我知道官方的 CentOS 6(甚至 7)更新存储库不提供安全信息。结果是yum-plugin-security
插件和yum check-update --security
命令没有列出任何更新,如 onRHEL
或OEL
distros。
有一个很好的剧本生成更新信息它能够将缺失的安全信息注入本地yum
存储库。该插件甚至可以在 CentOS 上运行。
不幸的是,我遇到了一个小问题。我不确定问题出在脚本上还是工作方式上yum
。
如何重现该问题(在 CentOS 6.8、x86_64 上测试,但在我看来,以前/较新的版本也存在同样的问题):
- 首先,让我们清理一切,从干净的桌子开始
yum clean all
- 看看有哪些可用的安全更新(系统不是最新的)
yum check-update --security ... 56 package(s) needed for security, out of 28 available kernel.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-devel.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-firmware.noarch 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-headers.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates libtiff.x86_64 3.9.4-21.el6_8 local-centos-6-x86_64-updates openssl.x86_64 1.0.1e-48.el6_8.4 local-centos-6-x86_64-updates sudo.x86_64 1.8.6p3-25.el6_8 local-centos-6-x86_64-updates
- 现在,让我们安装 eg
squid
包
yum install -y squid ... Resolving Dependencies --> Running transaction check ---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be installed --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================================== Package Arch Version Repository Size ==================================================================================================================== Installing: squid x86_64 7:3.1.23-16.el6_8.6 lp-centos-6-x86_64-updates 1.8 M Transaction Summary ==================================================================================================================== Install 1 Package(s) Total download size: 1.8 M Installed size: 6.3 M Downloading Packages: squid-3.1.23-16.el6_8.6.x86_64.rpm | 1.8 MB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Warning: RPMDB altered outside of yum. Installing : 7:squid-3.1.23-16.el6_8.6.x86_64 1/1 Verifying : 7:squid-3.1.23-16.el6_8.6.x86_64 1/1 Installed: squid.x86_64 7:3.1.23-16.el6_8.6 Complete!
- 我想测试软件包的更新,因此我们先尝试降级它
yum downgrade -y squid ... Resolving Dependencies --> Running transaction check ---> Package squid.x86_64 7:3.1.23-16.el6_8.5 will be a downgrade ---> Package squid.x86_64 7:3.1.23-16.el6_8.6 will be erased --> Finished Dependency Resolution Dependencies Resolved ==================================================================================================================== Package Arch Version Repository Size ==================================================================================================================== Downgrading: squid x86_64 7:3.1.23-16.el6_8.5 lp-centos-6-x86_64-updates 1.8 M Transaction Summary ==================================================================================================================== Downgrade 1 Package(s) Total download size: 1.8 M Downloading Packages: squid-3.1.23-16.el6_8.5.x86_64.rpm | 1.8 MB 00:00 Running rpm_check_debug Running Transaction Test Transaction Test Succeeded Running Transaction Installing : 7:squid-3.1.23-16.el6_8.5.x86_64 1/2 Cleanup : 7:squid-3.1.23-16.el6_8.6.x86_64 2/2 Verifying : 7:squid-3.1.23-16.el6_8.5.x86_64 1/2 Verifying : 7:squid-3.1.23-16.el6_8.6.x86_64 2/2 Removed: squid.x86_64 7:3.1.23-16.el6_8.6 Installed: squid.x86_64 7:3.1.23-16.el6_8.5 Complete!
- 我们最好再检查一下它安装了什么
rpm -qa | grep -i squid squid-3.1.23-16.el6_8.5.x86_64
- 目前,我预计当我再次检查安全更新时,该
squid
软件包应该会被重新列出,但事实并非如此
yum check-update --security ... 56 package(s) needed for security, out of 28 available kernel.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-devel.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-firmware.noarch 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates kernel-headers.x86_64 2.6.32-642.15.1.el6 local-centos-6-x86_64-updates libtiff.x86_64 3.9.4-21.el6_8 local-centos-6-x86_64-updates openssl.x86_64 1.0.1e-48.el6_8.4 local-centos-6-x86_64-updates sudo.x86_64 1.8.6p3-25.el6_8 local-centos-6-x86_64-updates
- 让我们看看系统上安装了哪些 squid 勘误表。这有点奇怪。从上面,我可以看到 squid 被降级为
squid-3.1.23-16.el6_8.5.x86_64
(CEBA_2016__1412 bugfix
),但squid-3.1.23-16.el6_8.6.x86_64
(CESA_2016__1573
) 似乎仍被标记为已安装
yum updateinfo list all | grep squid-3 i CESA_2011__1791 Moderate/Sec. squid-3.1.10-1.el6_2.1.x86_64 i CEBA_2012__0122 bugfix squid-3.1.10-1.el6_2.2.x86_64 i CEBA_2012__0470 bugfix squid-3.1.10-1.el6_2.3.x86_64 i CEBA_2012__0557 bugfix squid-3.1.10-1.el6_2.4.x86_64 i CEBA_2012__1290 bugfix squid-3.1.10-9.el6_3.x86_64 i CESA_2013__0505 Moderate/Sec. squid-3.1.10-16.el6.x86_64 i CEBA_2013__0985 bugfix squid-3.1.10-18.el6_4.x86_64 i CEBA_2013__1396 bugfix squid-3.1.10-19.el6_4.x86_64 i CEBA_2014__0048 bugfix squid-3.1.10-20.el6_5.x86_64 i CESA_2014__0597 Moderate/Sec. squid-3.1.10-20.el6_5.3.x86_64 i CESA_2014__1148 Important/Sec. squid-3.1.10-22.el6_5.x86_64 i CEBA_2014__1446 bugfix squid-3.1.10-29.el6.x86_64 i CEBA_2015__1314 bugfix squid-3.1.23-9.el6.x86_64 i CEBA_2016__0896 bugfix squid-3.1.23-16.el6.x86_64 i CESA_2016__1138 Moderate/Sec. squid-3.1.23-16.el6_8.4.x86_64 i CEBA_2016__1412 bugfix squid-3.1.23-16.el6_8.5.x86_64 i CESA_2016__1573 Moderate/Sec. squid-3.1.23-16.el6_8.6.x86_64
- 当我尝试获取有关该勘误表的信息时,什么也没有
yum update info CESA_2016__1573 --- NOTHING NOTHING NOTHING ---
- 当我尝试列出所有勘误表但 grep 那个时我可以看到它
yum updateinfo info all | grep CESA_2016__1573 -B3 -A8 =============================================================================== Moderate CentOS squid Security Update =============================================================================== Update ID : CESA_2016__1573 Release : CentOS 6 Type : security Status : stable Issued : 2016-08-04 12:51:39 Description : Moderate CentOS squid Security Update Severity : Moderate Installed : true
我想指出的是,我在 RHEL6 上测试了这种情况(降级/升级),并且它有效。我也尝试squid
直接安装旧版本的软件包以避免降级/升级顺序,但结果也是一样的。而且问题不仅仅与软件包有关squid
。基本上,我可以用任何软件包重现这个问题。我还尝试yum
在软件包降级后清理缓存,但没有帮助。
知道哪里出了问题吗?!为什么它被标记为已安装,但实际上并未安装?!在 RHEL6 上测试时,我发现它未安装,然后它被包含在要更新的软件包列表中。
谢谢您的回答。