Chapter 6 – Security, Updating, and Package Management

  • Checking package versions
  • Checking the OS version
  • Checking for updates
  • Automating updates
  • Checking mailing lists and errata pages
  • Using snaps
  • Using Flatpak
  • Using Pip, RubyGems, and other package managers
  • Dependency hell (a quick word)
  • Compiling from sources
  • Adding additional repositories

1. Checking package versions

  • Check installed packages 
  • Get version number of packages

Install aptitude package manager:

# apt install aptitude

CentOS

  • CentOS and Red Hat have two package managers
  • RPM Package Manager
  • RPM does the following things: select, query, verify, install

List all installed packages

# rpm -qa

List specific package by name

# rpm -q dmidecode
  • Output shows only package version

List specific package by name

# rpm -qi dmidecode
  • Output shows package details and information

Yellowdog Updater Modified (YUM)

  • Newer version of the package manager.
  • Developed by Yellow Dog Linux
  • Generally used because it handles automatic downloading and installing of packages (and their dependencies)

List all installed packages

# yum list installed

List specific package by name

# yum info dmidecode
  • DNF (Did not finish) is the newest package manager and will go live in upcoming Red Hat and CentOS versions.

Debian

  • Debian uses the dpkg package manager to install and manage packages.
  • Other managers are apt and aptitude, which make management more user-friendly.

List all installed packages with dpkg

# dpkg-query -W
# dpkg-query -W --showformat='${Package} - ${Version}\n'
  • The --showformat option removes the TAB spacing from the default output

List all installed packages with apt

# apt list --installed
# aptitude search ~i --display-format '%p%v'

Use aptitude to navigate through package manager GUI

# aptitude

Under Security Updates (15) tab, we find the following information:

  • Two kernels installed (4.9.0-6 and 4.9.0-7)

List kernels with command line

# aptitude search '~i linux-image' --display-format '%p%v'

How it works

  • In both cases we are querying the package database on our system.
  • RPM and YUM both look inside /var/lib/rpm to find out the state of the system.
  • On Debian systems, the package state is kept within /var/lib/dpkg.
  • It is advisable not to mess with these folders by hand.

2. Checking the OS version

  • List version of our OS
  • List kernel version

CentOS

Find OS release

# cat /etc/centos-release
# cat /etc/system-release
  • Symbolic link to the centos-release file
  • Shows the same output
# cat /etc/os-release
  • Detailed information
# yum install redhat-lsb-core
  • Now we can use the lsb_release command to see the OS version
# lsb_release -s -d

Find kernel release

# dmesg | grep "Linux version"
# uname -a
# uname -r
# yum -q info installed kernel

Debian

Find OS release

# cat /etc/debian_version
# cat /etc/os-release
# dmesg | grep "Linux version"
# uname -r
# uname -a
# dpkg-query -W linux-image*
# lsb_release -s -d

How it works

  • Linux Standard Base (LSB) is a standard that multiple distros sign up to. It specifies the Filesystem Hierarchy Standard (FHS) and other components of a Linux system.
  • LSB works on the RPM package format, although Debian and Ubuntu don't use this by default. To get around this, Debian has the alien package, used to transform .rpm to .deb prior to installation.
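Sections 1 and 2 query the package database with a tool that depends on the OS family. The script below, an added example rather than code from the notes, reads the ID and ID_LIKE keys of /etc/os-release (real keys of that file) to pick between the rpm -q and dpkg-query -W commands shown above; the sample os-release files it writes are constructed so the detection can be tried offline.

```shell
#!/bin/sh
# Added example (not from the original notes): pick the package-database
# query tool from the ID / ID_LIKE fields of /etc/os-release (real keys of
# that file). The sample files below are constructed for an offline run.

# Read one key from an os-release-style file, stripping surrounding quotes.
os_release_field() {          # $1 = key, $2 = file
    sed -n "s/^$1=//p" "$2" | head -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Map ID and ID_LIKE to a package family: "rpm", "deb" or "unknown".
pkg_family() {                # $1 = os-release file
    ids="$(os_release_field ID "$1") $(os_release_field ID_LIKE "$1")"
    case " $ids " in
        *" debian "*|*" ubuntu "*)              echo deb ;;
        *" centos "*|*" rhel "*|*" fedora "*)   echo rpm ;;
        *)                                      echo unknown ;;
    esac
}

# Print "<package> - <version>" for one installed package with the tool the
# family requires (rpm -q / dpkg-query -W, the commands used in the notes).
installed_version() {         # $1 = package, $2 = os-release file
    case "$(pkg_family "$2")" in
        rpm) rpm -q --queryformat '%{NAME} - %{VERSION}-%{RELEASE}\n' "$1" ;;
        deb) dpkg-query -W --showformat='${Package} - ${Version}\n' "$1" ;;
        *)   echo "unsupported OS family" >&2; return 1 ;;
    esac
}

# Constructed sample files (left in place so they can be inspected).
tmp="$(mktemp -d)"
printf 'ID=centos\nID_LIKE="rhel fedora"\nVERSION_ID="7"\n' > "$tmp/centos"
printf 'ID=ubuntu\nID_LIKE=debian\nVERSION_ID="18.04"\n' > "$tmp/ubuntu"
printf 'ID=alpine\nVERSION_ID="3.8"\n' > "$tmp/alpine"

for f in "$tmp"/*; do
    echo "$(basename "$f"): $(pkg_family "$f")"
done
# On a real host, query the running system the same way.
if [ -r /etc/os-release ]; then
    echo "this host: $(pkg_family /etc/os-release)"
fi
```

On a live system, `installed_version kernel /etc/os-release` (or `linux-image-amd64` on Debian) gives the one-line package/version pair used later in this chapter to compare against the errata.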

3. Checking for updates

  • Check for available updates
  • Install available updates
  • Check for specific package update
  • Check for all package updates.

CentOS

Check for specific package updates (in this case, updates for kernel)

# yum -q info kernel

To upgrade our kernel

# yum upgrade -y kernel

To upgrade all packages

# yum upgrade 
# yum update
  • upgrade and update are the same on newer distributions.
  • Using upgrade should technically be different: upgrade uses extra logic to replace old (obsoleted) programs. Inside the yum.conf file, obsolete=1 is set by default, making update and upgrade functionally the same by default.

y/d/N

y – yes, download and upgrade all packages

d – just download packages.

N – abort 

  • Only the kernel and systemd (the init system) require a reboot to complete the update, as they are the soul of the system. With the update, we are killing the old program to make way for the new one.

Debian

  • We will use apt (the newest package manager)

To update “updates list” and check for upgradable packages

# apt update

To list all upgradable packages that begin with linux-image (regex)

# apt list --upgradable linux-image*

To list all upgradable packages

# apt list --upgradable 

To upgrade single package

# apt install linux-image-amd64

To upgrade all packages:

# apt full-upgrade
# apt upgrade
  • full-upgrade and upgrade are equivalent. 

How it works

  • When we run package manager commands, we query the servers they are configured to talk to, asking them whether newer versions of the installed packages are available.
  • Configured repositories are inside:
    • /etc/yum.repos.d/ directory (CentOS)
    • /etc/apt/sources.list.d (Debian)
    • /etc/apt/sources.list.conf (Debian)
  • If there are newer versions of software available, we can install or download them.
  • Generally, it is a good idea to keep all software up to date, especially public-facing services (SSH, httpd and others)

4. Automating updates

  • Ways to automate updates 
  • Not recommended to do in production environments
  • Rebuilding systems programmatically

CentOS

# yum install -y yum-cron 
  • The software comes with two configuration files inside the /etc/yum/ directory
  • By default, the /etc/yum/yum-cron.conf file will be used.
  • The /etc/yum/yum-cron.conf file has a random sleep value inside, and it should be disabled.
# sed -i "s/random_sleep = 360/random_sleep = 0/g" /etc/yum/yum-cron.conf
  • With the value set to 0, when we call the yum-cron software it will run without delay.
# yum-cron
  • If there are no updates, yum-cron will not show any output!
  • If there are updates, a notification will pop up that updates were downloaded successfully.
  • If you want to download AND install updates using yum-cron, change the apply_updates key in yum-cron.conf with the following command or using nano:
# sed -i "s/apply_updates = no/apply_updates = yes/g" /etc/yum/yum-cron.conf

To check if processes need restarting (not restart machine, but to restart service itself)

# needs-restarting
  • Shows processes that need to be restarted in order to apply changes!

To check if processes need system rebooting

# needs-restarting -r
  • Shows processes that need system reboot to apply changes!

To start/enable yum-cron service

# systemctl enable --now yum-cron
  • A new configuration file will show up at /var/lock/subsys/yum-cron
  • This file enables two more cron jobs inside:
    • /etc/cron.daily/0yum-daily.cron
    • /etc/cron.hourly/0yum-hourly.cron
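The two sed commands above silently do nothing if the key already has another value or is missing. The function below is an added example, not code from the notes: it sets a yum-cron.conf key idempotently (replace the line if present, append otherwise) and verifies the result. apply_updates, random_sleep and update_cmd are real yum-cron.conf keys; update_cmd = security, which restricts the run to packages flagged as security updates, is a setting the notes do not cover. The sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): set yum-cron.conf keys
# idempotently instead of a literal sed swap. apply_updates, random_sleep
# and update_cmd are real yum-cron.conf keys; the sample file is constructed.

# Set "KEY = VALUE" in an INI-style file: replace the line if the key exists,
# otherwise append it. Returns 0 only when the file ends up with the value.
# (Values containing "/" would need escaping for sed; not needed here.)
set_conf_key() {              # $1 = file, $2 = key, $3 = value
    if grep -q "^$2 *=" "$1"; then
        sed -i "s/^$2 *=.*/$2 = $3/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
    grep -q "^$2 = $3\$" "$1"
}

# Harden the download-only default: no random delay, apply updates, and
# limit the unattended run to security updates (a yum-cron.conf option).
configure_yum_cron() {        # $1 = path to yum-cron.conf
    set_conf_key "$1" random_sleep 0 &&
    set_conf_key "$1" apply_updates yes &&
    set_conf_key "$1" update_cmd security
}

# Constructed sample mirroring the stock file's relevant lines.
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
[commands]
update_cmd = default
download_updates = yes
apply_updates = no
random_sleep = 360
EOF

configure_yum_cron "$sample_conf" && cat "$sample_conf"
```

Run it against /etc/yum/yum-cron.conf instead of the sample to apply the same three settings on a real host, then use needs-restarting as shown above to see what the unattended run has left to restart.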

Debian/Ubuntu

  • We use a package called unattended-upgrades
  • unattended-upgrades is used to automatically update Debian-based distros
# apt install unattended-upgrades
  • Configuration files are inside /etc/apt/apt.conf.d/
  • Files are called 20auto-upgrades and 50unattended-upgrades
  • Edit 50unattended-upgrades and uncomment stable, stable-updates, proposed-updates

To run and test configuration with debug mode

# unattended-upgrade -d
  • Upgrades should be installed 

To list timers

# systemctl list-timers
  • apt-daily.timer and apt-daily-upgrade.timer should show up

5. Checking mailing lists and errata pages

  • Where we go for news on how our OS is performing: is it healthy, does it need space…

Package changelogs

  • The changelog provides information about a specific package.

CentOS

To show most recently installed package

# rpm -q kernel --last
# rpm -q --changelog kernel-1.1.1-9… | less
  • Use less as the output is more than one screen

Debian/Ubuntu

# apt changelog linux-image-amd64

Official sources and mailing lists

Official sources:

Mailing lists:

Mailing lists notify you (send you an email) for each thread you subscribe to. It is a good idea to subscribe only to the newsletters for packages you use in your environment. The following mailing lists exist for each distribution:

Other resources:

6. Using snaps

  • Snaps work like any other package manager: a snap is installed and managed as a package brought from a repository to your system.
  • snapd is the daemon that powers snaps. It is the environment that manages installed snaps and deals with installs, updates, deleting old versions…
  • When we install a snap, we download a read-only squashfs file that lives in /var/lib/snapd/snaps
  • Snap packages software in a universal fashion, and that package can then be deployed to any OS that supports snaps.

Search for snaps

# snap search foo

Install snaps

# snap install foo
  • Once finished, we will have foo installed from a snap.

List installed snaps

# snap list

Check snap services

# snap services
  • Shows active/inactive state of our services

To start snap

# snap start foo
Started.

Remove snaps

# snap remove foo

Show snap information

# snap info foo

Snaps can also be searched for through Canonical's website.

7. Using Flatpak

  • The second package manager covered here.
  • Same as snaps: it packages software so that it can be deployed to other systems that support Flatpak
  • Just another holy war
  • Flatpak emphasizes desktop applications over server applications.
  • Mostly graphical tools are used to manage Flatpak apps
  • When we install a package using Flatpak, it is stored in:
    • System packages: /var/lib/flatpak
    • User packages: ~/.local/share/flatpak/
  • User packages are stored as files inside ~/.local/share/flatpak/app/
  • There are 585+ packages available to install from the flathub repository

How many packages are available from flathub

# flatpak remote-ls flathub | wc -l

Update Flatpak applications

# flatpak update

Installing Flatpak

# apt install flatpak -y

Enable the flathub repository from https://flathub.org

# flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo

Search for a package

# flatpak search org.foo.foo
  • The package identifier or Application ID from the table above is represented as follows:
  • org/com.<company or team name>.<application name>

Install a package

# flatpak install flathub org.foo.foo

Run a package

# flatpak run org.foo.foo

List installed packages

# flatpak list

Install package as a user

# flatpak --user remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
# flatpak --user install flathub org.foo.foo -y

Remove package

# flatpak uninstall org.foo.foo --user -y
  • Specifically removes the user-installed version; the system one will remain.

8. Using Pip, RubyGems, and other package managers

  • Aside from YUM, Flatpak, snaps and apt, there are other package management systems.
  • Pip and RubyGems are programming-language-specific ways to distribute packages to a system.

Pip (Pip Installs Packages) is included in Python installations.

Gem is used to package Ruby elements and is included in Ruby installations.

Install pip and RubyGems

# apt install libgmp3-dev make gcc ruby ruby-dev python3-setuptools -y

Install pip with the easy_install3 script

# python3 /usr/lib/python3/dist-packages/easy_install.py pip

Pip

Check pip version

# pip3 --version

List installed packages and their versions

# pip3 list

Search for installed packages

# pip3 search foo

Install a package

# pip3 install foo --user
  • Install package as a user (will be stored in user’s home directory)

Install a package (specify version)

# pip3 install foo==2.5.1 --user

Upgrade a package to latest version:

# pip3 install foo --upgrade --user

RubyGems

Check gem version

# gem --version

List installed gems

# gem list

List specific package

# gem search -e foo
  • -e is the exact-match option; pip lacks this function

Install a package as a user

# gem install foo --user-install

Run the package

# ~/.gem/ruby/2.5.0/bin/foo --version
  • Stored in the home directory

Install other versions of packages

# gem install foo -v 14.2.0 --user-install
# ~/.gem/ruby/2.5.0/gems/chef-14.2.0/bin/chef-client --version

Uninstall the package

# gem uninstall foo
  • If several versions are installed, press the number of the one to uninstall
  • Pip and RubyGems try to be self-contained.
  • They just query the upstream repository for a package and then download it onto your system.
  • Only after you update your PATH to include the location where the new executables live are you able to run the packages you installed.
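The last bullet is the step people get wrong: ~/.local/bin (pip --user) and ~/.gem/ruby/<version>/bin (gem --user-install) have to be on PATH, and a profile that appends them on every login grows PATH without limit. The script below is an added example, not code from the notes: it prepends each directory only if it is absent and then reports whether a command resolves to a user install under $HOME or to a system copy. Gem.user_dir is a real RubyGems API; the 2.5.0 fallback is the version used in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): put the user-install bin
# directories for pip (~/.local/bin) and RubyGems (~/.gem/ruby/<ver>/bin)
# on PATH exactly once, then check which "foo" would actually run.
# Gem.user_dir is a real RubyGems API; 2.5.0 is the version used in the notes.

# Prepend $1 to the colon-separated list $2 unless it is already in it,
# so re-sourcing a profile does not grow PATH on every login.
path_prepend_unique() {       # $1 = dir, $2 = current PATH string
    case ":$2:" in
        *":$1:"*) printf '%s\n' "$2" ;;
        *)        printf '%s\n' "$1:$2" ;;
    esac
}

# PATH with both user-install locations in front of the system ones.
user_bin_path() {             # $1 = HOME, $2 = gem user dir, $3 = base PATH
    p="$(path_prepend_unique "$2/bin" "$3")"
    path_prepend_unique "$1/.local/bin" "$p"
}

# Report where a command resolves and whether that is a user install.
resolve_cmd() {               # $1 = command name, $2 = HOME
    bin="$(command -v "$1" 2>/dev/null)" || { echo "$1: not on PATH"; return 1; }
    case "$bin" in
        "$2"/*) echo "$1: user install at $bin" ;;
        *)      echo "$1: system install at $bin" ;;
    esac
}

# Ask RubyGems for the user gem dir; fall back to the notes' 2.5.0 layout.
gem_dir="$(ruby -e 'puts Gem.user_dir' 2>/dev/null)" || gem_dir="$HOME/.gem/ruby/2.5.0"
PATH="$(user_bin_path "$HOME" "$gem_dir" "$PATH")"
export PATH
echo "PATH=$PATH"
resolve_cmd foo "$HOME" || true
```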

9. Dependency hell

  • Dependency hell is the notion that a package can have dependencies that either conflict with other versions of dependent packages or libraries you have installed, or try to use incompatible versions.
