01.14.04
 By Brian Hatch
Most Linux distributions use the RPM [1]
format for their software packages. RPMs are managed by the rpm program,
which typically lives at /usr/bin/rpm.
[2]
The problem with any system is that your software is out of date the
second you install it, and when security problems are found, you need
to upgrade your software. Linux is great in that you don't need to
reboot, you can upgrade your software on the fly. [3]
Most
Linux distributions maintain a web or FTP site that provides updated
RPMs for security or other critical bugs. Some even include handy
helpful programs to make it easier to identify older software and
automatically upgrade to the newest available version, for example
Red Hat's up2date. Some of these are subscription based
(hey, creating good tools and providing the bandwidth costs money)
so often people prefer to simply upgrade their RPMs directly.
|
It's fairly trivial to mirror the updates section of your distro's
website. For example I used to use the following to snag all the Red
Hat 6.2 upgrade RPMs:
$ wget -m --no-parent ftp://ftp.valinux.com/pub/mirrors/redhat/redhat/updates/6.2/en/os/i386
The above command would download all the x86 updates. Run it nightly
from cron, and you've always got a repository of updated packages.
Now that you have them, it's time to upgrade. Say you are running
Apache (who isn't) and there's an upgrade for it, you'd do the following
to upgrade:
# cd /path/to/my/mirrored/upgrade/packages
# rpm -U apache-1.3.27.rpm
The -U option to rpm tells it to upgrade the package, which is effectively
just an install of the new package followed by an uninstall (erase)
of the old. Your configuration files are all left alone, and in the
case of security upgrades you shouldn't need to make any changes.
[4] Life is
good.
Now wouldn't it be tempting to just run rpm -U out of cron after the
directory is mirrored? Yes, it is tempting, and it's problematic,
and here's why:
Calling rpm -U will upgrade a package even if it isn't
already installed. So if you weren't running Apache and attempt
to 'upgrade' it, rpm -U will install it for you! Now
you're running something you weren't expecting, and probably aren't
paying attention to. The less software you have installed and running,
especially network-accessible daemons, the better.
Instead of using rpm -U, you should use rpm -F. The
-F stands for 'freshen', and is the same as 'upgrade' except
that it will only install the upgraded package if the old version
is already installed. This will prevent you from accidentally installing
something that wasn't installed.
If you do want to run upgrades out of cron (which I don't
suggest in general), be careful about kernel upgrades. These should
only be installed manually, lest you end up rendering your machine
unable to boot, have a foobared /etc/lilo.conf or /etc/grub.conf,
or install kernel includes that are incompatible with your current
running kernel and goof up subsequent software compiles.
NOTES:
[1]
RPM stands for "Red Hat Package Manager", created by, unsurprisingly,
Red Hat.
[2]
Naturally there are many front ends to rpm functionality. I'll admit,
I'm an old foggie command line guy, and just can't keep up with the
GUI frontend of the week.
[3]
In many cases, such as daemon programs, you need to restart your software,
and this is likely not built into the post-upgrade functionality of
the RPM. See the article Upgrade
Process: Restarting vs Rebooting.
[4]
Usually, when a package has a security problem, the bug is fixed in
the exact same version of the software, rather than upgrading you
to a new version of the software. Upgrading Apache-1.3.x to Apache-1.3.y
could cause problems (perhaps some of your modules aren't available
for the new version) so patches are 'backported' to the currently-available
version when necessary. Because of this, you shouldn't need to change
any of your configuration or setup in 95% of your upgrades.
About the Author:
Brian Hatch is Chief Hacker at Onsight, Inc and author of Hacking
Linux Exposed and Building
Linux VPNs. He's having twin girls (Yikes!) and you can help shape
them for life! Go to http://www.ifokr.org/bri/name-the-twins.cgi to pick your favorite name
from the possibilities! Brian can be reached at brian@hackinglinuxexposed.com.
Read this newsletter at: http://www.linuxpronews.com/2004/0114.html |
|
| From the Forum: | | Linux is for Techies | I regularly get the "Geek Sermon" from the Linux crowd and simply have to laugh! Most of these command-prompters don't have a clue what goes on under the hood of the MS-box and don't care to learn.
Sure! There are more x-box servers on the Internet than MS-boxes -- but WHO CARES what geeksters are running to set up servers in their basements (millions of them). Check out the stats for what FORTUNE 500 businesses are running. ... |
 |
