Chapter 9 Updating Client Systems

This chapter describes how to configure client systems to receive software through Oracle Linux Manager server.

9.1 Subscribing Client Systems to Software Channels

Client systems must subscribe to software channels to receive software update.

9.1.1 Using the Oracle Linux Manager Web Interface

Figure 9.1 Software Channel Subscriptions Page

To subscribe systems to software channels:

  1. Go to Systems and click the system name.

  2. Select Software and then select the Software Channels tab.

  3. Change the child or base software channels to which a system is subscribed.

    • To change the child software channels:

      1. In the Software Channel Subscriptions section, select or deselect the check boxes next to the child software channels to which you want to want to subscribe or unsubscribe the client.

      2. Click Change Subscriptions.

    • To change the base software channel:

      1. In the Base Software Channel section, select the new base software channel.

      2. Click Confirm.

      3. On the Confirm Base Software Channel page, click Modify Base Software Change.

        Note

        Changing the base software channel unsubscribes a system from all other software channels.

9.1.2 Using Commands in a spacecmd Session

To list the base and child software channels to which a system is subscribed, use the system_listbasechannel system-name and system_listchildchannels system-name commands.

To add or remove child channels, use the system_addchildchannels and system_removechildchannels commands. For both commands, a confirmation of the command action is required, as shown in bold in the following example:

spacecmd {SSM:0}> system_removechildchannels svr1.mydom.com ol7_x86_64_addons
Systems
-------
svr1.mydom.com

Removing Channels
-----------------
ol7_x86_64_addons

Is this ok [y/N]: y

spacecmd {SSM:0}> system_addchildchannels svr2.mydom.com ol7_x86_64_playground
Systems
-------
svr2.mydom.com

Adding Channels
---------------
ol7_x86_64_playground

Is this ok [y/N]: y

To list the available base channels, use the softwarechannel_listbasechannels command.

To list the available child channels of a base channel, use the softwarechannel_listchildchannels base-channel-name command, for example:

spacecmd {SSM:0}> softwarechannel_listchildchannels oraclelinux7-x86_64

To change the base channel to which a system is subscribed, use the system_setbasechannel system-name new-base-channel-name command. A confirmation of the command action is required. The following example shows the information that is displayed when you run the command.

spacecmd {SSM:0}> system_setbasechannel svr5.mydom.com oraclelinux7u4-x86_64
System:           svr5.mydom.com
Old Base Channel: oraclelinux7u3-x86_64
New Base Channel: oraclelinux7u4-x86_64

Is this ok [y/N]: y
Note

Changing the base software channel unsubscribes a system from all other software channels.

You can change the subscribed channels for multiple systems by specifying the following arguments in place of a system name. Confirmation of the command actions is required.

  • channel:channel_name: Matches systems that are subscribed to the specified software channel.

  • group:group_name: Specifies the systems in the named system group, for example

    spacecmd {SSM:0}> system_removechildchannels group:group3 ol7_x86_64_playground
    Systems
    -------
    svr1.mydom.com
    svr2.mydom.com
    
    Removing Channels
    -----------------
    ol7_x86_64_playground
    
    Is this ok [y/N]: y
  • search:criterion:value: Matches systems that fulfill a search criterion. See Section 8.2, “Searching for Systems by Using the system_search Command”.

  • ssm: Specifies the systems that are currently in the system set.

9.1.3 Using the spacewalk-channel Command

Use the spacewalk-channel command to subscribe an individual client system to specific software channels. You do not need to be logged into an Oracle Linux Manager server to use this command. The same command is also used to unsubscribe individual client systems from specific software channels.

The command supports the following options:

-c channel, --channel=channel

Specify channel to which to subscribe or unsubscribe.

-a, --add

Subscribe to channel.

-r, --remove

Unsubscribe from channel.

-l, --list

List subscribed channels.

-L, --available-channels

List available channels.

-v, --verbose

Specify verbose output.

-u user_name, --user=user_name

Specify your user name.

-p your_password, --password=your_password

Specify your password.

The following examples show different usages of the spacewalk-channel command:

  • To subscribe a client system to a specific software channel:

    sudo spacewalk-channel --add -c ol7_x86_64_ksplice -u user_name -p your_password
  • To subscribe a client system to multiple software channels:

    sudo spacewalk-channel --add -c ol7_x86_64_ksplice -c ol6_x86_64_ksplice -u user_name -p your_password
  • To unsubscribe a client system from a specific software channel:

    sudo spacewalk-channel --remove -c ol7_x86_64_ksplice -u user_name -p your_password
  • To unsubscribe a client system from multiple software channels:

    sudo spacewalk-channel --remove -c ol7_x86_64_ksplice -c ol6_x86_64_ksplice -u user_name -p your_password 
    

9.2 Applying Available Security Updates and Errata

You can make queries on available updates and errata that can be installed on client systems.

When you apply errata on client channels that have modules and streams defined, the software enforces a filtering mechanism. The filtering action ensures that only errata that are relevant to the modules:streams combination are installed on the client. Oracle Linux Manager correctly installs the errata for individual systems, groups of systems, as well as system sets.

9.2.1 Using the Oracle Linux Manager Web Interface

Figure 9.2 Relevant Errata Page

To list the available security updates and other errata for systems or system groups:

  1. For systems:

    1. Go to Systems and click the system name.

    2. Select Software and then select the Errata tab.

      Alternatively, click Critical or Non-Critical in the System Status pane to display the Relevant Errata page with security advisory or non-critical errata selected for display.

    For system groups:

    1. Go to System Groups and click the system group name.

    2. On the Details page, click work with group.

      Oracle Linux Manager loads the group into the System Set Manager.

    3. In the System Set Manager, select the Errata tab.

  2. On the Relevant Errata List page, select All, Non-Critical, Bug Fix Advisory, Product Enhancement Advisory, or Security Advisory from the pull-down list and click Show.

    • You can filter the list on the Synopsis value or sort the list by clicking Advisory, Synopsis, Status, Affected (system groups only), or Updated.

    • To see more details about an erratum listed under Advisory, select its name.

      The CVEs section lists the CVEs that are fixed by an erratum. Click on a CVE name for more details.

    • To display the packages that are affected by an erratum, select the Packages tab.

    • To display the systems to which you can apply the erratum, select the Affected Systems tab.

  3. Apply errata to systems or system groups:

    1. Select the check boxes for the errata that you want to apply, or click Select All to select all of the listed errata.

    2. Click Apply Errata.

    3. On the Relevant Errata Confirm page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the client, the OSA daemon usually installs the errata packages immediately. Otherwise, rhnsd applies the errata when it next runs on the client.

    4. Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the status and details of the errata update on the client.

9.2.2 Using the system_applyerrata Command

To list the security, bug fix, and product-enhancement advisory errata that are available for a client system, use the system_listerrata command:

To find out more details about an erratum, use the errata_details erratum-name command.

The following example lists the details of ELSA-2017-1095.

spacecmd {SSM:0}> errata_details ELSA-2017-1095
Name: ELSA-2017-1095
Product: Oracle Linux 7
Type: Security Advisory
Issue Date: 4/19/17

Topic
-----


Description
-----------
[32:9.9.4-38.3] - Fix CVE-2017-3136 (ISC change 4575) - Fix
CVE-2017-3137 (ISC change 4578)

CVEs
----
CVE-2017-3136
CVE-2017-3137

Solution
--------
This update is available via the Unbreakable Linux Network (ULN) and
the Oracle Yum Server Server. Details on how to use ULN or http
://yum.oracle.com to apply this update are available at
https://linux.oracle.com/applying_updates.html.

References
----------
https://linux.oracle.com/errata/ELSA-2017-1095.html

Affected Channels
-----------------
ol7-x86_64-u3-patch

Affected Systems
----------------
3

Affected Packages
-----------------
bind-9.9.4-38.el7_3.3:32.x86_64
bind-chroot-9.9.4-38.el7_3.3:32.x86_64
bind-libs-9.9.4-38.el7_3.3:32.i686
bind-libs-9.9.4-38.el7_3.3:32.x86_64
bind-libs-lite-9.9.4-38.el7_3.3:32.i686
bind-libs-lite-9.9.4-38.el7_3.3:32.x86_64
bind-license-9.9.4-38.el7_3.3:32.noarch
bind-pkcs11-9.9.4-38.el7_3.3:32.x86_64
bind-pkcs11-libs-9.9.4-38.el7_3.3:32.i686
bind-pkcs11-libs-9.9.4-38.el7_3.3:32.x86_64
bind-pkcs11-utils-9.9.4-38.el7_3.3:32.x86_64
bind-utils-9.9.4-38.el7_3.3:32.x86_64

To find the errata that fix a CVE, use the errata_findbycve command:

spacecmd {SSM:0}> errata_findbycve CVE-2017-3136

To list the systems to which you could apply an erratum, use the errata_listaffectedsystems command:

spacecmd {SSM:0}> errata_listaffectedsystems ELSA-2017-1095

To apply an erratum to a system, use the following syntax:system_applyerrata sys command. Confirmation of command actions is required.

system_applyerrata system erratum-name

The following example applies the command to ELSA-2017-1095 for the server svr1.mydom.com:

spacecmd {SSM:0}> system_applyerrata svr1.mydom.com ELSA-2017-1095
Start Time [now]:
Errata Systems
-------------- -------
ELSA-2017-1095 1

Start Time: 20170421T10:01:40

Apply these errata [y/N]: y
INFO: Scheduled 1 system(s) for ELSA-2017-1095

You can apply errata to multiple systems by specifying the following arguments in place of a system name:

  • channel:channel_name: Matches systems that are subscribed to the specified software channel.

  • group:group_name: Specifies the systems in the named system group.

  • search:criterion:value: Matches systems that match a search criterion. See Section 8.2, “Searching for Systems by Using the system_search Command”.

  • ssm: Specifies the systems that are currently in the system set, for example:

    spacecmd {SSM:0}> ssm_add svr2.mydom.com svr3.mydom.com
    spacecmd {SSM:2}> system_applyerrata ssm ELSA-2017-1095

9.3 Managing Client Packages for Systems

Managing packages for client systems involves listing, removing, instsalling, and upgrading packages and all other related administrative tasks.

When you upgrade packages on channels that have modules and streams defined, the software enforces a filtering mechanism. The filterring action ensures that only those packages that are relevant to the modules:streams combination are installed on the client. Oracle Linux Manager correctly installs the packages for individual systems, groups of systems, as well as system sets.

Note

The upgrade functionality applies only to packages and errata that are provided by Oracle Linux. The functionality does not work with errata from third party vendors or with those that were created by the customer.

9.3.1 Using the Oracle Linux Manager Web Interface

Figure 9.3 Packages Page

To manage packages for a system:

  1. Go to Systems and click the system name.

  2. Select Software.

  3. On the Packages page, select the tab or link for the package operation that you want to perform:

    List/Remove

    1. On the Removable Packages page, select the packages that you want to remove and click Remove Packages.

    2. On the Confirm Package Removal page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually removes the packages immediately.

      Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the details and status of the package removals.

    Upgrade

    1. On the Upgradable Packages page, select the packages that you want to upgrade and click Upgrade Packages.

    2. On the Confirm Package Upgrade page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually upgrades the packages immediately.

      Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the details and status of the package upgrades.

    Install

    1. On the Installable Packages page, select the packages that you want to install and click Install Selected Packages.

      To see more information about a package, click its name.

      The Details page for the package lists any errata that include the package. To find out more information about an erratum, click its name.

      The Details page for the erratum lists the CVEs that the erratum fixes. To find out more information about a CVE, click its name.

    2. On the Confirm Package Install page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually installs the packages immediately.

      Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the details and status of the package installations.

    Verify

    1. On the Verifiable Packages page, select the packages that you want to verify and click Verify Selected Packages.

    2. On the Confirm Package Verification page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually verifies the packages immediately.

      Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the details and status of the package verifications.

    Profiles

    On the Profiles page, you can do the following:

    • Create a package profile from the set of packages that are currently installed on the system:

      1. Click Create System Profile.

      2. On the Create Stored Profile page, enter a name and description for the profile and then click Create Profile.

    • Compare the packages installed on this system with a stored package profile for this system or for another system:

      • In the Compare to Stored Profile section, select the profile name from the pull-down list and click Compare.

    • Compare the packages installed on this system with those installed on another system:

      • In the Compare to System section, select the system name from the pull-down list and click Compare.

    Extra Packages

    The Extra Packages page displays packages that are installed on a system, but which are not present in any of the subscribed channels.

    Note

    If you registered an existing system, such as the Oracle Linux Manager server itself, as a client, some of the installed packages might not be present in any subscribed channel.

    If Oracle Linux Manager server is a client of itself, Oracle recommends that you synchronize Oracle Linux Manager server repository and associate it with the server so that the server receives Oracle Linux Manager server software updates.

    If one or more packages should not have been installed on a system:

    1. Select the packages that you want to remove and click Remove Packages.

    2. On the Confirm Package Removal page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually removes the packages immediately.

      Select Events and then select the Pending or History tab to view scheduled or completed actions. Click the summary name to display the details and status of the package removals.

9.3.2 Using Commands in a spacecmd Session

Inside a spacecmd session, you can use various commands to manage client packages.

To create a package profile from the set of packages that are currently installed on a system, use the system_createpackageprofile command, for example:

spacecmd {SSM:0}> system_createpackageprofile svr1.mydom.com -n svr1-profile1 -d "svr1 profile 1"

To compare the packages installed on this system with a stored package profile for this system or for another system, use the system_comparepackageprofile command as follows:

spacecmd {SSM:0}> spacecmd {SSM:0}> system_comparepackageprofile svr2.mydom.com svr1-profile1

Use the same command to compare the packages installed on this system with those installed on another system, for example:

spacecmd {SSM:0}> system_comparepackages svr1.mydom.com svr2.mydom.com

To display the details of an installable package, use the package_details package-name command, for example:

spacecmd {SSM:0}> package_details zsh

To install a package on a system, use the system_installpackage system-name package-name command. A command confirmation is required, for example:

spacecmd {SSM:0}> system_installpackage svr1.mydom.com zsh
svr1.mydom.com:
** Generating package cache **
zsh-4.3.10-9.el6.x86_64       

Install these packages [y/N]: y
INFO: Scheduled 1 system(s)

Use schedule_list to list pending actions the system needs to perform, including package installation. Each schedule has a corresponding event ID number. To obtain details about a specific scheduled event, use the schedule_details event-ID

To list the package upgrades that are available for a system, use the system_listupgrades command:

spacecmd {SSM:0}> system_listupgrades svr1.mydom.com

To upgrade the packages on a system, use the system_upgradepackage system-name [ackage-name command. For names of packages, you can use a wildcard (*). Note that a confirmation of the command action is required.

spacecmd {SSM:0}> system_upgradepackage svr1.mydom.com *

To remove a package from a system, use the system_removepackage command. Prompts for confirmation are displayed during the process.

spacecmd {SSM:0}> system_removepackage svr1.mydom.com busybox*

9.4 Managing Packages for System Groups

This section describes how to manage packages for multple systems that belong to a group.

9.4.1 Using the Oracle Linux Manager Web Interface

Figure 9.4 Package Operations Page

To manage packages for system groups, follow these steps:

  1. Go to System Groups and click the system group name.

  2. On the Details page, click work with group.

    Oracle Linux Manager loads the group into the System Set Manager.

  3. In the System Set Manager, select the Packages tab.

  4. On the Package Operations page, select the tab or link for the package operation that you want to perform:

    Install

    1. On the Select Channel page, select the channel that contains the packages that you want to install on the systems in the system group.

    2. On the Select Packages to Install page, select the packages that you want to install and click Install Selected Packages.

      To see more information about a package, click its name.

      The Details page for the package lists any errata that include the package. To find out more information about an erratum, click its name.

      The Details page for the erratum lists the CVEs that the erratum fixes. To find out more information about a CVE, click its name.

    3. On the Confirm Package Install page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually installs the packages immediately.

      The Tasks Log page in the System Set Manager shows the status of the package installations.

    Remove

    1. On the Package Removal page, select the packages that you want to remove and click Remove Selected Packages.

    2. On the Confirm Package Removal page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually removes the packages immediately.

      The Tasks Log page in the System Set Manager shows the status of the package removals.

    Upgrade

    1. On the Select Packages to Upgrade page, select the packages that you want to upgrade and click Upgrade Selected Packages.

    2. On the Confirm Package Upgrade page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually upgrades the packages immediately.

      The Tasks Log page in the System Set Manager shows the status of the package upgrades.

    Verify

    1. On the Verifiable Packages page, select the packages that you want to verify and click Verify Selected Packages.

    2. On the Confirm Package Verification page, change the schedule if required, and click Confirm.

      The page updates to include a link to the scheduled action.

      If you have not edited the schedule and you have enabled the OSA daemon on the clients, the OSA daemon usually verifies the packages immediately.

      The Tasks Log page in the System Set Manager shows the status of the package verifications.

9.4.2 Using Commands in a spacecmd Session

Compare the packages that are installed on the systems in a system group with a stored package profile by using the system_comparepackageprofile command, as shown in the following example:

spacecmd {SSM:0}> system_comparepackageprofile group:group1 svr1-profile1

To install a package on the systems in a system group, use the following syntax:

system_installpackage system-name

The command requires confirmation of the action to be performed, as shown in bold in the following example:

system_installpackage svr3.mydom.com
svr3.mydom.com:
zsh-4.3.10-9.el6.x86_64

##############################

svr4.mydom.com:
zsh-4.3.10-9.el6.x86_64

Install these packages [y/N]: y
INFO: Scheduled 2 system(s)

To list the package upgrades that are available for the systems in a system group, use the system_listupgrades group:group-name command:

To upgrade the packages on the systems in a system group, use the system_upgradepackage group:group-name command. A command action confirmation is reuquired.

spacecmd {SSM:0}> system_upgradepackage group:group1 *
svr3.mydom.com:
bash-4.1.2-29.el6.0.1.x86_64
wget-1.12-5.el6_6.1.x86_64

##############################

svr4.mydom.com:
wget-1.12-5.el6_6.1.x86_64

Install these packages [y/N]: y
INFO: Scheduled 2 system(s)

To remove a package from the systems in a system group, use the system_removepackage command. Ensure that you confirm the action when prompted.

spacecmd {SSM:0}> system_removepackage svr1.mydom.com busybox*