Centralized Patch Management Solutions for RHEL-based Linux Servers (CentOS/Oracle Linux 5/6)

When maintaining a fleet of RHEL-based servers (CentOS/Oracle Linux 5/6), manually patching each machine via yum becomes increasingly impractical as your environment grows. The need for consistency, audit trails, and change control makes centralized patch management essential.

Puppet provides a declarative approach to system configuration. Here's a basic manifest to manage packages:


class system_updates {
  # "yum check-update" exits 100 when updates are pending, 0 when there are
  # none and 1 on error. Puppet's exec runs onlyif without a shell, so the
  # "$(...)" substitution in the original never happened; wrap the test in
  # /bin/sh and check for the 100 case explicitly.
  exec { 'yum_update':
    command => '/usr/bin/yum -y update',
    timeout => 1800,
    returns => [0, 100],
    onlyif  => "/bin/sh -c '/usr/bin/yum -q check-update >/dev/null 2>&1; test \$? -eq 100'",
  }
}

For environments where Puppet seems too heavy, Spacewalk (upstream of Red Hat Satellite) offers a web interface for managing updates:


# Install Spacewalk client
rpm -Uvh http://yum.spacewalkproject.org/2.6/RHEL/6/x86_64/spacewalk-client-repo-2.6-3.el6.noarch.rpm
yum install rhn-client-tools rhn-check rhn-setup rhnsd m2crypto

For smaller environments, setting up a local yum repository might suffice:


# On your repo server:
yum install createrepo httpd
mkdir -p /var/www/html/repos/{centos5,centos6,oracle5,oracle6}
createrepo /var/www/html/repos/centos6

# On clients (REPO_SERVER is a placeholder for your repo host; keep gpgcheck
# on, the mirrored packages still carry the distribution signature):
cat > /etc/yum.repos.d/local.repo <<'EOF'
[local-centos6]
name=Local CentOS 6 mirror
baseurl=http://REPO_SERVER/repos/centos6
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
EOF

Ansible provides a lightweight alternative with simple YAML syntax:


- name: Patch all servers
  hosts: all
  become: yes
  tasks:
    - name: Update all packages
      yum:
        name: '*'
        state: latest
      register: yum_result

    # yum_result.changes is a dict keyed "installed"/"updated", so testing
    # "'kernel' in yum_result.changes" only looks at those keys and never
    # matches; compare the running kernel with the newest installed kernel
    # package instead.
    - name: Check whether the newest installed kernel is the running one
      shell: test "$(rpm -q --last kernel | head -n1 | cut -d' ' -f1)" = "kernel-$(uname -r)" && echo current || echo reboot
      register: kernel_check
      changed_when: false

    - name: Reboot if kernel updated
      reboot:
        msg: "Reboot initiated by Ansible for kernel updates"
        connect_timeout: 5
        reboot_timeout: 600
        pre_reboot_delay: 0
        post_reboot_delay: 30
      when: kernel_check.stdout == "reboot"

Remember that older systems (like CentOS 5) may require special handling due to discontinued support and outdated package formats. Consider upgrading these systems or implementing additional security measures.
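Added example (not part of the answer above, and not Ansible, Puppet or yum code): the "reboot if the kernel changed" decision is more reliable when it compares the running kernel (`uname -r`) with the newest installed kernel package using rpm's own version ordering. Plain string sorting, and version sorts that do not know rpm's rule that a numeric segment beats an alphabetic one, rank `2.6.32-754.el6` above `2.6.32-754.35.1.el6` and would skip a needed reboot. The script assumes Python 3 on the management host; `SAMPLE_INSTALLED` is a constructed kernel list, not data from a real system, and the `rpm -q kernel --qf` query format used for the live variant is standard rpm.

```python
import re
import subprocess
from typing import Iterable, Optional, Tuple

# Constructed sample: what
#   rpm -q kernel --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n'
# might print on a CentOS 6 host with three kernels installed (not real host data).
SAMPLE_INSTALLED = [
    "2.6.32-696.el6.x86_64",
    "2.6.32-754.35.1.el6.x86_64",
    "2.6.32-754.el6.x86_64",
]

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version or release strings the way rpm's rpmvercmp() does
    (without the tilde/caret rules, which EL5/EL6 rpm lacks anyway).
    Returns 1 if a is newer, -1 if b is newer, 0 if they compare equal."""
    if a == b:
        return 0
    seg_a = _SEGMENT.findall(a)   # separators such as '.' and '_' are ignored
    seg_b = _SEGMENT.findall(b)
    for sa, sb in zip(seg_a, seg_b):
        a_num, b_num = sa.isdigit(), sb.isdigit()
        if a_num != b_num:
            # rpm rule: a numeric segment is newer than an alphabetic one,
            # which is what makes 754.35.1.el6 newer than 754.el6
            return 1 if a_num else -1
        if a_num:
            ia, ib = int(sa), int(sb)   # int() also drops leading zeros
            if ia != ib:
                return 1 if ia > ib else -1
        elif sa != sb:
            return 1 if sa > sb else -1   # alphabetic segments: plain strcmp
    if len(seg_a) == len(seg_b):
        return 0
    return 1 if len(seg_a) > len(seg_b) else -1   # leftover segments win


def evr_cmp(a: str, b: str) -> int:
    """Compare 'version-release' strings (the uname -r form) as rpm does:
    version first, release only if the versions tie."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def newest_kernel(installed: Iterable[str]) -> Optional[str]:
    """Highest installed kernel per rpm ordering, or None for an empty list."""
    newest = None
    for kernel in installed:
        kernel = kernel.strip()
        if kernel and (newest is None or evr_cmp(kernel, newest) > 0):
            newest = kernel
    return newest


def reboot_required(running: str, installed: Iterable[str]) -> Tuple[bool, str]:
    """True (plus an audit-friendly one-line reason) when a kernel newer than
    the running one is installed, i.e. patching happened but was not booted."""
    newest = newest_kernel(installed)
    if newest is None:
        raise ValueError("no installed kernels supplied")
    if evr_cmp(newest, running) > 0:
        return True, f"reboot-required running={running} newest={newest}"
    return False, f"kernel-current running={running}"


def reboot_required_on_this_host() -> Tuple[bool, str]:
    """Live variant for an EL host: the same check fed from rpm and uname."""
    installed = subprocess.check_output(
        ["rpm", "-q", "kernel", "--qf", "%{VERSION}-%{RELEASE}.%{ARCH}\n"],
        text=True).splitlines()
    running = subprocess.check_output(["uname", "-r"], text=True).strip()
    return reboot_required(running, installed)


if __name__ == "__main__":
    # Demonstration on the constructed sample; use reboot_required_on_this_host()
    # when running on a real CentOS/Oracle Linux box.
    print(reboot_required("2.6.32-754.el6.x86_64", SAMPLE_INSTALLED))
```

The verdict string is deliberately a single line so it can be appended to a patch audit log or fed back into a playbook `when:` condition; the comparison is done on the version and release parts separately, as rpm itself does, rather than on the whole `uname -r` string.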


Managing updates across multiple Linux distributions and versions presents unique challenges. In environments running both CentOS and Oracle Linux (versions 5 and 6), administrators often face:

  • Different package repositories for each distribution
  • Varying dependency requirements
  • Discontinued support for older versions
  • Manual update processes consuming excessive time

While Puppet is indeed a popular choice, let's examine several approaches with concrete examples:

Red Hat Satellite (or its upstream Spacewalk project) provides robust centralized management:


# Install Spacewalk server
yum install spacewalk-setup-postgresql
spacewalk-setup --disconnected

Key benefits:

  • Unified repository mirroring
  • System grouping by environment
  • Compliance reporting

For those preferring infrastructure-as-code:


# Sample Puppet manifest for patching
class security_updates {
  # "yum check-update" exits 100 when updates are pending and 0 when there are
  # none, so using the bare command as onlyif would skip the update exactly
  # when it is needed; test for the 100 case explicitly (exec runs no shell).
  exec { 'yum_update':
    command => '/usr/bin/yum -y update',
    onlyif  => "/bin/sh -c '/usr/bin/yum -q check-update >/dev/null 2>&1; test \$? -eq 100'",
    timeout => 300,
  }
}

node /server\d+/ {
  include security_updates
}

Advanced implementation might include:


# Per-release patch scheduling via a selector on the OS major release
# (the --security flag needs yum-plugin-security installed on EL5/EL6)
if $::osfamily == 'RedHat' {
  $update_hour = $::operatingsystemmajrelease ? {
    '5'     => '3',
    '6'     => '2',
    default => undef,
  }

  # Only manage the cron job on releases that have a schedule;
  # both run at minute 0 on Saturday (weekday 6)
  if $update_hour {
    cron { 'security_updates':
      command => '/usr/bin/yum -y --security update',
      hour    => $update_hour,
      minute  => '0',
      weekday => '6',
    }
  }
}

For those preferring push-based management:


---
- name: Apply security updates
  hosts: all
  become: yes
  tasks:
    # The yum module has no update_type parameter; list pending updates here
    # and restrict the update tasks below with security: yes (which needs
    # yum-plugin-security on EL5/EL6 hosts)
    - name: Check for pending updates
      yum:
        list: updates
      register: yum_updates

    - name: Apply security updates (CentOS)
      yum:
        name: "*"
        state: latest
        security: yes
        exclude: "kernel*"
      when:
        - ansible_distribution == "CentOS"
        - yum_updates.results | length > 0

    - name: Apply security updates (Oracle Linux)
      yum:
        name: "*"
        state: latest
        security: yes
        exclude: "kernel*,oracle*"
      when:
        - ansible_distribution == "OracleLinux"
        - yum_updates.results | length > 0

For environments without internet access:


# Create local repo for CentOS 6
reposync -l -n -d --repoid=updates --download_path=/var/www/html/repos/centos6
createrepo /var/www/html/repos/centos6/updates

# Oracle Linux 6 equivalent
reposync -l -n -d --repoid=ol6_latest --download_path=/var/www/html/repos/ol6
createrepo /var/www/html/repos/ol6/ol6_latest

Critical factors when choosing a solution:

  • Network bandwidth between servers
  • Downtime windows available
  • Regulatory compliance requirements
  • Existing configuration management tools in use
  • Staff expertise with various solutions

For Oracle Linux 5/CentOS 5 systems:


# Special handling for Python 2.4 compatibility
yum -y --exclude="*.i686" update bash openssl openssh

Recommended additional steps:

  • Maintain separate repositories for EOL systems
  • Implement stricter firewall rules
  • Consider system isolation
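Added example (not from either answer, and not Puppet, Ansible or yum code) covering two points both answers rely on: the `onlyif`/cron pre-check, which depends on the exit-status contract of `yum check-update` (0 means nothing pending, 100 means updates pending, 1 means error), and the client-side repo file for a local mirror, which should keep `gpgcheck=1` because packages mirrored with `reposync` still carry the distribution signature. The script assumes Python 3 on the management host and Python 3.7+ for `subprocess.run(capture_output=True)`; `SAMPLE_CHECK_UPDATE_OUTPUT` is a constructed imitation of `yum -q check-update` output, not a capture from a real system, and `REPO_SERVER` is a placeholder hostname.

```python
import subprocess
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample of "yum -q check-update" stdout on a CentOS 6 host (not
# captured from a real system): three normal rows, one row wrapped over two
# lines the way yum does for long package names, then an obsoletes section.
SAMPLE_CHECK_UPDATE_OUTPUT = """\
bash.x86_64                        4.1.2-50.el6                       updates
kernel.x86_64                      2.6.32-754.35.1.el6                updates
openssh-server.x86_64              5.3p1-124.el6_10                   updates
java-1.8.0-openjdk-headless.x86_64
                                   1:1.8.0.252.b09-2.el6_10           updates

Obsoleting Packages
python-argparse.noarch             1.2.1-2.el6                        updates
"""

# Exit-status contract of "yum check-update" (same on EL5/EL6):
#   0 -> nothing to update, 100 -> updates pending, anything else -> error
CHECK_UPDATE_STATUS = {0: "up-to-date", 100: "updates-pending"}


def classify_check_update(returncode: int) -> str:
    """Map the exit status to a verdict. Because "updates pending" is 100, not 0,
    a bare "run the update if check-update succeeds" test gets it backwards."""
    return CHECK_UPDATE_STATUS.get(returncode, f"yum-error:{returncode}")


def parse_check_update(output: str) -> List[Tuple[str, str, str]]:
    """Parse the package table into (name.arch, version-release, repo) rows.
    Handles the wrapped two-line form yum uses for long names and stops at the
    "Obsoleting Packages" section, which lists replacements, not updates."""
    rows: List[Tuple[str, str, str]] = []
    carried: Optional[str] = None   # name from a wrapped line awaiting its version
    for line in output.splitlines():
        if line.startswith("Obsoleting Packages"):
            break
        if not line.strip() or line.startswith(("Loaded plugins", "Loading mirror")):
            continue
        fields = line.split()
        if len(fields) == 1:
            carried = fields[0]
        elif len(fields) == 2 and carried:
            rows.append((carried, fields[0], fields[1]))
            carried = None
        elif len(fields) == 3:
            rows.append((fields[0], fields[1], fields[2]))
    return rows


def run_check_update(cmd: Sequence[str] = ("yum", "-q", "check-update"),
                     security_only: bool = False) -> Dict[str, object]:
    """Run check-update (optionally limited to security errata, which needs
    yum-plugin-security on EL5/EL6) and return the verdict plus parsed rows.
    cmd is a parameter so the logic can be exercised with a stand-in command."""
    argv = list(cmd) + (["--security"] if security_only else [])
    proc = subprocess.run(argv, capture_output=True, text=True)
    return {
        "status": classify_check_update(proc.returncode),
        "packages": parse_check_update(proc.stdout),
    }


def render_repo_file(repo_id: str, baseurl: str, gpgkey: str) -> str:
    """Client-side .repo stanza for a local mirror with signature checking on;
    gpgcheck=1 keeps a tampered mirror from feeding unsigned packages."""
    return "\n".join([
        f"[{repo_id}]",
        f"name=Local mirror ({repo_id})",
        f"baseurl={baseurl}",
        "enabled=1",
        "gpgcheck=1",
        f"gpgkey={gpgkey}",
        "",
    ])


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on an EL host call
    # run_check_update() or run_check_update(security_only=True) instead.
    for row in parse_check_update(SAMPLE_CHECK_UPDATE_OUTPUT):
        print("%-40s %-30s %s" % row)
    print(render_repo_file("local-centos6",
                           "http://REPO_SERVER/repos/centos6",   # placeholder host
                           "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6"))
```

`run_check_update()` returns both the verdict and the parsed rows so the same call can gate a patch run (status) and feed a compliance report (which packages, from which repo); the parser is what makes a "kernel update pending on host X" report possible without a Spacewalk server.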