Slashdot Mirror


Cross-Distro Remote Package Administration?

tobiasly writes "I administer several Ubuntu desktops and numerous CentOS servers. One of the biggest headaches is keeping them up-to-date with each distro's latest bugfix and security patches. I currently have to log in to each system, run the appropriate apt-get or yum command to list available updates, determine which ones I need, then run the appropriate install commands. I'd love to have a distro-independent equivalent of the Red Hat Network where I could do all of this remotely using a web-based interface. PackageKit seems to have solved some of the issues regarding cross-distro package maintenance, but their FAQ explicitly states that remote administration is not a goal of their project. Has anyone put together such a system?"

14 of 209 comments

  1. Remote admin of a UNIX box? by Nursie · · Score: 1, Interesting

    No, nobody ever tried that before.

    Hmmm... let's see. SSH ring any bells? Or are you actually going up and sitting at the box to do these updates?

    1. Re:Remote admin of a UNIX box? by BruceCage · · Score: 5, Interesting

      Set up key-based login and you don't even have to type passwords.

      Since you basically need root access to do updates this definitely poses a security hazard as when your client is compromised there is direct access to the server. Then again, an attacker could always use a keylogger to capture the password anyways.

      If you even attempt to do this I'd set up a different user account specifically for the process of updating and limit the rights accordingly, and then I'd restrict the commands that can be executed (you can do this per key).

      There may actually be better ways but I'm not a very experienced sysadmin. Most experience I have is from managing a single web server and my local desktop obviously. Be sure to correct me (in a friendly manner) if I'm wrong.

      Then again, if you do this from the same machine as your normal account is located on you'll still have the same issues in case of a compromised client. Probably just best to limit every single account to just what is specifically needed and set up proper host-based intrusion detection (OSSEC?) to be notified when something goes wrong. This stuff is hard...

      --
      Perfect is the enemy of done.
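      A concrete form of the per-key command restriction BruceCage describes, as an added example rather than anything from the thread: a forced-command wrapper for a dedicated update account. The authorized_keys options, the key material, the account name and the sudoers entry are all assumed.

```shell
#!/bin/sh
# Added example (not from the thread): forced-command wrapper for a dedicated
# "updater" account, so a stolen key can only check for or apply updates.
# Pin it to the key in ~updater/.ssh/authorized_keys (key material is a placeholder):
#   no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,command="/usr/local/bin/update-only" ssh-rsa AAAA... updater@adminbox
# and grant the account just those two commands as root via sudoers (apt shown;
# a yum host gets the yum equivalents):
#   updater ALL=(root) NOPASSWD: /usr/bin/apt-get -s upgrade, /usr/bin/apt-get -y upgrade

# Map the client's request to an allowlisted command line. Prints the command
# to run, or prints nothing and returns 1 when the request is not allowed.
# Requests are matched whole, so "check; id" or "check && sh" are refused.
allowed_command() {
    case "$1" in
        check)   echo "sudo -n /usr/bin/apt-get -s upgrade" ;;
        upgrade) echo "sudo -n /usr/bin/apt-get -y upgrade" ;;
        *)       return 1 ;;
    esac
}

# Entry point when sshd runs this as the forced command: SSH_ORIGINAL_COMMAND
# holds whatever the client asked for. Anything outside the allowlist is logged
# to syslog and refused; a plain login gets no shell either, because this
# wrapper is all sshd runs and it simply exits.
run_forced_command() {
    req="${SSH_ORIGINAL_COMMAND:-}"
    client="${SSH_CLIENT%% *}"   # SSH_CLIENT is "ip port port"; keep the ip
    if cmd=$(allowed_command "$req"); then
        logger -p auth.info -t update-only "running '$req' for $client"
        exec $cmd
    fi
    logger -p auth.warning -t update-only "refused '$req' from $client"
    echo "update-only: command not permitted" >&2
    return 1
}

# Dispatch only when a client actually supplied a command, so the file can
# also be sourced to exercise the allowlist without executing anything.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then run_forced_command; exit $?; fi
```

From the admin box the check is then just `ssh -i updater_key updater@host check`, and the auth log shows every refused request.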
    2. Re:Remote admin of a UNIX box? by malinha · · Score: 2, Interesting
  2. Webmin by trendzetter · · Score: 5, Interesting

    I recommend Webmin, which is 100% FOSS. I have found it reliable, flexible and feature-rich.

    1. Re:Webmin by ParanoidJanitor · · Score: 3, Interesting

      I have to second this. Webmin has everything you ask for and then some. If you have an update script on each machine, you could easily update all of your machines at once with the cluster management tools. I know it works well with APT (having used it myself), but I can't speak for any of the other package managers. In the worst case, it's still easy to push an update command to the non-apt machines through the Webmin cluster tools.

    2. Re:Webmin by Anonymous Coward · · Score: 1, Interesting

      I third the Webmin idea - however, do not expose Webmin's port to the outside world.
      Use SSH to tunnel the port to the remote host.

      One other thing: while Webmin is excellent, and I do mean excellent (using it since 2000), it does some strange things if you use it to modify SERVERS (basically it appends new config data to foo.d.conf), which sometimes has undesirable effects on the given server(s), Apache being one that comes to mind first. Also, this effect is NOT evident with all servers that you use Webmin to modify. But as a tool to do just about everything else, and I DO mean everything, Webmin is rock solid. I would definitely recommend it.

      Oh yeah, good luck with Firefox and the self-signed SSL cert.

  3. clusterssh by circlingthesun · · Score: 5, Interesting

    Allows you to SSH into multiple machines and execute the same command on all of them from one terminal window. So if you set up a shell script that detects a host's distro and then executes the relevant update command, you should be sorted.

  4. You don't want it by mcrbids · · Score: 4, Interesting

    I admin several busy CentOS servers for my company. You probably don't want a fully web-based application:

    1) What happens when some RPM goes awry and borks your server(s)? Yes, it's pretty rare, but it DOES happen. In my case, I WANT to do them one by one in asc order of importance so that if anything is borked, it's most likely to be my least important systems!

    2) How secure is it? You are effectively granting root privs to a website - not always a good idea (rarely, never).

    Me? I have a web doohickey to let me know when updates are available. A cron job runs yum nightly and a pattern match identifies whether or not updates are needed, to show on my homepage. So it doesn't DO the update, but it makes it ez to see what has been done.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
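    The distro-detecting script the clusterssh comment suggests, combined with the nightly "are updates pending" check mcrbids runs from cron, as an added example that is not from any poster. It assumes /etc/os-release is present (older CentOS releases lack it) and only reports; nothing is installed.

```shell
#!/bin/sh
# Added example (not from any poster): a distro-detecting check script of the
# kind the clusterssh and cron-job comments describe. It reports pending
# updates and never installs them; the admin decides what to apply and when.

# Map an os-release ID (or ID_LIKE) to a package-manager family. The file path
# is a parameter so the mapping can be exercised on a constructed file;
# /etc/os-release is assumed present (older CentOS releases lack it).
pkg_family() {
    file="${1:-/etc/os-release}"
    [ -r "$file" ] || { echo unknown; return 1; }
    id=$(sed -n 's/^ID=//p' "$file" | tr -d '"')
    like=$(sed -n 's/^ID_LIKE=//p' "$file" | tr -d '"')
    case " $id $like " in
        *" debian "*|*" ubuntu "*)            echo apt ;;
        *" rhel "*|*" centos "*|*" fedora "*) echo yum ;;
        *)                                    echo unknown; return 1 ;;
    esac
}

# Print the hostname and the list of pending packages. Exit status follows
# the yum check-update convention: 0 = nothing pending, 100 = updates pending,
# 2 = unsupported distro, so a cron wrapper or a clusterssh run can branch on it.
check_updates() {
    host=$(hostname)
    case "$(pkg_family "${1:-/etc/os-release}")" in
        apt)
            apt-get -qq update >/dev/null 2>&1
            # A simulated upgrade prints one "Inst <pkg> ..." line per pending package.
            pending=$(apt-get -s upgrade 2>/dev/null | awk '/^Inst / {print $2}') ;;
        yum)
            # check-update prints "name.arch version repo" per pending package.
            pending=$(yum -q check-update 2>/dev/null | awk 'NF == 3 {print $1}') ;;
        *)
            echo "$host: unsupported distro, check by hand" >&2; return 2 ;;
    esac
    if [ -z "$pending" ]; then
        echo "$host: up to date"; return 0
    fi
    echo "$host: $(printf '%s\n' "$pending" | grep -c .) update(s) pending:"
    printf '  %s\n' $pending
    return 100
}

# Run the check only when asked, so the file can also be sourced for testing.
# Nightly: 0 3 * * * /usr/local/bin/check-updates --check >> /var/log/pending-updates.log
if [ "${1:-}" = "--check" ]; then check_updates; exit $?; fi
```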
  5. Func by foobat · · Score: 2, Interesting

    https://fedorahosted.org/func/

    I know it's got Fedora in its name but it's been accepted as a package into Debian (and thus Ubuntu).

    It's pretty cool, designed to control a lot of systems at once and avoid having to ssh into them all at once, has a built-in certification system, a bunch of modules written for it already, usable from the command line so you can easily add it into your scripts, and has a Python API so if you really wanted to you could throw together some Django magic if you wanted a web front end. OpenSymbolic is a web front end for it already although I haven't checked it out.

    Not exactly what you wanted as there's a bunch of work you'd need to do to get it to do the things you want.

  6. Re:Tools exist by JohnnyKlunk · · Score: 2, Interesting

    Totally agree. I know this is /. and we hate Windows - but it's similar to the way WSUS works, and since the introduction of WSUS I haven't given this question a second thought. You can set up different boxes to get updates on different schedules so the pilot boxes always get them first, then production boxes over a few days in a rolling pattern.

  7. Re:Tools exist: we do it this way. by nick_urbanik · · Score: 5, Interesting

    I work in a large ISP, and this is the way we manage updates for the various Linux platforms we use. Quite simple, really. You can build tools that help: diff between the downloaded updates and what you have in your own repository, and mail you the ones that you are not using. I find lwn.net's security pages useful in keeping track of what security updates matter to us.

  8. Re:In centos you could try by cerberusss · · Score: 3, Interesting

    the updates are installed automagically without any manual intervention

    I'm not sure that's a good idea on a server. Why would you mindlessly update packages on a server when there's no actual reason to do so?

  9. Re:Tools exist by value_added · · Score: 4, Interesting

    Assuming of course all boxes have the same version of the OS, the same packages installed, etc.

    And segregating things on the system that hosts the public repository is impossible?

    I don't think any of this is exactly rocket science. On my home LAN where I use FreeBSD, for example, I have a motley collection of hardware ranging from Soekris boxes to Opterons. Everything gets built on a central build server and distributed automagically from there using a setup similar to what's suggested by the OP. Not a single box has the same collection of userland software installed, while certain boxes do get their own custom world/kernel. None of this really requires more effort or involvement on my part than some careful thought beforehand.

    One of the nice advantages of a centralised setup is that it accommodates a clean way of testing things beforehand. Rolling out the latest but broken version of "foo" to multiple systems is something to be avoided.

  10. never update a live system .. by viralMeme · · Score: 2, Interesting

    "I administer several Ubuntu desktops and numerous CentOS servers. One of the biggest headaches is keeping them up-to-date with each distro's latest bugfix and security patches"

    My advice is, if it ain't broke don't fix it, especially on a production server. Have two identical systems and test the latest bugfix on that, before you roll it out to the live system. You don't know what someone else's bugfix is going to break and would have no way of rolling it back.