1 Patching Your Oracle Private Cloud Appliance

This document describes the patching process for your Oracle Private Cloud Appliance. Upgrading your appliance is a different process; refer to the Oracle Private Cloud Appliance Upgrade Guide for those directions.

Starting with release 3.0.1, Oracle Private Cloud Appliance supports patching updates for security fixes and software errata between major releases. To take advantage of this feature you must configure your environment to support channel updates.

Patches are delivered as RPM packages through a series of dedicated channels on the Unbreakable Linux Network (ULN). To gain access to these channels, you need a Customer Support Identifier (CSI) and a ULN subscription.

Oracle Private Cloud Appliance is not allowed to connect directly to Oracle ULN servers. You must use a ULN mirror on a system inside the data center. The patch channels are then synchronized on the ULN mirror, where the management nodes can access the RPMs. Compute nodes need access to a subset of the RPMs, which are copied to a designated location on the appliance internal shared storage and kept up-to-date.

Always Latest Packages

It is important to realize that the packages available from ULN are always the latest released version. While the ISO images are delivered for each appliance software version, and several versions could remain available for download for a longer time, the ULN channels do not offer that flexibility. When you synchronize the ULN mirror in your data center with the Oracle ULN servers, only the packages of the most recent appliance software release are available to patch your system.

Patching Strategy

We recommend running the latest available software on your Oracle Private Cloud Appliance. It improves protection against vulnerabilities and allows you to take advantage of all new features, bug fixes, and functional improvements.

Systems running an appliance software version older than 3.0.2-b892153 require a two-phase process to get the latest version. The appliance must first be upgraded to version 3.0.2-b892153; patching to this version is not possible. After this upgrade operation has been completed successfully, you can upgrade or patch to the latest available version. An administrator must manually verify the upgrade path to the new target version.

The latest Upgrader code automatically enforces prerequisite software versions. During the upgrade or patch preparations, the Upgrader service validates the currently installed appliance software version against the new target version. If the appliance is not running at least the minimum required version, the Upgrader exits the process and rolls back the environment to its previous state. You must first install the prerequisite version as indicated in the log.

Patching Order

Components must be patched in a prescribed order. In appliance software version 3.0.2-b892153 and later, the upgrade plan helps manage the order of patch operations. When patching to version 3.0.2-b1081557 or later, there is an extra requirement to patch the ZFS Storage Appliance firmware before all other components. For more information, see Check Upgrade Plan Status and Progress.
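The following pre-flight check is an added example, not Oracle code: it encodes only the two version rules stated above (upgrade to 3.0.2-b892153 before patching, and ZFS Storage Appliance firmware first for targets at 3.0.2-b1081557 or later). It assumes versions have the form `X.Y.Z-bNNNN` and that they order by release and then build number; the function names are hypothetical, and the result does not replace checking the upgrade plan.

```python
import re

# Version thresholds quoted on this page.
MIN_PATCHABLE = "3.0.2-b892153"    # older systems must be upgraded to this first
ZFS_FIRST_FROM = "3.0.2-b1081557"  # targets at or above this patch ZFS firmware first

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-b(\d+)$")


def parse_version(text):
    """Turn '3.0.2-b892153' into (3, 0, 2, 892153) so versions compare as tuples."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized appliance version: {text!r}")
    return tuple(int(group) for group in match.groups())


def patch_plan(current, target):
    """Return the ordered high-level steps implied by the rules on this page."""
    cur, tgt = parse_version(current), parse_version(target)
    floor, zfs_from = parse_version(MIN_PATCHABLE), parse_version(ZFS_FIRST_FROM)
    if tgt <= cur:
        raise ValueError("target version is not newer than the installed version")

    steps = []
    if cur < floor:
        # Assumption: build numbers increase over time, so tuple order is release order.
        steps.append(f"upgrade (not patch) to {MIN_PATCHABLE}")
        if tgt <= floor:
            return steps  # the prerequisite version is itself the target
    if tgt >= zfs_from:
        steps.append("patch ZFS Storage Appliance firmware before all other components")
    steps.append(f"upgrade or patch remaining components to {target} per the upgrade plan")
    return steps


if __name__ == "__main__":
    # Constructed sample versions, not real release numbers.
    for step in patch_plan("3.0.1-b500000", "3.0.2-b1185392"):
        print("-", step)
```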

Update Custom CA Certificates

If your Private Cloud Appliance has been configured to use your own CA certificates for secure connection to the external appliance interfaces, you might need to update them after upgrading or patching to a new software version. If the new software version changes the endpoints, for example because a new cloud service was added, the current certificate cannot validate connections to new endpoints. To resolve this, you generate new certificate signing requests (CSR) when the new appliance software is active, ask your Certificate Authority to provide new signed certificates, and upload those to the appliance. All current endpoints are now included in the updated certificates.

For more information about using your own CA certificates, refer to the section "Accessing External Interfaces with Your CA Trust Chain" in the Oracle Private Cloud Appliance Administrator Guide.
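To see which endpoints the current certificate no longer covers after a patch, you can compare its subject alternative names with the endpoint list. This check is an added example, not part of the Oracle documentation; it parses the text printed by `openssl x509 -noout -ext subjectAltName`, and the host names, sample output, and function names are constructed for illustration.

```python
import re

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:console.pca1.example.com, DNS:iaas.pca1.example.com, IP Address:192.0.2.10
"""


def parse_san_dns(openssl_text):
    """Extract the DNS entries from OpenSSL's subjectAltName text output."""
    return re.findall(r"DNS:([^,\s]+)", openssl_text)


def _labels(name):
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, host):
    """Match a SAN entry against a host name.

    A '*' is honoured only as the entire leftmost label and stands for
    exactly one label, so '*.pca1.example.com' does not cover
    'a.b.pca1.example.com' or 'pca1.example.com'.
    """
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_endpoints(san_dns_names, endpoints):
    """Return the endpoints that no SAN entry in the certificate covers."""
    return [e for e in endpoints
            if not any(san_matches(s, e) for s in san_dns_names)]


if __name__ == "__main__":
    # Constructed endpoint list: the last entry stands for a newly added service.
    endpoints = ["console.pca1.example.com", "iaas.pca1.example.com",
                 "newsvc.pca1.example.com"]
    missing = uncovered_endpoints(parse_san_dns(SAMPLE_SAN_TEXT), endpoints)
    print("endpoints needing a new certificate:", missing)
```

Any host name reported as uncovered indicates that new CSRs and signed certificates are needed, as described above.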
