This article is a little different from the previous ones, in that it takes a look at some of the useful utilities 'yum' provides to support patching work.
As you'll see, 'yum' has great support for reviewing the work that has previously been done, as well as for rolling that work back.
Also - don't ever forget the power of the Linux 'man' pages - they hold a wealth of useful information on the utilities that sit at your fingertips.
Before we start, the Red Hat article here is very good and well worth a look :
It's worth reading the above document since it has some interesting parts to it, in particular it describes what the flags mean on some of the commands that follow.
So, let's get started.
The yum-security plug-in
'yum-security' provides some very useful tools for examining the patches that are available for a system.
As a reminder - if you are finding that some of these commands do not list any information then it's possible that the 'updateinfo' information (discussed in earlier articles) isn't available or is damaged.
'yum updateinfo list' gives a list of ALL patches available, including bugfixes :
[root@server-to-be-patched yum.repos.d]# yum updateinfo list
Loaded plugins: security, ulninfo, versionlock
OVMBA-2018-0055 bugfix ConsoleKit-0.4.1-6.el6.x86_64
OVMBA-2018-0055 bugfix ConsoleKit-libs-0.4.1-6.el6.x86_64
OVMBA-2018-0191 bugfix SDL-1.2.14-7.el6_7.1.x86_64
OVMBA-2018-0045 bugfix acl-2.2.49-7.el6_9.1.x86_64
OVMBA-2018-0046 bugfix alsa-lib-1.1.0-4.el6.x86_64
OVMBA-2018-0047 bugfix at-3.1.10-49.el6.x86_64
OVMBA-2018-0048 bugfix audit-2.4.5-6.el6.x86_64
.... (some bugfixes skipped to show different entry types)
OVMBA-2018-0087 bugfix iproute-2.6.32-54.0.1.el6.x86_64
OVMEA-2017-0003 enhancement iptables-1.4.7-16.0.5.el6.x86_64
OVMEA-2017-0003 enhancement iptables-ipv6-1.4.7-16.0.5.el6.x86_64
OVMBA-2018-0088 bugfix iputils-20071127-24.el6.x86_64
OVMBA-2016-0024 bugfix irqbalance-2:1.0.9-2.el6.x86_64
OVMBA-2017-0131 bugfix irqbalance-2:1.0.9-2.0.1.el6.x86_64
OVMBA-2018-0091 bugfix kernel-headers-2.6.32-696.18.7.el6.x86_64
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMBA-2016-0044 bugfix kernel-uek-4.1.12-37.2.1.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec. kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
OVMSA-2016-0083 Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64
You can list out just security related patches as well :
[root@server-to-be-patched yum.repos.d]# yum updateinfo list security
Loaded plugins: security, ulninfo, versionlock
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec. kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
OVMSA-2016-0083 Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64
OVMSA-2016-0091 Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
OVMSA-2016-0094 Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64
OVMSA-2016-0097 Important/Sec. kernel-uek-4.1.12-37.6.3.el6uek.x86_64
OVMSA-2016-0100 Important/Sec. kernel-uek-4.1.12-61.1.6.el6uek.x86_64
OVMSA-2016-0134 Important/Sec. kernel-uek-4.1.12-61.1.10.el6uek.x86_64
You can also list the CVEs that the available security patches address :
[root@jts-vm-res-apps-adm-01 yum.repos.d]# yum updateinfo list cves
Loaded plugins: security, ulninfo, versionlock
CVE-2016-3157 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
CVE-2016-0617 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
CVE-2015-8767 Moderate/Sec. kernel-uek-4.1.12-37.2.2.el6uek.x86_64
CVE-2016-0758 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
CVE-2013-4312 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
CVE-2016-4565 Important/Sec. kernel-uek-4.1.12-37.5.1.el6uek.x86_64
CVE-2016-6197 Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
CVE-2016-2117 Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
CVE-2016-6198 Important/Sec. kernel-uek-4.1.12-37.6.1.el6uek.x86_64
CVE-2015-8660 Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64
CVE-2016-4470 Important/Sec. kernel-uek-4.1.12-37.6.2.el6uek.x86_64
To get a summary of what's available, broken down by severity, you can use a command line like this :
[root@server-to-be-patched yum.repos.d]# yum updateinfo list all --security | grep -v 'i ' | grep -v 'list' | grep -v 'plugins:' | awk '{print $2}' | sort | uniq -c | sort -n
5 Low/Sec.
6 Critical/Sec.
100 Moderate/Sec.
887 Important/Sec.
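The grep chain above works, but it is easy to get wrong (one more plugin name in the 'Loaded plugins:' line and a count slips in). As an added example that is not part of the original article, here is the same summary done in a single awk pass over saved 'yum updateinfo list' output, with a second function that counts only the security advisories. The sample output is constructed in the format shown above; the advisory ids and counts in it are made up, and the function names are my own.

```shell
# Added example (not from the original article): summarise 'yum updateinfo list'
# output by advisory type/severity.  It reads saved output on stdin, so it can
# be run (and tested) on a machine without yum.

# Constructed sample in the three-column format yum prints:
# <advisory id> <type or severity> <package>.  Ids and counts are made up.
SAMPLE_UPDATEINFO='Loaded plugins: security, ulninfo, versionlock
OVMBA-2018-0055 bugfix ConsoleKit-0.4.1-6.el6.x86_64
OVMEA-2017-0003 enhancement iptables-1.4.7-16.0.5.el6.x86_64
OVMSA-2016-0041 Important/Sec. kernel-uek-4.1.12-32.2.3.el6uek.x86_64
OVMSA-2016-0047 Moderate/Sec. kernel-uek-4.1.12-37.2.2.el6uek.x86_64
OVMSA-2016-0052 Important/Sec. kernel-uek-4.1.12-37.4.1.el6uek.x86_64
OVMSA-2016-0100 Critical/Sec. kernel-uek-4.1.12-61.1.6.el6uek.x86_64
updateinfo list done'

# severity_counts: print "<count> <type>" for every type seen, lowest count
# first (the same shape as the article's pipeline).  Only lines whose first
# field looks like an advisory id (XXXX-YYYY-NNNN) are counted, which drops
# the 'Loaded plugins:' and 'updateinfo list done' lines without a grep -v each.
severity_counts() {
    awk '$1 ~ /^[A-Z]+-[0-9]+-[0-9]+$/ { n[$2]++ }
         END { for (t in n) print n[t], t }' | sort -k1,1n -k2,2
}

# security_count: number of advisories whose type ends in "/Sec.", optionally
# limited to one severity word, e.g.  security_count Important
security_count() {
    sev="${1:-}"
    awk -v sev="$sev" '
        $1 ~ /^[A-Z]+-[0-9]+-[0-9]+$/ && $2 ~ /\/Sec\.$/ {
            if (sev == "" || index($2, sev "/") == 1) c++
        }
        END { print c + 0 }'
}

# On a live system:  yum updateinfo list all | severity_counts
printf '%s\n' "$SAMPLE_UPDATEINFO" | severity_counts
printf '%s\n' "$SAMPLE_UPDATEINFO" | security_count Important
```

Keying on the advisory-id pattern rather than on words to exclude is what makes the summary stable across yum versions and plugin sets; the type column is counted verbatim, so 'bugfix' and 'enhancement' rows show up alongside the severities when the input is 'list all'.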
'yum check-update --security' is also very useful, as it shows just the security patches that can be applied :
[root@server-to-be-patched yum.repos.d]# yum check-update --security
Loaded plugins: security, ulninfo, versionlock
Limiting package lists to security relevant ones
2 package(s) needed for security, out of 337 available
kernel-uek.x86_64 3.8.13-118.30.1.el6uek patching_ol6_UEKR3_latest
kernel-uek-firmware.noarch 3.8.13-118.30.1.el6uek patching_ol6_UEKR3_latest
All the above commands use the 'list' sub-command - but it's also possible to replace 'list' with 'info' for far more detailed information :
[root@server-to-be-patched yum.repos.d]# yum updateinfo info security
Loaded plugins: security, ulninfo, versionlock
===============================================================================
kernel-uek security update
===============================================================================
Update ID : OVMSA-2016-0041
Release : Oracle Linux m
Type : security
Status : final
Issued : 2016-03-29
CVEs : CVE-2016-3157
: CVE-2016-0617
Description : [4.1.12-32.2.3]
: - rebuild bumping release
:
: [4.1.12-32.2.2]
: - x86/iopl/64: properly context-switch IOPL on Xen
: PV (Andy Lutomirski) [Orabug: 22997978]
: {CVE-2016-3157}
: - fs/hugetlbfs/inode.c: fix bugs in
: hugetlb_vmtruncate_list() (Mike Kravetz)
: [Orabug: 22667863]
:
: [4.1.12-32.2.1]
: - rebuild bumping release
Severity : Important
===============================================================================
kernel-uek security update
===============================================================================
Update ID : OVMSA-2016-0047
Release : Oracle Linux m
Type : security
Status : final
Issued : 2016-05-06
CVEs : CVE-2015-8767
Description : [4.1.12-37.2.2]
: - sctp: Prevent soft lockup when sctp_accept() is
: called during a timeout event (Karl Heiss)
: [Orabug: 23222731] {CVE-2015-8767}
Severity : Moderate
The above is just a sample of the information you can retrieve with this command.
Next, a really useful piece of functionality - 'yum provides'.
yum provides
This command lists out which packages, across the whole system (enabled repositories as well as what's installed), provide a particular file - really cool stuff!
Here's an example :
[root@server-to-be-patched network-scripts]# yum provides */ntp.conf
Loaded plugins: security, ulninfo, versionlock
ntp-4.2.6p5-5.el6_7.4.x86_64 : The NTP daemon and utilities
Repo : local_ol6_latest
Matched from:
Filename : /etc/ntp.conf
ntp-4.2.6p5-15.0.1.el6_10.x86_64 : The NTP daemon and utilities
Repo : installed
Matched from:
Filename : /etc/ntp.conf
Finally, let's take a look at 'yum history'.
yum history
'yum history' is a very useful and versatile yum command that allows you to examine the transaction history of yum.
What makes this so powerful is that it brings alive the concept of yum 'transactions' - compartmentalized pieces of work that yum has performed.
A yum 'transaction' can comprise just a single piece of work - e.g. 'yum install ' - or multiple packages.
This is where the power of yum history and transactions really shines, since it's entirely possible to :
- Install yum security patches that contain many actions (installs, updates, removes) as one transaction. This is in fact how a security patch is applied - many actions rolled up into a single transaction.
- Roll back a security patch by simply rolling back the transaction. If a transaction contains many sub-parts, yum will take care of it all - ensuring that the system is rolled back to the state it was in before the patching.
Let's take a look at some of the commands :
This first example just lists the last 20 transactions (which is the default number for the 'yum history list' command). To get a full list, use 'yum history list all'.
[root@server-to-be-patched yum.repos.d]# yum history list
Loaded plugins: security, ulninfo, versionlock
ID | Login user | Date and time | Action(s) | Altered
-------------------------------------------------------------------------------
92 | root <root> | 2019-02-04 21:04 | Update | 1
91 | root <root> | 2019-02-04 21:04 | Update | 1
90 | root <root> | 2019-02-04 21:04 | Update | 1
89 | root <root> | 2019-02-04 21:04 | Update | 1
88 | root <root> | 2019-02-04 21:03 | Update | 3
87 | root <root> | 2019-02-04 21:03 | Update | 1
86 | root <root> | 2019-02-04 21:03 | Update | 1
85 | root <root> | 2019-02-04 21:03 | I, U | 4
84 | root <root> | 2019-02-04 21:03 | Install | 1
83 | root <root> | 2019-02-04 21:03 | Update | 1
82 | root <root> | 2019-02-04 21:03 | Update | 1
81 | root <root> | 2019-02-04 21:03 | Update | 2
80 | root <root> | 2019-02-04 21:03 | Update | 2
79 | root <root> | 2019-02-04 21:03 | Update | 2
78 | root <root> | 2019-02-04 20:39 | Update | 46 EE
77 | <rubiconred> | 2019-02-03 22:20 | Downgrade | 9 EE
76 | root <root> | 2019-02-03 22:10 | Downgrade | 37 EE
75 | <rubiconred> | 2019-02-03 22:07 | Install | 1
74 | root <root> | 2019-02-03 21:35 | Downgrade | 2
73 | root <root> | 2019-02-03 21:35 | Downgrade | 2
In case you're wondering what some of the letters at the end of some lines mean - in the 'Action(s)' and 'Altered' columns (e.g. 'EE' on lines 19 - 21) - you can find the definitions in the above mentioned Red Hat document, but for convenience here they are :
Possible values of the Action(s) field (the single letters are used when a transaction contains more than one kind of action, e.g. 'I, U' on transaction 85 above) :
- D (Downgrade) - at least one package was downgraded to an older version
- E (Erase) - at least one package was removed
- I (Install) - at least one new package was installed
- O (Obsoleting) - at least one package was marked as obsolete
- R (Reinstall) - at least one package was reinstalled
- U (Update) - at least one package was updated to a newer version
Possible values of the Altered field (the number is the count of packages changed; any letter or symbol after it is a status flag) :
- < - before the transaction finished, the rpmdb was changed outside of yum
- > - after the transaction finished, the rpmdb was changed outside of yum
- * - the transaction failed to finish
- # - the transaction finished successfully, but yum returned a non-zero exit code
- E - the transaction finished successfully, but an error or a warning was displayed
- P - the transaction finished successfully, but problems already existed in the rpmdb
- s - the transaction finished successfully, but --skip-broken was in effect and some packages were skipped
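Two things an operator wants from that table before and after a patch run are the most recent transaction ID (so that everything above it afterwards is known to belong to the run) and the list of transactions carrying a status flag, which deserve a 'yum history info' before the system is trusted. As an added example that is not part of the original article, the functions below pull both out of saved 'yum history list' output. The sample table is constructed in the article's format; its ids, users and flags are made up, and the function names are my own.

```shell
# Added example (not from the original article): extract review-worthy facts
# from 'yum history list' output.  Runs on saved output, so no yum is needed.

# Constructed sample in the layout yum prints (ids, users and flags made up).
SAMPLE_HISTORY='Loaded plugins: security, ulninfo, versionlock
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    92 | root <root>              | 2019-02-04 21:04 | Update         |    1
    88 | root <root>              | 2019-02-04 21:03 | Update         |    3
    85 | root <root>              | 2019-02-04 21:03 | I, U           |    4
    78 | root <root>              | 2019-02-04 20:39 | Update         |   46 EE
    77 |  <rubiconred>            | 2019-02-03 22:20 | Downgrade      |    9 EE
    76 | root <root>              | 2019-02-03 22:10 | Downgrade      |   37 *
    75 |  <rubiconred>            | 2019-02-03 22:07 | Install        |    1
history list'

# history_rows: keep only the table body, i.e. lines whose first "|" column
# is a transaction id.  The header, rule and plugin banner are dropped.
history_rows() {
    awk -F'|' '$1 ~ /^ *[0-9]+ *$/'
}

# latest_txid: the highest transaction id in the table.  Note it down before
# patching; afterwards every id above it belongs to that patch run and is a
# candidate for 'yum history undo <id>'.
latest_txid() {
    history_rows | awk -F'|' '{ gsub(/ /, "", $1); print $1 }' | sort -n | tail -n 1
}

# flagged_txids: ids whose Altered column has a status flag after the package
# count (E, *, #, P, s, < or >), newest first, i.e. the transactions to
# inspect with 'yum history info <id>' before trusting the system state.
flagged_txids() {
    history_rows | awk -F'|' '{
        gsub(/^ +| +$/, "", $1); gsub(/^ +| +$/, "", $5)
        if ($5 ~ /^[0-9]+ +[^ ]+$/) print $1
    }'
}

# On a live system:  yum history list all | flagged_txids
printf '%s\n' "$SAMPLE_HISTORY" | latest_txid
printf '%s\n' "$SAMPLE_HISTORY" | flagged_txids
```

Splitting on the '|' separator instead of on whitespace is deliberate: the 'Login user' column can contain spaces and empty names (the '<rubiconred>' rows above), which breaks field-number parsing but not column parsing.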
Let's now say we need to see what was changed in transaction 88 - we use the 'info' sub-command to display some quite detailed information :
[root@server-to-be-patched yum.repos.d]# yum history info 88
Loaded plugins: security, ulninfo, versionlock
Transaction ID : 88
Begin time : Mon Feb 4 21:03:24 2019
Begin rpmdb : 733:e8a8c4828dd18459725ab1c57dd05cd7141aaced
End time : 21:04:45 2019 (81 seconds)
End rpmdb : 733:81364220837ead7b7fc9cd3515a21a0f6a1005c9
User : root <root>
Return-Code : Success
Command Line : update -y microcode_ctl
Transaction performed with:
Installed rpm-4.8.0-47.el6.x86_64 @anaconda-OracleLinuxServer-201507280245.x86_64/6.7
Installed yum-3.2.29-69.0.1.el6.noarch @anaconda-OracleLinuxServer-201507280245.x86_64/6.7
Packages Altered:
Updated dracut-004-388.0.1.el6.noarch @patching_ol6_base
Update 004-411.0.1.el6.noarch @patching_ol6_latest
Updated dracut-kernel-004-388.0.1.el6.noarch @patching_ol6_base
Update 004-411.0.1.el6.noarch @patching_ol6_latest
Updated microcode_ctl-1:1.17-20.el6.x86_64 @patching_ol6_base
Update 1:1.17-33.1.0.6.el6.x86_64 @patching_ol6_latest
And finally we can use the yum transaction history to roll back the security changes with the 'undo' sub-command :
[root@server-to-be-patched yum.repos.d]# yum history undo 88
Loaded plugins: security, ulninfo, versionlock
Undoing transaction 88, from Mon Feb 4 21:03:24 2019
Updated dracut-004-388.0.1.el6.noarch @patching_ol6_base
Update 004-411.0.1.el6.noarch @patching_ol6_latest
Updated dracut-kernel-004-388.0.1.el6.noarch @patching_ol6_base
Update 004-411.0.1.el6.noarch @patching_ol6_latest
Updated microcode_ctl-1:1.17-20.el6.x86_64 @patching_ol6_base
Update 1:1.17-33.1.0.6.el6.x86_64 @patching_ol6_latest
Resolving Dependencies
--> Running transaction check
---> Package dracut.noarch 0:004-388.0.1.el6 will be a downgrade
---> Package dracut.noarch 0:004-411.0.1.el6 will be erased
---> Package dracut-kernel.noarch 0:004-388.0.1.el6 will be a downgrade
---> Package dracut-kernel.noarch 0:004-411.0.1.el6 will be erased
---> Package microcode_ctl.x86_64 1:1.17-20.el6 will be a downgrade
---> Package microcode_ctl.x86_64 1:1.17-33.1.0.6.el6 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================================================================================================================
Package Arch Version Repository Size
==============================================================================================================================================================================
Downgrading:
dracut noarch 004-388.0.1.el6 local_ol6_latest 125 k
dracut-kernel noarch 004-388.0.1.el6 local_ol6_latest 26 k
microcode_ctl x86_64 1:1.17-20.el6 local_ol6_latest 736 k
Transaction Summary
==============================================================================================================================================================================
Downgrade 3 Package(s)
Total download size: 888 k
Is this ok [y/N]: N
Exiting on user Command
Your transaction was saved, rerun it with:
yum load-transaction /tmp/yum_save_tx-2019-02-07-22-45DiLvpd.yumtx
This is a very powerful piece of functionality - note that in the example above the prompt was answered 'N', so nothing was actually changed; yum saved the proposed rollback transaction to a file that can be re-run later with 'yum load-transaction'. We'll see more of it later during the discussion on rolling back patches.
The next article in this series looks at RPM - The Red Hat Package Manager. It's worth a quick look since, like the tooling provided by 'yum', it empowers you to fix any issues that may occur during the patching process.