Modern Python API to Red Hat's Errata Tool.
python-errata-tool is a Python library that wraps the Errata Tool's REST API. It uses requests_kerberos to authenticate and parses JSON responses into Erratum objects. You can use it to create new advisories, or read and update existing advisories. The ErratumConnector class also provides lower-level access to all of the Errata Tool's REST API.
Example:
Creating a new bugfix advisory:
e = Erratum(product='RHCEPH',
release='rhceph-2.1',
#errata_type='RHBA' # Default; may be omitted
synopsis='Red Hat Ceph Storage 2.1 bug fix update',
topic='An update for Red Hat Ceph 2.1 is now available.',
description='This update contains the following fixes ...',
solution='Before applying this update...',
qe_email='someone@redhat.com',
qe_group='RHC (Ceph) QE',
owner_email='kdreyer@redhat.com',
manager_email='ohno@redhat.com',
)
e.commit()
print(e.url())Creating a new enhancement (feature) advisory:
e = Erratum(product='RHCEPH',
release='rhceph-2.1',
errata_type='RHEA', # Set to RHEA for RHEA
synopsis='Red Hat Ceph Storage 2.1 enhancement update',
topic='An update for Red Hat Ceph 2.1 is now available.',
description='This update contains the following features ...',
solution='Before applying this update...',
qe_email='someone@redhat.com',
qe_group='RHC (Ceph) QE',
owner_email='kdreyer@redhat.com',
manager_email='ohno@redhat.com',
)
e.commit()
print(e.url())Creating a new security advisory. Note that RHSA (Security) advisories are given one of four impacts (Low, Moderate, Important, and Critical). See this link for more information: https://access.redhat.com/security/updates/classification
e = Erratum(product='RHCEPH',
release='rhceph-2.1',
errata_type='RHSA', # Set to RHSA for RHSA
security_impact='Moderate', # Required for RHSA
synopsis='Red Hat Ceph Storage 2.1 security update',
topic='An update for Red Hat Ceph 2.1 is now available.',
description='This update contains the following fixes ...',
solution='Before applying this update...',
qe_email='someone@redhat.com',
qe_group='RHC (Ceph) QE',
owner_email='kdreyer@redhat.com',
manager_email='ohno@redhat.com',
)
e.commit()
print(e.url())The errata-tool CLI is a thin wrapper around the classes. You can use it to query information from the Errata Tool or create new releases (releng):
errata-tool -h
usage: errata-tool [-h] [--stage] [--dry-run] {advisory,product,release} ...
positional arguments:
{advisory,product,release}
advisory Get or create an advisory
product Get a product
release Get or create a release (RCM)
optional arguments:
--stage use staging ET instance
--dry-run show what would happen, but don't do itGetting an erratum's name:
Adding bugs:
Removing bugs:
Checking whether an advisory is embargoed:
Checking whether an advisory is text-only:
Adding builds:
Adding container builds:
Changing state:
Changing docs reviewer:
Adding someone to the CC list:
Changing an advisory type:
Reloading the all specific builds that lack product listings:
Determining if an advisory has RPMs or containers:
Get active RPMDiff results for an advisory:
Set the CDN repos for a container advisory (only applies for advisories containing Docker images):
Same thing, but for text-only advisories:
The errata_tool.product.Product class can look up existing products.
Looking up a product:
The errata_tool.release.Release class can look up existing releases or create new release entries.
Looking up a release:
from errata_tool.release import Release
r = Release(name='rhceph-2.4')
print(r.id) # 792
print(r.name) # "rhceph-2.4"
print(r.description) # "Red Hat Ceph Storage 2.4"
print(r.type) # "QuarterlyUpdate"
print(r.is_active) # True
print(r.enabled) # True
print(r.blocker_flags) # ['ceph-2.y', 'pm_ack', 'devel_ack', 'qa_ack']
print(r.edit_url) # https://errata.devel.redhat.com/release/edit/792Finding all "NEW_FILES" advisories for a release:
Creating a new release (this requires the "releng" role in the Errata Tool):
from errata_tool.release import Release
r = Release.create(
name='rhceph-3.0',
product='RHCEPH',
product_versions=['RHEL-7-CEPH-3'],
type='QuarterlyUpdate',
program_manager='anharris',
blocker_flags='ceph-3.0',
default_brew_tag='ceph-3.0-rhel-7-candidate',
)
print('created new rhceph-3.0 release')
print('visit %s to edit further' % r.edit_url)To use the staging Errata Tool environment without affecting production, set the ErrataConnector._url member variable to the staging URL.
from errata_tool import ErrataConnector, Erratum
ErrataConnector._url = 'https://errata.stage.engineering.redhat.com/'
# Now try something like creating an advisory, and it will not show up in
# prod, or bother people with emails, etc.
e = Erratum(product='RHCEPH',
release='rhceph-2.1',
synopsis='Red Hat Ceph Storage 2.1 bug fix update',
...
)
e.commit()Maybe your application makes many API calls (lots of advisories, builds, etc), When processing large numbers of errata from higher-level tools, it's helpful to understand where the time is spent to see if multiple calls can be avoided.
Set ErrataConnector.debug = True, and then your connector object will record information about each call it makes. Each GET/PUT/POST is recorded, along with totals / mean / min / max.
URL APIs are deduplicated based on their name, so two calls to different errata on the same API is recorded as a single API.
To extract the information and print it, one might use PrettyTable:
e = Erratum(errata_id=24075)
pt = PrettyTable()
for c in ErrataConnector.timings:
for u in ErrataConnector.timings[c]:
pt.add_row([c, u,
ErrataConnector.timings[c][u]['count'],
ErrataConnector.timings[c][u]['total'],
ErrataConnector.timings[c][u]['mean'],
ErrataConnector.timings[c][u]['min'],
ErrataConnector.timings[c][u]['max']])
print(pt.get_string())This library verifies the ET server's HTTPS certificate by default. This is more of a python-requests thing, but if you receive an SSL verification error, it's probably because you don't have the Red Hat IT CA set up for your Python environment. Particularly if you're running this in a virtualenv, you'll want to set the following configuration variable:
REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crtWhere "RH-IT-Root-CA.crt" is the public cert that signed the ET server's HTTPS certificate.
When using RHEL 7's python-requests RPM, requests simply checks /etc/pki/tls/certs/ca-bundle.crt, so you'll need to add the IT CA cert to that big bundle file.
If you've already added the Red Hat IT CA to your system-wide bundle, you can have your Python code always use this file:
This will make requests behave the same inside or outside your virtualenv. In other words, with this code, your program will always validate the Red Hat IT CA.
Install fedpkg, then use the Makefile:
$ make srpmYou can then upload the SRPM to Copr. Or, to build RPMs on your local computer, using mock:
$ make rpmCheck out the CHANGELOG.