Hi All,

This article is a little different from the previous ones - in that it takes a look at some of the useful utilities 'yum' provides in order to support the patching work.

As you'll see, 'yum' has great support for reviewing the work that has been previously done, as well as rolling back that work.

Also - don't ever forget the power of the Linux 'man' pages - they hold a wealth of useful information on the utilities that sit at your fingertips.

Before we start, the Red Hat article here is very good and well worth a look :

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/deployment_guide/sec-yum-transaction_history

It's worth reading the above document since it describes what the flags and fields mean in the output of some of the commands that follow.

So, let's get started ...

The yum-security plug-in


'yum-security' provides some very useful tools for examining the patches that are available for a system.

As a reminder - if you are finding that some of these commands do not list any information then it's possible that the 'updateinfo' information (discussed in earlier articles) isn't available or is damaged.

yum updateinfo list --> gives a list of ALL patches available, including bugfixes :

[root@server-to-be-patched yum.repos.d]# yum updateinfo list
Loaded plugins: security, ulninfo, versionlock
OVMBA-2018-0055 bugfix         ConsoleKit-0.4.1-6.el6.x86_64
OVMBA-2018-0055 bugfix         ConsoleKit-libs-0.4.1-6.el6.x86_64
OVMBA-2018-0191 bugfix         SDL-1.2.14-7.el6_7.1.x86_64
OVMBA-2018-0045 bugfix         acl-2.2.49-7.el6_9.1.x86_64
OVMBA-2018-0046 bugfix         alsa-lib-1.1.0-4.el6.x86_64
OVMBA-2018-0047 bugfix         at-3.1.10-49.el6.x86_64
OVMBA-2018-0048 bugfix         audit-2.4.5-6.el6.x86_64

.... (some bugfixes skipped to show different entry types)

OVMBA-2018-0087 bugfix         iproute-2.6.32-54.0.1.el6.x86_64
OVMEA-2017-0003 enhancement    iptables-1.4.7-16.0.5.el6.x86_64
OVMEA-2017-0003 enhancement    iptables-ipv6-1.4.7-16.0.5.el6.x86_64
OVMBA-2018-0088 bugfix         iputils-20071127-24.el6.x86_64
OVMBA-2016-0024 bugfix         irqbalance-2:1.0.9-2.el6.x86_64
OVMBA-2017-0131 bugfix         irqbalance-2:1.0.9-2.0.1.el6.x86_64
OVMBA-2018-0091 bugfix         kernel-headers-2.6.32-696.18.7.el6.x86_64
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMBA-2016-0044 bugfix         kernel-uek-4.1.12-37.2.1.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec.  kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
OVMSA-2016-0083 Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64

You can list out just security related patches as well :

[root@server-to-be-patched yum.repos.d]# yum updateinfo list security
Loaded plugins: security, ulninfo, versionlock
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec.  kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
OVMSA-2016-0083 Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64
OVMSA-2016-0091 Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
OVMSA-2016-0094 Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64
OVMSA-2016-0097 Important/Sec. kernel-uek-4.1.12-37.6.3.el6uek.x86_64
OVMSA-2016-0100 Important/Sec. kernel-uek-4.1.12-61.1.6.el6uek.x86_64
OVMSA-2016-0134 Important/Sec. kernel-uek-4.1.12-61.1.10.el6uek.x86_64


The available security patches can also be listed by the CVEs they address :

[root@jts-vm-res-apps-adm-01 yum.repos.d]# yum updateinfo list cves
Loaded plugins: security, ulninfo, versionlock
 CVE-2016-3157    Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
 CVE-2016-0617    Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
 CVE-2015-8767    Moderate/Sec.  kernel-uek-4.1.12-37.2.2.el6uek.x86_64
 CVE-2016-0758    Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
 CVE-2013-4312    Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
 CVE-2016-4565    Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64
 CVE-2016-6197    Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
 CVE-2016-2117    Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
 CVE-2016-6198    Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
 CVE-2015-8660    Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64
 CVE-2016-4470    Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64

To get a summary of what's available you can use a command line like this :

[root@server-to-be-patched yum.repos.d]# yum updateinfo list all --security | grep -v 'i ' | grep -v 'list' | grep -v 'plugins:' |  awk '{print $2}' | sort | uniq -c | sort -n
      5 Low/Sec.
      6 Critical/Sec.
    100 Moderate/Sec.
    887 Important/Sec.
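The pipeline above counts packages per severity with a chain of greps. As an added example (not from the original post), the awk function below parses the advisory lines of 'yum updateinfo list' directly and also counts distinct advisory IDs, so you can see how many advisories, not just how many package updates, sit at each level; the sample listing is constructed from the output format shown above.

```shell
#!/bin/sh
# Added example: summarise 'yum updateinfo list' output by type/severity.
# Each listing line is: <advisory ID> <type or severity> <package NEVRA>,
# e.g. "OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64".
# The function reads the listing on stdin and skips the plugin banner.
summarize_updateinfo() {
    awk '
        /^Loaded plugins:/ || NF < 3 { next }
        {
            pkgs[$2]++                 # one line per affected package
            seen[$1 " " $2] = 1        # one advisory may cover several packages
        }
        END {
            for (k in seen) { split(k, p, " "); advs[p[2]]++ }
            for (s in pkgs)
                printf "%-16s %3d package(s) %3d advisory(ies)\n", s, pkgs[s], advs[s]
        }
    ' | sort
}

# Number of package updates that carry a security severity (the "/Sec." suffix).
security_package_count() {
    awk '$2 ~ /\/Sec\.$/ { n++ } END { print n + 0 }'
}

# Constructed sample listing (not from a real system), in the format of
# 'yum updateinfo list'. Note OVMBA-2018-0055 covers two packages.
SAMPLE_LISTING='Loaded plugins: security, ulninfo, versionlock
OVMBA-2018-0055 bugfix         ConsoleKit-0.4.1-6.el6.x86_64
OVMBA-2018-0055 bugfix         ConsoleKit-libs-0.4.1-6.el6.x86_64
OVMEA-2017-0003 enhancement    iptables-1.4.7-16.0.5.el6.x86_64
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec.  kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64'

# On a real host, replace the sample with: yum updateinfo list all | summarize_updateinfo
printf '%s\n' "$SAMPLE_LISTING" | summarize_updateinfo
printf 'security-relevant package updates: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LISTING" | security_package_count)"
```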

The 'yum check-update --security' command is also very useful to show just the security patches that can be applied :

[root@server-to-be-patched yum.repos.d]#  yum check-update --security
Loaded plugins: security, ulninfo, versionlock
Limiting package lists to security relevant ones
2 package(s) needed for security, out of 337 available

kernel-uek.x86_64           3.8.13-118.30.1.el6uek   patching_ol6_UEKR3_latest
kernel-uek-firmware.noarch  3.8.13-118.30.1.el6uek   patching_ol6_UEKR3_latest

All the above commands use the 'list' sub-command - but it's also possible to replace 'list' with 'info' for far more detailed information :

[root@server-to-be-patched yum.repos.d]# yum updateinfo info security
Loaded plugins: security, ulninfo, versionlock

===============================================================================
   kernel-uek security update
===============================================================================
  Update ID : OVMSA-2016-0041
    Release : Oracle Linux m
       Type : security
     Status : final
     Issued : 2016-03-29
       CVEs : CVE-2016-3157
            : CVE-2016-0617
Description : [4.1.12-32.2.3]
            : - rebuild bumping release
            :
            : [4.1.12-32.2.2]
            : - x86/iopl/64: properly context-switch IOPL on Xen
            :   PV (Andy Lutomirski)  [Orabug: 22997978]
            :   {CVE-2016-3157}
            : - fs/hugetlbfs/inode.c: fix bugs in
            :   hugetlb_vmtruncate_list() (Mike Kravetz)
            :   [Orabug: 22667863]
            :
            : [4.1.12-32.2.1]
            : - rebuild bumping release
   Severity : Important

===============================================================================
   kernel-uek security update
===============================================================================
  Update ID : OVMSA-2016-0047
    Release : Oracle Linux m
       Type : security
     Status : final
     Issued : 2016-05-06
       CVEs : CVE-2015-8767
Description : [4.1.12-37.2.2]
            : - sctp: Prevent soft lockup when sctp_accept() is
            :   called during a timeout event (Karl Heiss)
            :   [Orabug: 23222731]  {CVE-2015-8767}
   Severity : Moderate

The above output is just a sample of the information you can retrieve with this command.

Next, a really useful piece of functionality - 'yum provides'.

yum provides


This command will list out which packages across the whole system are associated with a particular file - really cool stuff!

Here are some examples :

[root@server-to-be-patched network-scripts]# yum provides */ntp.conf
Loaded plugins: security, ulninfo, versionlock
ntp-4.2.6p5-5.el6_7.4.x86_64 : The NTP daemon and utilities
Repo        : local_ol6_latest
Matched from:
Filename    : /etc/ntp.conf

ntp-4.2.6p5-15.0.1.el6_10.x86_64 : The NTP daemon and utilities
Repo        : installed
Matched from:
Filename    : /etc/ntp.conf

Finally, let's take a look at 'yum history'.

yum history


'yum history' is a very useful and versatile yum command that allows you to examine the transaction history of yum.

What makes this so powerful is that it brings alive the concept of yum 'transactions' - compartmentalized pieces of work yum has performed.

A yum 'transaction' can consist of just a single piece of work - e.g. 'yum install ' - or of changes to multiple packages.

This is where the power of yum history and transactions really shines, since it is entirely possible to :

  1. Install yum security patches that contain many actions (installs, updates, removes) as one transaction.
    This is in fact how a security patch is applied - many actions rolled up into a single transaction.

  2. Roll back a security patch simply by rolling back the transaction.
    If a transaction contains many sub-parts, yum will take care of them all - returning the system to the state it was in before the patching.

Let's take a look at some of the commands :

This first example just lists the last 20 transactions (which is the default number for the 'yum history list' command).
To get a full list, use 'yum history list all'.

[root@server-to-be-patched yum.repos.d]# yum history list
Loaded plugins: security, ulninfo, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    92 | root <root>              | 2019-02-04 21:04 | Update         |    1
    91 | root <root>              | 2019-02-04 21:04 | Update         |    1
    90 | root <root>              | 2019-02-04 21:04 | Update         |    1
    89 | root <root>              | 2019-02-04 21:04 | Update         |    1
    88 | root <root>              | 2019-02-04 21:03 | Update         |    3
    87 | root <root>              | 2019-02-04 21:03 | Update         |    1
    86 | root <root>              | 2019-02-04 21:03 | Update         |    1
    85 | root <root>              | 2019-02-04 21:03 | I, U           |    4
    84 | root <root>              | 2019-02-04 21:03 | Install        |    1
    83 | root <root>              | 2019-02-04 21:03 | Update         |    1
    82 | root <root>              | 2019-02-04 21:03 | Update         |    1
    81 | root <root>              | 2019-02-04 21:03 | Update         |    2
    80 | root <root>              | 2019-02-04 21:03 | Update         |    2
    79 | root <root>              | 2019-02-04 21:03 | Update         |    2
    78 | root <root>              | 2019-02-04 20:39 | Update         |   46 EE
    77 |  <rubiconred>            | 2019-02-03 22:20 | Downgrade      |    9 EE
    76 | root <root>              | 2019-02-03 22:10 | Downgrade      |   37 EE
    75 |  <rubiconred>            | 2019-02-03 22:07 | Install        |    1
    74 | root <root>              | 2019-02-03 21:35 | Downgrade      |    2
    73 | root <root>              | 2019-02-03 21:35 | Downgrade      |    2

In case you're wondering what some of the letters mean at the end of some lines - in the 'Action(s)' and 'Altered' columns (e.g. 'EE' on lines 19 - 21) - you can find the definitions in the above mentioned Red Hat document (and in the yum man page), but for convenience here they are :

Possible values of the Action(s) field

  D (Downgrade)   - at least one package was downgraded to an older version
  E (Erase)       - at least one package was removed
  I (Install)     - at least one new package was installed
  O (Obsoleting)  - at least one package was marked as obsolete
  R (Reinstall)   - at least one package was reinstalled
  U (Update)      - at least one package was updated to a newer version

Possible values of the Altered field

  <  - before the transaction finished, the rpmdb was changed outside of yum
  >  - after the transaction finished, the rpmdb was changed outside of yum
  *  - the transaction aborted before finishing
  #  - the transaction finished successfully, but yum returned a non-zero exit code
  E  - the transaction finished successfully, but an error or warning was displayed
  P  - the transaction finished successfully, but problems already existed in the rpmdb
  s  - the transaction finished successfully, but the --skip-broken option was in effect

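Before relying on 'yum history undo', it is worth knowing which transactions finished with errors or were run by a login other than root. As an added example (not from the original post), the function below reads 'yum history list all' output on stdin and reports the rows whose Altered flags or login user warrant a look; the sample rows are constructed in the table format shown above, including an aborted row that does not appear on this page.

```shell
#!/bin/sh
# Added example: audit 'yum history list all' output for transactions that
# deserve a closer look before patching on top of them or undoing them.
# Columns (separated by '|'): ID | Login user | Date and time | Action(s) | Altered
# The Altered column holds a package count optionally followed by flags:
#   E = errors/warnings, * = aborted, # = non-zero exit, < or > = rpmdb changed outside yum.
audit_history() {
    awk -F'|' '
        # Only data rows have a purely numeric first column; header, rule and banner are skipped.
        $1 !~ /^ *[0-9]+ *$/ { next }
        {
            id = $1; user = $2; action = $4; altered = $5
            gsub(/^ +| +$/, "", id);     gsub(/^ +| +$/, "", user)
            gsub(/^ +| +$/, "", action); gsub(/^ +| +$/, "", altered)
            n = split(altered, f, " ")        # f[1] = package count, f[2] = flags (if any)
            flags = (n > 1) ? f[2] : ""
            why = ""
            if (flags ~ /E/)    why = why "errors-or-warnings "
            if (flags ~ /\*/)   why = why "aborted "
            if (flags ~ /#/)    why = why "nonzero-exit "
            if (flags ~ /[<>]/) why = why "rpmdb-changed-outside-yum "
            if (user !~ /^root /) why = why "non-root-user "
            if (why != "") printf "%s %s %s %s: %s\n", id, user, action, f[1], why
        }
    '
}

# Constructed sample rows (not from a real system) in the format of 'yum history list'.
HISTORY_SAMPLE='Loaded plugins: security, ulninfo, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    88 | root <root>              | 2019-02-04 21:03 | Update         |    3
    85 | root <root>              | 2019-02-04 21:03 | I, U           |    4
    78 | root <root>              | 2019-02-04 20:39 | Update         |   46 EE
    77 |  <rubiconred>            | 2019-02-03 22:20 | Downgrade      |    9 EE
    75 |  <rubiconred>            | 2019-02-03 22:07 | Install        |    1
    70 | root <root>              | 2019-02-01 09:12 | Update         |   12 *'

# On a real host: yum history list all | audit_history
printf '%s\n' "$HISTORY_SAMPLE" | audit_history
```

Clean root transactions (88 and 85 in the sample) produce no output, so an empty result means every recorded transaction completed without flags.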

Let's now say we need to see what was changed for transaction 88 - we now use the 'info' sub-command to display some quite detailed information :

[root@server-to-be-patched yum.repos.d]# yum history info 88
Loaded plugins: security, ulninfo, versionlock
Transaction ID : 88
Begin time     : Mon Feb  4 21:03:24 2019
Begin rpmdb    : 733:e8a8c4828dd18459725ab1c57dd05cd7141aaced
End time       :            21:04:45 2019 (81 seconds)
End rpmdb      : 733:81364220837ead7b7fc9cd3515a21a0f6a1005c9
User           : root <root>
Return-Code    : Success
Command Line   : update -y microcode_ctl
Transaction performed with:
    Installed     rpm-4.8.0-47.el6.x86_64      @anaconda-OracleLinuxServer-201507280245.x86_64/6.7
    Installed     yum-3.2.29-69.0.1.el6.noarch @anaconda-OracleLinuxServer-201507280245.x86_64/6.7
Packages Altered:
    Updated dracut-004-388.0.1.el6.noarch            @patching_ol6_base
    Update         004-411.0.1.el6.noarch            @patching_ol6_latest
    Updated dracut-kernel-004-388.0.1.el6.noarch     @patching_ol6_base
    Update                004-411.0.1.el6.noarch     @patching_ol6_latest
    Updated microcode_ctl-1:1.17-20.el6.x86_64       @patching_ol6_base
    Update                1:1.17-33.1.0.6.el6.x86_64 @patching_ol6_latest

And finally we can use yum transaction history to roll back the security changes with the 'undo' sub-command :

[root@server-to-be-patched yum.repos.d]# yum history undo 88
Loaded plugins: security, ulninfo, versionlock
Undoing transaction 88, from Mon Feb  4 21:03:24 2019
    Updated dracut-004-388.0.1.el6.noarch            @patching_ol6_base
    Update         004-411.0.1.el6.noarch            @patching_ol6_latest
    Updated dracut-kernel-004-388.0.1.el6.noarch     @patching_ol6_base
    Update                004-411.0.1.el6.noarch     @patching_ol6_latest
    Updated microcode_ctl-1:1.17-20.el6.x86_64       @patching_ol6_base
    Update                1:1.17-33.1.0.6.el6.x86_64 @patching_ol6_latest
Resolving Dependencies
--> Running transaction check
---> Package dracut.noarch 0:004-388.0.1.el6 will be a downgrade
---> Package dracut.noarch 0:004-411.0.1.el6 will be erased
---> Package dracut-kernel.noarch 0:004-388.0.1.el6 will be a downgrade
---> Package dracut-kernel.noarch 0:004-411.0.1.el6 will be erased
---> Package microcode_ctl.x86_64 1:1.17-20.el6 will be a downgrade
---> Package microcode_ctl.x86_64 1:1.17-33.1.0.6.el6 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

==============================================================================================================================================================================
 Package                                   Arch                               Version                                      Repository                                    Size
==============================================================================================================================================================================
Downgrading:
 dracut                                    noarch                             004-388.0.1.el6                              local_ol6_latest                             125 k
 dracut-kernel                             noarch                             004-388.0.1.el6                              local_ol6_latest                              26 k
 microcode_ctl                             x86_64                             1:1.17-20.el6                                local_ol6_latest                             736 k

Transaction Summary
==============================================================================================================================================================================
Downgrade     3 Package(s)

Total download size: 888 k
Is this ok [y/N]: N
Exiting on user Command
Your transaction was saved, rerun it with:
 yum load-transaction /tmp/yum_save_tx-2019-02-07-22-45DiLvpd.yumtx

This is a very powerful piece of functionality - we'll see more of it later during the discussion on rolling back patches.

The next article in this series looks at RPM - The Red Hat Package Manager. It's worth a quick look since, like the tooling provided by 'yum', it empowers you to fix any issues that may occur during the patching process.