Answer Squad

This Q&A column answers one LinuxWorld Magazine reader's question per installment. Send your questions to answersquad@linuxworld.com, or submit them using the Ask the AnswerSquad link at www.LinuxWorld.com.

Q: How does Linux deal with patch management? Not just deployment, but tracking the installation of patches.

First, let's make sure we're talking about the same thing. "Patches" are tweaks and updates to applications or the OS to close off security holes, fix bugs, and so on. To keep track of the so-called patch level the OS needs to keep a database of what's installed and the exact version of each component. Linux folk talk about this as package management since we tend to replace entire packages these days instead of applying small patches to them; probably the best known package management system is RPM, the Red Hat Package Manager. However, just about all Linuxes have a package and patch management system, with the DEB (Debian) package format being equally popular in the Linux space.

Using the package management system on your Linux box, you can tell what version of a package you have, with the patches included, by watching package numbers. You will see crazy package names like "VMware-workstation-4.0.5-6030.i386. rpm." In this case, you're looking at VMWare version 4, with the 4.0.5 update, and then likely a "build number" (how many times the package had been compiled up to this point) or a date - it's hard to tell in this case. However, at a glance, it's not too hard to see that this package is newer than VMware-workstation-4.0.0-4460.i386.rpm, which is the straight version 4 release with an earlier build number.

In the good old days, you used to have to watch mailing lists and update your packages by hand when announcements came out. This option is still available and is still preferred by a good number of experienced Linux administrators. However, with 10 years of Linux maturing come better toolsets to help make administrators' and users' lives easier. Linux today offers a variety of methods for handling operating system and software patches, depending on which distribution you're working with. Note again that we're talking mainly about packages and not patches, but that in the Linux space these are often seen as the same thing. You'll need to deal with actual patches only when you have software installed and compiled from the raw source code.

Determining Which Updates You Need

Before we get into specific tools, it's important to point out how to determine which patches you absolutely need and which you can do without. After all, you don't have to apply every new update, and at times there are risks with a new update that mean that you shouldn't apply it in your particular situation. You know that old computer rule, "fixing one thing just breaks another." These days, most security and bug-fix updates aren't actually a problem - especially the security fixes. We're just those paranoid types who feel the need to point out that there are updates you might want to do without.

You can track information about available updates by subscribing to a small but important selection of mailing lists. First, join the security alerts list for your distribution. The URLs for finding these lists in some favorite distributions are:

• Debian: http://lists.debian.org/users.html
• Gentoo: www.gentoo.org/main/en/lists.xml
• Mandrake: www.mandrakesecure.net/en/mlist.php
• Red Hat: www.redhat.com/solutions/security/news/
• SUSE: www.suse.com/us/private/support/online_help/mailinglists/

Typically you'll want the distribution's "security announcements" list. If you're not fond of installing every update that comes your way, you can use this list to easily identify absolute must-install patches. In addition, many of the more advanced updating tools out there allow you to see the same information about a particular update without having to turn to a list.

Here's a tip before we venture into specifics: all of the updating tools (including manual, obviously) that we've seen allow you to keep the updated packages on your hard drive after they're installed. This means that you can grab the updates for only one computer on your network and then apply them to other computers on your network without having to use the update tool at all! A handy shell script or an advanced tool can automate this for you.

Updating via the Security Mailing Lists

One method of updating is using the security mailing lists themselves. These days, many people don't do this, opting instead for the various tools we'll discuss in a moment - after all, an admin's life is busy, so why spend extra time doing things manually when some well-written automation lets you get on with the rest of your work? However, you may have your reasons for wanting to stick with the mailing lists, so we felt the need to include this issue.

When updating through the lists, you can often download the newly updated package by clicking through a link in the notification e-mail. If not, the updates are available through the distribution's Web or FTP site, letting you download the items directly from an errata or updates section. Exactly what you need to do will be detailed in the distribution's documentation or in the warning e-mail.

Fortunately, as previously mentioned, there are many updater tools available for Linux. Some of these are distribution-specific while others are neutral or work on a variety of distributions that all share the same packaging scheme (RPM or DEB, for example). There are also third-party products available that do a higher-level job, including handling rollbacks and more advanced mass-installation and maintenance tasks.

Updating Debian

Debian (www.debian.org) has long been a leader in offering easy updates with its apt series of utilities - see the APT HOWTO at www.debian.org/doc/user-manuals#apt-howto. While there is no automatic notification of updates available through this tool (see the Debian mailing lists for how to keep up with updates), you can use apt-get in particular to update currently installed packages and add new ones. A quick cron job even lets you automate the updating process, and if you have more than one Debian machine, there is an apt proxy tool available to let you quickly set up an update server as well.

Those who prefer a GUI interface can get the Storm Package (http://sourceforge.net/projects/stormpkg/) program, which lets you point and click your way through keeping everything up to the latest versions. A list of distributions that support the apt set of tools is available at the end of the APT HOWTO.

A note on Debian in particular: this distribution has three branches - stable, testing, and unstable. Since we assume you're using stable for your production servers, we'll point out that the only updates available for these installations are security fixes, which you can pretty much guarantee you will want to install the moment they're available.

Updating Fedora Core

Fedora Core (http://fedora.redhat.com) offers a trio of choices (see http://fedora.artoo.net/faq/ for details): Red Hat's up2date utility, yum, and a version of apt adjusted to manage RPMs. Yum is equivalent in most ways to apt-get, so we won't spend additional time on it here. Up2date, on the other hand, allows capabilities such as rollbacks so that if you find you are unhappy with the updated version you just installed you can revert to the previous program version without having to uninstall and then re-install it from scratch. You need to turn on the ability to use rollbacks if you want them; this is not on by default.

When it comes to patch management, one advantage in Fedora Core (and Red Hat Enterprise Linux) is that GUI users have a desktop icon that notifies them when an update to an installed package is available. If you're not a GUI user or don't want to have to rely on the Red Hat Network icon, you can once again utilize cron jobs to have the command-line tools check in and tell you what updates are out there - on top of making sure to subscribe to those important security lists!

An advantage to the GUI tools is that you can typically read the notes for the update before deciding if you want to apply it or not. With the command-line tools, you often must either go out of your way to run extra commands to get the same information, or you might have to rely on the mailing lists or surfing to the distribution's Web site to find out more.

Updating Gentoo

Gentoo (www.gentoo.org) offers the Portage build system (see www.gentoo.org/doc/en/portage-user.xml and www.gentoo.org/doc/en/portage-manual.xml). Rather than working on a package level like the others, Portage builds software from source code, automatically downloading and compiling dependencies as required. This is a developer's distribution for the most part.

Again, you can use a cron job to check for available updates when desired, and then either apply them manually or have the cron job handle them.

Updating Mandrake

Mandrake (www.mandrake-linux.com) offers urpmi, which is similar to yum and the RPM-handling version of apt-get, along with gurpmi, its graphical front end. Once again, a quick cron job and a solid configuration, and you're good to go.

Updating Red Hat Enterprise Linux

RHEL offers up2date, as discussed in the Fedora Core section, and - more important for enterprise users with many machines with different configurations to manage - the Red Hat Network (www.redhat.com/software/rhn/). Again, you have the RHN icon on GUI desktops to alert you when there are updates available, but even better, you have advanced features at your beck and call that can seriously ease a system administrator's life. Both the Management and Provisioning modules are worth investigation, and again, roll-backs are available if you find that an update breaks unexpected services.

RHN does not allow for installing new software along with its update capabilities, so you may find combining it with the other tools discussed here worthwhile. It does, however, let you update multiple machines at once. You can even (with the proper licenses for a large institution like a university) set up your own satellite RHN server that stores all of the updates from the central RHN server, meaning that individual machines don't have to grab their updates from outside your own network.

Updating SUSE

SUSE (www.suse.com) offers YaST2 (www.suse.de/~sh/YaST2-Package-Manager/), which can handle both updates and new software packages. While not quite as friendly to newcomers as the Red Hat Network's updating component, YaST2 is feature-rich and allows you a fine grain of control over which packages will be changed and added. Because of this ability to add new software, it takes YaST2 users longer to get used to the tool as it adds a necessary level of complexity. However, it's pretty handy.

You can also schedule automatic updates directly with the YaST2 interface instead of having to create a cron job, which is good since otherwise you would have to find a way to automate a menu-driven process. YaST2 offers both a graphical and text menu interface; however, those administrators who are not comfortable with the idea of just allowing a patch program to do its thing without supervision are going to want to run the updater manually.

Updating with Third-Party Tools

Then there are the third-party tools. When it comes to advanced features such as provisioning, these are often where you want to turn - except in the case of Red Hat Network users, who will want to look at the Provisioning module before committing to software they might not need. Those who must support cross-platform environments in the enterprise will especially like the latest crop of vendor solutions, including:

• PatchLink: www.patchlink.com
• Novell Ximian Red Carpet Enterprise: www.ximian.com/products/redcarpet_enterprise
• IBM's Tivoli Intelligent ThinkDynamic Orchestrator: www-306.ibm.com/software/tivoli/products/intell-orch
• VERITAS OpForce: www.veritas.com/products/category/ProductDetail.jhtml?productId=itautomation

As you can see, patch management is not a trivial issue. You can use the simple tools that come with various distributions, or you can go all the way to the enterprise level and use provisioning products that can bring you from bare metal to a fully installed replacement server with automation - once you have taught them what to do. These third-party options also typically allow you to update a group of machines at once rather than having to do them all individually.