Slashdot Mirror
Linux Patch Management
Ravi writes "Any system or network administrator will know the importance of applying patches to the various softwares running on their servers be it the numerous bug fixes or vulnerability checks. Now when you are maintaining just a single machine, this is really a simple affair of downloading the patches and applying them on your machine. But what happens when you are managing multiple servers and hundreds of client machines? How do you keep all these machines under your control up to date with the latest bug fixes? Obviously, it is a waste of time and bandwidth to individually download all the patches and security fixes for each machine. This is where this book named "Linux Patch Management - Keeping Linux systems up to date" authored by Michael Jang gains significance. This book released under the Bruce Perens' open source series aims to address the topic of patch management in detail." Read the rest of Ravi's review
Linux Patch Management - Keeping Linux Systems Up To Date
author
Michael Jang
pages
270
publisher
Prentice Hall
rating
8
reviewer
Ravi
ISBN
0-13-236675-4
summary
This book offers Linux professionals start-to-finish solutions, and examples for every environment, from single computers to enterprise-class networks.
The book is divided into seven detailed chapters, each covering a specific topic related to patch management. In the first chapter, the author starts the narration by giving an introduction to the basic patch concepts, the various distribution specific tools available for the user including Red Hat up2date agent, SUSE YaST online update, Debian apt-get and also community based sources like those in Fedora. What I found interesting was instead of just listing the various avenues that the user has regarding patching his system, the author goes the extra mile to stress the need for maintaining a local patch management server and also the need to support multiple repositories on it.
The second chapter deals exclusively with patch management on Red Hat and Fedora based Linux machines. Here the author walks the readers through creating a local Fedora repository. Maintaining a repository locally is not about just downloading all the packages to a directory on your local machine and hosting that directory on the network. You have to deal with a lot of issues here, like the hardware requirements, the kind of partition arrangement to make, what space to allocate to each partition, whether you need a proxy server and more. In this chapter, the author throws light on all these aspects in the process of creating the repositories. I really liked the section where the author describes in detail the steps needed to configure a Red Hat network proxy server.
The third chapter of this book namely SUSE's Update Systems and rsync mirrors describes in detail how one can manage patches with YaST. What is up2date for Red Hat is YaST for SuSE. And around 34 pages have been exclusively allocated for explaining each and every aspect of updating SuSE Linux using various methods like YaST Online Update and using rsync to configure a YaST patch management mirror for your LAN. But the highlight of this chapter is the explanation of Novell's unique way of managing the life cycle of Linux systems which goes by the name ZENworks Linux Management (ZLM). Even though the author does not go into the details of ZLM, he gives a fair idea about this new topic including accomplishing such basic tasks as installing the ZLM server, configuring the web interface, adding clients ... so on and so forth.
Ask any Debian user what he feels is the most important and useful feature of this OS, then in 90 percent of the cases, you will get the answer that it is Debian's contribution to a superior package management. The fourth chapter takes an in depth look into the working of apt. Usually a Debian user is exposed to just a few of the apt tools. In this chapter though, the author explains all the tools bundled with apt which makes this chapter a ready reference for any person managing Debian based system(s).
If the fourth chapter concentrated on apt for Debian systems, the next chapter explores how the same apt package management utility could be used to maintain Red Hat based Linux distributions.
One of the biggest complaints of users of Red Hat based Linux distributions a few years back was a lack of a robust package management tool in the same league as apt. To address this need, a group of developers created an alternative called YUM. The last two chapters of this book explores how one can use YUM to keep the system upto date as well as hosting ones own YUM repository on the LAN.
Each chapter of the book explores a particular tool to achieve patch management in Linux and the author gives in depth explanation of the usage of the tool. All Linux users irrespective of which Linux distribution they use will find this book very useful to host their own local repositories because the author covers all distribution specific tools in this book. The book is peppered with lots of examples and walk throughs which makes this book an all in one reference on the subject of Linux patch management."
Michael Jang has specialized in networks and operating systems. He has written books on four Linux certifications and one of them on RHCE is very popular among students attempting to get Red Hat certified. He also holds a number of certifications such as RHCE, SAIR Linux Certified Professional, CompTIA Linux+ Professional and MCP.
You can purchase Linux Patch Management - Keeping Linux Systems Up To Date from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Update: 02/07 14:52 GMT by J : Book rating changed from an intended 4 (of 5) stars to Slashdot-normalized 8 (of 10), by Ravi's request.
The book is divided into seven detailed chapters, each covering a specific topic related to patch management. In the first chapter, the author starts the narration by giving an introduction to the basic patch concepts, the various distribution specific tools available for the user including Red Hat up2date agent, SUSE YaST online update, Debian apt-get and also community based sources like those in Fedora. What I found interesting was instead of just listing the various avenues that the user has regarding patching his system, the author goes the extra mile to stress the need for maintaining a local patch management server and also the need to support multiple repositories on it.
The second chapter deals exclusively with patch management on Red Hat and Fedora based Linux machines. Here the author walks the readers through creating a local Fedora repository. Maintaining a repository locally is not about just downloading all the packages to a directory on your local machine and hosting that directory on the network. You have to deal with a lot of issues here, like the hardware requirements, the kind of partition arrangement to make, what space to allocate to each partition, whether you need a proxy server and more. In this chapter, the author throws light on all these aspects in the process of creating the repositories. I really liked the section where the author describes in detail the steps needed to configure a Red Hat network proxy server.
The third chapter of this book namely SUSE's Update Systems and rsync mirrors describes in detail how one can manage patches with YaST. What is up2date for Red Hat is YaST for SuSE. And around 34 pages have been exclusively allocated for explaining each and every aspect of updating SuSE Linux using various methods like YaST Online Update and using rsync to configure a YaST patch management mirror for your LAN. But the highlight of this chapter is the explanation of Novell's unique way of managing the life cycle of Linux systems which goes by the name ZENworks Linux Management (ZLM). Even though the author does not go into the details of ZLM, he gives a fair idea about this new topic including accomplishing such basic tasks as installing the ZLM server, configuring the web interface, adding clients ... so on and so forth.
Ask any Debian user what he feels is the most important and useful feature of this OS, then in 90 percent of the cases, you will get the answer that it is Debian's contribution to a superior package management. The fourth chapter takes an in depth look into the working of apt. Usually a Debian user is exposed to just a few of the apt tools. In this chapter though, the author explains all the tools bundled with apt which makes this chapter a ready reference for any person managing Debian based system(s).
If the fourth chapter concentrated on apt for Debian systems, the next chapter explores how the same apt package management utility could be used to maintain Red Hat based Linux distributions.
One of the biggest complaints of users of Red Hat based Linux distributions a few years back was a lack of a robust package management tool in the same league as apt. To address this need, a group of developers created an alternative called YUM. The last two chapters of this book explores how one can use YUM to keep the system upto date as well as hosting ones own YUM repository on the LAN.
Each chapter of the book explores a particular tool to achieve patch management in Linux and the author gives in depth explanation of the usage of the tool. All Linux users irrespective of which Linux distribution they use will find this book very useful to host their own local repositories because the author covers all distribution specific tools in this book. The book is peppered with lots of examples and walk throughs which makes this book an all in one reference on the subject of Linux patch management."
Michael Jang has specialized in networks and operating systems. He has written books on four Linux certifications and one of them on RHCE is very popular among students attempting to get Red Hat certified. He also holds a number of certifications such as RHCE, SAIR Linux Certified Professional, CompTIA Linux+ Professional and MCP.
You can purchase Linux Patch Management - Keeping Linux Systems Up To Date from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Update: 02/07 14:52 GMT by J : Book rating changed from an intended 4 (of 5) stars to Slashdot-normalized 8 (of 10), by Ravi's request.
4 stars? Don't book reviews get rated 1 to 10? And 4 stars? Is that out of 4 or 5? Or maybe 3? Some ratings only go up to 3 stars. I mean is the book pretty good (4 out of 5), excellent (4 out of 4), or so amazinly kick ass that everyone needs to read it (4 out of 3.) I'm confused as to the quality of this book.
What I want to know is how to issue patches via RPM rather than distributing the whole app again. Wether using some sort of binary diff, or just packaging the changed files. And how to manage things like this with the RPM database. I know that SuSE has got "patch" rpm's but I can't find any info as to how these are created, or how they are viewed/managed by the rpm DB.
Anyone?
This is a nice review of 'patching Linux' - and it's a subject close to my heart. Usual disclaimer - ZLM is partly my product and baby. One thing that the review clearly describes - there's a lot of choice out there. From Red Hat Network; to Novell update; to YaST Online Update - and there there is yum, apt etc etc etc. One of the cool things that ZENworks Linux Management brings to the table is the ability to integrate multiple sources of patches - RHN, YOU, Novell, roll-your-own, apt - and bring them into a central release server and control what goes where. For those that are too small or don't want to shell out for ZENworks - remember there is also the fully open source Open Carpet product - http://opencarpet.org/
Evil ZEN Scientist
At least in the RPM world, one would be neglect to not mention red-carpet and smart, IMHO the two best package managers out there. Although red-carpet has morphed into Novell's ZLM package, it is still the best system for enterprise Linux patch management, even if you use RedHat or some other non-Novell distribution. Smart is still in beta, but it is currently quite stable and functional even in its development state. Smart is definitely the next gen package manager, taking all the great features of apt-get, red carpet (short of the server daemon), and others. It's dynamic mirror management and repository agnositicism (you can use Fedora, Yum, apt-rpm, YaST, red-carpet repositories, and even mix and match as necessary, provided they are all for the same distribution) make it extremely compelling. I highly recommend you check it out. http://labix.org/smart
Old school commercial Unices like Solaris, HPUX, and AIX have "patches". Modern linux systems have "packages". Anyone who doesn't deal with a modern, automagical package management system like apt or yum is usually slogging through the mud unnecessarily. By updating a package, you get your patches. Most Linux users should never have to patch source code from tarballs, like the kernel or other software. This book may be useful for those few exceptions, however.
This only leaves running the updater manually to install updated kernels (by default it doesn't upgrade the kernel automatically, you can of course change this) and the occasional reboot once you update a kernel (network services are restarted as needed). You just set it and forget it like the Ronco showtime rottisiere (sp?) BBQ.
Chapter 1:
apt-get update ; apt-get upgrade
Umm, why? Does a package repository need to be more super-optimized than any other network resource?
What I'm listening to now on Pandora...
> If the fourth chapter concentrated on apt for Debian systems
Maybe you should re-read the book and pay more attention this time?
Such as to the actual open source series?m o=1484&redir=1&rl=1
http://www.phptr.com/promotions/promotion.asp?pro
This book will be there as a PDF in a few months, or you can buy it in dead tree format now.
Other books are also linked there.
I am a viral sig. Please copy me and help me spread. Thank you.
2. Next, set up your sources.list file to point only to that server.
3. 17 8 * * * root apt-get update; apt-get upgrade
4. ???
5. Profit!!!
Content Management System: A pretentious way of saying "text editor."
While you're downloading your 50 meg package *I'll* be smugly compiling the 300 megs worth of source code to to patch the 3 changed lines of code.
I am taking you too seriously maybe ;)
.deb packages (ONLY the .deb packages) from the /var/cache/apt/archive of an updated machine to the one to be updated. Apt recognizes it already have a local copy of the packages and refrains from obtaining it again from the network. Handy when installing a slightly old debian version on a new partition.
Anyway, first of all i'd use aptitude instead of apt-get. It has similar command line options (aptitude update, aptitude [dist-]upgrade), it has nice ways to resolve dependency problems, and it keeps a log of the upgrades (more precisely of the upgrade requests, IIRC).
Then, having each box doing an update on its own is an unnecessary waste of band. There is stuff like apt-proxy.
Another trick is to copy the
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol
Haha the guy's right though. Just saved me six bucks. +1 insightful if i had mod points :P
Just asking....
-b
For a group of people that prides themselves on being so smart, the average Slashdot Submission (and subsequently, the posting of said submission to the front page) is rife with grammar errors.
to individually download - split infinitive
Proofreading is so simple, yet none of you ever do it.
For those of you running Debian networks with a lot of boxes, you can use apt-proxy to apt-update/upgrade and patch all the machines through one download.
What about Gentoo's system where you use emerge and emerge sync...
Did it get a mention, or not?
SCIREV.NET - fanfics,reviews & more
Before anything goes into production, it goes into test.
YOU are the one responsible if a package breaks a production server.
You can still set a cron job to auto-magically download and install the apps, but you'd point it to your own repository where you put only the packages that have passed your testing.
The more "mission critical" something is, the less you want to automate ANY process that changes ANYTHING on the OS or apps.
For our critical database server, I come in on the weekend and hand apply every patch. And that is AFTER those same patches have been applied to the test server.
Shell Scripting is for people who like (and know how to use) *NIX.
Who needs packages and 'patches' when you can automate the installation/update across 12931293789321728 machines from the execution of 1 simple (hand-coded) shell script, using NFS and rsh.
the only permanence in existence, is the impermanence of existence.
Interested? Write to Mark_Taub at Prenhall.com and say you're interested in being in the Perens series.
Bruce
Bruce Perens.
sudo apt-get update && sudo apt-get upgrade
Step 2 has two parts. Files that simply overwrite existing files can be installed with no further change. There probably wouldn't be too many examples of those. The other step is to install patch files into a patch archive directory.
Step 3 has one mandatory part and one of two optional parts. The first part is to apply the binary patch(es). You're always going to need that. The second part is to re-insert patches rolled out by the %pre phase that can be rolled back in again at this point. This is only meaningful if there is a %pre phase. Finally, if there isn't a %pre phase, you want to clean up the patch archive directory.
You now have a binary patch RPM.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
If you had two Linux virtual systems, you could update the one not in use, then fail-over all of the running applications to it. You then update the one that was in use. The kernel is then updated, but the user doesn't have to wait for a reboot, as a virtual system is always running.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
I think they folks at Matrix42 (www.matrix42.com) have a product that can patch Linux as well as Windows from the same server. not sure how that's possible.
You could run Gentoo, and get to do both ...
Great review, interesting book, I'll consider buying a copy.
But the name "Patch Management" sorry that really grates on me. Almost universally GNU/Linux systems have abandoned patches, and perform upgrades to whole components at a logical level. Its the best way to do it found so far, but I don't think of those as "patches".
Or is that just me?
I have it and I liked it. Its time we started treating this OS as a proper productino ready OS.
Scott McNealy to Michael: "Suck my Sun!" Michael Dell to Scott : "Lick my Dell!"
This is a book I would recommend to any body interested in keeping their Linux machines upto date. Very well written book with scores of examples. And the reviewer has done justice to the book by writing such a descriptive and well rounded article.
APT makes this stuff so simple, that the idea of writing a book on it is ridiculous. Just configure machines, using other apt tools for major roll-outs if necessary, and set up a proxy server which caches patches, then serves them to clients. If you want to pre-approve patches, you can do that too by running commands on demand rather than automatically. Simple. Or, as simple as you can expect it to be, at least, given that patches sometimes break stuff on any system. What we really need though, is organization-wide security, like Active Directory (and maybe eDirectory) provides. Right now, you can lock desktops down via KDE's kiosk tools, and secure directories and devices etc., but on other systems, you can specify configuration for many programs on a network-wide basis, or group-wide, or whatever. I'd love to see a debian-based distro that takes that seriously, and patches every util/app/desktop to support it fully. There are frameworks to do this, and KDE 4 is going to use one I think, but apart from that, it seems to be about the only interest I've seen for such a huge gap in the Linux market :(
Save yourself $6.30 by buying the book here: Linux Patch Management. And if you use the "secret" A9.com Instant Reward discount, you can save an extra 1.57%! That's a total savings of $6.77, or 19.07%!
I like making all files on all machines on a LAN, excluding network addressing, electronic licensing and logs, bit-for-bit identical. Doing so massively reduces management overhead and improves management control.
I've managed networks of several hundred machines this way and it works well. I checksum all files and directories on all machines on a regular basis and if anything's different in time or space I find out why and make sure it doesn't happen again. I've found dozens of very obscure and troublesome software and hardware bugs this way, have very good uptime and I can concentrate on making sure the master machines are well configured rather than waste time trying to put out fires all over the network all the time. If individual machine classes need to have different configurations I partition those differences out and manage them separately
Distributing patch packages is error prone. By working at the file level it's easy to be confident everything is okay. You can also often distribute and back out "patches" (just a list of files to be rsync'ed) in the background very quickly at short notice with minimal impact on users.
---
Keep your options open!
This is the same Michael Yang that wrote the RHCE Study Guide..? the same one that is full of mistakes..? read it and try and comprehend LVM using his book.. you cant because he doesn't seem to understand what hes writing and conveys that confusion to the reader brilliantly.
After several of us obtained our RHCE's we coined the book 'The big red book of sh*t'.
I'm quite happy to keep away from anything written by this man.