A thread on another list I follow talked about server uptime and reboot requirements due to (security) patches. The understood result at the end of the thread was that the only time a reboot was required was after a kernel patch. My question is twofold. First, is this group aware of any other patches that would require user interaction? For example, if I have set up automatic updates, in what instances would I need to reboot and/or manually restart a daemon? Second question: if there is any user interaction from the previous question, what method of notification (email) is there to notify an admin of the requirement (otherwise the machine is not protected from that security vulnerability)? Thanks, Ron
On Jan 6, Ron Joffe
> A thread on another list I follow talked about server uptime and reboot requirements due to (security) patches. The understood result at the end of the thread was that the only time a reboot was required was after a kernel patch.
> My question is twofold. First, is this group aware of any other patches that would require user interaction? For example, if I have set up automatic updates, in what instances would I need to reboot and/or manually restart a daemon?
> Second question: if there is any user interaction from the previous question, what method of notification (email) is there to notify an admin of the requirement (otherwise the machine is not protected from that security vulnerability)?
You should probably try out fou4s :-) http://fou4s.gaugusch.at/
It will run at night, download updates for you, and send you an email. If you don't install the updates, it will bug you the next day again ;-) (of course, everything is configurable).
Markus
--
 __________________
/"\ Markus Gaugusch
\ / ASCII Ribbon Campaign  markus(at)gaugusch.at
 X  Against HTML Mail
/ \
On Friday 06 January 2006 10:03 am, Ron Joffe wrote:
> My question is twofold. First, is this group aware of any other patches that would require user interaction? For example, if I have set up automatic updates, in what instances would I need to reboot and/or manually restart a daemon?
The benefit of the patch is not realized if one of the patched modules is in memory. So if sendmail or postfix were patched you might miss something important if you only rebooted or restarted for kernel patches.
If as root you do lsof |grep "RPMDELETE" it will list all modules that are in memory but which have been replaced by an updated rpm. You can then schedule these for restart, or reboot as you wish.
--
_____________________________________
John Andersen
On Jan 9, John Andersen
> On Friday 06 January 2006 10:03 am, Ron Joffe wrote:
> > My question is twofold. First, is this group aware of any other patches that would require user interaction? For example, if I have set up automatic updates, in what instances would I need to reboot and/or manually restart a daemon?
> The benefit of the patch is not realized if one of the patched modules is in memory. So if sendmail or postfix were patched you might miss something important if you only rebooted or restarted for kernel patches.
> If as root you do lsof |grep "RPMDELETE"
Unfortunately, this is no longer true for current SuSE versions. There is a more complicated method of checking incorporated into fou4s. At least some services (like postfix) seem to be automatically restarted after installation (through the rpm postuninstall script). I haven't had to restart services after an update on my servers for some time. On desktop machines with KDE it is sometimes necessary, though.
Markus
--
 __________________
/"\ Markus Gaugusch
\ / ASCII Ribbon Campaign  markus(at)gaugusch.at
 X  Against HTML Mail
/ \
On Mon, 9 Jan 2006, John Andersen wrote:
> If as root you do lsof |grep "RPMDELETE"
As Markus says, this needs altering for newer SuSE versions. Here is a
script which will work on all versions of SuSE I know about:
#! /bin/bash
# Check there are no processes using software that has been updated by
# rpm.
PATH=/bin:/usr/bin
set -o nounset
# Optional single argument: how many lsof lines to report (default 10).
if [ $# -eq 1 ]
then
    lines=$1
else
    lines=10
fi
# Run lsof and scan the output for libraries that have been updated. Before
# SuSE 9.1 these will include the string RPMDELETE, but in 9.1 they include
# a semi-colon.
# In 9.2 and 9.3 they include the string 'path inode='
procs=$(lsof | grep -E 'RPMDELETE|;|path inode=' | head -n "$lines")
if [ -n "$procs" ]
then
    host=$(hostname)
    # Print a report naming the host and the affected processes; when run
    # from cron, this output is what gets mailed to the admin.
    cat <<EOF
Host $host has processes still using software replaced by an update:

$procs
EOF
fi
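As an added example, not part of Bob's script or of anything else posted in this thread: a shell function that applies the same check John and Bob describe, but reads lsof output from stdin so it can be exercised offline against a constructed sample, and collapses the matches to one "PID COMMAND" line per process, which is what an admin notification actually needs (a daemon mapping six replaced libraries still only needs one restart). It matches the three markers Bob's script lists and additionally treats a `DEL` file descriptor and a `(deleted)` name suffix as stale; the latter two are assumptions about how current lsof reports unlinked but still-mapped files, not something stated in the thread. The sample lsof lines are constructed, not a real capture.

```bash
#!/bin/bash
# Added example (not from the thread): find processes that still map files
# replaced by an update, from lsof output on stdin.
# Prints "PID COMMAND" once per affected process, sorted by PID.

stale_procs() {
    awk '
        # Skip the header line; COMMAND and PID are always the first two
        # columns of lsof output, whatever else varies per line.
        $2 == "PID" { next }
        # Markers that a mapped file has been replaced on disk:
        #   RPMDELETE      pre-9.1 SuSE rpm renamed replaced files to *.RPMDELETE
        #   /path;hex      9.1 appended ";<hex>" to the replaced file name
        #   (path inode=N) 9.2/9.3 lsof when the original path is gone
        #   (deleted)      newer lsof, unlinked file still mapped (assumption)
        #   FD column DEL  newer lsof, same condition (assumption)
        $4 == "DEL" || /RPMDELETE|\/[^ ]*;|\(path inode=|\(deleted\)/ {
            key = $2 " " $1
            if (!(key in seen)) { seen[key] = 1; print key }
        }
    ' | sort -n
}

sample_lsof() {
    # Constructed sample of lsof output for offline testing; not a real
    # capture. Column layout follows lsof defaults:
    # COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    cat <<'EOF'
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
postfix   1200   root  mem    REG    8,1   123456  40021 /lib/libssl.so.0.9.7 (path inode=40022)
spamd     1302   mail  mem    REG    8,1   654321  40100 /usr/lib/perl5/5.8.6/CORE/libperl.so;43c2a1b0
spamd     1302   mail  mem    REG    8,1    98765  40110 /usr/lib/perl5/5.8.6/auto/POSIX/POSIX.so;43c2a1b0
httpd2    1410 wwwrun  DEL    REG    8,1            40200 /usr/lib64/libpcre.so.0
sshd       900   root  mem    REG    8,1    45678  40300 /lib64/libc.so.6
cron       950   root    3u  unix 0xffff88003c1a2000    0t0  12345 socket
EOF
}

# Offline demonstration on the constructed sample. On a live system the
# equivalent is:  lsof | stale_procs
sample_lsof | stale_procs
```

Because the output is empty when nothing is stale, the function drops straight into a cron job that mails its output: cron only sends mail when there is something to print, so the admin hears about it exactly when a restart is pending, which is the notification Ron asked about.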
The Tuesday 2006-01-10 at 10:14 -0000, Bob Vickers wrote:
> #! /bin/bash
> # Check there are no processes using software that has been updated by
> # rpm.
Wonderful! I just ran YOU and let it update perl (5.8.6-5.3, SuSE 9.3). YOU did not restart the needed services: your script allowed me to detect that amavis, spamd and apache needed a restart - the first two I knew, but the third I didn't remember. Perhaps SuSE folks should include something like that in YOU ;-)
--
Cheers,
Carlos Robinson
On Tuesday 10 January 2006 2:14 am, Bob Vickers wrote:
> On Mon, 9 Jan 2006, John Andersen wrote:
> > If as root you do lsof |grep "RPMDELETE"
> As Markus says, this needs altering for newer SuSE versions. Here is a script which will work on all versions of SuSE I know about:
Bob,
Very nice script, thanks for sharing it!
Scott
--
POPFile, the OpenSource EMail Classifier http://popfile.sourceforge.net/
Linux 2.6.11.4-21.10-default x86_64 SuSE Linux 9.3 (x86-64)