Jump down to The Easy Installation and copy the commands! Skip the rest!
Patches is a container-based, offline repository with a web frontend that hosts all of Dell's PowerEdge patches. What it gives you:
Beta: In the full release we will add the ability to disable cert checking but for the beta it is force enabled. Patches is primarily designed to integrate into an existing PKI infrastructure.
Patches can be run on any *nix system that supports podman, but all testing was done on, and the instructions were written for, Rocky Linux, and we strongly suggest this be the operating system of choice for Patches.
We have tested on Rocky Linux 9.2.
Any RHEL-based system should work out of the box. Please post an issue if you encounter issues.
Rocky Linux is the spiritual successor to previous iterations of CentOS. It is available here.
We recommend you use the Minimal distribution.
If you need to apply STIGs for your organization Rocky Linux comes with an option in the installer to automatically STIG the operating system. See this official Rocky Linux guide for how to create a STIG-hardened Rocky instance automatically.
Note: At the time of writing the docs only mention Rocky Linux 8, but it is available for Rocky Linux 9 as well.
Due to recent changes in the STIGs and FIPS some functionality no longer works.
These are the minimums
After initial setup nothing in Patches runs as sudo. Everything runs as user and in fact, if desired, you can run the entire installation as user without ever elevating to sudo. This includes the podman instance that powers Patches.
Patches can run on a shoestring server, but the installer checks that you have at least 80 GB of free space during the installation. Note: this does not mean the hard drive must be 80 GB in size; there must be 80 GB of free space at runtime.
It is not important that you understand this to use Patches, but it is provided here for those who want to understand a bit behind how it works without reading the code. Patches consists of the following Podman containers:
If you are on RHEL-family systems, including Rocky, you can copy and paste this code into your terminal to run Patches and skip right to the section Before You Run Setup:
If your system is STIG'd, you need to paste each command separately!
sudo wget https://raw.githubusercontent.com/dell/patches/main/bootstrap.sh
sudo chown $(logname):$(id -gn $(logname)) ./bootstrap.sh
sudo bash ./bootstrap.sh
sudo chown -R $(whoami) /path/to/patches
Run sudo dnf update -y && sudo dnf install -y podman and then reboot with sudo reboot. The reboot just makes avoiding permissions / kernel issues easy because that information is reread on boot.
Run podman run hello-world as your user to test your privileges. If this does not run correctly, Patches will not run correctly.
WARNING: If you are SSH'ing to your server, make sure you SSH as a user and not root. If you SSH as root and then su to user, podman will issue ERRO[0000] XDG_RUNTIME_DIR directory "/run/user/0" is not owned by the current user. This happens because the user that originally set up /run is root rather than your user.
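A pre-flight check for the prerequisites above (an unprivileged session, a runtime directory owned by that user, 80 GB free, podman installed), as an added example that is not part of the Patches project. The function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of Patches): pre-flight checks for the rootless
# podman prerequisites described above. Function names are hypothetical.

# Succeeds when directory $1 exists and is owned by numeric uid $2.
# After "ssh root@host" and then "su user", XDG_RUNTIME_DIR still points at
# /run/user/0 (owned by root), so this check fails for the user.
runtime_dir_ok() {
    [ -n "$1" ] && [ -d "$1" ] &&
        [ "$(ls -dn "$1" | awk '{ print $3 }')" = "$2" ]
}

# Prints the free space, in whole GB, on the filesystem holding path $1.
free_gb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024 / 1024) }'
}

# Succeeds when the filesystem holding $1 has at least $2 GB free.
enough_space() {
    [ "$(free_gb "$1")" -ge "$2" ]
}

# Checks the current session; $1 is the install path (default: $HOME).
# Prints one line per problem and returns the number of problems found.
preflight() {
    pf_path=${1:-${HOME:-/}}
    pf_fail=0
    if [ "$(id -u)" -eq 0 ]; then
        echo "FAIL: session is root; log in directly as the unprivileged user"
        pf_fail=$((pf_fail + 1))
    fi
    if ! runtime_dir_ok "${XDG_RUNTIME_DIR:-}" "$(id -u)"; then
        echo "FAIL: XDG_RUNTIME_DIR '${XDG_RUNTIME_DIR:-}' is not owned by $(id -un)"
        pf_fail=$((pf_fail + 1))
    fi
    if ! enough_space "$pf_path" 80; then
        echo "FAIL: less than 80 GB free under $pf_path"
        pf_fail=$((pf_fail + 1))
    fi
    if ! command -v podman >/dev/null 2>&1; then
        echo "FAIL: podman not found in PATH"
        pf_fail=$((pf_fail + 1))
    fi
    return "$pf_fail"
}

preflight "$@" || echo "Resolve the items above before running Patches setup."
```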
At a minimum, ports 443 and 8080 must be open on the server. We recommend opening 80 and 443 so that users who inadvertently go to 80 are redirected automatically to 443. On Rocky Linux/RHEL this is done with sudo firewall-cmd --zone=public --add-port=80/tcp --add-port=443/tcp --add-port=8080/tcp --permanent && sudo firewall-cmd --reload
Only applicable if you plan on using your own certificates/keys
Patches has its own certs that it generates and uses with its own internal PKI infrastructure. Required certs:
Patches accepts certificates in two formats, PEM and PKCS#12.
If you are using PEM, you will need two PEM files. The first must include at least the root CA's certificate. The second must include the certificate and private key for the patches server itself.
Examples of the certificates are in rootca.pem and patches.pem
If you are using PKCS#12, you only need the PKCS#12 file including both the server cert and its certificate chain.
To import keys, change to the patches/podman-build directory and run bash patches.sh import-keys <your_pkcs#12 file> or bash patches.sh import-keys <root_ca.pem> <patches_server_cert.pem>.
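A structural check of the two PEM files before handing them to import-keys, as an added example that is not part of the Patches project. The function names, the "exactly one private key" rule and the file-permission check are assumptions of this example, and the sample files are constructed placeholders, not real keys or certificates.

```shell
#!/bin/sh
# Added example (not part of Patches): structural check of the two PEM files
# passed to "patches.sh import-keys". Function names are hypothetical.

# Prints how many PEM blocks in file $1 carry a label matching the ERE $2.
pem_count() {
    grep -Ec -- "^-----BEGIN ($2)-----" "$1" || true
}

# $1 = root CA PEM, $2 = server PEM. Returns 0 when $1 holds at least one
# certificate and $2 holds a certificate plus exactly one private key.
check_pem_pair() {
    key_re='(RSA |EC |ENCRYPTED )?PRIVATE KEY'
    for f in "$1" "$2"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    done
    [ "$(pem_count "$1" CERTIFICATE)" -ge 1 ] ||
        { echo "$1: no CERTIFICATE block (root CA certificate missing)"; return 1; }
    [ "$(pem_count "$2" CERTIFICATE)" -ge 1 ] ||
        { echo "$2: no CERTIFICATE block (server certificate missing)"; return 1; }
    [ "$(pem_count "$2" "$key_re")" -eq 1 ] ||
        { echo "$2: expected exactly one private key block"; return 1; }
    # Extra hygiene check of this example, not a Patches requirement:
    # the file holding the private key must not be open to group or others.
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] ||
        { echo "$2: private key file is accessible to group/others"; return 1; }
    return 0
}

# Appends a constructed PEM block (placeholder body, not a real key or
# certificate) with label $1 to file $2.
fake_pem() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----" >> "$2"
}

# Demo on constructed files in a private temporary directory.
demo_dir=$(mktemp -d)
fake_pem CERTIFICATE "$demo_dir/rootca.pem"
fake_pem CERTIFICATE "$demo_dir/patches.pem"
fake_pem 'PRIVATE KEY' "$demo_dir/patches.pem"
chmod 600 "$demo_dir/patches.pem"
check_pem_pair "$demo_dir/rootca.pem" "$demo_dir/patches.pem" && echo "layout OK"
```

A structural pass does not prove the chain; on real files, openssl verify -CAfile rootca.pem patches.pem checks that the server certificate chains to the root.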
This will only work for new root CA certs. If you want to change the PKI infrastructure you must run bash podman-build/patches generate-certificates or bash podman-build/patches import-keys <args>
The purpose of this function is that you need to add new root CA certs AFTER deploying patches to cover a new user base. It is not meant to import certificates on initial install.
./server_certs/root_certs
bash podman-build/patches stop && bash podman-build/patches start to restart the service
The file config.yml controls all installation/setup settings. You can leave the defaults but we recommend you browse through the settings.
Anything outside of the Developer Options is meant for user configuration.
If you are not using your own certificates, Patches provides a built in Certificate Authority (CA) which allows users to generate their own user certificates. The certificate properties are enumerated in the section clients of config.yml. If you are not using an existing CA, you will need to update these fields with your user data.
One of these users should have a name that matches the name selected for PATCHES_ADMINISTRATOR.
Log into your Linux server and browse to the patches/podman-build directory. Run bash patches.sh setup and follow the onscreen prompts.
It's that simple. After the setup completes patches will be up, running, and available.
Patches will automatically pull and build the entire PowerEdge catalog. If this is what you need then this is not necessary.
If you need to pull specific patches there are detailed instructions for manually pulling repositories located at Download Repositories with Dell Repository Manager
If you have already downloaded and exported the repository, run bash <your_patches_directory>/podman-build/patches.sh import-repository to import a new repo. Follow the prompts to import the repo.
If you used Patches to generate user certificates, you will need to download the correct certs and add them to your browser to connect to Patches.
If you used Patches to set up your certs, they will all be in the folder <your_path_to_patches>/server_certs.
<your_path_to_patches>/server_certs to your desktop. If you are running Windows you can do this with WinSCP.
<path_to_patches>/server_certs/root_certs folder. At the top of the window click Trusted Root Certification Authorities
root_certs/<your_root_CA>.crt and add it to your certificate store. You can place it in the default store and say yes when prompted if you are sure.
The admin panel is available to the user configured as PATCHES_ADMINISTRATOR. You can also add additional admin users with bash patches/podman-build/patches.sh add-admin <username>
To access the admin panel you must be using a cert whose common name matches an administrator. When you do this the "Admin Dashboard" button will appear in the top right of the UI.
Run <your_patches_directory>/podman-build/patches.sh pull-patches
This is incremented when we make changes that are not compatible with previous versions, such as significant API changes or the introduction of major new features. Updating the MAJOR version indicates that users may need to modify their code or adjust their integrations to work with the new version.
This is incremented when we add new functionality to the software in a way that is backward-compatible. It signifies the introduction of new features or enhancements that users can take advantage of without needing to make any changes to their existing code or integrations.
This is incremented when we make bug fixes or address issues in a backward-compatible manner. It indicates that the software has undergone improvements or fixes, ensuring a more stable and reliable experience for users. Updating the PATCH version does not introduce any new features or require modifications to existing code.
See DEBUGGING.md
Grant Curell grant_curell AT dell DOT com is the current maintainer.