RHEL8 patch dependencies

My RHEL8 servers are not internet facing and get the latest OS patches from a surrogate repository that synchronises (real time) externally.

At the beginning of every month, I run a shell script to identify the latest RHEL8 OS patches. These are downloaded to a local directory and each patch is added to a patch list text file. This OS bundle is then zipped and used on every RHEL8 server. Doing so ensures (or so I thought!) the same patches and dependencies are applied to all RHEL8 servers in a given month.
On each server, after downloading/untarring the latest OS bundle, I run another script to loop through the patch list text file installing/updating the patch from the local directory... adding the patch output to a log file:

yum -y install "$patch" >> /var/patch/"installListing_$(date +%b%y).log"

(Note: need to replace yum with dnf)

How can I ensure that the patch list and associated dependencies applied at the beginning of the month are the same dependencies that are applied at the end of the month?

Can I / should I disable the connection to the internal repo so there is no dependency check, or, instead of downloading to a local directory, should I create a local repository and download the patch/dependency updates to that local repository?

Hello,

It sounds like, for your requirements, it might actually be simpler to run your own local repository server and point your local servers at that for patching purposes, yes. You could then populate that local repository with just the updates/packages you wanted to be present, thus being totally sure that: A) the client servers could never install anything else since all that's available is what's in the repository; and B) the repository only contains exactly what you expect it to at all times, since it only updates when you update it.

1 Like

Well, if your servers have access to a local repository (which is in turn synced from internet mirrors), why are you copying RPM files to your servers?

An RPM repository, among other things, contains metadata files / an SQLite database which describe the packages (versions present, errata included, etc.).

Updating your system like you do is kinda broken but doable :slight_smile:

If you really like to copy stuff around, then make an ISO out of the entire repository, mount it on the client and use a locally defined repository on your servers with every other repo disabled.
Then do a yum update.

As for an exact patch match, I would recommend using Foreman and locking your versions (content promote) before patching; it is free software (the paid equivalent would be Red Hat Satellite).

This will ensure that you are applying the versions you want, and you would use the Foreman server (or a proxy if required) as a yum repository.
After subscribing your server to Foreman and installing a specific package, it would auto-configure those repositories on your servers and add the servers to be managed by Foreman.

It has a bit of a learning curve, but the benefits are great since you have a central place from which you see what has been / needs to be patched, in which environment.

You can also use it to patch your servers remotely from Foreman.
And you are not limited to the RHEL ecosystem by using Foreman; it supports many other distributions as well.

Hope that helps

Regards
Peasant.

1 Like
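The approach both replies converge on, a frozen local repository that is the only repository enabled while patching, written out as an added shell example. This is not code from the thread or from any of the tools mentioned; it assumes the untarred bundle lives in /var/patch/bundle, a repo id of monthly-patches, a patch list at /var/patch/patchlist.txt with one package name per line, and that createrepo_c is available on the host that builds the bundle. The DNF variable exists so the install loop can be exercised with a stand-in command on a machine without dnf.

```shell
#!/bin/bash
# Added example, not code from the thread. Freeze a monthly RHEL8 patch bundle as a
# local repository and install from it with every other repository disabled, so that
# dependency resolution on day 1 and day 30 sees exactly the same RPMs.
# BUNDLE_DIR, REPO_ID and the patch list format ('#' comments and blank lines
# allowed) are assumptions of this example, not conventions from the thread.

set -u

BUNDLE_DIR="${BUNDLE_DIR:-/var/patch/bundle}"   # assumed: where the OS bundle is untarred
REPO_ID="${REPO_ID:-monthly-patches}"            # assumed repo id
DNF="${DNF:-dnf}"                                # overridable so the loop can be dry-run

# Build host, once per month after the download: turn the directory into a yum/dnf
# repository (metadata shipped inside the bundle) and checksum every RPM in it.
build_bundle() {
    local dir="$1"
    createrepo_c --update "$dir"
    make_manifest "$dir"
}

make_manifest() {
    local dir="$1"
    ( cd "$dir" && find . -type f -name '*.rpm' | LC_ALL=C sort | xargs -r sha256sum ) \
        > "$dir/MANIFEST.sha256"
}

# Each server, before installing anything: refuse a bundle that is incomplete or
# whose RPMs differ from what was checksummed at build time.
verify_manifest() {
    local dir="$1"
    [ -s "$dir/MANIFEST.sha256" ] || return 2
    ( cd "$dir" && sha256sum --quiet -c MANIFEST.sha256 )
}

# Repo definition for the frozen bundle. gpgcheck=1 keeps signature checking on even
# though the RPMs come from a local path rather than the internal mirror.
write_repo_file() {
    local dir="$1" out="$2"
    cat > "$out" <<EOF
[$REPO_ID]
name=Frozen monthly RHEL8 patch bundle
baseurl=file://$dir
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
EOF
}

# Install each listed package with only the frozen repo visible. Disabling the live
# internal mirror for the transaction is what stops dnf resolving a dependency to a
# newer build than the one that was in the bundle at the start of the month.
install_from_list() {
    local list="$1" logfile="$2" pkg
    while IFS= read -r pkg; do
        case "$pkg" in ''|'#'*) continue ;; esac
        "$DNF" -y --disablerepo='*' --enablerepo="$REPO_ID" install "$pkg" \
            >> "$logfile" 2>&1 || return 1
    done < "$list"
}

# Typical run on a server; only called explicitly, so sourcing this file does nothing.
patch_server() {
    local logfile="/var/patch/installListing_$(date +%b%y).log"
    verify_manifest "$BUNDLE_DIR" || { echo "bundle failed verification, aborting" >&2; return 1; }
    write_repo_file "$BUNDLE_DIR" "/etc/yum.repos.d/$REPO_ID.repo"
    install_from_list /var/patch/patchlist.txt "$logfile" || return 1
    # Record the exact versions installed so this month's result can be compared
    # server to server and against the end-of-month run.
    rpm -qa --qf '%{NAME}-%{EPOCH}:%{VERSION}-%{RELEASE}.%{ARCH}\n' | LC_ALL=C sort \
        > "/var/patch/installed_$(date +%b%y).txt"
}
```

The manifest check answers the "same bundle everywhere" concern: a server that received a truncated or modified tarball stops before the first install rather than silently resolving against a different set. The `--disablerepo='*' --enablerepo=...` pair answers the question of whether to cut the connection to the internal repo: you leave the repo configured but make it invisible to this transaction, so nothing outside the frozen set can satisfy a dependency. The installed_*.txt record is what lets you confirm afterwards that two servers, or the same server at the start and end of the month, ended up with identical package versions.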