Configuring Errata for Ubuntu with Spacewalk

In my last article I showed you how to get Ubuntu servers registered and integrated with Spacewalk.

However, something important is still missing: getting Errata into Spacewalk for Ubuntu systems. Errata are security, bugfix and enhancement advisories published by distribution vendors like Debian, CentOS, RHEL and Ubuntu. Once imported into Spacewalk, they show (and can email) which systems and packages are affected, along with information like CVE numbers. You can then “apply” the Errata to these systems, triggering a remote update. That way you will always know if your systems lack critical updates.

Unfortunately, there is no general source or feed for getting these Errata into Spacewalk. The vendors’ security mailing lists are a good source, but you still need to parse them and import the result via the API. For CentOS / RHEL a few scripts exist:

However, for Ubuntu no such script existed, so I had to write one myself. Read on to see where to get it and how to integrate it!

Ok so you will need the following files which you can find here parses$DATE.txt.gz into an XML which can be read by originally by Steve Meier ( I just modified it slightly to work with Ubuntu USN. By Ported version of the previous one. Includes some enhancements like date, author and better package processing. It’s quite a bit faster than the Perl version is a Bash script which downloads the compressed security announcements, calls on them and finally calls to import the Errata. This script can be run as a Cronjob to automate things. is the missing “action” for rhn_check so it can apply Errata. It’s just a copy of

mkdir -p /opt/spacewalk-errata/errata
git clone /opt/spacewalk-errata/
# on the clients put in /usr/share/rhn/actions

In you have to edit the hostname and login for your Spacewalk server. You also want to edit “--exclude-channels ubuntu12.04-main” to match your Base channel’s name.

Install a Cronjob for every night.

Thanks to adding the missing to rhn_check scheduling Errata updates from Spacewalk is also working.
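The parsing step described above (monthly security-announce archive in, structured errata out), shown as an added Python example; it is not one of the scripts from the repository this article refers to. The function names, the mbox-style separator handling and the sample archive are assumptions made for illustration. A download that is not valid gzip data is rejected before parsing, and list mails that are not USNs are skipped.

```python
import gzip
import re
import zlib
from email import message_from_string

USN_SUBJECT = re.compile(r"\[(USN-\d+-\d+)\]\s*(.*)")
CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
RELEASE_HEADER = re.compile(r"^Ubuntu (\d+\.\d+)(?: LTS)?:\s*$")
PACKAGE_LINE = re.compile(r"^\s+(\S+)\s+(\S+)\s*$")

# Hypothetical helper names throughout. SAMPLE is a constructed two-message
# archive (not real list traffic): one advisory with a placeholder id and one
# announcement that must be skipped.
SAMPLE = """\
From security at example.invalid  Tue Mar  3 10:00:00 2015
From: security at example.invalid (Zoë Example)
Subject: [USN-0000-1] examplepkg vulnerabilities

Update instructions:

Ubuntu 14.04 LTS:
  examplepkg                      1.2.3-0ubuntu0.14.04.1

Ubuntu 12.04 LTS:
  examplepkg                      1.2.3-0ubuntu0.12.04.1

References:
  CVE-0000-0001, CVE-0000-0002

From announce at example.invalid  Wed Mar  4 09:00:00 2015
From: announce at example.invalid (Release Team)
Subject: Ubuntu 00.00 reaches End of Life

This is an announcement, not an advisory.
"""


def load_archive(raw):
    """Decompress a downloaded Month.txt.gz; refuse anything that is not gzip."""
    if raw[:2] != b"\x1f\x8b":
        raise ValueError("not gzip data (error page or empty month?)")
    try:
        data = gzip.decompress(raw)
    except (EOFError, OSError, zlib.error) as exc:
        raise ValueError("truncated or corrupt download") from exc
    return data.decode("utf-8", errors="replace")  # author names are not ASCII


def parse_usn(msg):
    """Return a dict for a USN mail, or None for any other list traffic."""
    subject = " ".join(str(msg.get("Subject", "")).split())
    match = USN_SUBJECT.search(subject)
    if match is None or msg.is_multipart():
        return None
    body, packages, release = msg.get_payload(), [], None
    for line in body.splitlines():
        header = RELEASE_HEADER.match(line)
        if header:
            release = header.group(1)
        elif line and not line[0].isspace():
            release = None  # left the per-release package table
        elif release and PACKAGE_LINE.match(line):
            packages.append((release, *PACKAGE_LINE.match(line).groups()))
    return {"id": match.group(1), "synopsis": match.group(2),
            "cves": sorted(set(CVE_ID.findall(body))), "packages": packages}


def parse_archive(raw):
    """Split the mbox-style archive on 'From ' separators and keep only USNs."""
    chunks = re.split(r"(?m)^From .+\n(?=[A-Za-z-]+: )", load_archive(raw))
    parsed = (parse_usn(message_from_string(c)) for c in chunks if c.strip())
    return [usn for usn in parsed if usn is not None]
```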


  1. Hi,

    First of all, thanks a lot for all the information!

    I have a question for you: do you think it’s possible to provision Ubuntu boxes?

    I mean, can I make a cobbler definition for ubuntu distro?

    Thanks !

      • phil
      • November 13th, 2014 3:55pm

      I haven’t tested that yet as I don’t need that yet, but I’m optimistic on this as Cobbler itself works for any Linux.
      So mounting Ubuntu images instead of CentOS and creating a Kickstart profile with the already present Ubuntu Base Channel should work.

      If you are going to try this out, I would be happy to hear how that went and what steps you took !

      See Kickstarting and Provisioning Ubuntu systems with Spacewalk

    • Allan
    • November 13th, 2014 9:20pm

    I experience an error upon manually attempting to run the script:

    [root@spacewalk spacewalk-errata]# ./

    ./ line 16: /opt/spacewalk-errata/ Permission denied

    [root@spacewalk spacewalk-errata]# ll

    -rw-r–r–. 1 root root 9855 Nov 13 16:06

      • phil
      • November 14th, 2014 4:15pm

      the script tries to run /opt/spacewalk-errata/ errata/2014-November.txt so check if the permissions are correct and try to run that line manually

    • Allan
    • November 14th, 2014 7:01pm

    I gave execute permissions…

    now I get the following error…

    [root@spacewalk spacewalk-errata]# chmod 744
    [root@spacewalk spacewalk-errata]# ll
    total 60

    -rwxr–r–. 1 root root 9855 Nov 13 16:06

    [root@spacewalk spacewalk-errata]#
    [root@spacewalk spacewalk-errata]# ./

    500 Can’t connect to spacewalk.hc.lan:80 (Bad hostname ‘spacewalk.hc.lan’)

      • phil
      • November 14th, 2014 7:17pm

      Of course you need to replace spacewalk.hc.lan with your actual Spacewalk hostname.
      I’ll update the post to point this out

        • Allan
        • November 14th, 2014 7:19pm

        LOL, I figured that out after I sent the reply.

        I’m tailing the log now and hoping to see something on the dashboard.

        • Allan
        • November 14th, 2014 9:24pm

        It completed but only provided five (5) errata for precise-security and four (4) errata for trusty-updates. Is this accurate? Is there no other errata? I just want to ensure that this is working properly


          • phil
          • November 15th, 2014 12:48am

          It’s working great for you. No worries. Spacewalk will only import/show Errata that actually apply to at least one of your packages. However you can manually curl older errata months and import them if you were lazy and didn’t update for a longer time.
          Otherwise simply run this as a cronjob every night to never miss any new updates. It will ignore existing imported errata and only add new ones

  2. Thanks for reporting back these tests!

    I will soon try too.

    Talking about your scripts for USN Erratas, I get an error when I launch it:

    # ./

    Use of uninitialized value in string at /opt/spacewalk-errata/ line 460.

      • phil
      • November 17th, 2014 11:41am

      That’s not really an error that matters. Check the log at /var/log/ubuntu-errata.log to see it worked.

      • Indeed, I have checked the log, and got 5 USN created 🙂

        Thanks !

        I will come back to you to tell how the kickstart goes.

    • phil
    • January 28th, 2015 3:54pm

    I just updated the script fixing (harmless) bug ‘Use of uninitialized value’ but also fixed a critical bug that prevented some Errata from being imported!
    So everyone should update to the latest version.

    • Marc
    • February 3rd, 2015 7:57am

    hi phil,

    thanks for the script. I’m syncing the ubuntu updates for trusty and precise. Now I am testing the errata. In the log everything looks fine, but I just get 1 errata. That seems a little bit too little for precise and trusty…. how can I check if the scripts work correctly?

    INFO: Server is running API version 15
    INFO: API version 15 is supported
    INFO: Authentication successful
    INFO: User has administrator access to this server
    INFO: Loading errata XML
    INFO: Getting server inventory
    INFO: Checking for unpublished errata
    INFO: Excluding channel precise (precise)
    INFO: Scanning channel precise-backports
    INFO: Scanning channel trusty-updates
    INFO: Scanning channel precise-security
    INFO: Excluding channel trusty (trusty)
    INFO: Scanning channel precise-updates
    INFO: Scanning channel trusty-backports
    INFO: Scanning channel trusty-security
    INFO: Errata for USN-2488-1 already exists
    INFO: Errata created: 0

      • phil
      • February 3rd, 2015 12:44pm

      The script downloads the Errata archive for the current month and processes it. So if you want to import other months you have to download them manually and run on them. Then feed the generated XML into

    • ale
    • February 10th, 2015 2:21pm

    2015-02-10 14:19:33 (5,12 MB/s) – “/opt/spacewalk-errata/errata/2015-February.txt.gz” saved [5261/5261]

    File “/opt/spacewalk-errata/”, line 99
    return summary
    IndentationError: unindent does not match any outer indentation level

      • phil
      • February 10th, 2015 5:33pm

      thx. just fixed it. somehow the line above lost indentation after testing and before committing ..

    • christian
    • February 17th, 2015 9:25am

    Thank you for the update! It works like a charm again!

    Is it possible to implement the “Reboot required” info into the erratas? For CentOS, the reboot info is included in the errata, so it should also be for ubuntu.

    Unfortunately, it seems, RHNSD for debian is not applying errata updates, only package installs. Do you have any workaround?

      • phil
      • February 17th, 2015 10:00am

      Is “Reboot required” a flag or field in the Errata I don’t know of? However the Errata description does mention it sometimes as seen here
      so it will also be imported with the description.

      I have only tested on Ubuntu to be honest but Debian should work just fine. Errata updates are no different to package installs/updates after you have put to /usr/share/rhn/actions
      What does rhn_check -vv say when Errata update is scheduled?

        • christian
        • February 17th, 2015 12:37pm

        ah, forgot the on the clients. shame on me! Now it runs fine.

        I will test the reboot-flag the next days, it should be possible to trigger it manually with a local errata file. I’ve been testing spacewalk with ubuntu for several weeks but without the – maybe the reboot flag is only set after applying an errata. I will check.

          • phil
          • February 17th, 2015 1:19pm

          ah you mean the flag “reboot required” on the systems. uhm not sure where that comes from. probably after package install APT knows that and rhn_check reports back to Spacewalk

    • christian
    • February 19th, 2015 7:04am

    Fine! I’m looking forward to test – you can contact me by email anytime. Greets from Neu-Ulm

    • Christian
    • February 27th, 2015 12:11pm

    the errata import script is broken again, maybe someone has an idea?


    • James
    • March 12th, 2015 2:49pm

    I tried with both 2015-March and 2015-February.txt and get errors when it hits “firefox” related Errata

    INFO: Creating errata for USN-2505-1 (Firefox vulnerabilities) (1 of 2)
    500 Internal Server Error

      • phil
      • March 12th, 2015 3:00pm

      yes this is a known issue related to a bug in how Spacewalk splits up and handles package names / versions. Unfortunately firefox package is one of a few that are affected.
      The only workaround right now is to remove the offending entry from the ubuntu-errata.xml prior to importing :/

    • Raj
    • April 2nd, 2015 8:45pm

    Hi Phil,

    Can you please modify the import script to include a date range? This way we should be able to import errata dating back a year or before to until now. Otherwise, it is downloading every month’s errata file and running the import script all over again.



      • phil
      • April 2nd, 2015 11:51pm

      Simply run on all Month.txt and append the resulting ubuntu-errata.xml to another combined.xml and then run against the combined.xml

    • Raj
    • April 7th, 2015 10:14pm

    Hi Phil,

    When I try to parse January-2012 errata file, I get the following error.

    [root@ussclddspacewk03 spacewalk-errata]# ./ errata/2012-January.txt
    Message with subject ‘Firefox Rapid Release Migration in Ubuntu 10.04 LTS and Ubuntu 10.10’ doesnt appear to be an errata
    Failed to process message. Reason:
    ‘NoneType’ object has no attribute ‘packages’
    Traceback (most recent call last):
    File “./”, line 210, in processMessage
    parsed_msg.packages = self.processPackageList(errataMsg.get_payload())
    AttributeError: ‘NoneType’ object has no attribute ‘packages’
    Message with subject ‘Java packages in Partner archive to be removed on 2012-02-16’ doesnt appear to be an errata
    Failed to process message. Reason:
    ‘NoneType’ object has no attribute ‘packages’
    Traceback (most recent call last):
    File “./”, line 210, in processMessage
    parsed_msg.packages = self.processPackageList(errataMsg.get_payload())
    AttributeError: ‘NoneType’ object has no attribute ‘packages’

    • Raj
    • April 7th, 2015 10:19pm

    Same with January-2014 errata file.

    [root@ussclddspacewk03 spacewalk-errata]# ./ errata/2014-January.txt
    Message with subject ‘Ubuntu 13.04 (Raring Ringtail) reaches End of Life on January 27 2014’ doesnt appear to be an errata
    Failed to process message. Reason:
    ‘NoneType’ object has no attribute ‘packages’
    Traceback (most recent call last):
    File “./”, line 210, in processMessage
    parsed_msg.packages = self.processPackageList(errataMsg.get_payload())
    AttributeError: ‘NoneType’ object has no attribute ‘packages’
    Message with subject ‘Ubuntu 13.04 (Raring Ringtail) End of Life reached on January 27 2014’ doesnt appear to be an errata
    Failed to process message. Reason:
    ‘NoneType’ object has no attribute ‘packages’
    Traceback (most recent call last):
    File “./”, line 210, in processMessage
    parsed_msg.packages = self.processPackageList(errataMsg.get_payload())
    AttributeError: ‘NoneType’ object has no attribute ‘packages

    • Brian
    • May 11th, 2015 3:50am

    latest git clone on a CentOS 6.6 with spacewalk 2.2:

    # sh
    Use of uninitialized value in hash element at /opt/spacewalk-errata/ line 745.
    Use of uninitialized value in concatenation (.) or string at /opt/spacewalk-errata/ line 752.
    Use of uninitialized value in hash element at /opt/spacewalk-errata/ line 745.
    Use of uninitialized value in concatenation (.) or string at /opt/spacewalk-errata/ line 752.

    line 745 of
    if (defined($name2id{$xml->{$_[0]}->{packages}})) {

    line 752 of
    &debug(“Package: $xml->{$_[0]}->{packages} not found\n”);

      • phil
      • May 11th, 2015 1:40pm

      yes I also noticed this. It’s related to a specific errata. Namely the one logged right below these warnings:

      Use of uninitialized value in hash element at /opt/spacewalk/ line 745.
      Use of uninitialized value in concatenation (.) or string at /opt/spacewalk/ line 752.
      NOTICE: Skipping errata USN-2600-1 (Linux kernel vulnerability) — No packages found

      I’ll debug and try to fix this some more in the next days

    • pandujar
    • May 29th, 2015 12:57pm

    Thanks a lot for all of this 🙂

    • robin
    • June 16th, 2015 7:05am

    can you tell me where to get the debian errata
    i only found one from 2013 for

    • Pedro Andujar
    • June 17th, 2015 4:25pm

    I forked your repo and did the following that might be helpful for someone else:

    Modified to include date and from fields (Useful for searching).
    Added ubuntu-errata.xml containing USN’s from Jan 2012 till May 2015
    Added to import all USNs in a single shot as the perl version used to break when importing large xml files.

    I think it is really useful for people creating the whole errata for the 1st time

      • eking
      • July 13th, 2017 8:36am

      Thank you Pedro.
      Your script works beautifully! It’s saved me from giving up.

      Much appreciated!

    • Erik
    • December 2nd, 2015 7:52am


    I have a problem with applying ubuntu errata when I copied the in /usr/share/rhn/actions

    I have this problem :

    File “./”, line 86, in
    File “./”, line 82, in main
    print update([23423423])
    File “./”, line 47, in update
    if len(packagelist[0]) > 4:
    IndexError: list index out of range

    please help me.

    • James M.
    • April 18th, 2016 5:47am

    I’m getting the following error when I run

    [+] USN-2945-1 doesn’t exist: analyzing
    [-] No related packages found: skipping
    [+] USN-2944-1 doesn’t exist: analyzing

      • phil
      • April 18th, 2016 1:15pm

      Hey James, only Errata matching packages are imported. For instance some Errata only apply for Ubuntu15 and if you don’t have a channel and packages for that, they will be skipped.
      So for debugging, check affected packages in the USN and then search for that exact package in Spacewalk. If it _does_ exist but Errata still not imported, then it’s a bug.
      Did it ever import ANY Errata for you? If not I’d say there is something wrong in general with your setup.

        • James M.
        • April 18th, 2016 3:41pm

        Hi Phil, thanks for the quick response.
        This completely makes sense, thanks!

        Does the errata match to the channel or the packages installed on servers that are registered?
        Suppose I have a package that exists on the client server, but not on the channel, will the errata still match?


          • phil
          • April 18th, 2016 5:31pm

          It only matches packages which you also have in channels. So even if you don’t wanna use Spacewalk as repository source, you still need to sync in at least the “updates” and “security” repos.
          (Btw packages not in Spacewalk but present on clients are shown as “Extra packages” if you browse system info but that doesn’t help)

            • James M.
            • April 26th, 2016 5:16pm

            I’m getting a “Invalid function call attempted” error when trying to apply an errata to an affected system. Any ideas about what this could mean?

            • phil
            • April 26th, 2016 5:29pm

            Doesn’t ring a bell, where do you get/see this error? Spacewalk UI?

    • arij
    • January 30th, 2017 9:10am


    When I want to get all old errata with the script
    I haven’t any errata and I have this error :

    gzip: /opt/spacewalk/errata-debian/2016-December.txt.gz: not in gzip format
    gzip: /opt/spacewalk/errata-debian/2016-November.txt.gz: unexpected end of file

    So what should I do ?

    Thank you for the help.

      • phil
      • January 30th, 2017 12:04pm

      Hi Arij, maybe the txt.gz file wasn’t downloaded properly. Check if you can ungzip it manually or redownload.

    • Annwoy
    • March 2nd, 2017 5:21pm

    drwxr-xr-x. 3 root root 29 Mar 2 12:07 ..
    -rw-r–r– 1 root root 249 Mar 2 12:13 2017-March.txt.gz
    -rwxr-xr-x 1 root root 4101 Mar 2 12:08
    drwxr-xr-x 3 root root 41 Mar 2 12:14 errata
    -rwxr-xr-x 1 root root 27406 Mar 2 12:08
    -rwxr-xr-x 1 root root 6252 Mar 2 12:08
    -rw-r–r– 1 root root 2364 Mar 2 12:08
    -rw-r–r– 1 root root 1664 Mar 2 12:08
    -rwxr-xr-x 1 root root 1881 Mar 2 12:08
    -rwxr-xr-x 1 root root 1582 Mar 2 12:08
    -rw-r–r– 1 root root 1394 Mar 2 12:08 LICENSE
    -rwxr-xr-x 1 root root 11073 Mar 2 12:08
    -rw-r–r– 1 root root 1571 Mar 2 12:08
    -rw-r–r– 1 root root 1730 Mar 2 12:08
    -rwxr-xr-x 1 root root 706 Mar 2 12:08
    [root@sndprfql1 spacewalk-errata]# ./
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 249 100 249 0 0 485 0 –:–:– –:–:– –:–:– 486

    gzip: /opt/spacewalk-errata/errata/2017-March.txt.gz: not in gzip format
    Failed to parse messages due to exception [Errno 2] No such file or directory: ‘errata/2017-March.txt’
    Traceback (most recent call last):
    File “/opt/spacewalk-errata/”, line 268, in main
    parsed_messages = message_parser.parse()
    File “/opt/spacewalk-errata/”, line 250, in parse
    inputData = open(self.inputFile).read()
    IOError: [Errno 2] No such file or directory: ‘errata/2017-March.txt’
    [-] Error connecting to http://localhost/rpc/api:
    [root@sndprfql1 spacewalk-errata]#
    [trusty] 0:root@sndprfql1:/opt/spacewalk-errata*

    • vyas
    • April 4th, 2017 2:37pm


    When I execute the script I am getting this error message

    sh line 12: /opt/spacewalk-errata/errata/2017-April.txt.gz: No such file or directory
    gzip: /opt/spacewalk-errata/errata/2017-April.txt.gz: No such file or directory line 16: /opt/spacewalk-errata/ No such file or directory line 17: /opt/spacewalk-errata/ No such file or directory

      • phil
      • April 5th, 2017 11:18am

      the download of the Month.txt.gz might fail at beginning of the month when there are no mailinglist entries yet. However the two .py scripts should be there nonetheless so check what’s in /opt/spacewalk-errata/

    • eking
    • July 6th, 2017 3:13pm

    I’ve been working with chef, setting up the Server and clients. Everything was fine.


    After setting up a new Server, re-syncing the repos, all my Precise 12.04 systems are not showing any errata updates. When removing spacewalk.list from apt and adding one for an official repo, it shows updates are available via command line.

    Do you have any idea why Only precise systems would do this?

    I don’t see errors, which makes it even worse finding the issue.

      • eking
      • July 6th, 2017 3:15pm

      Maybe something left on the client from the previous install?
      I only removed the necessary from clients before taking down the old server:

      rm /usr/share/rhn/RHN*; rm /etc/sysconfig/rhn/systemid; rm /etc/sysconfig/rhn/up2date; rm /etc/sysconfig/rhn/osad.conf;

        • phil
        • July 8th, 2017 12:15pm

        looks good. imho it’s sufficient to delete /etc/sysconfig/rhn/systemid and then registering the system again. or even only rhnreg_ks --force

      • phil
      • July 8th, 2017 12:13pm

      it should work if the (updates / security) repo is synced and the clients re-registered to SW and subscribed to correct channel. and errata imported to SW ofc. try running rhn_check -vv

        • eking
        • July 10th, 2017 7:07am

        Some more info:

        Normal updates are showing to precise clients except for errata. I can upgrade normal packages. 14.04 clients are working perfectly.
        Even with the new server, i deleted the precise systems, channels and repo and re-adding it all. Still it did not work. I’m out of ideas here.

        What changed?…
        Repo data location changed from /var/satellite to a mounted nfs location.
        For Centos, I needed the previous version of C3P0. The newer version is not compatible with the Jabberd service

        Running rhn_check -vv

        D: do_call packages.checkNeedUpdate(‘rhnsd=1’,){}
        D: local action status: (0, ‘unable to open the timestamp file’, {})
        D: rpcServer: Calling XMLRPC registration.welcome_message

          • phil
          • July 10th, 2017 11:11am

          check if you actually do have any errata in SW which is mapped to a “precise” package that is installed on the node in an earlier version

            • eking
            • July 10th, 2017 12:23pm

            also, is it right for the contents of ubuntu-errata.xml to be in one line?

            • eking
            • July 13th, 2017 8:35am

            I am so excited I can scream. It’s working.

            So i’m still not sure why errata wasn’t imported for precise.
            I used Pedro Andujar’s script:

            I now see errata for precise. Yay!!!!

            • phil
            • July 13th, 2017 9:48am

            glad to hear. and I might know what the problem was: errata import script operates on current month. so there might have been no errata for any of your systems in the current month. by importing older erratas you got those that were matching a system

    • James
    • September 20th, 2017 4:39pm

    Hi Phil,

    I’m having an issue recently with the script. This is the error that I’m getting:
    Message with subject ‘[LSN-0030-1] Linux kernel vulnerability’ doesnt appear to be an errata
    Failed to parse messages due to exception ‘ascii’ codec can’t decode byte 0xc2 in position 0: ordinal not in range(128)
    Traceback (most recent call last):
    File “/opt/spacewalk-errata/”, line 301, in main
    File “/usr/lib64/python2.7/xml/etree/”, line 820, in write
    serialize(write, self._root, encoding, qnames, namespaces)
    File “/usr/lib64/python2.7/xml/etree/”, line 939, in _serialize_xml
    _serialize_xml(write, e, encoding, qnames, None)
    File “/usr/lib64/python2.7/xml/etree/”, line 932, in _serialize_xml
    v = _escape_attrib(v, encoding)
    File “/usr/lib64/python2.7/xml/etree/”, line 1090, in _escape_attrib
    return text.encode(encoding, “xmlcharrefreplace”)
    UnicodeDecodeError: ‘ascii’ codec can’t decode byte 0xc2 in position 0: ordinal not in range(128)

    Any ideas?



      • phil
      • September 20th, 2017 8:32pm

      Hi James,
      it seems like it errors while trying to write out the generated xml. so I would strip all other errata from the input txt and by trial/error/var-dumping find out what exactly is offending. maybe some sanitizing before writing out the xml could be added then.

      which is the mailinglist and month you are trying btw ?

      Best Phil
