fix-cves
Command to fix the CVEs listed in an advisory
usage: pubtools-pulp-fix-cves [-h] [--debug] [--udcache-url UDCACHE_URL]
                              [--udcache-user UDCACHE_USER]
                              [--udcache-password UDCACHE_PASSWORD]
                              [--cdn-url CDN_URL] [--cdn-cert CDN_CERT]
                              [--cdn-key CDN_KEY] [--cdn-ca-cert CDN_CA_CERT]
                              [--cdn-arl-template [CDN_ARL_TEMPLATE [CDN_ARL_TEMPLATE ...]]]
                              [--fastpurge-host FASTPURGE_HOST]
                              [--fastpurge-client-token FASTPURGE_CLIENT_TOKEN]
                              [--fastpurge-client-secret FASTPURGE_CLIENT_SECRET]
                              [--fastpurge-access-token FASTPURGE_ACCESS_TOKEN]
                              [--fastpurge-root-url FASTPURGE_ROOT_URL]
                              [--pulp-url PULP_URL] [--pulp-user PULP_USER]
                              [--pulp-password PULP_PASSWORD]
                              [--pulp-certificate PULP_CERTIFICATE]
                              [--pulp-certificate-key PULP_CERTIFICATE_KEY]
                              [--pulp-insecure]
                              [--pulp-throttle PULP_THROTTLE] [--pulp-fake]
                              [--clean] [--force] [--advisory ADVISORY]
                              [--cves CVES]
Named Arguments
- --debug, -d
Show debug logs; can be provided up to three times to enable more logs
Default: 0
- --advisory
Advisory to fix, e.g. --advisory RHXA-1234:56
- --cves
The full list of desired CVEs for the advisory, including both the existing CVEs and the new ones. The advisory's current list of CVEs will be overwritten by the provided list. E.g. --cves CVE-987,CVE-456 or --cves CVE-987 --cves CVE-456
Unified Downloads Cache environment
- --udcache-url
Base URL of UD cache flush API; if omitted, UD cache flush features are disabled.
- --udcache-user
Username for UD cache flush
- --udcache-password
Password for UD cache flush (or set UDCACHE_PASSWORD)
Default: ""
CDN Client environment
- --cdn-url
Base URL of CDN; if omitted, the CDN won't be queried for special data (e.g. headers for ARLs)
- --cdn-cert
Client certificate for CDN client
- --cdn-key
Client key for CDN client
- --cdn-ca-cert
CA certificate for CDN
- --cdn-arl-template
ARL template used for flushing cache by ARL
Default: []
Akamai FastPurge environment
- --fastpurge-host
FastPurge hostname (xxx.purge.akamaiapis.net)
- --fastpurge-client-token
FastPurge client token
- --fastpurge-client-secret
FastPurge client secret (or set FASTPURGE_SECRET environment variable)
Default: ""
- --fastpurge-access-token
FastPurge access token
- --fastpurge-root-url
Root URL of CDN for all cache purges (or set FASTPURGE_ROOT_URL environment variable). If omitted, FastPurge features are disabled.
Default: ""
Pulp environment
- --pulp-url
Pulp server URL
- --pulp-user
Pulp username
- --pulp-password
Pulp password (or set PULP_PASSWORD environment variable)
- --pulp-certificate
Pulp certificate. Can also be a single file (.pem)
- --pulp-certificate-key
Pulp certificate key
- --pulp-insecure
Allow unverified HTTPS connection to Pulp
Default: False
- --pulp-throttle
Allows only the specified number of Pulp tasks to be enqueued or running at one time (or set PULP_THROTTLE environment variable)
- --pulp-fake
Use a fake in-memory Pulp client rather than interacting with a real server. For development/testing only, may have limited functionality.
Default: False
Publish options
Options affecting the behavior of Pulp repo publishes.
- --clean
Attempt to delete remote content not in the repo
Default: False
- --force
Force publish of repos even if Pulp thinks nothing has changed
Default: False
Example
A typical invocation of fix-cves would look like this:
pubtools-pulp-fix-cves \
  --pulp-url https://pulp.example.com/ \
  --pulp-user admin \
  --pulp-password XXXXX \
  --advisory RHXA-123:45 \
  --cves CVE-123,CVE-345
The listed CVEs will be set on the advisory, and the updated advisory will be uploaded to one randomly picked repo from the list of repos the advisory belongs to. All of those repos will then be published.
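Because --cves overwrites the advisory's current CVE list, the value passed has to be the union of the existing and the new IDs. The shell helper below is an added example, not part of pubtools-pulp: merge_cves and print_fix_cves_cmd are hypothetical names, the existing list is assumed to be supplied by the operator, and the ID check is deliberately loose so that the placeholder IDs used on this page pass. It also leaves out --pulp-password and relies on the PULP_PASSWORD environment variable described above.

```shell
#!/bin/sh
# Added example, not part of pubtools-pulp.
# --cves overwrites the advisory's CVE list, so the value passed must be the
# union of the IDs already on the advisory and the IDs being added.

# merge_cves EXISTING NEW
#   Both arguments are comma-separated CVE IDs; either may be empty.
#   Prints the de-duplicated union (existing IDs first) on stdout.
#   Exits non-zero, printing nothing on stdout, on a malformed ID or empty result.
merge_cves() (
    set -f          # no globbing while splitting (subshell body: local effect)
    IFS=', '        # split on commas, tolerate spaces after them
    set -- $1 $2    # unquoted on purpose: one positional parameter per ID
    merged=""
    for id in "$@"; do
        case $id in
            '') continue ;;                         # empty field, e.g. "a,,b"
            CVE-*[!0-9-]* | CVE-*-) bad=1 ;;        # stray characters or trailing '-'
            CVE-[0-9]*) bad=0 ;;
            *) bad=1 ;;                             # wrong prefix or wrong case
        esac
        if [ "$bad" -eq 1 ]; then
            echo "malformed CVE id: $id" >&2
            exit 1
        fi
        case ",$merged," in
            *",$id,"*) ;;                           # duplicate, keep first
            *) merged=${merged:+$merged,}$id ;;
        esac
    done
    [ -n "$merged" ] || { echo "refusing to send an empty CVE list" >&2; exit 1; }
    printf '%s\n' "$merged"
)

# print_fix_cves_cmd ADVISORY EXISTING NEW
#   Prints (does not run) the command. --pulp-password is omitted: export
#   PULP_PASSWORD instead so the secret stays out of the process list.
print_fix_cves_cmd() {
    cves=$(merge_cves "$2" "$3") || return 1
    printf '%s --pulp-url %s --pulp-user %s --advisory %s --cves %s\n' \
        pubtools-pulp-fix-cves https://pulp.example.com/ admin "$1" "$cves"
}

# Constructed sample: the advisory lists CVE-987 and CVE-456 is being added.
print_fix_cves_cmd RHXA-1234:56 'CVE-987' 'CVE-456'
```

Review the printed command before running it; a malformed ID or an empty merged list stops the helper before any command line is produced.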
Example: with cache flush
If the Pulp server is configured to publish to Akamai CDN, cache flush may be enabled by providing --fastpurge-root-url, so that after the publish the Akamai cache is cleared and serves the updated advisory. If the repo is listed for Unified Downloads, UD cache flush may be enabled with --udcache-url.
pubtools-pulp-fix-cves \
  --pulp-url https://pulp.example.com/ \
  --pulp-user admin \
  --pulp-password XXXXX \
  --fastpurge-root-url https://cdn.example.com/ \
  --udcache-url https://ud.example.com/ \
  --advisory RHXA-123:45 \
  --cves CVE-123,CVE-345
Once the advisory is updated and the related repos are published, caches will be cleared for the provided URLs.