45 Patching Linux Hosts
This chapter explains how you can patch Linux hosts using Oracle Enterprise Manager Cloud Control (Cloud Control). In particular, this chapter covers the following:
Overview of Patching Linux Hosts
Linux Host Patching is a feature in Cloud Control that keeps the hosts in an enterprise updated with security fixes and critical bug fixes, especially in a data centre or a server farm. This feature in Cloud Control enables you to:
- Set up a Linux RPM repository based on Unbreakable Linux Network (ULN) channels
- Download advisories (errata) from ULN
- Set up a Linux patching group to update a group of Linux hosts and collect compliance information
- Allow non-compliant packages to be patched
- Roll back or uninstall packages from a host
- Manage RPM repositories and channels (clone channels, copy packages from one channel into another, delete channels)
- Add RPMs to custom channels
- Manage configuration file channels (create and delete channels, upload files, copy files from one channel into another)
The following are concepts related to Linux patching:
About the Deployment Procedure for Patching Linux Hosts
Cloud Control provides the following deployment procedures for Linux patching:
- Patch Linux Hosts: this deployment procedure enables you to patch Linux hosts.
- Linux RPM Repository Server Setup: this deployment procedure enables you to set up a Linux RPM repository server. To set up the Linux RPM repository server, see Setting Up the RPM Repository for Patching.
Supported Linux Releases
The following releases are supported for Linux patching:
- Oracle Linux 5
- Oracle Linux 6
- Oracle Linux 7
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
Setting Up Infrastructure for Linux Patching
This section describes the setup requirements for Linux patching. In particular, this section describes the following:
Prerequisites for Using the Linux Patching Feature
To use the Linux Patching feature, meet the following prerequisites:
- Meet the basic prerequisites described in Setting Up Your Infrastructure.
- Install yum on all your Oracle Linux 6 target hosts. Install yum and up2date on all your Oracle Linux 5 target hosts.
- Enable the following commands through sudo:
  - /bin/cp
  - /bin/rm
  - /bin/chmod
  - /sbin/chkconfig
  - yum
  - up2date
  - sed
  - rpm
Setting Up the RPM Repository for Linux Patching
This section describes how you can set up the RPM repository. In particular, this section describes the following:
Note:
The RPM repository can be set up in a shared location; this configuration is supported. The same EM repository is shared by pointing a symbolic link in the /var/www/html folder to the shared file system. If the host target goes down, the RPM repository is also unavailable.
The RPM repository can exist on the OMS or on a non-OMS designated host target.
Prerequisites for Setting Up the RPM Repository
Before setting up the RPM repository, meet the following prerequisites:
- Identify a Red Hat or Oracle Linux host, install a Management Agent, and point it to the OMS. This host must have the sudo package installed.
- Obtain a valid Customer Support Identifier (CSI) number from your Oracle sales representative. After obtaining a valid CSI number, ensure that you create a ULN account. To create a ULN account, access the following URL:
- Download the up2date packages (Oracle Linux 5 only) from the following URL:
  https://linux.oracle.com/switch.html
  Upload the downloaded packages to the Software Library if the host on which you plan to set up the RPM repository is running on one of the following platforms:
  - Red Hat Enterprise Linux 5 (i386)
  - Red Hat Enterprise Linux 5 (x86_64)
  - Red Hat Enterprise Linux 5 (ia64)
  Note:
  You do not need to upload the up2date packages to the Software Library if the host on which you plan to set up the RPM repository is running on an Oracle Linux platform.
  Follow these steps to upload the up2date packages to the Software Library:
  Note:
  For a multi-OMS setup, the following steps only need to be performed on one OMS.
  - Compress up2date and up2date-gnome into a zip file, and name it up2date_comp.zip.
  - Copy the zip file to the <ORACLE_HOME>/sysman/metadata/swlib/patch/stageServerComponents directory in the Oracle home of the OMS.
  - Edit the Patch Software Library entities metadata file swlib.xml in the Oracle home of the OMS to upgrade the ExternalID of the Software Library entity Up2date Package Component. To do so, follow these steps:
    (1) Open the swlib.xml file at the following location: $ORACLE_HOME/sysman/metadata/swlib/patch/
    (2) Search for the tag <Entity name="Install up2date RPM">, which in turn has a subtag ExternalID.
    (3) Increase the value of the ExternalID by 0.1. For example, if the original value of the entity's ExternalID in the Software Library is 2.0, then add 0.1 to upgrade the ExternalID to 2.1.
  - Upload the zip file to the Software Library by running the following command:
    $ emctl register oms metadata -service swlib -file $ORACLE_HOME/sysman/metadata/swlib -core
- Ensure that the /var/www/html/ directory on the host on which you plan to set up the RPM repository has at least 60 GB of free disk space per channel.
- Ensure that Apache is installed and listening on port 80. To verify this, try connecting to the URL http://host, for example http://h1.example.com. If this works, then Apache is installed and listening on port 80.
- Ensure that the createrepo package is installed on the RPM repository host. To obtain this package, subscribe to the el*_addon or the ol*_addon channel.
- Ensure that the yum-arch, uln-yum-proxy (for Oracle Linux 5) or uln-yum-mirror (for Oracle Linux 6 and 7), and yum-utils packages are installed on the RPM repository host. To obtain the yum-arch and the uln-yum-proxy/uln-yum-mirror packages, subscribe to the add-ons channel. To obtain the yum-utils package, subscribe to the latest channel.
- If the RPM repository host is not running on Oracle Linux 6 (OL6), but is subscribed to an OL6 channel whose name is of the format ol6_*, then you must import the OL6 public key manually. To do so, follow these steps:
  - Download the OL6 key from:
  - Store it under the following directory on your host: /usr/share/rhn
  - Run the following command:
    rpm --import /usr/share/rhn/RPM-GPG-KEY-oracle-ol6
- Ensure that the Enterprise Manager user has the EM_LINUX_PATCHING_ADMIN role and the FULL_LINUX_PATCHING_SETUP privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
- Ensure that the Oracle GPG keys are installed on the host on which you plan to set up the RPM repository. To install the Oracle GPG keys on a host running Oracle Linux 5 or Oracle Linux 6, run the following command:
  rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY
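The following script is an added example, not part of the Oracle documentation: it automates the prerequisite checks listed above on the prospective RPM repository host. It assumes the documented paths (/var/www/html, /etc/pki/rpm-gpg/RPM-GPG-KEY) and that rpm, df and curl are available on the host.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): pre-flight checks for the
# host that will become the RPM repository server, covering the prerequisites
# above: free space under /var/www/html, required packages, the Oracle GPG
# key in the rpm keyring, and Apache answering on port 80. Helpers take their
# inputs as arguments so they can be exercised without root or network access.

REPO_DIR=/var/www/html          # documented repository location
GB_PER_CHANNEL=60               # documented minimum free space per channel

# free_space_ok KB_FREE CHANNELS -> 0 when KB_FREE covers 60 GB per channel.
free_space_ok() {
    need_kb=$(( $2 * GB_PER_CHANNEL * 1024 * 1024 ))
    [ "$1" -ge "$need_kb" ]
}

# parse_df_free_kb -> reads `df -Pk DIR` output on stdin and prints the
# Available column (1K blocks) of the data line.
parse_df_free_kb() {
    awk 'NR == 2 { print $4 }'
}

# missing_packages NAME... -> prints each NAME that rpm -q reports absent.
missing_packages() {
    for p in "$@"; do
        rpm -q "$p" >/dev/null 2>&1 || echo "$p"
    done
}

# mirror_tool_present -> 0 if uln-yum-proxy (Oracle Linux 5) or
# uln-yum-mirror (Oracle Linux 6 and 7) is installed.
mirror_tool_present() {
    rpm -q uln-yum-proxy >/dev/null 2>&1 || rpm -q uln-yum-mirror >/dev/null 2>&1
}

# oracle_key_imported -> 0 when an Oracle key is in the rpm keyring. rpm keeps
# imported keys as gpg-pubkey pseudo-packages whose summary names the owner.
oracle_key_imported() {
    rpm -q gpg-pubkey --qf '%{SUMMARY}\n' 2>/dev/null | grep -qi oracle
}

# apache_ok HOST -> 0 if a web server answers http://HOST/ on port 80 (the
# documented "try connecting to http://host" check, without a browser).
apache_ok() {
    curl -s -o /dev/null --max-time 5 "http://$1/"
}

main() {
    host=${1:-$(hostname -f)}; channels=${2:-1}; rc=0
    kb=$(df -Pk "$REPO_DIR" 2>/dev/null | parse_df_free_kb)
    if free_space_ok "${kb:-0}" "$channels"; then
        echo "OK   $REPO_DIR: ${kb} KB free for $channels channel(s)"
    else
        echo "FAIL $REPO_DIR: need ${GB_PER_CHANNEL} GB free per channel"; rc=1
    fi
    missing=$(missing_packages sudo createrepo yum-arch yum-utils)
    mirror_tool_present || missing="$missing uln-yum-proxy/uln-yum-mirror"
    if [ -z "$missing" ]; then echo "OK   required packages installed"
    else echo "FAIL missing packages:" $missing; rc=1; fi
    oracle_key_imported && echo "OK   Oracle GPG key imported" \
        || { echo "FAIL run: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY"; rc=1; }
    apache_ok "$host" && echo "OK   Apache answers on http://$host/" \
        || { echo "FAIL nothing answered on http://$host/ (port 80)"; rc=1; }
    return $rc
}

# Runs only when explicitly requested, so the functions can be sourced or
# tested without touching the live host:
#   EM_PRECHECK_RUN=1 ./precheck.sh h1.example.com 2
if [ "${EM_PRECHECK_RUN:-}" = 1 ]; then main "$@"; exit $?; fi
```

The second argument is the number of channels you intend to subscribe to, so the free-space check scales with the documented 60 GB per channel.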
Setting Up the RPM Repository for Patching
Log in with super user privileges. To set up an RPM repository that downloads the latest RPM packages and advisories from ULN, follow these steps:
- In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
- On the Patching Setup page, in the Linux Patching Setup tab, click Setup RPM Repository.
- On the Setup RPM Repository page, in the RPM Repository Server section, select the RPM repository server by clicking the search icon. Select the host assigned for subscribing to ULN.
- In the Credentials section, ensure that the Normal Host Credential user has write access to the stage location, and that the Privileged Host Credential user can sudo with root privilege. Click Apply.
- In the Deployment Procedure submission confirmation, click Linux RPM Repository Server Setup. The deployment procedure starts a job to download the latest RPM packages and advisories from the subscribed ULN channels.
- (Optional) If you want to change the refresh mode to 30 seconds, then from the View Data list, select Real Time: 30 Second Refresh.
- In the Steps tab of the Status Detail section, check the status of this step. Wait until the step Installing Up2date is completed or skipped.
- Click the status of the manual step Register with ULN to verify whether your host has been registered to ULN.
  If you have registered your host to ULN, then select the target and click Confirm, and then click Done to go to the main flow.
  If you have not registered your host to ULN, then perform the following steps on your Linux host:
  - Log in to the RPM repository server machine.
  - Check whether your host can connect to ULN. If your host cannot connect to ULN directly, you can configure up2date (for Oracle Linux 5) or uln_register (for Oracle Linux 6 or 7) to use a proxy server. To configure access to ULN through a proxy server, follow these instructions:
    https://linux.oracle.com/uln_faq.html#9
  - Register the host to ULN by following the steps at:
    https://linux.oracle.com/uln_faq.html#2
    Note:
    While registering, you can choose the user name and password. This credential will be used to log in to http://linux.oracle.com
- Click the status of the step Subscribe to ULN channels.
  When you register a Linux server to ULN, it is subscribed to a channel that has the latest Oracle Linux packages for the appropriate architecture. If your host needs no additional channel subscriptions, then select the target and click Confirm, and then click Done to go to the main flow.
  If your host needs additional channel subscriptions, then perform the following steps:
  - Log in to ULN:
  - Click the Systems tab to manage subscriptions for each subscribed server.
  - Subscribe to all the additional channels you need.
    Note:
    - If the createrepo package is not installed on your Linux host, subscribe to the el*_addon or the ol*_addon channel.
    - Ensure that the yum-arch, uln-yum-proxy (for Oracle Linux 5) or uln-yum-mirror (for Oracle Linux 6 or 7), and yum-utils packages are installed on your Linux host. To obtain the yum-arch and the uln-yum-proxy/uln-yum-mirror packages, subscribe to the add-ons channel. To obtain the yum-utils package, subscribe to the latest channel.
  - Verify the list of subscribed channels on ULN.
- Once the deployment procedure ends successfully, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
- On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository to verify whether the ULN channels are displayed in the Cloud Control console.
- On the Manage RPM Repository page, check whether all the subscribed channels are listed and all the packages are downloaded.
Setting Up Linux Patching Group for Compliance Reporting
This section describes how you can set up a Linux Patching group for compliance reporting by associating the group with the RPM Repository (each subscribed ULN channel is a repository) created in Setting Up the RPM Repository for Linux Patching.
In particular, this section describes the following:
Prerequisites for Setting Up Linux Patching Group
Before setting up the Linux Patching Group, meet the following prerequisites:
- Set up the RPM repository server, or set a custom RPM repository as a channel in Cloud Control.
- Install yum on all your Oracle Linux 6 target hosts. Install yum and up2date on all your Oracle Linux 5 target hosts.
- Install sudo on the target hosts.
- Ensure that the Enterprise Manager user logs in to the OMS with super user privileges.
- Ensure that the Enterprise Manager user has the EM_LINUX_PATCHING_ADMIN role and the FULL_LINUX_PATCHING_SETUP privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
Patching Linux Hosts
This section describes how to patch your Linux hosts. It consists of the following:
Note:
Before patching your Linux hosts, ensure that the Enterprise Manager user has the EM_PATCH_DESIGNER role and the OPERATOR_ANY_TARGET privilege. If the Enterprise Manager user does not have these, ensure that the super user grants them.
Applying Patches on a Linux Patching Group Based on Compliance
If the Linux Patching Compliance Home page reports that a particular Linux patching group is not compliant, you can choose to patch the group. To apply patches on this Linux patching group, follow these steps:
Managing Linux Configuration Files
This section describes how you can manage your Linux configuration files. It consists of the following:
Overview of Linux Configuration Files
The configuration file feature enables you to manage your Linux configuration files in an efficient and convenient manner. Using this feature (which is accessible from the Linux Patching home page), you can create a Linux configuration file channel, upload the required Linux configuration files present on your local host (or on a remote host that has a Management Agent deployed on it) to the created channel, then deploy the configuration files present in the channel to a large number of target hosts in a single operation.
This feature saves you the effort of manually copying the required Linux configuration files to each target host. For example, if an HTTP server configuration file that you want to copy to a large number of target hosts is present on your local host, you can use the Linux Patching home page to create a Linux configuration file channel, upload the HTTP server configuration file to this channel, then deploy the file from this channel to the target hosts.
Prerequisites for Managing Configuration Files
Ensure that the Software Library is already configured on the OMS.
Creating a Linux Configuration File Channel
To create a configuration file channel, follow these steps:
Uploading Linux Configuration Files to a Particular Channel
This section describes how you can upload configuration files to a particular channel. In particular, this section covers the following:
Prerequisites for Uploading Linux Configuration Files
Before uploading configuration files to a particular channel, ensure that there exists at least one configuration file on the local host or on a remote host.
Importing Linux Configuration Files from One Channel to Another
This section describes how you can import configuration files from one channel to another. In particular, this section covers the following:
Prerequisites for Importing Linux Configuration Files
Before importing configuration files, ensure that there are at least two channels.
Deploying Linux Configuration Files From a Particular Channel
This section describes how you can deploy configuration files from a particular channel. In particular, this section covers the following:
Prerequisites for Deploying Linux Configuration Files
Before deploying configuration files, meet the following prerequisites:
- Ensure that the privileged patching user has write permission on the target machine location where each configuration file will be staged, and also has sudo privileges.
- Ensure that there is at least one channel with some files uploaded.
Deleting a Linux Configuration File Channel
This section describes how you can delete configuration file channels. In particular, this section covers the following:
Prerequisites for Deleting a Linux Configuration File Channel
Before deleting a configuration file channel, ensure that there is at least one configuration file.
Oracle Grid Infrastructure and Oracle RAC Configuration Support
This section describes the configurations that OPlan supports for patching GI and RAC databases of versions 11.2.0.2 or higher, on Linux X64, Solaris X64, Solaris SPARC and AIX platforms. Enterprise Manager integrates with OPlan to generate the procedure dynamically. If you use OPlan, then the commands that run as root will use the script available in the target Oracle Home. The commands required to run as root depend on the version and the mode of patching.
The following table lists the details:
Table 45-2 Oracle Grid Infrastructure and Oracle RAC Configuration Support
Version | Mode | Command
---|---|---
11.2 | In-Place |
11.2 | Out of Place |
12.1 | In-Place |
12.1 | Out of Place |
Additional Linux Patching Tasks You Can Perform
This section describes the additional tasks you can perform using the Linux Patching Home page:
Viewing Linux Patching Compliance History
This section describes how you can view the compliance history for a selected group, for a specific time period. In particular, this section covers the following:
Prerequisites for Viewing Linux Patching Compliance History
- Ensure that you have defined at least one Linux patching group.
- Ensure that you have View privileges on the Linux hosts comprising the patching group.
Viewing Linux Patching Compliance History
To view the compliance history of a Linux patching group, follow these steps:
- In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
- On the Compliance Home page, from the Related Links section, click Compliance History.
- On the Compliance History page, the Groups table lists all the accessible Linux patching groups and the number of hosts corresponding to each group.
- If there are multiple Linux patching groups, the Compliance History page displays the historical data (for a specific time period) for the first group that is listed in that table.
- To view the compliance history of a Linux patching group, click the View icon corresponding to that group.
Note:
By default, the compliance data that is displayed is retrieved from the last seven days. To view compliance history of a longer time period, select an appropriate value from the View Data drop-down list. The page refreshes to show compliance data for the selected time period.
Patching Non-Compliant Linux Packages
This section describes how you can patch non-compliant packages from the Linux Patching home page. In particular, this section covers the following:
Prerequisites for Patching Non-Compliant Linux Packages
Before patching non-compliant packages, ensure that a Linux Patching group is created and the Compliance Collection job has succeeded.
Patching Non-Compliant Linux Packages
To patch non-compliant packages, follow these steps:
- In the Patch Linux Hosts Wizard, provide the required details in the interview screens, and click Finish on the Review page.
- A deployment procedure is submitted to update the host. Check if all the steps finished successfully.
Rolling Back Linux Patch Update Sessions or Deinstalling Packages
This section describes how you can roll back a patch update session, or even uninstall the unstable version completely in case that patch version is found unsuitable, has a bug, or has a security vulnerability. In particular, this section covers the following:
- Prerequisites for Rolling Back Linux Patch Update Sessions or Deinstalling Packages
- Rolling Back Linux Patch Update Sessions or Deinstalling Packages
Note:
- Rolling back upgrades is supported to a certain extent. When performing an upgrade such as from OEL 5.2 to OEL 5.3, many RPMs that are dependent on others are upgraded. When you apply RPMs, this dependency can be followed. However, when rolling back patch update sessions, this dependency must be followed in reverse order. This reverse operation is not supported by yum or up2date. Hence, you can use the rollback feature to roll back a patch update session, but not to completely roll back a major upgrade such as from OEL 5.2 to OEL 5.3.
- Rolling back upgrades is not supported on hosts running on Oracle Linux 6.
Prerequisites for Rolling Back Linux Patch Update Sessions or Deinstalling Packages
Before rolling back patch update sessions or deinstalling packages, meet the following prerequisites:
- Ensure that a Linux Patching group is created.
- Ensure that the lower versions of the packages are present in the RPM repository.
Registering a Custom Package Channel
This section describes how you can register a custom channel. In particular, this section covers the following:
Prerequisites for Registering a Custom Package Channel
Before registering a custom channel, meet the following prerequisites:
- Ensure that the RPM repository is under /var/www/html and is accessible over HTTP.
- Ensure that Apache is installed and listening on port 80. To verify this, try connecting to the URL http://host, for example http://h1.example.com. If this works, then Apache is installed and listening on port 80.
- Ensure that the metadata files are created by running the yum-arch and createrepo commands.
- Ensure that a Management Agent is installed on the RPM repository host, and that the Management Agent is communicating with the OMS.
- Ensure that the Enterprise Manager user logs in with super user privileges for registering a custom channel.
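To confirm that a channel directory meets these prerequisites before registering it, here is an added example script (not from the Oracle documentation). It assumes the channel directory lives under /var/www/html, and that createrepo, curl and, for Oracle Linux 5 clients, yum-arch are installed on the repository host.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): build and verify the
# metadata of a custom channel directory before registering it in Cloud
# Control. Assumes the directory lives under /var/www/html (so Apache serves
# it) and that createrepo, curl and, for Oracle Linux 5 clients, yum-arch are
# installed on the repository host.

DOCROOT=/var/www/html

# build_channel_metadata DIR -> runs yum-arch (when installed, for up2date
# clients) and createrepo over DIR; returns createrepo's exit status.
build_channel_metadata() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if command -v yum-arch >/dev/null 2>&1; then
        yum-arch "$dir" || return 1
    fi
    createrepo "$dir"
}

# channel_metadata_ok DIR -> 0 when DIR holds what a yum client needs:
# repodata/repomd.xml plus at least one .rpm package somewhere beneath it.
channel_metadata_ok() {
    dir=$1
    [ -f "$dir/repodata/repomd.xml" ] || return 1
    [ -n "$(find "$dir" -name '*.rpm' | head -n 1)" ]
}

# channel_url DIR HOST -> prints the HTTP URL under which Apache exposes DIR;
# fails when DIR is outside DOCROOT, because then Apache does not serve it.
channel_url() {
    dir=$1; host=$2
    case $dir in
        "$DOCROOT"/*) echo "http://$host/${dir#"$DOCROOT"/}" ;;
        *) echo "$dir is not under $DOCROOT" >&2; return 1 ;;
    esac
}

# channel_served_ok URL -> 0 if repomd.xml is reachable over HTTP on port 80.
channel_served_ok() {
    curl -sf -o /dev/null --max-time 5 "$1/repodata/repomd.xml"
}

main() {
    dir=$1; host=${2:-$(hostname -f)}
    build_channel_metadata "$dir" || return 1
    channel_metadata_ok "$dir" || { echo "metadata incomplete in $dir" >&2; return 1; }
    url=$(channel_url "$dir" "$host") || return 1
    if channel_served_ok "$url"; then
        echo "channel ready to register: $url"
    else
        echo "Apache did not serve $url/repodata/repomd.xml" >&2; return 1
    fi
}

# Runs only when requested, so the helpers can be sourced or tested on their own:
#   CHANNEL_CHECK_RUN=1 ./channel_check.sh /var/www/html/ol6_custom h1.example.com
if [ "${CHANNEL_CHECK_RUN:-}" = 1 ]; then main "$@"; exit $?; fi
```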
Cloning a Package Channel
This section describes how you can clone a channel. In particular, this section covers the following:
Prerequisites for Cloning a Package Channel
Before cloning a channel, meet the following prerequisites:
- Ensure that there is at least one channel already present.
- Ensure that there is enough space on the target channel host.
- Ensure that the stage location of the source host does not have a directory named createLikeSrc, and that the directory for the target channel does not exist.
- Ensure that Apache is installed and listening on port 80. To verify this, try connecting to the URL http://host, for example http://h1.example.com. If this works, then Apache is installed and listening on port 80.
- Ensure that the Enterprise Manager user logs in to the OMS with super user privileges.
Copying Packages from One Channel to Another
This section describes how you can copy packages from one channel to another. In particular, this section covers the following:
Prerequisites for Copying Packages from One Channel to Another
Before copying the packages from one channel to another, meet the following prerequisites:
- Ensure that there are at least two channels.
- Ensure that the target channel machine has adequate space.
- Ensure that the stage location of the source host does not have a directory named copyPkgsSrc, and that the stage location of the target host does not have a directory named copyPkgsDest.
- Ensure that Apache is installed and listening on port 80. To verify this, try connecting to the URL http://host, for example http://h1.example.com. If this works, then Apache is installed and listening on port 80.
- Ensure that the Enterprise Manager user logs in to the OMS with super user privileges.
Adding Custom Packages to a Channel
This section describes how you can add custom packages to a channel. In particular, this section covers the following:
Prerequisites for Adding Custom Packages to a Channel
Before you add custom packages to a channel, meet the following prerequisites:
- Ensure that there is at least one channel.
- Ensure that the stage location of the source host does not have a directory named addPkgsSrc, and that the stage location of the destination channel does not have a directory named addPkgsDest.
Deleting a Package Channel
This section describes how you can delete a channel. In particular, this section covers the following:
Prerequisites for Deleting a Package Channel
Before deleting a channel, meet the following prerequisites:
- Ensure that there is at least one channel.
- Ensure that the Enterprise Manager user logs in to the OMS with super user privileges.
Deleting a Package Channel
To delete a channel, follow these steps:
- In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
- On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
- On the Manage RPM Repository page, select the channel name you want to delete, and click Delete.
- If you want to delete the packages from the RPM Repository machine, select the check box and enter the credentials for the RPM Repository machine. Click Yes.
- If you have not selected to delete the packages from RPM Repository machine, you will get a confirmation message stating Package Channel <channel name> successfully deleted. If you have selected the Delete Packages option, a job will be submitted to delete the packages from the RPM Repository machine. Follow the job until it completes successfully.