Uploaded image for project: 'Ansible Automation Platform RFEs'
  1. Ansible Automation Platform RFEs
  2. AAPRFE-84

Security patch management for AAP requires improvements in updating and excluding packages

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • 2.2
    • content
    • False
    • Hide

      None

      Show
      None
    • False

      Feature Overview

      AAP is currently designed to be updated by running the setup playbook. The current recommendation for patching ( https://access.redhat.com/solutions/4566711 ) is to exclude a very long list of packages from yum update in order to prevent AAP from being accidentally updated without running the playbook.

      Cu is finding this process very complicated and requires changes to our standardized patching procedure. The packages to exclude aren't just limited to the AAP repository, but also include several packages from the AppStream repository.

      Solutions can be tried

      There are two ways AAP could be changed to facilitate this: -

      • The AAP repository should include all necessary dependencies with the proper version. That way, the other repositories could be kept up to date by simply keeping the AAP repository disabled.
      • AAP should be designed in a way that the setup playbook is not required to update it. A simple yum update should be sufficient to update a node.
      • There could be something known as "yum protector" feature applied in AAP. https://access.redhat.com/solutions/98873

      (Optional) Use Cases

      The current way requires changes to cu company-wide patching process. Since the list of packages is different for each version of AAP and RHEL, cu suspect it will require even more changes in future versions.

       

      Case: https://access.redhat.com/support/cases/03297138 

              rhn-sa-pgriffiths Phil Griffiths
              rhn-support-ksuthar Komal Suthar
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated:
                Resolved: