Managing errata

ATIX provides errata for hosts running Ubuntu. There are three types of advisories (in order of importance):

Security Advisory

Describes fixed security issues found in the package. The security impact of the issue can be Low, Moderate, Important, or Critical.

Bug Fix Advisory

Describes bug fixes for the package.

Product Enhancement Advisory

Describes enhancements and new features added to the package.

orcharhino imports this errata information when synchronizing upstream repositories. orcharhino also provides tools to inspect and filter errata, allowing for precise update management. This way, you can select relevant updates and propagate them through content views to selected content hosts.

Errata are labeled according to the most important advisory type they contain. Therefore, errata labeled as Product Enhancement Advisory can contain only enhancement updates, while Bug Fix Advisory errata can contain both bug fixes and enhancements, and Security Advisory can contain all three types.

In orcharhino, there are two keywords that describe an erratum’s relationship to the available content hosts:

Applicable

An erratum that applies to one or more content hosts, which means it updates packages present on the content host. Although these errata apply to content hosts, until their state changes to Installable, the errata are not ready to be installed. Installable errata are automatically applicable.

Installable

An erratum that applies to one or more content hosts and is available to install on the content host. Installable errata are available to a content host from lifecycle environment and the associated content view, but are not yet installed.

This chapter shows how to manage errata and apply them to either a single host or multiple hosts.

The ATIX AG Debian and Ubuntu Errata service provides errata for Debian and Ubuntu. When creating a repository of type deb, point the Errata URL to ATIX AG Debian and Ubuntu Errata service. Use https://dep.atix.de/dep/api/v1/debian for Debian, https://dep.atix.de/dep/api/v1/ubuntu for Ubuntu, and https://dep.atix.de/dep/api/v1/ubuntu-esm for Ubuntu-ESM.

An erratum contains the information which packages have to be updated to fix a security issue. Debian and Ubuntu errata are derived from the Debian security announcements (DSA) and the Ubuntu security notices (USN).

You must add Debian and Ubuntu errata to the security repository. For Debian, you need the My_Debian_Release-security repository, for example, bookworm-security. For Ubuntu, you need the My_Ubuntu_Release-security repository, for example, noble-security.

Email notifications can help you keeping track of available errata for specific hosts. You can enable email notifications on the Email Preferences tab when editing a user. For more information, see Managing Users in Administering orcharhino.

Best practices for errata

  • Use errata to add patches for security issues to a frozen set of content without unnecessarily updating other unaffected packages.

  • Automate errata management by using a Hammer script or an Ansible playbook.

  • You can subsequently add synchronized errata which are applicable to at least one content host to your content views.

    • In the orcharhino management UI, navigate to Content > Content Types > Errata to find errata for a specific repository or name of an erratum.

    • Applicable errata indicate that a host contains packages that have errata available.

    • Installable errata indicate that a host has updated packages available in its content view ready to be installed.

    • If an erratum is applicable but not installable, select the erratum and click Apply. This lists all hosts that are affected by the erratum. Trying to install the erratum prompts you to create an incremental content view version and install the erratum afterwards.

    • An incremental update publishes a new minor version of the content view and promotes it to the necessary lifecycle environment. Use bulk actions to apply errata to multiple content hosts at once.

    • You cannot manually increment a content view without adding errata and any affected hosts.

  • View errata on the content hosts page and compare the errata of the current content view and lifecycle environment to the Library lifecycle environment, which contains the latest synchronized packages.

    You can only apply errata included in the content view version of the lifecycle of your host. You can view applicable errata as a recommendation to create an incremental content view to provide errata to hosts. For more information, see Adding Errata To An Incremental Content View.

  • Your orcharhino subscription contains access to errata for Ubuntu provided by ATIX AG.

Inspecting available errata

The following procedure describes how to view and filter the available errata and how to display metadata of the selected advisory. To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Content Types > Errata to view the list of available errata.

  2. Use the filtering tools at the top of the page to limit the number of displayed errata:

    • Select the repository to be inspected from the list. All Repositories is selected by default.

    • The Applicable checkbox is selected by default to view only applicable errata in the selected repository. Select the Installable checkbox to view only errata marked as installable.

    • To search the table of errata, type the query in the Search field in the form of:

      parameter operator value

      See Parameters Available for Errata Search for the list of parameters available for search. Find the list of applicable operators in Supported Operators for Granular Search in Administering orcharhino. Automatic suggestion works as you type. You can also combine queries with the use of and and or operators. For example, to display only security advisories related to the kernel package, type:

      type = security and package_name = kernel

      Press Enter to start the search.

  3. Click the Errata ID of the erratum you want to inspect:

    • The Details tab contains the description of the updated package as well as documentation of important fixes and enhancements provided by the update.

    • On the Content Hosts tab, you can apply the erratum to selected content hosts as described in Applying Errata to Multiple Hosts.

    • The Repositories tab lists repositories that already contain the erratum. You can filter repositories by the environment and content view, and search for them by the repository name.

You can also use the new Host page to view to inspect available errata and select errata to install.

  1. In the orcharhino management UI, navigate to Hosts > All Hosts and select the host you require.

  2. If there are errata associated with the host, an Installable Errata card on the new Host page displays an interactive pie chart showing a breakdown of the security advisories, bugfixes, and enhancements.

  3. On the new Host page, select the Content tab.

  4. On the Content page select the Errata tab.

  5. The page displays installable errata for the chosen host.

  6. Click the checkbox for any errata you wish to install.

  7. Select Apply via Remote Execution to use Remote Execution, or Apply via customized remote execution if you want to customize the remote execution.

  8. Click Submit.

CLI procedure
  • To view errata that are available for all organizations, enter the following command:

    $ hammer erratum list
  • To view details of a specific erratum, enter the following command:

    $ hammer erratum info --id erratum_ID
  • You can search errata by entering the query with the --search option. For example, to view applicable errata for the selected product that contains the specified bugs ordered so that the security errata are displayed on top, enter the following command:

    $ hammer erratum list \
    --product-id 7 \
    --search "bug = 1213000 or bug = 1207972" \
    --errata-restrict-applicable 1 \
    --order "type desc"

Parameters available for errata search

Parameter Description Example

bug

Search by the Bugzilla number.

bug = 1172165

cve

Search by the CVE number.

cve = CVE-2015-0235

id

Search by the errata ID. The auto-suggest system displays a list of available IDs as you type.

id = RHBA-2014:2004

issued

Search by the issue date. You can specify the exact date, like "Feb16,2015", or use keywords, for example "Yesterday", or "1 hour ago". The time range can be specified with the use of the "<" and ">" operators.

issued < "Jan 12,2015"

package

Search by the full package build name. The auto-suggest system displays a list of available packages as you type.

package = glib2-2.22.5-6.el6.i686

package_name

Search by the package name. The auto-suggest system displays a list of available packages as you type.

package_name = glib2

severity

Search by the severity of the issue fixed by the security update. Specify Critical, Important, or Moderate.

severity = Critical

title

Search by the advisory title.

title ~ openssl

type

Search by the advisory type. Specify security, bugfix, or enhancement.

type = bugfix

updated

Search by the date of the last update. You can use the same formats as with the issued parameter.

updated = "6 days ago"

Applying installable errata

Use the following procedure to view a list of installable errata and select errata to install.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > All Hosts and select the host you require.

  2. If there are errata associated with the host, they are displayed in an Installable Errata card on the new Host page.

  3. On the Content tab, Errata displays installable errata for the chosen host.

  4. Click the checkbox for any errata you wish to install.

  5. Using the vertical ellipsis icon next to the errata you want to add to the host, select Apply via Remote Execution to use Remote Execution. Select Apply via customized remote execution if you want to customize the remote execution.

  6. Click Submit.

Creating custom snippets to apply errata

Custom snippets allow you to execute custom code when applying errata on hosts. You can run code before and/or after applying errata.

Prerequisites
  • Depending on the used template, multiple custom snippet hooks exist which you can use to include custom snippets. Ensure that you check your template first to verify which custom snippets you can use.

    You can view used job templates under Administer > Remote Execution Features.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Templates > Job Templates.

  2. Click Create Template.

  3. In the Name field, enter a name for your custom snippet. The name has to start with the name of a template that supports including custom snippets:

    • Append ` custom pre` to the name of a template to run code before applying errata on hosts.

    • Append ` custom post` to the name of a template to run code after applying errata on hosts.

  4. On the Type tab, select Snippet.

  5. Click Submit to create your custom snippet.

CLI procedure
  1. Before you create a template with the CLI, create a plain text file that contains your custom snippet.

  2. Create the template using hammer:

    $ hammer template create \
    --file "~/My_Snippet" \
    --locations "My_Location" \
    --name "My_Template_Name_custom_pre" \
    --organizations "_My_Organization" \
    --type snippet

Subscribing to errata notifications

You can configure email notifications for orcharhino users. Users receive a summary of applicable and installable errata, notifications on content view promotion or after synchronizing a repository. For more information, see Configuring Email Notification Preferences in Administering orcharhino.

Limitations to repository dependency resolution

With orcharhino, using incremental updates to your content views solves some repository dependency problems. However, dependency resolution at a repository level still remains problematic on occasion.

When a repository update becomes available with a new dependency, orcharhino retrieves the newest version of the package to solve the dependency, even if there are older versions available in the existing repository package. This can create further dependency resolution problems when installing packages.

Example scenario

A repository on your client has the package example_repository-1.0 with the dependency example_repository-libs-1.0. The repository also has another package example_tools-1.0.

A security erratum becomes available with the package example_tools-1.1. The example_tools-1.1 package requires the example_repository-libs-1.1 package as a dependency.

After an incremental content view update, the example_tools-1.1, example_tools-1.0, and example_repository-libs-1.1 are now in the repository. The repository also has the packages example_repository-1.0 and example_repository-libs-1.0. Note that the incremental update to the content view did not add the package example_repository-1.1. Because you can install all these packages using dnf, no potential problem is detected. However, when the client installs the example_tools-1.1 package, a dependency resolution problem occurs because both example_repository-libs-1.0 and example_repository-libs-1.1 cannot be installed.

There is currently no workaround for this problem. The larger the time frame, and minor Y releases between the base set of packages and the errata being applied, the higher the chance of a problem with dependency resolution.

Creating a content view filter for errata

You can use content filters to limit errata. Such filters include:

  • ID – Select specific erratum to allow into your resulting repositories.

  • Date Range – Define a date range and include a set of errata released during that date range.

  • Type – Select the type of errata to include such as bug fixes, enhancements, and security updates.

Create a content filter to exclude errata after a certain date. This ensures your production systems in the application lifecycle are kept up to date to a certain point. Then you can modify the filter’s start date to introduce new errata into your testing environment to test the compatibility of new packages into your application lifecycle.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Prerequisites
  • A content view with the repositories that contain required errata is created. For more information, see Creating a Content View.

Procedure
  1. In the orcharhino management UI, navigate to Content > Lifecycle > Content Views.

  2. Select a content view that you want to use for applying errata.

  3. Select Yum Content > Filters and click New Filter.

  4. In the Name field, enter Errata Filter.

  5. From the Content Type list, select Erratum – Date and Type.

  6. From the Inclusion Type list, select Exclude.

  7. In the Description field, enter Exclude errata items from YYYY-MM-DD.

  8. Click Save.

  9. For Errata Type, select the checkboxes of errata types you want to exclude. For example, select the Enhancement and Bugfix checkboxes and clear the Security checkbox to exclude enhancement and bugfix errata after certain date, but include all the security errata.

  10. For Date Type, select one of two checkboxes:

    • Issued On for the issued date of the erratum.

    • Updated On for the date of the erratum’s last update.

  11. Select the Start Date to exclude all errata on or after the selected date.

  12. Leave the End Date field blank.

  13. Click Save.

  14. Click Publish New Version to publish the resulting repository.

  15. Enter Adding errata filter in the Description field.

  16. Click Save.

    When the content view completes publication, notice the Content column reports a reduced number of packages and errata from the initial repository. This means the filter successfully excluded the all non-security errata from the last year.

  17. Click the Versions tab.

  18. Click Promote to the right of the published version.

  19. Select the environments you want to promote the content view version to.

  20. In the Description field, enter the description for promoting.

  21. Click Promote Version to promote this content view version across the required environments.

CLI procedure
  1. Create a filter for the errata:

    $ hammer content-view filter create \
    --content-view "My_Content_View" \
    --description "Exclude errata items from the YYYY-MM-DD" \
    --name "My_Filter_Name" \
    --organization "My_Organization" \
    --type "erratum"
  2. Create a filter rule to exclude all errata on or after the Start Date that you want to set:

    $ hammer content-view filter rule create \
    --content-view "My_Content_View" \
    --content-view-filter="My_Content_View_Filter" \
    --organization "My_Organization" \
    --start-date "YYYY-MM-DD" \
    --types=security,enhancement,bugfix
  3. Publish the content view:

    $ hammer content-view publish \
    --name "My_Content_View" \
    --organization "My_Organization"
  4. Promote the content view to the lifecycle environment so that the included errata are available to that lifecycle environment:

    $ hammer content-view version promote \
    --content-view "My_Content_View" \
    --organization "My_Organization" \
    --to-lifecycle-environment "My_Lifecycle_Environment"

Adding errata to an incremental content view

If errata are available but not installable, you can create an incremental content view version to add the errata to your content hosts. For example, if the content view is version 1.0, it becomes content view version 1.1, and when you publish, it becomes content view version 2.0.

If your content view version is old, you might encounter incompatibilities when incrementally adding enhancement errata. This is because enhancements are typically designed for the most current software in a repository.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Content > Content Types > Errata.

  2. From the Errata list, click the name of the errata that you want to apply.

  3. Select the content hosts that you want to apply the errata to, and click Apply to Hosts. This creates the incremental update to the content view.

  4. If you want to apply the errata to the content host, select the Apply Errata to Content Hosts immediately after publishing checkbox.

  5. Click Confirm to apply the errata.

CLI procedure
  1. List the errata and its corresponding IDs:

    $ hammer erratum list
  2. List the different content-view versions and the corresponding IDs:

    $ hammer content-view version list
  3. Apply a single erratum to content-view version. You can add more IDs in a comma-separated list.

    $ hammer content-view version incremental-update \
    --content-view-version-id 319 --errata-ids 34068b

ATIX AG strongly recommends disabling and not using phased updates on hosts running Ubuntu. Phased updates effectively obstruct orcharhino from managing content on registered hosts. If enabled, orcharhino cannot ensure updates and errata are deployed as intended on all selected hosts running Ubuntu.

Disabling Phased Updates

Follow this procedure to disable phased updates on your managed hosts running Ubuntu.

Disabling Phased Updates during Provisioning
  • Ensure the following section is part of your provisioning template:

    <% if @host.operatingsystem.name == 'Ubuntu' -%>
    $ Disable phased updates on Ubuntu
    cat << EOF >/etc/apt/apt.conf.d/98phased-updates
    APT::Get::Always-Include-Phased-Updates "true";
    EOF
    <% end -%>

    This is already part of the or_deb_client snippet which is included in all Preseed templates provided by ATIX AG.

Disabling Phased Updates on Existing Hosts
  1. In the orcharhino management UI, navigate to Hosts > Job templates.

  2. Locate the Disable Phased Updates - SSH Default template and click Run.

  3. In the Search Query field, enter all hosts on which you want to disable phased updates.

  4. Click Submit to start the remote execution job.

Applying errata to hosts

Use these procedures to review and apply errata to hosts.

Prerequisites
  • Register the host to an environment and content view on orcharhino Server. For more information, see Registering Hosts in Managing Hosts.

  • Configure the host for remote execution. For more information about running remote execution jobs, see Configuring and Setting Up Remote Jobs in Managing Hosts.

The procedure to apply an erratum to a host depends on its operating system.

Applying errata to hosts running Ubuntu 24.04

Use this procedure to review and apply errata to a host running Ubuntu 24.04.

To use the CLI instead of the orcharhino management UI, see the CLI procedure.

Procedure
  1. In the orcharhino management UI, navigate to Hosts > Content Hosts and select the host you want to apply errata to.

  2. Navigate to the Errata tab to see the list of errata.

  3. Select the errata to apply and click Apply Selected. In the confirmation window, click Apply.

  4. After the task to update all packages associated with the selected errata completes, click the Details tab to view the updated packages.

CLI procedure
  1. List all errata for the host:

    $ hammer host errata list \
    --host client.example.com
  2. Apply the most recent erratum to the host. Identify the erratum to apply using the erratum ID:

    $ hammer job-invocation create \
    --feature katello_errata_install \
    --inputs errata=ERRATUM_ID1,ERRATUM_ID2 \
    --search-query "name = client.example.com"

Applying errata to multiple hosts

Use these procedures to review and apply errata to multiple RHEL hosts.

Prerequisites
  • Synchronize orcharhino repositories with the latest errata available from Red Hat. For more information, see Synchronizing Repositories.

  • Register the hosts to an environment and content view on orcharhino Server. For more information, see Registering Hosts in Managing Hosts.

  • Configure the host for remote execution. For more information about running remote execution jobs, see Configuring and Setting Up Remote Jobs in Managing Hosts.

Procedure
  1. In the orcharhino management UI, navigate to Content > Content Types > Errata.

  2. Click the name of an erratum you want to apply.

  3. Click to Content Hosts tab.

  4. Select the hosts you want to apply errata to and click Apply to Hosts.

  5. Click Confirm.

CLI procedure
  1. List all installable errata:

    $ hammer erratum list \
    --errata-restrict-installable true \
    --organization "Default Organization"
  2. Apply one of the errata to multiple hosts:

    Using Remote Execution

    $ hammer job-invocation create \
    --feature katello_errata_install \
    --inputs errata=ERRATUM_ID \
    --search-query "applicable_errata = ERRATUM_ID"

    The following Bash script applies an erratum to each host for which this erratum is available:

    for HOST in hammer --csv --csv-separator "|" host list --search "applicable_errata = ERRATUM_ID" --organization "Default Organization" | tail -n+2 | awk -F "|" '{ print $2 }' ;
    do
      echo "== Applying to $HOST ==" ; hammer host errata apply --host $HOST --errata-ids ERRATUM_ID1,ERRATUM_ID2 ;
    done

    This command identifies all hosts with erratum_IDs as an applicable erratum and then applies the erratum to each host.

  3. To see if an erratum is applied successfully, find the corresponding task in the output of the following command:

    $ hammer task list
  4. View the state of a selected task:

    $ hammer task progress --id task_ID

Applying errata to a host collection

Using Remote Execution
$ hammer job-invocation create \
--feature katello_errata_install \
--inputs errata=ERRATUM_ID1,ERRATUM_ID2,... \
--search-query "host_collection = HOST_COLLECTION_NAME"

The text and illustrations on this page are licensed by ATIX AG under a Creative Commons Attribution Share Alike 4.0 International ("CC BY-SA 4.0") license. This page also contains text from the official Foreman documentation which uses the same license ("CC BY-SA 4.0").