2 Configure Your Environment for Patching

References in this section to CSI administration, ULN registration, and setting up a local ULN mirror are to the Oracle Linux Unbreakable Linux Network User's Guide for Oracle Linux 6 and Oracle Linux 7.

  1. Obtain a valid Customer Support Identifier (CSI).

    Your CSI is an identifier that was issued to you when you purchased the appliance. For more information, see CSI Administration.

  2. Register both your mirror server and Oracle Private Cloud Appliance with ULN. See ULN Registration.

  3. Create a local ULN mirror. See Setting up a Local ULN Mirror.

  4. Register the hostname of your local mirror in your local DNS.

  5. Reserve space for patches.

    Best practice is to isolate Oracle Private Cloud Appliance ULN channels from other ULN channels. Reserve approximately 60Gb on your mirror for patches. Over time, you may need to increase this capacity.

  6. Subscribe the mirror server to Private Cloud Appliance ULN channels.

    Caution:

    Only install patches from the "PCA" channels. Manually updating the appliance using other channels and other methods is not supported. Security and other updates to Oracle Linux will come through the "PCA" channels.

    If your site has both Private Cloud Appliance 3.0.1 and Private Cloud Appliance 3.0.2 appliances, your local mirror can subscribe to both PCA 3.0.1 and PCA 3.0.2 channels. Updates for both will be downloaded from ULN. Private Cloud Appliance 3.0.1 appliances will only sync from the PCA 3.0.1 softlinks and Private Cloud Appliance 3.0.2 appliances will only sync from the PCA 3.0.2 softlinks.

    If your local mirror is subscribed to PCA 3.0.1 channels, but you no longer maintain any Private Cloud Appliance 3.0.1 appliances, unsubscribe from those channels in ULN and recover the disk space on the mirror.

    Note:

    ULN channels for a given release are not available at initial release, because there are no updates at that time. The channels become available once there are updates available for download.
    1. Subscribe to the following ULN channels for Private Cloud Appliance.

      • PCA 3.0.2 Container Images

      • PCA 3.0.2 Firmware

      • PCA 3.0.2 Hypervisor

      • PCA 3.0.2 MN

      • PCA 3.0.2 OCI Compute Images

      In the Available channels list, scroll down to the "PCA 3.0.2" channels. Use the > button to move the five channels in the preceding list to the Subscribed channels column. Click the Save Subscriptions button.

      Note that the list of available "PCA 3.0.2" channels looks like the following:

      • PCA 3.0.2 Container Images

      • PCA 3.0.2 Container Images src

      • PCA 3.0.2 Firmware

      • PCA 3.0.2 Hypervisor

      • PCA 3.0.2 Hypervisor src

      • PCA 3.0.2 MN

      • PCA 3.0.2 MN src

      • PCA 3.0.2 OCI Compute Images

      You do not need to subscribe to the "src" channels. These channels contain source RPMs for the binary channels. The "src" channels are not used for patching and use significant space on your mirror.

    2. Use the yum repolist command to verify that you have correctly subscribed to the Private Cloud Appliance channels.

    Alternatively, you can add ULN channels from the command line. See Oracle Linux: Managing ULN Channel Subscriptions via Command Line (Doc ID 1674425.1).

  7. In the /etc/sysconfig/uln-yum-mirror config file, set ALL_PKGS=1.

  8. Confirm that you have uln-yum-mirror version 0.3.0-8.el7 or later installed.

    # yum --disablerepo=* --enablerepo=ol7_addons install uln-yum-mirror
    Loaded plugins: langpacks, ulninfo
    Resolving Dependencies
    --> Running transaction check
    ---> Package uln-yum-mirror.noarch 0:0.3.0-8.el7 will be installed
    --> Processing Dependency: hardlinkpy for package: uln-yum-mirror-0.3.0-8.el7.noarch
    --> Processing Dependency: yum-arch for package: uln-yum-mirror-0.3.0-8.el7.noarch
    --> Running transaction check
    ---> Package hardlinkpy.noarch 0:0.0.5-1.el7 will be installed
    ---> Package yum-arch.noarch 0:2.2.2-9.el7 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ================================================================================
     Package              Arch         Version              Repository        Size
    ================================================================================
    Installing:
     uln-yum-mirror       noarch       0.3.0-8.el7          ol7_addons        30 k
    Installing for dependencies:
     hardlinkpy           noarch       0.0.5-1.el7          ol7_addons        15 k
     yum-arch             noarch       2.2.2-9.el7          ol7_addons       311 k
    
    Transaction Summary
    ================================================================================
    Install 1 Package (+2 Dependent packages)
    
    Total download size: 356 k
    Installed size: 1.3 M
  9. Create soft links for your local mirror directories.

    1. During the setup of your local mirror, a directory titled "EngineeredSystems" was created. The default location of this directory is /var/www/html/yum/EngineeredSystems. In order for the patching tool to locate the correct directories, create the following soft links in the /var/www/html/yum directory, which contains the EngineeredSystems directory:

      ln -s EngineeredSystems/pca302/hypervisor/x86_64 pca302_x86_64_hypervisor
      ln -s EngineeredSystems/pca302/containers/x86_64 pca302_x86_64_container_images
      ln -s EngineeredSystems/pca302/fw/x86_64 pca302_x86_64_fw
      ln -s EngineeredSystems/pca302/mn/x86_64 pca302_x86_64_mn
      ln -s EngineeredSystems/pca302/oci/x86_64 pca302_x86_64_oci
    2. Verify that the correct repositories appear on your local mirror.

      # sudo yum repolist
      ...
      repo id                              repo name                            status 
      pca302_x86_64_containers             PCA 3.0.2 Container Images              39
      pca302_x86_64_fw                     PCA 3.0.2 Firmware                       0
      pca302_x86_64_hypervisor             PCA 3.0.2 Hypervisor                     9
      pca302_x86_64_mn                     PCA 3.0.2 MN                             0
      pca302_x86_64_oci                    PCA 3.0.2 OCI Compute Images             3
    3. Update the repositories. This could take an hour or more for the initial download.

      # /usr/bin/uln-yum-mirror

      Note:

      For yum servers running Oracle Linux 8 use the dnf reposync command.
    4. Verify that a repodata directory was created at the location of a soft link.

      # ls /var/www/html/yum/pca302_x86_64_hypervisor/
  10. Configure the management nodes to receive yum updates from the local mirror.

    By design, compute nodes do not have access outside the appliance. To prepare your environment to patch compute nodes, do the following:

    1. Configure a repository inside the appliance that the compute nodes can reach.

    2. Configure synchronization between that repository and the mirror, through the management nodes.

    To enable synchronization between the repository and the mirror server, set the fully qualified domain name of the datacenter mirror server using the setupstreamUlnMirror command. Both HTTP and HTTPS protocols are supported. To use HTTPS, see Using HTTPS to Reach the ULN Mirror Server.

    PCA-ADMIN> setupstreamUlnMirror ulnMirrorLocation=http://host.example.com/yum
    Command: setupstreamUlnMirror ulnMirrorLocation=http://host.example.com/yum
    Status: Success
    Time: 2022-01-06 06:15:15,469 UTC
    Data: 
      upstream channels are set UpstreamMirror status = success

    Alternatively, you can set this parameter in the GUI.

    Note:

    You must use the fully qualified domain name to reference the datacenter mirror server, not the system IP address.
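The checks in steps 7 and 9 can be scripted on the mirror server. The following is an added example, not part of the Oracle documentation or tooling: the function name check_pca_mirror is hypothetical, and the link names and targets are copied from the ln -s commands in step 9.

```shell
#!/bin/sh
# Added example: audit a local ULN mirror against steps 7 and 9 above.
# Usage after sourcing this file:
#   check_pca_mirror /var/www/html/yum /etc/sysconfig/uln-yum-mirror

# link-name:target pairs, exactly as in the ln -s commands of step 9.
PCA_LINKS='pca302_x86_64_hypervisor:EngineeredSystems/pca302/hypervisor/x86_64
pca302_x86_64_container_images:EngineeredSystems/pca302/containers/x86_64
pca302_x86_64_fw:EngineeredSystems/pca302/fw/x86_64
pca302_x86_64_mn:EngineeredSystems/pca302/mn/x86_64
pca302_x86_64_oci:EngineeredSystems/pca302/oci/x86_64'

# check_pca_mirror YUM_ROOT CONFIG_FILE
# Prints one line per check; returns 0 only if every check passes.
check_pca_mirror() {
    root=$1 conf=$2 bad=0
    # Step 7: an active (not commented-out) ALL_PKGS=1 line must exist.
    if ! grep -Eq '^[[:space:]]*ALL_PKGS="?1"?[[:space:]]*(#.*)?$' "$conf" 2>/dev/null; then
        echo "FAIL $conf: ALL_PKGS=1 not set"; bad=1
    fi
    for entry in $PCA_LINKS; do
        link=${entry%%:*} target=${entry#*:}
        lpath=$root/$link
        if [ ! -L "$lpath" ]; then
            echo "FAIL $link: not a soft link"; bad=1
        elif [ "$(readlink "$lpath")" != "$target" ]; then
            echo "FAIL $link: points to $(readlink "$lpath"), expected $target"; bad=1
        elif [ ! -d "$lpath/repodata" ]; then
            # Step 9.4: repodata appears only after uln-yum-mirror has run.
            echo "FAIL $link: no repodata directory"; bad=1
        else
            echo "OK   $link"
        fi
    done
    return $bad
}
```

A link that points at the wrong channel directory still resolves and still serves packages, so comparing the link target, not just its existence, is what catches a mirror that would feed the wrong content to the patching tool.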

Using HTTPS to Reach the ULN Mirror Server

To use the HTTPS protocol to reach the ULN mirror, add the TLS trust information for the ULN mirror server to the appliance. The TLS trust information to add to the appliance must contain only a CA chain or an X.509 server certificate; the trust information on the appliance must not contain keys:

  • If the server certificate is signed by a commercial CA, do not add anything to the appliance. Skip this procedure.

  • If the server certificate is signed by a non-commercial CA, the TLS trust information to add to the appliance is the non-commercial CA chain file, in PEM or CRT format.

  • If the server certificate is self-signed, the TLS trust information to add to the appliance is a copy of the server certificate, in PEM format.

Repeat this process whenever the X.509 server certificate on the ULN mirror server is replaced, such as when the certificate expires:

  1. On the first management node, create the following directory if it does not already exist:

    /etc/pca3.0/vault/customer_ca/
  2. Copy the CA chain or X.509 server certificate to the /etc/pca3.0/vault/customer_ca/ directory.

    If the ULN server certificate is not self-signed, copy the CA chain. If the ULN server certificate is self-signed (the Subject Key Identifier is the same as the Authority Key Identifier), copy the server certificate.

  3. Run the following command:

    python3 /usr/lib/python3.6/site-packages/pca_foundation/secret_service/cert_generator/cert_generator_app.py -copy_to_mns

    The resulting TLS trust/certificate bundle is in the following directory on each management node:

    /etc/pca3.0/vault/certs/ca_outside_bundle.crt
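The requirement that the trust information contain no keys can be checked before step 3 distributes the files to every management node. The following is an added example, not Oracle's code: the function names check_trust_file and check_trust_dir are hypothetical, and the check reads PEM armor lines only, without parsing or validating the certificates.

```shell
#!/bin/sh
# Added example: pre-flight check for files staged in the customer_ca directory.
# Usage after sourcing this file:
#   check_trust_dir /etc/pca3.0/vault/customer_ca

# check_trust_file FILE -> 0 if FILE holds PEM certificates and nothing else.
check_trust_file() {
    f=$1
    if [ ! -r "$f" ]; then
        echo "FAIL $f: not readable"; return 1
    fi
    # Any PEM block that is not a plain certificate (private keys, CSRs, ...).
    other=$(grep '^-----BEGIN ' "$f" | grep -v '^-----BEGIN CERTIFICATE-----' | tr -d '\r' || true)
    if [ -n "$other" ]; then
        echo "FAIL $f: non-certificate PEM block: $other"; return 1
    fi
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----' "$f" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----' "$f" || true)
    if [ "$begins" -eq 0 ]; then
        # DER-encoded files are not handled by this sketch.
        echo "FAIL $f: no PEM certificate block found"; return 1
    fi
    if [ "$begins" -ne "$ends" ]; then
        echo "FAIL $f: truncated certificate block"; return 1
    fi
    echo "OK   $f: $begins certificate(s), no keys"
}

# check_trust_dir DIR -> 0 only if every regular file in DIR passes.
check_trust_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        check_trust_file "$f" || rc=1
    done
    return $rc
}
```

The case this catches most often is a combined certificate-and-key PEM exported from the mirror's web server configuration and copied as-is into the trust directory.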

Using the Service Web UI

    1. In the navigation menu, click ULN Mirror.

    2. In the top-right corner of the ULN Mirror page, click Set ULN Mirror.

      The ULN Mirror window appears.

    3. Fill out the parameters:

      • ULN Mirror: the fully qualified domain name of the ULN mirror in your datacenter.

      • Proxy: If your datacenter uses a proxy server as an intermediary for Internet access, specify that server here.

    4. Click Set ULN Mirror.

      The ULN mirror is set.