Scribd
Upload
29 views7 pages

How To Patch Linux Machines That Reside in A Disconnected Environment

The document describes how to set up a local repository of Linux packages and configure disconnected Linux machines to use the local repository instead of downloading packages from the internet. It involves downloading package files to one or more repository servers, configuring those servers to serve packages over HTTP, and modifying client machines to point to the local repository.

Uploaded by

Louis Basson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
29 views7 pages

How To Patch Linux Machines That Reside in A Disconnected Environment

The document describes how to set up a local repository of Linux packages and configure disconnected Linux machines to use the local repository instead of downloading packages from the internet. It involves downloading package files to one or more repository servers, configuring those servers to serve packages over HTTP, and modifying client machines to point to the local repository.

Uploaded by

Louis Basson
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

How to Patch Linux Machines That Reside in a Disconnected

Environment
If you have Linux client machines that reside in a disconnected environment, the agent will not be able to utilize YUM to download RPM packages from
the internet. You will instead need to do the following:

Set up and populate one or more local "on-premise" repositories that contains the entire library of available RPMs

Configure your client machines to look to the correct local repository for the missing RPMs rather than to the internet

The following information is meant as a general guideline for setting up and using a local repository. If you have specific questions or issues,
please contact your Linux operating system vendor.

How to Set Up a Local Repository

Requirements
You can use any supported Linux server machine as your local repository. The only requirement is that it contain enough available disk space to contain
the entire inventory of available RPM packages. There are many different public repositories that contain RPM packages. For example, there is a public
repository for RHEL 9 RPMs, another public repository for RHEL 8 RPMs, etc. As a general rule, your local repository machine should contain at least
100GB of disk space for each public repository that you will download.

You will likely need two or more Linux server machines for this process.

Scenario 1: You might choose to use one machine that will be used as the local repository for all of the different versions of RPMs. In this
scenario, the machine you use as the repository can download RPMs of the same version of the distribution that is used on the repository
machine. You will, however, need a separate machine to download the RPMs for each different version of each distribution that is used within
your organization.

For example, if your organization contains RHEL 9 x64, RHEL 8 x64 and CentOS 7 x64 client machines, you might use a RHEL 9 x64 server
machine as the local repository and use it to download all RPMs for your RHEL 9 servers, workstations, desktops, etc. You would use separate
RHEL 8 x64 and CentOS 7 x64 machines to download all the RPMs for your RHEL 8 and CentOS servers, workstation, desktops, etc. and then
transfer those RPMs to the local repository machine.
Scenario 2: You might choose to maintain three different local repositories: one for all RHEL 9 RPMs, another for all RHEL 8 RPMs and a third
for all CentOS 7 RPMs. This scenario requires three dedicated machines to act as your repositories but it eliminates the additional transfer step
and the hassle of maintaining the joint repository.

Configuration Process
Because it is likely to take several hours to download the entire library of available RPM packages to your local repository, the recommendation is to
perform the configuration process in two different phases. Phase 1, in which you will download all available RPMs, should be performed at the end of
the work day so that the download process can run overnight. Phase 2 can then be performed the following day.

You must have root privilege to execute the following commands.

Phase 1

1. Make the directory you want to use as the repository.


For example, the following command creates a directory that will be used to contain Red Hat 9 RPMs.

mkdir –p /repos/redhat/9
2. Display the list of public repositories that are available for you to use to populate your local repository.
The public repositories that are available to you is based upon your RHEL subscription.

yum repolist

3. Using YUM, install the package that includes reposync.

yum install yum-utils

4. Download all available packages from the public repository of your choosing.
For example, the following command downloads RPMs from the rhel-9-for-x86_64-baseos-rpms public repository.

reposync –-gpgcheck –l –-repoid=rhel-9-for-x86_64-baseos-rpms –-download_path=/repos/redhat/9

The download process will take a long time, so plan accordingly. The -gpgcheck option removes packages that fail the signature check during the
download process.

5. Repeat Step 3 for each required public repository variant.

For example, if your organization contains RHEL 9 on both Intel and ARM, you will need to download the RPMs from both of the associated
public repositories. You may need several days to the perform all of the necessary downloads.

Do not attempt to download RPMs for a different version of Red Hat or CentOS. For example, a RHEL 9 machine cannot be used to
download RPMs for RHEL 8 x64 machines or for RHEL 7 x64 machines.

Phase 2

The process described here creates a repository that is accessible via HTTP. There are other methods that can be used to create a repository. Feel free
to use whatever method with which you are most familiar.

1. Using YUM, install the program that provides the ability to create a repository.

yum install createrepo

2. Create the repository.

createrepo /repos/redhat/9
If you receive an error stating it cannot open a *.rpm file, verify that you have not run out of disk space. If space is not an issue, repeat the
download step (Step 3 in Phase 1). It is possible that some files were missed the first time the download was performed.

3. Install the Apache web service.


This will provide the ability to access your local repository using the HTTP protocol.

yum install httpd

4. Open Port 80 in your local firewall.


This is because we are setting up the repository to use HTTP. HTTPS is also an option but HTTP is used here to simplify the example.

5. Edit the httpd.conf file and add any of the following entries that are missing.

vi /etc/httpd/conf/httpd.conf

ServerAdmin root@localhost
DocumentRoot /var/www/html
ServerName <machinename>

6. Link your new repository to the default website location.

ln -s /repos/redhat /var/www/html/redhat

7. Verify the syntax of the Apache web service.

httpd -t

8. Start the Apache web service.

systemctl start httpd

You may need to repeat this command each time the server is restarted. You can use the following commands to automatically start the
service whenever the server is restarted:
systemctl enable httpd.

9. Get the updateinfo.xml.gz zip file.


Steps 9 - 13 apply only to Red Hat machines.

yum list-sec

10. Copy the *updateinfo.xml.gz files from the default location to the /repodata folder.

cp /var/cache/yum/x86_64/9rhServer/rhel-9-for-x86_64-baseos-rpms/*updateinfo.xml.gz
/repos/redhat/9/repodata/

11. Uncompress the *updateinfo.xml.gz file.

gzip –d /repos/redhat/9/repodata/*updateinfo.xml.gz

12. Rename the *updateinfo.xml file to eliminate unnecessary leading characters.

mv /repos/redhat/9/repodata/*updateinfo.xml /repos/redhat/9/repodata/updateinfo.xml

13. Modify the repository to acknowledge that it contains the updateinfo.xml file.

modifyrepo /repos/redhat/9/repodata/updateinfo.xml /repos/redhat/9/repodata/

14. (Applies only to machines that have SELinux enabled) Provide permission for www/html/redhat to access /repos/redhat.

cd /var/www/html
chcon -R -t httpd_sys_content_t redhat/

Repeat the Configuration Process for Other Linux Versions and Distributions

You will need to repeat some or all of the configuration process for each different version of each distribution of Linux that is supported in your
organization. For example, you must use a RHEL 9 machine to download RHEL 9 RPMs, a CentOS 7 x64 machine to download CentOS 7 x64 RPMs, a
RHEL 8 x64 machine to download RHEL 8 x64 RPMs, etc. Alter the commands as needed for each unique version of Linux.

Scenario 1: If you are using one repository for all of the different Linux versions

Assuming you are using a Red Hat 9 machine as your repository, here is what you would need to repeat in order to retrieve Red Hat 8 RPMs:

1. On the Red Hat 9 repository machine, repeat Phase 1, Step 1 except specify /repos/redhat/8.
2. On a Red Hat 8 machine, perform Phase 1, Steps 3 & 4.
In Step 3, the repos/redhat/9 directory will not exist on the Red Hat 8 machine, so either remove the -download_path option and let it go to the
default location or specify a different location.

3. When you have finished downloading the RPMs, transfer them to the repos/redhat/8 directory on your local repository.
When you are done you will have one repository on one machine that contains RPM packages for all supported versions of Red Hat.

Scenario 2: If you are maintaining separate repositories for each different Linux version

Repeat the entire configuration process for each different version of Linux that is supported by your organization.

Point Your Linux Client Machines to the Local Repository


You must modify YUM on each Linux client so that it searches the local repository for RPMs rather than on the internet.

If you chose to maintain a different local repository for each version of Linux, make sure you point each client to the correct local repository.

1. Log on to the client machine.

2. Change to the directory that lists where the repositories are located.

cd /etc/yum.repos.d

3. Create a file named local.repo and then configure it to point to your new local repository.

nano local.repo
[mylocalrepo]
name=Local Rhel9 Server Repo
baseurl=http://es-nxt-rhel9-repo.example.com/redhat/9
gpgcheck=0

4. Specify that if an RPM is missing from the local repository, the client should not try to find it on the internet (disconnects the client machine).

ls
vi any file other than local.repo (example redhat.repo)
Look for your repoid (example rhel-9-for-x86_64-baseos-rpms)
Set enabled = 0
Periodic Maintenance of Your Repository
You will need to keep your local repository current by periodically resyncing it with the public repository. When you perform the following command, only
new RPM packages will be downloaded to your local repository.

reposync –gpgcheck –l –repoid=rhel-9-for-x86_64-baseos-rpms –download_path=/repos/redhat/9


createrepo --update /repos/redhat/9

Air Gap Networks


If your organization maintains an "air gap" network, meaning no client machine is allowed to connect to any machine that has internet access, you must
configure and maintain a second repository. This is illustrated in the following diagram.

In this case, after setting up and configuring your connected repository as described above, you will set up a second repository on a disconnected
machine and then use a removable media to manually transfer the files from the connected repository to the disconnected repository. Your Linux client
machines should then be configured to point to the disconnected repository rather than to the connected repository.

Related Information
https://access.redhat.com/solutions/23016

Copyright © 2024, Ivanti, Inc. All rights reserved.


Privacy and Legal

You might also like