Thread: Patching Server not connected to the Internet

  1. #1

    Patching Server not connected to the Internet

    Hello Gurus,

    I have two SUSE servers that cannot be connected to the internet due to security restrictions.

    There is a requirement to regularly patch servers with at the very least security patches and updates. Currently, both servers have not been updated since install. I would like to know what my options are to ensure that non internet connected servers are kept up to date with current updates and security fixes.

    much appreciated

  2. Re: Patching Server not connected to the Internet

    Quote Originally Posted by dlicheri
    Hello Gurus,

    I have two SUSE servers that cannot be connected to the internet due to security restrictions.

    There is a requirement to regularly patch servers with at the very least security patches and updates. Currently, both servers have not been updated since install. I would like to know what my options are to ensure that non internet connected servers are kept up to date with current updates and security fixes.

    much appreciated
    Hi and welcome to the Forum
    You could look at SMT, it does mean two servers though one internal and one external;
    https://www.suse.com/documentation/s...connected.html

    Else the other option is creating a patch cd/dvd and adding this to each system (old but still relevant AFAIK)?
    https://www.suse.com/c/creating-add-products-yast/

    Or download all the patches and create a custom repository, while this link is CVE specific it's still the same for any rpms;
    https://www.suse.com/support/kb/doc/?id=7015731
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  3. Re: Patching Server not connected to the Internet

    Hi,

    in addition to Malcolm's reference to SMT, you may also want to look into using SUSE Manager (which is a paid-for product you'd need to license, unlike SMT) if you're running an over-all larger number of servers and/or need more support for release life-cycle control.

    There are different levels of "not connected to the Internet". I.e. if you just have these servers behind a cascading firewall and limiting their connections to "internal" systems (but permanently available), then a single SUSE Manager server should be fulfilling your requirements. (your servers all go to SUSE Manager and SUSE Manager serves what it pulled from SUSE servers, aka "upstream").

    If you have a stricter policy, barring your restricted servers from network access most of the time, you could set up a so-called "ISS" server (a SUSE Manager with according configuration), which needs to be *triggered* to pull its patches from an upstream SUSE Manager server. You'd place the ISS server alongside your restricted servers, these will fetch their updates from that ISS server. On occasion, you'd open up the link so that the ISS server can pull updates from the upstream SUSE Manager, then close the link again. No automatic pulling in of things, but full control. And you're still able to maintain all basic functions (like providing your channels of *tested* versions, organizational configuration and so on) via the master SUSE Manager (and have those pulled by the ISS server as well).

    Regards,
    J
    From the times when today's "old school" was "new school"


  4. #4

    Re: Patching Server not connected to the Internet

    Many thanks to you both for your advice and contribution so far ...

    Malcolm's proposal is the only one that looks to address the patching issue as servers have no connectivity at all (no internet access and internal network is limited to secure devices only). Additionally, disk media will have to be checked and validated before it is introduced and applied to the production environment.

    The only problem I can see with implementing SMT servers is that SMT requires SUSE 12.4 (https://www.suse.com/documentation/s...connected.html) and servers in internal network are running SUSE 11.4. Is there a version of SMT that will work with SUSE 11.4 ?


    thx in advance ...
    Last edited by dlicheri; 18-Dec-2018 at 19:02.

  5. Re: Patching Server not connected to the Internet

    Quote Originally Posted by dlicheri
    Many thanks to you both for your advice and contribution so far ...

    Malcolm's proposal is the only one that looks to address the patching issue as servers have no connectivity at all (no internet access and internal network is limited to secure devices only). Additionally, disk media will have to be checked and validated before it is introduced and applied to the production environment.

    The only problem I can see with implementing SMT servers is that SMT requires SUSE 12.4 (https://www.suse.com/documentation/s...connected.html) and servers in internal network are running SUSE 11.4. Is there a version of SMT that will work with SUSE 11.4 ?


    thx in advance ...
    Hi
    Yes, the one for SLE 11 SP3, see this document and there is a download link;
    https://www.suse.com/support/kb/doc/?id=7016802

    SMT Manual: https://www.suse.com/documentation/smt11/
    Last edited by malcolmlewis; 18-Dec-2018 at 20:05. Reason: Add SLE 11 SP3 Manual link
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
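
Added example, not part of the original thread: one way to check patch media before it enters the isolated network and then expose it as the custom repository mentioned above. It assumes a SHA-256 manifest was generated on the connected download host and travels separately from the media; the path /srv/patches and the alias local-patches are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). The manifest is assumed to be created on
# the connected download host with:  sha256sum *.rpm > MANIFEST.sha256
# and carried to the secure side separately from the patch media.

verify_media() {
    # $1 = directory of RPMs on the media, $2 = trusted copy of the manifest
    local dir=$1 manifest=$2 f name
    if [ ! -d "$dir" ] || [ ! -s "$manifest" ]; then
        echo "usage: verify_media <rpm-dir> <manifest>" >&2
        return 2
    fi
    # 1. Every file named in the manifest must be present with a matching hash.
    if ! (cd "$dir" && sha256sum -c - >/dev/null) < "$manifest"; then
        echo "REJECT: checksum mismatch or missing file" >&2
        return 1
    fi
    # 2. Nothing may ride along: every RPM on the media must be in the manifest.
    for f in "$dir"/*.rpm; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { ok = 1 } END { exit !ok }' "$manifest"; then
            echo "REJECT: $name is not listed in the manifest" >&2
            return 1
        fi
    done
    return 0
}

import_repo() {
    # Run on the isolated server only after verify_media returned 0.
    # $1 = absolute path of the copied RPM directory (hypothetical: /srv/patches)
    rpm --checksig "$1"/*.rpm || return 1      # vendor signature; keys must be in the rpm db
    createrepo "$1" || return 1                # generate repository metadata
    zypper addrepo "dir://$1" local-patches    # alias "local-patches" is made up here
}

if [ "$#" -eq 2 ]; then
    verify_media "$1" "$2"
fi
```

A repository built this way from plain RPMs carries package metadata only, so updates are applied with `zypper update` rather than by patch name.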