Linux Patch Management: Keeping Linux Systems Up To Date

3.2. Configuring YaST Patch Management for a LAN

There are two ways to configure an update server for SUSE Linux Professional. You can configure a mirror using a YaST Online Update Server on SUSE Linux Enterprise Server. Alternatively, you can configure a mirror using the rsync command. One relative advantage of rsync is that it is customizable; if you use the YaST Online Update Server for regular PCs, you'll end up with updates for 32-bit and 64-bit systems.

In either case, you'll need to select a mirror. You can find a current (but not necessarily complete) list at http://www.novell.com/products/linuxprofessional/downloads/ftp/int_mirrors.html. Before you select a mirror, check it out in the browser of your choice. A mirror you see in this list may be redirected to a different URL. For example, the mirror I use, http://suse.oregonstate.edu, is automatically redirected to http://suse.osuosl.org.

3.2.1. Creating a Local Mirror with YaST Online Update Server

If you have a SUSE Linux Enterprise Server, you can create a mirror for SUSE Linux Professional computers on your network by using the YaST Online Update Server. First, select a mirror.

Note

This section assumes you're maintaining updates for SUSE Linux Professional version 9.2. If you're maintaining updates for a different version of SUSE Linux Professional, substitute version numbers accordingly.

Selecting a Mirror

You've seen how this server works earlier in this chapter. To open YaST in the GUI, click Main Menu -> System -> Control Center (YaST). Select Software in the left pane, and select YOU Server Configuration. In the YaST Online Update Server Configuration window, select Add. This opens a window similar to that shown previously in Figure 3-12.

In this unnamed window, you'll need to enter four parameters:

Product Name: SUSE Linux is normally sufficient.

Version: Enter the version number for the distribution, such as 9.2; this becomes the subdirectory with the mirror in the /var/lib/YaST2/you/mnt/i386/update directory.

Architecture: Specify the architecture for your distribution, such as i386.

Synchronization URL: Enter the SUSE Mirror of your choice. In my case, I've entered http://suse.osuosl.org/suse/. Depending on mirror availability, some trial and error may be required.

Authentication: In most cases, anonymous authentication is supported on SUSE mirrors associated with SUSE Linux Professional.

Synchronizing

After you've entered the parameters of your choice, click OK. Back in the YaST Online Update Server Configuration window, select Synchronize now. The YaST Online Update Server proceeds through any products configured in this menu. Depending on the timing of your update, you may be downloading several gigabytes of data. This process may take some time.

If there are problems, you'll see a message such as "Synchronization failed." The mirror of your choice may not be available. If successful, you'll find update RPMs and patches in the /var/lib/YaST2/you/mnt/i386/update directory. In my case, where I've created an update server for SUSE Linux Professional 9.2, they are located in the following subdirectories:

9.2/patches Includes a list of patches available to YaST Online Update on your SUSE Linux Professional client computers.

9.2/scripts Includes any update scripts, which can help you install specialized components.

9.2/rpm Contains RPMs in the i586, i686, and noarch subdirectories.

YaST Online Update Server Troubleshooting

If you do have problems, you can troubleshoot the YaST Online Update Server. Exit from the server. Check the current version of the associated log file in /var/log/YaST2/y2log. If you can't figure out the problem from the log file, there is more that you can do.

By default, YaST Online Update Server settings are stored in the you_server_settings file, in the /var/lib/YaST2/you directory. If you've configured authentication settings, usernames and passwords are stored in the password file in the same directory. For the next troubleshooting step, move these files. The following commands move them to your /root home directory (default permissions won't allow you to move these files as a regular user):

mv /var/lib/YaST2/you/you_server_settings ~
mv /var/lib/YaST2/you/password ~

If you've previously downloaded packages to your system using the YaST Online Update Server, they'll still be there.

Note

By default, the /var/lib/YaST2/you/password file is "world-readable"; in other words, associated with 644 permissions. And this file can display your passwords in clear text. You can change the permissions of this file to be readable only by the file owner without affecting the performance of the YaST Online Update Server.

Return to YaST. Reopen the YaST Online Update Server. You'll see the original two products (SUSE SLES and SUSE CORE) in the update list. You'll need to re-edit these products for the required usernames and passwords.

Re-enter the information described earlier for your SUSE Linux Professional mirror. Try the synchronization process again.
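The Note above about the world-readable password file can be turned into a repeatable check. The following shell functions are an added example, not code from the book: they report the mode of the password file and restrict it to its owner. The function names are hypothetical, the default directory is the one named in the text, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the book): check and tighten the YOU credential file.
# Function names are hypothetical; GNU stat (-c) is assumed.

# Print the octal permission bits of a file, e.g. 644.
file_mode() { stat -c '%a' "$1"; }

# Succeed (0) when group or other holds any permission bit on the file.
# If the mode cannot be read, fail closed and treat the file as exposed.
is_exposed() {
    mode=$(file_mode "$1") || return 0
    case "$mode" in
        0|*00) return 1 ;;   # e.g. 600, 400: owner-only
        *)     return 0 ;;   # e.g. 644, 640: readable beyond the owner
    esac
}

# Restrict <dir>/password to its owner. The directory defaults to the one
# named in the text; pass another directory to test against a copy.
harden_password_file() {
    dir=${1:-/var/lib/YaST2/you}
    file="$dir/password"
    if [ ! -f "$file" ]; then
        echo "no password file in $dir"
        return 0
    fi
    if is_exposed "$file"; then
        echo "$file has mode $(file_mode "$file"); restricting to 600"
        chmod 600 "$file" || return 1
    fi
    # Re-check the result rather than trusting chmod's exit status alone.
    ! is_exposed "$file"
}
```

Run harden_password_file as root with no argument to act on /var/lib/YaST2/you; a file that is already owner-only is left untouched.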

3.2.2. Creating a Local Mirror with rsync

One thing to remember when creating a local mirror is that YaST Online Update looks for patches in the i386/update/9.2/patches subdirectory. Except for the version number, this is true for all SUSE Linux distributions. So when you create a mirror, make sure updates are downloaded to that subdirectory. Otherwise, YaST Online Update won't be able to find what you've so laboriously downloaded to your LAN.

Therefore, make sure that this subdirectory is part of the tree where you download the update mirror. You might even want to create a separate partition for this mirror, to keep it from crowding (or being crowded out by) other demands on your system. For convenience, I've created this mirror on an external Firewire (IEEE 1394) hard drive, on partition /dev/sdb3. I've also created a /mnt/yast directory to mount these updates.

For those distributions with mirrors, you can create and then update your systems with a local mirror server. While you could use commands such as wget or FTP clients to create a mirror, I prefer the rsync command. After you create an rsync mirror, updates download only the data that changed since the last download. Therefore, you can keep an rsync mirror up to date fairly quickly and keep the load on your Internet connection to a minimum.

Note

The first time you create a repository mirror, chances are that you'll be downloading several gigabytes of data. Be sure you have a sufficiently high-speed connection to the Internet before attempting to create a mirror. The first time I downloaded a SUSE repository on my home cable modem (which runs up to 5 Mb/s), the process took approximately 20 hours.

For this purpose, you need a public mirror which accepts rsync connections. Some trial and error may be required. Many FTP sites listed in the official SUSE Linux Professional list of international mirrors also accept rsync connections.

The rsync command is important for anyone interested in patch management. It helps the administrator create and maintain a local patch management server with a minimum of load on the Internet connection. When created, updates download only data that has changed since the last update. This is the briefest of introductions to the world of rsync; for more information, see the rsync man page, as well as its Web site at http://rsync.samba.org.

In its simplest invocation, you can copy all files, in archive mode (-a), from /home/michael to /home/donna with the following command:

rsync -a /home/michael /home/donna

When you repeat this command in the future, it only copies what has changed within each file in Michael's home directory, and nothing more. Naturally, this is a powerful tool for backups. You can use rsync over a Secure Shell connection. For example, the following command takes the files from the /home/michael directory on the computer named remotepc.example.com and copies them locally to /tmp:

rsync -a -e ssh michael@remotepc.example.com:/home/michael /tmp

Now, determine whether your preferred mirror site supports rsync, and on what directories. For example, you can find the applicable directories on the distro.ibiblio.org site with the following command (don't forget both colons at the end of the URL):

rsync -n mirrors.kernel.org::

If the site you try does not have an rsync server, you won't see a response, and you may need to interrupt the command (with Ctrl-C) to get back to the command line.

Watch for hints in the message that you see. For example, this particular command included in the response:

suse Novell SUSE mirror

This gives me a hint to the directory structure I need for the rsync command. I could synchronize all SUSE related contents, using the ::suse/ subdirectory, but that would download all available SUSE Professional distributions and versions, which might be several dozen more gigabytes than I really need.

With a look at the directory structure at this site, I can find a list of updates with the following command:

rsync -n mirrors.kernel.org::suse/i386/update/9.2/

As discussed earlier, I've created a separate partition, /mnt. I can copy and then synchronize the contents of /mnt with this particular server. Don't forget to create the /mnt/i386/update/9.2 directory. The fastest way is with the following command, which creates all needed directories:

mkdir -p /mnt/i386/update/9.2

With the following command, I can download patches to the /mnt/i386/update/9.2/patches directory. But don't run this command, at least not yet:

rsync -a mirrors.kernel.org::suse/i386/update/9.2/. /mnt/i386/update/9.2

While this command should work, you won't know until it's done. There is more that you can and should do with this command. As with most commands, the -v switch allows you to watch the progress as rsync does its work. Fortunately, rsync allows you to "double" the messages; you can expand this command to rsync -avv <whatever you're syncing>.

But that's still not enough. If you don't need the source code associated with the download, you can shorten the required time. You know that source code RPMs normally end with the .src.rpm extension, so you can exclude those files with the --exclude=*.src.rpm switch.

Finally, you can collect statistics associated with the download to make sure you're not getting overloaded. For this purpose, rsync supports the --stats switch. Finally, we're ready to start the process. If the ibiblio.org mirror is closest, you could start the rsync process with the following command:

rsync -avv --stats --exclude=*.src.rpm mirrors.kernel.org::suse/i386/update/9.2/. /mnt/i386/update/9.2

When the process is complete, you'll have a mirror, fresh with SUSE updates, ready for use by the other SUSE Linux Professional computers on your network.
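The steps above can be collected into one script. This is an added example, not code from the book: it previews the transfer with a dry run, runs the same rsync command with the exclude pattern quoted, and then confirms that the patches subdirectory YaST Online Update looks for is present. The function names and the MIRROR, VERSION and ROOT variables are hypothetical; their defaults are the values used in the text.

```shell
#!/bin/sh
# Added example (not from the book): wrap the mirror commands from the text.
# Function names and the MIRROR/VERSION/ROOT variables are hypothetical.
MIRROR=${MIRROR:-mirrors.kernel.org::suse}   # rsync module used in the text
VERSION=${VERSION:-9.2}
ROOT=${ROOT:-/mnt}

# Directory YaST Online Update expects under the mirror root.
update_path() { printf '%s/i386/update/%s' "$1" "$2"; }

# Succeed only if the tree contains the patches subdirectory YOU looks for.
layout_ok() { [ -d "$(update_path "$1" "$2")/patches" ]; }

# Dry run (-n): nothing is downloaded, and --stats reports how much
# data the real run would transfer.
preview_mirror() {
    dest=$(update_path "$ROOT" "$VERSION")
    mkdir -p "$dest" || return 1
    rsync -an --stats --exclude='*.src.rpm' \
        "$MIRROR/i386/update/$VERSION/." "$dest"
}

# Full synchronization followed by a layout check.
sync_mirror() {
    dest=$(update_path "$ROOT" "$VERSION")
    mkdir -p "$dest" || return 1
    # The pattern is quoted so the shell never expands it before rsync sees it.
    rsync -avv --stats --exclude='*.src.rpm' \
        "$MIRROR/i386/update/$VERSION/." "$dest" || return 1
    if ! layout_ok "$ROOT" "$VERSION"; then
        echo "sync finished but $dest/patches is missing" >&2
        return 1
    fi
}

# Usage: sh mirror.sh preview   or   sh mirror.sh sync
case "${1:-}" in
    preview) preview_mirror ;;
    sync)    sync_mirror ;;
esac
```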

Pointing Updates to the Mirror

Now you can point your updates to the local mirror. It's a simple process. If the SUSE Professional or SUSE Linux computer that you want to update is local, all you need to do is point YaST Online Update to the correct mirror directory.

As described in the previous section, I've configured my own SUSE Professional Linux update mirror site in the /mnt/i386/update/9.2 directory. I know this includes a patches subdirectory. Because YaST Online Update looks for an i386/update/9.2/patches subdirectory, all I need to do is point it to /mnt.

If I have a SUSE Professional Linux system on the same computer as the update mirror, I can configure the update with the following steps:

1. Start YaST. If you're in the GUI, click the Main Menu button -> System -> Control Center (YaST).

2. Under the Software menu, select Online Update.

3. Under the Installation Source drop-down box, specify User-Defined Location.

4. In the Location text box, specify the directory with the i386/update/9.2/patches subdirectory. With the directory defined earlier, that's

dir:///mnt/

Naturally, if you're working with a different version of SUSE Linux or SUSE Linux Professional, the version number in the directory will change accordingly. Of course, you can use the New Server or Edit Server options to specify the directory.

5. Select Next to continue. You'll see a list of YaST Online Update (YOU) patches similar to that shown in Figure 3-15.

Figure 3-15. Patches on a SUSE professional workstation

Review the list of available patches. You'll note that some are upgrades; others are installations of new packages over previous versions. Not all options will be selected. Make any desired changes.

6. When you're ready with your desired patches, select Accept to continue.

7. The Patch Download process provides a warning if there are any critical upgrades, such as those related to the Linux kernel.

One example of a warning is shown in Figure 3-16. Make appropriate selections related to any warnings that you see.

Figure 3-16. Kernel update warning

8. YaST Online Update proceeds with installing the patches and upgrades as you specified. But because the patches are local, you should not have to wait very long.

The total progress bar may not reach 100 percent before the process stops. However, you should see a message such as "Installation finished." At that point, you can select Finish to continue.

9. YaST Online Update now writes the patches to your system configuration. When complete, you're returned to the main YaST Software Menu.

Sharing the Update Directory

Now that you've updated the local SUSE Linux workstation, you can share the local repository with the rest of your network. As you've seen, YaST Online Update allows you to configure updates from local and network sources.

While this is not a book on networking, the most straightforward way to share directories with other Linux computers is with an NFS server. For more information on the NFS, see Linux Administration Handbook by Evi Nemeth, Garth Snyder, and Trent Hein (Upper Saddle River, NJ: Prentice Hall, 2002). The server and client tools are normally available even in a minimal Linux installation.

To share the directory that you created earlier, follow these steps:

1. Add the following line to the local /etc/exports file:

/mnt/i386/update/9.2 192.168.0.0/24(ro,sync)

This line assumes that the directory where you synchronized patches is as shown and your LAN is configured on the private 192.168.0.0 IPv4 network. These computers are allowed read-only (ro) access, and changes must be synchronized (sync) regularly.

2. If the local NFS Server is not already running, you'll need to start it with a command, such as

/etc/init.d/nfsserver start

If your NFS server is already running, you may need to substitute restart for start.

3. Make sure to export the share with the exportfs -a command.

4. Confirm your exports with the showmount -e command.
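Before running exportfs -a, it is worth checking that the line added to /etc/exports really is read-only and limited to the LAN. The following check is an added example, not code from the book: it reads an exports file and flags entries for a given directory that are writable, open to any host, or exported with no_root_squash. The function names are hypothetical, and one export per line (no backslash continuations) is assumed.

```shell
#!/bin/sh
# Added example (not from the book): audit how a directory is exported.
# audit_export and demo_exports are hypothetical names.
# Usage: audit_export <exports-file> <path>
# Returns 0 if every client entry is read-only and host-restricted,
# 1 if a finding was printed, 2 if the path is not exported at all.
audit_export() {
    awk -v want="$2" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        $1 == want {
            found = 1
            if (NF == 1) { print "open to any host: " $0; bad = 1 }
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                p = index($i, "(")
                if (p) {
                    host = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\)$/, "", opts)
                }
                o = "," opts ","
                # An empty host comes from a space before "(": the options
                # then apply to every client, not to the preceding network.
                if (host == "" || host == "*") { print "open to any host: " $i; bad = 1 }
                if (o ~ /,rw,/)                { print "writable: " $i; bad = 1 }
                if (o ~ /,no_root_squash,/)    { print "root not squashed: " $i; bad = 1 }
            }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the line from the text, then a weak variant of it
# with a stray space before the options and rw in place of ro.
demo_exports() {
    f=$(mktemp) || return 1
    printf '%s\n' '/mnt/i386/update/9.2 192.168.0.0/24(ro,sync)' > "$f"
    audit_export "$f" /mnt/i386/update/9.2 && echo "line from the text: clean"
    printf '%s\n' '/mnt/i386/update/9.2 192.168.0.0/24 (rw,sync)' > "$f"
    audit_export "$f" /mnt/i386/update/9.2 || echo "weak variant: flagged"
    rm -f "$f"
}
```

On the server itself, call audit_export /etc/exports /mnt/i386/update/9.2 and treat any non-zero return as a reason to recheck the line.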

Updating Neighboring Servers

Now you can proceed to updates of remote SUSE Linux Enterprise Servers, Professional Workstations, and later systems on your network. To do so, follow these steps:

1. Confirm your access to the shared NFS directory. If the SUSE Linux Professional workstation with the repository is suse2.example.com (you can substitute the IP address), you can confirm access with the following command:

showmount -e suse2.example.com

2. On the remote SUSE Linux Enterprise Server, start YaST. Select Online Update from the Software menu. Select New Server. In the Select Type of URL window, select NFS, and click OK.

3. Enter the name or IP address of the NFS server, as well as the shared directory, and click OK. You'll see the shared directory in the Location text box in a format similar to

nfs://suse2.example.com//mnt/i386/update/9.2

If this doesn't work, you can mount the shared directory locally and use the techniques described in the previous section.

4. Now you can update your system using the techniques described in the previous section.

5. When the process is complete, consider configuring automatic updates. Return to YaST Online Update. Select the Configure Fully Automatic Update option.
