Chapter 9. Managing Errata
As a part of Red Hat’s quality control and release process, we provide customers with updates for each release of official Red Hat RPMs. Red Hat compiles groups of related package into an erratum along with an advisory that provides a description of the update. There are three types of advisories (in order of importance):
- Security Advisory
- Describes fixed security issues found in the package. The security impact of the issue can be Low, Moderate, Important, or Critical.
- Bug Fix Advisory
- Describes bug fixes for the package.
- Product Enhancement Advisory
- Describes enhancements and new features added to the package.
Red Hat Satellite 6 imports this errata information when synchronizing repositories with Red Hat’s Content Delivery Network (CDN). Red Hat Satellite 6 also provides tools to inspect and filter errata, allowing for precise update management. This way, you can select relevant updates and propagate them through Content Views to selected content hosts.
Errata are labeled according to the most important advisory type they contain. Therefore, errata labeled as Product Enhancement Advisory can contain only enhancement updates, while Bug Fix Advisory errata can contain both bug fixes and enhancements, and Security Advisory can contain all three types.
In Red Hat Satellite, there are two keywords that describe an erratum’s relationship to the available content hosts:
- Applicable
- Erratum applies to one or more content hosts, which means it updates packages present on the content host. Applicable errata are not yet accessible by the content host.
- Installable
- Erratum applies to one or more content hosts and it has been made available to the content host. Installable errata are present in the content host’s life cycle environment and Content View, but are not yet installed. This way, errata can be installed by users who have permissions to manage content hosts, but are not entitled for errata management at higher levels.
This chapter shows how to manage errata and apply them to either a single system or multiple systems.
Install the katello-agent
package on hosts registered to Satellite Server. This package provides the necessary services for errata management.
9.1. Managing Errata with Content Views
Red Hat Satellite 6 provides various methods to manage and apply errata. As discussed in Section 7.4, “Content Filters”, we can use Content Views and content filters to limit errata. Such filters include:
- ID - We can create a filter to select specific erratum to allow into our resulting repositories.
- Date Range - We can define a date range and include a set of errata released during that date range.
- Type - We can select the type of errata to include such as bug fixes, enhancements, and security updates.
As an example, we can create a content filter to exclude errata after a certain date. This ensures our production systems in the application life cycle are kept up to date to a certain point. Then we can modify the filter’s start date to introduce new errata into our testing environment. This is so we can test the compatibility of new packages into our application life cycle.
For instructions on creating a content filter, see Section 7.4.1, “Creating a Content Filter”.
When a Content View contains errata, we can apply it to our systems. Each system registered to your Red Hat Satellite 6 includes an errata management screen where you can apply multiple errata to the system. In addition, Red Hat Satellite 6 contains an errata management feature where you can search, review, and apply errata to multiple systems.
9.2. Inspecting Available Errata
The following procedure describes how to view and filter the available errata and how to display metadata of the selected advisory.
- Navigate to Content > Errata to view the list of available errata.
Use the filtering tools at the top of the page to limit the number of displayed errata:
- Select the repository to be inspected from the list. All Repositories is selected by default.
- The Applicable check box is selected by default to view only errata applicable to the selected repository. Select the Installable check box to view only errata marked as installable.
- To search the table of errata, type the query in the Search field in the form of:
parameter operator value
See Table 9.1, “Parameters Available for Errata Search” for the list of parameters available for search. Find the list of applicable operators in Supported Operators for Granular Search in Administering Red Hat Satellite. Automatic suggestion works as you type. You can also combine queries with the use of and and or operators. For example, to display only security advisories related to the kernel package, type:
type = security and package_name = kernel
Press Enter to start the search.
Click the Errata ID of the erratum you want to inspect:
- The Details tab contains the description of the updated package as well as documentation of important fixes and enhancements provided by the update.
- On the Content Hosts tab, you can apply the erratum to selected content hosts as described in Section 9.4, “Applying Errata to Multiple Systems”.
- The Repositories tab lists repositories that already contain the erratum. You can filter repositories by the environment and Content View, and search for them by the repository name.
Parameter | Description | Example |
---|---|---|
bug | Search by the Bugzilla number. | bug = 1172165 |
cve | Search by the CVE number. | cve = CVE-2015-0235 |
id | Search by the errata ID. The auto-suggest system displays a list of available IDs as you type. | id = RHBA-2014:2004 |
issued | Search by the issue date. You can specify the exact date, like "Feb16,2015", or use keywords, for example "Yesterday", or "1 hour ago". The time range can be specified with the use of the "<" and ">" operators. | issued < "Jan 12,2015" |
package | Search by the full package build name. The auto-suggest system displays a list of available packages as you type. | package = glib2-2.22.5-6.el6.i686 |
package_name | Search by the package name. The auto-suggest system displays a list of available packages as you type. | package_name = glib2 |
severity | Search by the severity of the issue fixed by the security update. Specify Critical, Important, or Moderate. | severity = Critical |
title | Search by the advisory title. | title ~ openssl |
type | Search by the advisory type. Specify security, bugfix, or enhancement. | type = bugfix |
updated |
Search by the date of the last update. You can use the same formats as with the | updated = "6 days ago" |
9.3. Applying Errata to Individual Systems
For this procedure, we aim to apply some errata to a system. This procedure follows on from Section 8.2, “Using Activation Keys” and assumes you registered a test Red Hat Enterprise Linux 7 system to your Satellite Server. In this example, we aim to apply the following erratum:
Errata ID: RHSA-2016:0008 Title: Moderate: openssl security update Type: security Severity: Moderate Issued: 2016-01-07 Updated: 2016-01-07 Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.
For Web UI Users
Navigate to Hosts > Content Hosts and click on your test system. Navigate to the Errata tab. Due to the filter set up in Section 7.4.1, “Creating a Content Filter”, a list of security errata appears.
Let’s apply errata for OpenSSL. Navigate to the search bar and enter title ~ openssl
. This searches for any errata with openssl
in the title. Select the RHSA-2016:0008
errata and click Apply Selected. A confirmation message appears. Click Apply.
Satellite Server starts a task to update all packages associated with the selected errata. When the task completes, Satellite Server lists the packages updated and their new versions in the Details section. For example:
1:openssl-1.0.1e-51.el7_2.2.x86_64 1:openssl-libs-1.0.1e-51.el7_2.2.x86_64
Log in to the client system and confirm the errata updates:
[root@client ~]# yum list openssl openssl-libs
For CLI Users
List the OpenSSL errata for the client system:
# hammer host errata list \ --host client.example.com \ --search "title ~ openssl" \ --organization "ACME"
Apply the most recent erratum to the client system. Identify the erratum to apply using the Errata ID:
# hammer host errata apply \ --host client.danssat.net \ --errata-ids RHSA-2016:0008 \ --organization "ACME"
Log in to the client system and confirm the errata updates:
[root@client ~]# yum list openssl openssl-libs
9.4. Applying Errata to Multiple Systems
The Red Hat Satellite 6 Web UI provides an errata management tool to help review and apply errata to multiple systems. For this example, we use the same erratum (RHSA-2016:0008
) from Section 9.3, “Applying Errata to Individual Systems”.
For Web UI Users
Navigate to Content > Errata. This displays all errata from synchronized repositories. In addition, the Content Host Counts shows the number of registered hosts that can apply and install each erratum.
Let’s apply a single OpenSSL errata to our systems through this tool. Navigate to the search field and enter title ~ openssl
. This shows all errata relating to OpenSSL. Although this includes bug fixes and enhancements, note that Satellite Server cannot install these errata to our test system due to the filter we created in Section 7.4.1, “Creating a Content Filter”.
Click on the most recent OpenSSL errata. In our example, this is RHSA-2016:0008
.
The Details screen for this erratum appears and provides a description of what the erratum resolves.
Navigate to the Content Hosts subtab. This displays a list of all applicable systems for this errata. We select Only show content hosts where the errata is currently installable in the host’s Lifecycle Environment to limit this list to systems that can actually install the errata.
Select our test system and click Apply to Hosts. A confirmation screen appears regarding the errata installation. Click Confirm.
Satellite Server starts a task to update the erratum’s packages for each selected system. When the task completes, log in to the client system and confirm the errata updates:
[root@client ~]# yum list openssl openssl-libs
For CLI Users
Although the CLI does not have the same tools as the Web UI, you can replicate a similar procedure with CLI commands.
List all OpenSSL errata:
# hammer erratum list --search "title ~ openssl" --organization "ACME"
Search again, restricting the list to installable errata:
# hammer erratum list \ --errata-restrict-installable true \ --search "title ~ openssl" --organization "ACME"
Find out details about this errata:
# hammer erratum info --id RHSA-2016:0008
List the systems that this erratum is applicable:
# hammer host list \ --search "applicable_errata = RHSA-2016:0008" \ --organization "ACME"
Apply the errata to a single system:
# hammer host errata apply \ --host client.example.com \ --errata-ids RHSA-2016:0008
Enter the following command for each client system and replace --host
with the name of the system for each execution.
# for HOST in `hammer \ --csv --csv-separator "|" host list \ --search "applicable_errata = RHSA-2016:0008" \ --organization "ACME" | tail -n+2 | awk \ -F "|" '{ print $2 }'` ; do echo \ "== Applying to $HOST ==" ; hammer host errata apply \ --host $HOST --errata-ids RHSA-2016:0008 ; done
This command identifies all hosts with RHSA-2016:0008 as an applicable erratum and then applies the erratum to each host.
Log in to the client system and confirm the errata updates:
[root@client ~]# yum list openssl openssl-libs
9.5. Subscribing to Errata Notifications
You can configure email notifications for Satellite users as described in Configuring Email Notifications in Administering Red Hat Satellite. Users can receive a summary of applicable and installable errata, notifications on Content View promotion or after synchronizing a repository.
9.6. Chapter Summary
This chapter provided some guidelines on how Red Hat Satellite 6 manage errata and applies them to systems.
The next chapter explores container management in Red Hat Satellite 6.