Automation
No-one likes doing the same task repeatedly, so one thing every admin should do at every opportunity is automate. Automation relieves us of the dull tasks that would otherwise be skipped from time to time, and it ensures that tasks which are complicated or must run reliably actually get completed.
Apticron
Ensuring that all of the systems you are responsible for are up to date is one of those tasks that, unless you automate it, will never get done in a timely or reliable manner. As was seen in the previous section, Debian provides a whole infrastructure for publishing new packages in central repositories. All that was needed was a tool that could use this infrastructure to check for updates on a server and e-mail a notification if updates were available.
This tool is apticron. Apticron is available from apt.heanet.ie and is part of the standard install procedure. Each night it checks for and downloads any available updates and sends an e-mail to a specified address, in our case our Network Operations list, where the duty engineer can process the updates.
Date: Fri, 31 Jan 2003 06:25:06 +0000
From: root <root@BYRON.HEANET.IE>
Subject: Debian Package Updates on byron
The Debian Package Update Notification tool has detected that some packages need
upgrading on byron
The following packages have been downloaded and are available for installation :
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-ssl_0.37.3-3.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-imap-ssl_1.4.3-3.3_i386.deb
http://security.debian.org/pool/updates/main/c/courier-ssl/courier-pop-ssl_0.37.3-3.3_i386.deb
======================================================================================
Package Details:
courier-ssl (0.37.3-3.3) stable-security; urgency=high
* Non-maintainer upload by the Security Team
* Added special detection routine for big/little endianess on MIPS since
the line "byteorder : {big|little} endian" from /proc/cpuinfo was
removed as of Linux 2.4.20, resulting in the mipsel buildd being
unable to build this package.
-- Martin Schulze <joey@infodrom.org> Wed, 29 Jan 2003 08:42:46 +0100
courier-ssl (0.37.3-3.2) stable-security; urgency=high
* Non-maintainer upload by the Security Team
* Improved username sanitizing before passing to the PostgreSQL
auth module, patch from upstream/Stefan Hornburg.
-- Martin Schulze <joey@infodrom.org> Tue, 28 Jan 2003 21:38:02 +0100
======================================================================================
You can perform the upgrade by issueing the command:
apt-get dist-upgrade
as root on byron
--
Debian Package Update Notifaction Tool
(colm.maccarthaigh@heanet.ie)
Don't be too automatic
Now, machines doing things automatically is great and all, but allowing machines to upgrade themselves is risky: upgrades may change the behaviour of the system, and despite all the testing that packagers do, eventually something will go wrong. This is why apticron only downloads the updates and asks a human to actually perform the upgrade.
It's important that your automatic update tool not become an automatic Trojan tool. Automatic methods of installing software across your network are great ways for attackers to cripple a network. Debian uses gpg-signed packages and has the facility to check these signatures prior to installation.
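The nightly check described above, with the signature check done before anything is downloaded, as an added example (not code from the page or from apticron). The archive's Release file carries a detached signature, Release.gpg, and Release in turn lists the hash of every Packages index; the index directory, the entry name and the /etc/apt/trusted.gpg keyring are assumptions.

```shell
#!/bin/sh
# Added example (not the page's own code): check an apt archive's signed
# index before trusting what was fetched from it.  Release is signed with
# a detached signature (Release.gpg) and lists the hash of each Packages
# index.  Directory, entry name and keyring path below are assumptions.
set -u

# SHA256 of a file: sha256sum on Linux, shasum where only that exists.
sum256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Step 1: is Release signed by a key we trust?  Without this a mirror, or
# anyone between us and it, can hand out a rewritten index.
verify_release_sig() {
    dir=$1 keyring=${2:-/etc/apt/trusted.gpg}
    gpg --no-default-keyring --keyring "$keyring" \
        --verify "$dir/Release.gpg" "$dir/Release"
}

# Step 2: does the Packages index match the hash in the signed Release?
# $1 = directory holding Release and Packages, $2 = entry name in Release.
check_packages_hash() {
    dir=$1 entry=${2:-main/binary-i386/Packages}
    # Within the SHA256: block of Release, find the entry and keep its hash.
    expected=$(awk -v e="$entry" '
        /^[A-Za-z0-9]+:$/ { insec = ($1 == "SHA256:") }
        insec && $3 == e  { print $1; exit }' "$dir/Release")
    [ -n "$expected" ] || { echo "no SHA256 entry for $entry" >&2; return 2; }
    actual=$(sum256 "$dir/Packages")
    if [ "$actual" = "$expected" ]; then
        echo "Packages matches signed Release"
    else
        echo "MISMATCH: Release lists $expected, file is $actual" >&2
        return 1
    fi
}

# Nightly use, as root, after fetching Release, Release.gpg and Packages
# from the mirror into one directory (here /var/tmp/apt-index): verify,
# then download without installing (-d) so a human still does the upgrade.
#   idx=/var/tmp/apt-index
#   verify_release_sig "$idx" && check_packages_hash "$idx" \
#     && apt-get update && apt-get -d -y dist-upgrade
```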
Updates, log-rotation and Backups
Your operating system of choice will have a standard method of achieving automated tasks. Debian has /etc/cron.*, which provides directories for scripts to be run daily, weekly or monthly. More complex requirements can be achieved by placing crontab fragments in /etc/cron.d. This allows standard tasks to be packaged using the packaging infrastructure described previously and deployed sitewide.
Managing logfiles is one of those tasks that, if ignored or not properly managed, can lead to /var becoming a nightmare. This is again where the strength of Debian's policy comes to the fore. All packages which produce logfiles are required to provide a config fragment for the logrotation system so that the logs are managed in a sensible fashion.
So when packaging our own applications for use it was important to make sure we implemented these measures, or we would have eroded all the benefits we had acquired with our choice of platform.
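The two fragments an in-house package should ship to meet the cron.d and logrotate requirements just described, as an added example (not code from the page or from HEAnet). The application "hnreport", its user and its log directory are hypothetical; $1 is the staging root at package build time (debian/tmp) or "/" on a live system.

```shell
#!/bin/sh
# Added example, not from the page: the two fragments an in-house package
# should ship so its housekeeping runs unattended and its logs never swamp
# /var.  "hnreport", its user and its log directory are hypothetical.
set -u

install_fragments() {
    root=$1 app=${2:-hnreport} user=${3:-hnreport} logdir=${4:-/var/log/hnreport}
    mkdir -p "$root/etc/cron.d" "$root/etc/logrotate.d"

    # cron.d fragment.  Unlike a user crontab it has a user field, so the
    # job runs as an unprivileged account rather than root, and a fixed
    # PATH stops cron finding a stray binary in a directory others can write.
    cat > "$root/etc/cron.d/$app" <<EOF
# Nightly $app run, installed by the $app package; do not edit by hand
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
MAILTO=noc@example.invalid
# m h dom mon dow user command
25 4 * * * $user /usr/bin/$app --nightly >>$logdir/nightly.log 2>&1
EOF

    # logrotate fragment: weekly, eight compressed generations, and the
    # new file is created 0640 so rotated logs are never world-readable.
    cat > "$root/etc/logrotate.d/$app" <<EOF
$logdir/*.log {
    weekly
    rotate 8
    compress
    delaycompress
    missingok
    notifempty
    create 0640 $user adm
    sharedscripts
    postrotate
        /usr/bin/$app --reopen-logs >/dev/null 2>&1 || true
    endscript
}
EOF
    # cron skips cron.d files that are not root-owned or are writable by others.
    chmod 0644 "$root/etc/cron.d/$app" "$root/etc/logrotate.d/$app"
}

# Sanity check: every job line in a cron.d fragment needs all seven fields
# (five time fields, user, command); without the user field cron misparses it.
cron_fragment_ok() {
    grep -v -e '^#' -e '^[A-Z]*=' -e '^$' "$1" |
        awk 'BEGIN { bad = 0 } NF < 7 { bad = 1 } END { exit bad }'
}
```

At build time: `install_fragments debian/tmp && cron_fragment_ok debian/tmp/etc/cron.d/hnreport`.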
So you have a system that has been installed using all of the tools for ensuring it has certain packages installed etc., but how do you record all those changes that have been made to make the system function just the way you like?
Enter cruft, which examines all of the files on a system, compares them to the package database, and lists those which differ and/or those which are not listed.
With a list of installed packages and a backup of the files listed by cruft it is possible to restore a system to a fully configured state in short order.
Centralise Backups
Changing tapes on many machines is a chore no one needs. Invest in an autoloader: the cost savings from not fitting a tape drive to each server and not having to visit each machine to swap tapes each day will soon recoup the cost of the autoloader.
Backup systems are complex enough to merit a talk in their own right.
