Apply Linux Security Patches
Self-hosted Orchestrator users need to apply Linux security patches. Orchestrator-as-a-Service (OaaS) users do not need to apply Linux security patches. Linux security patches are automatically applied for OaaS users via the Cloud Portal.
NOTE: To apply Orchestrator security patches (including CVE fixes), you must upgrade Orchestrator. See Upgrade Orchestrator or Stats Collectors for details.
Prerequisites
- Before you update Linux security patches, ensure that the operating system of the host is running Rocky Linux v9 or later. If you are running a release that is not built on Rocky Linux, you must migrate from CentOS to Rocky Linux. See Migrate CentOS to Rocky Linux for details.
  NOTE: Orchestrator releases 9.1.10+, 9.2.10+, 9.3.3+, and 9.4.2+ are built on Rocky Linux. Other releases of Orchestrator are built on CentOS. CentOS will no longer receive security updates or patches after June 30, 2024. If you have an Orchestrator version earlier than those listed in this note, the following steps in this topic will apply Linux security patches up to June 30, 2024.
- Ensure that you have a recent backup of Orchestrator before you apply Linux security patches. If you do not have a recent backup of Orchestrator, see Back Up on Demand.
- The following URLs (required for Linux updates) must be reachable. This is not a complete list and is subject to change.
  - mirrors.fedoraproject.org
  - mirrors.rockylinux.org
  - dl.rockylinux.org
  - codecs.fedoraproject.org
  - dl.fedoraproject.org
Apply Linux Security Patches (with Internet Access)
If your Orchestrator VM has internet access, complete the following steps to apply Linux security patches.
- Log in to the Orchestrator as admin. You must know the sudo password.
- Do one of the following depending on whether FIPS mode is enabled on Orchestrator.
  HINT: Run “fips-mode-setup --check” to see if FIPS mode is enabled on Orchestrator.
  - If FIPS mode is not enabled on Orchestrator, do the following:
    - Enter /home/gms/gms/orch-setup -p
    - Enter the admin password. Admin user has sudo privileges.
    - If you have a recent backup of Orchestrator, enter y to proceed. The patch might take a while to complete.
  - If FIPS mode is enabled on Orchestrator, do the following:
    - Enter sudo -s
    - Enter the admin password. The Transaction Summary displays and notes the number of packages to install, upgrade, and remove.
    - Enter yum update to update the patches in the packages.
      WARNING: Run “yum update” at your own discretion.
    - Review the download size and enter y to continue.
- Enter sudo reboot to reboot Orchestrator.
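A pre-flight script for the prerequisites and the FIPS branch above, as an added example that is not part of the vendor documentation. It assumes curl is available on the host, that an HTTPS probe on port 443 is an adequate reachability test, and that fips-mode-setup --check prints "FIPS mode is enabled." or "FIPS mode is disabled."; the function names are hypothetical.

```sh
#!/bin/sh
# Pre-flight checks before applying Linux patches (added example, not vendor code).

# Hosts this page lists as required for Linux updates (not a complete list).
HOSTS="mirrors.fedoraproject.org mirrors.rockylinux.org dl.rockylinux.org
codecs.fedoraproject.org dl.fedoraproject.org"

# Succeeds if the given os-release file describes Rocky Linux 9 or later.
is_rocky9_or_later() {
    id=$(sed -n 's/^ID=//p' "$1" | tr -d '"')
    major=$(sed -n 's/^VERSION_ID=//p' "$1" | tr -d '"' | cut -d. -f1)
    [ "$id" = "rocky" ] && [ "${major:-0}" -ge 9 ] 2>/dev/null
}

# Probe one host over HTTPS. Assumption: port 443 is what the update tools use.
probe() {
    curl -sS --max-time 10 -o /dev/null "https://$1/" 2>/dev/null
}

# Print every host from $HOSTS that probe() could not reach.
unreachable_hosts() {
    for h in $HOSTS; do
        probe "$h" || echo "$h"
    done
}

# Map the output of "fips-mode-setup --check" to the branch on this page.
# Assumption: the tool prints "FIPS mode is enabled." or "FIPS mode is disabled."
patch_path() {
    case "$1" in
        *"FIPS mode is enabled"*)  echo "FIPS enabled: sudo -s, then yum update" ;;
        *"FIPS mode is disabled"*) echo "FIPS not enabled: /home/gms/gms/orch-setup -p" ;;
        *)                         echo "unknown: check FIPS mode manually" ;;
    esac
}

main() {
    rc=0
    is_rocky9_or_later /etc/os-release || { echo "FAIL: host is not Rocky Linux 9 or later"; rc=1; }
    missing=$(unreachable_hosts)
    [ -z "$missing" ] || { echo "FAIL: unreachable hosts:" $missing; rc=1; }
    echo "Patch procedure: $(patch_path "$(fips-mode-setup --check 2>&1)")"
    return $rc
}

# Run the checks only when asked, so the functions can be sourced on their own.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as admin with the --run argument before starting the patch; a non-zero exit status means a prerequisite check failed.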
Apply Linux Security Patches (Without Internet Access)
If your Orchestrator VM does not have internet access, complete the following steps to apply Linux patches:
- Download the required RPM packages from HPE Aruba Networking Support Portal or relevant Linux distribution site (for example, Red Hat, Fedora, Rocky Linux, and so on) on a system that has internet access.
- Move or copy the downloaded RPM packages to a repository server inside the network that the Orchestrator VM can access.
- On the Orchestrator VM, run sudo yum localinstall <packagename>.rpm, where <packagename> is the name of the RPM package, or point yum to the internal repository where you saved the RPM package to install the updates.
- Enter the admin password. Admin user has sudo privileges.
- Enter sudo reboot to reboot Orchestrator.