Create a roll with security updates. Has been tested with Rocks 6.2
This roll fundamentally determines which packages in a rocks-dist created ditribution require security updates. It then creates a roll with those packages.
The roll was inspired by the updateinfo.xml generation process described in http://blog.vmfarms.com/2013/12/inject-little-security-in-to-your.html. The 3rd party components used in the roll:
This roll uses
errata.latest.xmlfile that is maintained and updated by CEFS project http://cefs.steve-meier.de/errata.latest.xml
a previous version used
The roll works as follows
The security information is downloaded into
The roll creates a local rocks-dist distro
the information from
errata.latest.xmlis used to determine which RPMS in the rocks-dist distro require update
It then downloads the required RPMs (and their dependencies) as RPMs for this roll. This utilizes yumdownloader
The roll can be added to the cluster, a new distro created and then
yum updatecan used to upgrade the frontend.
During the make roll run a directory
current/ and script
bin/downloadRPMS.sh are generated.
The directory contains the latest
The script lists commands used for downloading RPMs.
Binary yumdownloader must be present. If not, install with :
# yum --enablerepo=base install yum-utils
Building the roll
Checkout roll distribution from git repo :
# git clone https://github.com/rocksclusters/security-updates.git # cd security-updates/ # make roll
The roll iso image name is of the form:
Installing the roll
To install the roll :
# rocks add roll os-6.2-security-updates-08_01_2015-0.x86_64.disk1.iso # rocks enable roll os-6.2-security-updates # (cd /export/rocks/install; rocks create distro) # yum clean all # yum check-update
The output of the last command should list all the RPMs that are now available from the Rocks repo. For example:
# yum check-update Rocks-6.2 | 2.9 kB 00:00 ... Rocks-6.2/primary_db | 2.1 MB 00:00 ... cairo.x86_64 1.8.8-6.el6_6 Rocks-6.2 cairo-devel.x86_64 1.8.8-6.el6_6 Rocks-6.2 cups.x86_64 1:1.4.2-67.el6_6.1 Rocks-6.2 cups-libs.x86_64 1:1.4.2-67.el6_6.1 Rocks-6.2 kernel.x86_64 2.6.32-504.23.4.el6 Rocks-6.2 kernel-devel.x86_64 2.6.32-504.23.4.el6 Rocks-6.2 kernel-doc.noarch 2.6.32-504.23.4.el6 Rocks-6.2 kernel-firmware.noarch 2.6.32-504.30.3.el6 Rocks-6.2 kernel-headers.x86_64 2.6.32-504.23.4.el6 Rocks-6.2 nss.x86_64 3.19.1-3.el6_6 Rocks-6.2 nss-sysinit.x86_64 3.19.1-3.el6_6 Rocks-6.2 nss-tools.x86_64 3.19.1-3.el6_6 Rocks-6.2 nss-util.x86_64 3.19.1-1.el6_6 Rocks-6.2
To install RPMS :
# yum update
Or install specific updates one by one per your security requirements.
The process of building and installing a roll can be set as a cron job on a weekly/monthly or other basis.
Multiple architecture packages resolution
It may happen that there is an update for multiple architectures of RPM and both need to be installed. The roll downloads both architecutes if both are listed as security updates and makes them available but yum will still produce a dependency resolution error and suggest a work around. Here is an example of how to deal with firefox dependency nss-softokn-freebl for i686 and x86_64: ::
yum update --exclude nss-softokn-freebl.i686
The command above will install rpms for x86_64 architecture and skip i686. Verify if you really need to install the i686 rpm. If you do, install it with
yum --enablerepo=base,updates install nss-softokn-freebl.i686
yum update --setopt=protected_multilib=false to intsall updates for both architectures may have an undesired
effect of installing i686 and removing x86_64 fro the same verison of RPM.