To apply a RHEL update to an NSP image-based OS

Purpose
WARNING 

WARNING

System Failure

Attempting to apply the OS update described below on a station that is not described in this guide may result in a catastrophic failure.

You must perform the OS-update procedure only on a station whose deployment is described in the NSP Installation and Upgrade guide.

Perform this procedure to update an NSP RHEL OS instance deployed using an NSP RHEL OS disk image. Such an OS update may include RHEL patches or security enhancements, and is typically applied as part of an NSP system upgrade.

Note: The procedure applies only to a RHEL OS instance deployed using an NSP RHEL OS disk image, and is not to be performed on a manually deployed OS.

Note: An NSP component that you are upgrading requires the latest available update for the installed RHEL version.

Applying an OS update

In order to apply an OS update, you must shut down the NSP component hosted by the OS. During an upgrade, you are directed to shut down a component before you apply an OS update.

You must shut down and restart NSP components in a specific order. For information about performing a graceful shutdown and restart of components in a standalone or DR NSP deployment, see “Workflow: stop and start DR NSP clusters” in the NSP System Administrator Guide.

CAUTION 

CAUTION

Network Visibility Loss

Applying an NSP RHEL OS update requires the shutdown of the component receiving the update, and may cause a temporary loss of network visibility, depending on the deployment.

You must perform the procedure only during a scheduled maintenance period.

Steps
 

Log in as the root user on the station that hosts the OS.


Open a console window.


If the station is an NSP deployer host, correct the node_exporter user ID, if required.

  1. Enter the following:

    id -u node_exporter ↵

    The node_exporter user ID is displayed.

  2. If the user ID is 1000, enter the following sequence of commands:

    systemctl stop node_exporter.service

    userdel -r node_exporter ↵


In order to apply the OS update on an NSP deployer host or NSP cluster VM, the NSP RHEL user named nsp requires user ID 1000; otherwise, the update fails.

If ID 1000 is assigned to a user other than nsp, make the ID available to the nsp user, for example, by doing one of the following:

  • deleting the user

  • using the RHEL usermod command to change the ID of the other user


Stop the NSP software on the component, which is one of the following, see the NSP System Administrator Guide for information, as required:

  • NSP cluster

  • NSP auxiliary database

  • NFM-P main server

  • NFM-P main database

  • NFM-P auxiliary server


Enter the following:

mkdir -p /opt/OSUpdate ↵


Download the following compressed file for the new NSP release to the /opt/OSUpdate directory:

NSP_RHELn_OEM_UPDATE_yy_mm.tar.gz

where

n is the major release of the RHEL version that you are updating, for example, 8

yy_mm is the issue date of the OS update


Enter the following:

cd /opt/OSUpdate ↵


Enter the following to expand the downloaded file:

tar -zxvf NSP_RHELn_OEM_UPDATE_yy_mm.tar.gz ↵

The update files are extracted to the following directory:

/opt/OSUpdate/R_r-RHELV.v-yy.mm.dd

where

R_r is the NSP release that introduces the OS update

V.v is the RHEL version, for example, 8.6

yy.mm.dd is the issue date of the OS update


10 

Enter the following:

cd R_r-RHELV.v-yy.mm.dd


11 

Enter the following to perform the OS update:

./yum_update.sh ↵


12 

If the station is an NSP deployer host and you have deleted the node_exporter user in Step 3, enter the following sequence of commands:

useradd -s /sbin/nologin -U node_exporter ↵

systemctl start node_exporter.service ↵


13 
CAUTION 

CAUTION

Misconfiguration Risk

Performing the procedure on an NSP station running NSP Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on an NSP Release 23.4 or later station.

Optionally, to align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on a RHEL OS instance that hosts an NSP deployer host, NSP cluster node, or NSP component deployed outside the NSP cluster, to restrict file and directory access for non-root users.

To set the default RHEL login umask to 0027, perform the following steps.

  1. Back up the following files to a secure location on a station outside the management network for safekeeping:

    • /etc/bashrc

    • /etc/csh.cshrc

    • /etc/login.defs

    • /etc/profile

  2. Enter the following:

    sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile ↵

  3. Log out.

  4. Log in as the root user.

  5. Enter the following:

    umask ↵

    The current umask value is displayed.

  6. Verify that the umask value is 0027.


14 

Enter the following:

systemctl reboot ↵

The station reboots.


15 

Close the console window.

End of steps