Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cross-Distro Remote Package Administration?

Posted by kdawson on from the i-patch dept.

tobiasly writes "I administer several Ubuntu desktops and numerous CentOS servers. One of the biggest headaches is keeping them up-to-date with each distro's latest bugfix and security patches. I currently have to log in to each system, run the appropriate apt-get or yum command to list available updates, determine which ones I need, then run the appropriate install commands. I'd love to have a distro-independent equivalent of the Red Hat Network where I could do all of this remotely using a web-based interface. PackageKit seems to have solved some of the issues regarding cross-distro package maintenance, but their FAQ explicitly states that remote administration is not a goal of their project. Has anyone put together such a system?"

8 of 209 comments (clear)

  1. Tools exist by PeterBrett · · Score: 5, Informative
    1. Create a local package repository for each distro.
    2. Set apt/yum to point at only the local repository.
    3. Create a cron job on each box to automatically update daily.
    4. When you want to push a package update out to all boxes, copy it from the public repository to the local one.
    5. Profit!
    --
    Pirate Party UK
  2. Webmin by trendzetter · · Score: 5, Interesting

    I recommend Webmin which 100% FOSS. I have found it reliable, flexible and feature-rich.

  3. clusterssh by circlingthesun · · Score: 5, Interesting

    allows you to ssh into multiple machines and execute the same command on all of them from one terminal window. So if you set up a shell script that detects a host's distro and then execute the relevant update command you should be sorted.

  4. Re:Remote admin of a UNIX box? by Nursie · · Score: 5, Insightful

    Uh, right. Like putting ssh commands into a script?

    ssh user@host aptitude update

    Set up key based login and you don't even have to type passwords. By the sounds of it he needs to pay some attention to each individual machine anyway, as he has multiple distros and wants to determine which patches he needs for each box.

  5. Re:You don't want it by galorin · · Score: 5, Informative

    Depending on how uniform your servers are, keep one version of CentOS and one version of Ubuntu running in a VM, and have these notify you when updates are available. When updates are available, test against these VMs, and do the local repository thing suggested by another person here. Do one system at a time to make sure something doesn't kill everything at once.

    Web based apps with admin privs are fine as long as they're only accessable via the intranet, strongly passworded, and no one else knows they're there. If you need to do remotely, VPN in to the site, and SSH into each box. You're an Administrtor, start administratorizing. Some things just shouldn't be automated.

  6. yum-updatesd is meant for that by MrMr · · Score: 5, Informative

    1) yum -e whateveryoudontneed
    2) chkconfig yum-updatesd on
    3) Make sure do_update = yes, download_deps = yes, etc are set in yum-updatesd.conf
    4) /etc/init.d/yum-updatesd start
    This makes your yum system self-updating.

  7. Re:Tools exist: we do it this way. by nick_urbanik · · Score: 5, Interesting

    I work in a large ISP, and this is the way we manage updates for the various Linux platforms we use. Quite simple, really. You can build tools that help: diff between the downloaded updates and what you have in your own repository, and mail you the ones that you are not using. I find lwn.net's security pages useful in keeping track of what security updates matter to us.

  8. Re:Remote admin of a UNIX box? by BruceCage · · Score: 5, Interesting

    Set up key based login and you don't even have to type passwords.

    Since you basically need root access to do updates this definitely poses a security hazard as when your client is compromised there is direct access to the server. Then again, an attacker could always use a keylogger to capture the password anyways.

    If you even attempt to do this I'd setup a different user account specifically for the process of updating and limit the rights accordingly and then I'd restrict the commands that can be executed (you can do this per key).

    There may actually be better ways but I'm not a very experienced sysadmin. Most experience I have is from managing a single web server and my local desktop obviously. Be sure to correct me (in a friendly manner) if I'm wrong.

    Then again, if you do this from the same machine as your normal account is located on you'll still have the same issues in case of a compromised client. Probably just best to limit every single account to just that what is specifically needed and setup proper host based intrusion detection (OSSEC?) to be notified when something goes wrong. This stuff is hard...

    --
    Perfect is the enemy of done.