All Products
Search

This Product

    CloudOps Orchestration Service:How a patch manager works

    Document Center

    CloudOps Orchestration Service:How a patch manager works

    Last Updated:Jan 02, 2024

    This topic describes how a patch manager works, and how to scan system patches to check their status and install missing patches.

    Linux

    Linux operating systems supported by patch managers include CentOS, Alibaba Cloud Linux, Debian, and Ubuntu. Different operating systems use different package managers. Different package managers have different principles for scanning and installing system patches.

    Operating system

    Package manager

    CentOS 7, Alibaba Cloud Linux 2, and Red Hat Enterprise Linux 7

    YUM

    CentOS 8, Alibaba Cloud Linux 3, Red Hat Enterprise Linux 8 and 9, Anolis OS 8, and AlmaLinux 8 and 9

    DNF

    Ubuntu 16.04, 18.04, 20.04, and 22.04

    APT

    Debian 8, 9, 10, and 11

    APT

    How a patch baseline works on YUM or DNF

    Operating systems such as CentOS, Alibaba Cloud Linux, Red Hat Enterprise Linux, and Anolis use YUM or DNF to manage software packages. The two package managers both support the update notification feature. In the software repository, an updateinfo.xml file stores notifications of software security updates. An update notification contains a set of software packages that fix specific issues. The software packages contained in an update notification are considered security packages. If you set the Include Non-security Updates parameter to No, the patch manager requires that the latest upgradable versions of the packages must be contained in the update notification.

    The following table describes the fields in the updateinfo.xml file.

    Field

    Description

    type

    The type of the update notification. Valid values:

    Security

    Bugfix

    Enhancement

    Recommended

    Newpackage

    title

    The title of the update notification.

    severity

    The severity level of the update notification. Valid values:

    Critical

    Important

    Moderate

    Low

    Unspecified

    summary

    The brief description of the update notification.

    description

    The detailed description of the update notification.

    references

    The reference information for the update notification. The reference information may include common vulnerabilities and exposures (CVE) and Bugzilla information.

    pkglist

    The RPM packages associated with the update notification.

    The patch manager filters the update notifications that are stored in the updateinfo.xml file based on the rule specified by a patch baseline. For example, the public baseline for CentOS specifies the following rule:

    'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Security',
            'Bugfix'
        ],
        'Key':'Classification'
    },
    {
        'Values': [
            'Critical',
            'Important'
        ],
        'Key': 'Severity'
    }
]

    The preceding rule is used to match update packages that are of the Security or Bugfix type and at the Critical or Important severity level for scanning or installation. The rule is equivalent to the following yum command:

    yum check-update --security --bugfix --secseverity=Critical,Important

    The rule is equivalent to the following dnf commands:

    dnf  check-update --security --bugfix --secseverity=Critical
dnf  check-update --security --bugfix --secseverity=Important

    If you do not specify the types and severity levels of the patches that need to be scanned or installed in a rule specified by a custom baseline that you create, the rule is equivalent to the following yum and dnf commands:

    yum check-update --security
dnf check-update --security

    After filtering, the patch manager runs the yum(update api) or dnf update command to install the patch package that needs to be installed. After the patch package is installed, the patch manager restarts the instance. If you set the Allow Restart parameter to No, the patch manager does not restart the instance.

    Note: Alibaba Cloud Linux 2 supports kernel live patching. If kernel live patching is enabled for your instance, and only kernel live patches are installed on your instance, the patch manager does not restart the instance. For more information, see Overview of the Kernel Live Patching feature

    How a patch baseline works on APT

    On Debian and Ubuntu, a patch baseline selects patches based on the Priority and Section fields of DEB packages. The Priority field indicates the priority of the package. The Section field indicates the type of the package.

    The process in which the patch manager scans or installs system patches involves the following steps:

    1. Run the apt update command to refresh the list of packages in the software repository.

    2. Use the patch baseline to match an upgradable package. If you set the Include Non-security Updates parameter to No, the patch manager requires that the latest upgradable version of the package must be in the security repository. The following content describes the names of security repositories on different operating systems:

    Debian Server 8: debian-security jessie
Debian Server 9: debian-security stretch
Debian Server 10: debian-security buster
Debian Server 11: debian-security bullseye
Ubuntu Server 16.04 LTS: xenial-security
Ubuntu Server 18.04 LTS: bionic-security
Ubuntu Server 20.04 LTS: focal-security
Ubuntu Server 22.04 LTS: jammy-security

    The public baseline for Debian or Ubuntu specifies the following rule to match the packages whose priority is Required or Important:

    'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Required',
            'Important'
        ],
        'Key': 'Severity'
}

    The preceding rule is equivalent to the following steps:

    1. Run the apt list --upgradable command to query all upgradable packages.

    2. Run the apt list -a package-name command to query all upgradable versions of a package. In the command output, the package versions are sorted from the latest to the earliest.

    3. Run the apt show package-name=={version} command to check the priority of an upgradable version of the package and whether the version meets the baseline rule.

    4. Check whether the version of the package that meets the baseline rule is in the security repository.

    The patch manager runs the apt update api command to install the patch package that needs to be installed. After the patch package is installed, the patch manager restarts the instance. If you set the Allow Restart parameter to No, the patch manager does not restart the instance.

    Windows

    How system patches are updated on Windows

    When patch updates are scanned or installed, the patch manager automatically removes the updates that are replaced by subsequent updates in the patch list. Therefore, the patch manager displays only the latest updates for you to install. For example, if the patch KB4550961 is replaced by the patch KB4556846, only the patch KB4556846 is used as a patch update.

    If the required patch updates have dependent updates, you must first install the dependent updates. Then, you can detect and install the required updates after patch updates are scanned again. For example, if the patch KB5005076 is dependent on the patch KB4566425, and the patch KB4566425 has not been installed, the patch KB5005076 cannot be detected after patch updates are scanned. In this case, you must first install the patch KB4566425.

    Note: The patch manager supports system patch updates only for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.