1 Patching Your Oracle Private Cloud Appliance

This document describes the patching process for your Oracle Private Cloud Appliance. Upgrading your appliance is a different process; refer to the Oracle Private Cloud Appliance Upgrade Guide for those directions.

Starting with release 3.0.1, Oracle Private Cloud Appliance supports patching updates for security fixes and software errata between major releases. To take advantage of this feature, you must configure your environment to support channel updates.

Patches are delivered as RPM packages through a series of dedicated channels on the Unbreakable Linux Network (ULN). To gain access to these channels, you need a Customer Support Identifier (CSI) and a ULN subscription.

Oracle Private Cloud Appliance is not allowed to connect directly to Oracle ULN servers. You must use a ULN mirror on a system inside the data center. The patch channels are then synchronized on the ULN mirror, where the management nodes can access the RPMs. Compute nodes need access to a subset of the RPMs, which are copied to a designated location on the appliance internal shared storage and kept up-to-date.

Caution:

Appliance software version 3.0.2-b1261765 must be upgraded to version 3.0.2-b1392231 using ISO images. During this process, the appliance migrates from Oracle Linux 7 to Oracle Linux 8. This is not supported by ULN-based patching.

Always Latest Packages

It is important to realize that the packages available from ULN are always the latest released version. While the ISO images are delivered for each appliance software version, and several versions could remain available for download for a longer time, the ULN channels do not offer that flexibility. When you synchronize the ULN mirror in your data center with the Oracle ULN servers, only the packages of the most recent appliance software release are available to patch your system.

Minimum Recommended Version

In this Patching Guide it is assumed that your system is running at least the minimum recommended appliance software version: 3.0.2-b892153. The main chapters provide detailed instructions to move your system on to the latest available version.

If your active Oracle Private Cloud Appliance software is older than the minimum recommended version, please follow the guidelines and instructions in the chapter Upgrading from Earlier Software Versions of the Oracle Private Cloud Appliance Upgrade Guide. When the appliance is running at least the minimum recommended version, follow the main instructions to patch to the latest version.

Patching Strategy

We recommend running the latest available software on your Oracle Private Cloud Appliance. It improves protection against vulnerabilities and allows you to take advantage of all new features, bug fixes, and functional improvements.

The latest Upgrader code automatically enforces prerequisite software versions. During the upgrade or patch preparations, the Upgrader service validates the currently installed appliance software version against the new target version. If the appliance is not running at least the minimum required version, the Upgrader exits the process and rolls back the environment to its previous state. You must first install the prerequisite version as indicated in the log.

Patching Order

Components must be patched in a prescribed order. In appliance software version 3.0.2-b892153 and later, the upgrade plan helps manage the order of patch operations. When patching to version 3.0.2-b1081557 or later, there is an extra requirement to patch the ZFS Storage Appliance firmware before all other components. For more information, see Check Upgrade Plan Status and Progress.

Update Custom CA Certificates

If your Private Cloud Appliance has been configured to use your own CA certificates for secure connection to the external appliance interfaces, you might need to update them after upgrading or patching to a new software version. If the new software version changes the endpoints, for example because a new cloud service was added, the current certificate cannot validate connections to new endpoints. To resolve this, you generate new certificate signing requests (CSR) when the new appliance software is active, ask your Certificate Authority to provide new signed certificates, and upload those to the appliance. All current endpoints are now included in the updated certificates.

For more information about using your own CA certificates, refer to the section "Accessing External Interfaces with Your CA Trust Chain" in the Oracle Private Cloud Appliance Administrator Guide.
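
The following is an added example, not part of the Oracle documentation or appliance tooling. It shows why a certificate issued before patching can fail for endpoints introduced by the new release: it compares the DNS names in a certificate's subjectAltName list against the endpoint list after patching and reports the names that are not covered. All hostnames are constructed, hypothetical values, and the function names are illustrative.

```python
"""Added example: find endpoints a certificate's SAN list does not cover."""


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only stand for the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and is rejected on a bare suffix
        # such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_endpoints(san_dns_names, endpoints):
    """Return the endpoints that no SAN entry matches, in input order."""
    return [e for e in endpoints
            if not any(san_matches(s, e) for s in san_dns_names)]


# Constructed sample data; hostnames are hypothetical, not real appliance endpoints.
# A real SAN list can be read with:
#   openssl x509 -in cert.pem -noout -ext subjectAltName
CURRENT_CERT_SANS = [
    "console.pca1.example.com",
    "iaas.pca1.example.com",
    "*.objectstorage.pca1.example.com",
]
ENDPOINTS_AFTER_PATCH = [
    "console.pca1.example.com",
    "iaas.pca1.example.com",
    "ns1.objectstorage.pca1.example.com",
    "newservice.pca1.example.com",         # endpoint added by the new release
    "a.b.objectstorage.pca1.example.com",  # two labels deep: wildcard does not apply
]

if __name__ == "__main__":
    missing = uncovered_endpoints(CURRENT_CERT_SANS, ENDPOINTS_AFTER_PATCH)
    for name in missing:
        print(f"not covered by current certificate: {name}")
    print("new CSR needed" if missing else "certificate covers all endpoints")
```

Any name the check reports must be present in the new certificate signing request before the signed certificate is uploaded.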