CentOS errata, what am I missing?

Problem:
Hello I have a brand new foreman-katello server and started creating some content, adding repos, etc. For some reason after successful sync, I don’t see any errata listed? Is there something extra I have to do to pull in errata? See screen shot.

Expected outcome:
Expect errara to be pulled and display in my repos.

Foreman and Proxy versions:
Pulp, Dynflow, Ansible, SSH, Templates, TFTP, Puppet CA, Puppet, Logs, and HTTPBoot
all at 1.22.0

Foreman and Proxy plugin versions:
foreman-tasks - 0.15.5
foreman_ansible - 3.0.2
foreman_remote_execution - 1.8.0
katello - 3.12.0

Other relevant data:
n/a

logs

Last time I checked CentOS didn’t publish erratas in their repos, that’s why you don’t see them. There are ways[1] how to get them from other source and “sideload” them into katello. Quick search found some tools to do that[2,3].

[1] - https://www.lisenet.com/2018/katello-import-centos-errata-into-pulp/
[2] - https://github.com/rdrgmnzs/pulp_centos_errata_import
[3] - https://github.com/nicolas-r/katello-centos-errata-import

1 Like

Thanks. I’ve been in mainly Red Hat environments and some CentOS but was never responsible for patch management of them, did not know they did not publish errata.

I’ll take a look thank you.

I recommend [3] and have used it in some customer environments successfully.

1 Like

i am used [2] on several project and works fine.

Quick note @lbetson that those instructions are currently not working without a workaround in Error Importing CentOS Errata into Pulp

something in Katello has changed to mean that we can no longer use the “mirror on sync” option.

A workaround on Spacewalk was using https://cefs.steve-meier.de/, it worked quite well for me

You can also use Vulners Errata for CentOS:

While this looks nice it seems like it is limited to a 30 day free trial and I can not find much about the solution so why should I trust it? Not trying to be harsh, just want you to give us more details. :wink:

CentOS Errata is available using free license :slight_smile:
There is 300 API calls included, so using basic cache (or config repo cache to update daily) at the client infrastructure is more than enough to get daily errata updates.
Vulners Errata itself updates every 2 hours.

We have created it using CentOS and Redhat public advisories:
https://vulners.com/search?query=type:centos
https://vulners.com/search?query=type:redhat

So actually creating errata was not harder than making Vulnerability Assessment scanner and Scanning API that we do offer as a product :slight_smile:

hi !
So I tried it, It fails to mention that the repository only contains Errata and no packages (which is fine by me, but took me a few minutes to understand why I didn’t see any packages) but it looks neat

There is not a lot of mention of this feature on your website, is it free for commercial (as opposed to personnal ) use as well ?

Hi loitho,

Yep, we found that there is no need to hold packages repo at our side (lot of traffic + maintenance).
The solution was to generate only applicability criteria and links to the advisories/cve at errata.
So Vulners Errata user will install packages with the updates from the OS repos.

It’s kind a fresh release, mostly for sec2sec usage, not a commercial one.
Yep, it’s free for commercial and personal usage under “free” license (300 API calls limit per month).

I am waiting for a solution for Katello with pulp 3 since the beginning of our deployment. Many threads have been created, a lot of replies have been posted, but so far I cannot see any solution.

Just a few examples.

As of today Errata are an important (and apparently the only) element in Katello to tell us, if a content view needs to be republished. There is no package diff, no change log, no sync log which will tell you if new packages have arrived, other than Errata (please correct me if I am wrong, as this is one of the major showstoppers for Foreman/Katello for us).

Seeing that there is a new approach, how can this be integrated into Katello, so that the existing repositories are augmented with Errata?

1 Like

I’ve been struggling with this as well. I have a feeling that I’m going to end up mirroring the CentOS repositories locally, and I’ve found a script that generates the updateinfo.xml file. Those locations will become the URL target for Katello repositories for my implementations.

That’s one of the workaround described here : Not seeing my repos via pulp-admin - #8 by Michael
It seems to not be working on Centos8 anymore tho’

From what I can see there is no progress with this in katello 4 either. To be fair part of the problem is Centos not publishing Errata in the firstplace thus requiring third party intervention. I can understand the Katello team don’t want to maintain the list of errata but there is a very cumbersome manual process which could be automated here.

@loitho Is it worth investing effort in CentOS 8 anymore? Someone correct me if I’m wrong but I believe Oracle are publishing errata for Oracle Linux 8 so that may be a better option.

For those, who are scared of CentOS 8 Stream: it seems AlmaLinux 8 also provides errata at the moment.

CentOS project was not publishing errata info since version 6.0 if I am not mistaken. There is a reason for that - amount of repoclosure checks was too high and too time consuming and CentOS people decided not to publish it rather than providing incorrect (incomplete) data. Other projects might either solve the resource problems or ignore this completely.

https://lukas.zapletalovi.com/2017/08/centos-and-security-updates.html

@lzap Thanks for the confirmation.

The main point with CentOS8 in particular is that it will be EOL very soon anyway. Folks should be looking to move to CentOS Stream or another distro.