Create an automatic Linux patch machine (figure)

Source: Internet
Author: User
For Windows, the automatic patching method was described in detail in previous issues of the magazine ("World of network administrators") and won unanimous praise. For Linux, an automatic patching method is likewise recommended, and this article will help you build an automatic patch machine on a Linux network.

I am a Red Hat Linux system administrator who manages dozens of Red Hat Linux 9 hosts on the network. Compared with proprietary operating systems (Windows/Solaris), publishers of open systems such as Linux have short-term support policies, so network administrators often need to check the corresponding websites for patches, to see whether a bug is fixed and whether an upgrade is required. Never rely on luck; otherwise, a shell script may take over your website. A famous saying goes: your server may always be taken over by hackers the next day.

Without well-integrated and tested patches, server maintenance is a very heavy task, because the system administrator must track every software package installed on the system. Sometimes a subsystem must be changed when a patch is released. If every Linux host connects to Red Hat's upgrade website for patches, the enterprise's network egress will be congested and bandwidth will be wasted. It is also not safe. Here, I create an independent APT server. The administrator downloads the software packages to it first, and other users can then easily perform regular upgrades over the network. The APT server can hold RPM packages for multiple Linux versions, and it must provide a WWW service because clients update their software packages and kernel from the server over HTTP. For the network topology, see the figure.



[Figure: network topology]

   How APT works

Debian GNU/Linux is the creator of APT (Advanced Package Tool). Its original purpose was to solve the dependency problem during software installation. It works roughly as follows: the user installs the APT client tool, which searches the database (repositories) of the APT server for RPM software package information, analyzes the dependencies between the software packages, then downloads and installs them. APT not only lets you install RPM software easily and quickly; you can also use it to update the system. Although APT is a Debian-based software package management tool, it has been ported to RPM-based systems by the Brazilian company Conectiva. APT is therefore an excellent software management tool for RPM-based platforms such as Red Hat, TurboLinux, SuSE, and Mandrake.

   Server APT installation and configuration

1. Before running APT, make sure that Apache on the server can provide the WWW service, and that the /var partition has at least 5 GB of space.

2. Download and install the APT kit, then add freshrpms.net's public key GPG-KEY, and create a gpg folder under /etc/apt to save the GPG-KEY there for future management.
# rpm --import http://ftp.freshrpms.net/pub/freshrpms/RPM-GPG-KEY

3. Modify the configuration file /etc/apt/sources.list, which is the most important configuration file on the APT server and records the address and other information of the software repository server. Here you only need to enable the path entries for the version to be upgraded; the entries for other versions can be disabled.
# Red Hat Linux 9.0
rpm http://apt.freshrpms.net redhat/9/en/i386 os updates freshrpms
rpm-src http://apt.freshrpms.net redhat/9/en/i386 os updates freshrpms

4. Preparations before using APT

(1) After the APT software package is installed, the administrator needs to download the software package database from the default server before APT can be used:
# apt-get update
# apt-get upgrade
(2) Verify the integrity and consistency of the local system and check whether its software package dependencies are consistent:
# apt-get check
If you want to upgrade the system on a regular basis so that security vulnerabilities are patched in time, you only need apt-get update, apt-get dist-upgrade, or apt-get upgrade.
(3) Install the graphical front end
The freshrpms.net site provides Synaptic, a graphical interface for apt-rpm, which is more convenient to use. You can install Synaptic directly with apt:
[root@linux root]# apt-get install synaptic
After several lines of prompts, Synaptic will be installed. In the X Window System, Synaptic appears in the system settings menu. See the figure.



[Figure: Synaptic]

5. Main commands

APT mainly includes four commands: apt-cache, apt-cdrom, apt-config, and apt-get. The most commonly used is apt-get. Common APT commands are shown in table 1.

6. Create the directories for storing the relevant sources:
# mkdir -p /var/ftp/pub/redhat/linux/9/en/os/i386
# mkdir -p /var/ftp/pub/redhat/linux/updates/9/en/os

7. Create a mirror of the Red Hat Linux 9 source.
Copy the required os files from the CD-ROM to the RPM file directory:
# mount /mnt/cdrom
# cp -rf /mnt/cdrom/* /var/ftp/pub/redhat/linux/9/en/os/i386
# umount /mnt/cdrom
Copy the rpm files from the second and third CD-ROM discs in the same way.

8. Mirror the Red Hat Linux 9 updates
# cd /var/ftp/pub/redhat/linux/updates/9/en/os
# wget -r -nH --cut-dirs=6 ftp://ftp.redhat.com/pub/redhath... dates/9/en/OS/i386/

9. Create the apt directories and related links
# mkdir -p /var/ftp/pub/redhat/apt/9/i386
# ln -s /var/ftp/pub/redhat/linux/9/en/os/i386/RedHat/RPMS /var/ftp/pub/redhat/apt/9/i386/RPMS.os
# ln -s /var/ftp/pub/redhat/linux/9/en/os/i386/SRPMS /var/ftp/pub/redhat/apt/9/i386/SRPMS.os
# ln -s /var/ftp/pub/redhat/linux/updates/9/en/os/SRPMS /var/ftp/pub/redhat/apt/9/i386/SRPMS.updates

This creates soft links to the RPMS, SRPMS, and updates SRPMS directories of Red Hat Linux 9 under /var/ftp/pub/redhat/apt, named RPMS.os, SRPMS.os, and SRPMS.updates.

10. Create the RPMS.updates directory and generate the rpm soft links
# mkdir /var/ftp/pub/redhat/apt/9/i386/RPMS.updates
# cd /var/ftp/pub/redhat/apt/9/i386/RPMS.updates
# find /var/ftp/pub/redhat/linux/updates/9/en/os/ -type f ! -name "*.src.rpm" -name "*.rpm" -exec ln -sf {} \;

If the software was installed for i386 (or i686), packages of the same architecture must be used for the upgrade. Otherwise errors may occur, most commonly when glibc is upgraded. The script above is written to avoid such errors: it links the updates RPMs of all architectures into the same directory, so that apt can pick the updates rpm that suits the computer's architecture.

11. Use the genbasedir command to generate the base directory and file index list.
# genbasedir --flat --bloat --bz2only /var/ftp/pub/redhat/apt/9/i386 os updates
The above command creates the base subdirectory under the /var/ftp/pub/redhat/apt/9/i386 directory, and then generates the file index lists as bz2-compressed files together with the release file.

12. Establish a link
# ln -s /var/ftp/pub/redhat /var/www/html/redhat
The APT server can be used in HTTP mode only after this soft link between the FTP and HTML directories is established.

13. Regularly mirror the updates rpm
So far, the APT server has been installed. Update packages on the Internet change at any time, so the RPMS.updates directory on our APT server should also be kept up to date. For this we can use the mirroring (mirror) method:
# rpm -ivh http://mirrordir.sourceforge.net/mirrordir-0.10.49-1.i386.rpm
# mirrordir -v /var/ftp/pub/redhat/linux/updates/9/en/os/ ftp://your/
# vi /etc/cron.daily/mirrorupdates
#!/bin/sh
# Mirror the Red Hat updates directory to the local disk
mirrordir ftp://ftp.redhat.com/pub/redhath... dates/9/en/OS/i386/ \
/var/ftp/pub/redhat/linux/updates/9/en/os/
# Rebuild the links to the binary update RPMs of all architectures
rm -rf /var/ftp/pub/redhat/apt/9/i386/RPMS.updates/*
cd /var/ftp/pub/redhat/apt/9/i386/RPMS.updates
find /var/ftp/pub/redhat/linux/updates/9/en/os/ -type f ! -name "*.src.rpm" -name "*.rpm" -exec ln -sf {} \;
# Regenerate the index lists
genbasedir --flat --bloat --bz2only /var/ftp/pub/redhat/apt/9/i386 os updates
Grant permissions:
# chmod 755 /etc/cron.daily/mirrorupdates
Start crond:
# chkconfig --level 345 crond on
In this way, the APT server mirrors the updates rpm and regenerates the rpm index list every day. For the APT server directory structure, see the figure.
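
The daily job in step 13 empties RPMS.updates and relinks whatever the mirror fetched, and the clients later install it unattended. The following shell function is an added example, not part of the original article: it links only packages that pass a signature check and replaces the directory by renaming. The names publish_verified, rpm_sig_ok and VERIFY are hypothetical, and the text that `rpm -K` prints for a signed package is an assumption.

```shell
#!/bin/sh
# Added example (not from the original article).
# rpm_sig_ok: assumption - for a package whose signature verifies against an
# imported key, "rpm -K" exits 0 and prints a line naming gpg/pgp/signatures.
# An unsigned package also exits 0 but names only digests, so it is rejected.
rpm_sig_ok() {
    out=$(rpm -K "$1" 2>&1) || return 1
    printf '%s\n' "$out" | grep -Eiq 'gpg|pgp|signatures'
}
VERIFY=${VERIFY:-rpm_sig_ok}     # command run on every candidate package

# publish_verified SRC_DIR DEST_DIR   (both absolute paths)
# Prints the number of rejected packages; returns 1 if any were rejected.
publish_verified() {
    src=$1 dest=$2 rejected=0
    new="$dest.new.$$"
    rm -rf "$new" && mkdir -p "$new" || return 2
    # Binary RPMs of every architecture, source RPMs excluded, as in step 10.
    find "$src" -type f ! -name '*.src.rpm' -name '*.rpm' > "$new/.list"
    while IFS= read -r pkg; do
        if "$VERIFY" "$pkg" </dev/null; then
            ln -sf "$pkg" "$new/"
        else
            echo "REJECTED (signature check failed): $pkg" >&2
            rejected=$((rejected + 1))
        fi
    done < "$new/.list"
    rm -f "$new/.list"
    # Replace the directory by renaming instead of emptying and refilling it.
    rm -rf "$dest.old"
    [ -d "$dest" ] && mv "$dest" "$dest.old"
    mv "$new" "$dest" && rm -rf "$dest.old"
    echo "$rejected"
    [ "$rejected" -eq 0 ]
}
```

In /etc/cron.daily/mirrorupdates this would take the place of the rm, cd and find lines, with genbasedir run afterwards; a non-zero status means at least one mirrored package was not published and should be investigated.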



[Figure: APT server directory structure]

   Client Linux computer settings

1. Install the APT suite first. If the local system consistency is seriously damaged, you can use the apt-get -f install command to manually fix the damaged dependencies before using APT.

2. It is important to modify sources.list. Run vi /etc/apt/sources.list and add the following content:
rpm http://server_ip/redhat/apt/9 i386 os updates
rpm-src http://server_ip/redhat/apt/9 i386 os updates
Note: server_ip is the IP address of the APT server, for example, 192.168.1.9.
os represents the original rpm of Red Hat Linux 9.
updates indicates the update (updates) rpm released by Red Hat.

3. Regular client updates:
First, create a timer setting file named mytype (the name is up to you):
# crontab -e
File content:
15 09 * * * apt-get update; apt-get -y dist-upgrade; apt-get clean
Use vi or another editor to save the file and exit.
Then use the crontab command to add it to the task list:
# crontab -u user1 mytype

In this way, the Linux client will be automatically upgraded at 09:15 every day. Note that it is best to stagger the upgrade time of each Linux client by 10 minutes to avoid blocking network bandwidth.
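
The 10-minute spacing recommended above can be generated rather than typed by hand for each of several dozen clients. The following is an added example, not part of the original article; the function name stagger_crontab is hypothetical and any host names fed to it are the reader's own.

```shell
#!/bin/sh
# Added example (not from the original article).
# Reads client host names on stdin, one per line, and prints
# "host<TAB>crontab entry" with each client 10 minutes after the previous one.
START_MIN=$((9 * 60 + 15))    # 09:15, the time used in the article
STEP_MIN=10                   # spacing recommended in the article
JOB='apt-get update; apt-get -y dist-upgrade; apt-get clean'

stagger_crontab() {
    n=0
    while IFS= read -r host; do
        case $host in ''|'#'*) continue ;; esac   # skip blank and comment lines
        t=$((START_MIN + n * STEP_MIN))
        if [ "$t" -ge 1440 ]; then
            # A daily schedule has no slot after 23:59; stop instead of wrapping.
            echo "no slot left before midnight for $host" >&2
            return 1
        fi
        # Minute first, then hour, as in the article's "15 09 * * *" entry.
        printf '%s\t%d %02d * * * %s\n' "$host" $((t % 60)) $((t / 60)) "$JOB"
        n=$((n + 1))
    done
}
```

Feed it a host list, for example `stagger_crontab < clients.txt`, and install each printed entry on the matching client.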

The APT server above serves clients in HTTP mode. If you want to change it to FTP mode, you must first set up anonymous FTP. With FTP, you can limit the number of simultaneous logins and strictly control the logon process. However, the FTP logon process (even anonymous logon) is slower than HTTP.

The APT server described above is similar to Microsoft's patch server. It can automatically patch Linux hosts on the network, and operations on both the server side and the client side can be completed automatically. APT does not need to be registered and is free of charge. You can install software not provided by Red Hat. Because APT automatically downloads and installs the corresponding software packages while detecting software package dependencies, the administrator can perform system software upgrades without any fault. APT makes zero-downtime upgrades a reality.

The Debian APT package management tool, as modified by Conectiva, can manage the Red Hat RPM format. Running an APT software repository (http://apt-rpm.tuxfamily.org/) is not very difficult, and it can provide a very good mechanism for continuous security upgrades. System software can be updated on a regular basis to close network and system security vulnerabilities. Linux network administrators should therefore pay attention to the bug fixes and upgrades announced on the relevant websites, and promptly upgrade or apply patches.