Hi All,

So onto part #2 of this series - setting up the Linux repositories that will be accessed from our VMs.

The reason this is required is because in a secure system application VMs should not have direct access to the Internet - even via a Proxy. Apart from the security concerns, another advantage of using local yum repositories in this way is that we know that all the VMs are synced to the same set of Repositories.

If we were just to use the publicly available Repos, and sync to 'latest', then there is no guarantee that 'latest' won't itself be patched or altered by the repository provider between one VM's sync and the next. The result would be some VMs being synced to a different version of 'latest' than others - something we wouldn't want.

So, onto the setup ...

Part 1 - Setting up the local repositories.


Setting up repos like this comes in two parts :

1. Syncing the repositories from the Internet and then creating the repositories.
   This is an important step, since it creates new copies of the repositories locally.
   Also, for the 'base' repository (used as the install from .iso), create this as an accessible repository.

2. Creating the appropriate directories in Apache that the VMs to be patched will use to access the patching repositories.

So, first up, creating the Repositories.
Typically I use a 100 GB volume - although you may choose to use a larger one.

Set it up using LVM, since this allows you to expand the storage later if at all required.

pvcreate /dev/sdd
vgcreate vg_yumpatchvol /dev/sdd
lvcreate -n yumpatch_lv vg_yumpatchvol -l 100%FREE
mkfs -t ext4 /dev/vg_yumpatchvol/yumpatch_lv

Next, create a mount point and add it to /etc/fstab.
In this case, I used /u02.

# Mount yum patching volume
/dev/mapper/vg_yumpatchvol-yumpatch_lv  /u02    ext4    defaults        0       0

Next, create the directory trees that will be needed to house the new repositories :

mkdir -p /u02/patching/yum/linux6

Now we can start the 'reposync' commands - used to pull down the repositories from the Internet to the local machine. Initially I did very standard 'reposync' commands, but later realized that a few more switches were needed in order to make the repositories suitable for Security patching work.

So these are the modified 'reposync' commands I'd now use :

# -m downloads the comps.xml group data; in reposync, -g is short for --gpgcheck and takes no argument.
/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -m --gpgcheck --download-metadata -r epel --download_path=/u02/patching/yum/linux6

/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -m --gpgcheck --download-metadata -r ol6_latest --download_path=/u02/patching/yum/linux6

/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -m --gpgcheck --download-metadata -r ol6_UEK_latest --download_path=/u02/patching/yum/linux6

/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -m --gpgcheck --download-metadata -r ol6_UEKR3_latest --download_path=/u02/patching/yum/linux6

/usr/bin/reposync -c /etc/yum/yum.conf -n -d -l -m --gpgcheck --download-metadata -r PublicOVM3Repo --download_path=/u02/patching/yum/ovm

Please note there is no reposync command for the ol6_base directory.
This is because it was sourced from the original .iso that was used to initially install Linux on the servers.
We actually don't want to ever reposync it - but just leave it in its original state.
.....

Next, we need to now set up the 'ol6_base' repo - that is, the repo that was used during the initial install.
Setting this up is a little different from the above, since we want to take the packages from the original install CD.

Mount up the .iso so it's available (the .iso path below is a placeholder for wherever your copy lives) :

mkdir -p /mnt/oel6
mount -o loop /path/to/oel6.iso /mnt/oel6

Then create the directory :

mkdir -p /u02/patching/yum/linux6/ol6_base/getPackage

Then copy the entire contents of the Packages directory on the .iso to :

/u02/patching/yum/linux6/ol6_base/getPackage

cp -R /mnt/oel6/Packages/* /u02/patching/yum/linux6/ol6_base/getPackage/

Take care that the copied packages sit directly beneath the 'getPackage' directory, not in a 'Packages' subdirectory of it.

Now 'cd' to : /u02/patching/yum/linux6/ol6_base/getPackage and you should see a list of all the packages.
Next, we need to copy across the 'repodata' directory from the mounted oel6.iso to here ..

Something like ...

cp -R /mnt/oel6/repodata .

Great - so now all of the packages and repodata for the original install directory are in the repo tree.

......

The next step is now to create new repositories from the directories we have just set up :

/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/epel

/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_latest/getPackage

/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_UEK_latest/getPackage

/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage

/usr/bin/createrepo --workers 10 /u02/patching/yum/ovm/PublicOVM3Repo/getPackage

/usr/bin/createrepo --workers 10 /u02/patching/yum/linux6/ol6_base/getPackage

In the end, your directory tree should look something like this :

[12:28 PM root@srv-utl /u02/patching]# pwd && tree -d -L 4
/u02/patching
.
└── yum
    ├── linux6
    │   ├── epel
    │   │   ├── Packages
    │   │   └── repodata
    │   ├── ol6_addons
    │   │   └── getPackage
    │   ├── ol6_base
    │   │   └── getPackage
    │   ├── ol6_latest
    │   │   └── getPackage
    │   ├── ol6_UEK_latest
    │   │   └── getPackage
    │   └── ol6_UEKR3_latest
    │       └── getPackage
    └── ovm
        └── PublicOVM3Repo
            └── getPackage

16 directories

After all this, there is one last piece of work that needs attention.

In order for the 'yum-plugin-security' functionality to work correctly, each repository that has been created needs an up to date copy of the updateinfo.xml.gz file in its ../getPackage/repodata directory.
Without this file, the Security patching functionality will not work!

To get hold of these files, you'll need to go to the Oracle public repository for OEL, find the file you're after and then download it and place it in its correct directory.

For example, for OEL6 latest, you can find this file in the repodata directory of the Oracle public yum server :

/repo/OracleLinux/OL6/latest/x86_64/repodata/

If these files are not installed, then from a server preparing to be patched, performing a :

yum check-update --security  

would result in no packages being found - even though this target system is in need of patching!

[root@server-to-be-patched-01 yum.repos.d]# yum check-update --security
Loaded plugins: security, ulninfo, versionlock
Limiting package lists to security relevant ones
No packages needed for security; 123 packages available

This issue will come up again when nightly refreshes are performed on the local patching repositories - but more on that in a later article.
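Because a missing updateinfo.xml.gz fails silently on the client side (the 'No packages needed for security' output above), it is worth checking the repositories on the patching server before the VMs ever ask. The following is an added example, not part of the original post: a small shell check that confirms repomd.xml actually lists an updateinfo entry and that the referenced file is present with the right sha256. The repodata directories it runs against in the demo are constructed fixtures under a temp directory, not /u02/patching.

```shell
#!/bin/sh
# Pre-flight check for yum-plugin-security: confirm that each local repository
# advertises updateinfo in repomd.xml and that the referenced file is present
# and intact. Constructed fixtures below stand in for a real mirror.
# Assumes createrepo's pretty-printed repomd.xml (one element per line).

# check_updateinfo REPO_DIR
# REPO_DIR is the directory createrepo was run on (e.g. .../ol6_latest/getPackage).
# Returns 0 only when repomd.xml lists an updateinfo entry whose file exists
# and whose sha256 matches; otherwise prints the reason and returns 1.
check_updateinfo() {
    local repo="$1" repomd block href want have
    repomd="$repo/repodata/repomd.xml"
    [ -f "$repomd" ] || { echo "FAIL $repo: no repodata/repomd.xml"; return 1; }

    # Isolate the <data type="updateinfo"> ... </data> element, if any.
    block=$(sed -n '/<data type="updateinfo">/,/<\/data>/p' "$repomd")
    if [ -z "$block" ]; then
        echo "FAIL $repo: repomd.xml lists no updateinfo (yum --security will see nothing)"
        return 1
    fi
    href=$(printf '%s\n' "$block" | sed -n 's/.*<location href="\([^"]*\)".*/\1/p')
    want=$(printf '%s\n' "$block" | sed -n 's/.*<checksum type="sha256">\([0-9a-f]*\)<.*/\1/p')
    [ -f "$repo/$href" ] || { echo "FAIL $repo: $href is listed but missing"; return 1; }
    have=$(sha256sum "$repo/$href" | cut -d' ' -f1)
    if [ "$have" != "$want" ]; then
        echo "FAIL $repo: checksum mismatch for $href (stale copy?)"
        return 1
    fi
    echo "OK   $repo: updateinfo present ($href)"
}

# make_fixture DIR yes|no
# Builds a constructed repodata directory. With "yes" it registers an
# updateinfo entry the way modifyrepo would; with "no" it mimics a repo that
# createrepo alone has just rebuilt.
make_fixture() {
    local dir="$1" sum
    mkdir -p "$dir/repodata"
    # Placeholder content; only its checksum matters for this check.
    printf '<updates/>\n' > "$dir/repodata/updateinfo.xml.gz"
    sum=$(sha256sum "$dir/repodata/updateinfo.xml.gz" | cut -d' ' -f1)
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        echo '  <data type="primary">'
        echo '    <checksum type="sha256">0000</checksum>'
        echo '    <location href="repodata/primary.xml.gz"/>'
        echo '  </data>'
        if [ "$2" = yes ]; then
            echo '  <data type="updateinfo">'
            echo "    <checksum type=\"sha256\">$sum</checksum>"
            echo "    <open-checksum type=\"sha256\">$sum</open-checksum>"
            echo '    <location href="repodata/updateinfo.xml.gz"/>'
            echo '  </data>'
        fi
        echo '</repomd>'
    } > "$dir/repodata/repomd.xml"
}

# Demo on constructed fixtures, not on /u02/patching.
demo=$(mktemp -d)
make_fixture "$demo/ol6_latest/getPackage" yes
make_fixture "$demo/ol6_UEK_latest/getPackage" no
for r in "$demo"/*/getPackage; do check_updateinfo "$r" || true; done
rm -rf "$demo"
```

Yum only reads the metadata files that repomd.xml points to, so if the check reports that repomd.xml lists no updateinfo even though the file has been copied into repodata, register it with modifyrepo (from the createrepo package), e.g. modifyrepo updateinfo.xml.gz /u02/patching/yum/linux6/ol6_latest/getPackage/repodata, and run the check again. Note that createrepo rewrites repodata from scratch, so this has to be repeated after every rebuild.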

Part 2 - Setting up the Apache directories.


This is the second part of preparing the Repositories. In this case, we need to present the downloaded content in such a way that the VMs to be patched can access the content. To do this, we'll use Apache to 'serve' the directories for usage by 'yum'.

If Apache isn't installed, install it first :

yum install httpd

To make it start up at boot :

(Linux 6 / Upstart) :

service httpd start
chkconfig httpd on

(Linux 7 / systemd) :

systemctl start httpd
systemctl enable httpd

The base Apache directory is at : /var/www/html - so it is from here that we'll create the directories we'll be needing. The commands below use absolute paths throughout, so they work regardless of the current directory, and the link targets must match the mirror directory names exactly (Linux paths are case-sensitive, so 'getpackage' is not 'getPackage').

mkdir -p /var/www/html/patching

First for epel :

mkdir -p /var/www/html/patching/epel/6
ln -s /u02/patching/yum/linux6/epel /var/www/html/patching/epel/6/x86_64

Next for ol6_latest :

mkdir -p /var/www/html/patching/ol67repo/OracleLinux/OL6/latest
ln -s /u02/patching/yum/linux6/ol6_latest/getPackage /var/www/html/patching/ol67repo/OracleLinux/OL6/latest/x86_64

Now for ol6_base :

mkdir -p /var/www/html/patching/ol67repo/OracleLinux/OL6/base
ln -s /u02/patching/yum/linux6/ol6_base/getPackage /var/www/html/patching/ol67repo/OracleLinux/OL6/base/x86_64

Now for ol6_UEK_latest :

mkdir -p /var/www/html/patching/ol67repo/OracleLinux/OL6/UEK
ln -s /u02/patching/yum/linux6/ol6_UEK_latest/getPackage /var/www/html/patching/ol67repo/OracleLinux/OL6/UEK/x86_64

Now for ol6_UEKR3 latest :

mkdir -p /var/www/html/patching/ol67repo/OracleLinux/OL6/UEKR3
ln -s /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage /var/www/html/patching/ol67repo/OracleLinux/OL6/UEKR3/x86_64

Finally for Oracle VM :

mkdir -p /var/www/html/patching/OracleVM/OVM3/34x_latest
ln -s /u02/patching/yum/ovm/PublicOVM3Repo/getPackage /var/www/html/patching/OracleVM/OVM3/34x_latest/x86_64

The last step is to stop / start Apache.

service httpd restart      (linux 6)
systemctl restart httpd    (linux 7)
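The same publishing step, as an added example that is not part of the original post: a small shell script that creates each Apache directory and x86_64 symlink from absolute paths, refuses a link target that does not contain repodata/repomd.xml, and re-checks every published link afterwards. The document root and mirror directories used in the demo are constructed under a temp directory rather than /var/www/html and /u02.

```shell
#!/bin/sh
# Publish local yum mirrors under the Apache document root as x86_64 symlinks
# and verify that each link resolves to a directory createrepo has populated.
# Paths in the demo are constructed under a temp directory (assumption).

# publish_repo DOCROOT RELPATH SOURCE
#   DOCROOT  Apache document root (e.g. /var/www/html)
#   RELPATH  path below DOCROOT that clients request, minus the trailing
#            x86_64 (e.g. patching/ol67repo/OracleLinux/OL6/latest)
#   SOURCE   absolute path of the directory createrepo was run on
# Refuses relative sources and sources without repodata/repomd.xml, so a
# typo cannot be published as an empty repository.
publish_repo() {
    local docroot="$1" relpath="$2" src="$3"
    case "$src" in
        /*) ;;
        *)  echo "FAIL $relpath: source must be absolute: $src"; return 1 ;;
    esac
    if [ ! -f "$src/repodata/repomd.xml" ]; then
        echo "FAIL $relpath: $src has no repodata/repomd.xml (typo, or createrepo not run?)"
        return 1
    fi
    mkdir -p "$docroot/$relpath"
    # -n replaces an existing x86_64 link instead of creating a link inside it.
    ln -sfn "$src" "$docroot/$relpath/x86_64"
    echo "OK   $relpath/x86_64 -> $src"
}

# verify_published DOCROOT
# Re-checks every x86_64 link below DOCROOT/patching; returns 1 if any link
# points at a directory without repomd.xml. Paths are assumed to contain no
# whitespace, as the ones in this article do not.
verify_published() {
    local docroot="$1" rc=0 link target
    [ -d "$docroot/patching" ] || { echo "FAIL no $docroot/patching"; return 1; }
    for link in $(find "$docroot/patching" -type l -name x86_64); do
        target=$(readlink "$link")
        if [ ! -f "$target/repodata/repomd.xml" ]; then
            echo "BROKEN $link -> $target"
            rc=1
        fi
    done
    return "$rc"
}

# Demo on a constructed layout under a temp directory.
demo=$(mktemp -d)
mkdir -p "$demo/u02/ol6_latest/getPackage/repodata"
: > "$demo/u02/ol6_latest/getPackage/repodata/repomd.xml"
publish_repo "$demo/www" patching/ol67repo/OracleLinux/OL6/latest "$demo/u02/ol6_latest/getPackage"
# Lower-case 'getpackage' is a different (here non-existent) directory on Linux.
publish_repo "$demo/www" patching/ol67repo/OracleLinux/OL6/base "$demo/u02/ol6_latest/getpackage" || true
verify_published "$demo/www" && echo "all published links resolve"
rm -rf "$demo"
```

Two things the symlinks also depend on once httpd is serving them: the directory block for /var/www/html must allow FollowSymLinks (the stock httpd.conf block does), and with SELinux enforcing, content under /u02 needs the httpd_sys_content_t label, e.g. semanage fcontext -a -t httpd_sys_content_t "/u02/patching(/.*)?" followed by restorecon -R /u02/patching; otherwise httpd answers 403 for every repository even though the links are correct.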

In the end, your directory trees should look something like this :

[12:51 PM root@srv-utl /var/www/html/OracleVM]# tree /var/www/html/patching/
/var/www/html/patching/
├── epel
│   └── 6
│       └── x86_64 -> /u02/patching/yum/linux6/epel
├── ol67repo
│   └── OracleLinux
│       └── OL6
│           ├── base
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_base/getPackage
│           ├── latest
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_latest/getPackage
│           ├── UEK
│           │   └── x86_64 -> /u02/patching/yum/linux6/ol6_UEK_latest/getPackage
│           └── UEKR3
│               └── x86_64 -> /u02/patching/yum/linux6/ol6_UEKR3_latest/getPackage
├── ol6_addons
│   └── OracleLinux
│       └── OL6
│           └── addons
│               └── x86_64 -> /u02/patching/yum/linux6/ol6_addons/getPackage
└── OracleVM
    └── OVM3
        └── 34x_latest
            └── x86_64 -> /u02/patching/yum/ovm/PublicOVM3Repo/getPackage

21 directories, 0 files

Part 3 - Creating the 'patching.repo' file.


The last step, which allows the VMs in the farm to access these new repositories, is to create a 'patching.repo' file that is then distributed to each VM in the farm.

The patching.repo file should be placed in the : /etc/yum.repos.d/ directory of each VM that will need patching.

[root@server-to-be-patched yum.repos.d]# cat patching.repo
[patching-epel]
name=Extra Packages for Enterprise Linux 6 (Patching Repo) - $basearch
baseurl=http://10.10.10.10/patching/epel/6/$basearch
failovermethod=priority
enabled=0
gpgcheck=0

[patching_ol6_base]
name=Patching Oracle Linux $releasever Base ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/base/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/latest/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_addons]
name=Patching Oracle Linux $releasever Add ons ($basearch)
baseurl=http://10.10.10.10/patching/ol6_addons/OracleLinux/OL6/addons/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_UEK_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/UEK/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_UEKR3_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/UEKR3/$basearch/
gpgcheck=0
enabled=1

[patching_OVM3Repo]
gpgcheck=0
baseurl=http://10.10.10.10/patching/OracleVM/OVM3/34x_latest/x86_64/
name=patching_OVM3Repo
enabled=0
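One thing to notice in the file above is gpgcheck=0 in every stanza. That switches off RPM signature verification on the client, while the --gpgcheck on the reposync commands only verified packages at download time on the repository server. The signatures live inside the RPMs themselves, so a local mirror can keep gpgcheck=1 with gpgkey pointing at the vendor key that is already on the box: Oracle Linux 6 ships it as /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle, while EPEL packages are signed with a different key (RPM-GPG-KEY-EPEL-6 from the epel-release package), so the epel stanza needs its own gpgkey. The following shell script is an added example, not part of the original post: it audits a .repo file for stanzas with gpgcheck disabled or missing a gpgkey, and writes a hardened copy with a key URL you supply. The stanzas in the demo are constructed from the file above, with the 10.10.10.10 placeholder address kept.

```shell
#!/bin/sh
# Audit and harden a yum .repo file. Mirroring packages locally does not strip
# the vendor signatures inside the RPMs, so clients can keep gpgcheck=1 and
# verify them against the vendor key shipped in /etc/pki/rpm-gpg.

# audit_repo_file FILE
# Prints one line per stanza whose gpgcheck is not 1, or which has gpgcheck=1
# but no gpgkey=, and returns 1 if any were found (0 when the file is clean).
audit_repo_file() {
    awk '
        function flush() {
            if (repo == "") return
            if (gpgcheck != "1") {
                print "WEAK " repo ": gpgcheck=" (gpgcheck == "" ? "unset (inherits [main])" : gpgcheck)
                bad++
            } else if (gpgkey == "") {
                print "WEAK " repo ": gpgcheck=1 but no gpgkey"
                bad++
            }
        }
        /^[ \t]*\[.*\][ \t]*$/ {
            flush()
            repo = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", repo)
            gpgcheck = ""; gpgkey = ""
            next
        }
        /^[ \t]*gpgcheck[ \t]*=/ { split($0, kv, "="); gsub(/[ \t]/, "", kv[2]); gpgcheck = kv[2] }
        /^[ \t]*gpgkey[ \t]*=/   { gpgkey = "set" }
        END { flush(); exit (bad > 0) }
    ' "$1"
}

# harden_repo_file FILE KEYURL
# Writes a copy of FILE to stdout with gpgcheck=1 in every stanza and a
# gpgkey=KEYURL line added to stanzas that have none; existing gpgkey lines
# are kept. Stanzas are assumed to be separated by blank lines, as above.
harden_repo_file() {
    awk -v key="$2" '
        function finish() {
            if (repo == "" || finished) return
            if (!seen_check) print "gpgcheck=1"
            if (!seen_key)   print "gpgkey=" key
            finished = 1
        }
        /^[ \t]*\[.*\][ \t]*$/   { finish(); repo = $0; seen_check = 0; seen_key = 0; finished = 0; print; next }
        /^[ \t]*$/               { finish(); print; next }
        /^[ \t]*gpgcheck[ \t]*=/ { seen_check = 1; print "gpgcheck=1"; next }
        /^[ \t]*gpgkey[ \t]*=/   { seen_key = 1 }
        { print }
        END { finish() }
    ' "$1"
}

# Demo on a constructed copy of two Oracle Linux stanzas from the file above.
demo=$(mktemp -d)
cat > "$demo/patching.repo" <<'EOF'
[patching_ol6_base]
name=Patching Oracle Linux $releasever Base ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/base/$basearch/
gpgcheck=0
enabled=1

[patching_ol6_latest]
name=Patching Oracle Linux $releasever Latest ($basearch)
baseurl=http://10.10.10.10/patching/ol67repo/OracleLinux/OL6/latest/$basearch/
gpgcheck=0
enabled=1
EOF
audit_repo_file "$demo/patching.repo" || echo "-- hardening with the Oracle Linux 6 key --"
harden_repo_file "$demo/patching.repo" file:///etc/pki/rpm-gpg/RPM-GPG-KEY-oracle > "$demo/hardened.repo"
audit_repo_file "$demo/hardened.repo" && cat "$demo/hardened.repo"
rm -rf "$demo"
```

Because harden_repo_file applies one key URL to the whole file, run it separately on the Oracle stanzas and the epel stanza (or split the file in two), each with the matching key; a package signed with a key other than the one in gpgkey will be rejected by yum, which is exactly the point of turning the check back on.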

And that's it. You have set up the repositories needed for patching your server environment, as well as making them accessible to 'yum' via Apache.

In the next article, we'll look at implementing nightly refreshes of these patching repositories.

See the full series on Linux Patching here.