Linux Patching Steps

This page provides detailed steps for patching Linux systems on Red Hat and Ubuntu, covering both full patching (all pending updates from the configured repositories) and manual installation of individual packages.

Introduction

Patching is a critical process in maintaining the security and stability of Linux systems. This guide covers the steps for patching Red Hat and Ubuntu systems, including how to handle both full updates and manual package installations.

Prerequisites

Red Hat Patching Overview

Red Hat Enterprise Linux uses the YUM package manager (DNF on RHEL 8 and later, where yum is kept as a compatibility alias) for managing software packages. Patching can be done through full updates or by manually installing specific RPM packages.

Ubuntu Patching Overview

Ubuntu uses the APT package manager for managing software packages. Patching can be done through full updates or by manually installing specific .deb packages.

Overview of Patching

Patching step-by-step process and requirements

Patch Management Best Practices

  1. Identify systems that are non-compliant or unpatched (scan systems daily)
  2. Prioritize patches based on the potential impact: calculated risk, performance and time considerations
  3. Vendors usually ship patches monthly, or sooner for critical fixes
  4. Test patches in a staging environment before applying them to production systems

Follow the steps below to patch your Linux system effectively.

Step 1:

  1. Check patch availability
    # dnf check-update
                    or
    # yum check-update
                
  2. Get the scheduled downtime from the concerned team and the client
  3. Raise the RFC (request for change) as per the schedule in the change management tool, involving the client, higher management and all the other operations teams,
    like:- DB team, Backup team, Application team, etc.
  4. Collect the server pre-check details and document them on another server

    Precheck commands

    uname -a
    uptime
    df -h
    free -m
    lscpu
    lspci
    lsblk
    cat /etc/redhat-release
    cat /etc/os-release
    cat /etc/issue
    cat /etc/fstab
    cat /etc/hosts
    cat /etc/resolv.conf
    cat /etc/sysctl.conf
    vgdisplay
    lvdisplay
    multipath -ll
    cat /boot/grub2/grub.cfg      (or /boot/efi/EFI/redhat/grub.cfg on UEFI systems; there is no /etc/grub.cfg on RHEL, and the boot defaults live in /etc/default/grub)
    fdisk -l
    ifconfig -a                   (deprecated; ip addr show below gives the same information)
    ip addr show
    ip route show
    cat /etc/sysconfig/network-scripts/ifcfg-*     (RHEL 8 and earlier; RHEL 9 keeps NetworkManager profiles under /etc/NetworkManager/system-connections/)
  5. Then save the pre-check output on a central server (like:- a NIM or jump server)
  6. Find out what runs on the server; if a database is running there, engage the DB team and ask them to do a "pre-check" from the DB end
  7. Check whether the server is running in a cluster; if it is, collect the cluster information with the respective team, e.g. VCS/pcs cluster
  8. In case of a bare-metal server, check the console/iLO status
  9. Check with the application/database team whether they need any package excluded, such as the kernel, since the application/database may not be compatible with the updated kernel
  10. Submit the change request. It goes to the CAB (change advisory board) for approval
  11. Once the change is scheduled, execute it within the change window
  12. At the change window time, apply the patches manually or with a patch management tool like:- Red Hat Satellite, Katello/Foreman, Ansible and others
  13. Applying patches manually

    Step: 1

    dnf clean all
        or
    yum clean all
        and
    dnf repolist
        or
    yum repolist
                

    Step: 2

    dnf check-update
        or
    yum check-update
                
    (check-update takes no -y; it exits 100 when updates are pending, 0 when there are none and 1 on error)

    Step: 3

    Apply all available updates; hold back anything the application/database team asked to exclude in step 9 with the --exclude option

    dnf update -y
        or
    yum update -y

    To update a single package instead, e.g. podman:

    dnf update podman -y
        or
    yum update podman -y
                

    Step: 4

    If a package needs to be downgraded

    dnf downgrade <package-name> -y
        or
    yum downgrade <package-name> -y
                

    Step: 5

    If a package needs to be installed

    dnf install <package-name> -y
        or
    yum install <package-name> -y
                

    Step: 6

    If a package needs to be removed

    dnf remove <package-name> -y
        or
    yum remove <package-name> -y
                

    Step: 7

    If a package needs to be reinstalled

    dnf reinstall <package-name> -y
        or
    yum reinstall <package-name> -y
                

    Step: 8

    To list the install and upgrade transaction history

    dnf history
        or
    yum history
                

    Step: 9

    To see the details of one transaction

    dnf history info <transaction-id>
        or
    yum history info <transaction-id>
                

    Step: 10

    To roll back a transaction (reverts the packages it changed, where the old versions are still available in the repositories)

    dnf history undo <transaction-id>
        or
    yum history undo <transaction-id>
                
  14. Automate patching using Ansible

    Ansible playbook

    vim patching.yml
    # write this content in this playbook for patching
    - name: patching playbook
      hosts: all
      become: true
      tasks:
        - name: Performing the pre-check operations
          # script copies the local precheck.sh to the target and runs it there;
          # "creates" skips the task when the result file already exists
          # (assumes precheck.sh writes its output to /home/abhishek/precheck.txt)
          script: /home/abhishek/precheck.sh
          args:
            creates: /home/abhishek/precheck.txt

        - name: Applying all the available patches
          dnf:
            name: "*"
            state: latest

        - name: Rebooting the machines
          reboot:
            reboot_timeout: 6000

        - name: Performing the post-check operations
          script: /home/abhishek/postcheck.sh
          args:
            creates: /home/abhishek/postcheck.txt

        - name: Finding the pre & post check result files
          shell: (cd /home/abhishek; find . -maxdepth 1 -iname "*.txt") | cut -d'/' -f 2
          register: file_to_fetch

        - name: Fetching the pre & post check result files
          # with flat: yes the dest is the full file name, so prefix the host name
          # or every host in the inventory overwrites the same file on the controller
          fetch:
            src: "/home/abhishek/{{ item }}"
            dest: "/home/abhishek/patching_result/{{ inventory_hostname }}-{{ item }}"
            flat: yes
          with_items: "{{ file_to_fetch.stdout_lines }}"
          when: file_to_fetch.stdout_lines is defined

    Run the playbook

    ansible-playbook patching.yml -i inventory
  15. After the patching is completed, check the server status and the application status (confirm with uname -a that the new kernel is running after the reboot)
  16. Collect the server post-check details and document them on another server

    Postcheck commands (same list as the pre-checks, so that the two outputs can be compared)

    uname -a
    uptime
    df -h
    free -m
    lscpu
    lspci
    lsblk
    cat /etc/redhat-release
    cat /etc/os-release
    cat /etc/issue
    cat /etc/fstab
    cat /etc/hosts
    cat /etc/resolv.conf
    cat /etc/sysctl.conf
    vgdisplay
    lvdisplay
    multipath -ll
    cat /boot/grub2/grub.cfg      (or /boot/efi/EFI/redhat/grub.cfg on UEFI systems)
    fdisk -l
    ifconfig -a
    ip addr show
    ip route show
  17. Monitor the server health status (use a monitoring tool in case of a large number of servers)
  18. Check the server logs and application logs for any errors or issues
  19. Notify the concerned teams about the successful patching and any issues encountered
  20. Document the patching process, including any issues faced and the resolutions applied
  21. Update the change management tool with the patching details and close the change request
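The pre-check (step 4) and post-check (step 16) commands above are the same list run twice; what matters is the diff between the two runs. The script below is an added example, not the original page's script and not the precheck.sh/postcheck.sh referenced by the playbook: it records each command's output under a header, treats commands that are not installed (multipath on a VM, LVM on a cloud image) as missing instead of aborting, and diffs the pre and post files while ignoring lines that always change (uptime, load average, memory counters). The output directory /var/tmp/patching and the set of lines treated as volatile are assumptions of this script.

```bash
#!/bin/bash
# precheck.sh / postcheck.sh: collect the pre- and post-patch facts listed
# above into one file per run and diff the two runs. Added example, not the
# original page's script; the output directory (/var/tmp/patching) and the
# set of lines treated as volatile are this script's own assumptions.

CHECK_CMDS='uname -a
uptime
df -h
free -m
lscpu
lsblk
cat /etc/os-release
cat /etc/fstab
cat /etc/hosts
cat /etc/resolv.conf
vgdisplay
lvdisplay
multipath -ll
ip addr show
ip route show'

# Run every command in CHECK_CMDS into $1, each block preceded by a "### cmd"
# header. A command that is not installed is recorded as missing rather than
# aborting the whole collection; a failing one records its exit status.
collect_checks() {
    outfile=$1
    : > "$outfile"
    printf '%s\n' "$CHECK_CMDS" | while IFS= read -r cmd; do
        set -- $cmd
        printf '### %s\n' "$cmd" >> "$outfile"
        if command -v "$1" >/dev/null 2>&1; then
            $cmd >> "$outfile" 2>&1 || printf '(exit status %s)\n' "$?" >> "$outfile"
        else
            printf '(command not found)\n' >> "$outfile"
        fi
    done
}

# Drop lines that legitimately differ between runs (clock, load average,
# memory counters) so the diff only shows real drift.
filter_volatile() {
    grep -Ev 'load average|^Mem:|^Swap:' "$1" || true
}

# Exit 0 when pre and post agree apart from volatile lines, 1 when something
# changed (the unified diff is printed), 2 on error.
compare_checks() {
    pre_f=$(mktemp) && post_f=$(mktemp) || return 2
    filter_volatile "$1" > "$pre_f"
    filter_volatile "$2" > "$post_f"
    diff -u "$pre_f" "$post_f"
    rc=$?
    rm -f "$pre_f" "$post_f"
    return $rc
}

# ./precheck.sh pre   -> /var/tmp/patching/<host>-pre.txt
# ./precheck.sh post  -> <host>-post.txt, then the diff against the pre file
main() {
    phase=${1:?usage: $0 pre|post}
    dir=${PATCH_CHECK_DIR:-/var/tmp/patching}
    mkdir -p "$dir"
    host=$(hostname -s)
    collect_checks "$dir/$host-$phase.txt"
    if [ "$phase" = post ]; then
        compare_checks "$dir/$host-pre.txt" "$dir/$host-post.txt"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as ./precheck.sh pre before the change window and ./precheck.sh post after the reboot; a non-zero exit from the post run means something other than the volatile lines changed (a dropped mount in fstab, a missing multipath device, a different default route) and the diff printed is what goes into the post-check documentation. Copy the two files to the central server with scp afterwards, as step 5 requires.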

Red Hat Patching

Full Patching

  1. Ensure the system is registered with Red Hat Subscription Manager (omit --password so that it prompts; a password given on the command line ends up in the shell history and in the process list):
    sudo subscription-manager register --username <username>
  2. Attach the system to a subscription (not needed when the organization uses Simple Content Access, in which case this command only reports that attaching is unnecessary):
    sudo subscription-manager attach --auto
  3. Update the system (dnf on RHEL 8 and later; yum remains as an alias):
    sudo yum update -y
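Manual step 13 above and the yum update -y here apply everything that check-update reports. The script below is an added example, not from the original page, that wraps that procedure: it parses dnf check-update output (including package names that dnf wraps onto two lines, which a naive awk '{print $1}' gets wrong), honours the per-team exclusions from step 9 through an assumed PATCH_EXCLUDES variable, runs the update, prints the transaction to undo if a rollback is needed, and tells the operator when a reboot is required. The sample check-update output embedded in it is constructed; versions and repository names are made up, and the set of packages treated as reboot-worthy is this script's own choice.

```bash
#!/bin/bash
# Manual dnf/yum patch run with per-team exclusions and a reboot decision
# derived from "dnf check-update" output. Added example, not from the
# original page; PATCH_EXCLUDES (comma-separated patterns) and the list of
# reboot-worthy packages are this script's own assumptions.

# Constructed sample of "dnf check-update" output for a dry run (versions and
# repositories are made up). Note the long name dnf wraps onto two lines and
# the "Obsoleting Packages" trailer, which must not be parsed as updates.
SAMPLE_CHECK_UPDATE='Last metadata expiration check: 0:10:00 ago on Mon 01 Jan 2024 10:00:00 UTC.

kernel.x86_64                4.18.0-500.el8        baseos
openssl-libs.x86_64          1:1.1.1-20.el8        baseos
podman.x86_64                4:4.4.1-10.el8        appstream
some-very-long-package-name-that-dnf-wraps.noarch
                             2.0-1.el8             appstream
Obsoleting Packages
grub2-tools.x86_64           1:2.02-150.el8        baseos
    grub2-tools.x86_64       1:2.02-140.el8        @baseos'

# Read check-update output on stdin, print "name.arch version repo" per update.
parse_updates() {
    awk '
        /^Last metadata/        { next }
        /^Obsoleting Packages/  { exit }          # trailer, not pending updates
        NF == 0                 { next }
        NF == 1                 { pending = $1; next }   # name wrapped onto its own line
        NF == 2 && pending != "" { print pending, $1, $2; pending = ""; next }
        NF >= 3                 { print $1, $2, $3; pending = "" }
    '
}

# Exit 0 when the parsed list contains a package that only takes effect after
# a reboot (kernel, core libraries, init, firmware/microcode).
needs_reboot() {
    grep -Eq '^(kernel(-core|-modules)?|glibc|systemd|dbus|linux-firmware|microcode_ctl)\.'
}

# Turn "kernel*,podman" into "--exclude=kernel* --exclude=podman " for dnf.
exclude_args() {
    [ -n "$1" ] || return 0
    printf '%s' "$1" | awk -F, '{ for (i = 1; i <= NF; i++) printf "--exclude=%s ", $i }'
}

main() {
    set -f                                   # keep "kernel*" from globbing
    excludes=$(exclude_args "${PATCH_EXCLUDES:-}")
    pm=$(command -v dnf || command -v yum) || { echo "no dnf/yum found" >&2; return 2; }

    "$pm" clean all >/dev/null
    "$pm" repolist
    # check-update exits 100 with updates pending, 0 with none, 1 on error
    pending=$("$pm" check-update $excludes); rc=$?
    case $rc in
        0)   echo "no updates pending"; return 0 ;;
        100) ;;
        *)   echo "check-update failed ($rc)" >&2; return $rc ;;
    esac
    updates=$(printf '%s\n' "$pending" | parse_updates)
    printf 'pending updates:\n%s\n' "$updates"

    "$pm" update -y $excludes || return $?
    echo "most recent transaction (roll back with: $pm history undo last):"
    "$pm" history list | head -n 3
    if printf '%s\n' "$updates" | needs_reboot; then
        echo "reboot required to activate kernel/core library updates"
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run it in the change window as sudo PATCH_EXCLUDES='kernel*' ./patch_host.sh run when the application team asked for the kernel to be held back; without PATCH_EXCLUDES it behaves like yum update -y plus the reboot verdict. The exit codes of check-update are what let the script stop cleanly on a host that is already current instead of treating "nothing to do" as a failure.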

Manual Patching

  1. Download the required RPM package from the Red Hat Customer Portal and check its signature with rpm --checksig before installing it.
  2. Install the package using (rpm -Uvh does not resolve dependencies; dnf install ./<package>.rpm does, and also checks the signature against the imported Red Hat key):
    sudo rpm -Uvh <package>.rpm

Ubuntu Patching

Full Patching

  1. Update the package list:
    sudo apt update
  2. Upgrade all packages (apt upgrade never removes packages; use apt full-upgrade when packages are reported as held back because the upgrade requires a removal):
    sudo apt upgrade -y
  3. Reboot the system if necessary (Ubuntu creates /var/run/reboot-required when an upgraded package, typically the kernel or libc, needs one):
    sudo reboot

Manual Patching

  1. Download the required .deb package from a trusted source and compare it against the publisher's SHA-256 checksum, because dpkg -i performs no signature verification of its own.
  2. Install the package using:
    sudo dpkg -i <package>.deb
  3. Fix any dependency issues (or install with apt install ./<package>.deb, which resolves dependencies in one step):
    sudo apt --fix-broken install
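Both manual procedures above (rpm -Uvh on Red Hat, dpkg -i on Ubuntu) install whatever file was downloaded. This added example, not from the original page, verifies first: for an .rpm it requires that the package actually carries a signature and that rpm --checksig reports a clean verdict (an unsigned package passes --checksig on older rpm because only the digests are checked), and for a .deb it compares the file's SHA-256 with the checksum published by the vendor, passed as the second argument. It then installs through dnf/apt so that dependencies are resolved. The rpm query tags and verdict strings it parses are rpm's own; the caller-supplied checksum and the use of the current directory for relative paths are assumptions.

```bash
#!/bin/bash
# Verify a downloaded .rpm or .deb before installing it by hand, then install
# it through dnf/apt so dependencies get resolved. Added example, not from the
# original page. Assumptions: the .deb checksum is supplied by the caller from
# the vendor's published value; relative paths resolve from the current dir.

# True when at least one of rpm's signature header fields is set. rpm prints
# "(none)" for each absent tag, so "(none)|(none)|(none)|(none)" means the
# package is unsigned, which rpm --checksig alone does not flag.
sig_fields_signed() {
    printf '%s' "$1" | awk -F'|' '
        BEGIN { rc = 1 }
        { for (i = 1; i <= NF; i++) if ($i != "(none)" && $i != "") rc = 0 }
        END { exit rc }'
}

rpm_is_signed() {
    sig=$(rpm -qp --nosignature \
          --qf '%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}' \
          "$1" 2>/dev/null) || return 1
    sig_fields_signed "$sig"
}

# rpm --checksig prints "<file>: digests signatures OK" (modern rpm) or e.g.
# "<file>: rsa sha1 (md5) pgp md5 OK" (older rpm). A missing vendor key or a
# tampered file yields "... NOT OK (MISSING KEYS: ...)" or "... NOT OK".
checksig_verdict_ok() {
    case $1 in
        *"NOT OK"*) return 1 ;;
        *" OK")     return 0 ;;
        *)          return 1 ;;
    esac
}

verify_rpm() {
    rpm_is_signed "$1" || { echo "$1 carries no signature" >&2; return 1; }
    verdict=$(rpm --checksig "$1" 2>&1) || true   # exit status is 1 on failure; the text says why
    checksig_verdict_ok "$verdict" || { echo "$verdict" >&2; return 1; }
}

# dpkg -i does not verify signatures, so a stand-alone .deb is checked against
# the SHA-256 the publisher lists next to the download.
sha256_matches() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

verify_and_install() {
    pkg=$1 expected_sha=${2:-}
    case $pkg in */*) ;; *) pkg=./$pkg ;; esac   # dnf/apt need a path to treat it as a file
    case $pkg in
        *.rpm)
            verify_rpm "$pkg" || { echo "refusing $pkg" >&2; return 1; }
            dnf install -y "$pkg"
            ;;
        *.deb)
            [ -n "$expected_sha" ] || { echo "usage: $0 file.deb <sha256>" >&2; return 2; }
            sha256_matches "$pkg" "$expected_sha" || { echo "refusing $pkg: checksum mismatch" >&2; return 1; }
            apt install -y "$pkg"
            ;;
        *)  echo "unsupported package type: $pkg" >&2; return 2 ;;
    esac
}

if [ $# -gt 0 ]; then verify_and_install "$@"; fi
```

Usage: sudo ./verify_install.sh <package>.rpm, or sudo ./verify_install.sh <package>.deb <sha256 from the vendor page>. A "NOT OK (MISSING KEYS: ...)" verdict means the signing key is not imported (rpm --import the vendor key first), not that the package is necessarily bad; "carries no signature" is the case to be most suspicious of, because it is invisible to --checksig on older rpm.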

Example: Updating a Specific Package

To update a specific package, such as nginx, use the following commands:

Ubuntu:

sudo apt install --only-upgrade nginx
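For Ubuntu, the added example below (not from the original page) combines the Full Patching section and the --only-upgrade example above: it selects from apt list --upgradable only the packages whose candidate comes from a -security pocket, upgrades those with apt install --only-upgrade so that security fixes can go out ahead of the full monthly run, and then reports whether /var/run/reboot-required exists and which packages asked for the reboot. The apt list sample it embeds is constructed (made-up versions), and the optional root-prefix argument to reboot_required/reboot_reasons is an assumption of this script so the check can be pointed at a scratch directory.

```bash
#!/bin/bash
# Ubuntu: upgrade security-pocket packages first, then report whether the
# host needs a reboot. Added example, not from the original page. The root
# prefix accepted by reboot_required/reboot_reasons is this script's own
# addition so the check can be exercised against a scratch directory.

# Constructed "apt list --upgradable" output (package versions are made up).
SAMPLE_APT_LIST='Listing... Done
nginx/jammy-security 1.18.0-1ubuntu1.2 amd64 [upgradable from: 1.18.0-1ubuntu1.1]
libssl3/jammy-security,jammy-updates 3.0.2-1ubuntu1.5 amd64 [upgradable from: 3.0.2-1ubuntu1.4]
vim/jammy-updates 2:8.2.0-1ubuntu1.3 amd64 [upgradable from: 2:8.2.0-1ubuntu1.2]
linux-image-generic/jammy-security 5.15.0.10.1 amd64 [upgradable from: 5.15.0.9.1]'

# Print the names whose candidate version comes from a *-security pocket.
# The pocket field may list several suites ("jammy-security,jammy-updates").
security_upgrades() {
    awk '
        /^Listing/ { next }
        NF == 0    { next }
        {
            split($1, f, "/")        # f[1] = package, f[2] = pocket list
            if (f[2] ~ /(^|,)[a-z]+-security(,|$)/) print f[1]
        }'
}

# Package hooks create /var/run/reboot-required when an upgraded package
# (kernel, libc, systemd, ...) needs a reboot, and append the package name
# to reboot-required.pkgs.
reboot_required() {
    [ -f "${1:-}/var/run/reboot-required" ]
}

reboot_reasons() {
    pkgs="${1:-}/var/run/reboot-required.pkgs"
    if [ -f "$pkgs" ]; then sort -u "$pkgs"; fi
}

main() {
    apt update
    pkgs=$(apt list --upgradable 2>/dev/null | security_upgrades)
    if [ -n "$pkgs" ]; then
        # --only-upgrade never pulls in a package that is not already installed
        apt install -y --only-upgrade $pkgs
    else
        echo "no security updates pending"
    fi
    if reboot_required; then
        echo "reboot required, requested by:"
        reboot_reasons
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run as sudo ./security_first.sh run. The pocket check is the reason to parse apt list --upgradable rather than grep for a package name: the same package can be offered from -updates and -security at once, and only the latter is a security fix.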