Discussion:
Keeping hosts updated
Jaco
2011-11-24 23:09:09 UTC
Rather than run all apps/services on a single host, I make extensive use
of multiple VM & baremetal systems (local & remote) for my setups; most
of them are Ubuntu, with a few Debian & BSD's in the mix.

One of my pet peeves is keeping them updated.
At the moment I manage to do that with a script that uses cert-based
SSH-connections to remotely run the update/upgrade/dist-upgrade process,
but this is not exactly ideal (for a number of reasons that I'd prefer
not to get into at this stage).

Does anyone have a better way of doing this?

- Jaco

_______________________________________________
NZLUG mailing list ***@linux.net.nz
http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug
Jim Cheetham
2011-11-24 23:32:52 UTC
On Fri, Nov 25, 2011 at 12:09 PM, Jaco <***@yahoo.co.uk>
Post by Jaco
multiple VM & baremetal systems (local & remote) for my setups; most
of them are Ubuntu, with a few Debian & BSD's in the mix.
One of my pet peeves is keeping them updated.
Two approaches work for me :-

For a collection of Debian-like machines, 'apt-dater'
http://www.ibh.de/apt-dater/ does an excellent job, combine that with
a regular apt-get --download-only & notification and you're sorted
well.

For a collection of dissimilar machines, puppet would help, even
though it has a far wider scope it can look after package versions
just fine.

-jim

Steve Holdoway
2011-11-25 03:12:20 UTC
Post by Jim Cheetham
Post by Jaco
multiple VM & baremetal systems (local & remote) for my setups; most
of them are Ubuntu, with a few Debian & BSD's in the mix.
One of my pet peeves is keeping them updated.
Two approaches work for me :-
For a collection of Debian-like machines, 'apt-dater'
http://www.ibh.de/apt-dater/ does an excellent job, combine that with
a regular apt-get --download-only & notification and you're sorted
well.
CentOS also offers yum-updatesd which will keep you up to date
automagically if you trust them.

However, the question also needs to be expanded to keeping $CMS updated
as well in a lot of cases. I find that most of the big ones have
extensions that at least tell you that you need to update...

hth,

Steve
--
Steve Holdoway BSc(Hons) MNZCS <***@greengecko.co.nz>
http://www.greengecko.co.nz
MSN: ***@greengecko.co.nz
Skype: sholdowa
Tomislav Skunca
2011-11-25 03:18:43 UTC
Post by Steve Holdoway
Post by Jim Cheetham
Post by Jaco
multiple VM & baremetal systems (local & remote) for my setups; most
of them are Ubuntu, with a few Debian & BSD's in the mix.
One of my pet peeves is keeping them updated.
Two approaches work for me :-
For a collection of Debian-like machines, 'apt-dater'
http://www.ibh.de/apt-dater/ does an excellent job, combine that with
a regular apt-get --download-only & notification and you're sorted
well.
CentOS also offers yum-updatesd which will keep you up to date
automagically if you trust them.
However, the question also needs to be expanded to keeping $CMS updated
as well in a lot of cases. I find that most of the big ones have
extensions that at least tell you that you need to update...
hth,
Steve
You can try Puppet (http://www.puppetlabs.com/). There is a FOSS and a
commercial version with extra features.

Jim Cheetham
2011-11-25 04:33:42 UTC
On Fri, Nov 25, 2011 at 4:18 PM, Tomislav Skunca
Post by Tomislav Skunca
Post by Steve Holdoway
CentOS also offers yum-updatesd which will keep you up to date
automagically if you trust them.
Agreed, there are many tools for "just blindly update" but I don't
really recommend that approach. Automatically grab the latest updated
list of packages, yes. Download them, probably. But apply them without
a human checking or authorizing? No ...
Post by Tomislav Skunca
Post by Steve Holdoway
However, the question also needs to be expanded to keeping $CMS updated
Very good point.
Post by Tomislav Skunca
You can try Puppet (http://www.puppetlabs.com/). There is a FOSS and a
commercial version with extra features.
And back to Puppet -- if you have complex requirements, Puppet will
satisfy them, you may have to do some foundational work but it will
pay off in the long term.

My main use-case for apt-dater is a large number of hosts that belong
to different customers, and while I have responsibility for package
update management, I don't have responsibility for anything else (i.e.
the wider configuration). So Puppet doesn't provide sufficient
benefits in this case; but it will in many others.

-jim

Daniel Pittman
2011-11-25 04:37:54 UTC
On Thu, Nov 24, 2011 at 19:18, Tomislav Skunca
Post by Tomislav Skunca
Post by Steve Holdoway
Post by Jim Cheetham
Post by Jaco
multiple VM & baremetal systems (local & remote) for my setups; most
of them are Ubuntu, with a few Debian & BSD's in the mix.
One of my pet peeves is keeping them updated.
Two approaches work for me :-
For a collection of Debian-like machines, 'apt-dater'
http://www.ibh.de/apt-dater/ does an excellent job, combine that with
a regular apt-get --download-only & notification and you're sorted
well.
CentOS also offers yum-updatesd which will keep you up to date
automagically if you trust them.
However, the question also needs to be expanded to keeping $CMS updated
as well in a lot of cases. I find that most of the big ones have
extensions that at least tell you that you need to update...
You can try Puppet (http://www.puppetlabs.com/). There is a FOSS and a
commercial version with extra features.
Disclosure: I am one of the core Puppet developers.

Puppet is awesome, and would have plenty of value in this situation,
but it isn't actually directly awesome for the "keep lots of random
packages up to date" problem; because it focuses on modelling the
desired state and leaving anything you don't model the heck alone,
getting everything updated would require you to model *every* package.

Most people end up deploying something like apt-dater, apticron, or
yum-updatesd, with it, and using that to handle the bulk of the
package update work.

One of our developers did build a tool over the top of our mcollective
suite that would find and update packages on any system that supported
Puppet though. That was pretty awesome, but I don't know where it was
released off hand.

Daniel
--
♲ Made with 100 percent post-consumer electrons

Jaco
2011-11-24 23:53:50 UTC
Post by Jim Cheetham
Two approaches work for me
Cheers :)
I'll look into it

- J

Daniel Lawson
2011-11-25 08:42:15 UTC
Post by Jaco
Rather than run all apps/services on a single host, I make extensive
use of multiple VM & baremetal systems (local & remote) for my setups;
most of them are Ubuntu, with a few Debian & BSD's in the mix.
One of my pet peeves is keeping them updated.
At the moment I manage to do that with a script that uses cert-based
SSH-connections to remotely run the update/upgrade/dist-upgrade
process, but this is not exactly ideal (for a number of reasons that
I'd prefer not to get into at this stage).
Does anyone have a better way of doing this?
Redhat has, or used to have, a commercial service that let you manage
the packages installed on your redhat systems. I think it was controlled
via Redhat Satellite Server, or else via a portal on redhat.com

Ubuntu have a commercial service called landscape that does what you
want as well, and it looks like it's either run from the internet, or
you can have a local Landscape server installed.

Neither help if you have a heterogeneous network of course, or if you
have neither RedHat nor Ubuntu on your systems.


I trialled "System Upgrade Manager" about 5 years ago, and it was pretty
close to being useful in this respect. Distro agnostic, managed from
your own system, OSS. I ended up not using it because the issue of ssh
key management was a pain in the ass (and I didn't have time to look
into cfengine; puppet didn't exist at the time). It looks like
development has stalled on it though. http://freecode.com/projects/sysmgr

It's only marginally better than your script though, I guess. It gives
you a dashboard view of what's up to date, so maybe that's useful. You
could always do the same thing with scripts and poke them into Nagios or
similar to warn you when there are packages outstanding.

Personally, I use apticron and clusterssh to handle upgrades. I
haven't used apt-dater, it looks like it might be useful.

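Daniel Lawson's suggestion of scripts that feed a "packages outstanding" state into Nagios, combined with Jim Cheetham's earlier policy of refreshing lists and downloading updates without applying them, as one added example that is not from the thread. The thresholds, package names and version strings are constructed; the live `--run` mode assumes a Debian/Ubuntu host with apt-get.

```shell
#!/bin/sh
# Added example, not code from the thread: a Nagios-style check of outstanding
# Debian/Ubuntu package upgrades, in the spirit of Daniel Lawson's "poke them
# into Nagios" remark and Jim Cheetham's policy of refreshing package lists and
# downloading updates without applying them. Exit codes follow the Nagios
# plugin convention: 0 OK, 1 WARNING, 2 CRITICAL. Thresholds are assumptions.
WARN_THRESHOLD=${WARN_THRESHOLD:-1}
CRIT_THRESHOLD=${CRIT_THRESHOLD:-10}

# Constructed sample of "apt-get -s upgrade" output, used for the offline demo.
SAMPLE_OUTPUT='Reading package lists...
Inst libssl1.0.0 [1.0.0e-2ubuntu4] (1.0.0e-2ubuntu4.1 Ubuntu:11.10/oneiric-security [amd64])
Inst vim-common [2:7.3.154-2ubuntu3] (2:7.3.154-2ubuntu3.1 Ubuntu:11.10/oneiric-updates [amd64])
Conf libssl1.0.0 (1.0.0e-2ubuntu4.1 Ubuntu:11.10/oneiric-security [amd64])'

# count_pending OUTPUT: print "<total> <security>" from the "Inst" lines that
# apt-get -s emits, one per package it would upgrade; upgrades coming from a
# *-security pocket are counted separately so they can escalate the status.
count_pending() {
    printf '%s\n' "$1" | awk '
        /^Inst / { total++; if ($0 ~ /-security/) sec++ }
        END { printf "%d %d\n", total + 0, sec + 0 }'
}

# nagios_status TOTAL SECURITY: print the status line, return the Nagios code.
nagios_status() {
    if [ "$2" -gt 0 ] || [ "$1" -ge "$CRIT_THRESHOLD" ]; then
        echo "CRITICAL - $1 upgrade(s) outstanding, $2 from a security pocket"
        return 2
    elif [ "$1" -ge "$WARN_THRESHOLD" ]; then
        echo "WARNING - $1 upgrade(s) outstanding"
        return 1
    fi
    echo "OK - no outstanding upgrades"
    return 0
}

mode=${1:-}
if [ "$mode" = "--run" ]; then
    # Live mode: refresh lists and download packages, but never install them;
    # a human still decides when to apply (apt-get upgrade, apt-dater, ...).
    apt-get -qq update && apt-get -qq -y --download-only upgrade >/dev/null
    out=$(apt-get -s upgrade)
else
    out=$SAMPLE_OUTPUT   # offline demo on the constructed sample above
fi
set -- $(count_pending "$out")
rc=0; nagios_status "$1" "$2" || rc=$?
[ "$mode" = "--run" ] && exit "$rc"
```

Without arguments the script reports on the constructed sample; with `--run` it performs the real update/download cycle and exits with the Nagios code, so it can be wired in as a plugin.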
Dagan
2011-11-26 05:09:57 UTC
Post by Daniel Lawson
Post by Jaco
Does anyone have a better way of doing this?
Redhat has, or used to have, a commercial service that let you manage
the packages installed on your redhat systems. I think it was controlled
via Redhat Satellite Server, or else via a portal on redhat.com
In fact the upstream for this is a free product, and supports more
distros. It is also adding support for PostgreSQL as the back-end (RHN
uses Oracle as the back-end DB).

http://spacewalk.redhat.com/

Support for: Fedora, CentOS, SLE and Debian

http://spacewalk.redhat.com/faq.html

I've been considering installing it, wanting to use the PostgreSQL
support.

Dagan


Jaco
2011-11-26 02:08:15 UTC
Post by Daniel Lawson
Ubuntu have a commercial service called landscape that does what you
want as well, and it looks like it's either run from the internet, or
you can have a local Landscape server installed.
A combination of Landscape & Puppet seems like the (long-term) ideal
solution, but requires some time & effort to get right.
I'll need to make a commitment to AppArmor/SELinux to deploy & maintain
policy, such as application/process-whitelisting, etc.

What's spurred me to do this, beyond a very few systems, is this good
report (posted before; might've been elsewhere):
Top 35 Mitigation Strategies
http://www.dsd.gov.au/infosec/top-mitigations/top35mitigationstrategies-list.htm

Quick summary of top points:
* Patch OS
* Patch apps
* Restrict privileges & scope
* Whitelist

I've been doing some of this for some time (to a greater & lesser
extent), but I want to take the monotonous leg-work out of recurring
repetitive tasks (i.e. automation).
Much of this seems like common sense, which really isn't all that common.

Thanks for the pointers & please keep them coming.

Cheers

- Jaco