You can also use Vulners Errata for CentOS:
While this looks nice it seems like it is limited to a 30 day free trial and I can not find much about the solution so why should I trust it? Not trying to be harsh, just want you to give us more details.
CentOS Errata is available using free license
There is 300 API calls included, so using basic cache (or config repo cache to update daily) at the client infrastructure is more than enough to get daily errata updates.
Vulners Errata itself updates every 2 hours.
So actually creating errata was not harder than making Vulnerability Assessment scanner and Scanning API that we do offer as a product
So I tried it, It fails to mention that the repository only contains Errata and no packages (which is fine by me, but took me a few minutes to understand why I didn’t see any packages) but it looks neat
There is not a lot of mention of this feature on your website, is it free for commercial (as opposed to personnal ) use as well ?
Yep, we found that there is no need to hold packages repo at our side (lot of traffic + maintenance).
The solution was to generate only applicability criteria and links to the advisories/cve at errata.
So Vulners Errata user will install packages with the updates from the OS repos.
It’s kind a fresh release, mostly for sec2sec usage, not a commercial one.
Yep, it’s free for commercial and personal usage under “free” license (300 API calls limit per month).
I am waiting for a solution for Katello with pulp 3 since the beginning of our deployment. Many threads have been created, a lot of replies have been posted, but so far I cannot see any solution.
Just a few examples.
As of today Errata are an important (and apparently the only) element in Katello to tell us, if a content view needs to be republished. There is no package diff, no change log, no sync log which will tell you if new packages have arrived, other than Errata (please correct me if I am wrong, as this is one of the major showstoppers for Foreman/Katello for us).
Seeing that there is a new approach, how can this be integrated into Katello, so that the existing repositories are augmented with Errata?
I’ve been struggling with this as well. I have a feeling that I’m going to end up mirroring the CentOS repositories locally, and I’ve found a script that generates the updateinfo.xml file. Those locations will become the URL target for Katello repositories for my implementations.
That’s one of the workaround described here : Not seeing my repos via pulp-admin - #8 by Michael
It seems to not be working on Centos8 anymore tho’
From what I can see there is no progress with this in katello 4 either. To be fair part of the problem is Centos not publishing Errata in the firstplace thus requiring third party intervention. I can understand the Katello team don’t want to maintain the list of errata but there is a very cumbersome manual process which could be automated here.
@loitho Is it worth investing effort in CentOS 8 anymore? Someone correct me if I’m wrong but I believe Oracle are publishing errata for Oracle Linux 8 so that may be a better option.
For those, who are scared of CentOS 8 Stream: it seems AlmaLinux 8 also provides errata at the moment.
CentOS project was not publishing errata info since version 6.0 if I am not mistaken. There is a reason for that - amount of repoclosure checks was too high and too time consuming and CentOS people decided not to publish it rather than providing incorrect (incomplete) data. Other projects might either solve the resource problems or ignore this completely.
@lzap Thanks for the confirmation.
The main point with CentOS8 in particular is that it will be EOL very soon anyway. Folks should be looking to move to CentOS Stream or another distro.
“Scared” is I think a little unfair. CentOS 8 was in a stable downstream position whereas Stream will be considerably less stable and certainly more volatile with more bleeding edge updates. Nothing wrong with that if stability isn’t what you care about.
Sure, I am not selling CentOS 8 Stream here, obviously not for everyone. Definitely great fit for customers who do a lot of OS development, particularly big customers. Previously it was really hard to make an impact.
CentOS Linux never had errata and it was painful experience for those who simply use it as a production OS. Now there are the free RHEL tiers as well as other alternatives. I understand the concern tho, hopefully Foreman with Katello can help for some workflows.
(adding my answer to this thread as well)
Hi, sorry for the delayed answer.
So in the end, I just ended up doing the following :
- create a docker image
- build it and use this script that basically convert the Cefs xml into proper yum readable repository GitHub - vmfarms/generate_updateinfo
- upload the created yum repository files to an AWS S3 bucket
- Get foreman to sync the S3 bucket on a specific repository
That way, I have another repository yes, but containing only errata and I don’t have to deal with injecting the errata into an existing CentOS repository.
Also, the @vulnersCom Errata example provided above does not work on Katello (sync constantly fails)
But if you successfully import the Vulners Errata into katello, be very very careful as it does not play well at all if you put the Vulners errata in a content view that also contains Official RHEL 7 Errata.
I like your approach. I tried the same but somehow the content view containing the repo with just the errata doesn’t seem to work if there are no packages included in the repo. Can someone comfirm this? I see > 5000 ERRATA in my repo containing only errata but once I add it to a content view the CV doesn’t reflect that errata.
Have you published a new content view version after adding the repo?
yes I did. I even created a completely new CV just with the errata repo. But to be 100% clear. The repo is really just a dummy repo containing no rpms at all, just the errata. And I’m not using a S3 bucket. I added the repo in Katello as usual to my CentOS 7 product and synced it.
Would be really awesome to have this working.
What version of Katello are you on? I’m pretty sure you’re seeing a bug. I haven’t personally tested with repositories that don’t have any RPMs. Are you using any filters in your content view?
If this repo is public, we’d be happy to test it out ourselves.