How to secure channels created with spacewalk-create-channel?

Question

Does spacewalk-create-channel (RHN Satellite) create channels without security updates?

spacewalk-create-channel --user=username --password=password -v 5 -r Server -u U7 -a i386 --destChannel=rhel-i386-server-5.7 .N "rhel-i386-server-5.7"

Release date of RHEL 5.7:

• RHEL 5.7, also termed Update 7, 2011-07-21 (kernel 2.6.18-274)

Does that mean a created channels with the spacewalk-create-channel methods don't have package updates since the RHEL 5.7 release (2011-07-21)?

How to secure a RHEL 5.7 i386 channel created with spacewalk-create-channel without updating to RHEL 5.9-latest?

Answer 1

If you want security updates, you must do either one of two things:

• Always update to the latest service pack, currently 5.9.

  RHEL subscriptions normally receive security and bug fix updates against the latest minor release only. However, Red Hat does offer backporting:

• Purchase Extended Update Support for the specific minor release you want to remain on.

  Red Hat offers the Extended Update Support (EUS) Add-On to a Red Hat Enterprise Linux subscription for those customers who wish to standardize on a specific minor release for an extended period of time. The EUS Add-On allows customers the flexibility to decide when to take advantage of new Red Hat Enterprise Linux features, including new hardware enablement.

  Under a Red Hat Enterprise Linux subscription, all available RHSAs and RHBAs are provided for the current active minor release until the availability of the next minor release. By contrast, EUS delivers—for a specific minor release—an independent, extended stream of those Critical Impact RHSAs and selected Urgent Priority RHBAs that are available after that specific minor release and in parallel to subsequent minor releases. For EUS subscribers, Red Hat generally will continue to proactively provide Critical Impact RHSAs independent of customer requests if and when available.

  Note that some minor releases prior to 6.0 do not have Extended Update Support available (and 5.7 is one of these).

See Red Hat Enterprise Linux Lifecycle for more information.

You should also spend about an hour yelling at the idiot vendor who says you have to remain on 5.7.

Answer 2

When running the spacewalk-create-channel command, you get a static channel with packages based on the options you provide. You can always then manually clone or push in packages and security errata from other channels to it, but then you might end up having a hard time keeping track of what's in the channel...

Does that mean a created channels with the spacewalk-create-channel methods don't have package updates since the RHEL 5.7 release (2011-07-21)? 

yes.

How to secure a RHEL 5.7 i386 channel created with spacewalk-create-channel without updating to RHEL 5.9-latest?

This is a bit tricky.

I'm guessing it's a vendor requiring a specific minor release or something?. Anyway the package saying what release of Red Hat you are running is the one named redhat-release, and I have seen people entering the /etc/yum.conf and adding:

exclude=redhat-release*

You could then move the system to a 5.9 channel in the spacewalk and run a yum upgrade. Then you will have an updated system which will say that it is a 5.7. However I don't think that this is such a good idea, because then you will be running on something which vendor QA probably has not tested. On the other hand, that is the case with a 5.7 system which have been upgraded after installation but still is 5.7 (eg before RHEL5.8 was released). I don't like this minor number fixation many vendors have.