Applying security patches

Starting September 2022, security patches for 2.x are provided as a separate bundle distributed on Fix Central periodically, between full releases of the product. Starting with version 2.0.2.1, each full release will contain all the security patches that have been released since the last full release.

Before you begin

Security patches are tied to the version of Red Hat Linux that is installed on Cloud Pak for Data System. The patches for a specific Red Hat release are cumulative. For example, if your system is on 8.6, you only need to install the latest patch that applies to 8.6; there is no need to install all of them one by one.

Check the Security patch release notes to verify which patch can be installed on your system. Do not apply the patch if the Red Hat Linux version on your system does not match.

If your system has FIPS enabled, or SELinux is set to enforcing, you must disable FIPS and set SELinux to permissive before applying the patch. The upgrade does not preserve this configuration, and it fails if FIPS and SELinux enforcing mode are not disabled; apupgrade verifies this before upgrading. The settings must be re-enabled after the upgrade. For more information on these settings, see Configuring FIPS on 2.0.2 Cloud Pak for Data System, Configuring FIPS on pre-2.0.2 Cloud Pak for Data System and Configuring SELinux on Cloud Pak for Data System.

Procedure

  1. Download the security patch release bundle from Fix Central.
  2. Copy the security patch bundle to e1n1 (head node):
    1. Create a directory under /localrepo on e1n1:
      mkdir -p /localrepo/w.x.y.z_release
      Note that the directory name cannot start with the release or icpds prefix. Use the release number, as in the following example:
      mkdir -p /localrepo/8.6.22.09.SP1_release
    2. Copy the security bundle downloaded in step (1) under the newly created directory.
  3. Save a list of the currently installed rpms in a file using the following command:
    rpm -qa > current_rpm_list
  4. Run the following upgrade command to apply the security patches:
    apupgrade --upgrade-directory /localrepo --use-version 8.6.22.09.SP1_release --phase platform --upgrade
    Note: The value for the --use-version parameter is the same as the name of the directory you created in step (2.a).
  5. Collect the updated rpms list using the following command:
    rpm -qa > new_rpm_list
  6. Compare the rpm lists obtained in step (3) and step (5) to verify that rpms have been updated:
    diff current_rpm_list new_rpm_list
    New rpms should be listed. If there is no difference between the lists, your system was already on the latest security patch version.
    You can also use the ap version -s command to verify that the patch is installed:
    [root@gt18-node1 ~]# ap version -s
    Appliance software version is 2.0.2.1
    
    All component versions are synchronized.
    
    +-----------------------------+--------------------------------------------------------------------+
    | Component Name              | Version                                                            |
    +-----------------------------+--------------------------------------------------------------------+
    | Appliance platform software | 2.0.2.1-20221017201349b29405                                       |
    | Security Patch              | 8.6.22.10.SP2-20221018164406b29492                                 |
    | aposcomms                   | ibm-apos-network-tools              : 26.4.0.0-1                   |
    |                             | ibm-apos-dhcpd-config               : 5.2.0.0-1                    |
    |                             | ibm-apos-udev-rules-config          : 3.1.0.0-1                    |
    |                             | ibm-apos-keepalived-config          : 4.3.1.0-1                    |
    |                             | ibm-apos-haproxy-config             : 4.1.0.0-1                    |
    |                             | ibm-ca-os-firewall-config           : 2.0.2.0-20221017153711b29374 |
    |                             | ibm-apos-fakeroot-config            : 5.1.1.0-1                    |
    |                             | ibm-apos-network-config             : 7.3.0.0-1                    |
    |                             | ibm-apos-common                     : 11.1.0.0-1                   |
    |                             | ibm-apos-named-config               : 3.5.0.0-1                    |
    |                             | ibm-apos-chrony-config              : 5.0.1.0-1                    |
    | appmgnt                     | 2.0.2.0_4_gece5b29-20220929220623b28532                            |
    | apupgrade                   | 2.0.2.0-20221018225253b29486                                       |
    | callhome                    | 2.0.2.0-20220929150928b1                                           |
    | clusterlogging              | 5.3.4.0-13                                                         |
    | elasticsearch               | 5.3.4.0-13                                                         |
    | gpfs                        | 5.1.2.0-5                                                          |
    | gpfsconfig                  | 2.0.2.0-20221018160146b29485                                       |
    | hpi                         | hpi-software                        : 2.0.2.1-20221014151059b3     |
    | magneto                     | 2.0.2.1-20221003195403b28729                                       |
    | mellanox                    | 5.6.0.0                                                            |
    | mvcli                       | 2.3.10.1095                                                        |
    | nodeos                      | 2.0.2.0-20221018154004b29485                                       |
    | npstools                    | 2.0.2.1-20220916131523b27665                                       |
    | ocp                         | 4.8.37.0                                                           |
    | ocs                         | 4.8.7.0                                                            |
    | ras                         | 2.0.2.1-20221003194032b28723                                       |
    | solarflare                  | 4.15.10.1003                                                       |
    | storage                     | 0.0.2.0                                                            |
    | supporttools                | 2.0.2.1-20220929221225b28550                                       |
    | usermgmt                    | 2.0.2.0-20220929150735b28538                                       |
    +-----------------------------+--------------------------------------------------------------------+