Oracle® Enterprise Manager Lifecycle Management Administrator's Guide 12c Release 2 (12.1.0.2) Part Number E27046-08
This chapter explains how you can patch Linux hosts using Oracle Enterprise Manager Cloud Control (Cloud Control). In particular, this chapter covers the following:
Note:
To understand how you can use Enterprise Manager Ops Center to update or patch the Linux hosts, refer to the chapter on updating operating systems in the Oracle Enterprise Manager Ops Center Provision and Update Guide.
Linux Host Patching is a feature in Cloud Control that helps in keeping the hosts in an enterprise updated with security fixes and critical bug fixes, especially in a data centre or a server farm. This feature in Cloud Control enables you to:
Set up Linux RPM Repository based in Unbreakable Linux Network (ULN) channels
Download Advisories (Erratas) from ULN
Set up Linux Patching Group to update a group of Linux hosts and collect compliance information
Allow non-compliant packages to be patched
Rollback/Uninstall packages from host
Manage RPM repositories and channels (clone channels, copy packages from one channel into another, delete channels)
Add RPMs to custom channels
Manage Configuration file channels (create/delete channels, upload files, copy files from one channel into another)
The following are concepts related to Linux patching:
Linux Host | A host target in Cloud Control that is running the Linux operating system. |
Linux Patching Group | A set of managed Linux hosts that are associated with a common RPM repository. Every group is configured with an update schedule according to which, a recurring job is triggered that will update the hosts of the group with the associated RPM repositories. |
Unbreakable Linux Network (ULN) | Unbreakable Linux Network (ULN) is a Web site hosted by Oracle to provide updates for Oracle Linux. |
ULN Channel | A channel is a grouping of RPM packages on the ULN network. For example, el4_latest channel contains all packages for OEL 4. |
RPM Repository | RPM repository is a directory that contains RPM packages and their metadata (extracted by running yum-arch and createrepo). The RPM repository is accessible via http or ftp. An RPM repository can be organized to contain packages from multiple channels.
For example, /var/www/html/yum/Enterprise/EL4/latest might contain packages from the el4_latest channel on ULN. |
Custom Channel | A channel that is created by the user to store a set of custom RPM packages. Custom channels can be added to the RPM repository. |
Configuration Channel | A channel that is created by the user to store a set of Linux configuration files. Configuration channels can be used in the Linux patching application GUI to deploy configuration files on Linux hosts. |
Cloud Control provides the following deployment procedures for Linux patching:
Patch Linux Hosts
This deployment procedure enables you to patch Linux hosts.
Linux RPM Repository server setup
This deployment procedure enables you to set up a Linux RPM repository server. To set up the Linux RPM repository server, refer to Setting Up the RPM Repository.
The following releases are supported for Linux patching:
Feature | Linux Distributions Supported |
---|---|
Compliance | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 |
Update Job | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, SuSE Linux |
Emergency Patching | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 |
Linux Patching Deployment Procedures | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, SuSE Linux |
Undo Patching | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 |
Channel management | Oracle Linux 4, Oracle Linux 5, Oracle Linux 6, Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 |
This section describes the setup requirements for Linux patching. In particular, this section describes the following:
To use the Linux Patching feature, meet the following prerequisites:
Meet the basic prerequisites described in Chapter 2.
Deploy the PAR files from the Oracle Management Service (OMS) host:
${OMS_ORACLE_HOME}/bin/PARDeploy -action deploy -parDir
Install yum or up2date on all target hosts, and enable SUDO for the patch user.
Ensure that the patch user credentials to be used for patching have write access under Oracle home directory of the Management Agent.
Ensure that the operating system credentials used to create groups and set up repository have SUDO as root privilege.
Enable the following commands through SUDO:
/bin/cp
/bin/rm
/bin/chmod
/sbin/chkconfig
yum
up2date
sed
rpm
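
An added example, not part of Oracle's documentation: a POSIX shell check that reads sudo -l output and reports which of the commands listed above are not granted to the patch user. The function names, the user patchuser, the host host01 and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Oracle code): check `sudo -l` output for the commands the
# prerequisites above require. All function and variable names are hypothetical.

# The page gives yum, up2date, sed and rpm without a path, so commands are
# compared by basename.
REQUIRED_CMDS="cp rm chmod chkconfig yum up2date sed rpm"

# Reads `sudo -l` output on stdin and prints the basename of every granted
# command, one per line, or ALL for an unrestricted rule.
# Assumes each rule sits on one line that starts with the run-as spec.
granted_cmds() {
    grep -E '^[[:space:]]*\(' |
    sed -e 's/^[[:space:]]*([^)]*)[[:space:]]*//' -e 's/[A-Z_]*:[[:space:]]*//g' |
    tr ',' '\n' |
    while read -r cmd _args; do
        case "$cmd" in
            '')  continue ;;          # empty field
            \!*) continue ;;          # negated entry: a denial, not a grant
            ALL) echo ALL ;;
            *)   basename "$cmd" ;;
        esac
    done
}

# Prints the required commands that no rule grants, space separated.
# Empty output means every required command is covered.
missing_sudo_cmds() {
    granted=$(granted_cmds)
    missing=""
    for want in $REQUIRED_CMDS; do
        found=no
        for have in $granted; do
            if [ "$have" = ALL ] || [ "$have" = "$want" ]; then
                found=yes
                break
            fi
        done
        [ "$found" = yes ] || missing="$missing $want"
    done
    echo "${missing# }"
}

# Constructed sample of `sudo -l` output for a hypothetical user and host.
SAMPLE_SUDO_L='User patchuser may run the following commands on host01:
    (root) NOPASSWD: /bin/cp, /bin/rm, /bin/chmod, /sbin/chkconfig
    (root) /usr/bin/yum, /bin/rpm, !/bin/sed'

# On a real host, replace the sample with: sudo -l -U <patch user> | missing_sudo_cmds
echo "missing: $(printf '%s\n' "$SAMPLE_SUDO_L" | missing_sudo_cmds)"
```

The sample grants sed only as a negated entry and omits up2date, so the script reports both. Since cp, rm, chmod and sed under sudo can overwrite any file on the host, the patch user's credentials warrant the same handling as root's.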
This section describes how you can set up the RPM repository. In particular, this section describes the following:
Before setting up the RPM repository, meet the following prerequisites:
Identify a Red Hat or OEL host, install a Management Agent on it, and point the agent to the OMS. This host must have the sudo package installed.
Obtain a valid Customer Support Identifier (CSI) number from your Oracle sales representative.
Download the up2date packages corresponding to the host version and release from https://linux.oracle.com/switch.html.
Upload the up2date packages to the Software Library.
Note:
For a multi-OMS setup, the following steps only need to be performed on one OMS.
First compress up2date and up2date-gnome into a zip file and name it up2date_comp.zip.
Copy the zip file to the <ORACLE_HOME>/sysman/metadata/swlib/patch/stageServerComponents directory present in the Oracle home of the OMS.
Edit the Patch Software Library entities metadata file swlib.xml under the <ORACLE_HOME>/sysman/metadata/swlib/patch directory present in the Oracle home of the OMS to upgrade the ExternalID of the Software Library entity Up2date Package Component.
Upload the zip file to Software Library by running the following command:
$ emctl register oms metadata -service swlib -file $ORACLE_HOME/sysman/metadata/swlib/patch/swlib.xml -core
Ensure that the ULN staging host can communicate with the ULN network. If a proxy is required, up2date on the host must be configured to use it as well. The up2date --register --nox command depends on this connectivity with ULN.
The patch user (the OS credentials used to set up the staging server) must have write permission under the agent home. The patch user must also have SUDO privilege.
To set up an RPM Repository that downloads latest RPM packages and advisories from ULN, follow these steps.
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Setup RPM Repository.
On the Setup RPM Repository page, in the RPM Repository Server section, select the RPM Repository server by clicking the search icon. Select the host assigned for subscribing to ULN.
In the Credentials section, enter the user name and password to use. Click Apply.
In the Deployment Procedure submission confirmation, click Linux RPM Repository Server Setup. The deployment procedure starts a job to download latest RPM packages and Advisories from the subscribed ULN channels.
(Optional) If you want to change the refresh mode to 30 seconds, then from the View Data list, select Real Time: 30 Second Refresh.
In the Steps tab of the Status Detail section, check the status of this step. Wait till the step Installing Up2date is completed or skipped.
Click the status of the step Register with ULN. In the Phase Status page, do the following:
Log in to the RPM Repository server machine.
Configure up2date to use a proxy server, if any, by following the instructions at:
https://linux.oracle.com/uln_faq.html - 9
Register the host to ULN by following the steps at:
https://linux.oracle.com/uln_faq.html - 2
Note:
While registering, you can choose the user name and password. This credential will be used to log in to http://linux.oracle.com
After registering the host, select the target and click Confirm, and then click Done to go to the main flow.
Click the status of the step Subscribe to ULN channels. In the Phase Status page, do the following:
When you register a server, it will be subscribed to a channel that has the latest Enterprise Linux packages for the appropriate architecture. To subscribe to additional channels, log in to http://linux.oracle.com after you register your system. Click on the Systems tab to manage subscriptions for each subscribed server.
Subscribe either to el*_addon channel (this channel contains createrepo) or manually install the createrepo package.
Type the command up2date --nox --show-channels to verify the list of subscribed channels.
Once the deployment procedure ends successfully, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository to verify if the ULN channels are displayed in the Cloud Control console.
On the Manage RPM Repository page, check if all the subscribed channels are listed and if all the packages are downloaded.
This section describes how you can set up a Linux Patching group for compliance reporting by associating the group with the RPM Repository (each subscribed ULN channel is a repository) created in Setting Up the RPM Repository.
In particular, this section describes the following:
Before setting up the Linux Patching Group, meet the following prerequisites:
RPM Repository server must be set up or a custom RPM Repository must be set as a channel in Cloud Control.
Yum or up2date should be installed in the target hosts.
Sudo must be installed on the target hosts.
You must have Operator privileges on the hosts that you want to add to the Linux host patching group.
Patch user must have write access under the agent home. Patch user must have sudo privilege.
To set up a Linux patching group, do the following:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Setup Groups.
On the Setup Groups page, click Create.
On the Create Group: Properties page, enter a unique name for the group. Select the maturity level, Linux distribution, and Linux hosts to be added to the group.
Click Next.
On the Create Group: Package Repositories page, select the RPM Repositories to be associated with the group (click the search icon to select repository).
Select Automatically Update Hosts if you want to auto-update the host, that is, to schedule an update job (the schedule is specified in one of the subsequent steps) that updates all non-compliant packages from the selected package repository.
Under the Package Compliance section, choose whether to include Rogue packages in compliance reporting or not.
Click Next.
On the Create Group: Credentials page, enter the host credentials or choose to use preferred credentials.
Click Next.
On the Create Group: Patching Script page, enter any pre/post patching operations to be done. This is not a mandatory step.
Note:
Steps (10), (11), (12), (13) will be skipped if Automatically Update Hosts was not selected.
Click Next.
On the Schedule page, set the schedule for the update job.
Click Next.
On the Review page, validate all the parameters.
Click Finish.
Note:
If you had not selected the Automatically Update Hosts option, then three jobs are submitted. If the option was selected, then four jobs are submitted. Table 25-2 explains the jobs submitted. Follow the jobs submitted by clicking the job's link.
From the Enterprise menu, select Provisioning and Patching, then select Linux Patching. Verify the compliance report generated. The group created will have at least one out-of-date package.
Table 25-2 Jobs Submitted for Setting Up Linux Patching Group
Job | Description |
---|---|
Patching Configuration | This job configures all the hosts for patching. It creates configuration files to be used by the yum and up2date tools. |
Compliance Collection | Compares the packages already installed in the machine with the package versions in the selected RPM Repositories and generates Compliance Reports. |
Package Information | Collects metadata information from the selected RPM Repositories. |
Packages Update | Updates non-compliant packages. |
To patch the Linux hosts, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Procedure Library.
On the Deployment Procedure Manager page, in the Procedure Library tab, select Patch Linux Hosts, and click Launch.
On the Package Repository page, in the LINUX Distribution section, select the correct distribution and also select the update tool to use.
In the Package Repository section, click the torch icon to select the RPM Repository.
Click Next.
On the Select Updates page, select the packages to be updated.
Click Next.
On the Select Hosts page, select the targets to be updated. You can also select a group by changing the target type to group.
Click Next.
On the Credentials page, enter the credentials to be used for the updates.
Click Next.
On the Pre/Post script page, enter the pre/post scripts, if any.
Click Next.
On the Schedule page, enter the schedule to be used.
Click Next.
On the Review page, review the update parameters. Click Finish.
A deployment procedure is submitted to update the selected packages. Follow all the steps of the procedure until it completes successfully.
This section describes the following tasks you can perform on the Linux Patching Home page:
This section describes how you can view the compliance history for a selected group, for a specific time period. In particular, this section covers the following:
Ensure that you have defined at least one Linux patching group.
Ensure that you have View privileges on the Linux host comprising the patching group.
To view the compliance history of a Linux patching group, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Compliance Home page, from the Related Links section, click Compliance History.
On the Compliance History page, the Groups table lists all the accessible Linux patching groups and the number of hosts corresponding to each group.
If there are multiple Linux patching groups, the Compliance History page displays the historical data (for a specific time period) for the first group that is listed in that table.
To view the compliance history of a Linux patching group, click the View icon corresponding to that group.
Note:
By default, the compliance data that is displayed is retrieved from the last seven days. To view compliance history of a longer time period, select an appropriate value from the View Data drop-down list. The page refreshes to show compliance data for the selected time period.
This section describes how you can patch non-compliant packages from the Linux Patching home page. In particular, this section covers the following:
Before patching non-compliant packages, ensure that a Linux Patching group is created and the Compliance Collection job has succeeded.
To patch non-compliant packages, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, in the Compliance Report section, select the Group and click Schedule Patching.
In the Patch Linux Hosts Wizard, provide the required details in the interview screens, and click Finish on the Review page.
A deployment procedure is submitted to update the host. Check if all the steps finished successfully.
Note:
Rolling back upgrades is supported to a certain extent. When performing an upgrade such as from OEL 5.2 to OEL 5.3, many RPMs that are dependent on others are upgraded. When you apply RPMs, this dependency can be followed. However, when rolling back patches, this dependency must be followed in reverse order. This reverse operation is not supported by YUM or up2date. Hence, you can use the rollback feature to roll back one or two packages, but not to completely roll back a major upgrade such as from OEL 5.2 to OEL 5.3.
This section describes how you can roll back a patch to its previous stable version, or even uninstall the unstable version completely in case that patch version is found unsuitable or has a bug or security vulnerability. In particular, this section covers the following:
Before rolling back or deinstalling the packages, meet the following prerequisites:
Ensure that a Linux Patching group is created.
Ensure that the lower version of the package is present in the RPM repository.
To roll back or uninstall the packages, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, in the Compliance Report section, select a group, and click Undo Patching.
On the Undo Patching: Action page, select an appropriate option:
Uninstall Packages, deinstalls a package.
Rollback Packages, rolls back to an earlier version/release of a package. To perform this operation, more than one version/release of that package should be present in the packages repositories.
Rollback Last Update Session, reverts the effects of the previous patch update session.
Click Next.
Provide the required details in the wizard, and on the Review page, click Finish.
A job is submitted to rollback the updates done in the previous session.
Examine the job submitted to see if all the steps are successful.
This section describes how you can register a custom channel. In particular, this section covers the following:
Before registering a custom channel, meet the following prerequisites:
Ensure that the RPM Repository is under /var/www/html and is accessible through HTTP protocol.
Ensure that metadata files are created by running yum-arch and createrepo commands.
Ensure that a Management Agent is installed on the RPM repository host, and ensure that Management Agent is communicating with the OMS.
To register a custom RPM Repository, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
On the Manage Repository Home page, click Register Custom Channel.
On the Register Custom Channel page, enter a unique channel name.
Click Browse and select the host where the custom RPM repository was set up.
Enter the path where the RPM repository resides. The directory location must start with /var/www/html/.
Click OK.
A Package Information job is submitted. Follow the job until it completes successfully.
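
An added example, not part of Oracle's documentation: a POSIX shell pre-check for the prerequisites of this procedure, run on the repository host before the directory is entered on the Register Custom Channel page. The function names are hypothetical, and the metadata file names (repodata/repomd.xml for createrepo, headers/header.info for yum-arch) are those tools' conventional outputs, assumed here rather than taken from the page.

```shell
#!/bin/sh
# Added example (not Oracle code): pre-check a directory before registering it
# as a custom channel. Function and variable names are hypothetical.

WEB_ROOT=/var/www/html   # location required by the prerequisites above

# check_custom_channel_dir DIR [WEB_ROOT]
# Prints one line per unmet prerequisite; returns 0 only when none are found.
check_custom_channel_dir() {
    dir=$1
    root=${2:-$WEB_ROOT}
    problems=0

    # Resolve symlinks and ".." first, so a path that only looks like it is
    # under the web root (for example /var/www/html/../../srv) is rejected.
    real=$(cd "$dir" 2>/dev/null && pwd -P) ||
        { echo "not a directory: $dir"; return 1; }
    real_root=$(cd "$root" 2>/dev/null && pwd -P) ||
        { echo "web root not found: $root"; return 1; }
    case "$real/" in
        "$real_root"/*) ;;
        *) echo "outside $root: $real"; problems=$((problems + 1)) ;;
    esac

    # Metadata written by createrepo and by yum-arch. These are the tools'
    # conventional output paths, assumed here rather than taken from the page.
    for meta in repodata/repomd.xml headers/header.info; do
        if [ ! -f "$real/$meta" ]; then
            echo "metadata missing: $meta"
            problems=$((problems + 1))
        fi
    done

    # At least one package should be present in the channel directory.
    if ! find "$real" -type f -name '*.rpm' | grep -q .; then
        echo "no .rpm files under $real"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Constructed demo tree: a temporary directory stands in for the web root.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/html/custom/repodata" "$tmp/html/custom/headers" "$tmp/srv/rpms"
    : > "$tmp/html/custom/repodata/repomd.xml"
    : > "$tmp/html/custom/headers/header.info"
    : > "$tmp/html/custom/example-1.0-1.noarch.rpm"
    echo "== directory under the web root, with metadata"
    check_custom_channel_dir "$tmp/html/custom" "$tmp/html" && echo "ready to register"
    echo "== path that escapes the web root through .."
    check_custom_channel_dir "$tmp/html/../srv/rpms" "$tmp/html" || echo "not ready"
    rm -rf "$tmp"
}
demo
```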
This section describes how you can clone a channel. In particular, this section covers the following:
Before cloning a channel, meet the following prerequisites:
Ensure that there is at least one channel already present.
Ensure that the patching user has read/write access on both the source and target channel hosts.
Ensure that there is enough space on the target channel host.
Ensure that the patch user has write access on the agent home. Also ensure that the patch user has SUDO privileges.
To clone a channel, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
On the Manage RPM Repository page, select the source channel you want to clone, and click Create Like.
Enter the credentials to use for the source channel. The credentials must have both read and write access.
Enter a unique target channel name.
Click Browse to select the target host name.
Enter the directory location of the target channel. This directory should be under /var/www/html.
Enter the credentials to use for the target channel. This credential should have both read and write access.
Click OK.
A Create-Like job is submitted. Follow the job until it completes successfully.
This section describes how you can copy packages from one channel to another. In particular, this section covers the following:
Before copying the packages from one channel to another, meet the following prerequisites:
Ensure that there are at least 2 channels.
Ensure that the patching user has read/write access on both the source and target channel hosts.
Ensure that the target channel machine has adequate space.
Ensure that the patch user has write access on the agent home. Also ensure that patch user has SUDO privilege.
To copy the packages from one channel to another, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
On the Manage RPM Repository page, select the source channel, and click Copy Packages.
Select the target channel.
From the source channel section, select and copy the packages to the target channel section.
Enter credentials for the source and target channels. These credentials should have read/write access to the machines.
Click OK.
A Copy Packages job is submitted. Follow the job until it completes successfully.
This section describes how you can add custom packages to a channel. In particular, this section covers the following:
Before you add custom packages to a channel, meet the following prerequisites:
Ensure that there is at least one channel.
Ensure that the patching user has write access on the channel host.
Ensure that the patch user has write access on the agent home. Also ensure that the patch user has SUDO privilege.
To add custom RPMs to a channel, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
On the Manage RPM Repository page, select the channel name where you want to add the RPM, and click Add.
Select the source target name and the credentials to be used for the host. The credentials you use must have read/write access.
On the Upload Files section, click the search icon to browse for the RPM files.
Enter the credentials to be used on the channel's host.
Click OK.
An Add Package job is submitted. Follow the job until it completes successfully.
This section describes how you can delete a channel. In particular, this section covers the following:
Before deleting a channel, meet the following prerequisites:
Ensure that there is at least one channel.
Ensure that the patching user has write access to delete the RPM files from the channel host.
Ensure that the patch user has write access on the agent home. Also, ensure that the patch user has SUDO privileges.
To delete a channel, follow these steps:
In Cloud Control, from the Setup menu, select Provisioning and Patching, then select Linux Patching.
On the Patching Setup page, in the Linux Patching Setup tab, click Manage RPM Repository.
On the Manage RPM Repository page, select the channel name you want to delete, and click Delete.
If you want to delete the packages from the RPM Repository machine, select the check box and enter the credentials for the RPM Repository machine. Click Yes.
If you have not selected to delete the packages from RPM Repository machine, you will get a confirmation message stating Package Channel <channel name> successfully deleted. If you have selected the Delete Packages option, a job will be submitted to delete the packages from the RPM Repository machine. Follow the job until it completes successfully.
This section describes how you can perform the following configuration file management activities:
Ensure that the Software Library is already configured on the OMS.
To create a configuration file channel, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, click the Configuration Files tab.
In the Configuration Files tab, click Create Config File Channel.
On the Create Configuration File Channel page, enter a unique channel name and description for the channel, and click OK.
You will see a confirmation message saying that a new configuration file is created.
This section describes how you can upload configuration files. In particular, this section covers the following:
Before uploading configuration files, ensure that there is at least one configuration file.
To upload configuration files, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, click the Configuration Files tab.
In the Configuration Files tab, select the configuration file you want to upload, and click Upload Configuration Files.
Select an appropriate upload mode. You can either upload files from local host (where the browser is running) or from a remote host (agent should be installed on that host and that agent should be communicating with this OMS).
In the File Upload section, enter the file name, path where the file will be deployed in the target host, and browse for the file on the upload host.
For uploading from remote machine, click Upload from Agent Machine. Click Select Target and select the remote machine.
Before browsing for the files on this machine, set preferred credential for this machine.
After selecting the files, click OK.
You will see a confirmation message that states that files have been uploaded.
This section describes how you can import configuration files. In particular, this section covers the following:
Before importing configuration files, ensure that there are at least two channels.
To import configuration files, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, click the Configuration Files tab.
In the Configuration Files tab, select the source channel, and click Import Files.
Select the target channel.
From the Source channel section, select the files and copy them to the target channel section. Click OK.
You will see a confirmation message stating that the selected files have been imported successfully.
This section describes how you can deploy configuration files. In particular, this section covers the following:
Before deploying configuration files, meet the following prerequisites:
Ensure that the patch user has write access on the agent home. Also ensure that the patch user has SUDO privilege.
Ensure that there is at least one channel with some files uploaded.
To deploy files, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, click the Configuration Files tab.
In the Configuration Files tab, select the source channel, and click Deploy Files.
In the wizard that appears, select the files you want to deploy, and click Next.
Click Add to select the targets where you want to deploy the files.
Enter the credentials for the selected targets.
Enter the Pre/Post scripts you want to run before or after deploying the files.
Review the deploy parameters and click Finish.
A deploy job is submitted. Follow the job's link until it completes successfully.
This section describes how you can delete configuration file channels. In particular, this section covers the following:
Before deleting a configuration file channel, ensure that there is at least one configuration file.
To delete a configuration file channel, follow these steps:
In Cloud Control, from the Enterprise menu, select Provisioning and Patching, then select Linux Patching.
On the Linux Patching page, click the Configuration Files tab.
In the Configuration Files tab, select the channel, and click Delete. Click Yes.
You will see a confirmation message stating that the channel was successfully deleted.