Redhat Linux Patching

In Linux, a patch is a small text document containing a delta of changes between two different versions of a source tree. Patches are created with the diff program.
The patch program attempts to determine the type of the diff listing, unless overruled by a -c (--context), -e (--ed), -n (--normal), or -u (--unified) option. Context diffs (old-style, new-style, and unified) and normal diffs are applied by the patch program itself, while ed diffs are simply fed to the ed editor via a pipe.
Now let's see how patching is done on a Linux system.
As with every OS, every once in a while you need to update the software running on your Linux server. You can do this in one of three ways:
  • Download the updated packages and manually install them yourself on the system.
  • Use a built-in open source application that comes with the OS distribution.
  • Use a third-party application that downloads the file and then runs the installation for you.

Let’s look at these in more detail.
Manual Updates
One way you can update your RedHat or SuSE machine is by going to your particular vendor’s Web or FTP site, and downloading the packages directly from the online file repository or a trusted mirror site. For recent products, like Novell’s SLES or RedHat Enterprise Servers, once you get the file onto your machine you can then run the RedHat Package Manager (aka “rpm”) and update the target program you choose.
After downloading rrdtool’s latest RPM, you can run “rpm -i” to install the new package, or “rpm -U” if you are updating rrdtool. The next RPM command queries all the installed RPMs, and extracts only the information you want, using the grep command. The third command uninstalls rrdtool using “rpm -e”. Finally, the last line confirms that the application rrdtool is not installed anymore.

WHAT IS A PATCH?

A patch is a piece of software code that is inserted into an existing program on the system. It is an immediate fix to existing software before a minor release is planned. A patch is a kind of temporary and quick fix to existing software.

Applying periodic updates in the form of patches to keep the operating system updated and secure is an important job function of every system administrator. Patching the operating system certainly improves the functionality and health of the system, but in a few isolated instances patching the operating system may cause problems in the working of an application or database.

Redhat Linux Patching 

1. Check whether the machine is physical or a VM, and check the system information.
# dmidecode -t system
# dmidecode -s system-product-name
# lspci | grep -i vmware
# dmidecode | less
# cat /etc/info.server


Example :
For Physical :
System Information
        Manufacturer: HP
        Product Name: ProLiant DL385 G5
For Virtual :
System Information
        Manufacturer: VMware, Inc.
        Product Name: VMware Virtual Platform


2. Take a system backup:
For virtual machines, we can take a snapshot and revert to it if required.
For physical machines, check the iLO address and take a backup using tools if configured, e.g. TSM backup client. In some environments you may have a script to back up the whole rootvg via an LVM snapshot.

3. On the day of the activity, use your monitoring tool to acknowledge alerts.
4. Bring the application and DB down on the server.
5. Do a simple reboot to ensure the server doesn’t have any prior file system issues.
6. Update the kernel on the machine. It is preferable to go for --install instead of the --update option.
7. Do a yum update for security and the remaining patches to complete the update.
8. Reboot the machine.
9. Once up, confirm the server is updated with uname -a and yum check-update.
10. Take the server out of maintenance mode once you have confirmed the application/DB is up and running.
11. In case of issues, roll back using yum history (RHEL 6) or rpm --rollback (RHEL 5).

Useful Commands during server patching
  • Pre-Patching

The commands below can be run in one go to back up the current configuration of important files:

mkdir -p /tmp/patching`date +%y%m%d`
cd /tmp/patching`date +%y%m%d`
df -Ph >df.bkp
uptime | tee uptime_before
cat /etc/fstab >fstab.bkp
pvs >pvs.bkp
vgs >vgs.bkp
lvs >lvs.bkp
uname -r  | tee kernel.bkp
cat /etc/grub.conf >grub.bkp
cat /proc/cpuinfo >cpu.bkp
cat /proc/meminfo >mem.bkp

ifconfig -a >ifconfig.bkp
cat /proc/mdstat >mdstat.bkp
netstat -nr >routingtable_before

ls -lhR /boot >bootdir.bkp
fdisk -l >fdisk.bkp
ps -ef >ps_bkp
chkconfig --list >chkconfig.bkp
service --status-all >services_bkp 
top -b1 -n1 >top_bkp
dmidecode -t system | more
multipath -ll >multipath.bkp
powermt display dev=all >powermt.bkp
cat /etc/grub.conf >grub.pre
ls -lhtr
echo "configuration backup done"
cat /etc/info.server

  • Patching
yum list   (see available packages)
yum update   (prompts Y or N before updating packages)
yum update -y (patches the available packages without prompting)
yum update -x kernel (excludes kernel updates)

  • Post-Patching
cat /etc/fstab >fstab.bkp.post
top -b1 -n1 >top_bkp.post
uname -a 
yum check-update
mount -a
/etc/init.d/PowerPath status
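
The pre-patching snapshots are only useful if they are compared with the state after the reboot. The script below is an added example, not part of the original post: it reports mount points and routes that were present before patching and are missing afterwards. The sample listings are constructed, and df.post and routingtable_after are assumed file names for the post-reboot captures.

```bash
#!/bin/bash
# Added example: compare pre-patching snapshots with the post-reboot state.
# File names df.bkp and routingtable_before follow the post; the sample
# listings further down are constructed.
export LC_ALL=C

# Mount points from a saved "df -Ph" listing (paths with spaces not handled).
mount_points() { awk 'NR > 1 { print $NF }' "$1" | sort -u; }

# Destination, gateway, mask and interface from a saved "netstat -nr" listing.
routes() { awk 'NR > 2 { print $1, $2, $3, $8 }' "$1" | sort -u; }

# Print entries present in the "before" file but gone from the "after" file.
# usage: missing <mount_points|routes> <before-file> <after-file>
missing() {
    before=$(mktemp); after=$(mktemp)
    "$1" "$2" > "$before"; "$1" "$3" > "$after"
    comm -23 "$before" "$after"
    rm -f "$before" "$after"
}

# --- constructed sample snapshots ---
work=$(mktemp -d)
cat > "$work/df.bkp" <<'EOF'
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg00-root  20G  6.1G   13G  33% /
/dev/sda1             477M  120M  328M  27% /boot
/dev/mapper/vg01-app   50G   31G   17G  65% /app
EOF
cat > "$work/df.post" <<'EOF'
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/vg00-root  20G  6.4G   13G  34% /
/dev/sda1             477M  150M  298M  34% /boot
EOF
cat > "$work/routingtable_before" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.0.2.1       0.0.0.0         UG        0 0          0 eth0
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
EOF
cp "$work/routingtable_before" "$work/routingtable_after"

echo "Mounts missing after patching: $(missing mount_points "$work/df.bkp" "$work/df.post")"
echo "Routes missing after patching: $(missing routes "$work/routingtable_before" "$work/routingtable_after")"
```

On a real server, capture df -Ph and netstat -nr again after the reboot and pass those files as the "after" arguments.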

Rollback


RollBack Configuration for RHEL 5

Edit /etc/rpm/macros:
vi /etc/rpm/macros
and add the following line:
%_repackage_all_erasures 1

Edit /etc/yum.conf:
vi /etc/yum.conf
and add the following line:
tsflags=repackage

Enable monthly cleanup of old packages; otherwise they use too much space:
vi /etc/cron.daily/tmpwatch
and add the following line:
/usr/sbin/tmpwatch "$flags" 720 /var/spool/repackage

RollBack Configuration for RHEL 6
It’s built-in.

Perform RollBack for RHEL 5
Roll back RPMs:

If the OS was updated within the last hour, use the following command:
rpm -Uvh --rollback '1 hour ago'

If it was updated yesterday:
rpm -Uvh --rollback '1 day ago'

If the OS was updated a week ago:
rpm -Uvh --rollback '1 week ago'

If the OS was updated a month ago:
rpm -Uvh --rollback '1 month ago'

If the OS was updated on March 20th:
rpm -Uvh --rollback 'March 20'

Perform RollBack for RHEL 6
Check update history
yum history
Output
Loaded plugins: fastestmirror, refresh-packagekit
ID     | Login user             | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
47 | root <root>            | 2012-05-27 09:03 | Install        |    4  
46 | root <root>            | 2012-05-27 09:02 | Install        |    2  


Check info of a particular update
yum history info 46

To roll back to the state before update ID 47
yum history rollback 46

Undo an update
yum history undo 46

To repeat an update
yum history repeat 46


Offline patching method for RHEL 7

Linux is not like Windows, where security patches and other bug-fix patches are installed every week. At the same time, it is not like a Unix operating system that you do not need to patch for years. You should plan to patch Red Hat Linux twice a year to close security holes and pick up bug fixes. Red Hat recommends connecting the systems to its repository so that they can be updated without much pain. But customers don’t want to keep their systems directly internet-facing for any reason. Some customers use an internet proxy service to connect their systems to the Red Hat repository, and some can afford a Red Hat Satellite server. What about companies that are concerned about both security and cost? Red Hat gives them the option of updating the system using an offline method.


This article demonstrates the offline patching method for RHEL 7. The system will automatically be upgraded to the latest minor version.

Operating System: RHEL 7.0


Full OS update (package update, kernel update and security update):

Note: In this method, the whole operating system is upgraded to the latest minor version. In this case, the system will upgrade to RHEL 7.2.
1. You must have a valid Red Hat subscription to download the latest DVD from Red Hat.

2. Download the latest Red Hat Enterprise Linux Server 7.x (RHEL 7.x Binary DVD) ISO from the Red Hat portal.


3. Copy the RHEL 7.x Binary ISO to the system you want to update (patch).

4. Mount the ISO.

[root@Server ~]# mkdir /repo
[root@Server ~]# mount -o loop rhel-server-7.2-x86_64-dvd.iso /repo
[root@Server ~]# ls -lrt /repo
total 872
-r--r--r--.  1 root root  18092 Mar  6  2020 GPL
-r--r--r--.  1 root root   8266 Apr  4  2014 EULA
-r--r--r--.  1 root root   3211 Oct 23 09:25 RPM-GPG-KEY-redhat-release
-r--r--r--.  1 root root   3375 Oct 23 09:25 RPM-GPG-KEY-redhat-beta
-r--r--r--.  1 root root    114 Oct 30 10:54 media.repo
-r--r--r--.  1 root root   1568 Oct 30 11:03 TRANS.TBL
dr-xr-xr-x.  2 root root   4096 Oct 30 11:03 repodata
dr-xr-xr-x. 24 root root   6144 Oct 30 11:03 release-notes
dr-xr-xr-x.  2 root root 835584 Oct 30 11:03 Packages
dr-xr-xr-x.  2 root root   2048 Oct 30 11:03 LiveOS
dr-xr-xr-x.  2 root root   2048 Oct 30 11:03 isolinux
dr-xr-xr-x.  3 root root   2048 Oct 30 11:03 images
dr-xr-xr-x.  3 root root   2048 Oct 30 11:03 EFI
dr-xr-xr-x.  4 root root   2048 Oct 30 11:03 addons



5. Check the current version of Redhat and kernel version.



[root@Server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.0 (Maipo)
[root@Server ~]# uname -mrs
Linux 3.10.0-123.el7.x86_64 x86_64


6. Remove the existing yum repositories. (Reconfigure them later if you need them.)


7. Create the new repo file in “/etc/yum.repos.d/”.

[root@Server yum.repos.d]# cat /etc/yum.repos.d/ua.repo
[repo]
gpgcheck=0

enabled=1
baseurl=file:///repo
name=repo-update
[root@Server yum.repos.d]#



8. List the newly created repo.


[root@Server yum.repos.d]# yum repolist
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
repo id                                                                       repo name                                                                        status
repo                                                                          repo-update                                                                        4,305
repolist: 4,305
[root@Server yum.repos.d]# cd
[root@Server ~]#

9. Clean the cache, dbcache, expire-cache, headers and metadata. This performs the repo metadata cleanup.


[root@Server ~]# yum clean all
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Cleaning repos: repo-update
Cleaning up everything
[root@Server ~]#

10. Update the system using “yum update” command.

[root@Server ~]# yum update -y
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package ModemManager-glib.x86_64 0:1.1.0-6.git20130913.el7 will be updated
---> Package ModemManager-glib.x86_64 0:1.1.0-8.git20130913.el7 will be an update
---> Package NetworkManager.x86_64 1:0.9.9.1-13.git20140326.4dba720.el7 will be obsoleted
---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be obsoleting
--> Processing Dependency: NetworkManager-libnm(x86-64) = 1:1.0.6-27.el7 for package: 1:NetworkManager-1.0.6-27.el7.x86_64
--> Processing Dependency: libnm.so.0(libnm_1_0_0)(64bit) for package: 1:NetworkManager-1.0.6-27.el7.x86_64
^C[root@Server ~]#


11. Reboot the system using init 6.


12. Log in to the system and check the kernel version.

[root@Server ~]# uname -mrs
Linux 3.10.0-327.el7.x86_64 x86_64

[root@Server ~]#

13. Check the /etc/redhat-release file.

[root@Server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.2 (Maipo)
[root@Server ~]#

We can see that the system has been updated successfully.
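
The repo file in step 7 sets gpgcheck=0, so yum installs every package from the ISO without verifying its signature. The script below is an added example, not part of the original post: it checks the ISO against the SHA-256 value published on the download page, writes the same repo definition with signature checking enabled, and lists repo files that disable it. The function names are hypothetical, and /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is assumed to be the Red Hat release key already installed on the system.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

# Succeeds only if the ISO's SHA-256 matches the value published by the vendor.
# usage: verify_iso <iso-file> <expected-sha256>
verify_iso() {
    actual=$(sha256sum "$1" 2>/dev/null | awk '{ print $1 }')
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# Write the local repo definition from step 7 with signature checking enabled.
# The key path is an assumption: the release key already installed on the host,
# so trust does not depend on a key read from the media being verified.
# usage: write_repo <repo-file> <mount-point>
write_repo() {
    cat > "$1" <<EOF
[repo]
name=repo-update
baseurl=file://$2
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# List repo files in a directory that switch signature checking off.
# usage: find_unsigned_repos <directory>
find_unsigned_repos() {
    grep -lE '^[[:space:]]*gpgcheck[[:space:]]*=[[:space:]]*0' "$1"/*.repo 2>/dev/null || true
}

# Demo on constructed files in a temporary directory (no root or real ISO needed).
demo=$(mktemp -d)
write_repo "$demo/ua.repo" /repo
printf '[old]\nbaseurl=file:///old\ngpgcheck=0\n' > "$demo/old.repo"
echo "Repo files with signature checking disabled:"
find_unsigned_repos "$demo"
```

On the server itself, run verify_iso before mounting the ISO and point write_repo at /etc/yum.repos.d/ua.repo with /repo as the mount point.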
