
Patching Linux - Pain or Gain?

Third Party Tools

Aside from the Linux vendor based utilities like ZenWorks and YaST, there are also third party commercial applications geared to facilitate the patching process. Some of these server based applications will download Linux packages from the vendor, store the updates in a central repository, and provide either automated or manual installation of packages to waiting Linux servers.

These applications, especially for Linux, are few in number—you can spend a considerable amount of time trying to find a straightforward tool that isn’t just a small piece of a larger enterprise-level suite (like ZenWorks). The apps I found mostly patch the Microsoft Windows OS, while a handful of solutions will patch RedHat Linux. Support for SuSE can also be found, but other Linux distros were pretty much left out, except in a couple of products.

Patchlink Update is one solution that patches Windows and RedHat systems, but will also cover SuSE, Solaris, AIX, NetWare and OSX. Seeing that RedHat and SuSE are two of the dominant Linux distros in enterprise computing, support for these two distributions puts Patchlink in a very advantageous position over its competitors. It’s an agent based architecture that lets you choose how you want to install your patches—either by a scheduled or a manual update.

Figure: Patchlink. The great thing about Patchlink is that it touches a lot more operating systems than most update tools.

From a top level perspective, to have one application take care of most of your patching needs across various operating systems and supporting software is a dream come true. You get to avoid running multiple patching systems for each OS, saving time and resources that you can deploy elsewhere.


Optimism aside, Patchlink does have its setbacks. For one, I haven’t seen any great performance from its system discovery tool: it’s slow and takes a while to start up on a two-year-old server. In fact, I’ve seen it take up to 10 to 15 minutes to get going.

Patchlink, like similar applications, needs a little hand-holding when deploying updates. One thing I’ve learned is that if you are using a scheduling feature that will download, install and reboot your servers, don’t tell your users that their servers are going to be automatically rebooted at 10 pm, for example. Patching can be slow, and delays on the network can push back the actual system restart, frustrating both the sys admin and his clients. The common practice for avoiding a slipping downtime is to install the patches ahead of time and then reboot the server at the announced hour.

One other gotcha about Patchlink Update is that its base concept is very security-centric. Patchlink doesn’t take care of the occasional maintenance patches—it only covers security-based updates that fix vulnerabilities, once the updated software is available.

Finally, Patchlink does not release kernel updates. Seeing that the kernel is the heart of your Linux system, this can be a little bothersome. The only solution is to patch the kernel yourself.

Though not a traditional patch management system, one product line that holds some promise is BlueLane’s set of PatchPoint and Virtual Shield products. These products are appliance-based gateways that sit between your network and your unpatched servers. They protect the servers by cleaning up the network traffic headed to them, blocking incoming traffic that targets known vulnerabilities before it reaches the unpatched host.

Figure: BlueLane's PatchPoint. BlueLane’s PatchPoint Gateway appliances sit between your network and the server farm. The gateways are maintained by a PatchPoint manager that receives its updates from BlueLane.

The PatchPoint gateway is a network appliance that works in your physical server farm. The other product, Virtual Shield, is a virtual machine that works with VMWare’s Virtual Infrastructure and sits within an ESX Server. Both PatchPoint and Virtual Shield are maintained by a management application running on a separate server. Aside from protecting Windows, RedHat and Novell SuSE machines, BlueLane also takes care of FreeBSD and Solaris, as well as IIS, Apache and iPlanet web application servers.

For virtual machine environments using VMWare’s ESX Server products, you can use the BlueLane Virtual Shield product. Depending on the complexity of your environment, setup can range from being pretty simple to pretty complex. Instead of using physical hardware, you use a Linux-based virtual appliance to protect your virtual machines. Updates are periodically retrieved via a BlueLane subscription channel, keeping your machines safe, especially if patching servers represents a scheduling problem. The only real drawback I can see from using BlueLane is the risk of disregarding the actual patching of the protected OSes, when you know that BlueLane’s appliances will be there for you.

Figure: BlueLane Virtual Shield. If you have a virtual server farm, BlueLane Virtual Shield, like its physical counterpart, can help mitigate vulnerabilities, too.

As I mentioned before, there are other products, like Update Manager, PatchEasy, PatchQuest and Prism Patch Manager, which provide patch management for Linux. These products, however, are limited to covering only RedHat, with little or no mention of other distros in their documentation. Still, it’s good news if you use a lot of RedHat in your datacenter. With RedHat’s current position as a leader in mass-market Linux, it’s easy to see why there’s so much more support for it over Turbolinux, Debian and Ubuntu. In the future, though, I would expect to see more support for SuSE Linux because of its acquisition by Novell in the American market. Time will tell.