第11章 Managing Errata
Red Hat では、品質管理およびリリースプロセスの一部として、お客様に Red Hat RPM の公式リリースのアップデートを提供しています。Red Hat では、アップデートを説明するアドバイザリーと共に、関連パッケージのグループをエラータにコンパイルします。アドバイザリーには以下の 3 種類があります (重要度の高い順)。
- Security Advisory
- Describes fixed security issues found in the package. The security impact of the issue can be Low, Moderate, Important, or Critical.
- Bug Fix Advisory
- Describes bug fixes for the package.
- Product Enhancement Advisory
- Describes enhancements and new features added to the package.
Red Hat Satellite 6 imports this errata information when synchronizing repositories with Red Hat’s Content Delivery Network (CDN). Red Hat Satellite 6 also provides tools to inspect and filter errata, allowing for precise update management. This way, you can select relevant updates and propagate them through Content Views to selected content hosts.
Errata are labeled according to the most important advisory type they contain. Therefore, errata labeled as Product Enhancement Advisory can contain only enhancement updates, while Bug Fix Advisory errata can contain both bug fixes and enhancements, and Security Advisory can contain all three types.
In Red Hat Satellite, there are two keywords that describe an erratum’s relationship to the available content hosts:
- Applicable
- Erratum applies to one or more content hosts, which means it updates packages present on the content host. Applicable errata are not yet accessible by the content host.
- Installable
- Erratum applies to one or more content hosts and it has been made available to the content host. Installable errata are present in the content host’s life cycle environment and Content View, but are not yet installed. This way, errata can be installed by users who have permissions to manage content hosts, but are not entitled for errata management at higher levels.
本章では、エラータの管理方法と 1 つのホストまたは複数のホストへの適用方法を説明します。
11.1. Inspecting Available Errata
The following procedure describes how to view and filter the available errata and how to display metadata of the selected advisory.
- Navigate to Content > Errata to view the list of available errata.
Use the filtering tools at the top of the page to limit the number of displayed errata:
- Select the repository to be inspected from the list. All Repositories is selected by default.
- The Applicable check box is selected by default to view only errata applicable to the selected repository. Select the Installable check box to view only errata marked as installable.
To search the table of errata, type the query in the Search field in the form of:
parameter operator value検索に使用できるパラメーターの一覧は、表11.1「Parameters Available for Errata Search」 を参照してください。適用可能な演算子の一覧は、『Red Hat Satellite の管理』の「詳細な検索に対してサポートされる演算子」を参照してください。入力時に自動サジェスト機能が利用できます。and 演算子と or 演算子を使用してクエリーを組み合わせることもできます。たとえば、kernel パッケージに関するセキュリティーアドバイザリーのみを表示するには、以下を入力します。
type = security and package_name = kernel
Press Enter to start the search.
Click the Errata ID of the erratum you want to inspect:
- The Details tab contains the description of the updated package as well as documentation of important fixes and enhancements provided by the update.
- On the Content Hosts tab, you can apply the erratum to selected content hosts as described in 「Applying Errata to Multiple Hosts」.
- The Repositories tab lists repositories that already contain the erratum. You can filter repositories by the environment and Content View, and search for them by the repository name.
表11.1 Parameters Available for Errata Search
| Parameter | Description | Example |
|---|---|---|
|
bug |
Search by the Bugzilla number. |
bug = 1172165 |
|
cve |
Search by the CVE number. |
cve = CVE-2015-0235 |
|
id |
Search by the errata ID. The auto-suggest system displays a list of available IDs as you type. |
id = RHBA-2014:2004 |
|
issued |
Search by the issue date. You can specify the exact date, like "Feb16,2015", or use keywords, for example "Yesterday", or "1 hour ago". The time range can be specified with the use of the "<" and ">" operators. |
issued < "Jan 12,2015" |
|
package |
Search by the full package build name. The auto-suggest system displays a list of available packages as you type. |
package = glib2-2.22.5-6.el6.i686 |
|
package_name |
Search by the package name. The auto-suggest system displays a list of available packages as you type. |
package_name = glib2 |
|
severity |
Search by the severity of the issue fixed by the security update. Specify Critical, Important, or Moderate. |
severity = Critical |
|
title |
Search by the advisory title. |
title ~ openssl |
|
type |
Search by the advisory type. Specify security, bugfix, or enhancement. |
type = bugfix |
|
updated |
Search by the date of the last update. You can use the same formats as with the |
updated = "6 days ago" |
11.2. Subscribing to Errata Notifications
Satellite ユーザー向けにメール通知を設定することができます。ユーザーには、リポジトリーの同期後に、適用可能かつインストール可能なエラータのまとめ、通知が、コンテンツビュープロモーションで送信されます。詳しい情報は、『Red Hat Satellite の管理』ガイドの「電子メール通知の設定」を参照してください。
11.3. Limitations to Repository Dependency Resolution
Satellite 6 には、リポジトリー依存関係の解決が必要な問題が複数あり、これは既知の問題です。詳細は、BZ#1508169、BZ#1640420、BZ#1508169、BZ#1629462 を参照してください。Satellite でコンテンツビューの増分更新を使用すると、リポジトリー依存関係の問題がいくつか解決しますが、リポジトリーレベルの依存関係の解決で問題が残る場合があります。
When a repository update becomes available with a new dependency, Satellite retrieves the newest version of the package to solve the dependency, even if there are older versions available in the existing repository package. This can create further dependency resolution problems when installing packages.
Example scenario
A repository on your client has the package example_repository-1.0 with the dependency example_repository-libs-1.0. The repository also has another package example_tools-1.0.
A security erratum becomes available with the package example_tools-1.1. The example_tools-1.1 package requires the example_repository-libs-1.1 package as a dependency.
After an incremental Content View update, the example_tools-1.1, example_tools-1.0, and example_repository-libs-1.1 are now in the repository. The repository also has the packages example_repository-1.0 and example_repository-libs-1.0. Note that the incremental update to the Content View did not add the package example_repository-1.1. Because you can install all these packages using yum, no potential problem is detected. However, when the client installs the example_tools-1.1 package, a dependency resolution problem occurs because both example_repository-libs-1.0 and example_repository-libs-1.1 cannot be installed.
現在、この問題の回避策はありません。RPM の基本セットから、適用されるエラータまでのメジャー Y リリースの期間が長いほど、依存関係の解決の問題が発生する可能性が高くなります。
11.4. Creating a Content View Filter for Errata
You can use content filters to limit errata. Such filters include:
- ID - Select specific erratum to allow into your resulting repositories.
- Date Range - Define a date range and include a set of errata released during that date range.
- Type - Select the type of errata to include such as bug fixes, enhancements, and security updates.
Create a content filter to exclude errata after a certain date. This ensures your production systems in the application life cycle are kept up to date to a certain point. Then you can modify the filter’s start date to introduce new errata into your testing environment to test the compatibility of new packages into your application life cycle.
Prerequisites
- A Content View with the repositories that contain required errata is created. For more information, see 「Creating a Content View」.
Procedure
- In the Satellite web UI, navigate to Content > Content Views and select a Content View that you want to use for applying errata.
- Yum コンテンツ > フィルターに移動し、新規フィルターをクリックします。
-
In the Name field, enter
Errata Filter. - From the Content Type list, select Erratum - Date and Type.
- From the Inclusion Type list, select Exclude.
-
In the Description field, enter
Exclude errata items from YYYY-MM-DD. - 保存をクリックします。
- For Errata Type, select the check boxes of errata types you want to exclude. For example, select the Enhancement and Bugfix check boxes and clear the Security check box to exclude enhancement and bugfix errata after certain date, but include all the security errata.
For Date Type, select one of two check boxes:
- Issued On for the issued date of the erratum.
- Updated On for the date of the erratum’s last update.
- Select the Start Date to exclude all errata on or after the selected date.
- Leave the End Date field blank.
- 保存をクリックします。
- Click Publish New Version to publish the resulting repository.
-
Enter
Adding errata filterin the Description field. 保存をクリックします。
When the Content View completes publication, notice the Content column reports a reduced number of packages and errata from the initial repository. This means the filter successfully excluded the all non-security errata from the last year.
- Click the Versions tab.
- Click Promote to the right of the published version.
- Select the environments you want to promote the Content View version to.
- In the Description field, enter the description for promoting.
- Click Promote Version to promote this Content View version across the required environments.
For CLI Users
Create a filter for the errata:
# hammer content-view filter create --name "Filter Name" \ --description "Exclude errata items from the YYYY-MM-DD" \ --content-view "CV Name" --organization "Default Organization" \ --type "erratum"
Create a filter rule to exclude all errata on or after the Start Date that you want to set:
# hammer content-view filter rule create --start-date "YYYY-MM-DD" \ --content-view "CV Name" --content-view-filter="Filter Name" \ --organization "Default Organization" --types=security,enhancement,bugfix
Publish the Content View:
# hammer content-view publish --name "CV Name" \ --organization "Default Organization"
Promote the Content View to the lifecycle environment so that the included errata are available to that lifecycle environment:
# hammer content-view version promote \ --content-view "CV Name" \ --organization "Default Organization" \ --to-lifecycle-environment "Lifecycle Environment Name"
11.5. Adding Errata to an incremental Content View
If errata are available but not installable, you can create an incremental Content View version to add the errata to your content hosts. For example, if the Content View is version 1.0, it becomes Content View version 1.1, and when you publish, it becomes Content View version 2.0.
- Satellite Web UI で、コンテンツ > エラータ に移動します。
- エラータ の一覧から、適用するエラータの名前をクリックします。
- エラータを適用するコンテンツホストを選択し、ホストに適用 をクリックします。これにより、コンテンツビューの増分更新が作成されます。
- エラータをコンテンツホストに適用する場合は、公開直後にコンテンツホストにエラータを適用する チェックボックスを選択します。
- 確認 をクリックして、エラータを適用します。
For CLI Users
List the errata and its corresponding IDs:
# hammer erratum list
List the different content-view versions and the corresponding IDs:
# hammer content-view version list
コンテンツビューバージョンに単一のエラータを適用します。コンマ区切りのリストとして、さらに ID を追加できます。
# hammer content-view version incremental-update \ --content-view-version-id 319 --errata-ids 34068b
11.6. Applying Errata to a Host
Use these procedures to review and apply errata to a host.
Prerequisites
- Synchronize Red Hat Satellite repositories with the latest errata available from Red Hat. For more information, see 「Synchronizing Red Hat Repositories」.
- Satellite Server で、環境とコンテンツビューにホストを登録します。詳細は、『ホストの管理』ガイドの「ホストの登録」を参照してください。
-
RHEL 7 ホストに、
katello-agentパッケージをインストールしてください。詳細は、ホストの管理ガイドの Katello エージェントのインストールセクションを参照してください。
For Red Hat Enterprise Linux 8
RHEL 8 ホストにエラータを適用するには、Satellite Server でリモート実行ジョブを実行するか、ホストを更新できます。リモート実行ジョブの実行の詳細は、『ホストの管理ガイドの「ホストでのジョブの実行」を参照してください。
To apply an erratum to a RHEL 8 host, complete the following steps:
On Satellite, list all errata for the host:
# hammer host errata list \ --host client.example.comエラータが含まれるモジュールのストリームを検索します。
# hammer erratum info --id ERRATUM_IDOn the host, update the module stream:
# yum update Module_Stream_Name
For Red Hat Enterprise Linux 7
To apply an erratum to a RHEL 7 host, complete the following steps:
- In the Satellite web UI, navigate to Hosts > Content Hosts and select the host you want to apply errata to.
- Navigate to the Errata tab to see the list of errata.
- 適用するエラータを選択し、Apply Selected (選択した項目を適用) をクリックします。確認画面で、適用 をクリックします。
- After the task to update all packages associated with the selected errata completes, click the Details tab to view the updated packages.
For CLI Users
To apply an erratum to a RHEL 7 host, complete the following steps:
List all errata for the host:
# hammer host errata list \ --host client.example.comホストに最新のエラータを適用します。エラータ ID を使用して適用するエラータを特定します。
# hammer host errata apply --host "Host Name" \ --errata-ids ERRATUM_ID1,ERRATUM_ID2...
11.7. Applying Errata to Multiple Hosts
Use these procedures to review and apply errata to multiple RHEL 7 hosts.
Prerequisites
- Synchronize Red Hat Satellite repositories with the latest errata available from Red Hat. For more information, see 「Synchronizing Red Hat Repositories」.
- Register the hosts to an environment and Content View on Satellite Server. For more information, see Registering a Host in the Managing Hosts guide.
-
ホストに
katello-agentパッケージをインストールします。詳細は、『ホストの管理』ガイドの「Katello エージェントのインストール」セクションを参照してください。
Procedure
- Navigate to Content > Errata.
- Click the name of an erratum you want to apply.
- Click to Content Hosts tab.
- エラータの適用先のホストを選択し、ホストへの適用 をクリックします。
- Click Confirm.
For CLI Users
Although the CLI does not have the same tools as the Web UI, you can replicate a similar procedure with CLI commands.
List all installable errata:
# hammer erratum list \ --errata-restrict-installable true \ --organization "Default Organization"Select the erratum you want to use and list the hosts that this erratum is applicable to:
# hammer host list \ --search "applicable_errata = ERRATUM_ID" \ --organization "Default Organization"
Apply the errata to a single host:
# hammer host errata apply \ --host client.example.com \ --organization "Default Organization" \ --errata-ids ERRATUM_ID1,ERRATUM_ID2...
Enter the following command for each host and replace
$HOSTwith the name of the host for each execution.# for HOST in `hammer \ --csv --csv-separator "|" host list \ --search "applicable_errata = ERRATUM_ID" \ --organization "Default Organization" | tail -n+2 | awk \ -F "|" '{ print $2 }'` ; do echo \ "== Applying to $HOST ==" ; hammer host errata apply \ --host $HOST --errata-ids ERRATUM_ID1,ERRATUM_ID2 ; doneThis command identifies all hosts with erratum_IDs as an applicable erratum and then applies the erratum to each host.
