Linux is not a windows operating system to install the security patches and other bug fix patches for every week. At the same time , it’s not like an Unix operating system where you no need to patch it for years. You should plan to patch the Redhat Linux yearly twice to eliminate the security holes and bug fixes. Redhat recommends to connect the systems to their repository to update the system without much pain. But customers don’t want to keep the systems in direct internet facing for any reason. Some of the customers will use internet proxy service to get the systems connected with Redhat repository and some of them are rich to afford Redhat satellite server facility. What about the companies who are concerned about security and cost ? Redhat provides the options of those people to update the system using offline method.
This article is going to demonstrate the offline patching method for RHEL 7. Redhat will automatically upgrade to the minor version.
Operating System: RHEL 7.0
Full OS update:(Package update , kernel update and security update)
Note: In this method, whole operating system will be upgraded to the latest minor versions. In this case, system will upgrade to RHEL 7.2.
1. You must have valid redhat subscription to download the latest DVD from Redhat.
2.Download the latest Redhat Enterprise Linux Server 7.x (RHEL 7.x Binary DVD) ISO from Redhat portal.
3.Copy the RHEL 7.x Binary ISO to the system which you want to update(patch) it.
4. Mount the ISO .
[root@UA-HA ~]# mkdir /repo [root@UA-HA ~]# mount -o loop rhel-server-7.2-x86_64-dvd.iso /repo [root@UA-HA ~]# ls -lrt /repo total 872 -r--r--r--. 1 root root 18092 Mar 6 2012 GPL -r--r--r--. 1 root root 8266 Apr 4 2014 EULA -r--r--r--. 1 root root 3211 Oct 23 09:25 RPM-GPG-KEY-redhat-release -r--r--r--. 1 root root 3375 Oct 23 09:25 RPM-GPG-KEY-redhat-beta -r--r--r--. 1 root root 114 Oct 30 10:54 media.repo -r--r--r--. 1 root root 1568 Oct 30 11:03 TRANS.TBL dr-xr-xr-x. 2 root root 4096 Oct 30 11:03 repodata dr-xr-xr-x. 24 root root 6144 Oct 30 11:03 release-notes dr-xr-xr-x. 2 root root 835584 Oct 30 11:03 Packages dr-xr-xr-x. 2 root root 2048 Oct 30 11:03 LiveOS dr-xr-xr-x. 2 root root 2048 Oct 30 11:03 isolinux dr-xr-xr-x. 3 root root 2048 Oct 30 11:03 images dr-xr-xr-x. 3 root root 2048 Oct 30 11:03 EFI dr-xr-xr-x. 4 root root 2048 Oct 30 11:03 addons [root@UA-HA ~]#
5. Check the current version of Redhat and kernel version.
[root@UA-HA ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.0 (Maipo) [root@UA-HA ~]# uname -mrs Linux 3.10.0-123.el7.x86_64 x86_64 [root@UA-HA ~]#
6.Remove the existing yum repository. (Re-configure it later if you need those)
7.Create the new repo file in “/etc/yum.repos.d/”
[root@UA-HA yum.repos.d]# cat /etc/yum.repos.d/ua.repo [repo] gpgcheck=0 enabled=1 baseurl=file:///repo name=repo-update [root@UA-HA yum.repos.d]#
8.List the newly created repo.
[root@UA-HA yum.repos.d]# yum repolist Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. repo id repo name status repo repo-update 4,305 repolist: 4,305 [root@UA-HA yum.repos.d]# cd [root@UA-HA ~]#
9. Clean the cache,dbcache, expire-cache, headers and metadata. Perform the repo metadata clean up.
[root@UA-HA ~]# yum clean all Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Cleaning repos: repo-update Cleaning up everything [root@UA-HA ~]#
10. Update the system using “yum update” command.
[root@UA-HA ~]# yum update -y Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Resolving Dependencies --> Running transaction check ---> Package ModemManager-glib.x86_64 0:1.1.0-6.git20130913.el7 will be updated ---> Package ModemManager-glib.x86_64 0:1.1.0-8.git20130913.el7 will be an update ---> Package NetworkManager.x86_64 1:0.9.9.1-13.git20140326.4dba720.el7 will be obsoleted ---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be obsoleting --> Processing Dependency: NetworkManager-libnm(x86-64) = 1:1.0.6-27.el7 for package: 1:NetworkManager-1.0.6-27.el7.x86_64 --> Processing Dependency: libnm.so.0(libnm_1_0_0)(64bit) for package: 1:NetworkManager-1.0.6-27.el7.x86_64 ^C[root@UA-HA ~]#
11. Reboot the system using init 6.
12. Login to the system and check the kernel version.
[root@UA-HA ~]# uname -mrs Linux 3.10.0-327.el7.x86_64 x86_64 [root@UA-HA ~]#
13. Check the /etc/redhat-release file.
[root@UA-HA ~]# cat /etc/redhat-release Red Hat Enterprise Linux Server release 7.2 (Maipo) [root@UA-HA ~]#
We can see that system has been updated successfully.
System Packages Bug fix, Security updates & Enhancement Updates Only: (No Kernel Update)
Some of the customers would like to stay with same kernel but would like to update the bug fixes and security updates. In that case, you can simply exclude the kernel.
There are two ways to exclude the kernel update.
Method :1
Update the /etc/yum.conf to exclude the kernel update permanently.
[root@UA-HA ~]# cat /etc/yum.conf |grep -i exclude #Exclude kernel update exclude=kernel* [root@UA-HA ~]#
Run yum update command to update the system.
[root@UA-HA ~]# yum update -y
Method:2
While updating the system , you can just use the exclude option.
[root@UA-HA ~]# yum update --exclude=kernel* Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Resolving Dependencies --> Running transaction check ---> Package ModemManager-glib.x86_64 0:1.1.0-6.git20130913.el7 will be updated ---> Package ModemManager-glib.x86_64 0:1.1.0-8.git20130913.el7 will be an update ---> Package NetworkManager.x86_64 1:0.9.9.1-13.git20140326.4dba720.el7 will be obsoleted ---> Package NetworkManager.x86_64 1:1.0.6-27.el7 will be obsoleting
Only Kernel Update:
1. List the available kernel updates .
[root@UA-HA yum.repos.d]# yum list updates 'kernel*' Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Updated Packages kernel.x86_64 3.10.0-327.el7 repo-update kernel-tools.x86_64 3.10.0-327.el7 repo-update kernel-tools-libs.x86_64 3.10.0-327.el7 repo-update [root@UA-HA yum.repos.d]#
2. Check the currently installed kernel.
[root@UA-HA yum.repos.d]# rpm -q kernel kernel-3.10.0-123.el7.x86_64 [root@UA-HA yum.repos.d]# yum list installed 'kernel*' Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. Installed Packages kernel.x86_64 3.10.0-123.el7 @anaconda/7.0 kernel-tools.x86_64 3.10.0-123.el7 @anaconda/7.0 kernel-tools-libs.x86_64 3.10.0-123.el7 @anaconda/7.0 [root@UA-HA yum.repos.d]#
3. Update only the system kernel.
[root@UA-HA ~]# yum update 'kernel*'
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.el7 will be installed
--> Processing Dependency: dracut >= 033-283 for package: kernel-3.10.0-327.el7.x86_64
--> Processing Dependency: linux-firmware >= 20150904-43 for package: kernel-3.10.0-327.el7.x86_64
---> Package kernel-tools.x86_64 0:3.10.0-123.el7 will be updated
---> Package kernel-tools.x86_64 0:3.10.0-327.el7 will be an update
---> Package kernel-tools-libs.x86_64 0:3.10.0-123.el7 will be updated
---> Package kernel-tools-libs.x86_64 0:3.10.0-327.el7 will be an update
--> Running transaction check
---> Package dracut.x86_64 0:033-161.el7 will be updated
--> Processing Dependency: dracut = 033-161.el7 for package: dracut-network-033-161.el7.x86_64
--> Processing Dependency: dracut = 033-161.el7 for package: dracut-config-rescue-033-161.el7.x86_64
---> Package dracut.x86_64 0:033-359.el7 will be an update
--> Processing Dependency: systemd >= 219 for package: dracut-033-359.el7.x86_64
---> Package libertas-sd8686-firmware.noarch 0:20140213-0.3.git4164c23.el7 will be obsoleted
---> Package libertas-sd8787-firmware.noarch 0:20140213-0.3.git4164c23.el7 will be obsoleted
---> Package libertas-usb8388-firmware.noarch 2:20140213-0.3.git4164c23.el7 will be obsoleted
---> Package linux-firmware.noarch 0:20140213-0.3.git4164c23.el7 will be updated
---> Package linux-firmware.noarch 0:20150904-43.git6ebf5d5.el7 will be obsoleting
--> Running transaction check
---> Package dracut-config-rescue.x86_64 0:033-161.el7 will be updated
---> Package dracut-config-rescue.x86_64 0:033-359.el7 will be an update
---> Package dracut-network.x86_64 0:033-161.el7 will be updated
---> Package dracut-network.x86_64 0:033-359.el7 will be an update
---> Package systemd.x86_64 0:208-11.el7 will be updated
--> Processing Dependency: systemd = 208-11.el7 for package: libgudev1-208-11.el7.x86_64
--> Processing Dependency: systemd = 208-11.el7 for package: systemd-python-208-11.el7.x86_64
--> Processing Dependency: systemd = 208-11.el7 for package: systemd-sysv-208-11.el7.x86_64
---> Package systemd.x86_64 0:219-19.el7 will be an update
--> Processing Dependency: systemd-libs = 219-19.el7 for package: systemd-219-19.el7.x86_64
--> Processing Dependency: kmod >= 18-4 for package: systemd-219-19.el7.x86_64
--> Running transaction check
---> Package kmod.x86_64 0:14-9.el7 will be updated
---> Package kmod.x86_64 0:20-5.el7 will be an update
---> Package libgudev1.x86_64 0:208-11.el7 will be updated
---> Package libgudev1.x86_64 0:219-19.el7 will be an update
---> Package systemd-libs.x86_64 0:208-11.el7 will be updated
---> Package systemd-libs.x86_64 0:219-19.el7 will be an update
---> Package systemd-python.x86_64 0:208-11.el7 will be updated
---> Package systemd-python.x86_64 0:219-19.el7 will be an update
---> Package systemd-sysv.x86_64 0:208-11.el7 will be updated
---> Package systemd-sysv.x86_64 0:219-19.el7 will be an update
--> Processing Conflict: systemd-219-19.el7.x86_64 conflicts initscripts < 9.49.28-1 --> Restarting Dependency Resolution with new changes.
--> Running transaction check
---> Package initscripts.x86_64 0:9.49.17-1.el7 will be updated
---> Package initscripts.x86_64 0:9.49.30-1.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=================================================================================================================
Package Arch Version Repository Size
=================================================================================================================
Installing:
kernel x86_64 3.10.0-327.el7 repo-update 33 M
linux-firmware noarch 20150904-43.git6ebf5d5.el7 repo-update 24 M
replacing libertas-sd8686-firmware.noarch 20140213-0.3.git4164c23.el7
replacing libertas-sd8787-firmware.noarch 20140213-0.3.git4164c23.el7
replacing libertas-usb8388-firmware.noarch 2:20140213-0.3.git4164c23.el7
Updating:
initscripts x86_64 9.49.30-1.el7 repo-update 429 k
kernel-tools x86_64 3.10.0-327.el7 repo-update 2.4 M
kernel-tools-libs x86_64 3.10.0-327.el7 repo-update 2.3 M
Updating for dependencies:
dracut x86_64 033-359.el7 repo-update 311 k
dracut-config-rescue x86_64 033-359.el7 repo-update 49 k
dracut-network x86_64 033-359.el7 repo-update 90 k
kmod x86_64 20-5.el7 repo-update 114 k
libgudev1 x86_64 219-19.el7 repo-update 64 k
systemd x86_64 219-19.el7 repo-update 5.1 M
systemd-libs x86_64 219-19.el7 repo-update 356 k
systemd-python x86_64 219-19.el7 repo-update 97 k
systemd-sysv x86_64 219-19.el7 repo-update 52 k
Transaction Summary
==================================================================================================================
Install 2 Packages
Upgrade 3 Packages (+9 Dependent packages)
Total download size: 68 M
Is this ok [y/d/N]: y
Downloading packages:
------------------------------------------------------------------------------------------------------------------
Total 86 MB/s | 68 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Updating : systemd-libs-219-19.el7.x86_64 1/30
Updating : systemd-219-19.el7.x86_64 2/30
Updating : dracut-033-359.el7.x86_64 3/30
Updating : kmod-20-5.el7.x86_64 4/30
Updating : initscripts-9.49.30-1.el7.x86_64 5/30
Updating : kernel-tools-libs-3.10.0-327.el7.x86_64 6/30
Installing : linux-firmware-20150904-43.git6ebf5d5.el7.noarch 7/30
Installing : kernel-3.10.0-327.el7.x86_64 8/30
Updating : kernel-tools-3.10.0-327.el7.x86_64 9/30
Updating : dracut-config-rescue-033-359.el7.x86_64 10/30
Updating : dracut-network-033-359.el7.x86_64 11/30
Updating : systemd-sysv-219-19.el7.x86_64 12/30
Updating : systemd-python-219-19.el7.x86_64 13/30
Updating : libgudev1-219-19.el7.x86_64 14/30
Cleanup : systemd-sysv-208-11.el7.x86_64 15/30
Cleanup : dracut-network-033-161.el7.x86_64 16/30
Cleanup : dracut-config-rescue-033-161.el7.x86_64 17/30
Erasing : libertas-sd8787-firmware-20140213-0.3.git4164c23.el7.noarch 18/30
Erasing : libertas-sd8686-firmware-20140213-0.3.git4164c23.el7.noarch 19/30
Erasing : 2:libertas-usb8388-firmware-20140213-0.3.git4164c23.el7.noarch 20/30
Cleanup : linux-firmware-20140213-0.3.git4164c23.el7.noarch 21/30
Cleanup : dracut-033-161.el7.x86_64 22/30
Cleanup : systemd-python-208-11.el7.x86_64 23/30
Cleanup : initscripts-9.49.17-1.el7.x86_64 24/30
Cleanup : libgudev1-208-11.el7.x86_64 25/30
Cleanup : systemd-208-11.el7.x86_64 26/30
Cleanup : kernel-tools-3.10.0-123.el7.x86_64 27/30
Cleanup : kernel-tools-libs-3.10.0-123.el7.x86_64 28/30
Cleanup : kmod-14-9.el7.x86_64 29/30
Cleanup : systemd-libs-208-11.el7.x86_64 30/30
Verifying : dracut-config-rescue-033-359.el7.x86_64 1/30
Verifying : linux-firmware-20150904-43.git6ebf5d5.el7.noarch 2/30
Verifying : dracut-network-033-359.el7.x86_64 3/30
Verifying : kernel-tools-3.10.0-327.el7.x86_64 4/30
Verifying : kmod-20-5.el7.x86_64 5/30
Verifying : systemd-sysv-219-19.el7.x86_64 6/30
Verifying : libgudev1-219-19.el7.x86_64 7/30
Verifying : systemd-219-19.el7.x86_64 8/30
Verifying : kernel-3.10.0-327.el7.x86_64 9/30
Verifying : dracut-033-359.el7.x86_64 10/30
Verifying : systemd-libs-219-19.el7.x86_64 11/30
Verifying : kernel-tools-libs-3.10.0-327.el7.x86_64 12/30
Verifying : initscripts-9.49.30-1.el7.x86_64 13/30
Verifying : systemd-python-219-19.el7.x86_64 14/30
Verifying : kernel-tools-3.10.0-123.el7.x86_64 15/30
Verifying : kmod-14-9.el7.x86_64 16/30
Verifying : dracut-config-rescue-033-161.el7.x86_64 17/30
Verifying : systemd-sysv-208-11.el7.x86_64 18/30
Verifying : systemd-python-208-11.el7.x86_64 19/30
Verifying : libertas-sd8787-firmware-20140213-0.3.git4164c23.el7.noarch 20/30
Verifying : 2:libertas-usb8388-firmware-20140213-0.3.git4164c23.el7.noarch 21/30
Verifying : dracut-033-161.el7.x86_64 22/30
Verifying : initscripts-9.49.17-1.el7.x86_64 23/30
Verifying : systemd-libs-208-11.el7.x86_64 24/30
Verifying : systemd-208-11.el7.x86_64 25/30
Verifying : dracut-network-033-161.el7.x86_64 26/30
Verifying : libertas-sd8686-firmware-20140213-0.3.git4164c23.el7.noarch 27/30
Verifying : libgudev1-208-11.el7.x86_64 28/30
Verifying : linux-firmware-20140213-0.3.git4164c23.el7.noarch 29/30
Verifying : kernel-tools-libs-3.10.0-123.el7.x86_64 30/30
Installed:
kernel.x86_64 0:3.10.0-327.el7 linux-firmware.noarch 0:20150904-43.git6ebf5d5.el7
Updated:
initscripts.x86_64 0:9.49.30-1.el7 kernel-tools.x86_64 0:3.10.0-327.el7 kernel-tools-libs.x86_64 0:3.10.0-327.el7
Dependency Updated:
dracut.x86_64 0:033-359.el7 dracut-config-rescue.x86_64 0:033-359.el7 dracut-network.x86_64 0:033-359.el7 kmod.x86_64 0:20-5.el7
libgudev1.x86_64 0:219-19.el7 systemd.x86_64 0:219-19.el7 systemd-libs.x86_64 0:219-19.el7 systemd-python.x86_64 0:219-19.el7
systemd-sysv.x86_64 0:219-19.el7
Replaced:
libertas-sd8686-firmware.noarch 0:20140213-0.3.git4164c23.el7 libertas-sd8787-firmware.noarch 0:20140213-0.3.git4164c23.el7
libertas-usb8388-firmware.noarch 2:20140213-0.3.git4164c23.el7
Complete!
[root@UA-HA ~]#
4. Reboot the system.
In grub , you can see that system is booting in new kernel.
5. Login to the system again and check the kernel version.
[root@UA-HA ~]# uname -mrs Linux 3.10.0-327.el7.x86_64 x86_64 [root@UA-HA ~]#
We can see that system kernel has been upgraded to latest version.
Install Only the Security updates: (No update for kernel & packages)
Use the following command to update only the security updates.
# yum -y update --security
Refer the Redhat support article for more information.
Hope this article is informative to you. Share it ! Comment it !! Be Sociable !!!
Bhanu says
Very informative, easy to understand