Uyuni Enhancement Request - CLM notifications

[heiwu]

Please add notifications about staged (CLM) channels that need to be synced to distribute (security) patches

We are using content lifecycle management and would like to know which upstream channels have updates that are relevant to our systems before we sync that channels.

Details

• In order to get updates we must sync our CLM channels. But not every package an upstream channel contains is installed on our systems, so we don't know which updates are really relevant to our systems before syncing.
• We don't want to sync our first stage (dev) on a daily basis just to get that information.
• It would be great if it is possible to see which (installed) Package has an update waiting upstream, and if it is security relevant (kind of a diff between any stage and upstream)
• for more context please see my uyuni users list thread: https://lists.opensuse.org/archives/list/users@lists.uyuni-project.org/thread/UOC6Q5RYROZXGJ7PKSR3LR722T3D2X7W/

Thanks for this great product! BR Heiner

[moio]

Hey @heiwu, thanks for this report.

I was wondering about two things:

• what client OSs are you using mainly? Are those SUSE OSs (SLE/openSUSE) or others?
• does the CVE Audit feature help you? It is designed to find applicable patches in channels including unassigned parent channels (which is what CLM uses). The limitation is, you have to know what CVE number to look for upfront. What if we lifted this limitation?

[heiwu]

Hi @moio, thanks for your feedback! Currently most of our Clients are SLES15 SP2. You are right, CVE Audit feature would only help in case of any "famous" CVE that gets special attention. But If you could enhance that function to also report all CVEs that need to be fixed by patching client systems (even if their current channels first need to be synced), that would be great! I am thinking of implementing this maybe with

• a daily report mail to uyuni admins (must be optional to avoid daily spam!)
• plus an overview in gui, showing which channels need to be updated in order to provide patches for which CVEs to which systems (similar to "System Overview"

Today we also spoke to Jörg Bunse about this feature/request, maybe he can provide further information about this?

[moio]

@heiwu I have on my to-do list a feasibility assessment - we need to make sure this is computationally feasible from a performance standpoint. Current CVE Audit searches take well under a second in normal circumstances, but just running that algorithm through the thousands of possible CVE numbers is necessarily going to take a long time.

I can also speak with Jörg, of course :wink:

[heiwu]

Sure, scanning all CVEs would be really expensive. Maybe one way could be to just scan all for the first time, save the result, and after that only scan "new" CVEs and systems (diff)? Another way could be to not only compare a system's package list to what its repos provide but also to what is available upstream? So if i have a sles15sp2 system in a CLM env "prod", i not only see which updates are available within my CLM Prod channels but also in SUSE's official upstream Channels...

[heiwu]

Hi all, @moio

any news on this one?

BR Heiner

[moio]

The topic's importance hasn't really changed, but I also do not have any news for you today, sorry.