Monday, 22 February 2021

Linux Admin - System Updates

 The CentOS 7 system can be updated in three ways −

  • Manually
  • Automatically
  • Update manually for major security issues and configure automatic updates

In a production environment, it is recommended to update production servers manually, or at least to establish an update plan so the administrator can assure that services vital to business operations stay available.

It is plausible that a simple security update can cause recursive issues with common applications, which then require upgrading and reconfiguration by an administrator. So, be wary of scheduling automatic updates in production before testing them on development servers and desktops first.

Manually Update CentOS 7

To update CentOS 7, we will want to become familiar with the yum command. yum is used to deal with package repositories in CentOS 7. yum is the tool commonly used to −

  • Update the CentOS 7 Linux System
  • Search for packages
  • Install packages
  • Detect and install required dependencies for packages

In order to use yum for updates, your CentOS server will need to be connected to the Internet. Most configurations will install a base system, then use yum to query the main CentOS repository for additional functionality in packages and apply system updates.

We have already made use of yum to install a few packages. When using yum, you will always need to do so as the root user or as a user with root access. So let's search for and install an easy-to-use text editor called nano.

[root@centos rdc]# yum search nano
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.rackspace.com
 * epel: mirror.chpc.utah.edu
 * extras: repos.forethought.net 
 * updates: repos.forethought.net 
====================================================================== 
      N/S matched: nano 
======================================================================
nano.x86_64 : A small text editor
nodejs-nano.noarch : Minimalistic couchdb driver for Node.js
perl-Time-Clock.noarch : Twenty-four hour clock object with nanosecond precision
 Name and summary matches only, use "search all" for everything.
 
[root@centos rdc]#

Now, let's install the nano text editor.

[root@centos rdc]# yum install nano
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.keystealth.org
 * epel: pubmirror1.math.uh.edu
 * extras: centos.den.host-engine.com
 * updates: repos.forethought.net
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================  
Package                             Arch
Version                          Repository                            Size  
================================================================================  
 Installing: 
 nano                               x86_64
 2.3.1-10.el7                    base                                  440 k
 
Transaction Summary
Install  1 Package
Total download size: 440 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
nano-2.3.1-10.el7.x86_64.rpm
| 440 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : nano-2.3.1-10.el7.x86_64
1/1  
 Verifying  : nano-2.3.1-10.el7.x86_64
1/1  
Installed: 
 nano.x86_64 0:2.3.1-10.el7
 
Complete!

[root@centos rdc]#

We have installed the nano text editor. This method, IMO, is a lot easier than searching for utilities on websites and manually running the installers. Also, with yum, repositories use digital signatures to validate packages, assuring they come from a trusted source. It is up to the administrator to validate authenticity when trusting new repositories. This is why it is considered a best practice to be wary of third-party repositories.
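One way to review third-party repositories for disabled signature checking, as an added example that is not part of the original post: the function lists every enabled repository stanza that sets gpgcheck to an off value. A stanza without the key inherits the [main] value from /etc/yum.conf, which this script does not read; the sample repositories are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# audit_repo_gpg [DIR]: list enabled repositories whose stanza switches
# signature checking off. DIR defaults to /etc/yum.repos.d.
audit_repo_gpg() {
    for f in "${1:-/etc/yum.repos.d}"/*.repo; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function off(v) { v = tolower(v); return v == "0" || v == "no" || v == "false" }
            function report() {
                # "enabled" counts as on when the key is absent
                if (id != "" && !off(enabled) && off(gpgcheck))
                    printf "%s [%s] gpgcheck=%s\n", file, id, gpgcheck
            }
            /^[ \t]*[#;]/ { next }                       # comment line
            /^[ \t]*\[/ {                                # start of a new [repo-id]
                report()
                id = $0; sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                enabled = ""; gpgcheck = ""
                next
            }
            index($0, "=") {                             # key = value line
                k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
                if (k == "enabled")  enabled = v
                if (k == "gpgcheck") gpgcheck = v
            }
            END { report() }' "$f"
    done
}

# Constructed sample stanzas (hypothetical repositories, not real ones).
demo=$(mktemp -d)
cat > "$demo/thirdparty.repo" <<'EOF'
[signed]
baseurl=http://repo.example.invalid/signed/
gpgcheck=1
[unsigned]
baseurl=http://repo.example.invalid/unsigned/
gpgcheck = 0
[unsigned-but-disabled]
enabled=0
gpgcheck=0
EOF
audit_repo_gpg "$demo"    # prints: <demo>/thirdparty.repo [unsigned] gpgcheck=0
```

Run without an argument on a CentOS 7 host to audit /etc/yum.repos.d.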

Yum can also be used to remove a package.

[root@centos rdc]# yum remove nano 
Loaded plugins: fastestmirror, langpacks 
Resolving Dependencies 
--> Running transaction check 
---> Package nano.x86_64 0:2.3.1-10.el7 will be erased 
--> Finished Dependency Resolution

Dependencies Resolved 

Now let's check for updates.

[root@centos rdc]# yum list updates
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.keystealth.org
 * epel: pubmirror1.math.uh.edu
 * extras: centos.den.host-engine.com
 * updates: repos.forethought.net
Updated Packages
NetworkManager.x86_64           1:1.4.0-17.el7_3       updates
NetworkManager-adsl.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-glib.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-libnm.x86_64     1:1.4.0-17.el7_3       updates
NetworkManager-team.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-tui.x86_64       1:1.4.0-17.el7_3       updates
NetworkManager-wifi.x86_64      1:1.4.0-17.el7_3       updates
audit.x86_64                    2.6.5-3.el7_3.1        updates
audit-libs.x86_64               2.6.5-3.el7_3.1        updates
audit-libs-python.x86_64

As depicted, we have a few dozen updates pending to install. Actually, there are about 100 total updates since we have not yet configured automatic updates. Thus, let's install all pending updates.

[root@centos rdc]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * epel: pubmirror1.math.uh.edu
 * extras: repos.forethought.net
 * updates: repos.forethought.net
Resolving Dependencies
--> Running transaction check
---> Package NetworkManager.x86_64 1:1.4.0-14.el7_3 will be updated
---> Package NetworkManager.x86_64 1:1.4.0-17.el7_3 will be an update
 selinux-policy            noarch      3.13.1102.el7_3.15      updates     414 k
 selinux-policy-targeted   noarch      3.13.1102.el7_3.15      updates     6.4 M 
 systemd                   x86_64      21930.el7_3.7           updates     5.2 M 
 systemd-libs              x86_64      21930.el7_3.7           updates     369 k 
 systemd-python            x86_64      21930.el7_3.7           updates     109 k 
 systemd-sysv              x86_64      21930.el7_3.7           updates     63 k 
 tcsh                      x86_64      6.18.01-13.el7_3.1      updates     338 k 
 tzdata                    noarch      2017a1.el7              updates     443 k 
 tzdata-java               noarch      2017a1.el7              updates     182 k 
wpa_supplicant             x86_64      1:2.021.el7_3           updates     788 k  

Transaction Summary 
=============================================================================== 
  Install   2 Packages 
  Upgrade  68 Packages 
Total size: 196 M 
Total download size: 83 M 
Is this ok [y/d/N]:

After hitting the "y" key, updating of CentOS 7 will commence. The general process that yum goes through when updating is −

  • Checks the current packages
  • Looks in the repository for updated packages
  • Calculates dependencies needed for updated packages
  • Downloads updates
  • Installs updates

Now, let's make sure our system is up to date −

[root@centos rdc]# yum list updates 
Loaded plugins: fastestmirror, langpacks 
Loading mirror speeds from cached hostfile 
 * updates: mirror.compevo.com

[root@centos rdc]#

As you can see, there are no updates listed.

Configure Automatic Updates for YUM

In an Enterprise environment, as mentioned earlier, automatic updates may or may not be the preferred method of installation. Let's go over the steps for configuring automatic updates with yum.

First, we install a package called yum-cron.

[root@centos rdc]# yum -y install yum-cron
Install  1 Package
Total download size: 61 k
Installed size: 51 k
Downloading packages:
yum-cron-3.4.3-150.el7.centos.noarch.rpm
|  61 kB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-cron-3.4.3-150.el7.centos.noarch
1/1
  Verifying  : yum-cron-3.4.3-150.el7.centos.noarch
1/1

Installed: 
 yum-cron.noarch 0:3.4.3-150.el7.centos
 
Complete!

[root@centos rdc]#  

By default, yum-cron will only download updates and not install them. Whether to install updates automatically is up to the administrator. The biggest caveat is that some updates will require a system reboot. Also, some updates may require a configuration change before services are operational again.

Updating dependencies can possibly create a recursive problem in the following situation −

  • An update is recommended by yum for a certain library

  • The library only supports Apache Server 2.4, but we have server 2.3

  • Our commerce site relies on a certain version of PHP

  • The new version of Apache installed for the library requires upgrading PHP

  • Our production web applications have not yet been tested with the newer PHP version

Yum may go ahead and automatically upgrade Apache and PHP without notice unless configured not to.

If all 5 scenarios play out, it can result in anything from a big headache in the morning to a possible security compromise exposing user data. While the aforementioned example is a perfect storm of sorts, we never want such a scenario to play out.

It is up to the administrator to assess possible scenarios of revenue loss from the time needed to restore services after downtime caused by update reboots and reconfigurations. This practice may not be conservative enough for, say, a multi-million dollar per day ecommerce site with millions of customers.

Now let's configure yum-cron to automatically install system updates.

[root@centos rdc]# vim /etc/yum/yum-cron.conf
# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

We want to change apply_updates = no to apply_updates = yes. Now let's configure the update interval for yum-cron.

Again, whether to use automatic updates or install updates on demand can be a double-edged sword and needs to be considered by an administrator for each unique situation.
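One way to check the Apache and PHP hold-back before switching apply_updates on, as an added example that is not part of the original post: the script reads a yum-cron.conf and prints which of the named packages would still be updated unattended. It assumes the stock CentOS 7 layout (download_updates and apply_updates under [commands], an exclude line under [base], the section that overrides yum.conf) and matches exclude globs against plain package names only; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the stock yum-cron.conf
# layout: switches under [commands], yum.conf overrides under [base].
# conf_get FILE SECTION KEY: print the last value assigned to KEY in [SECTION].
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                                   # comment line
        /^[ \t]*\[/   { cur = $0; gsub(/[ \t\r]/, "", cur); next }
        cur == sec && index($0, "=") {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t\r]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

is_on() { case $1 in 1|yes|true) return 0 ;; *) return 1 ;; esac; }

# unheld FILE PKG...: print each PKG that yum-cron would update unattended.
unheld() {
    file=$1; shift
    dl=$(conf_get "$file" commands download_updates)
    ap=$(conf_get "$file" commands apply_updates)
    # Updates are installed only when both switches are on.
    is_on "$dl" && is_on "$ap" || return 0
    ex=$(conf_get "$file" base exclude)
    set -f                      # keep the exclude globs literal while splitting
    for pkg in "$@"; do
        held=no
        for pat in $ex; do
            case $pkg in $pat) held=yes ;; esac
        done
        [ "$held" = yes ] || echo "$pkg"
    done
    set +f
}

# Constructed sample configuration (not taken from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[commands]
download_updates = yes
apply_updates = yes
[base]
exclude = httpd* php*
EOF
unheld "$sample" httpd php-mysql openssl    # prints: openssl
```

On a real host, pass /etc/yum/yum-cron.conf and the names of the packages your applications depend on.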
