To apply a RHEL update to a CLM image-based OS

Purpose
WARNING

System Failure

Attempting to apply the OS update described below on a station that is not described in this guide may result in a catastrophic failure.

You must perform the OS-update procedure only on a station whose deployment is described in the CLM Installation and Upgrade guide.

Perform this procedure to update a RHEL OS instance deployed using a RHEL OS disk image. Such an OS update may include RHEL patches or security enhancements, and is typically applied as part of a CLM system upgrade.

Note: The procedure applies only to a RHEL OS instance deployed using a RHEL OS disk image, and is not to be performed on a manually deployed OS.

Note: Upgrading CLM requires the latest available update for the installed RHEL version.

Applying an OS update

In order to apply an OS update, you must shut down either the deployer or cluster node, depending on which one you are updating. During an upgrade, you are directed to shut down a component before you apply an OS update.

CAUTION

Network Visibility Loss

Applying a RHEL OS update requires the shutdown of the entity receiving the update, and may cause a temporary loss of network visibility, depending on the deployment.

You must perform the procedure only during a scheduled maintenance period.

Steps
 

1

Log in as the root user on the station that hosts the OS.


2

Open a console window.


3

If the station is a CLM deployer host, correct the node_exporter user ID, if required.

  1. Enter the following:

    id -u node_exporter ↵

    The node_exporter user ID is displayed.

  2. If the user ID is 1000, enter the following sequence of commands:

    systemctl stop node_exporter.service ↵

    userdel -r node_exporter ↵


4

In order to apply the OS update on a CLM deployer host or CLM cluster VM, the RHEL user named nsp requires user ID 1000; otherwise, the update fails.

If ID 1000 is assigned to a user other than nsp, make the ID available to the nsp user, for example, by doing one of the following:

  • deleting the user

  • using the RHEL usermod command to change the ID of the other user


5

Stop the CLM software on the CLM cluster, as required.


6

Enter the following:

mkdir -p /opt/OSUpdate ↵


7

Download the following compressed file for the new CLM release to the /opt/OSUpdate directory:

NSP_RHELn_OEM_UPDATE_yy_mm.tar.gz

where

n is the major release of the RHEL version that you are updating, for example, 8

yy_mm is the issue date of the OS update


8

Enter the following:

cd /opt/OSUpdate ↵


9

Enter the following to expand the downloaded file:

tar -zxvf NSP_RHELn_OEM_UPDATE_yy_mm.tar.gz ↵

The update files are extracted to the following directory:

/opt/OSUpdate/R_r-RHELV.v-yy.mm.dd

where

R_r is the CLM release that introduces the OS update

V.v is the RHEL version, for example, 8.6

yy.mm.dd is the issue date of the OS update


10 

Enter the following:

cd R_r-RHELV.v-yy.mm.dd ↵


11 

Enter the following to perform the OS update:

./yum_update.sh ↵


12 

If the station is a CLM deployer host and you have deleted the node_exporter user in Step 3, enter the following sequence of commands:

useradd -s /sbin/nologin -U node_exporter ↵

systemctl start node_exporter.service ↵


13 
CAUTION

Misconfiguration Risk

Performing the procedure on a CLM station running CLM Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on a CLM Release 23.4 or later station.

Optionally, to align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on a RHEL OS instance that hosts a CLM deployer host or CLM cluster node to restrict file and directory access for non-root users.

To set the default RHEL login umask to 0027, perform the following steps.

  1. Back up the following files to a secure location on a station outside the management network for safekeeping:

    • /etc/bashrc

    • /etc/csh.cshrc

    • /etc/login.defs

    • /etc/profile

  2. Enter the following:

    sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile ↵

  3. Log out.

  4. Log in as the root user.

  5. Enter the following:

    umask ↵

    The current umask value is displayed.

  6. Verify that the umask value is 0027.


14 

Enter the following:

systemctl reboot ↵

The station reboots.


15 

Close the console window.

End of steps
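
The following shell functions are an added example, not part of the vendor procedure: they dry-run the sed expression of Step 13 on copies of the named files so that the change can be reviewed before the files are edited in place. The function names and the temporary-directory layout are assumptions of this example.

```shell
# Added example, not vendor code. Function names and the temp-dir layout are
# assumptions of this example; the sed expression is copied from Step 13.
UMASK_SED='s/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/'

# Print "label:lineno:text" for every active (non-comment) umask/UMASK line
# in file $1 whose value is not exactly 027. $2 is an optional display label.
umask_outliers() {
    awk -v label="${2:-$1}" '
        $1 ~ /^(umask|UMASK)$/ && $2 != "027" {
            printf "%s:%d:%s\n", label, NR, $0
        }' "$1"
}

# Dry run: apply the Step 13 substitution to a copy of each named file, show
# a unified diff against the original, and list lines that would still not
# read 027 (for example a four-digit value such as 0022, of which the
# expression rewrites only the first three digits). Originals are not modified.
# Returns 0 if every copy ends up compliant, 1 otherwise.
preview_umask_change() {
    local workdir rc=0 f copy left
    workdir=$(mktemp -d) || return 2
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "skipped (not readable): $f" >&2
            continue
        fi
        copy="$workdir/$(printf '%s' "$f" | tr '/' '_')"
        cp -- "$f" "$copy"
        sed -i "$UMASK_SED" "$copy"
        diff -u "$f" "$copy" || true   # diff exits 1 when lines differ
        left=$(umask_outliers "$copy" "$f")
        if [ -n "$left" ]; then
            echo "not 027 after substitution:" >&2
            printf '%s\n' "$left" >&2
            rc=1
        fi
    done
    rm -rf -- "$workdir"
    return "$rc"
}
```

For example, preview_umask_change /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile prints the pending changes without touching the files. A non-zero return status means at least one active umask line would not read 027 after the substitution and needs manual review.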