Errata for Debian-based systems in orcharhino
orcharhino release 4.0.0 brought not only a completely revised interface but also another long-awaited feature: errata management for Debian or Ubuntu hosts.
We are thus setting a new milestone in orcharhino development. We have been working continuously on expanding Debian/Ubuntu support for over a year now. You can find a brief overview of this here.
The perfect day for the presentation of the newly integrated errata support for Debian-based systems was of course the Open Source Automation Day last October.
Excursus:
Errata are, so to speak, leaflets that offer a solution to a known problem. An erratum tells the admin which packages need to be updated to eliminate a (security) problem.
In the Debian world, the concept of errata is not very common. The usual approach here is the regular automatic installation of all updates from “debian-security” (or “ubuntu-security”). However, this approach is questionable, especially for servers in a mission-critical environment: you should think very carefully about whether you really want packages like “nginx” or “openssl” to be installed or updated automatically overnight on all production web servers of a web application.
Since the release of orcharhino 4.0.0, the admin now has full control over the Debian / Ubuntu systems managed by orcharhino. He can now specifically decide which servers should receive which security updates and at what time. Errata support for Debian / Ubuntu systems allows us to provide significant support to every admin via a uniform interface.
Configuring the Debian/Ubuntu errata feature is extremely simple: Debian/Ubuntu security updates are provided via the “debian-security” (or “ubuntu-security”) repository. You add the errata to this repository by setting the “Errata URL: https://dep.atix.de/dep/api/v1/debian”. The errata information for Debian or Ubuntu is prepared via this URL and made available to orcharhino in a machine-readable format. The number of errata in a repository is then displayed on the overview page of the repositories present in a product.
The errata will be processed the next time the repository is synchronized.
In addition, orcharhino automatically calculates whether an existing Debian / Ubuntu host is affected by an erratum. This answers the question of whether the erratum needs to be installed on the host in order to solve the (security) problem that has arisen.
In the orcharhino Management UI you can display a list of all errata. This can also be limited to applicable or installable errata for the existing Debian/Ubuntu hosts.
If you select an erratum directly, you will receive additional information such as a detailed description, affected packages, corresponding CVEs (Common Vulnerabilities and Exposures), affected hosts, etc. This overview list can also be used to initiate the installation of errata on one or more affected hosts.
If you select an affected host, the errata for that Debian / Ubuntu host are displayed. Of course, the installation of one or more errata can also be started here. orcharhino checks whether the installation requires the creation of an incremental Content View version. This contains all the erratum packages. The erratum can now be installed on the host using the RemoteExecution plugin that is available as standard in version 4.0.0.
By managing errata for Debian-based systems in orcharhino, we have succeeded in completing Debian / Ubuntu support. Of course, we will continue to develop this further and report on it.
Bernhard Suttner