Applying periodic updates to the system in the form of patches, to keep the operating system current and secure, is an important job function of every system administrator. Patching generally improves the functionality and health of the system, but in a few isolated cases a patch may cause problems for an application or database running on it.
What is a patch?
A patch is a piece of software code that is inserted into an existing program on the system. It is an immediate fix to existing software, applied before a minor release is planned. A patch is a kind of temporary, quick fix to existing software.
What does a patch look like?
Suppose some file xyz.c within your Linux kernel requires a patch. The patch is just the difference between the existing lines of code in that file and the extra lines that will be added to it. It is simply a diff of the lines of code added to the existing file.
On Red Hat based systems we use the yum package manager as the preferred method to install and update packages. Our earlier post on yum explains the basics of yum, how it differs from rpm, and YUM server setup.
In this article, we’ll be using yum to
- Update system with patches
- Downgrade system patches
- Rollback a patch in the system
Updating a Linux server is straightforward. We use the “yum update” command to apply updates on the server. If you are using an Ubuntu based machine, use the apt-get update and apt-get upgrade commands. If the system is registered with the correct yum channels and there are no dependency-related hindrances, the updates should take from a few minutes up to an hour to complete, depending on the number of patches to be applied and the resources available on the server.
For the purpose of this demonstration, we’ll patch/update a CentOS system from version 6.8 to version 6.9 and then perform a rollback to version 6.8.
First, let’s check the current version of CentOS running on the system.
[root@linuxunix ~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
[root@linuxunix ~]#
After you’ve made sure that any pre-requisite tasks you perform while patching systems in your environment have been completed, then you may proceed and execute the “yum update” command which applies updates to the system. Since I’m using a lab environment there isn’t much to check, so let’s move forward.
[root@linuxunix ~]# yum update
Loaded plugins: fastestmirror, security
Setting up Update Process
Loading mirror speeds from cached hostfile
epel/metalink | 5.3 kB 00:00
 * base: mirrors.nju.edu.cn
 * epel: mirror2.totbb.net
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base | 3.7 kB 00:00
epel | 4.3 kB 00:00
epel/primary_db | 5.9 MB 00:14
extras | 3.4 kB 00:00
extras/primary_db | 29 kB 00:00
puppetlabs-pc1 | 2.5 kB 00:00
puppetlabs-pc1/primary_db | 131 kB 00:00
updates | 3.4 kB 00:00
updates/primary_db | 4.7 MB 00:12
Resolving Dependencies
-------------------------------------------------output truncated for brevity
---> Package xorg-x11-drv-ati-firmware.noarch 0:7.6.1-2.el6 will be updated
---> Package xorg-x11-drv-ati-firmware.noarch 0:7.6.1-3.el6_9 will be an update
---> Package yum.noarch 0:3.2.29-73.el6.centos will be updated
---> Package yum.noarch 0:3.2.29-81.el6.centos will be an update
---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-37.el6 will be updated
---> Package yum-plugin-fastestmirror.noarch 0:1.1.30-40.el6 will be an update
---> Package yum-plugin-security.noarch 0:1.1.30-37.el6 will be updated
---> Package yum-plugin-security.noarch 0:1.1.30-40.el6 will be an update
---> Package yum-utils.noarch 0:1.1.30-37.el6 will be updated
---> Package yum-utils.noarch 0:1.1.30-40.el6 will be an update
--> Running transaction check
---> Package libkadm5.x86_64 0:1.10.3-65.el6 will be installed
---> Package python-sss-murmur.x86_64 0:1.13.3-57.el6_9 will be installed
---> Package python2-jmespath.noarch 0:0.9.0-2.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================================================
 Package Arch Version Repository Size
====================================================================================================================================
Installing:
 kernel x86_64 2.6.32-696.13.2.el6 updates 32 M
Updating:
 GConf2 x86_64 2.28.0-7.el6 base 963 k
 ORBit2 x86_64 2.14.17-6.el6_8 base 169 k
 abrt x86_64 2.0.8-43.el6.centos base 229 k
 abrt-addon-ccpp x86_64 2.0.8-43.el6.centos base 124 k
 abrt-addon-kerneloops x86_64 2.0.8-43.el6.centos base 71 k
 abrt-addon-python x86_64 2.0.8-43.el6.centos base 68 k
 abrt-cli x86_64 2.0.8-43.el6.centos base 58 k
 abrt-libs x86_64 2.0.8-43.el6.centos base 70 k
 abrt-python x86_64 2.0.8-43.el6.centos base 74 k
 abrt-tui x86_64 2.0.8-43.el6.centos base 66 k
 acl x86_64 2.2.49-7.el6_9.1 updates 76 k
 alsa-utils x86_64 1.1.0-10.el6 base 2.0 M
 ansible noarch 2.3.2.0-1.el6 epel 5.9 M
 at x86_64 3.1.10-49.el6 base 61 k
 audit x86_64 2.4.5-6.el6 base 204 k
 audit-libs x86_64 2.4.5-6.el6 base 74 k
 autofs x86_64 1:5.0.5-132.el6 base 729 k
 avahi-libs x86_64 0.6.25-17.el6 base 55 k
 bash x86_64 4.1.2-48.el6 base 910 k
 bind-libs x86_64 32:9.8.2-0.62.rc1.el6_9.4 updates 892 k
 bind-utils x86_64 32:9.8.2-0.62.rc1.el6_9.4 updates 189 k
 binutils x86_64 2.20.51.0.2-5.47.el6_9.1 updates 2.8 M
 biosdevname x86_64 0.7.2-1.el6 base 35 k
 ca-certificates noarch 2017.2.14-65.0.1.el6_9 updates 1.3 M
 centos-release x86_64 6-9.el6.12.3 base 22 k
 certmonger x86_64 0.77.5-4.el6 base 637 k
 coreutils x86_64 8.4-46.el6 base 3.0 M
----------------------------------------------------------------output truncated for brevity
 unzip x86_64 6.0-5.el6 base 152 k
 util-linux-ng x86_64 2.17.2-12.28.el6 base 1.6 M
Installing for dependencies:
 libkadm5 x86_64 1.10.3-65.el6 base 143 k
 python-sss-murmur x86_64 1.13.3-57.el6_9 updates 102 k
 python2-jmespath noarch 0.9.0-2.el6 epel 39 k
Transaction Summary
====================================================================================================================================
Install 4 Package(s)
Upgrade 283 Package(s)
Total download size: 402 M
Is this ok [y/N]: y
Downloading Packages:
(1/287): GConf2-2.28.0-7.el6.x86_64.rpm | 963 kB 00:02
(2/287): ORBit2-2.14.17-6.el6_8.x86_64.rpm | 169 kB 00:00
(3/287): abrt-2.0.8-43.el6.centos.x86_64.rpm | 229 kB 00:00
(4/287): abrt-addon-ccpp-2.0.8-43.el6.centos.x86_64.rpm | 124 kB 00:00
(5/287): abrt-addon-kerneloops-2.0.8-43.el6.centos.x86_64.rpm | 71 kB 00:00
(6/287): abrt-addon-python-2.0.8-43.el6.centos.x86_64.rpm | 68 kB 00:00
(286/287): yum-plugin-security-1.1.30-40.el6.noarch.rpm | 43 kB 00:00
(287/287): yum-utils-1.1.30-40.el6.noarch.rpm | 113 kB 00:00
------------------------------------------------------------------------------------------------------------------------------------
Total 310 kB/s | 402 MB 22:07
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
-------------------------------------------------output truncated for brevity
 Verifying : pulseaudio-libs-0.9.21-24.el6.x86_64 568/570
 Verifying : plymouth-scripts-0.8.3-27.el6.centos.1.x86_64 569/570
 Verifying : libXv-1.0.9-2.1.el6.x86_64 570/570
Installed:
 kernel.x86_64 0:2.6.32-696.13.2.el6
Dependency Installed:
 libkadm5.x86_64 0:1.10.3-65.el6
 python-sss-murmur.x86_64 0:1.13.3-57.el6_9
 python2-jmespath.noarch 0:0.9.0-2.el6
Updated:
 vim-filesystem.x86_64 2:7.4.629-5.el6_8.1
 vim-minimal.x86_64 2:7.4.629-5.el6_8.1
 virt-what.x86_64 0:1.11-1.3.el6
 wget.x86_64 0:1.12-10.el6
 xorg-x11-drv-ati-firmware.noarch 0:7.6.1-3.el6_9
 yum.noarch 0:3.2.29-81.el6.centos
 yum-plugin-fastestmirror.noarch 0:1.1.30-40.el6
 yum-plugin-security.noarch 0:1.1.30-40.el6
 yum-utils.noarch 0:1.1.30-40.el6
Complete!
After the yum update process has been completed, we will check the redhat-release file and /etc/grub.conf to verify that the entries in these files have been modified.
[root@linuxunix ~]# grep -v '^#' /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.32-696.13.2.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-696.13.2.el6.x86_64 ro root=/dev/mapper/vg_linuxunix-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=vg_linuxunix/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_linuxunix/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-696.13.2.el6.x86_64.img
title CentOS 6 (2.6.32-642.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=/dev/mapper/vg_linuxunix-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=vg_linuxunix/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_linuxunix/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-642.el6.x86_64.img
[root@linuxunix ~]#
[root@linuxunix ~]# cat /etc/redhat-release
CentOS release 6.9 (Final)
Now when I reboot my system it will boot with the new kernel 2.6.32-696.13.2.el6.x86_64.
I’ll demonstrate the same.
We’ll interrupt the server’s boot process and in doing so we can see that we have two kernels to boot from.
We’ve run the uname -a command after logging in to the server to validate that the system booted from the new kernel.
[root@linuxunix ~]# uname -a
Linux linuxunix 2.6.32-696.13.2.el6.x86_64 #1 SMP Thu Oct 5 21:22:16 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@linuxunix ~]#
We could simply boot the old kernel as a workaround if we don’t want the system to run on the newer kernel. But what if our application/database demands that all trace of the new kernel be removed from the system? This is exactly what we’ll be working on now.
Step 1: Boot from the old kernel.
[root@linuxunix ~]# uptime
 16:34:24 up 8 min, 1 user, load average: 0.08, 0.08, 0.06
[root@linuxunix ~]# uname -a
Linux linuxunix 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@linuxunix ~]#
Step 2: Now run the yum history command to view a history of previous yum activities.
[root@linuxunix ~]# yum history
Loaded plugins: fastestmirror, security
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    18 | root <root>              | 2017-10-28 16:00 | I, U           |  287 E<
    17 | root <root>              | 2017-05-16 04:38 | Install        |    1 ><
    16 | root <root>              | 2017-05-15 18:27 | Install        |    8 >
    15 | root <root>              | 2017-05-11 18:13 | Install        |    3
    14 | root <root>              | 2017-03-10 15:35 | Install        |   12
    13 | root <root>              | 2017-03-10 14:53 | Install        |    1
    12 | root <root>              | 2017-03-10 14:51 | Install        |   13
    11 | root <root>              | 2017-03-08 22:10 | Install        |    1
    10 | root <root>              | 2017-03-08 21:11 | Install        |    1
     9 | root <root>              | 2017-03-01 16:46 | Install        |    5
     8 | root <root>              | 2017-02-19 17:54 | Install        |    1
     7 | root <root>              | 2017-02-19 17:54 | Install        |    1
     6 | root <root>              | 2017-02-19 17:45 | Install        |    1
     5 | root <root>              | 2017-02-19 17:38 | Install        |    1
     4 | root <root>              | 2017-02-19 17:38 | Install        |    2
     3 | root <root>              | 2017-02-19 17:36 | Install        |    1
     2 | root <root>              | 2017-02-19 17:33 | Install        |    2
     1 | System <unset>           | 2017-02-19 17:08 | Install        |  646
We are interested in transaction id number 18. This is the latest one which altered 287 packages. This is the transaction id for our yum update command.
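We can view more information about this transaction by typing yum history info <id>:
[root@linuxunix ~]# yum history info 18
Loaded plugins: fastestmirror, security
Transaction ID : 18
Begin time : Sat Oct 28 16:00:19 2017
Begin rpmdb :
End time : 16:13:57 2017 (13 minutes)
End rpmdb : 705:1a7b639bee61a5512a83ad82dd2ce31ecae16c6e
User : root <root>
Return-Code : Success
Command Line : update
Transaction performed with:
 Installed rpm-4.8.0-55.el6.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Updated yum-3.2.29-73.el6.centos.noarch @anaconda-CentOS-201605220104.x86_64/6.8
 Updated yum-plugin-fastestmirror-1.1.30-37.el6.noarch @anaconda-CentOS-201605220104.x86_64/6.8
Packages Altered:
 Updated GConf2-2.28.0-6.el6.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.28.0-7.el6.x86_64 @base
 Updated ORBit2-2.14.17-5.el6.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.14.17-6.el6_8.x86_64 @base
------------------------------------------------------------------------output truncated for brevity
Step 3: Now, we will roll back this transaction via the yum history undo command.
[root@linuxunix ~]# yum history undo 18
Loaded plugins: fastestmirror, security
Undoing transaction 18, from Sat Oct 28 16:00:19 2017
 Updated GConf2-2.28.0-6.el6.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.28.0-7.el6.x86_64 @base
 Updated ORBit2-2.14.17-5.el6.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.14.17-6.el6_8.x86_64 @base
 Updated abrt-2.0.8-40.el6.centos.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.0.8-43.el6.centos.x86_64 @base
 Updated abrt-addon-ccpp-2.0.8-40.el6.centos.x86_64 @anaconda-CentOS-201605220104.x86_64/6.8
 Update 2.0.8-43.el6.centos.x86_64 @base
Dependencies Resolved
================================================================================
 Package Arch Version Repository Size
================================================================================
Removing:
 kernel x86_64 2.6.32-696.13.2.el6 @updates 131 M
 libkadm5 x86_64 1.10.3-65.el6 @base 207 k
 python-sss-murmur x86_64 1.13.3-57.el6_9 @updates 5.5 k
 python2-jmespath noarch 0.9.0-2.el6 @epel 132 k
Downgrading:
 curl x86_64 7.19.7-52.el6 base 197 k
 jasper-libs x86_64 1.900.1-16.el6_6.3 base 137 k
 libcurl x86_64 7.19.7-52.el6 base 169 k
 openjpeg-libs x86_64 1.3-11.el6 base 60 k
 puppet-agent x86_64 1.10.1-1.el6 puppetlabs-pc1 29 M
 scl-utils x86_64 20120927-27.el6_6 base 22 k
 xorg-x11-drv-ati-firmware noarch 7.6.1-2.el6 base 1.2 M
Removing for dependencies:
 ansible noarch 2.3.2.0-1.el6 @epel 27 M
 ipa-client x86_64 3.0.0-51.el6.centos @base 312 k
 ipa-python x86_64 3.0.0-51.el6.centos @base 4.6 M
 krb5-workstation x86_64 1.10.3-65.el6 @base 1.0 M
Transaction Summary
===========================================================================================================================================================================================
Remove 8 Package(s)
Downgrade 7 Package(s)
Total download size: 31 M
Is this ok [y/N]: y
 Cleanup : puppet-agent-1.10.8-1.el6.x86_64 15/22
 Erasing : krb5-workstation-1.10.3-65.el6.x86_64 16/22
 Cleanup : curl-7.19.7-53.el6_9.x86_64 17/22
 Cleanup : libcurl-7.19.7-53.el6_9.x86_64 18/22
 Erasing : libkadm5-1.10.3-65.el6.x86_64 19/22
 Cleanup : scl-utils-20120927-29.el6_9.x86_64 20/22
 Cleanup : openjpeg-libs-1.3-16.el6_8.x86_64 21/22
 Cleanup : jasper-libs-1.900.1-21.el6_9.x86_64 22/22
 Verifying : jasper-libs-1.900.1-16.el6_6.3.x86_64 1/22
 Verifying : openjpeg-libs-1.3-11.el6.x86_64 2/22
 Verifying : libcurl-7.19.7-52.el6.x86_64 3/22
 Verifying : curl-7.19.7-52.el6.x86_64 4/22
 Verifying : scl-utils-20120927-27.el6_6.x86_64 5/22
 Verifying : xorg-x11-drv-ati-firmware-7.6.1-2.el6.noarch 6/22
 Verifying : puppet-agent-1.10.1-1.el6.x86_64 7/22
 Verifying : puppet-agent-1.10.8-1.el6.x86_64 8/22
 Verifying : jasper-libs-1.900.1-21.el6_9.x86_64 9/22
 Verifying : kernel-2.6.32-696.13.2.el6.x86_64 10/22
 Verifying : krb5-workstation-1.10.3-65.el6.x86_64 11/22
 Verifying : libcurl-7.19.7-53.el6_9.x86_64 12/22
 Verifying : ipa-client-3.0.0-51.el6.centos.x86_64 13/22
 Verifying : scl-utils-20120927-29.el6_9.x86_64 14/22
 Verifying : ipa-python-3.0.0-51.el6.centos.x86_64 15/22
 Verifying : curl-7.19.7-53.el6_9.x86_64 16/22
 Verifying : python2-jmespath-0.9.0-2.el6.noarch 17/22
 Verifying : xorg-x11-drv-ati-firmware-7.6.1-3.el6_9.noarch 18/22
 Verifying : python-sss-murmur-1.13.3-57.el6_9.x86_64 19/22
 Verifying : openjpeg-libs-1.3-16.el6_8.x86_64 20/22
 Verifying : ansible-2.3.2.0-1.el6.noarch 21/22
 Verifying : libkadm5-1.10.3-65.el6.x86_64 22/22
Removed:
 curl.x86_64 0:7.19.7-53.el6_9
 jasper-libs.x86_64 0:1.900.1-21.el6_9
 kernel.x86_64 0:2.6.32-696.13.2.el6
 libcurl.x86_64 0:7.19.7-53.el6_9
 libkadm5.x86_64 0:1.10.3-65.el6
 openjpeg-libs.x86_64 0:1.3-16.el6_8
 puppet-agent.x86_64 0:1.10.8-1.el6
 python-sss-murmur.x86_64 0:1.13.3-57.el6_9
 python2-jmespath.noarch 0:0.9.0-2.el6
 scl-utils.x86_64 0:20120927-29.el6_9
 xorg-x11-drv-ati-firmware.noarch 0:7.6.1-3.el6_9
Dependency Removed:
 ansible.noarch 0:2.3.2.0-1.el6
 ipa-client.x86_64 0:3.0.0-51.el6.centos
 ipa-python.x86_64 0:3.0.0-51.el6.centos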
 krb5-workstation.x86_64 0:1.10.3-65.el6
Installed:
 curl.x86_64 0:7.19.7-52.el6
 jasper-libs.x86_64 0:1.900.1-16.el6_6.3
 libcurl.x86_64 0:7.19.7-52.el6
 openjpeg-libs.x86_64 0:1.3-11.el6
 puppet-agent.x86_64 0:1.10.1-1.el6
 scl-utils.x86_64 0:20120927-27.el6_6
 xorg-x11-drv-ati-firmware.noarch 0:7.6.1-2.el6
Complete!
Once this completes we take a look at the /etc/grub.conf file.
[root@linuxunix ~]# grep -v ^# /etc/grub.conf
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS 6 (2.6.32-642.el6.x86_64)
root (hd0,0)
kernel /vmlinuz-2.6.32-642.el6.x86_64 ro root=/dev/mapper/vg_linuxunix-lv_root rd_NO_LUKS LANG=en_US.UTF-8 rd_NO_MD rd_LVM_LV=vg_linuxunix/lv_swap SYSFONT=latarcyrheb-sun16 crashkernel=auto rd_LVM_LV=vg_linuxunix/lv_root KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet
initrd /initramfs-2.6.32-642.el6.x86_64.img
The entries for the new kernel have been removed.
But the entry in the /etc/redhat-release file will not be updated automatically. We’ll need to do it manually.
Step 4: Once the rollback operation completes it’s highly recommended that you reboot the system. Now when we reboot the system and interrupt the boot process we find that only the original kernel is now available to boot from.
Once the system boots, we can run the uname -a command to verify that the system is running on the old kernel.
[root@linuxunix ~]# uname -a
Linux linuxunix 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@linuxunix ~]# date
Sat Oct 28 17:46:26 IST 2017
Let’s run the ‘yum history’ command again to view information on our rollback task:
[root@linuxunix ~]# yum history
Loaded plugins: fastestmirror, security
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    19 | root <root>              | 2017-10-28 16:43 | D, E           |   15 EE
    18 | root <root>              | 2017-10-28 16:00 | I, U           |  287 E<
    17 | root <root>              | 2017-05-16 04:38 | Install        |    1 ><
    16 | root <root>              | 2017-05-15 18:27 | Install        |    8 >
    15 | root <root>              | 2017-05-11 18:13 | Install        |    3
    14 | root <root>              | 2017-03-10 15:35 | Install        |   12
    13 | root <root>              | 2017-03-10 14:53 | Install        |    1
    12 | root <root>              | 2017-03-10 14:51 | Install        |   13
    10 | root <root>              | 2017-03-08 22:10 | Install        |    1
    10 | root <root>              | 2017-03-08 21:11 | Install        |    1
     9 | root <root>              | 2017-03-01 16:46 | Install        |    5
     8 | root <root>              | 2017-02-19 17:54 | Install        |    1
     7 | root <root>              | 2017-02-19 17:54 | Install        |    1
     6 | root <root>              | 2017-02-19 17:45 | Install        |    1
     5 | root <root>              | 2017-02-19 17:38 | Install        |    1
     4 | root <root>              | 2017-02-19 17:38 | Install        |    2
     3 | root <root>              | 2017-02-19 17:36 | Install        |    1
     2 | root <root>              | 2017-02-19 17:33 | Install        |    2
     1 | System <unset>           | 2017-02-19 17:08 | Install        |  646
history list
The latest transaction with id 19 represents the ‘yum history undo 18’ command we executed. The Action field mentions the letters D and E, indicating downgrade and erase respectively. The E in the Altered field indicates that the corresponding yum transaction finished successfully but an error or warning was displayed.
Although we could successfully roll back our system to a previous release version, I will point out that this method is not risk-free and is not recommended by Red Hat. Also, some aspects of the update will be irreversible. Therefore, caution is advised while performing this procedure.
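The undo preview in Step 3 shows why this caution matters: the rollback also pulled out ansible, ipa-client, ipa-python and krb5-workstation as dependencies and downgraded curl and libcurl. As an added example (not part of the original article), the script below parses a saved preview and flags dependency removals that are on a watch list; the function names, `WATCHLIST` and the sample text are assumptions, with the sample constructed from the Step 3 output.

```sh
# Constructed sample: the Step 3 preview, one package per line as yum prints it.
sample_preview() {
cat <<'EOF'
================================================================================
 Package                    Arch    Version              Repository        Size
================================================================================
Removing:
 kernel                     x86_64  2.6.32-696.13.2.el6  @updates         131 M
 libkadm5                   x86_64  1.10.3-65.el6        @base            207 k
 python-sss-murmur          x86_64  1.13.3-57.el6_9      @updates         5.5 k
 python2-jmespath           noarch  0.9.0-2.el6          @epel            132 k
Downgrading:
 curl                       x86_64  7.19.7-52.el6        base             197 k
 jasper-libs                x86_64  1.900.1-16.el6_6.3   base             137 k
 libcurl                    x86_64  7.19.7-52.el6        base             169 k
 openjpeg-libs              x86_64  1.3-11.el6           base              60 k
 puppet-agent               x86_64  1.10.1-1.el6         puppetlabs-pc1    29 M
 scl-utils                  x86_64  20120927-27.el6_6    base              22 k
 xorg-x11-drv-ati-firmware  noarch  7.6.1-2.el6          base             1.2 M
Removing for dependencies:
 ansible                    noarch  2.3.2.0-1.el6        @epel             27 M
 ipa-client                 x86_64  3.0.0-51.el6.centos  @base            312 k
 ipa-python                 x86_64  3.0.0-51.el6.centos  @base            4.6 M
 krb5-workstation           x86_64  1.10.3-65.el6        @base            1.0 M

Transaction Summary
EOF
}
# Print "section<TAB>package<TAB>version" for every package row of a preview on stdin.
preview_actions() {
    awk '
        /^[A-Z][A-Za-z ]*:$/ { section = substr($0, 1, length($0) - 1); next }
        /^$/ || /^Transaction Summary/ { section = ""; next }
        section != "" && /^ / {
            if (NF == 1) { pending = $1; next }   # long name wrapped onto its own line
            if (pending != "") { name = pending; ver = $2; pending = "" }
            else               { name = $1;      ver = $3 }
            print section "\t" name "\t" ver
        }'
}
# Names of the packages listed under one section ($1), space separated.
section_names() {
    preview_actions | awk -F '\t' -v s="$1" '$1 == s { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}
# Hypothetical watch list: packages whose removal would break logins or management.
WATCHLIST="ipa-client krb5-workstation sssd openssh-server"
# Watch-listed packages that the undo would remove as dependencies.
watch_hits() {
    hits=""
    for p in $(section_names "Removing for dependencies"); do
        case " $WATCHLIST " in *" $p "*) hits="$hits $p" ;; esac
    done
    echo "${hits# }"
}

echo "watch list hits: $(sample_preview | watch_hits)"
```

To use it on a real system, save the preview text that yum prints before the “Is this ok [y/N]” prompt and pipe that file into `watch_hits` before answering y.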
Sahil Suri