Suggested new functionality

My Security team requires a monthly outstanding patch/update report. I currently have to produce this manually by doing a screen-scrape from the Content-Hosts screen and then copying it to an Excel(CSV) report e.g.:

Name Subscription Status Installable Updates - Security Installable Updates - Bug Fixes Installable Updates - Enhancements Installable Updates - Package Count OS Environment
host1.test.local Simple Content Access 0 0 0 0 RedHat 8.7 ontwikkeling
6

It would be really use the Content-Host screen output could be exported to CSV and even automatically created using Hammer.

We do have a reports feature and a template for outstanding errata ā€“ would that do?

cc @Marek_Hulan

Wanted to point to the same solution, so find some docs for the feature at Managing Hosts

Hi,

Thanks for your reply. I have tried all the reports that I can see on Satellite 6.12 and tried to import some ones from Git but nothing seems to fit the bill. The problem is that my security team want the report to look pretty much exactly like what they see in the Content Hosts screen meaning three totals for each kind of patch/update.
The Cobit control says that I have to prove that there are no outstanding patches/ I have updated all the systems.

Regards,
Andrew

Hi Dirk,

I already knew about this but unfortunately the report needs to simply have a (preferably alphabetical) list of the hosts along with the number of patches:

I expected that the Export button would do this but it seems not to work for me.

Regards,
Andrew

I think one can modify the template and add the ordering to it as well as select what columns should be present.

The other option is to start using the New detail page and select columns, that should be in the export, then click the export button there. That functionality was shown today at the community demo by @ofedoren. Given itā€™s quite fresh, it will take a bit until it appears in Satellite.

Hi Marek,

I did some updates on my platform and the export button does now do what I need. It would be really useful if I could create this report via Hammer so it could be automatically produced.

The other killer feature would be if you could export/download the SCAP PDF reports.

Regards,
Andrew

Hello,

if you tailor the Applied errata report template, that could be used both from UI, through API and also generated by hammer. That would be my recommendation. Iā€™m attaching simple report that prints hosts and all errata (sum of security, bugfixes, enhancements). You would need to define the inputs according to the metadata or import the template through API.

<%#
name: Host - Applicable Errata
snippet: false
template_inputs:
- name: Hosts filter
  required: false
  input_type: user
  description: Limit the report only on hosts found by this search query. Keep empty
    for report on all available hosts.
  advanced: false
  value_type: search
  resource_type: Host
- name: Errata filter
  required: false
  input_type: user
  description: Limit the report only on errata found by this search query. Keep empty
    for report on all available errata.
  advanced: false
model: ReportTemplate
require:
- plugin: katello
ļæ¼ version: 3.16.0
-%>
<%- report_headers 'Host', 'Errata count' -%>
<%- errata_filter = input('Errata filter') -%>
<%- load_hosts(search: input('Hosts filter')).each_record do |host| -%>
<%-   errata = host_applicable_errata_filtered(host, errata_filter).size -%>
<%-   report_row(
        'Host': host.name,
        'Errata count': errata,
      ) -%>
<%- end -%>
<%= report_render order: 'Host' -%>

For the SCAP PDF reports, weā€™d have to be converting HTML to PDF first. The easiest way to get PDF out of the HTML (aka full report) is to simply open a browser print dialog and save it as pdf. If you need more automated way, e.g. through hammer, you can download the entire HTML for a given report id and feed it to some processor like this

 FILE=`hammer arf-report download-html --id 26746 --path /tmp/ | cut -d ":" -f 2`; echo "pdf_convert $FILE $FILE.pdf"

Note that I made up the pdf_convert command, it depends on what you have available on your system, but I hope you get the idea.

1 Like

Hi Marek,

Thanks very much for your assistance. The PDF export works like a dream and I tuned it for RHEL-8 as follows:

# yum install https://github.com/wkhtmltopdf/packaging/releases/download/0.12.6.1-2/wkhtmltox-0.12.6.1-2.almalinux8.x86_64.rpm
$ FILE=`hammer arf-report download-html --id 25164 --path /tmp/ | cut -d ":" -f 2`; F2=$(echo $FILE | sed 's/.html//'); /usr/local/bin/wkhtmltopdf $FILE $F2.pdf

$ hammer --no-headers arf-report list --fields id | while read A; do FILE=`hammer arf-report download-html --id $A --path /tmp/ | cut -d ":" -f 2`; F2=$(echo $FILE | sed 's/.html//'); /usr/local/bin/wkhtmltopdf $FILE $F2.pdf; done

I tried the report and strangely it gives a count of three errata whilst the GUI shows none? I tried to modify the report so it simply counted the amount of installable/missed RPMs as my COBIT control demands that I show my machines are all patched and up to date.

My report fails with: Safemode doesnā€™t allow to access ā€˜pkgā€™ on #Safemode::ScopeObject

<%#
name: Host - Applicable Errata
snippet: false
template_inputs:
- name: Hosts filter
  required: false
  input_type: user
  description: Limit the report only on hosts found by this search query. Keep empty
    for report on all available hosts.
  advanced: false
  value_type: search
  resource_type: Host
- name: Errata filter
  required: false
  input_type: user
  description: Limit the report only on errata found by this search query. Keep empty
    for report on all available errata.
  advanced: false
model: ReportTemplate
require:
- plugin: katello
ļæ¼ version: 3.16.0
-%>
<%- report_headers 'Host', 'IP Address', 'Packages', 'Errata count' -%>
<%- errata_filter = input('Errata filter') -%>
<%- pkg_filter = input('Package filter') -%>
<%- load_hosts(search: input('Hosts filter')).each_record do |host| -%>
<%-   errata = host_applicable_errata_filtered(host, errata_filter).size -%>
<%    host.installed_packages.each do |pkg| -%>
<%-   packages = pkg(host, pkg_filter).size -%>
<%-   report_row(
        'Host': host.name,
        'IP Address': host.ip,
        'Packages': packages,
        'Errata count': errata,
      ) -%>
<%-   end -%>
<%- end -%>
<%= report_render order: 'Host' -%>

Regards,
Andrew

Nice!

Interesting, it may be that different method needs to be used in the report, Iā€™m not expert on the content part, perhaps someone from @katello could help to tailor the report further.

The safe mode protects from using any potentially dangerous commands. Only methods/functions put to the allowlist (safe list) can be used. Iā€™m trying to understand the logic behind

<%    host.installed_packages.each do |pkg| -%>
<%-   packages = pkg(host, pkg_filter).size -%>

the pkg local variable refers to the installed host package, while you try to call it like a function. This is probably not the right approach. Iā€™d first try to make sure the original report shows the same data as the UI. The difference may be Applicable vs Installable Errata. I believe Applicable means ā€œerrata that the system is missing and should be updatedā€ while Installable means ā€œerrata the are applicable and actually can be updated, meaning the host has access to the contentā€. Could that be the case?

Right, applicable errata count may be more than installable errata count. Installable is a subset of applicable.

Hi Jeremy,

Do you know how to print the number of patches/updateable RPMs?

Regards,
Andrew

Currently the report templates can only show you applicable errata. Installable errata are being added in Fixes #30664 - add Katello support for installable errata reports by ianballou Ā· Pull Request #10497 Ā· Katello/katello Ā· GitHub and Fixes #36228 - add installable option to errata reports by ianballou Ā· Pull Request #9662 Ā· theforeman/foreman Ā· GitHub, expected in Katello 4.9.

1 Like