So onto part #2 of this series - setting up the Linux repositories that will be accessed from our VMs.
The reason this is required is that in a secure system application VMs should not have direct access to the Internet - not even via a proxy. Apart from the security concerns, another advantage of using local yum repositories in this way is that we know all the VMs are synced to the same set of repositories.
If we were simply to use the publicly available repos and sync to 'latest', there would be no guarantee that 'latest' would not itself be patched or altered by the repository provider between one VM's sync and the next. The result would be some VMs synced to a different version of 'latest' than others - something we wouldn't want.
So, onto the setup ...
Part 1 - Setting up the local repositories.
Setting up repos like this comes in two parts :
1. Syncing the repositories from the Internet and then creating the repositories. This is an important step, since it creates new copies of the repositories locally. Also, for the 'base' repository (the one used for the install from .iso), create this as an accessible repository.
2. Creating the appropriate directories in Apache that the VMs to be patched will use to access the patching repositories.
So, first up, creating the Repositories.
Typically I use a 100 GB volume - although you may choose to use a larger one.
Set it up using LVM, since this allows you to expand the storage later if at all required.
pvcreate /dev/sdd
vgcreate vg_yumpatchvol /dev/sdd
lvcreate -n yumpatch_lv vg_yumpatchvol -l 100%FREE
mkfs -t ext4 /dev/vg_yumpatchvol/yumpatch_lv
Next, create a mount point and add it to /etc/fstab.
In this case, I used /u02.
# Mount yum patching volume
/dev/mapper/vg_yumpatchvol-yumpatch_lv /u02 ext4 defaults 0 0
Next, create the directory trees that will be needed to house the new repositories :
mkdir -p /u02/patching/yum/linux6
Now we can start the 'reposync' commands, used to pull the repositories down from the Internet to the local machine. Initially I used very standard 'reposync' commands, but later realized that a few more switches were needed in order to make the repositories suitable for security patching work.
So these are the modified 'reposync' commands I'd now use :
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -g comps.xml --gpgcheck --download-metadata --newest-only -r epel --download_path=/u02/patching/yum/linux6
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -g comps.xml --gpgcheck --download-metadata --newest-only -r ol6_latest --download_path=/u02/patching/yum/linux6
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -g comps.xml --gpgcheck --download-metadata --newest-only -r ol6_UEK_latest --download_path=/u02/patching/yum/linux6
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -g comps.xml --gpgcheck --download-metadata --newest-only -r ol6_UEKR3_latest --download_path=/u02/patching/yum/linux6
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -g comps.xml --gpgcheck --download-metadata --newest-only -r PublicOVM3Repo --download_path=/u02/patching/yum/ovm
Please note there is no reposync command for the ol6_base directory.
This is because it was sourced from the original .iso that was used to initially install Linux on the servers.
We actually don't want to ever reposync it - but just leave it in its original state.
Next, we need to now set up the 'ol6_base' repo - that is, the repo that was used during the initial install.
Setting this up is a little different from the above, since we want to take the packages from the original install CD.
Mount up the .iso so it's available.
Then create the directory :
mkdir -p /u02/patching/yum/linux6/ol6_base/getPackage
Then copy the entire contents of the .iso's Packages directory into the 'getPackage' directory just created.
Take care that the copied packages sit directly beneath the 'getPackage' directory.
Now 'cd' to : /u02/patching/yum/linux6/ol6_base/getPackage and you should see a list of all the packages.
Next, we need to copy across the 'repodata' directory from the mounted oel6.iso to here, with something like :
cp -R oel6.iso/repodata .
Great - so now all of the packages and repodata for the original install directory are in the repo tree.
The next step is now to create new repositories from the directories we have just set up :
/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/epel
/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_latest/getPackage
/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_UEK_latest/getPackage
/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage
/usr/bin/createrepo --workers 10 /u02/patching/yum/ovm/PublicOVM3Repo/getPackage
/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_base/getPackage
In the end, your directory tree should look something like this :
[12:28 PM root@srv-utl /u02/patching]# pwd && tree -d -L 4
/u02/patching
.
└── yum
    ├── linux6
    │   ├── epel
    │   │   ├── Packages
    │   │   └── repodata
    │   ├── ol6_addons
    │   │   └── getPackage
    │   ├── ol6_base
    │   │   └── getPackage
    │   ├── ol6_latest
    │   │   └── getPackage
    │   ├── ol6_UEK_latest
    │   │   └── getPackage
    │   └── ol6_UEKR3_latest
    │       └── getPackage
    └── ovm
        └── PublicOVM3Repo
            └── getPackage

16 directories
After all this, there is one last piece of work that needs attention.
In order for the 'yum-plugin-security' functionality to work correctly, you will need to ensure that, for each repository that has been created, there is an up-to-date copy of the updateinfo.xml.gz file in that repository's ../getPackage/repodata directory.
Without this file, the security patching functionality will not work!
To get hold of these files, you'll need to go to the Oracle public repository for OEL, find the file you're after and then download it and place it in its correct directory.
For example, for OEL6 latest, you can find this file at :
Index of /repo/OracleLinux/OL6/latest/x86_64/repodata/
If these files are not installed, then you'll find that, from a server preparing to be patched, running :
yum check-update --security
would result in no packages being found - even though this target system is in need of patching!
[root@server-to-be-patched-01 yum.repos.d]# yum check-update --security
Loaded plugins: security, ulninfo, versionlock
Limiting package lists to security relevant ones
No packages needed for security; 123 packages available
This issue will come up again when nightly refreshes are performed on the local patching repositories - but more on that in a later article.
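Because createrepo rewrites repomd.xml and does not carry an updateinfo entry over, simply having the packages in place is not enough: repomd.xml has to advertise updateinfo.xml.gz, and the file has to be there. The script below is an added example, not code from the article, that checks exactly that for every repository under a root directory (it follows symlinks, so it works on both the /u02/patching/yum tree and the Apache symlink tree). The sample repositories it builds in make_sample_tree are constructed for the demonstration; register_updateinfo shows the modifyrepo step (from the createrepo package) that adds a downloaded updateinfo.xml.gz to repomd.xml.

```shell
#!/bin/sh
# Added example for this article, not the author's own code: sanity-check a
# local yum repository tree before publishing it through Apache. For every
# repository found under a root (the article's /u02/patching/yum, or the
# /var/www/html/patching symlink tree, since symlinks are followed) it
# verifies that repodata/repomd.xml exists, advertises an "updateinfo"
# entry, and that the advertised file is really present. Without that
# entry "yum check-update --security" finds nothing, as shown above.
# The sample repositories built by make_sample_tree are constructed here
# purely for the demonstration.

# check_repo DIR
#   0  repomd.xml present and the advertised updateinfo file exists
#   1  repodata/repomd.xml missing (createrepo never ran here)
#   2  repomd.xml has no <data type="updateinfo"> entry
#   3  updateinfo advertised, but the referenced file is absent
check_repo() {
    repo="$1"
    repomd="$repo/repodata/repomd.xml"
    if [ ! -f "$repomd" ]; then
        echo "MISSING repomd.xml: $repo" >&2
        return 1
    fi
    # Take the <location href="..."> inside the updateinfo <data> block.
    href=$(sed -n '/<data type="updateinfo">/,/<\/data>/p' "$repomd" |
           sed -n 's/.*<location href="\([^"]*\)".*/\1/p' | head -n 1)
    if [ -z "$href" ]; then
        echo "NO updateinfo advertised: $repo" >&2
        return 2
    fi
    if [ ! -f "$repo/$href" ]; then
        echo "updateinfo advertised but file absent: $repo/$href" >&2
        return 3
    fi
    echo "OK: $repo ($href)" >&2
    return 0
}

# check_tree ROOT: runs check_repo on every directory that holds a repodata
# subdirectory (symlinks followed); returns the number of failing repos.
check_tree() {
    failed=0
    for rd in $(find -L "$1" -type d -name repodata); do
        check_repo "$(dirname "$rd")" || failed=$((failed + 1))
    done
    return "$failed"
}

# register_updateinfo DIR: the fix for return code 2. createrepo rewrites
# repomd.xml without an updateinfo entry, so the downloaded updateinfo.xml.gz
# must be registered with modifyrepo (from the createrepo package) after it
# has been copied into DIR/repodata.
register_updateinfo() {
    modifyrepo "$1/repodata/updateinfo.xml.gz" "$1/repodata"
}

# make_sample_tree DIR: constructed sample data, shaped like real repomd.xml.
make_sample_tree() {
    mkdir -p "$1/good/repodata" "$1/bad/repodata" "$1/stale/repodata"
    cat > "$1/good/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="updateinfo">
    <location href="repodata/updateinfo.xml.gz"/>
  </data>
</repomd>
EOF
    : > "$1/good/repodata/updateinfo.xml.gz"
    # "stale" advertises updateinfo but the file was never copied in.
    cp "$1/good/repodata/repomd.xml" "$1/stale/repodata/repomd.xml"
    # "bad" is what createrepo alone leaves behind: no updateinfo entry.
    cat > "$1/bad/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary">
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF
}
```

Run `check_tree /u02/patching/yum` after the createrepo step (and again after any nightly refresh); a non-zero return code means at least one repository would silently report "No packages needed for security" to the VMs.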
Part 2 - Setting up the Apache directories.
This is the second part of preparing the repositories. In this case, we need to present the downloaded content in such a way that the VMs to be patched can access it. To do this, we'll use Apache to 'serve' the directories for use by 'yum'.
If Apache isn't installed, install it first :
yum install httpd
To make it start up at boot :
(Linux 6 / Upstart) :
service httpd start
chkconfig httpd on
(Linux 7 / systemd) :
systemctl start httpd
systemctl enable httpd
The base Apache directory is at : /var/www/html - so it is from here that we'll create the directories we'll be needing.
cd /var/www/html
mkdir patching
First for epel :
cd /var/www/html
mkdir -p patching/epel/6
cd patching/epel/6
ln -s /u02/patching/yum/linux6/epel x86_64
Next for ol6_latest :
cd /var/www/html
mkdir -p patching/ol67repo/OracleLinux/OL6/latest
cd patching/ol67repo/OracleLinux/OL6/latest
ln -s /u02/patching/yum/linux6/ol6_latest/getPackage x86_64
Now for ol6_base :
cd /var/www/html
mkdir -p patching/ol67repo/OracleLinux/OL6/base
cd patching/ol67repo/OracleLinux/OL6/base
ln -s /u02/patching/yum/linux6/ol6_base/getPackage x86_64
Now for ol6_UEK_latest :
cd /var/www/html
mkdir -p patching/ol67repo/OracleLinux/OL6/UEK
cd patching/ol67repo/OracleLinux/OL6/UEK
ln -s /u02/patching/yum/linux6/ol6_UEK_latest/getPackage x86_64
Now for ol6_UEKR3 latest :
cd /var/www/html
mkdir -p patching/ol67repo/OracleLinux/OL6/UEKR3
cd patching/ol67repo/OracleLinux/OL6/UEKR3
ln -s /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage x86_64
Finally for Oracle VM :
cd /var/www/html
mkdir -p patching/OracleVM/OVM3/34x_latest
cd patching/OracleVM/OVM3/34x_latest
ln -s /u02/patching/yum/ovm/PublicOVM3Repo/getPackage x86_64
The last step is to stop / start Apache.
service httpd restart      (Linux 6)
systemctl restart httpd    (Linux 7)
In the end, your directory trees should look something like this :
[12:51 PM root@srv-utl /var/www/html/OracleVM]# tree /var/www/html/patching/
/var/www/html/patching/
├── epel
│   └── 6
│       └── x86_64 -> /u02/patching/yum/linux6/epel
├── ol67repo
│   └── OracleLinux
│       └── OL6
│           ├── base
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_base/getPackage
│           ├── latest
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_latest/getPackage
│           ├── UEK
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_UEK_latest/getPackage
│           └── UEKR3
│               └── x86_64 -> /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage
├── ol6_addons
│   └── OracleLinux
│       └── OL6
│           └── addons
│               └── x86_64 -> /u02/patching/yum/linux6/ol6_addons/getPackage
└── OracleVM
    └── OVM3
        └── 34x_latest
            └── x86_64 -> /u02/patching/yum/ovm/PublicOVM3Repo/getPackage

21 directories, 0 files
Part 3 - Creating the 'patching.repo' file.
The last step - which allows the VMs in the farm to access these new repositories - is to create a 'patching.repo' file that will need to be distributed to each VM in the farm.
The patching.repo file should be placed in the : /etc/yum.repos.d/ directory of each VM that will need patching.
[root@server-to-be-patched yum.repos.d]# cat patching.repo
[patching-epel]
name=Extra Packages for Enterprise Linux 6 (Patching Repo) - $basearch
baseurl=http://10.10.10.10/patching/epel/6/$basearch
failovermethod=priority
enabled=0
gpgcheck=0

[patching_ol6_base]
name=Patching Oracle Linux $releasever Base ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/base/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/latest/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_addons]
name=Patching Oracle Linux $releasever Add ons ($basearch)
baseurl=http://10.10.10.10/patching/ol6_addons/OracleLinux/OL6/addons/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_UEK_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/UEK/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_UEKR3_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/UEKR3/$basearch/
gpgcheck=0
enabled=1

[patching_OVM3Repo]
gpgcheck=0
baseurl=http://10.10.10.10/patching/OracleVM/OVM3/34x_latest/x86_64/
name=patching_OVM3Repo
enabled=0
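The patching.repo above sets gpgcheck=0 in every section. The RPMs on the local mirror are still the vendor's signed packages, so turning signature checking on costs nothing and lets each VM notice a tampered or corrupted mirror. The script below is an added example, not part of the article, that audits a .repo file and lists every enabled section that does not have gpgcheck=1. The sample .repo it writes is constructed for the demonstration and shows one hardened stanza beside the weak ones; the gpgkey path it uses is the usual Oracle Linux location and is an assumption to verify on your own systems.

```shell
#!/bin/sh
# Added example for this article, not the author's own code: audit a yum
# .repo file and report each enabled section that does not verify package
# signatures (gpgcheck=1). The article's patching.repo sets gpgcheck=0 in
# every section; the RPMs on a local mirror are still the vendor's signed
# packages, so enabling the check costs nothing and lets each VM detect a
# tampered or corrupted mirror. The sample .repo text below is constructed
# for the demonstration, and the gpgkey path is the usual Oracle Linux
# location (an assumption to verify on your own system).

# weak_sections FILE: prints the name of every section that is enabled
# (enabled=1, or no enabled= line, which yum treats as enabled) and does
# not set gpgcheck=1.
weak_sections() {
    awk '
        function flush() {
            if (sec != "" && enabled != "0" && gpgcheck != "1") print sec
        }
        /^[[:space:]]*\[/ {
            flush()
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec)
            sub(/\].*$/, "", sec)
            enabled = ""
            gpgcheck = ""
            next
        }
        /^[[:space:]]*enabled[[:space:]]*=/ {
            enabled = $0
            sub(/^[^=]*=[[:space:]]*/, "", enabled)
            sub(/[[:space:]]*$/, "", enabled)
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            gpgcheck = $0
            sub(/^[^=]*=[[:space:]]*/, "", gpgcheck)
            sub(/[[:space:]]*$/, "", gpgcheck)
        }
        END { flush() }
    ' "$1"
}

# count_weak FILE: echoes the number of weak sections.
count_weak() {
    weak_sections "$1" | wc -l | tr -d ' '
}

# write_sample_repo FILE: constructed sample in the layout of the article's
# patching.repo. Only patching_ol6_latest is hardened; patching_OVM3Repo has
# no gpgcheck line at all; patching-epel is weak but disabled.
write_sample_repo() {
    cat > "$1" <<'EOF'
[patching_ol6_base]
name=Patching Oracle Linux $releasever Base ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/base/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/latest/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle
enabled=1

[patching_OVM3Repo]
name=patching_OVM3Repo
baseurl=http://10.10.10.10/patching/OracleVM/OVM3/34x_latest/x86_64/
enabled=1

[patching-epel]
name=Extra Packages for Enterprise Linux 6 (Patching Repo) - $basearch
baseurl=http://10.10.10.10/patching/epel/6/$basearch
enabled=0
gpgcheck=0
EOF
}
```

Running `weak_sections /etc/yum.repos.d/patching.repo` on a VM that received the article's file lists every enabled section, since none of them sets gpgcheck=1; after the stanzas are changed to the hardened form shown for patching_ol6_latest the output is empty.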
And that's it. You have set up the repositories needed for patching your server environment, as well as making them accessible to 'yum' via Apache.
In the next article, we'll look at implementing nightly refreshes of these patching repositories.
See the full series on Linux Patching here.