- Oracle Linux system updates
- Updating Software Automatically
- Disabling Updates for Particular Packages
- Tracking Security Updates and Errata Releases
- Using DNF to See Security Updates
- How to Use ULN to Manage System-Specific Errata
- How to Use ULN to Browse Available Errata
- Planning for Controlled Updates in a Production Environment
Oracle Linux system updates
Regardless of whether you use ULN or an Oracle Linux yum server, software updates are achieved using standard dnf commands on the system and depend on the system having the appropriate ULN channel subscriptions or yum repositories enabled. You can use the dnf install and dnf update commands to handle general package installation or updates.
To update a system to use the latest packages that are available, run:
sudo dnf update
The dnf update command is an alias that runs dnf upgrade.
Update the system regularly to ensure that packages have the latest security patches and bug fixes. Consider using automatic updates so that software is properly maintained on the system.
Note that if you use the dnf install command for software that is already installed, the software packages that you specify are also updated to the latest available version.
Updating Software Automatically
The DNF Automatic tool is provided as an additional package that you can use as an alternative to manually running dnf upgrade to keep the system updated with the latest security patches and bug fixes. The tool can provide automatic notifications of updates, download updates, and then install them automatically by using systemd timers.
You can install the dnf-automatic package and enable the systemd dnf-automatic.timer timer unit to start using this service:
sudo dnf install dnf-automatic
sudo systemctl enable --now dnf-automatic.timer
You configure the DNF Automatic tool by editing the /etc/dnf/automatic.conf configuration file and then restarting the timer unit.
Note that additional alternative timer units are available and can override the default configuration that is specified in the configuration file. Frequently, these timer units are used as handy shortcuts to perform a specific behavior:
- dnf-automatic-notifyonly.timer : Notifies for available updates
- dnf-automatic-download.timer : Downloads package updates, but does not install them
- dnf-automatic-install.timer : Downloads and automatically installs package updates
You enable the required behavior by running:
sudo systemctl enable --now dnf-automatic-install.timer
See the dnf-automatic(8) manual page for more information.
By using Oracle Ksplice, you can keep your Oracle Linux kernel patched and updated all of the time, without any need to reboot. For Oracle Linux Premier Support customers, Ksplice is an essential tool to keep the systems safe, secure and updated. See Oracle Linux: Ksplice User’s Guide for more information.
Disabling Updates for Particular Packages
To disable updates for particular packages, add an exclude statement to the [main] section of the /etc/dnf/dnf.conf file. For example, to exclude updates for VirtualBox and kernel packages:
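The following helper is an added example, not code from the Oracle documentation, and it serves both this section and the dnf-automatic section above: it sets one key inside one section of an INI-style dnf configuration file while leaving everything else untouched, then uses that to (a) make dnf-automatic download and apply security errata only and (b) add the exclude line described here. The key names come from dnf-automatic(8) and dnf.conf(5); the demo() function edits constructed copies of both files rather than the live ones.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: set one key in one section
# of an INI-style dnf configuration file, leaving everything else untouched,
# then use it to (a) make dnf-automatic download and apply security errata only
# and (b) add the exclude= line to dnf.conf. Key names are those documented in
# dnf-automatic(8) and dnf.conf(5); demo() edits constructed copies, not live files.

# set_ini_option FILE SECTION KEY VALUE: replace KEY in [SECTION] (first copy kept,
# repeats dropped) or append it at the section end; create the section if absent.
set_ini_option() {
    tmp=$(mktemp) || return 1
    SEC=$2 KEY=$3 VAL=$4 awk '
        BEGIN { sec = ENVIRON["SEC"]; key = ENVIRON["KEY"]; val = ENVIRON["VAL"] }
        function flush() { printf "%s", held; held = "" }
        function emit()  { if (insec && !done) { print key " = " val; done = 1 } }
        /^\[/ { emit(); flush(); insec = ($0 == "[" sec "]"); if (insec) found = 1 }
        insec && /^[ \t]*$/ { held = held $0 "\n"; next }   # hold blanks until we know what follows
        insec { flush(); k = $0; sub(/[ \t]*=.*/, "", k)
                if (k == key) { emit(); next } }
        { print }
        END { emit(); flush(); if (!found) { print "[" sec "]"; print key " = " val } }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# (a) dnf-automatic: security errata only, downloaded and installed by the timer.
enable_security_only_auto_updates() {
    conf=${1:-/etc/dnf/automatic.conf}
    set_ini_option "$conf" commands upgrade_type security
    set_ini_option "$conf" commands download_updates yes
    set_ini_option "$conf" commands apply_updates yes
    set_ini_option "$conf" emitters emit_via stdio   # the timer's stdout lands in the journal
}

# (b) dnf.conf: keep dnf from updating VirtualBox and kernel packages.
exclude_from_updates() {
    set_ini_option "${1:-/etc/dnf/dnf.conf}" main exclude 'VirtualBox* kernel*'
}

# Constructed stand-ins for both files; prints the edited results.
demo() {
    a=$(mktemp) && d=$(mktemp) || return 1
    printf '%s\n' '[commands]' 'upgrade_type = default' 'random_sleep = 0' \
        'apply_updates = no' '' '[emitters]' 'emit_via = stdio' > "$a"
    printf '%s\n' '[main]' 'gpgcheck=1' 'installonly_limit=3' > "$d"
    enable_security_only_auto_updates "$a" && exclude_from_updates "$d"
    cat "$a" "$d"; rm -f "$a" "$d"
}
demo
```

After running enable_security_only_auto_updates against the real file, restart the timer (sudo systemctl restart dnf-automatic.timer) so the new settings take effect.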
Excluding certain packages from being updated can cause dependency errors for other packages. Your system could also become vulnerable to security-related issues if you do not install the latest updates.
Tracking Security Updates and Errata Releases
Oracle releases important changes to the Oracle Linux and Oracle VM software as individual package updates, known as errata. These package updates are made available for download on ULN before they are gathered into a release or distributed through the _patch channel.
Errata packages can contain the following:
- Security advisories, which have names prefixed by ELSA-* (for Oracle Linux) and OVMSA-* (for Oracle VM).
- Bug fix advisories, which have names prefixed by ELBA-* and OVMBA-* .
- Feature enhancement advisories, which have names prefixed by ELEA-* and OVMEA-* .
To be notified when new errata packages are released, you can subscribe to the Oracle Linux and Oracle VM errata mailing lists at https://oss.oracle.com/mailman/listinfo/el-errata and https://oss.oracle.com/mailman/listinfo/oraclevm-errata.
If you are logged in to ULN, you can also subscribe to these mailing lists by following the Subscribe to Enterprise Linux Errata mailing list and Subscribe to Oracle VM Errata mailing list links that are provided on the Errata tab.
Oracle publishes a complete list of errata made available on ULN at https://linux.oracle.com/errata. You can also see a published listing of Common Vulnerabilities and Exposures (CVEs) and explore their details and status at https://linux.oracle.com/cve.
You can also track updates to Oracle Linux yum server repositories by visiting https://yum.oracle.com/whatsnew.html, where you can see which packages were updated within each repository for the previous six months.
Using DNF to See Security Updates
DNF includes integrated options to handle any requirement for managing security and errata updates that are available for packages installed in Oracle Linux.
List the errata that are available for your system as follows:
sudo dnf updateinfo list
The output from the command sorts the available errata in order of their IDs and identifies their types, which can be one of the following:
- Security patch (severity/Sec.)
- Bug fix (bugfix)
- Feature enhancement (enhancement)
Security patches are also listed according to their severity, which can be Critical, Important, Moderate, or Low.
You can use the --sec-severity option to filter the security errata by severity, for example:
sudo dnf updateinfo list --sec-severity=Critical
To list the security errata by their Common Vulnerabilities and Exposures (CVE) IDs instead of their errata IDs, specify the keyword cves as an argument:
sudo dnf updateinfo list cves
Similarly, the keywords bugfix, enhancement, and security filter the list for all bug fixes, enhancements, and security errata.
You can use the --cve option to display the errata that correspond to a specific CVE ID, for example:
sudo dnf updateinfo list --cve CVE-2022-3545
To display more information about the CVE, specify info instead of list, for example:
sudo dnf updateinfo info --cve CVE-ID
To update all of the packages for which security-related errata are available to the latest versions of those packages, even if the latest versions include bug fixes or new features but no security errata, use the following command:
sudo dnf --security upgrade
To update all packages to the latest versions that contain security errata, ignoring any newer packages that do not contain security errata, use the following command:
sudo dnf --security upgrade-minimal
To update all kernel packages to the latest versions that contain security errata, use the following command:
sudo dnf --security upgrade-minimal kernel*
To update only those packages that correspond to a CVE or erratum, use the dnf update --cve command. For Enterprise Linux Security Advisory (ELSA) patches, use dnf update --advisory.
sudo dnf update --cve CVE-ID
sudo dnf update --advisory ELSA-ID
Some updates might require that you reboot the system. By default, the boot manager automatically enables the most recent kernel version.
For more information, see the dnf(8) manual page.
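The following script is an added example, not code from the Oracle documentation: it summarizes the output of the dnf updateinfo list command described above, counting pending errata by type and severity and calling out security errata that touch a kernel package, which need a reboot unless Ksplice patches the running kernel. The sample listing embedded in it is constructed in the column layout the page describes; the advisory IDs in it are made up.

```shell
#!/bin/sh
# Added example, not from the Oracle documentation: summarize `dnf updateinfo list`
# output: security errata per severity, bug fixes, enhancements, and which
# security errata update a kernel package (reboot needed unless Ksplice is used).
# Usage: sudo dnf updateinfo list | sh errata_summary.sh /dev/stdin

# Constructed sample in the layout the page describes (advisory ID, type or
# severity/Sec., package). Advisory IDs are made up; the first line mimics the
# metadata header dnf prints before the table.
SAMPLE_UPDATEINFO='Last metadata expiration check: 0:10:12 ago on Mon 01 Jan 2024.
ELSA-2024-0001 Critical/Sec.  kernel-uek-5.15.0-200.131.27.el9uek.x86_64
ELSA-2024-0002 Important/Sec. openssl-3.0.7-25.el9.x86_64
ELSA-2024-0003 Moderate/Sec.  curl-7.76.1-26.el9.x86_64
ELBA-2024-0010 bugfix         bash-5.1.8-6.el9.x86_64
ELEA-2024-0020 enhancement    vim-enhanced-8.2.2637-20.el9.x86_64'

# Keep only errata rows: the first field is an Oracle Linux or Oracle VM advisory ID.
errata_rows() {
    awk '$1 ~ /^(ELSA|ELBA|ELEA|OVMSA|OVMBA|OVMEA)-/'
}

# Count rows whose type column matches an awk regex, e.g. '^Critical/Sec\.$' or '/Sec\.$'.
errata_count() {
    errata_rows | PAT="$1" awk '$2 ~ ENVIRON["PAT"] { n++ } END { print n + 0 }'
}

# Advisory IDs of security errata that update a kernel package.
kernel_security_errata() {
    errata_rows | awk '$2 ~ /\/Sec\.$/ && $3 ~ /^kernel/ { print $1 }'
}

# Print the report for a listing given on stdin.
errata_summary() {
    input=$(cat)
    for t in Critical/Sec. Important/Sec. Moderate/Sec. Low/Sec. bugfix enhancement; do
        printf '%-15s %s\n' "$t" "$(printf '%s\n' "$input" | errata_count "^$t\$")"
    done
    kern=$(printf '%s\n' "$input" | kernel_security_errata)
    if [ -n "$kern" ]; then
        printf 'kernel security errata (reboot needed unless Ksplice patches them): %s\n' "$kern"
    fi
}

# Read the file named as the first argument (e.g. /dev/stdin), else use the sample.
if [ -n "$1" ]; then
    errata_summary < "$1"
else
    printf '%s\n' "$SAMPLE_UPDATEINFO" | errata_summary
fi
```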
How to Use ULN to Manage System-Specific Errata
Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.
With this task, you can download a CSV report about errata that affect a specific system. Through the report, you can identify the necessary RPMs to download to update that system.
- Log in to https://linux.oracle.com with the appropriate ULN user name and password.
- On the Systems tab, click the link named for the system in the list of registered machines.
The System Details page lists the available errata for the system in the Available Errata table, which might be split over several pages.
As an alternative, use the sudo dnf upgrade command directly on the affected system to download the RPMs and update the system with all available errata updates.
- Click the link for the advisory.
- On the System Errata Detail page for an advisory, you can download the RPMs for the affected releases and system architectures.
How to Use ULN to Browse Available Errata
Monitoring available errata in ULN keeps you current on updates that might be needed on registered systems.
With this task, you can browse all available errata directly in ULN and then select to download the errata RPMs that registered systems require.
- To sort the table of available errata, click the title of the Type, Severity, Advisory, Systems Affected, or Release Date column. Click the title again to reverse the order of sorting.
- Click the link for the advisory.
- On the Errata Detail page for an advisory, you can download the RPMs for the supported releases and system architectures. The Superseded By Advisory column displays a link to the most recent advisory (if any) that replaces the advisory you are browsing.
Planning for Controlled Updates in a Production Environment
Software and OS updates can pose a problem for complex production environments that have mission-critical applications that require minimal downtime. One solution might be to lock an environment to a single tested Oracle Linux release and update level to avoid updating the OS frequently. However, this approach increases the risk from security vulnerabilities and ultimately makes integration testing more difficult.
We recommend that you implement a software update strategy to ensure that the OS and underlying software on production systems are regularly updated in a way that lets you manage the risk of application breakages caused by software updates.
The following guidelines can help you to implement a software update strategy that is in line with best practice but protects the production systems from unexpected changes.
- Create a local ULN mirror. One of the challenges associated with rolling out updates on systems is that even if you have tested the updates in an integration and testing environment, if you do not manage the source of the updated packages, changes to packages can occur between the period of integration testing and the moment when you roll the package updates out to the production environment. By creating a local ULN mirror, you can control when and how often channels are synchronized to the mirror server. The selection of packages is static between synchronization periods, which gives you an opportunity to test a set of packages and then update the production environment to a known working set. By using ULN for the mirror service, you can mirror channels that contain Ksplice updates so that you are able to take advantage of an offline Ksplice service. With the offline Ksplice, you can use in-memory kernel updates to avoid reboots. At the same time, you can test these updates in an integration environment first, before applying the updates to the production environment.
- Consider a staged update strategy based on risk and threat mitigation.
- Schedule Oracle Ksplice updates for the kernel and user space to run at least weekly. Optionally, you can vet these updates within an integration test environment first.
- For security-related package updates, follow a monthly maintenance schedule, in line with alerts from security tools or errata notifications. Use the dnf update --security command for these types of update.
- Apply at least a quarterly maintenance schedule to run full package updates that use a ULN mirror snapshot. Vet the updates on an integration test environment first before implementing these on production servers.
By performing regular atomic updates, you make it easier to resolve integration issues as they arise and you better protect your environment from potential security issues. Using an integration test environment and a yum or ULN mirror is critical to maintaining the stability of your platform and protecting it from compromise.