2 Configure Your Environment for Patching

  1. Obtain a valid Customer Support Identifier (CSI).

    Your CSI is an identifier that is issued to you when you purchase the appliance. For more information, see CSI Administration.

  2. Register both your mirror server and Oracle Private Cloud Appliance with ULN. See ULN Registration.

  3. Create a local ULN mirror. For instructions, see Setting up a Local ULN Mirror. Complete these tasks as you set up your local mirror:

    1. Register your local mirror's hostname in your local DNS.

    2. Subscribe to the following ULN channels for Oracle Private Cloud Appliance. It is best to isolate Oracle Private Cloud Appliance ULN channels from other ULN channels. Reserve approximately 60Gb on your mirror for patches. Over time, you may need to increase this capacity.

      Note:

      There is no need to subscribe to the * src channels. These channels contain source RPMs for the binary channels, which are not used for patching and can take up significant space on your mirror.

      • PCA 3.0.1 Container Images

      • PCA 3.0.1 Firmware

      • PCA 3.0.1 Hypervisor

      • PCA 3.0.1 MN

      • PCA 3.0.1 OCI Compute Images

      Caution:

      Only install patches from the pca* channels. Manually updating the appliance using other channels and other methods is not supported. Security and other updates to Oracle Linux 7 will come through the pca* channels.

    3. Verify you have correctly subscribed to the Oracle Private Cloud Appliance channels using the yum repolist command.

    4. Optionally, you can add ULN channels from the command line. See Oracle Linux: Managing ULN Channel Subscriptions via Command Line.

  4. In the /etc/sysconfig/uln-yum-mirror config file, set ALL_PKGS=1.

  5. Confirm that you have uln-yum-mirror version 0.3.0-8.el7 or later installed.

    # yum --disablerepo=* --enablerepo=ol7_addons install uln-yum-mirror
    Loaded plugins: langpacks, ulninfo
    Resolving Dependencies
    --> Running transaction check
    ---> Package uln-yum-mirror.noarch 0:0.3.0-8.el7 will be installed
    --> Processing Dependency: hardlinkpy for package: uln-yum-mirror-0.3.0-8.el7.noarch
    --> Processing Dependency: yum-arch for package: uln-yum-mirror-0.3.0-8.el7.noarch
    --> Running transaction check
    ---> Package hardlinkpy.noarch 0:0.0.5-1.el7 will be installed
    ---> Package yum-arch.noarch 0:2.2.2-9.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package              Arch         Version              Repository         Size
    ================================================================================
    Installing:
     uln-yum-mirror       noarch       0.3.0-8.el7          ol7_addons         30 k
    Installing for dependencies:
     hardlinkpy           noarch       0.0.5-1.el7          ol7_addons         15 k
     yum-arch             noarch       2.2.2-9.el7          ol7_addons        311 k
    
    Transaction Summary
    ================================================================================
    Install 1 Package (+2 Dependent packages)
    
    Total download size: 356 k
    Installed size: 1.3 M

  6. Create soft links for your local mirror directories.

    1. During the setup of your local mirror, a directory titled "EngineeredSystems" was created. The default location of this directory is /var/www/html/yum/EngineeredSystems. In order for the patching tool to locate the correct directories, create the following soft links in the /var/www/html/yum directory, which contains the EngineeredSystems directory:

      ln -s EngineeredSystems/pca301/hypervisor/x86_64 pca301_x86_64_hypervisor
      ln -s EngineeredSystems/pca301/containers/x86_64 pca301_x86_64_container_images
      ln -s EngineeredSystems/pca301/fw/x86_64 pca301_x86_64_fw
      ln -s EngineeredSystems/pca301/mn/x86_64 pca301_x86_64_mn
      ln -s EngineeredSystems/pca301/oci/x86_64 pca301_x86_64_oci

    2. Verify that the correct repositories appear on your local mirror.

      # sudo yum repolist
      ...
      repo id                              repo name                            status 
      pca301_x86_64_containers             PCA 3.0.1 Container Images              39
      pca301_x86_64_fw                     PCA 3.0.1 Firmware                       0
      pca301_x86_64_hypervisor             PCA 3.0.1 Hypervisor                     9
      pca301_x86_64_mn                     PCA 3.0.1 MN                             0
      pca301_x86_64_oci                    PCA 3.0.1 OCI Compute Images             3

    3. Update the repositories. This could take an hour or more for the initial download.

      # /usr/bin/uln-yum-mirror

      Note:

      For yum servers running Oracle Linux 8, use the dnf reposync command.

    4. Verify a repodata directory was created at the location of a soft link.

      # ls /var/www/html/yum/pca301_x86_64_hypervisor/

  7. Configure the management nodes to receive yum updates from the local mirror.

    By design, compute nodes do not have access outside the appliance. To prepare your environment to patch compute nodes, do the following:

    1. Configure a repository inside the appliance that the compute nodes can reach.

    2. Configure synchronization between that repository and the mirror, through the management nodes.

    To enable synchronization between the repository and the mirror server, set the fully qualified domain name of the datacenter mirror server using the setupstreamUlnMirror command. Both HTTP and HTTPS protocols are supported. To use HTTPS, see Using HTTPS to Reach the ULN Mirror Server.

    PCA-ADMIN> setupstreamUlnMirror ulnMirrorLocation=http://host.example.com/yum
    Command: setupstreamUlnMirror ulnMirrorLocation=http://host.example.com/yum
    Status: Success
    Time: 2022-01-06 06:15:15,469 UTC
    Data: 
      upstream channels are set UpstreamMirror status = success

    Alternatively, you can set this parameter in the GUI.

    Note:

    You must use the fully qualified domain name to reference the datacenter mirror server, not the system IP address.
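
The mirror-side settings from steps 4 and 6 can be checked in one pass before the management nodes are pointed at the mirror. The following shell function is an added example, not part of Oracle's tooling; the name check_mirror and the test for repodata/repomd.xml (the standard yum metadata index) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle tooling): preflight check for the mirror host.
# Link names and targets are copied from the ln -s commands in step 6.
PCA_LINKS="
pca301_x86_64_hypervisor=EngineeredSystems/pca301/hypervisor/x86_64
pca301_x86_64_container_images=EngineeredSystems/pca301/containers/x86_64
pca301_x86_64_fw=EngineeredSystems/pca301/fw/x86_64
pca301_x86_64_mn=EngineeredSystems/pca301/mn/x86_64
pca301_x86_64_oci=EngineeredSystems/pca301/oci/x86_64
"

# check_mirror CONFIG_FILE YUM_ROOT
# Prints one line per check; the return status is the number of failures.
# Typical call: check_mirror /etc/sysconfig/uln-yum-mirror /var/www/html/yum
check_mirror() {
    conf=$1; root=$2; failures=0

    # Step 4: an active (uncommented) ALL_PKGS=1 line must be present.
    if grep -Eq '^[[:space:]]*ALL_PKGS="?1"?[[:space:]]*$' "$conf" 2>/dev/null; then
        echo "OK:   ALL_PKGS=1 in $conf"
    else
        echo "FAIL: ALL_PKGS=1 is not set in $conf"
        failures=$((failures + 1))
    fi

    # Step 6: each soft link must exist, point at the documented target,
    # and expose repository metadata once uln-yum-mirror has run.
    for entry in $PCA_LINKS; do
        link=${entry%%=*}; target=${entry#*=}; path=$root/$link
        if [ ! -L "$path" ]; then
            echo "FAIL: $link is missing or is not a soft link"
        elif [ "$(readlink "$path")" != "$target" ]; then
            echo "FAIL: $link points to $(readlink "$path"), expected $target"
        elif [ ! -f "$path/repodata/repomd.xml" ]; then
            echo "FAIL: $link has no repodata/repomd.xml (not synchronized yet?)"
        else
            echo "OK:   $link -> $target"
            continue
        fi
        failures=$((failures + 1))
    done
    return "$failures"
}
```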

Using HTTPS to Reach the ULN Mirror Server

To use HTTPS to reach the ULN mirror, add the TLS trust information for the ULN mirror server to the appliance. The TLS trust information that you add must contain only a CA chain or an X.509 server certificate; it must not contain keys:

  • If the server certificate is signed by a commercial CA, do not add anything to the appliance. Skip this procedure.

  • If the server certificate is signed by a non-commercial CA, the TLS trust information to add to the appliance is the non-commercial CA chain file, in PEM or CRT format.

  • If the server certificate is self-signed, the TLS trust information to add to the appliance is a copy of the server certificate, in PEM format.

Repeat this process whenever the X.509 server certificate on the ULN mirror server is replaced, such as when the certificate expires:

  1. On the first management node, create the following directory if it does not already exist:

    /etc/pca3.0/vault/customer_ca/

  2. Copy the CA chain or X.509 server certificate to the /etc/pca3.0/vault/customer_ca/ directory.

    If the ULN server certificate is not self-signed, copy the CA chain. If the ULN server certificate is self-signed (the Subject Key Identifier is the same as the Authority Key Identifier), copy the server certificate.

  3. Run the following command:

    python3 /usr/lib/python3.6/site-packages/pca_foundation/secret_service/cert_generator/cert_generator_app.py -copy_to_mns

    The resulting TLS trust/certificate bundle is at the following path on each management node:

    /etc/pca3.0/vault/certs/ca_outside_bundle.crt
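
The rule that the trust information must not contain keys can be enforced by screening the files before they are copied in step 2. The following shell functions are an added example, not part of Oracle's tooling; check_trust_file and check_trust_dir are hypothetical names, and only PEM headers are inspected, so a DER-encoded file is reported as having no PEM certificate.

```shell
#!/bin/sh
# Added example (not Oracle tooling): screen files before copying them to
# /etc/pca3.0/vault/customer_ca/. The page requires certificates only, no keys.

# check_trust_file FILE
# Returns 0 if FILE holds only PEM CERTIFICATE blocks, 1 if it holds private
# key material, 2 if it holds no PEM certificate, 3 for any other PEM block.
check_trust_file() {
    file=$1
    # Collect the type of every "-----BEGIN <type>-----" header, one per line.
    types=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$file")
    case $types in
        *"PRIVATE KEY"*)
            echo "REJECT: $file contains a private key"; return 1 ;;
    esac
    certs=$(printf '%s\n' "$types" | grep -c '^CERTIFICATE$' || true)
    if [ "$certs" -eq 0 ]; then
        echo "REJECT: $file has no PEM certificate (empty or DER-encoded?)"
        return 2
    fi
    other=$(printf '%s\n' "$types" | grep -vc '^CERTIFICATE$' || true)
    if [ "$other" -gt 0 ]; then
        echo "REJECT: $file has $other PEM block(s) that are not certificates"
        return 3
    fi
    echo "OK: $file ($certs certificate(s), no keys)"
}

# check_trust_dir DIR
# Screens every regular file in DIR; the return status is the number rejected.
check_trust_dir() {
    rejected=0
    for candidate in "$1"/*; do
        [ -f "$candidate" ] || continue
        check_trust_file "$candidate" || rejected=$((rejected + 1))
    done
    return "$rejected"
}
```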

Using the Service Web UI

    1. In the navigation menu, click ULN Mirror.

    2. In the top-right corner of the ULN Mirror page, click Set ULN Mirror.

      The ULN Mirror window appears.

    3. Fill out the parameters:

      • ULN Mirror: the fully qualified domain name of the ULN mirror in your datacenter.

      • Proxy: If your datacenter uses a proxy server as an intermediary for Internet access, specify that server here.

    4. Click Set ULN Mirror.

      The ULN mirror is set.