OSErrata

From T2B Wiki

What is this page about?

On this page, we will consider all RPM updates except kernel updates, which are fully explained here.

Most of the time, these updates are applied after a critical vulnerability has been discovered and the patched RPMs have been released.

Where to find the updates?

For Scientific Linux, updates can be downloaded here: http://linux.web.cern.ch/linux/updates/

Be careful when determining the list of RPM updates to download: there might be dependencies! It is always a good idea to simulate a "yum update" of the RPMs you would like to update; that way you will see whether additional RPMs are needed. As an example, after the critical vulnerability CVE-2010-4170 was discovered, site admins were asked to update systemtap-runtime. Simulating a "yum update systemtap-runtime" on one of our machines, we got:

...
Dependencies Resolved

======================================================================================================================================================
 Package                                Arch                        Version                                    Repository                        Size
======================================================================================================================================================
Updating:
 systemtap                              x86_64                      1.1-3.el5_5.3                              sl-security                      2.2 M
 systemtap-runtime                      x86_64                      1.1-3.el5_5.3                              sl-security                       85 k
Installing for dependencies:
 kernel-devel                           x86_64                      2.6.18-194.26.1.el5                        sl-security                      5.4 M
...

This simulation reveals that updating the systemtap and systemtap-runtime RPMs also pulls in kernel-devel as a dependency, so that RPM is needed as well!

Adding the updates to BEgrid repository

This task is described here.

Updating the errata template

For each OS, there should be an errata template that lists the updates to apply:

cfg/sites/begrid/os/<OperatingSystem>/rpms/errata.tpl

These updates should normally be applied using the pkg_ronly function (the updated RPM is installed only if a previous version is found). Note: with pkg_repl, the RPM is installed whether or not an older version was installed earlier. As an example, here is the content of the errata template for OS SL5.3 x86_64:

#cat ~/workspace/central-begrid-v6/cfg/sites/begrid/os/sl530-x86_64/rpms/errata.tpl

template rpms/errata;

'/software/packages'=pkg_ronly('glibc','2.5-49.el5_5.7','i686');
'/software/packages'=pkg_ronly('glibc','2.5-49.el5_5.7','x86_64');
'/software/packages'=pkg_ronly('glibc-common','2.5-49.el5_5.7','x86_64');
'/software/packages'=pkg_ronly('glibc-devel','2.5-49.el5_5.7','i386');
'/software/packages'=pkg_ronly('glibc-devel','2.5-49.el5_5.7','x86_64');
'/software/packages'=pkg_ronly('glibc-headers','2.5-49.el5_5.7','x86_64');
'/software/packages'=pkg_ronly('glibc-utils','2.5-49.el5_5.7','x86_64');
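
The following Python script is an added example, not code from the original page or from the BEgrid configuration. It parses the simulated "yum update" output shown earlier and emits pkg_ronly lines in the errata.tpl format; the function names are assumptions, and the sample input is the page's output with the column spacing condensed.

```python
import re

# Constructed sample: the yum simulation quoted on this page, spacing condensed.
SAMPLE = """\
Dependencies Resolved
=========================================================================
 Package             Arch     Version               Repository    Size
=========================================================================
Updating:
 systemtap           x86_64   1.1-3.el5_5.3         sl-security   2.2 M
 systemtap-runtime   x86_64   1.1-3.el5_5.3         sl-security    85 k
Installing for dependencies:
 kernel-devel        x86_64   2.6.18-194.26.1.el5   sl-security   5.4 M
"""

# A package row: name, arch, version, repository, then a size with its unit.
ROW = re.compile(r"^\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+[\d.]+\s+[kMG]$")


def parse_transaction(text):
    """Return {section heading: [(name, version, arch), ...]}."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.endswith(":") and not line.startswith(" "):
            current = line.rstrip(":")
            sections[current] = []
        elif current is not None:
            m = ROW.match(line)
            if m:
                name, arch, version, _repo = m.groups()
                sections[current].append((name, version, arch))
    return sections


def errata_lines(sections):
    """Return (pkg_ronly lines for updated RPMs, newly installed RPMs)."""
    updated, new = [], []
    for heading, pkgs in sections.items():
        if heading.startswith("Updating"):
            updated.extend(pkgs)
        elif heading.startswith("Installing"):  # no previous version installed
            new.extend(pkgs)
    fmt = "'/software/packages'=pkg_ronly('%s','%s','%s');"
    return [fmt % p for p in updated], new


if __name__ == "__main__":
    lines, new = errata_lines(parse_transaction(SAMPLE))
    print("\n".join(lines + ["# review: %s %s %s" % p for p in new]))
```

kernel-devel lands in the second list: since pkg_ronly installs an RPM only when a previous version is found, a dependency that yum installs fresh needs a separate decision before it goes into the template.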

Activate update deployment in your site

Updates defined in errata.tpl are only applied if the variable PKG_DEPLOY_OS_ERRATA is true. It is set to false by default at the BEgrid level. So, to activate the deployment of updates, we had to add:

variable PKG_DEPLOY_OS_ERRATA = true;

in the template:

cfg/sites/iihe-production/site/global_variables.tpl

