Patching Linux - Pain or Gain?

News
By
published

Patching a single Linux machine every once in a while can be a small pain, but what do you do when you have a data center full of machines that need updates?

Patching Linux

There are four basic reasons patching your Linux machines is important :

  • Security
  • Maintenance
  • Supportability
  • Error Fixing

Security

Possibly the most important reason to update your OS is to maintain a secure environment for your machine’s applications. Applying security patches will update your machine and plug up security holes left by outdated software or poorly written applications. You really want to keep others from accessing your file system through some newly found vulnerability. If someone should get in, that person can possibly get important data, change security settings on the machine or even install some little piece of software you may not so easily catch. For example, software like rootkits can be installed and will use newly added processes, wresting some control from the unwary administrator. Even more, now that a machine is potentially “under the control” of someone else, it may become the unwilling participant in a bot attack involving other commandeered machines, coming from your network or across the Internet.

There are plenty of ways to keep your machines safe, but most importantly, keep up with the all the latest security alerts. Checking up on updated packages occasionally can save you from having to deal with the repercussions of having your data stolen or rebuilding your machine. Vendors and distributors like RedHat, SuSE and Ubuntu have special alert services and websites that get updated with the latest security news and information. You can also look up security based web sites like Secunia or the United States Computer Emergency Readiness Team (US-CERT) for more information on current vulnerabilities and how they’re affecting other computers in the wild.

Maintenance

Maintaining a solid working environment is the second reason for keeping your machine up to date. Having the latest/greatest software keeps you up with the times. As we all know, technology doesn’t slow down, and new software features are always popping up. For example, an application’s previous version may have needed an interface to a MySQL database, but with the advent of a new XML feature, the database requirement becomes non-existent. By updating your software, you can use the newer XML feature, and enjoy the benefits of updated technology.

Patching your Linux machine may also present another challenge…dealing with dependencies. If you patch your OS the wrong way, you may run into dependency conflicts that, if not resolved, could prevent you from updating your application. Let’s take an application like Gallery, a web based open-source photo album, as an example. You definitely wouldn’t be able to run Gallery with an older mySQL installation on your computer. Certain requirements would not be met and during the Gallery installation you would get messages coming back about first having to update other dependent packages. You would then have to update those dependencies as well for your Gallery installation to succeed. Theoretically, you could spend quite some time trying to find the appropriate packages, until you get it all straightened out.

Supportability

If you are going run Linux in an enterprise environment where you have various levels of expertise on-staff, it is important to make sure that you have your OS at a supportable level. Sure, Linux may be a free operating system, but if your operations are the type that support life or manage your company’s finances, you need to have access to a high level of expertise—you’ll never know for sure if you’re going to need it, and while support is not cheap, it’s necessary.

To qualify for support from most vendors, if not all, you need to have a supportable version of the OS to call in for. Just ask yourself this…“In 2007, who supports RedHat Linux 6.0 ?” Running an older version of an OS can potentially be more expensive to support, as fewer people work with it. Thus, it’s to your benefit to upgrade that RedHat server to a newer version, if not the latest. The big Linux distributions will usually list their supported OS levels, and also give end-of-life information so you can know when you should upgrade those older machines and OSes.

Error Fixing

The last reason for why you want to install newer software packages is to replace software that is problematic. Memory leaks, for example, are problems caused by errors that may have been missed during development. Software performance can also be fixed or improved on a well maintained machine. Just keep in mind that though most of these updates are listed as “optional”, but they can also be listed in a “critical” category if their defects can lead to security holes or other vulnerabilities.

Julio Urquidi
20 Comments Comment from the forums
  • Darkk
    Very nice article. Patching is just a way of life of sys admins everywhere regardless of what flavor of server and desktop OS. Least the article explains in detail what to expect and the gotchas.

    Good job!

    Darkk
    Reply
  • Patching harder on Linux than Windows?!?
    Maybe I'm biased, but updating Debian or ArchLinux (more of a desktop distro) has been so easy as not to even think about it.
    Reply
  • You really don't know what you're talking about here..and readers should avoid this article.

    If you buy Red Hat Enterprise Linux with a Satellite subscription Red Hat does the patching.

    If you have Novell - ZenWorks will do the trick.

    If you're running a non-commercial unsupported version than sure some of the options you mention might make sense but a simple cron job with yum/apt will do it all with one command line.

    Reply
  • Was this article written by Steve Ballmer? And interestingly there is only a single line about the Debian-based distros? Why Mr. Anderson, why didn't you mention the details about APT? Now Steve Ballmer, let me tell you something - my close friend is a sysadmin of my university (University Of Toronto) and he doesnt even bother patching the systems because they are fully automated (over 200 machines). As well he deploys 50 machines with brand new OS installation with no more than 5 lines of commands.

    Sad Tom's.. sad.. you have been an amazing site once upon a time ...
    Reply
  • hmmm.
    I'm a Windows guy most of the time but I enjoy playing with Linux from time to time.
    Actually as a Linux starter(some time ago) I had no problem patching my Linux.
    It was very easy...
    I do not remember reading or doing something special before patching it at that first time.
    Reply
  • Correction, Patch Quest by Advent Net was cited as patching only RedHat which is incorrect. It also patches Debian. In my experience finding a patch solution for your particular OS has not be that terribly difficult. Finding one that has robust scheduling, push on demand, and can handle the multitude of necessary evil apps, such as Adobe Reader, Quicktime, Realplayer, Instant Messaging, etc... is the real challenge.
    Reply
  • GoK
    The author of this article needs to go back through their information, and edit this article. It is highly inaccurate! The fact that he gave Debian-based GNU/Linux flavors (ie., Ubuntu&Gentoo) less time in the article than his praise for Mircosofts upstream ability for patches, seems a bad sign for this article.

    Patching most GNU/Linux installs is a simple task, which is highly scalable, and that can be fully automated through the use of CRON scheduling, etc. NO EXTRA SOFTWARE should be required to update/maintain ANY enterprise level GNU/Linux server distro (also if you server has a GUI on it, its not running in an enterprise level configuration).

    I find the mention of Windows Server strange in the article, since it can't run services like Bind9 (DNS), it only makes up roughly 38% of the current market share of net servers, and since it can't run Bind9, it runs NONE of the internet backbone (DNS routing server).

    I am a huge fan of Tom's, but this article should never have been published.
    Reply
  • nochternus
    <rant>
    While there are many Linux solutions, everybody will find what works best for them. I myself have become a fan of distributions like ArchLinux. I use it on my 3 servers at work and on my desktop and server at home. the package manager, pacman, is by far the best I've ever used. While it may not categorize some things into software groups, it does have it broken down into core, extra and then everything else. It is also extremely easy to configure and create wrappers or optional interfaces that utilize pacman (just like some of the others mentioned. There is also a package called the "arch build system" that allows you to create your own packages from source with the simple modifications of a PKGBUILD file, making recompiling and rebuilding easy and efficient. My latest server was not fully supported by a vanilla or even a patched kernel so a few quick modifications to the PKGBUILD and the kernel config and one command later, the package was compiled from source and installed without me sweating, swearing or crying.

    I don't want this to come off as a "YAY ARCH - EVERYBODY SWITCH" comment so much as a "do a little more research, or even a community probe could get you better information" comment. The concept of the article wasn't bad just slightly "mis-informative". Especially seeing as how not everything that is open-source and is an OS is linux/unix. Most are linux-like or unix-like (as is the nature of progression.

    As a note for the naysayers, I've used Windows Server, Debian, Gentoo, RedHat, SuSE, ubuntu, FreeBSD, OpenBSD, Solaris and many spin offs of some of those. All of them have their strengths and weaknesses (most notably the flaw of the Windows Server platform would be any machine that loads it - THAT is a biased opinion.)
    </rant>
    Reply
  • malici0usc0de
    With Ubuntu you can also set it up to silently install them in the background, it just prompts for a password then goes away. I don't know how long Ubuntu has had this but I have been using it as my only OS at home for about 2 years now and have never had a problem with patches. I use XP at work as almost everyone does and I notice it operates almost exactly the same way except it doesn't ask you for a password. So if it works for the less techie MS user base then I don't see why so many problems are occurring with this same basic system running under Linux. sudo apt-get install brain
    Reply
  • resistance
    The writer of this article has 0% knowledge of _present-day_ GNU/Linux or this article was sponsored by software monopolist.

    in Debian based distros like *ubuntu you can set automatically daily updates without _any_ user intervension and without installing additional software.

    Its a first time I see such badly written article on tomsharware.
    Reply