Chapter 9. Managing Errata

As a part of Red Hat’s quality control and release process, we provide customers with updates for each release of official Red Hat RPMs. Red Hat compiles groups of related package into an erratum along with an advisory that provides a description of the update. There are three types of advisories (in order of importance):

Security Advisory
Describes fixed security issues found in the package. The security impact of the issue can be Low, Moderate, Important, or Critical.
Bug Fix Advisory
Describes bug fixes for the package.
Product Enhancement Advisory
Describes enhancements and new features added to the package.

Red Hat Satellite 6 imports this errata information when synchronizing repositories with Red Hat’s Content Delivery Network (CDN). Red Hat Satellite 6 also provides tools to inspect and filter errata, allowing for precise update management. This way, you can select relevant updates and propagate them through content views to selected content hosts.

In Red Hat Satellite, there are two keywords that describe an erratum’s relationship to the available content hosts:

Applicable
Erratum applies to one or more content hosts, which means it updates packages present on the content host. Applicable errata are not yet accessible by the content host.
Installable
Erratum applies to one or more content hosts and it has been made available to the content host. Installable errata are present in the content host’s life cycle environment and content view, but are not yet installed. This way, errata can be installed by users who have permissions to manage content hosts, but are not entitled for errata management at higher levels.

This chapter shows how to manage errata and apply them to either a single system or multiple systems.

Important

Install the katello-agent package on hosts registered to the Satellite. This package provides the necessary services for errata management.

9.1. Managing Errata with Content Views

Red Hat Satellite 6 provides various methods to manage and apply errata. As discussed in Section 7.4, “Defining Content Filters”, we can use content views and content filters to limit errata. Such filters include:

  • ID - We can create a filter to choose specific erratum to allow into our resulting repositories.
  • Date Range - We can define a date range and include a set of errata released during that date range.
  • Type - We can select the type of errata to include such as bug fixes, enhancements, and security updates.

As an example, we can create a content filter to exclude errata after a certain date. This ensures our production systems in the application life cycle are kept up to date to a certain point. Then we can modify the filter’s start date to introduce new errata into our testing environment. This is so we can test the compatibility of new packages into our application life cycle.

For instructions on creating a content filter, see Section 7.5, “Creating a Content Filter”.

Once a content view contains errata, we can apply it to our systems. Each system registered to your Red Hat Satellite 6 includes an errata management screen where you can apply multiple errata to the system. In addition, Red Hat Satellite 6 contains an errata management feature where you can search, review, and apply errata to multiple systems.

9.2. Applying Errata to Individual Systems

For this procedure, we aim to apply some errata to a system. This procedure follows on from Section 8.2, “Using Activation Keys” and assumes you registered a test Red Hat Enterprise Linux 7 system to your Satellite Server. In this example, we aim to apply the following erratum:

Errata ID:   RHSA-2016:0008
Title:       Moderate: openssl security update
Type:        security
Severity:    Moderate
Issued:      2016-01-07
Updated:     2016-01-07
Description: OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general purpose cryptography library.

For Web UI Users

Navigate to Hosts > Content Hosts and click on your test system. Navigate to the Errata tab. Due to the filter set up in Section 7.5, “Creating a Content Filter”, a list of security errata appears.

Let’s apply errata for OpenSSL. Navigate to the search bar and enter title ~ openssl. This searches for any errata with openssl in the title. Select the RHSA-2016:0008 errata and click Apply Selected. A confirmation message appears. Click Apply.

The Satellite Server starts a task to update all packages associated with the selected errata. When the task completes, the Satellite Server lists the packages updated and their new versions in the Details section. For example:

1:openssl-1.0.1e-51.el7_2.2.x86_64
1:openssl-libs-1.0.1e-51.el7_2.2.x86_64

Log in to the client system and confirm the errata updates:

[root@client ~]# yum list openssl openssl-libs

For CLI Users

List the OpenSSL errata for the client system:

# hammer host errata list \
--host client.example.com \
--search "title ~ openssl" \
--organization "ACME"

Apply the most recent erratum to the client system. Identify the erratum to apply using the Errata ID:

# hammer host errata apply \
--host client.danssat.net \
--errata-ids RHSA-2016:0008 \
--organization "ACME"

Log in to the client system and confirm the errata updates:

[root@client ~]# yum list openssl openssl-libs

9.3. Applying Errata to Multiple Systems

The Red Hat Satellite 6 Web UI provides an errata management tool to help review and apply errata to multiple systems. For this example, we use the same erratum (RHSA-2016:0008) from Section 9.2, “Applying Errata to Individual Systems”.

For Web UI Users

Navigate to Content > Errata. This displays all errata from synchronized repositories. In addition, the Content Host Counts shows the number of registered hosts that can apply and install each erratum.

Let’s apply a single OpenSSL errata to our systems through this tool. Navigate to the search field and enter title ~ openssl. This shows all errata relating to OpenSSL. Although this includes bug fixes and enhancements, note that the Satellite Server cannot install these errata to our test system due to the filter we created in Section 7.5, “Creating a Content Filter”.

Click on the most recent OpenSSL errata. In our example, this is RHSA-2016:0008.

The Details screen for this erratum appears and provides a description of what the erratum resolves.

Navigate to the Content Hosts subtab. This displays a list of all applicable systems for this errata. We select Only show content hosts where the errata is currently installable in the host’s Lifecycle Environment to limit this list to systems that can actually install the errata.

Select our test system and click Apply to Hosts. A confirmation screen appears regarding the errata installation. Click Confirm.

The Satellite Server starts a task to update the erratum’s packages for each selected system. When the task completes, log in to the client system and confirm the errata updates:

[root@client ~]# yum list openssl openssl-libs

For CLI Users

Although the CLI does not have the same tools as the Web UI, you can replicate a similar procedure with CLI commands.

List all OpenSSL errata:

# hammer erratum list --search "title ~ openssl" --organization "ACME"

Search again, restricting the list to installable errata:

# hammer erratum list \
--errata-restrict-installable true \
--search "title ~ openssl" --organization "ACME"

Find out details about this errata:

# hammer erratum info --id RHSA-2016:0008

List the systems that this erratum is applicable:

# hammer host list \
--search "applicable_errata = RHSA-2016:0008" \
--organization "ACME"

Apply the errata to a single system:

# hammer host errata apply \
--host client.example.com \
--errata-ids RHSA-2016:0008

You need to run this command for each client system and replace --host with the name of the system for each execution. You can accomplish this using the following command:

# for HOST in `hammer \
--csv --csv-separator "|" host list \
--search "applicable_errata = RHSA-2016:0008" \
--organization "ACME" | tail -n+2 | awk \
-F "|" '{ print $2 }'` ; do echo \
"== Applying to $HOST ==" ; hammer host errata apply \
--host $HOST --errata-ids RHSA-2016:0008 ; done

This command identifies all hosts with RHSA-2016:0008 as an applicable erratum and then applies the erratum to each host.

Log in to the client system and confirm the errata updates:

[root@client ~]# yum list openssl openssl-libs

9.4. Chapter Summary

This chapter provided some guidelines on how Red Hat Satellite 6 manage errata and applies them to systems.

The next chapter explores container management in Red Hat Satellite 6.