Keeping Software Up-to-Date

Of the many reasons to keep software up-to-date, one of the most important is security. Although you may hear about software-based security breaches after the fact, you rarely hear about the fixes that were available but never installed before the breach occurred. Timely installation of software updates is critical to system security. Linux open-source software is the ideal environment to find and fix bugs and make repaired software available quickly. When you keep the system and application software up-to-date, you keep abreast of bug fixes, new features, support for new hardware, speed enhancements, and more.

Bugs

A bug is an unwanted and unintended program property, especially one that causes the program to malfunction. Bugs have been around forever, in many types of systems, machinery, thinking, and so on. All sophisticated software contains bugs. Bugs in system software or application packages can crash the system or cause programs not to run correctly. Security holes (a type of bug) can compromise the security of the system, allowing malicious users to read and write files, send mail to your contacts in your name, or destroy all data on the system, rendering the system useless.

Even if the engineers fixed all the bugs, there would still be feature requests as long as anyone used the software. Bugs, feature requests, and security holes are here to stay. Thus they must be properly tracked if developers are to fix the most dangerous/important bugs first, users are to research and report bugs in a logical manner, and administrators are to apply the developers' fixes quickly and easily.

Bug tracking

Early on, Netscape used an internal bug-tracking system named BugSplat. Later, after Netscape created Mozilla as an open-source browser project, the Mozilla team decided that it needed its own bug-tracking system. Netscape's IS department wrote a very short-lived version of Bugzilla. Terry Weissman, who had been maintaining BugSplat, then wrote a new open-source version of Bugzilla in Tcl, rewriting it in Perl a couple of months later.

Bugzilla belongs to a class of programs formally known as defect tracking systems, of which Bugzilla is now preeminent. Almost all Linux developers use this tool to track problems and enhancement requests for their software. Red Hat uses Bugzilla to track bugs and bug fixes for its Linux distributions; Red Hat Network takes advantage of Bugzilla to notify users of and distribute these fixes. To use Bugzilla, go to the Bugzilla Web site.

Errata

For both RHEL and FEDORA, Red Hat processes security, bug fix, and new feature (enhancement) updates. The easiest way to learn about new updates and to obtain and install them is to use up2date on RHEL systems and yum on FEDORA systems.

As the Linux community, including Red Hat, finds and fixes operating system and software package bugs, including security holes, Red Hat generates rpm files that contain the code that fixes the problems. When you upgrade a system software package, rpm renames modified configuration files with a .rpmsave extension. You must manually merge the changes you made to the original files into the new files.
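The .rpmsave step above is easy to forget, and forgetting it can silently undo a hardening change: the upgraded package installs the vendor's default configuration file while your edited copy sits beside it with the .rpmsave suffix. The following script is an added example (not from the book, not part of rpm or up2date) that finds every saved file under a directory, classifies it, and prints the diff you need to merge. It assumes only POSIX sh, find, cmp and diff; the sample tree it builds (an sshd_config whose PermitRootLogin setting was reverted, an unchanged i18n file, and an orphaned saved file) is constructed for the demonstration, as is the name make_sample.

```shell
#!/bin/sh
# Added example (not from the book): find the .rpmsave files that rpm leaves
# behind when a package upgrade replaces a configuration file you had edited,
# classify each one, and show the diff the administrator must merge by hand.
# Assumes only POSIX sh, find, cmp and diff.

# Print MISSING, IDENTICAL or MERGE for one saved file.
classify_rpmsave() {
    saved="$1"
    current="${saved%.rpmsave}"          # strip the suffix to get the live file
    if [ ! -f "$current" ]; then
        echo MISSING                     # the package no longer ships this file
    elif cmp -s "$saved" "$current"; then
        echo IDENTICAL                   # nothing to merge; saved copy is redundant
    else
        echo MERGE                       # your edits exist only in the saved copy
    fi
}

# Number of *.rpmsave files under a directory (default /etc).
count_rpmsave() {
    find "${1:-/etc}" -name '*.rpmsave' 2>/dev/null | wc -l | tr -d ' '
}

# Walk a directory, report every saved file, and print a unified diff
# (saved copy -> installed copy) for the ones that differ.
# Exit status: 0 when nothing needs attention, 1 otherwise.
# Relies on word splitting of find output, so paths with spaces are not
# handled; that is fine for /etc on the systems this chapter describes.
report_rpmsave() {
    rc=0
    for saved in $(find "${1:-/etc}" -name '*.rpmsave' 2>/dev/null | sort); do
        current="${saved%.rpmsave}"
        kind=$(classify_rpmsave "$saved")
        printf '%-9s %s\n' "$kind" "$current"
        case "$kind" in
            MERGE)
                diff -u "$saved" "$current" || true   # diff exits 1 when files differ
                rc=1 ;;
            MISSING)
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree (not a real system) in a temporary directory.
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/ssh"
    # The hardened sshd_config the administrator wrote; rpm moved it aside...
    printf 'Port 22\nPermitRootLogin no\nPasswordAuthentication no\n' \
        > "$d/ssh/sshd_config.rpmsave"
    # ...and installed the vendor default in its place (root login allowed again).
    printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nUsePAM yes\n' \
        > "$d/ssh/sshd_config"
    # A file that was never edited: saved copy and new copy are identical.
    printf 'LANG="en_US.UTF-8"\n' > "$d/i18n.rpmsave"
    printf 'LANG="en_US.UTF-8"\n' > "$d/i18n"
    # A saved copy whose package no longer ships the file at all.
    printf 'old=1\n' > "$d/orphan.conf.rpmsave"
    printf '%s\n' "$d"
}

# Demo: run the report on the constructed sample, then clean up.
SAMPLE=$(make_sample)
report_rpmsave "$SAMPLE" \
    || echo "=> $(count_rpmsave "$SAMPLE") saved file(s) found; merge the MERGE entries by hand"
rm -rf "$SAMPLE"
```

On a real system run it as `report_rpmsave /etc` after an upgrade; the MERGE entries are the ones where the live file now carries the vendor defaults, and the IDENTICAL saved copies can simply be removed.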

RHEL

If you are running RHEL, you probably have a subscription to RHN and can use this service to find and download updates.

FEDORA

For information on Centos Linux updates, point a browser at the distribution's Web site and click Download and then Download Server. Select core and updates. Information about updates is posted to the Centos Linux Announce List. You can also use yum to find, download, and install updates.

up2date: Keeps Software Up-to-Date (RHEL)

The round button on the panel that changes colors to let you know when updates are available is called the Red Hat Network (RHN) Alert Notification Tool.

Working with the RHN server, the up2date utility downloads and optionally installs rpm packages using yum-like tools. It works with many files and directories, in graphical and character-based modes, and has many options.

The --configure option generates /etc/sysconfig/rhn/up2date, up2date's system profile file. The up2date-config utility (discussed in the next section) is a link to up2date with the --configure option. You do not normally use this option because up2date configures itself (creates the up2date system profile) when necessary. The --nox option (also up2date-nox) runs up2date in textual mode. Refer to the up2date man page for more information.

In addition to updating packages on the system, up2date can download and install Red Hat packages that are not on the system. In the following example, Superuser calls links, the character-based browser program, finds links is not on the system, and confirms that finding with whereis. Then up2date, with the whatprovides option, queries the RHEL repository to find that the elinks package provides links. Finally up2date, with an argument of the name of the rpm package to be installed, downloads the elinks package. In this case, up2date installs the package because that is what the up2date profile is set up to do. You must run up2date as Superuser to install or upgrade a package.

# links
bash: /usr/bin/links: No such file or directory
# whereis links
links:
# up2date --whatprovides links
elinks-0.9.2-3.2
# up2date elinks
Fetching Obsoletes list for channel: rhel-i386-es-4...
Fetching rpm headers...
########################################
Name                                    Version        Rel
----------------------------------------------------------
elinks                                  0.9.2          3.2               i386
Testing package set / solving RPM inter-dependencies...
########################################
elinks-0.9.2-3.2.i386.rpm:  ########################## Done.
Preparing              ########################################### [100%]
Installing...
   1:elinks                 ########################################### [100%]

When you give it a command, up2date determines where to look for the file you requested by looking at the /etc/sysconfig/rhn/sources configuration file. Initially the line up2date default in this file causes up2date to use the repository specified in the up2date configuration file (/etc/sysconfig/rhn/up2date).

up2date-config: Configures up2date

The up2date-config utility sets parameters in /etc/sysconfig/rhn/up2date, the up2date configuration file. Although you can run up2date-config from a command line, you do not usually need to do so because up2date configures itself as necessary the first time you run it. In a graphical environment, this tool displays a window with three tabs: General, Retrieval/Installation (Figure 13-3), and Package Exceptions. See Table 13-1.

Figure 13-3. Configuring up2date, Retrieval/Installation tab


Table 13-1. Configuring up2date

(Text box or check box: Function)

General/Network Settings

  Select a Red Hat Network Server to use: This text box is already filled in. Do not change it unless you have reason to do so.

  Enable HTTP Proxy: If you need to use a proxy server, enter the HTTP proxy server in the required format.

  Use Authentication: Select Use Authentication and fill in the Username and Password text boxes when the proxy server requires authentication. These spaces are for the proxy server, not for the RHN username and password.

Retrieval/Installation

  Package Retrieval Options

    Do not install packages after retrieval: Download, but do not install packages. You will need to install the new packages manually.

    Do not upgrade packages when local configuration file has been modified: Do not download or install packages that have been customized. This option is not necessary unless you are using packages other than the standard Red Hat packages.

    Retrieve source rpm along with binary package: Download the source code (*.src.rpm) file in addition to the binary file (*.arch.rpm) that is to be installed. The up2date utility does nothing with the source file except download it.

  Package Verification Options

    Use GPG to verify package integrity: Use Red Hat's GPG signature to verify the authenticity of the files you are downloading. If the Red Hat signature is not on the local system, up2date asks whether you want the system to download it for you. This is a critical security link; it is a good idea to select this option.

  Package Installation Options

    After installation, keep binary packages on disk: Normally binary rpm files are removed once the files they contain have been installed. Select this option if you want them left on the system in the package storage directory.

    Enable rpm rollbacks (allows "undo" but requires additional storage space): By using extra disk space, up2date can store information so it can uninstall a package it has installed and reinstall the version that was installed previously.

    Override version stored in System Profile: Download and install packages for a version of CentOS Linux that you specify in the text box, overriding the version number that is stored in the system profile.

    Package storage directory: Specify a directory to store the downloaded files in. By default, they are stored in /var/spool/up2date.

Package Exceptions

  Specify packages and files that you do not want to download. These names can include wildcard characters.

  Package Names to Skip: By default, kernel* appears in this list box, meaning that no rpm packages whose names begin with the letters kernel will be downloaded. Installing a new kernel is an important event, and CentOS Linux assumes you do not want this to happen without your knowledge. Use the Add, Edit, and Remove buttons to adjust the list box to meet your requirements. Normally you do not have to make any changes here.

  File Names to Skip: Similar to Package Names to Skip except you specify filenames you want to skip.
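Two entries in Table 13-1 are policy decisions worth seeing as code: the Package Names to Skip globs (kernel* by default) and the Use GPG to verify package integrity check. The script below is an added example (not from the book and not part of up2date) of a pre-install gate that applies both by hand to a list of downloaded packages: it skips names that match a skip pattern and refuses any package whose `rpm -K` (rpm --checksig) result does not show a verified GPG signature. The point it demonstrates is that "sha1 md5 OK" without "gpg" only proves the file is internally consistent, which a tampered rebuild also satisfies. The input records, the *-debuginfo pattern, the package names other than elinks, their versions, and the key id are constructed placeholders, as are the function names.

```shell
#!/bin/sh
# Added example (not from the book or from up2date): a pre-install gate that
# applies two Table 13-1 policies by hand. Records on stdin look like
#   name|<one line of rpm -K output>
# and each produces one SKIP / INSTALL / REJECT decision.

# Patterns from the "Package Names to Skip" list, one per line.
# kernel* is the default the book describes; *-debuginfo is an assumed local addition.
SKIP_PATTERNS='kernel*
*-debuginfo'

# Succeed (and print the matching pattern) if NAME matches any skip glob.
is_skipped() {
    name="$1"
    while IFS= read -r pat; do
        # $pat is left unquoted on purpose: in a case pattern it acts as a glob
        case "$name" in $pat) printf '%s\n' "$pat"; return 0 ;; esac
    done <<EOF
$SKIP_PATTERNS
EOF
    return 1
}

# Judge one line of rpm -K output. Returns 0 only when a GPG signature was
# checked and the result is OK; otherwise prints the reason and returns 1.
# A plain "sha1 md5 OK" means only the digests matched, so it is rejected.
sig_verdict() {
    case "$1" in
        *"NOT OK"*)          echo "signature check failed"; return 1 ;;
        *[gG][pP][gG]*" OK") return 0 ;;
        *" OK")              echo "no GPG signature verified (digests only)"; return 1 ;;
        *)                   echo "unrecognised rpm -K output"; return 1 ;;
    esac
}

# Read "name|rpm -K line" records and print one decision per record.
plan_install() {
    while IFS='|' read -r name sigline; do
        if [ -z "$name" ]; then continue; fi
        if pat=$(is_skipped "$name"); then
            echo "SKIP    $name (matches $pat)"
        elif reason=$(sig_verdict "$sigline"); then
            echo "INSTALL $name"
        else
            echo "REJECT  $name ($reason)"
        fi
    done
}

# Constructed sample records. elinks-0.9.2-3.2 is the package the chapter
# installs; the other names, versions and the key id are placeholders.
sample_report() {
    cat <<'EOF'
elinks|elinks-0.9.2-3.2.i386.rpm: (sha1) dsa sha1 md5 gpg OK
kernel|kernel-0.0.0-0.sample.i686.rpm: (sha1) dsa sha1 md5 gpg OK
foo|foo-1.0-1.noarch.rpm: sha1 md5 OK
bar|bar-2.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#PLACEHOLDER)
EOF
}

# Demo: decide what to do with each sample package.
sample_report | plan_install
```

On a real system the records would come from running `rpm -K` on each file in the package storage directory (/var/spool/up2date by default); a MISSING KEYS result means the signing key has not been imported, which is the situation the "download it for you" prompt in Table 13-1 resolves.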


Red Hat Network Alert Notification Tool

The Red Hat Network (RHN) Alert Notification Tool can take care of everything you need to do from the system to set up and run up2date to keep a system up-to-date. The RHN Alert Notification Tool is represented by a round button on both the GNOME and KDE Main panels. It shows one of four icons:

If the button is not on the Main panel, run rhn-applet-gui from Run Application on the GNOME Action menu on the panel at the top of the screen or Run Command on the KDE Main menu to display it. Table 13-2 describes the selections on the RHN Alert Notification Tool Icon menu (right-click to display these options).

Table 13-2. Red Hat Network Alert Notification Tool Icon menu

(Selection: Function)

  Check for updates: Runs up2date in the background to check for updates. The green icon with arrows on the Red Hat Network Alert Notification button shows that the system is communicating with the server.

  Launch up2date: Runs up2date in the foreground, opening a series of windows that do not give you many options.

  Configuration: Opens a series of windows that display the terms of service, allow you to configure a proxy, and check for updates.

  RHN Web site: Opens a Firefox window displaying the RHN Web site.


Red Hat Network (RHEL)

Red Hat Network, a service provided by Red Hat, is an Internet-based system that can keep the software on one or more RHEL systems up-to-date with minimal work on your part. You must subscribe to the RHN service to use it. Red Hat uses the term entitle to indicate that a system subscribes to RHN: A system must be entitled before it can take advantage of RHN. You can choose to make RHN more or less automated, giving you varying degrees of control over the update process. Red Hat charges a fee for this service.

The entitled systems are the clients; Red Hat maintains the RHN server. The RHN server is much more than a single server: It involves many systems and databases that are replicated and located in different areas. For the purpose of understanding how to use the client tools on the local system, picture the RHN server as a single server. For additional information, refer to the Red Hat Network manuals.

When Red Hat built RHN, security was its priority. Whenever you allow a remote system to put a program on a system and run it, the setup must be very close to the theoretical ideal of absolutely secure. Toward this end, RHN never initiates communication with a system. Once a program running on a system sends a message to the RHN server, the server can respond and the system can trust the response.

Subscribing to Red Hat Network (RHEL)

Perform the following tasks to subscribe to and start using RHN:

  1. Give the command up2date --register to open the RHN registration window. RHEL prompts you for the root password.

  2. Read the Welcome page and click Forward.

  3. The Red Hat Login window opens. Choose whether you want to Create New Account or Use Existing Account. Fill in the requested information. Click Network Configuration if you need to enable an HTTP proxy. Click Read our Privacy Statement to review Red Hat's privacy policy. Click Forward.

  4. The Activate window opens. Enter a subscription number or choose to use an existing, active subscription. The window allows you to confirm that you want to include hardware and package information in the profile information that the system will send to RHN at the end of this process. Enter the name you would like RHN to use when referring to the local system. You can put any information to help identify the system in this text box; usually the simple hostname is a good choice. When you click Forward, the program compiles a list of the hardware and rpm packages installed on the system and sends the local system's profile to RHN.

  5. The Channels window opens. Verify the information in this window. Click Forward to display a list of packages on the local system that need to be updated. You can choose to update the system at this time or wait until later. When you finish, the registration window closes.

If necessary, entitle the system. The error Service not enabled for server profile: "profilename" means that the system is not entitled. If you get this message, go to rhn.redhat.com, and log in with the username and password you set up in the Red Hat Login window (step 3). Click the Systems tab at the top of the page, and then click the System Entitlements box at the left. The system you just registered should be listed. Click the check box adjacent to the system you want to entitle and then click either Set to Update Entitled or Set to Management Entitled. Follow the instructions on the page if you need more entitlements.

You can check for updates at any time. Run up2date, or choose RHN Alert Notification Tool Icon menu: Check for updates to see if the RHN server downloads files to or exchanges information with the local system. Alternatively, give the command up2date list to see whether any packages are available for the system, thereby testing the connection with the RHN server.

You can start the flow of updates either from the system or from the Web site. From the system, run up2date. From the Web site, log in, click the Systems tab, click the name of the system in the table, click update now if applicable, and click Apply Errata. In either case, the next time the rhnsd daemon on the local system contacts the RHN server, the system will receive updates per the up2date profile (installed or not, left on the system or not, source code or not, and so on).

rhnsd: RHN Daemon

The RHN daemon (rhnsd) is a background service that periodically queries the RHN server to determine whether any new packages are available to be downloaded. This daemon is one of the keys to RHN security: It initiates contact with the RHN server so the server never has to initiate contact with the local system. Refer to the sections on managing services for information on how to start, stop, or display the status of rhnsd immediately, and on how to start or stop rhnsd at specified runlevels.