sbin/chkconfig
yum
up2date
sed
rpm
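One way to confirm these grants on a target host, added here as an example and not taken from Oracle's documentation: the functions below read sudo -l output and print the required commands that are not granted. The full paths for yum, up2date, sed and rpm, the function names, and the patchadm account in the constructed sample are assumptions.

```shell
#!/bin/sh
# Added example: audit sudo grants for the Linux patching commands.
# Full paths for yum, up2date, sed and rpm are assumptions; adjust per host.
REQUIRED_CMDS="/bin/cp /bin/rm /bin/chmod /sbin/chkconfig
/usr/bin/yum /usr/sbin/up2date /bin/sed /bin/rpm"

# granted_cmds: reads `sudo -l` output on stdin and prints one granted
# command path (or ALL) per line, dropping Runas specs, tags and arguments.
granted_cmds() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' |
        sed 's/[A-Z_]*:[[:space:]]*//g' |
        tr ',' '\n' |
        awk 'NF {print $1}'
}

# missing_sudo_cmds: reads `sudo -l` output on stdin and prints every
# required command that is not granted. A blanket ALL grant covers all.
missing_sudo_cmds() {
    granted=$(granted_cmds)
    for cmd in $REQUIRED_CMDS; do
        printf '%s\n' "$granted" | grep -Fxq -e ALL -e "$cmd" || echo "$cmd"
    done
}

# has_blanket_grant: succeeds when the listing contains an unrestricted ALL,
# which is broader than the patching feature needs.
has_blanket_grant() {
    granted_cmds | grep -Fxq ALL
}

# Constructed sample listing for a hypothetical account named patchadm.
sample_listing() {
    cat <<'EOF'
User patchadm may run the following commands on h1:
    (root) NOPASSWD: /bin/cp, /bin/rm, /bin/chmod, /sbin/chkconfig
    (root) NOPASSWD: /usr/bin/yum, /bin/rpm
EOF
}

sample_listing | missing_sudo_cmds   # lists /usr/sbin/up2date and /bin/sed
```

On a live host, pipe sudo -l -U followed by the patching account name into missing_sudo_cmds. Because cp, chmod, sed and rpm under sudo can modify any file on the host, treat the credential that holds these grants as root-equivalent.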
This section describes how you can set up the RPM repository. In particular, this section describes the following:
Note:
The RPM repository can be set up in a shared location. This configuration is supported. The same EM repository is shared by using a symlink (symbolic link) in the folder /var/www/html to a shared file system. If the host target goes down, the RPM repository is also unavailable.
The RPM repository can exist on the OMS or on a non-OMS designated host target.
Before setting up the RPM repository, meet the following prerequisites:
Identify a Red Hat or Oracle Linux host, install a Management Agent, and point it to the OMS. This host must have the sudo package installed.
Obtain a valid Customer Support Identifier (CSI) number from your Oracle sales representative.
After obtaining a valid CSI number, ensure that you create a ULN account. To create a ULN account, access the following URL:
Download the up2date packages (Oracle Linux 5 only) from the following URL:
https://linux.oracle.com/switch.html
Upload the downloaded packages to Software Library if the host on which you plan to set up the RPM repository is running on one of the following platforms:
Red Hat Enterprise Linux 5 (i386)
Red Hat Enterprise Linux 5 (x86_64)
Red Hat Enterprise Linux 5 (ia64)
Note:
You do not need to upload the up2date packages to Software Library if the host on which you plan to set up the RPM Repository is running on an Oracle Linux platform.
Follow these steps to upload up2date packages to the Software Library:
Note:
For a multi-OMS setup, the following steps only need to be performed on one OMS.
Compress up2date and up2date-gnome into a zip file, and name it up2date_comp.zip.
Copy the zip file to the <ORACLE_HOME>/sysman/metadata/swlib/patch/stageServerComponents directory present in the Oracle home of the OMS.
Edit the Patch Software Library entities metadata file swlib.xml present in the Oracle home of the OMS to upgrade the ExternalID of the Software Library entity Up2date Package Component.
To do so, follow these steps:
(1) Open the swlib.xml file present at the following location: $ORACLE_HOME/sysman/metadata/swlib/patch/
(2) Search for the tag <Entity name="Install up2date RPM">, which in turn has a subtag ExternalID.
(3) Increase the value of the ExternalID by 0.1.
For example, if the original value of the entity in the software library's ExternalID is 2.0, then update the value by 0.1 to upgrade the ExternalID to 2.1.
Upload the zip file to Software Library by running the following command:
$ emctl register oms metadata -service swlib -file $ORACLE_HOME/sysman/metadata/swlib -core
Ensure that the /var/www/html/ directory on the host on which you plan to set up the RPM repository has at least 60 GB of free disk space per channel.
Ensure that Apache is installed, and listening on port 80. To verify this, you can try connecting to the URL: http://host. For example: http://h1.example.com. If this works, then it is confirmed that Apache is installed and listening on port 80.
Ensure that the createrepo package is installed on the RPM Repository host. To obtain this package, subscribe to the el*_addon or the ol*_addon channel.
Ensure that the yum-arch, uln-yum-proxy (for Oracle Linux 5) or uln-yum-mirror (for Oracle Linux 6 and 7), and yum-utils packages are installed on the RPM Repository host. To obtain the yum-arch and the uln-yum-proxy/uln-yum-mirror packages, subscribe to the add ons channel. To obtain the yum-utils package, subscribe to the latest channel.
If the RPM Repository host is not running on Oracle Linux 6 (OL6), but is subscribed to an OL6 channel whose name is of the format ol6_*, then you must import the OL6 public key manually. To do so, follow these steps:
Download the OL 6 key from:
Store it under the following directory on your host:
/usr/share/rhn
Run the following command:
rpm --import /usr/share/rhn/RPM-GPG-KEY-oracle-ol6
Ensure that the Enterprise Manager user has the EM_LINUX_PATCHING_ADMIN role and the FULL_LINUX_PATCHING_SETUP privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
Ensure that the Oracle GPG keys are installed on the host on which you plan to set up the RPM Repository.
To install the Oracle GPG keys on a host running on the Oracle Linux 5 or Oracle Linux 6 platforms, run the following command:
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
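A preflight script for the repository-host prerequisites above (free space per channel, required packages, imported Oracle signing key), added here as an example and not taken from Oracle's documentation. Function names are hypothetical; the key check is included because the repository is served over HTTP on port 80, so package signatures are the integrity control.

```shell
#!/bin/sh
# Added example: preflight checks for the RPM repository host.
# Function names are hypothetical. Inputs are passed in so the logic can be
# exercised without a live host.

GB_PER_CHANNEL=60   # from the prerequisite: 60 GB free per channel

# free_kb PATH: available space in KB on the filesystem holding PATH.
free_kb() {
    df -Pk "$1" | awk 'NR == 2 {print $4}'
}

# space_ok AVAIL_KB CHANNELS: succeeds when AVAIL_KB covers every channel.
space_ok() {
    need_kb=$(( $2 * GB_PER_CHANNEL * 1024 * 1024 ))
    [ "$1" -ge "$need_kb" ]
}

# missing_repo_pkgs OS_MAJOR: reads installed package names on stdin, one
# per line, and prints the required packages that are absent.
missing_repo_pkgs() {
    case "$1" in
        5) mirror=uln-yum-proxy ;;    # Oracle Linux 5
        *) mirror=uln-yum-mirror ;;   # Oracle Linux 6 and 7
    esac
    installed=$(cat)
    for pkg in createrepo yum-arch "$mirror" yum-utils; do
        printf '%s\n' "$installed" | grep -Fxq -e "$pkg" || echo "$pkg"
    done
}

# oracle_key_imported: reads the summaries of imported rpm public keys on
# stdin and succeeds if one of them names Oracle.
oracle_key_imported() {
    grep -qi 'oracle'
}
```

On a live repository host, feed the functions from rpm -qa --qf '%{NAME}\n', rpm -q gpg-pubkey --qf '%{SUMMARY}\n' and free_kb /var/www/html.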
Log in with super user privileges. To set up an RPM Repository that downloads the latest RPM packages and advisories from ULN, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Setup RPM Repository.
On the Setup RPM Repository page, in the RPM Repository Server section, select the RPM Repository server by clicking the search icon. Select the host assigned for subscribing to ULN.
In the Credentials section, ensure that the Normal Host Credential user has write access to the stage location, and the Privileged Host Credential user can sudo with root privilege. Click Apply.
In the Deployment Procedure submission confirmation, click Linux RPM Repository Server Setup. The deployment procedure starts a job to download latest RPM packages and Advisories from the subscribed ULN channels.
(Optional) If you want to change the refresh mode to 30 seconds, then from the View Data list, select Real Time: 30 Second Refresh.
In the Steps tab of the Status Detail section, check the status of this step. Wait till the step Installing Up2date is completed or skipped.
Click the status of the manual step Register with ULN to verify if your host has been registered to ULN.
If you have registered your host to ULN, then select the target and click Confirm, and then click Done to go to the main flow.
If you have not registered your host to ULN, then perform the following steps on your Linux host:
Log in to the RPM Repository server machine.
Check if your host can connect to ULN. If your host cannot connect to the ULN directly, you can configure up2date (for Oracle Linux 5) or uln_register (for Oracle Linux 6 or 7) to use a proxy server. To configure access to ULN using a proxy server, follow these instructions:
https://linux.oracle.com/uln_faq.html#9
Register the host to ULN by following the steps at:
https://linux.oracle.com/uln_faq.html#2
Note:
While registering, you can choose the user name and password. This credential will be used to log in to http://linux.oracle.com
Click the status of the step Subscribe to ULN channels.
When you register a Linux server to ULN, it will be subscribed to a channel that has the latest Oracle Linux packages for the appropriate architecture. If your host does not need to be subscribed to any additional channels, then select the target and click Confirm, and then click Done to go to the main flow.
If your host needs to be subscribed to some additional channels, then perform the following steps:
Log in to ULN:
Click on the Systems tab to manage subscriptions for each subscribed server.
Subscribe to all the additional channels you need.
Note:
If the createrepo package is not installed on your Linux host, subscribe to the el*_addon or the ol*_addon channel.
Ensure that the yum-arch, uln-yum-proxy (for Oracle Linux 5) or uln-yum-mirror (for Oracle Linux 6 or 7), and yum-utils packages are installed on your Linux host. To obtain the yum-arch and the uln-yum-proxy/uln-yum-mirror packages, subscribe to the add ons channel. To obtain the yum-utils package, subscribe to the latest channel.
Verify the list of subscribed channels on ULN.
Once the deployment procedure ends successfully, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository to verify if the ULN channels are displayed in the Cloud Control console.
On the Manage RPM Repository page, check if all the subscribed channels are listed and if all the packages are downloaded.
This section describes how you can set up a Linux Patching group for compliance reporting by associating the group with the RPM Repository (each subscribed ULN channel is a repository) created in Setting Up the RPM Repository for Linux Patching.
In particular, this section describes the following:
Before setting up the Linux Patching Group, meet the following prerequisites:
Set up RPM Repository server or set a custom RPM Repository as a channel in Cloud Control.
Install yum on all your Oracle Linux 6 target hosts. Install yum and up2date on all your Oracle Linux 5 target hosts.
Install Sudo on the target hosts.
Ensure that the Enterprise Manager user logs in to the OMS with super user privileges.
Ensure that the Enterprise Manager user has the EM_LINUX_PATCHING_ADMIN role and the FULL_LINUX_PATCHING_SETUP privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
This section describes how to patch your Linux hosts. It consists of the following:
Note:
Before patching your Linux hosts, ensure that the Enterprise Manager user has the EM_PATCH_DESIGNER role and the OPERATOR_ANY_TARGET privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
If the Linux Patching Compliance Home page reports that a particular Linux patching group is not compliant, you can choose to patch the group. To apply patches on this Linux patching group, follow these steps:
This section describes how you can manage your Linux configuration files. It consists of the following:
The configuration file feature enables you to manage your Linux configuration files in an efficient and convenient manner. Using this feature (which is accessible from the Linux Patching home page), you can create a Linux configuration file channel, upload the required Linux configuration files present on your local host (or on a remote host that has a Management Agent deployed on it) to the created channel, then deploy the configuration files present in the channel to a large number of target hosts in a single operation.
This feature saves you the effort of manually copying the required Linux configuration files to each target host. For example, if a HTTP server configuration file that you want to copy to a large number of target hosts is present on your local host, you can use the Linux Patching home page to create a Linux configuration file channel, upload the HTTP server configuration file to this channel, then deploy the file from this channel to the target hosts.
Ensure that the Software Library is already configured on the OMS.
To create a configuration file channel, follow these steps:
This section describes how you can upload configuration files to a particular channel. In particular, this section covers the following:
Before uploading configuration files to a particular channel, ensure that there exists at least one configuration file on the local host or on a remote host.
This section describes how you can import configuration files from one channel to another. In particular, this section covers the following:
Before importing configuration files, ensure that there are at least two channels.
This section describes how you can deploy configuration files from a particular channel. In particular, this section covers the following:
Before deploying configuration files, meet the following prerequisites:
Ensure that the privileged patching user has write permission on the target machine location where each configuration file will be staged, and has SUDO privileges too.
Ensure that there is at least one channel with some files uploaded.
This section describes how you can delete configuration file channels. In particular, this section covers the following:
Before deleting a configuration file channel, ensure that there is at least one configuration file.
This section describes the configurations that OPlan supports for patching GI and RAC databases of versions 11.2.0.2 or higher, on Linux X64, Solaris X64, Solaris SPARC and AIX platforms. Enterprise Manager integrates with OPlan to generate the procedure dynamically. If you use OPlan, then the commands that run as root will use the script available in the target Oracle Home. The commands required to run as root depend on the version and the mode of patching.
The following table lists the details:
Table 44-2 Oracle Grid Infrastructure and Oracle RAC Configuration Support
Version | Mode | Command |
---|---|---|
11.2 | In-Place | |
11.2 | Out Of Place | |
12.1 | In-Place | |
12.1 | Out of Place | |
This section describes the additional tasks you can perform using the Linux Patching Home page:
This section describes how you can view the compliance history for a selected group, for a specific time period. In particular, this section covers the following:
Ensure that you have defined at least one Linux patching group.
Ensure that you have View privileges on the Linux host comprising the patching group.
To view the compliance history of a Linux patching group, follow these steps:
Note:
By default, the compliance data that is displayed is retrieved from the last seven days. To view compliance history of a longer time period, select an appropriate value from the View Data drop-down list. The page refreshes to show compliance data for the selected time period.
This section describes how you can patch non-compliant packages from the Linux Patching home page. In particular, this section covers the following:
Before patching non-compliant packages, ensure that a Linux Patching group is created and the Compliance Collection job has succeeded.
To patch non-compliant packages, follow these steps:
This section describes how you can roll back a patch update session, or even uninstall the unstable version completely in case that patch version is found unsuitable or has a bug or security vulnerability. In particular, this section covers the following:
Prerequisites for Rolling Back Linux Patch Update Sessions or Deinstalling Packages
Rolling Back Linux Patch Update Sessions or Deinstalling Packages
Note:
Rolling back upgrades is supported to a certain extent. When performing an upgrade such as from OEL 5.2 to OEL 5.3, many RPMs that are dependent on others are upgraded. When you apply RPMs, this dependency can be followed. However, when rolling back patch update sessions, this dependency must be followed in reverse order. This reverse operation is not supported by yum or up2date. Hence, you can use the rollback feature to roll back a patch update session, but not to completely roll back a major upgrade such as from OEL 5.2 to OEL 5.3.
Rolling back upgrades is not supported on hosts running on Oracle Linux 6.
Before rolling back patch update sessions or deinstalling packages, meet the following prerequisites:
Ensure that a Linux Patching group is created.
Ensure that the lower versions of the packages are present in the RPM repository.
This section describes how you can register a custom channel. In particular, this section covers the following:
Before registering a custom channel, meet the following prerequisites:
Ensure that the RPM Repository is under /var/www/html and is accessible through HTTP protocol.
Ensure that Apache is installed, and listening on port 80. To verify this, you can try connecting to the URL: http://host.
For example: http://h1.example.com. If this works, then it is confirmed that Apache is installed and listening on port 80.
Ensure that metadata files are created by running yum-arch and createrepo commands.
Ensure that a Management Agent is installed on the RPM repository host, and ensure that Management Agent is communicating with the OMS.
Ensure that the Enterprise Manager User logs in with Super User privileges for registering a custom channel.
This section describes how you can clone a channel. In particular, this section covers the following:
Before cloning a channel, meet the following prerequisites:
Ensure that there is at least one channel already present.
Ensure that there is enough space on the target channel host.
Ensure that the stage location of the source host does not have a directory named createLikeSrc, and the Directory for the Target Channel does not exist.
Ensure that Apache is installed, and listening on port 80. To verify this, you can try connecting to the URL: http://host. For example: http://h1.example.com. If this works, then it is confirmed that Apache is installed and listening on port 80.
Ensure that the Enterprise Manager User logs in to the OMS with Super User privileges.
This section describes how you can copy packages from one channel to another. In particular, this section covers the following:
Before copying the packages from one channel to another, meet the following prerequisites:
Ensure that there are at least 2 channels.
Ensure that the target channel machine has adequate space.
Ensure that the stage location of the source host does not have a directory named copyPkgsSrc, and the stage location of Target Host does not have a directory named copyPkgsDest.
Ensure that Apache is installed, and listening on port 80. To verify this, you can try connecting to the URL: http://host.
For example: http://h1.example.com. If this works, then it is confirmed that Apache is installed and listening on port 80.
Ensure that the Enterprise Manager User logs in to the OMS with Super User privileges.
This section describes how you can add custom packages to a channel. In particular, this section covers the following:
Before you add custom packages to a channel, meet the following prerequisites:
Ensure that there is at least one channel.
Ensure that the stage location of the source host does not have a directory named addPkgsSrc, and the stage location of the destination channel does not have a directory named addPkgsDest.
This section describes how you can delete a channel. In particular, this section covers the following:
Before deleting a channel, meet the following prerequisites:
Ensure that there is at least one channel.
Ensure that the Enterprise Manager User logs in to the OMS with Super User privileges.
To delete a channel, follow these steps: