One of the challenges I faced in my lab was patching my servers, most of which run Red Hat.
I used to subscribe every server to my developer account and update each of them through RHSM.
Recently I came across the link below and decided to implement it in my home lab:
https://access.redhat.com/solutions/7019225
By publishing the repo over the network you gain a few things, including:
– Internet access can be limited to the repo server alone, which reduces the exposure of your internal servers (they no longer need a route to the outside).
– Internet downloads are reduced to the repo server only, as each package is downloaded once instead of once per client.
I should mention that, even though this centralizes updates for our RHEL-based servers,
it cannot be compared to the patch-management products on the market, such as Red Hat Satellite: it only gives us a way to centralize the patching of Red Hat systems.
For testing I have two servers, one acting as the repo server and one as a client.
Both run RHEL 8.6.
Repo server
Let's start by preparing our repo server:
Make sure the repo server has a valid IP address and that its date and time are correct (TLS connections to Red Hat and the subscription check fail with a skewed clock). The repo server must have Internet access, or at least be able to reach Red Hat's subscription service and content delivery network.
Once that is done, if you do not have a Red Hat developer account, create one at
https://developers.redhat.com/
If you already have one, use the same account and password to register the repo server with RHSM:
# subscription-manager register
You should see "The system has been registered with ID <ID number>".
List the available repos (throughout this article I will use yum, but you can replace it with dnf if you are more comfortable with it; on RHEL 8 yum is only a link to dnf anyway):
# yum repolist
Updating Subscription Management repositories.
repo id                           repo name
rhel-8-for-x86_64-appstream-rpms  Red Hat Enterprise Linux 8 for x86_64 - AppStream (RPMs)
rhel-8-for-x86_64-baseos-rpms     Red Hat Enterprise Linux 8 for x86_64 - BaseOS (RPMs)
As always, two repos are listed: AppStream and BaseOS.
The latest RHEL 8 release is 8.10 and I only want a repo for that release, so I pin the release to 8.10 and drop the cached metadata:
# subscription-manager release --set=8.10 && rm -rf /var/cache/dnf
This pins the content to the 8.10 release, so any RHEL 8.0-8.10 client that syncs from this mirror will be brought up to 8.10.
Make sure createrepo and yum-utils are installed on the system:
# yum install -y createrepo yum-utils
Install the latest updates on the system (if you were on a release lower than 8.10, this will upgrade the OS to 8.10):
# yum update -y
I am going to host my repo files in a custom location under /home/local/repo/rhel8/:
# mkdir -p /home/local/repo/rhel8
To download the RPMs from Red Hat we use reposync:
# reposync -n -p /home/local/repo/rhel8/ --download-metadata --repoid=<repo ID from above>
In my case:
# reposync -n -p /home/local/repo/rhel8/ --download-metadata --repoid=rhel-8-for-x86_64-appstream-rpms
# reposync -n -p /home/local/repo/rhel8/ --download-metadata --repoid=rhel-8-for-x86_64-baseos-rpms
reposync creates one directory per repo ID under the download path, and --download-metadata pulls the repodata as well, so no separate createrepo run is needed. The -n option (--newest-only) keeps only the newest version of each package; this saves a lot of space and you should use it unless you need every version of a package to be available in your repo. Re-running the same commands later refreshes the mirror.
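To make the sync repeatable and to check what actually gets published, here is a small script (an added example, not part of the original post or of the Red Hat solution it follows) that syncs the two repos into the path used above, verifies the signature of every mirrored RPM with rpm -K against the Red Hat release key, and only then refreshes the symlinks that Apache serves. The paths and repo IDs are the ones from this post; the rpm -K line format it parses is the rpm 4.14 format shipped with RHEL 8, and the publish step assumes the symlink layout under /var/www/html that is shown later in the post.

```shell
#!/bin/sh
# Added example: mirror, verify, then publish. Not from the original post.
# Assumptions: paths and repo IDs as used in this post, rpm 4.14 (RHEL 8)
# output format for `rpm -K`, and symlinks under /var/www/html as the publish method.
set -eu

REPO_ROOT=/home/local/repo/rhel8
REPO_IDS="rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms"
WEB_ROOT=/var/www/html
RH_KEY=/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

# Classify one line of `rpm -K` output (rpm 4.14 on RHEL 8, assumed):
#   pkg.rpm: digests signatures OK     -> signed with a known key: "ok"
#   pkg.rpm: digests OK                -> no signature at all:     "unsigned"
#   pkg.rpm: digests SIGNATURES NOT OK -> bad or unknown key:      "bad"
classify_sig_line() {
    case "$1" in
        *": digests signatures OK") echo ok ;;
        *": digests OK")            echo unsigned ;;
        *)                          echo bad ;;
    esac
}

# Read `rpm -K` lines on stdin, print "<ok> <unsigned> <bad>" and return 1
# unless at least one package was seen and every package verified (fail closed).
summarize_sig_report() {
    ok=0; unsigned=0; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$(classify_sig_line "$line")" in
            ok)       ok=$((ok + 1)) ;;
            unsigned) unsigned=$((unsigned + 1)) ;;
            bad)      bad=$((bad + 1)) ;;
        esac
    done
    echo "$ok $unsigned $bad"
    if [ "$ok" -gt 0 ] && [ "$unsigned" -eq 0 ] && [ "$bad" -eq 0 ]; then return 0; fi
    return 1
}

# Sync the newest version of every package plus repodata, one directory per repo ID.
sync_repos() {
    mkdir -p "$REPO_ROOT"
    for id in $REPO_IDS; do
        reposync -n -p "$REPO_ROOT" --download-metadata --repoid="$id"
    done
}

# rpm -K needs the Red Hat key in the rpm database of the repo server.
verify_repo_tree() {
    rpm --import "$RH_KEY"
    find "$REPO_ROOT" -name '*.rpm' -print0 | xargs -0 rpm -K | summarize_sig_report
}

# Expose the verified tree under the names the client repo files use.
publish_links() {
    ln -sfn "$REPO_ROOT/rhel-8-for-x86_64-baseos-rpms"    "$WEB_ROOT/baseos"
    ln -sfn "$REPO_ROOT/rhel-8-for-x86_64-appstream-rpms" "$WEB_ROOT/appstream"
}

main() {
    sync_repos
    if ! verify_repo_tree; then
        echo "unsigned or badly signed packages in $REPO_ROOT, not publishing" >&2
        exit 1
    fi
    publish_links
}

# Run the pipeline only when invoked as `sh publish-repo.sh sync`, so the
# functions can also be sourced and exercised without touching the network.
case "${1:-}" in sync) main ;; esac
```

Run it from cron as root with the sync argument. Because summarize_sig_report refuses an empty report as well as an unsigned or badly signed package, a broken sync (empty tree, wrong path) will not silently publish nothing.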
Once the reposync download has finished, I will show how to host the repo over HTTP and over HTTPS.
Obviously you will not need both of them; pick whichever of the two methods suits you.
Make sure Apache (the httpd package) is installed on the system and that it is enabled and running:
# yum install -y httpd
# systemctl enable httpd
# systemctl start httpd
If firewalld is running, allow the http service:
# firewall-cmd --state
running
# firewall-cmd --add-service=http --permanent
success
# firewall-cmd --reload
success
Since I am hosting the files in a location other than Apache's default document root (/var/www/html),
and reposync placed the downloaded RPMs under /home/local/repo/rhel8/<repoid>/, Apache has to be told where that content lives.
1- HTTP
As I am hosting my repo in a folder other than the default (/var/www/html), I have two options:
1-1 create a conf file such as /etc/httpd/conf.d/localrepo.conf that presents the two directories with Alias directives, or
1-2 create symbolic links under the document root for baseos and appstream, which is what I use here (the default httpd.conf already allows FollowSymLinks under /var/www/html):
# ln -s /home/local/repo/rhel8/rhel-8-for-x86_64-appstream-rpms /var/www/html/appstream
# ln -s /home/local/repo/rhel8/rhel-8-for-x86_64-baseos-rpms /var/www/html/baseos
Whichever option you pick, the permission and SELinux steps shown in the HTTPS section below (files readable by the apache user, labelled httpd_sys_content_t) apply to the HTTP setup as well; without them Apache answers 403 for the linked directories.
2- HTTPS
HTTPS is almost the same as HTTP, except that we have to generate a certificate, and the public certificate has to be copied to each client before it can sync from the repo server.
Make sure httpd and mod_ssl are installed on the repo server, and allow https in the firewall (if firewalld is running):
# yum install -y httpd mod_ssl
# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
Generate the key and the self-signed certificate. The common name must be the name (or IP) the clients will use in the baseurl of their repo file, and openssl's default validity is only 30 days, so pass -days with the lifetime you want:
# openssl genrsa -out /var/lib/dnf/server.key 2048
# openssl req -new -x509 -text -days 3650 -key /var/lib/dnf/server.key -out /var/lib/dnf/server.cert
# chmod 600 /var/lib/dnf/server.key
Because every client will trust this certificate directly, anyone who gets hold of server.key can impersonate the repo server to all of them, so keep the key root-only.
If SELinux is enabled, relabel the key and certificate so the httpd process is allowed to read them:
# semanage fcontext -a -s system_u -t cert_t /var/lib/dnf/server.cert
# semanage fcontext -a -s system_u -t cert_t /var/lib/dnf/server.key
# restorecon -vF /var/lib/dnf/server.key /var/lib/dnf/server.cert
Now point the default ssl.conf at them (replace the existing SSLCertificateFile and SSLCertificateKeyFile lines, which point at the localhost certificate created when mod_ssl was installed):
# vi /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /var/lib/dnf/server.cert
SSLCertificateKeyFile /var/lib/dnf/server.key
If you are hosting the repo in a custom location, use one of the following to tell Apache where it is:
2-1 an Alias in ssl.conf (or in its own file under /etc/httpd/conf.d/), or
2-2 symbolic links under the document root:
# ln -s /home/local/repo/rhel8/rhel-8-for-x86_64-appstream-rpms /var/www/html/appstream
# ln -s /home/local/repo/rhel8/rhel-8-for-x86_64-baseos-rpms /var/www/html/baseos
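The Alias variant (options 1-1 and 2-1 above) is not shown in the post, so here is an added example, not part of the original, that writes /etc/httpd/conf.d/localrepo.conf for the two repo directories and validates it before reloading Apache. The short URL path (baseos, appstream) is derived from the repo ID, which assumes the rhel-<major>-for-<arch>-<name>-rpms naming pattern; the repo root and output path are the ones used in this post and the 172.20.3.0/24 subnet in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Apache Alias
# configuration for a reposync tree instead of symlinking it into /var/www/html.
# Assumes repo IDs follow the rhel-<major>-for-<arch>-<name>-rpms pattern.
set -eu

# Map a repo ID to the short path name used in the client baseurl:
#   rhel-8-for-x86_64-baseos-rpms -> baseos
alias_name() {
    printf '%s\n' "$1" | sed -e 's/^rhel-[0-9][0-9]*-for-[^-]*-//' -e 's/-rpms$//'
}

# Print the httpd configuration for every repo ID ($2..) under the repo root ($1):
# one Alias per repo plus a single Directory block granting read-only access.
gen_localrepo_conf() {
    root=$1; shift
    printf '# Local repository config (generated by the added example script)\n'
    for id in "$@"; do
        printf 'Alias /%s "%s/%s"\n' "$(alias_name "$id")" "$root" "$id"
    done
    printf '<Directory "%s">\n' "$root"
    printf '    Options Indexes\n'        # directory listing, handy for checking the mirror
    printf '    AllowOverride None\n'     # no .htaccess processing under the repo tree
    printf '    Require all granted\n'    # httpd 2.4 access control
    printf '    # To restrict to the client subnet instead: Require ip 172.20.3.0/24\n'
    printf '</Directory>\n'
}

# Write the config (default /etc/httpd/conf.d/localrepo.conf), then check the
# whole httpd configuration before reloading so a typo cannot take the server down.
install_localrepo_conf() {
    out=${1:-/etc/httpd/conf.d/localrepo.conf}
    gen_localrepo_conf /home/local/repo/rhel8 \
        rhel-8-for-x86_64-baseos-rpms rhel-8-for-x86_64-appstream-rpms > "$out"
    httpd -t && systemctl reload httpd
}

# Run as `sh localrepo-conf.sh install [output-path]`.
case "${1:-}" in install) install_localrepo_conf "${2:-}" ;; esac
```

Unlike the symlink approach, nothing under /var/www/html is touched, and the Directory block is the single place to tighten access if only a known client subnet should reach the mirror.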
Since the repo lives on a custom path, the apache user must be able to read it. Apache only needs read access, so there is no need to hand it ownership of the tree: leaving the files owned by root keeps the web server process from being able to modify the packages it serves. Directories need 755 and files 644, which the following sets in one go:
# chmod -R u=rwX,go=rX /home/local/repo
And since SELinux is enabled on my system, I set the correct label on the path:
# semanage fcontext -a -t httpd_sys_content_t "/home/local/repo(/.*)?"
# restorecon -Rv /home/local/repo
One last thing is to remove or rename Apache's default welcome page:
# rm -f /etc/httpd/conf.d/welcome.conf
Check the configuration, then restart Apache and make sure it comes up:
# httpd -t
# systemctl restart httpd
httpd -t should report "Syntax OK", which confirms your Apache configuration file does not have an
Client
On the client side there is not much to do.
No firewall rule is needed on the client for this: firewalld filters incoming connections, and the client only opens outgoing HTTP/HTTPS connections to the repo server. (If you enforce an outbound policy, allow TCP 80 or 443 to the repo server as required.)
Make sure the client can resolve the repo server's name; otherwise add the IP and name to /etc/hosts.
If the repo server is configured with HTTPS, copy server.cert from the repo server into the client's trust store and update it:
# cp server.cert /etc/pki/ca-trust/source/anchors/
# update-ca-trust
We can either modify an existing repo file or create a new one under /etc/yum.repos.d/.
For HTTP, the repo file looks like the following. Keep gpgcheck=1 even over plain HTTP: the packages are signed by Red Hat and the release key is already on the client, so an RPM swapped on the wire or on the mirror is still rejected. With gpgcheck=0 the mirror (and anyone between it and the client) becomes a single point of compromise for every system that updates from it.
[rhel8-appstream]
name=Local http repository
baseurl=http://172.20.3.50/appstream/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel8-baseos]
name=Local http repository
baseurl=http://172.20.3.50/baseos/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
For HTTPS, the repo file looks like the following (the hostname in baseurl must match the common name of the certificate generated on the repo server, otherwise sslverify fails):
name=Local https repository
baseurl=https://rhel8repo.kiyanlab.local/appstream/
enabled=1
sslverify=true
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
[rhel8-baseos]
name=Local https repository
baseurl=https://rhel8repo.kiyanlab.local/baseos/
enabled=1
sslverify=true
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Make sure you rename the other repo files (to .repo.bak, for example) or remove them if you no longer need them. If the client is still registered with RHSM, the subscription-manager plugin regenerates redhat.repo on every yum run; either unregister the client or disable the plugin by setting enabled=0 in /etc/yum/pluginconf.d/subscription-manager.conf.
Run the following on the client to clean the cache, rebuild it and update the OS:
# yum clean all
# yum makecache
# yum update
If the client's release is lower than the release pinned on the repo server earlier, it will be upgraded to that release (8.10 here).
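To catch a client that was left with the weak settings (gpgcheck=0, sslverify=0, or a plain-http baseurl), here is an added example, not part of the original post, that lints every .repo file in a directory. It defaults to /etc/yum.repos.d/; the sample files used to exercise it are constructed for the test, and a section without any gpgcheck line is reported because its effective value then comes from /etc/dnf/dnf.conf rather than the repo file.

```shell
#!/bin/sh
# Added example (not from the original post): audit yum/dnf repo files for
# settings that would let a tampered mirror go unnoticed by the client.
set -eu

# Print one finding per weak setting in the repo file given as $1 (nothing if clean).
# Sections are parsed INI-style; values are compared case-insensitively.
audit_repo_file() {
    awk '
    function flush() {
        if (sec == "") return
        if (!(sec in gpg))
            printf "%s: gpgcheck not set, value inherited from dnf.conf\n", sec
        else if (gpg[sec] == "0" || gpg[sec] == "false" || gpg[sec] == "no")
            printf "%s: gpgcheck=0, package signatures are not verified\n", sec
        if ((sec in ssl) && (ssl[sec] == "0" || ssl[sec] == "false" || ssl[sec] == "no"))
            printf "%s: sslverify off, repo server certificate is not checked\n", sec
        if ((sec in url) && url[sec] ~ /^http:\/\//)
            printf "%s: plain-http baseurl, integrity rests on gpgcheck alone\n", sec
    }
    /^[ \t]*[[]/ { flush(); sec = $0; sub(/^[ \t]*[[]/, "", sec); sub(/].*$/, "", sec); next }
    /^[ \t]*[#;]/ { next }
    /^[ \t]*$/ { next }
    /=/ {
        key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
        val = tolower(val)
        if (key == "gpgcheck") gpg[sec] = val
        else if (key == "sslverify") ssl[sec] = val
        else if (key == "baseurl") url[sec] = val
    }
    END { flush() }
    ' "$1"
}

# Audit every .repo file in a directory ($1), prefix findings with the file
# name, and finish with a TOTAL line so the result can be checked by a script.
audit_repo_dir() {
    total=0
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        findings=$(audit_repo_file "$f")
        [ -n "$findings" ] || continue
        printf '%s\n' "$findings" | sed "s|^|$f: |"
        total=$((total + $(printf '%s\n' "$findings" | wc -l | tr -d ' ')))
    done
    echo "TOTAL $total"
}

# Run as `sh audit-repos.sh audit [directory]`.
case "${1:-}" in audit) audit_repo_dir "${2:-/etc/yum.repos.d}" ;; esac
```

A plain-http baseurl is only reported as a note: with gpgcheck=1 and the Red Hat key it is acceptable, but if it shows up together with gpgcheck=0 the client will install whatever the network hands it.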
One last thing: we can host several minor releases on the same repo server (for example 8.8, 8.9 and 8.10, each synced into its own path), but not a different major release (for example 9.5); a separate repo has to be created for that release.
References:
https://access.redhat.com/solutions/5868401
https://access.redhat.com/solutions/2785791
https://access.redhat.com/solutions/4888921
https://access.redhat.com/solutions/3418871
https://access.redhat.com/solutions/7050710
https://access.redhat.com/solutions/7019225
https://access.redhat.com/solutions/238533