Security Controls

How to Patch Linux Machines That Reside in a Disconnected Environment

If you have Linux client machines that reside in a disconnected environment, the agent will not be able to utilize YUM to download RPM packages from the internet. You will instead need to do the following:

Set up and populate one or more local "on-premise" repositories that contain the entire library of available RPMs

Configure your client machines to look to the correct local repository for the missing RPMs rather than to the internet

How to Set Up a Local Repository

Requirements

You can use any supported Linux server machine as your local repository. The only requirement is that it has enough available disk space to hold the entire inventory of available RPM packages. There are many different public repositories that contain RPM packages. For example, there is a public repository for RHEL 7 server RPMs, another public repository for RHEL 7 workstation RPMs, etc. As a general rule, your local repository machine should have at least 100GB of disk space for each public repository that you will download.

You will likely need two or more Linux server machines for this process.

Scenario 1: You might choose to use one machine that will be used as the local repository for all of the different versions of RPMs. In this scenario, the machine you use as the repository can download RPMs of the same RHEL or CentOS version that is used on the repository machine. You will, however, need a separate machine to download the RPMs for each different RHEL and CentOS version that is used within your organization.

For example, if your organization contains RHEL 7 x64, RHEL 6 x64 and CentOS 7 x64 client machines, you might use a RHEL 7 x64 server machine as the local repository and use it to download all RPMs for your RHEL 7 servers, workstations, desktops, etc. You would use separate RHEL 6 x64 and CentOS 7 x64 machines to download all the RPMs for your RHEL 6 and CentOS servers, workstation, desktops, etc. and then transfer those RPMs to the local repository machine.

Scenario 2: You might choose to maintain three different local repositories: one for all RHEL 7 RPMs, another for all RHEL 6 RPMs and a third for all CentOS 7 RPMs. This scenario requires three dedicated machines to act as your repositories but it eliminates the additional transfer step and the hassle of maintaining the joint repository.

Configuration Process

Because it is likely to take several hours to download the entire library of available RPM packages to your local repository, the recommendation is to perform the configuration process in two different phases. Phase 1, in which you will download all available RPMs, should be performed at the end of the work day so that the download process can run overnight. Phase 2 can then be performed the following day.

You must have root privilege to execute the following commands.

Phase 1

1. Make the directory you want to use as the repository.

For example, the following command creates a directory that will be used to contain Red Hat 7 RPMs.

mkdir -p /repos/redhat/7

2. Display the list of public repositories that are available for you to use to populate your local repository.

The public repositories that are available to you are based upon your RHEL subscription.

yum repolist

3. Using YUM, install the package that includes reposync.

yum install yum-utils

4. Download all available packages from the public repository of your choosing.

For example, the following command downloads RPMs from the rhel-7-server-rpms public repository.

reposync --gpgcheck -l --repoid=rhel-7-server-rpms --download_path=/repos/redhat/7

The download process will take a long time, so plan accordingly. The --gpgcheck option removes packages that fail the signature check during the download process. The -l option enables YUM plugins, which is required for the subscription-manager plugin to supply the entitlement used to reach Red Hat's repositories.

5. Repeat the reposync download from the previous step for each required public repository variant.

For example, if your organization contains RHEL 7 servers, workstations and desktops, you will need to download the RPMs from all three of the associated public repositories. You may need several days to perform all of the necessary downloads.

Do not attempt to download RPMs for a different version of Red Hat or CentOS. For example, a RHEL 7 machine cannot be used to download RPMs for RHEL 6 x32 machines or for RHEL 6 x64 machines.

Phase 2

The process described here creates a repository that is accessible via HTTP. There are other methods that can be used to create a repository. Feel free to use whatever method with which you are most familiar.

1. Using YUM, install the program that provides the ability to create a repository.

yum install createrepo

2. Create the repository.

createrepo /repos/redhat/7

If you receive an error stating it cannot open a *.rpm file, verify that you have not run out of disk space. If space is not an issue, repeat the reposync download step from Phase 1. It is possible that some files were missed the first time the download was performed.

3. Install the Apache web service.

This will provide the ability to access your local repository using the HTTP protocol.

yum install httpd

4. Open port 80 in your local firewall.

This is because we are setting up the repository to use HTTP. HTTPS is also an option, but HTTP is used here to simplify the example.

5. Edit the httpd.conf file and add any of the following entries that are missing.

vi /etc/httpd/conf/httpd.conf

ServerAdmin [email protected]

DocumentRoot /var/www/html

ServerName <machinename>

6. Link your new repository to the default website location.

ln -s /repos/redhat /var/www/html/redhat

7. Verify the syntax of the Apache web service configuration.

httpd -t

8. Start the Apache web service.

systemctl start httpd

You would otherwise need to repeat this command each time the server is restarted. Use the following command to start the service automatically whenever the server is restarted:

systemctl enable httpd

9. Get the updateinfo.xml.gz zip file.

Steps 9 - 13 apply only to Red Hat machines.

yum list-sec

10. Copy the *updateinfo.xml.gz files from the default location to the /repodata folder.

cp /var/cache/yum/x86_64/7rhServer/rhel-7-server-rpms/*updateinfo.xml.gz /repos/redhat/7/repodata/

11. Uncompress the *updateinfo.xml.gz file.

gzip -d /repos/redhat/7/repodata/*updateinfo.xml.gz

12. Rename the *updateinfo.xml file to eliminate unnecessary leading characters.

mv /repos/redhat/7/repodata/*updateinfo.xml /repos/redhat/7/repodata/updateinfo.xml

13. Modify the repository metadata to record that it contains the updateinfo.xml file.

modifyrepo /repos/redhat/7/repodata/updateinfo.xml /repos/redhat/7/repodata/

14. (Applies only to Red Hat and CentOS 7 machines that have SELinux enabled) Label /var/www/html/redhat so that httpd is allowed to serve the content under /repos/redhat.

cd /var/www/html

chcon -R -t httpd_sys_content_t redhat/
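Before pointing any client at the server, it is worth checking that Phase 2 actually produced a servable repository. The shell functions below are an added example, not part of the original article or the product: they report which of the three httpd.conf directives from step 5 are missing, confirm that createrepo produced repodata/repomd.xml and that the directory holds RPMs, confirm the step 6 symlink resolves into the repository tree, and (where the semanage tool from policycoreutils is installed) make the SELinux label from step 14 persistent, since a plain chcon is lost on the next filesystem relabel. All paths are parameters; the directory names in the comments are assumptions taken from the article's examples.

```shell
#!/bin/sh
# Added example (not from the original article): post-setup checks for a
# local YUM repository served by Apache, as built in Phase 1 and Phase 2.
# Assumed layout (from the article's examples): RPMs and repodata under
# /repos/redhat/7, exposed through the symlink /var/www/html/redhat.

# Print the httpd.conf directives from the article's list (ServerAdmin,
# DocumentRoot, ServerName) that are absent from the given file, one per line.
# Only active directives count; commented-out lines such as "#ServerName" do not.
missing_httpd_directives() {
    conf="$1"
    for directive in ServerAdmin DocumentRoot ServerName; do
        if ! grep -Eq "^[[:space:]]*${directive}[[:space:]]" "$conf"; then
            echo "$directive"
        fi
    done
}

# Return 0 when the repository directory is ready to be served: createrepo
# has written repodata/repomd.xml and at least one .rpm is present.
check_repo_ready() {
    repo_dir="$1"
    [ -f "$repo_dir/repodata/repomd.xml" ] || return 1
    count=$(find "$repo_dir" -name '*.rpm' | wc -l)
    [ "$count" -gt 0 ]
}

# Return 0 when the web-root symlink points at the repository root, so a
# client requesting http://<server>/redhat/7/ reaches <repo_root>/7.
check_link() {
    link="$1"
    repo_root="$2"
    [ -L "$link" ] || return 1
    [ "$(readlink -f "$link")" = "$(readlink -f "$repo_root")" ]
}

# Persistent alternative to the article's chcon: record the context in the
# SELinux policy and relabel, so the label survives a restorecon of the tree.
# Needs root and the semanage tool (policycoreutils-python on RHEL/CentOS 7).
label_repo_selinux() {
    repo_root="$1"
    if command -v semanage >/dev/null 2>&1; then
        semanage fcontext -a -t httpd_sys_content_t "${repo_root}(/.*)?" \
            && restorecon -Rv "$repo_root"
    else
        echo "semanage not found; skipping SELinux labeling" >&2
        return 2
    fi
}
```

On the repository server, run for example `missing_httpd_directives /etc/httpd/conf/httpd.conf`, `check_repo_ready /repos/redhat/7 && echo ready`, `check_link /var/www/html/redhat /repos/redhat` and, as root, `label_repo_selinux /repos/redhat`. A non-zero exit from any check means the corresponding Phase 2 step still needs attention.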

Repeat the Configuration Process for Other Red Hat Versions

You will need to repeat some or all of the configuration process for each different version of Red Hat or CentOS that is supported in your organization. For example, you must use a RHEL 7 machine to download RHEL 7 RPMs, a CentOS 7 x64 machine to download CentOS 7 x64 RPMs, a RHEL 6 x64 machine to download RHEL 6 x64 RPMs, etc. Alter the commands as needed for each unique version of Linux.

Scenario 1: If you are using one repository for all of the different Linux versions

Assuming you are using a Red Hat 7 machine as your repository, here is what you would need to repeat in order to retrieve Red Hat 6 RPMs:

1. On the Red Hat 7 repository machine, repeat Phase 1, Step 1 except specify /repos/redhat/6.

2. On a Red Hat 6 machine, perform Phase 1, Steps 3 & 4.

In the reposync command, the /repos/redhat/7 directory will not exist on the Red Hat 6 machine, so either remove the --download_path option and let the download go to the default location or specify a different location.

3. When you have finished downloading the RPMs, transfer them to the /repos/redhat/6 directory on your local repository.

When you are done you will have one repository on one machine that contains RPM packages for all supported versions of Red Hat.

Scenario 2: If you are maintaining separate repositories for each different Linux version

Repeat the entire configuration process for each different version of Linux that is supported by your organization.

Point Your Linux Client Machines to the Local Repository

You must modify YUM on each Linux client so that it searches the local repository for RPMs rather than on the internet.

If you chose to maintain a different local repository for each version of Linux, make sure you point each client to the correct local repository.

1. Log on to the client machine.

2. Change to the directory that holds the repository definitions.

cd /etc/yum.repos.d

3. Create a file named local.repo and then configure it to point to your new local repository.

nano local.repo

[mylocalrepo]

name=Local Rhel7 Server Repo

baseurl=http://es-nxt-rhel7-repo.shavlik.com/redhat/7

gpgcheck=0

4. Specify that if an RPM is missing from the local repository, the client should not try to find it on the internet (this is what disconnects the client machine from the public repositories).

ls

Open each .repo file other than local.repo in an editor (for example redhat.repo).

Look for your repoid (for example rhel-7-server-rpms).

Set enabled=0 in that section.
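Steps 3 and 4 are easy to get subtly wrong by hand: an enabled=0 placed under the wrong [section] leaves the public repository active, and the gpgcheck=0 in the sample local.repo turns off signature verification on every package the client installs. The shell functions below are an added example, not the article's or the product's own code: they write local.repo with signature checking left on (the packages mirrored by reposync still carry Red Hat's signature, and the release key is already on the client), disable a given repoid inside only its own section of an existing .repo file, and list which repoids remain enabled so you can confirm that only the local one is left. The base URL, repository name and key path are parameters; /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release is the release key's usual location on RHEL 7 and is used only as a default.

```shell
#!/bin/sh
# Added example (not from the original article): point a client at the local
# repository and disable the public ones, without switching off GPG checks.
# Assumption: the default key path below is where RHEL 7 ships its release key.

# Write <repos_dir>/local.repo. Unlike the article's sample, gpgcheck stays on
# and gpgkey names the local copy of the Red Hat release key.
write_local_repo() {
    repos_dir="$1"
    base_url="$2"
    name="$3"
    key="${4:-/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release}"
    cat > "$repos_dir/local.repo" <<EOF
[mylocalrepo]
name=$name
baseurl=$base_url
enabled=1
gpgcheck=1
gpgkey=file://$key
EOF
}

# Set enabled=0 for one repoid, editing only the [repoid] section of the file.
# If that section has no enabled line (YUM then defaults to enabled), one is
# added at the end of the section. Other sections are left untouched.
disable_repoid() {
    repo_file="$1"
    repoid="$2"
    awk -v id="$repoid" '
        function close_section() { if (in_sec && !seen) print "enabled=0" }
        /^\[/ { close_section(); in_sec = ($0 == "[" id "]"); seen = 0 }
        in_sec && /^enabled[[:space:]]*=/ { print "enabled=0"; seen = 1; next }
        { print }
        END { close_section() }
    ' "$repo_file" > "$repo_file.tmp" && mv "$repo_file.tmp" "$repo_file"
}

# Print the repoid of every section in <repos_dir>/*.repo that is still
# enabled (explicit enabled=1, or no enabled line at all).
list_enabled_repos() {
    cat "$1"/*.repo | awk '
        function flush() { if (id != "" && enabled) print id }
        /^\[/ { flush(); id = substr($0, 2, length($0) - 2); enabled = 1 }
        /^enabled[[:space:]]*=/ {
            sub(/^enabled[[:space:]]*=[[:space:]]*/, "")
            enabled = ($0 == "1")
        }
        END { flush() }
    '
}
```

On a client, as root: `write_local_repo /etc/yum.repos.d http://<your-repo-server>/redhat/7 "Local RHEL 7 Server Repo"`, then `disable_repoid /etc/yum.repos.d/redhat.repo rhel-7-server-rpms` for each public repoid, and finally `list_enabled_repos /etc/yum.repos.d` should print only mylocalrepo. If you mirror a repository whose packages are signed by a different key, pass that key's path as the fourth argument rather than lowering gpgcheck.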

Periodic Maintenance of Your Repository

You will need to keep your local repository current by periodically resyncing it with the public repository. When you perform the following command, only new RPM packages will be downloaded to your local repository.

reposync --gpgcheck -l --repoid=rhel-7-server-rpms --download_path=/repos/redhat/7

createrepo --update /repos/redhat/7

Air Gap Networks

If your organization maintains an "air gap" network, meaning no client machine is allowed to connect to any machine that has internet access, you must configure and maintain a second repository.

In this case, after setting up and configuring your connected repository as described above, you will set up a second repository on a disconnected machine and then use a removable media to manually transfer the files from the connected repository to the disconnected repository. Your Linux client machines should then be configured to point to the disconnected repository rather than to the connected repository.

Related Information

https://access.redhat.com/solutions/23016
