Hi All,

Continuing on with the Linux patching series, this article looks at how to make sure the newly set up patching repositories are kept up to date on a nightly basis.

This task turned out to be more involved than anticipated: apart from performing a reposync on the directories, you also need to modify the repo (re-attach the updateinfo.xml file), otherwise the newly synced packages carry no security metadata and yum's security plugin will not select them.

In the course of this work, the importance of 'modifyrepo' became obvious: from a server preparing to be patched, running

yum check-update --security  

returned no packages - even though this target system was in need of patching!

[root@server-to-be-patched yum.repos.d]# yum check-update --security
Loaded plugins: security, ulninfo, versionlock
Limiting package lists to security relevant ones
No packages needed for security; 123 packages available

If you see this result on a host that you know is missing security updates, it is likely caused by either :

  • the updateinfo.xml file not being present in the repo you have set up (no <data type="updateinfo"> entry in its repomd.xml), or
  • the updateinfo.xml file being out of date, so the newer packages are not listed in any advisory.

Please note that the 'epel' repository doesn't have a corresponding 'updateinfo' file - well, none that I could find.
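A quick way to confirm the first cause, and to catch the second before the nightly job silently stops doing its job, is to look at the repo's repomd.xml: yum only knows an updateinfo file exists if repomd.xml carries a <data type="updateinfo"> entry, and that entry records the timestamp of the file. The following is an added example, not part of the original script; the repomd.xml files it inspects are constructed in a temp directory for the demonstration, and the two-day limit is an arbitrary choice for a nightly sync.

```shell
#!/bin/sh
# Added example (not from the original article): check a mirror's repomd.xml for
# the 'updateinfo' entry that 'yum --security' depends on, and how old it is.
# The sample XML below and the paths under mktemp are constructed for the demo.

# check_updateinfo REPOMD_XML MAX_AGE_SECONDS [NOW_EPOCH]
#   prints OK / MISSING / STALE and returns 0 / 1 / 2 respectively.
#   NOW_EPOCH defaults to the current time; it is a parameter so the check
#   can be exercised against fixed sample data.
check_updateinfo() {
    repomd=$1
    max_age=$2
    now=${3:-$(date +%s)}

    if [ ! -r "$repomd" ]; then
        echo "MISSING: cannot read $repomd"
        return 1
    fi

    # repomd.xml lists one <data type="..."> block per metadata file;
    # pull the <timestamp> out of the updateinfo block only.
    ts=$(sed -n '/<data type="updateinfo">/,/<\/data>/p' "$repomd" \
         | sed -n 's/.*<timestamp>\([0-9][0-9]*\)<\/timestamp>.*/\1/p' \
         | head -n 1)

    if [ -z "$ts" ]; then
        echo "MISSING: no updateinfo entry in $repomd (modifyrepo not run?)"
        return 1
    fi

    age=$((now - ts))
    if [ "$age" -gt "$max_age" ]; then
        echo "STALE: updateinfo is ${age}s old (limit ${max_age}s)"
        return 2
    fi

    echo "OK: updateinfo is ${age}s old"
    return 0
}

# write_sample_repomd FILE UPDATEINFO_TIMESTAMP
#   Constructed repomd.xml with a primary entry and, when a timestamp is given,
#   an updateinfo entry of the shape modifyrepo adds.
write_sample_repomd() {
    file=$1
    uts=$2
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        echo '  <revision>1400000000</revision>'
        echo '  <data type="primary">'
        echo '    <location href="repodata/primary.xml.gz"/>'
        echo '    <timestamp>1400000000</timestamp>'
        echo '  </data>'
        if [ -n "$uts" ]; then
            echo '  <data type="updateinfo">'
            echo '    <location href="repodata/updateinfo.xml.gz"/>'
            echo "    <timestamp>$uts</timestamp>"
            echo '  </data>'
        fi
        echo '</repomd>'
    } > "$file"
}

# Stand-alone demonstration against constructed data, pretending "now" is
# 1400100000 and allowing the updateinfo to be at most two days (172800s) old.
SAMPLE_DIR=$(mktemp -d)
write_sample_repomd "$SAMPLE_DIR/fresh.xml" 1400090000     # 10000s old
write_sample_repomd "$SAMPLE_DIR/stale.xml" 1399000000     # ~12.7 days old
write_sample_repomd "$SAMPLE_DIR/missing.xml" ""           # no updateinfo at all

for f in fresh stale missing; do
    msg=$(check_updateinfo "$SAMPLE_DIR/$f.xml" 172800 1400100000) && rc=0 || rc=$?
    echo "$f: rc=$rc $msg"
done
rm -rf "$SAMPLE_DIR"
```

On the mirror host you would point check_updateinfo at the repodata/repomd.xml of each repo after the nightly run; from a client, fetch the same file from the repo's baseurl first. A MISSING result reproduces the 'No packages needed for security' symptom above, and a STALE result means the nightly job has been failing for longer than the limit while the repo is still being served as if it were current.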

The script and how to run it


The script does the following :
  • Reposync the local repositories (except ol6_base, of course!) to the latest version of each package.
  • Create a new repository (createrepo) over the newly reposynced packages.
  • Add the upstream 'updateinfo' to that repository (modifyrepo) so that the yum security plugin works successfully against it.

Although the script can be run at any time, for a nightly run it's convenient to place it in :

/etc/cron.daily   

I name it resync-patching-repos.sh. It has to be executable (chmod 700 is enough, root runs it) or run-parts will skip it, and each repo id it syncs must be defined in the mirror host's own yum configuration (/etc/yum/yum.conf and /etc/yum.repos.d) with gpgcheck=1 and the upstream gpgkey set, since reposync's --gpgcheck relies on yum's own signature check to drop any downloaded package that does not verify.

#!/bin/bash
#
#  Resync the Repos
#
#  Runs nightly from /etc/cron.daily. For each mirrored repo:
#    1. reposync the newest packages (and the upstream metadata),
#    2. createrepo over the package directory,
#    3. pull the upstream updateinfo.xml into the freshly built repodata
#       with modifyrepo, so 'yum --security' works against the mirror.
#

set -u

YUMCONF=/etc/yum/yum.conf
REPOSYNC="/usr/bin/reposync -c $YUMCONF -n -d -l -g comps.xml --gpgcheck --download-metadata --norepopath"
CREATEREPO="/usr/bin/createrepo --workers 10"

# sync_repo REPOID DOWNLOAD_PATH REPO_DIR
#   REPOID        repo id as defined in $YUMCONF / /etc/yum.repos.d on this host
#   DOWNLOAD_PATH directory reposync is told to fill
#   REPO_DIR      directory createrepo/modifyrepo operate on. The Oracle repos
#                 keep their rpms under getPackage/, so the yum repo lives there.
sync_repo() {
    local repoid=$1 download_path=$2 repo_dir=$3
    local repodata=$repo_dir/repodata
    local gzfile

    $REPOSYNC -r "$repoid" --download_path="$download_path" \
        || { echo "$repoid: reposync failed" >&2; return 1; }

    $CREATEREPO "$repo_dir" \
        || { echo "$repoid: createrepo of $repo_dir failed" >&2; return 1; }

    # Now let's get the latest security info and apply it.
    # The upstream file carries a checksum prefix (<sum>-updateinfo.xml.gz);
    # createrepo has just rebuilt repodata/, so the newest one found under
    # DOWNLOAD_PATH is the copy reposync fetched tonight.
    gzfile=$(find "$download_path" -name '*updateinfo.xml.gz' -printf '%T@ %p\n' \
             | sort -rn | head -n 1 | cut -d' ' -f2-)
    if [ -z "$gzfile" ]; then
        echo "$repoid: no updateinfo.xml.gz downloaded; 'yum --security' will see nothing for this repo" >&2
        return 1
    fi

    # Unzip the updateinfo.xml file into the repodata just built ...
    /bin/gzip -dc "$gzfile" > "$repodata/updateinfo.xml" \
        || { echo "$repoid: could not unpack $gzfile" >&2; return 1; }

    # ... and modify the repo so that repomd.xml reflects the updated security info
    /usr/bin/modifyrepo "$repodata/updateinfo.xml" "$repodata"
}

rc=0

#####################
# First let's do epel - no updateinfo to apply here (see the note above)

$REPOSYNC -r epel --download_path=/u02/patching/yum/linux6/epel || rc=1
$CREATEREPO /u02/patching/yum/linux6/epel || rc=1

#####################
# Next the Oracle Linux 6 repos: ol6_addons, ol6_latest, ol6_UEK_latest, ol6_UEKR3_latest

for repo in ol6_addons ol6_latest ol6_UEK_latest ol6_UEKR3_latest; do
    sync_repo "$repo" \
              /u02/patching/yum/linux6/$repo \
              /u02/patching/yum/linux6/$repo/getPackage || rc=1
done

################
# Lastly for OVM

sync_repo PublicOVM3Repo \
          /u02/patching/yum/ovm/PublicOVM3Repo \
          /u02/patching/yum/ovm/PublicOVM3Repo/getPackage || rc=1

exit $rc

OK - so at this point we now have all the required patching repositories set up and being updated nightly.

One thing you'll want to consider is when to 'stop' this process once you start patching your estate. A nightly refresh during your patching cycle creates the possibility of servers patched early in the cycle ending up with different (lower) versions of software than the servers done later, which would receive the very latest versions.
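One simple way to implement that stop, as an added example that is not part of the original article: a freeze marker file that the nightly script checks before it touches any repo. Whoever runs the patching cycle writes its last day into the marker as YYYY-MM-DD; while that day has not passed, the resync exits without doing anything, so every server in the cycle is patched from the same set of packages. The marker path and its contents are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): a freeze marker for the nightly
# resync. Line 1 of the marker holds the last day of the patching window as
# YYYY-MM-DD (anything after the date is free text). The marker path used in the
# demonstration is created with mktemp; the real one would be fixed, e.g. under
# /u02/patching (an assumption, not a path from the article).

# sync_allowed FREEZE_FILE [TODAY]
#   returns 0 when the resync may proceed, 1 when the repos are frozen.
#   TODAY (YYYY-MM-DD) defaults to the current date; it is a parameter so the
#   check can be exercised against fixed sample data.
sync_allowed() {
    freeze_file=$1
    today=${2:-$(date +%Y-%m-%d)}

    # No marker: nothing is frozen.
    [ -f "$freeze_file" ] || return 0

    until_date=$(sed -n '1s/^\([0-9]\{4\}-[0-9]\{2\}-[0-9]\{2\}\).*/\1/p' "$freeze_file")
    if [ -z "$until_date" ]; then
        # Fail closed: an unreadable marker is still somebody asking for a freeze.
        echo "freeze marker $freeze_file has no YYYY-MM-DD on line 1; refusing to sync" >&2
        return 1
    fi

    # ISO dates compare correctly as integers once the dashes are removed.
    t=$(printf '%s' "$today" | tr -d -)
    u=$(printf '%s' "$until_date" | tr -d -)
    if [ "$t" -le "$u" ]; then
        echo "repos frozen until $until_date ($freeze_file); skipping resync" >&2
        return 1
    fi

    echo "freeze marker $freeze_file expired on $until_date; remove it" >&2
    return 0
}

# Stand-alone demonstration with a constructed marker and three fixed "todays".
FREEZE=$(mktemp)
echo "2015-03-20  Q1 patching cycle, contact: ops on-call" > "$FREEZE"
for day in 2015-03-10 2015-03-20 2015-03-21; do
    if sync_allowed "$FREEZE" "$day" 2>/dev/null; then
        echo "$day: would resync"
    else
        echo "$day: skipped (frozen)"
    fi
done
rm -f "$FREEZE"
```

In the cron script this is one line before the first reposync, for instance sync_allowed /u02/patching/FREEZE || exit 0. The check deliberately fails closed: a marker that is present but has no usable date stops the sync rather than letting it through, because an unexpected refresh in the middle of a cycle is exactly what the marker exists to prevent. It also keeps nagging on stderr (which cron mails) once the date has passed, so a forgotten marker does not silently block the next cycle from being set.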

In the next article, we're going to take a look at the servers that are going to be patched - and in particular how to manage which repositories are and are not available during the patching process.

See the full series on Linux Patching here.