Starting September 2022, security patches for 2.x are provided as a separate bundle
distributed on Fix Central periodically, between full releases of the product. Starting with version
2.0.2.1, each full release will contain all the security patches that have been released since the
last full release.
Before you begin
Security patches are tied to the version of Red Hat Linux that is installed on Cloud Pak for Data System. The patches for a specific Red Hat release are
cumulative. For example, if your system is on 8.6, you only need to install the latest patch that
applies to 8.6, there is no need to install all of them one by one.
Verify which patch can be installed on your system in Security patch release notes.
Do not apply the patch if the Red Hat Linux version on your system does not match.
If your system has FIPS enabled, or SELinux is set to enforcing, you must disable FIPS and set
SELinux to permissive before applying the patch. Upgrade does not preserve this configuration and
fails if not disabled. apupgrade verifies this before upgrading. The settings
must be re-enabled after the upgrade. For more information on these settings, see Configuring FIPS on 2.0.2 Cloud Pak for Data System, Configuring FIPS on pre-2.0.2 Cloud Pak for Data System and Configuring SELinux on Cloud Pak for Data System.
Procedure
- Download the security patch release bundle from Fix Central.
- Copy the security patch bundle to e1n1 (head node):
- Make directory under /localrepo on e1n1:
mkdir -p /localrepo/w.x.y.z_release
Note that the directory name cannot start with
release
or
icpds
prefix. Use release number, as in the following
example:
mkdir -p /localrepo/8.6.22.09.SP1_release
- Copy the security bundle downloaded in step (1) under the newly created
directory.
- Save a list of the currently installed rpms in a file using the following command:
rpm -qa > current_rpm_list
- Run the following upgrade command to apply the security patches:
apupgrade --upgrade-directory /localrepo --use-version 8.6.22.09.SP1_release --phase platform --upgrade
Note: The value for the --use-version parameter is the same as the name of the
directory you created in step (2.a).
- Collect the updated rpms list using the following command:
- Compare rpm list obtained in step (3) and step (5) to verify that rpms have been
updated:
diff current_rpm_list new_rpm_list
New rpms should be
listed. If there is no difference on the lists, your system was already on the latest security patch
version.
You can also use the
ap version -s command to verify that the patch is
installed:
[root@gt18-node1 ~]# ap version -s
Appliance software version is 2.0.2.1
All component versions are synchronized.
+-----------------------------+--------------------------------------------------------------------+
| Component Name | Version |
+-----------------------------+--------------------------------------------------------------------+
| Appliance platform software | 2.0.2.1-20221017201349b29405 |
| Security Patch | 8.6.22.10.SP2-20221018164406b29492 |
| aposcomms | ibm-apos-network-tools : 26.4.0.0-1 |
| | ibm-apos-dhcpd-config : 5.2.0.0-1 |
| | ibm-apos-udev-rules-config : 3.1.0.0-1 |
| | ibm-apos-keepalived-config : 4.3.1.0-1 |
| | ibm-apos-haproxy-config : 4.1.0.0-1 |
| | ibm-ca-os-firewall-config : 2.0.2.0-20221017153711b29374 |
| | ibm-apos-fakeroot-config : 5.1.1.0-1 |
| | ibm-apos-network-config : 7.3.0.0-1 |
| | ibm-apos-common : 11.1.0.0-1 |
| | ibm-apos-named-config : 3.5.0.0-1 |
| | ibm-apos-chrony-config : 5.0.1.0-1 |
| appmgnt | 2.0.2.0_4_gece5b29-20220929220623b28532 |
| apupgrade | 2.0.2.0-20221018225253b29486 |
| callhome | 2.0.2.0-20220929150928b1 |
| clusterlogging | 5.3.4.0-13 |
| elasticsearch | 5.3.4.0-13 |
| gpfs | 5.1.2.0-5 |
| gpfsconfig | 2.0.2.0-20221018160146b29485 |
| hpi | hpi-software : 2.0.2.1-20221014151059b3 |
| magneto | 2.0.2.1-20221003195403b28729 |
| mellanox | 5.6.0.0 |
| mvcli | 2.3.10.1095 |
| nodeos | 2.0.2.0-20221018154004b29485 |
| npstools | 2.0.2.1-20220916131523b27665 |
| ocp | 4.8.37.0 |
| ocs | 4.8.7.0 |
| ras | 2.0.2.1-20221003194032b28723 |
| solarflare | 4.15.10.1003 |
| storage | 0.0.2.0 |
| supporttools | 2.0.2.1-20220929221225b28550 |
| usermgmt | 2.0.2.0-20220929150735b28538 |
+-----------------------------+--------------------------------------------------------------------+