Patching Linux - Pain or Gain?

Built-In Tools

Because manually updating your OS can become pretty complicated, Linux distros come with applications that do the downloading and installation for you. All it takes is a simple command line argument and some time, as the application downloads, verifies and installs your patches. You’ll especially need the time if this is a newly installed machine, or one that hasn’t been updated in a very long time, or if you have a slow connection.

One way to shorten your update time is to build your own repository, and synch it with other mirror sites. That way, if your own repository is on your network, your updates will not have to cross numerous other ones to get to your Linux machine, significantly speeding up the patching process. In this case, SuSE Enterprise Linux Server 9 gave you the option of configuring a YaST Online Update (YOU) server using its YaST management tool. With a little fiddling around, you can schedule a file synch between your YOU server and the available Novell repositories, to update your machines by pointing them to your own internal update server.

As things are always changing, newer versions of RedHat and OpenSuSE use an open source utility called yum (for YellowDog Updater, Modified) which works with RPM based installations and updates. Yum has been slowly replacing up2date in the RedHat/Fedora realm, while also being reworked in SuSE’s Linux versions. Even though you can run yum from a command line, various graphical tools have been created to facilitate the update operation making it easier to keep your machines up to date.

YUM

YUM

You can install single or multiple packages using YUM (YellowDog Updater, Modified).

In versions 7, 8 and 9 of SuSE’s Enterprise Linux Server, SuSE’s main administrative utility YaST (short for Yet another Setup Tool) has a subcomponent called YaST Online Update or YOU. As opposed to the YOU server mentioned above, this utility is the client end of SuSE’s patch management tool. The YOU client gives you an ncurses interface or GUI that downloads and installs RPMs from Novell’s SuSE portal site using a registered login. You could also point to other SLES repositories, without having to edit any configuration files.

It’s a pretty straight forward process to run ; the only problem I’ve encountered with YOU is remembering to have the update point to the correct repository. If the update fails and can’t find any new packages, it may be because you’re using an outdated version of YaST that lacks the updated server listing. This is usually resolved by updating YOU to its latest version, which has the updated pointers to newer download sites.

SuSE YOU

SuSE YOU

SuSE’s YOU (YaST Online Update) is a great GUI-based tool that simplifies package management and updating.

Another option for updating your newer SuSE Linux Enterprise servers is the command line interface called rug. It works with the ZenWorks Management Daemon (zmd) and gives you various command line options. Rug stands out because of a nice feature that sorts similar software into channels. This helps focus your update installation on the software you need, without requiring you to install updates that you don’t. The use of ZenWorks with Linux is obviously something that came about after Novell’s purchase of SuSE in 2003. A systems administrator can still use YOU to update his server, but you have to remember to first register your machine through YaST’s built-in module in order to access the official Novell repositories.

Ubuntu, a Debian based Linux distro, uses a different utility called apt (for Advanced Package Tool). This Gnu/Linux package management tool predates RedHat’s RPM system and also relies on the need to connect to an external repository. In order to get the latest packages installed on your Ubuntu box, you run the apt-get program; you can then either specify which package you want to update, or update all updatable applications on your machine.

Ubuntu

Ubuntu

Package management in the Ubuntu distro can be done using apt-get. This particular command updates your list of packages.

Synaptic Package Manager

Synaptic Package Manager

Ubuntu uses the Synaptic Package Manager for its graphical based updates.

  • Darkk
    Very nice article. Patching is just a way of life of sys admins everywhere regardless of what flavor of server and desktop OS. Least the article explains in detail what to expect and the gotchas.

    Good job!

    Darkk
    Reply
  • Patching harder on Linux than Windows?!?
    Maybe I'm biased, but updating Debian or ArchLinux (more of a desktop distro) has been so easy as not to even think about it.
    Reply
  • You really don't know what you're talking about here..and readers should avoid this article.

    If you buy Red Hat Enterprise Linux with a Satellite subscription Red Hat does the patching.

    If you have Novell - ZenWorks will do the trick.

    If you're running a non-commercial unsupported version than sure some of the options you mention might make sense but a simple cron job with yum/apt will do it all with one command line.

    Reply
  • Was this article written by Steve Ballmer? And interestingly there is only a single line about the Debian-based distros? Why Mr. Anderson, why didn't you mention the details about APT? Now Steve Ballmer, let me tell you something - my close friend is a sysadmin of my university (University Of Toronto) and he doesnt even bother patching the systems because they are fully automated (over 200 machines). As well he deploys 50 machines with brand new OS installation with no more than 5 lines of commands.

    Sad Tom's.. sad.. you have been an amazing site once upon a time ...
    Reply
  • hmmm.
    I'm a Windows guy most of the time but I enjoy playing with Linux from time to time.
    Actually as a Linux starter(some time ago) I had no problem patching my Linux.
    It was very easy...
    I do not remember reading or doing something special before patching it at that first time.
    Reply
  • Correction, Patch Quest by Advent Net was cited as patching only RedHat which is incorrect. It also patches Debian. In my experience finding a patch solution for your particular OS has not be that terribly difficult. Finding one that has robust scheduling, push on demand, and can handle the multitude of necessary evil apps, such as Adobe Reader, Quicktime, Realplayer, Instant Messaging, etc... is the real challenge.
    Reply
  • GoK
    The author of this article needs to go back through their information, and edit this article. It is highly inaccurate! The fact that he gave Debian-based GNU/Linux flavors (ie., Ubuntu&Gentoo) less time in the article than his praise for Mircosofts upstream ability for patches, seems a bad sign for this article.

    Patching most GNU/Linux installs is a simple task, which is highly scalable, and that can be fully automated through the use of CRON scheduling, etc. NO EXTRA SOFTWARE should be required to update/maintain ANY enterprise level GNU/Linux server distro (also if you server has a GUI on it, its not running in an enterprise level configuration).

    I find the mention of Windows Server strange in the article, since it can't run services like Bind9 (DNS), it only makes up roughly 38% of the current market share of net servers, and since it can't run Bind9, it runs NONE of the internet backbone (DNS routing server).

    I am a huge fan of Tom's, but this article should never have been published.
    Reply
  • nochternus
    <rant>
    While there are many Linux solutions, everybody will find what works best for them. I myself have become a fan of distributions like ArchLinux. I use it on my 3 servers at work and on my desktop and server at home. the package manager, pacman, is by far the best I've ever used. While it may not categorize some things into software groups, it does have it broken down into core, extra and then everything else. It is also extremely easy to configure and create wrappers or optional interfaces that utilize pacman (just like some of the others mentioned. There is also a package called the "arch build system" that allows you to create your own packages from source with the simple modifications of a PKGBUILD file, making recompiling and rebuilding easy and efficient. My latest server was not fully supported by a vanilla or even a patched kernel so a few quick modifications to the PKGBUILD and the kernel config and one command later, the package was compiled from source and installed without me sweating, swearing or crying.

    I don't want this to come off as a "YAY ARCH - EVERYBODY SWITCH" comment so much as a "do a little more research, or even a community probe could get you better information" comment. The concept of the article wasn't bad just slightly "mis-informative". Especially seeing as how not everything that is open-source and is an OS is linux/unix. Most are linux-like or unix-like (as is the nature of progression.

    As a note for the naysayers, I've used Windows Server, Debian, Gentoo, RedHat, SuSE, ubuntu, FreeBSD, OpenBSD, Solaris and many spin offs of some of those. All of them have their strengths and weaknesses (most notably the flaw of the Windows Server platform would be any machine that loads it - THAT is a biased opinion.)
    </rant>
    Reply
  • malici0usc0de
    With Ubuntu you can also set it up to silently install them in the background, it just prompts for a password then goes away. I don't know how long Ubuntu has had this but I have been using it as my only OS at home for about 2 years now and have never had a problem with patches. I use XP at work as almost everyone does and I notice it operates almost exactly the same way except it doesn't ask you for a password. So if it works for the less techie MS user base then I don't see why so many problems are occurring with this same basic system running under Linux. sudo apt-get install brain
    Reply
  • resistance
    The writer of this article has 0% knowledge of _present-day_ GNU/Linux or this article was sponsored by software monopolist.

    in Debian based distros like *ubuntu you can set automatically daily updates without _any_ user intervension and without installing additional software.

    Its a first time I see such badly written article on tomsharware.
    Reply