How a patch manager works - CloudOps Orchestration Service - Alibaba Cloud ドキュメントセンター

This topic describes how a patch manager works, and how to scan system patches to check their status and install missing patches.

Linux

Linux operating systems supported by patch managers include CentOS, Alibaba Cloud Linux, Debian, and Ubuntu. Different operating systems use different package managers. Different package managers have different principles for scanning and installing system patches.

Operating system	Package manager
CentOS 7, Alibaba Cloud Linux 2, and Red Hat Enterprise Linux 7	YUM
CentOS Stream 9, Alibaba Cloud Linux 3, Red Hat Enterprise Linux 8 and 9, Anolis OS 8, AlmaLinux OS 8 and 9, Rocky Linux 8 and 9, and Fedora 37, 38, and 39	DNF
Ubuntu 16.04, 18.04, 20.04, and 22.04	APT
Debian 11/12	APT
SUSE Linux Enterprise Server (SLES) 12 and 15, and openSUSE 15	Zypper

How a patch baseline works on YUM or DNF

Operating systems such as CentOS, Alibaba Cloud Linux, Red Hat Enterprise Linux, and Anolis OS use YUM or DNF to manage software packages. The two package managers both support the update notification feature. In the software repository, a file named updateinfo.xml stores notifications of software security updates. An update notification contains a set of software packages that fix specific issues. The software packages contained in an update notification are considered security packages. If you do not select Include Non-security Updates when you create the patch baseline, the patch manager requires that the latest upgradable versions of the packages must be contained in the update notification.

The following table describes the fields in the updateinfo.xml file.

Parameter	Description
type	The type of the update notification. Valid values: Security Bugfix Enhancement Recommended Newpackage
title	The title of the update notification.
severity	The severity level of the update notification. Valid values: Critical Important Moderate Low Unspecified
summary	The brief description of the update notification.
description	The detailed description of the update notification.
references	The reference information for the update notification. The reference information may include common vulnerabilities and exposures (CVE) and Bugzilla information.
pkglist	The RPM packages associated with the update notification.

The patch manager filters the update notifications that are stored in the updateinfo.xml file based on the rule specified by a patch baseline. For example, the public baseline for CentOS specifies the following rule:

'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Security',
            'Bugfix'
        ],
        'Key':'Classification'
    },
    {
        'Values': [
            'Critical',
            'Important'
        ],
        'Key': 'Severity'
    }
]

The preceding rule is used to match update packages that are of the Security or Bugfix type and at the Critical or Important severity level for scanning or installation. The rule is equivalent to the following yum command:

yum check-update --security --bugfix --secseverity=Critical,Important

The rule is equivalent to the following dnf commands:

dnf  check-update --security --bugfix --secseverity=Critical
dnf  check-update --security --bugfix --secseverity=Important

If you do not specify the types and severity levels of the patches that need to be scanned or installed in a rule of a custom baseline that you create, the rule is equivalent to the following yum and dnf commands:

yum check-update --security
dnf check-update --security

After the patch package to be installed is filtered, the patch manager runs the yum(update api) or dnf update command to install the patch package. After the patch package is installed, the patch manager restarts the instance. If you set the Allow Restart parameter to No, the patch manager does not restart the instance.

Note: Alibaba Cloud Linux 2 supports kernel live patching. If kernel live patching is enabled for your instance, and only kernel live patches are installed on your instance, the patch manager does not restart the instance. For more information, see Overview of the Kernel Live Patching feature.

How a patch baseline works on APT

On Debian and Ubuntu, a patch baseline selects patches based on the Priority and Section fields of DEB packages. The Priority field indicates the priority of the package. The Section field indicates the type of the package.

The patch manager scans or installs system patches based on the following steps:

1. Run the apt update command to refresh the list of packages in the software repository.

2. Use the patch baseline to match an upgradable package. If you do not select Include Non-security Updates, the patch manager requires that the latest upgradable version of the package must be in the security repository. The following content lists the names of security repositories on different operating systems:

Debian Server 8: debian-security jessie
Debian Server 9: debian-security stretch
Debian Server 10: debian-security buster
Debian Server 11: debian-security bullseye
Debian Server 12: debian-security bookworm
Ubuntu Server 16.04 LTS: xenial-security
Ubuntu Server 18.04 LTS: bionic-security
Ubuntu Server 20.04 LTS: focal-security
Ubuntu Server 22.04 LTS: jammy-security

The public baseline for Debian or Ubuntu specifies the following rule to match the packages whose priority is Required or Important:

'PatchFilterGroup': [
    {
        'Values': [
            '*'
        ],
        'Key': 'Product'
    },
    {
        'Values': [
            'Required',
            'Important'
        ],
        'Key': 'Severity'
}

The preceding rule is equivalent to the following steps:

1. Run the apt list --upgradable command to query all upgradable packages.

2. Run the apt list -a package-name command to query all upgradable versions of a package. In the command output, the package versions are sorted from the latest to the earliest.

3. Run the apt show package-name=={Version} command to check the priority of an upgradeable version of the package and whether the version meets the baseline rule.

4. Check whether the version of the package that meets the baseline rule is in the security repository.

The patch manager runs the apt update api command to install the patch package that needs to be installed. After the patch package is installed, the patch manager restarts the instance. If you set the Allow Restart parameter to No, the patch manager does not restart the instance.

How a patch baseline works on Zypper

On SLES and openSUSE, Zypper uses patch to manage system patches. You can run the zypper list-patches command to list applicable patches. A patch is used to fix a specific set of software packages. The following table describes the attributes of a patch.

status	not needed: The patch is not needed. applied: The patch is installed. need: The patch needs to be installed.
Category Category	security: security patches that fix security vulnerabilities and bugs. recommended: recommended patches that help improve system performance, functionality, or compatibility. optional: optional patches that provide additional features or fix non-critical issues. feature: functional patches that add a new operation or improve an existing feature. document: documents. yast: YaST is a system management tool for openSUSE and SUSE Linux distributions.
Severity Severity	low: low-level issues or risks. moderate: moderate issues or risks. important: important issues or risks. critical: critical issues or risks. unspecified: unspecified issues or risks.
Created On	The date on which the patch was created.

A Zypper patch baseline selects patches based on the Category and Severity attributes of patches. Example:

"PatchFilterGroup": [
    {
        "Values": [
            "*"
        ],
        "Key": "Product"
    },
    {
        "Values": [
            "security",
            "recommended"
        ],
        "Key": "Classification"
    },
    {
        "Values": [
            "Critical",
            "Important",
            "Moderate"
        ],
        "Key": "Severity"
    }
],

The preceding rule is used to match security and recommended patch packages whose severity is Critical, Important, or Moderate.

Windows

How system patches are updated on Windows

When patch updates are scanned or installed, the patch manager automatically removes the updates that are replaced by subsequent updates in the patch list. Therefore, the patch manager displays only the latest updates for you to install. For example, if the patch KB4550961 is replaced by the patch KB4556846, only the patch KB4556846 is used as a patch update.

If the required patch updates have dependent updates, you must first install the dependent updates. Then, you can detect and install the required updates after patch updates are scanned again. For example, if the patch KB5005076 is dependent on the patch KB4566425, and the patch KB4566425 has not been installed, the patch KB5005076 cannot be detected after patch updates are scanned. In this case, you must first install the patch KB4566425.

Note: The patch manager supports system patch updates only for Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, and Windows Server 2022.