Chapter 11. Managing Errata

As a part of Red Hat’s quality control and release process, we provide customers with updates for each release of official Red Hat RPMs. Red Hat compiles groups of related package into an erratum along with an advisory that provides a description of the update. There are three types of advisories (in order of importance):

Security Advisory
Describes fixed security issues found in the package. The security impact of the issue can be Low, Moderate, Important, or Critical.
Bug Fix Advisory
Describes bug fixes for the package.
Product Enhancement Advisory
Describes enhancements and new features added to the package.

Red Hat Satellite 6 imports this errata information when synchronizing repositories with Red Hat’s Content Delivery Network (CDN). Red Hat Satellite 6 also provides tools to inspect and filter errata, allowing for precise update management. This way, you can select relevant updates and propagate them through Content Views to selected content hosts.

Errata are labeled according to the most important advisory type they contain. Therefore, errata labeled as Product Enhancement Advisory can contain only enhancement updates, while Bug Fix Advisory errata can contain both bug fixes and enhancements, and Security Advisory can contain all three types.

In Red Hat Satellite, there are two keywords that describe an erratum’s relationship to the available content hosts:

Applicable
An erratum that applies to one or more content hosts, which means it updates packages present on the content host. Although these errata apply to content hosts, until their state changes to Installable, the errata are not ready to be installed. Installable errata are automatically applicable.
Installable
An erratum that applies to one or more content hosts and is available to install on the content host. Installable errata are available to a content host from life cycle environment and the associated Content View, but are not yet installed.

This chapter shows how to manage errata and apply them to either a single host or multiple hosts.

11.1. Inspecting Available Errata

The following procedure describes how to view and filter the available errata and how to display metadata of the selected advisory.

  1. Navigate to Content > Errata to view the list of available errata.
  2. Use the filtering tools at the top of the page to limit the number of displayed errata:

    • Select the repository to be inspected from the list. All Repositories is selected by default.
    • The Applicable check box is selected by default to view only errata applicable to the selected repository. Select the Installable check box to view only errata marked as installable.
    • To search the table of errata, type the query in the Search field in the form of:

      parameter operator value

      See Table 11.1, “Parameters Available for Errata Search” for the list of parameters available for search. Find the list of applicable operators in Supported Operators for Granular Search in Administering Red Hat Satellite. Automatic suggestion works as you type. You can also combine queries with the use of and and or operators. For example, to display only security advisories related to the kernel package, type:

      type = security and package_name = kernel

      Press Enter to start the search.

  3. Click the Errata ID of the erratum you want to inspect:

    • The Details tab contains the description of the updated package as well as documentation of important fixes and enhancements provided by the update.
    • On the Content Hosts tab, you can apply the erratum to selected content hosts as described in Section 11.7, “Applying Errata to Multiple Hosts”.
    • The Repositories tab lists repositories that already contain the erratum. You can filter repositories by the environment and Content View, and search for them by the repository name.

For CLI Users

  • To view errata that are available for all organizations, enter the following command:

    # hammer erratum list
  • To view details of a specific erratum, enter the following command:

    # hammer erratum info --id erratum_ID
  • You can search errata by entering the query with the --search option. For example, to view applicable errata for the selected product that contains the specified bugs ordered so that the security errata are displayed on top, enter the following command:

    # hammer erratum list \
    --product-id 7 \
    --search "bug = 1213000 or bug = 1207972" \
    --errata-restrict-applicable 1 \
    --order "type desc"

11.2. Subscribing to Errata Notifications

You can configure email notifications for Satellite users. Users receive a summary of applicable and installable errata, notifications on Content View promotion or after synchronizing a repository. For more information, see the Configuring Email Notifications section in the Administering Red Hat Satellite guide.

11.3. Limitations to Repository Dependency Resolution

There are a number of challenges to solving repository dependencies in Satellite 6. This is a known issue. For more information, see BZ#1508169, BZ#1640420, BZ#1508169, and BZ#1629462. With Satellite, using incremental updates to your Content Views solves some repository dependency problems. However, dependency resolution at a repository level still remains problematic on occasion.

When a repository update becomes available with a new dependency, Satellite retrieves the newest version of the package to solve the dependency, even if there are older versions available in the existing repository package. This can create further dependency resolution problems when installing packages.

Example scenario

A repository on your client has the package example_repository-1.0 with the dependency example_repository-libs-1.0. The repository also has another package example_tools-1.0.

A security erratum becomes available with the package example_tools-1.1. The example_tools-1.1 package requires the example_repository-libs-1.1 package as a dependency.

After an incremental Content View update, the example_tools-1.1, example_tools-1.0, and example_repository-libs-1.1 are now in the repository. The repository also has the packages example_repository-1.0 and example_repository-libs-1.0. Note that the incremental update to the Content View did not add the package example_repository-1.1. Because you can install all these packages using yum, no potential problem is detected. However, when the client installs the example_tools-1.1 package, a dependency resolution problem occurs because both example_repository-libs-1.0 and example_repository-libs-1.1 cannot be installed.

There is currently no workaround for this problem. The larger the time frame, and major Y releases between the base set of RPMs and the errata being applied, the higher the chance of a problem with dependency resolution.

11.4. Creating a Content View Filter for Errata

You can use content filters to limit errata. Such filters include:

  • ID - Select specific erratum to allow into your resulting repositories.
  • Date Range - Define a date range and include a set of errata released during that date range.
  • Type - Select the type of errata to include such as bug fixes, enhancements, and security updates.

Create a content filter to exclude errata after a certain date. This ensures your production systems in the application life cycle are kept up to date to a certain point. Then you can modify the filter’s start date to introduce new errata into your testing environment to test the compatibility of new packages into your application life cycle.

Prerequisites

Procedure

  1. In the Satellite web UI, navigate to Content > Content Views and select a Content View that you want to use for applying errata.
  2. Navigate to Yum Content > Filters and click New Filter.
  3. In the Name field, enter Errata Filter.
  4. From the Content Type list, select Erratum - Date and Type.
  5. From the Inclusion Type list, select Exclude.
  6. In the Description field, enter Exclude errata items from YYYY-MM-DD.
  7. Click Save.
  8. For Errata Type, select the check boxes of errata types you want to exclude. For example, select the Enhancement and Bugfix check boxes and clear the Security check box to exclude enhancement and bugfix errata after certain date, but include all the security errata.
  9. For Date Type, select one of two check boxes:

    • Issued On for the issued date of the erratum.
    • Updated On for the date of the erratum’s last update.
  10. Select the Start Date to exclude all errata on or after the selected date.
  11. Leave the End Date field blank.
  12. Click Save.
  13. Click Publish New Version to publish the resulting repository.
  14. Enter Adding errata filter in the Description field.
  15. Click Save.

    When the Content View completes publication, notice the Content column reports a reduced number of packages and errata from the initial repository. This means the filter successfully excluded the all non-security errata from the last year.

  16. Click the Versions tab.
  17. Click Promote to the right of the published version.
  18. Select the environments you want to promote the Content View version to.
  19. In the Description field, enter the description for promoting.
  20. Click Promote Version to promote this Content View version across the required environments.

For CLI Users

  1. Create a filter for the errata:

    # hammer content-view filter create --name "Filter Name" \
    --description "Exclude errata items from the YYYY-MM-DD" \
    --content-view "CV Name" --organization "Default Organization" \
    --type "erratum"
  2. Create a filter rule to exclude all errata on or after the Start Date that you want to set:

    # hammer content-view filter rule create --start-date "YYYY-MM-DD" \
    --content-view "CV Name" --content-view-filter="Filter Name" \
    --organization "Default Organization" --types=security,enhancement,bugfix
  3. Publish the Content View:

    # hammer content-view publish --name "CV Name" \
    --organization "Default Organization"
  4. Promote the Content View to the lifecycle environment so that the included errata are available to that lifecycle environment:

    # hammer content-view version promote \
    --content-view "CV Name" \
    --organization "Default Organization" \
    --to-lifecycle-environment "Lifecycle Environment Name"

11.5. Adding Errata to an incremental Content View

If errata are available but not installable, you can create an incremental Content View version to add the errata to your content hosts. For example, if the Content View is version 1.0, it becomes Content View version 1.1, and when you publish, it becomes Content View version 2.0.

  1. In the Satellite web UI, navigate to Content > Errata.
  2. From the Errata list, click the name of the errata that you want to apply.
  3. Select the content hosts that you want to apply the errata to, and click Apply to Hosts. This creates the incremental update to the Content View.
  4. If you want to apply the errata to the content host, select the Apply Errata to Content Hosts immediately after publishing check box.

    Note

    Until BZ#1459807 is resolved, if you apply non-installable errata to hosts registered to Capsule Servers, do not select the Apply errata to Content Hosts immediately after publishing check box.

    Instead, after clicking Confirm, wait for the errata Content View to be promoted and for the Capsule synchronization task to finish. Then, the errata will be marked as Installable and you can use the procedure again to apply it.

  5. Click Confirm to apply the errata.

For CLI Users

  1. List the errata and its corresponding IDs:

    # hammer erratum list
  2. List the different content-view versions and the corresponding IDs:

    # hammer content-view version list
  3. Apply a single erratum to content-view version. You can add more IDs in a comma-separated list.

    # hammer content-view version incremental-update \
    --content-view-version-id 319 --errata-ids 34068b

11.6. Applying Errata to a Host

Use these procedures to review and apply errata to a host.

Prerequisites

For Red Hat Enterprise Linux 8

To apply an erratum to a RHEL 8 host, you can run a remote execution job on Satellite Server or update the host. For more information about running remote execution jobs, see Running Jobs on Hosts in the Managing Hosts guide.

To apply an erratum to a RHEL 8 host, complete the following steps:

  1. On Satellite, list all errata for the host:

    # hammer host errata list \
    --host client.example.com
  2. Find the module stream an erratum belongs to:

    # hammer erratum info --id ERRATUM_ID
  3. On the host, update the module stream:

    # yum update Module_Stream_Name

For Red Hat Enterprise Linux 7

To apply an erratum to a RHEL 7 host, complete the following steps:

  1. In the Satellite web UI, navigate to Hosts > Content Hosts and select the host you want to apply errata to.
  2. Navigate to the Errata tab to see the list of errata.
  3. Select the errata to apply and click Apply Selected. In the confirmation window, click Apply.
  4. After the task to update all packages associated with the selected errata completes, click the Details tab to view the updated packages.

For CLI Users

To apply an erratum to a RHEL 7 host, complete the following steps:

  1. List all errata for the host:

    # hammer host errata list \
    --host client.example.com
  2. Apply the most recent erratum to the host. Identify the erratum to apply using the erratum ID:

    # hammer host errata apply --host "Host Name" \
    --errata-ids ERRATUM_ID1,ERRATUM_ID2...

11.7. Applying Errata to Multiple Hosts

Use these procedures to review and apply errata to multiple RHEL 7 hosts.

Prerequisites

Procedure

  1. Navigate to Content > Errata.
  2. Click the name of an erratum you want to apply.
  3. Click to Content Hosts tab.
  4. Select the hosts you want to apply errata to and click Apply to Hosts.
  5. Click Confirm.

For CLI Users

Although the CLI does not have the same tools as the Web UI, you can replicate a similar procedure with CLI commands.

  1. List all installable errata:

    # hammer erratum list \
    --errata-restrict-installable true \
    --organization "Default Organization"
  2. Select the erratum you want to use and list the hosts that this erratum is applicable to:

    # hammer host list \
    --search "applicable_errata = ERRATUM_ID" \
    --organization "Default Organization"
  3. Apply the errata to a single host:

    # hammer host errata apply \
    --host client.example.com \
    --organization "Default Organization" \
    --errata-ids ERRATUM_ID1,ERRATUM_ID2...
  4. The following Bash script applies an erratum to each host for which this erratum is available:

    for HOST in hammer --csv --csv-separator "|" host list --search "applicable_errata = ERRATUM_ID" --organization "Default Organization" | tail -n+2 | awk -F "|" '{ print $2 }' ;
    do
      echo "== Applying to $HOST ==" ; hammer host errata apply --host $HOST --errata-ids ERRATUM_ID1,ERRATUM_ID2 ;
    done

    This command identifies all hosts with erratum_IDs as an applicable erratum and then applies the erratum to each host.

  5. To see if an erratum is applied successfully, find the corresponding task in the output of the following command:

    # hammer task list
  6. View the state of a selected task:

    # hammer task progress --id task_ID

11.8. Applying Errata to a Host Collection

To apply selected errata to a host collection, enter the following command:

# hammer host-collection erratum install \
--errata "erratum_ID1,erratum_ID2,..." \
--name "host_collection_name"\
--organization "Your_Organization"