up3date

up3date (up-free-date) is a 38 KByte bash script which replaces Redhat's up2date service: it is basically a completely free "Redhat Update".  Run as a cron job, it automatically checks a chosen FTP or HTTP mirror for updated RPMs, confirms that they have not been tampered with by checking the Redhat digital signature on each one, and then installs them.  up3date emails a configurable address with summary information about its actions.

NOTE - neither I nor up3date have any connection with Redhat other than using their fine distro.
download up3date-0.3.tar.gz (9.3K)  

Features

  • Single bash script lives in /bin
  • Creates a default /etc/up3date.conf file itself the first time it is run
  • Runs itself and rpm as nice -n 19 (low priority 'background' job)
  • Caches last FTP and RPM database states so it can very quickly detect if there have been no changes in FTP or machine packagelist states and complete without doing any CPU intensive work: together with nice -n 19 this makes the script barely noticeable until it must actually update a package
  • Highly scalable: Mirror mode allows an automatically sync-ed local update repository to serve unlimited local machines using apache
  • Mirror mode supports mirroring multiple Redhat versions in one action
  • Only downloads updates for packages which are already installed
  • Only downloads newer packages than are installed
  • Operates completely without user intervention
  • Emails configurable address when it has updated a package
  • Fairly secure: checks Redhat digital signature on downloaded packages as a separate step before using them, deletes and redownloads any failures
  • Fairly secure: enforces permissions on script and config file automatically, accepts no user params, no rwx for non-root, only accepts root execution
  • Survey-free, subscription-free, install and forget until email from each machine lets you know it's keeping you "up free date"
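To make the "enforces permissions" feature concrete, here is an added example of the checks such a script should make before it trusts its configuration; it is not up3date's own code, and the paths and function names (config_is_safe, enforce_perms, load_config) are assumptions for illustration.  The point that matters: /etc/up3date.conf is a bash fragment that a root-run script reads as shell, so a config file that anyone else can write, or that has been replaced by a symlink into a user-writable directory, is equivalent to a root shell for that person.  Ownership and mode therefore have to be checked every time the file is read, not only set on the first run.

```bash
#!/bin/bash
# Added example, not up3date's own code: the checks a root-run script that
# sources its config file should make before trusting it. Paths and names
# (config_is_safe, enforce_perms, load_config) are assumptions for illustration.

# config_is_safe FILE [OWNER_UID]
# Returns 0 when FILE is a regular file (not a symlink) owned by OWNER_UID
# (default 0, root) and not writable by group or other; otherwise prints the
# reason and returns 1.
config_is_safe() {
    local f=$1 owner=${2:-0} uid mode
    # -f follows symlinks, so reject those explicitly: a link pointing into a
    # user-writable directory would pass every other check below
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2
        return 1
    fi
    uid=$(stat -c '%u' "$f") || return 1
    mode=$(stat -c '%a' "$f") || return 1
    if [ "$uid" != "$owner" ]; then
        echo "refusing $f: owned by uid $uid, expected $owner" >&2
        return 1
    fi
    # 022 octal = group-write (020) plus other-write (002)
    if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
        echo "refusing $f: mode $mode is group/other writable" >&2
        return 1
    fi
    return 0
}

# enforce_perms SCRIPT CONF: what the first root run should do; refuses non-root.
enforce_perms() {
    local script=$1 conf=$2
    [ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; return 1; }
    chown root:root "$script" "$conf" &&
        chmod 0700 "$script" &&
        chmod 0600 "$conf"
}

# load_config CONF [OWNER_UID]: source the file only after it passes the check.
load_config() {
    config_is_safe "$1" "${2:-0}" || return 1
    # shellcheck disable=SC1090
    . "$1"
}
```

The owner check takes the expected uid as a parameter only so the function can be exercised as an ordinary user; in the real script it would always be 0.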

Install instructions

1) Download and unpack the up3date script into /bin.  If you are updating from 0.1 then delete your /etc/up3date.conf now.

2) Run up3date as root for the first time.  This forces the permissions on the script to a safe state and creates /etc/up3date.conf with default settings, then exits suggesting you check those defaults.

3) The next time you run up3date as root, it does a full check for updates.  After that it can check very quickly: it looks at whether the FTP site listing or your RPM database has changed since the last run, and if neither has, it immediately concludes there are no updates and exits.

4) When you're confident with its operation, add as a cron job every 4 hours (the same as the default up2date check period) by appending the following to /etc/crontab
30 1,5,9,13,17,21 * * * - /bin/up3date
The - means that cron itself will not mail you the results of the script; instead up3date mails the user configured in /etc/up3date.conf, and only when something was updated.  Set MAILIFNOUPDATES=1 in /etc/up3date.conf if you want to be emailed whenever up3date runs, even if nothing was updated.

The 30 is the minutes, and the section 1,5,9.... is the list of hours of the day it should run /bin/up3date, the example runs at 01:30, 05:30, 09:30, etc

Excluding packages from update

Sometimes you need to exclude certain packages from automatic update, commonly because you are running a custom kernel.  The variable BANNEDPACKAGES in /etc/up3date.conf allows you to define which packages should be left alone, for example

export BANNEDPACKAGES="kernel kernel-smp kernel-bigmem kernel-BOOT kernel-source kernel-docs"

will totally ignore any redhat kernel updates that may be available.
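As an added example (not the script's own code), here is how a ban list like this should be applied when deciding which RPMs to fetch or install.  The thing to get right is exact name matching: "kernel" in BANNEDPACKAGES must not also silently ban kernel-smp or kernel-source (each is its own entry, which is why the example above lists all of them), while package names that themselves contain dashes, such as redhat-config-network-tui, must still parse to the right name.  Function names and the sample file names are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not code from up3date: applying a BANNEDPACKAGES-style list to
# RPM file names with exact name matching. Function names are assumptions.

# rpm_name_of FILENAME: print the package name from NAME-VERSION-RELEASE.ARCH.rpm
# Version and release never contain '-', so the name is everything before the
# last two dash-separated fields, even when the name itself has dashes.
rpm_name_of() {
    local f=${1##*/}          # strip any directory part
    f=${f%.rpm}               # strip .rpm
    f=${f%.*}                 # strip .arch
    f=${f%-*}                 # strip -release
    printf '%s\n' "${f%-*}"   # strip -version, leaving the name
}

# is_banned NAME "BANNEDPACKAGES": 0 if NAME equals one of the listed words.
# Whole-word comparison: banning "kernel" does not ban "kernel-smp".
is_banned() {
    local name=$1 b
    for b in $2; do
        [ "$b" = "$name" ] && return 0
    done
    return 1
}

# filter_banned "BANNEDPACKAGES" < list-of-rpm-filenames: print the allowed ones
filter_banned() {
    local banned=$1 f
    while IFS= read -r f; do
        [ -z "$f" ] && continue
        is_banned "$(rpm_name_of "$f")" "$banned" || printf '%s\n' "$f"
    done
}
```

A prefix or glob match (`kernel*`) would look like a convenience here but bans more than the list says, which is exactly the kind of silent behaviour an unattended updater should not have.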

Update report emails

The update report emails look like this:

To: root@cb.ath.cx
Subject: Up3date at monkeycat - update report
Date: Mon, 22 Sep 2003 10:33:30 +0100 (BST)
From: root@monkeycat.cb.ath.cx (root)


Hi!  This is the up3date script v0.3 running on monkeycat (on kernel 2.6.0-0.test2.1.28).  Currently I am looking after     670 installed packages on this machine.

Please note that the following packages are NOT being updated, since they are listed in BANNEDPACKAGES in /etc/up3date.conf (currently "kernel kernel-smp kernel-bigmem kernel-BOOT kernel-source kernel-docs")
kernel-2.6.0-0.test1.1.26
kernel-2.4.20-8
kernel-source-2.6.0-0.test2.1.28
kernel-source-2.6.0-0.test1.1.26
kernel-2.6.0-0.test2.1.28

0 packages downloaded from http://192.168.0.50/up3date, installing 11 packages
The following files were updated:

/var/cache/up3date/up2date-gnome-3.1.23.2-1.i386.rpm
/var/cache/up3date/openssh-askpass-gnome-3.5p1-11.i386.rpm
/var/cache/up3date/redhat-config-network-tui-1.2.15-1.noarch.rpm
/var/cache/up3date/redhat-config-network-1.2.15-1.noarch.rpm
/var/cache/up3date/kdelibs-devel-3.1-12.i386.rpm
/var/cache/up3date/openssh-askpass-3.5p1-11.i386.rpm
/var/cache/up3date/redhat-config-printer-0.6.47.11-1.i386.rpm
/var/cache/up3date/redhat-config-printer-gui-0.6.47.11-1.i386.rpm
/var/cache/up3date/openssh-server-3.5p1-11.i386.rpm
/var/cache/up3date/up2date-3.1.23.2-1.i386.rpm
/var/cache/up3date/kdebase-devel-3.1-15.i386.rpm

RPM messages:


User updates being updated:

rpm -U /var/cache/up3date/up2date-gnome-3.1.23.2-1.i386.rpm
/var/cache/up3date/openssh-askpass-gnome-3.5p1-11.i386.rpm
/var/cache/up3date/redhat-config-network-tui-1.2.15-1.noarch.rpm
/var/cache/up3date/redhat-config-network-1.2.15-1.noarch.rpm
/var/cache/up3date/kdelibs-devel-3.1-12.i386.rpm
/var/cache/up3date/openssh-askpass-3.5p1-11.i386.rpm
/var/cache/up3date/redhat-config-printer-0.6.47.11-1.i386.rpm
/var/cache/up3date/redhat-config-printer-gui-0.6.47.11-1.i386.rpm
/var/cache/up3date/openssh-server-3.5p1-11.i386.rpm
/var/cache/up3date/up2date-3.1.23.2-1.i386.rpm
/var/cache/up3date/kdebase-devel-3.1-15.i386.rpm

Everything seemed to complete okay, caching this state as the current up to date state.

Bye!



By default the machines running the script send email only when updates occur.

/etc/up3date.conf settings

Here is what the default /etc/up3date.conf file looks like.  Usually setting up a client requires only the SERVERBASEURL and MAILTO variables to be changed.  The script automatically determines which Redhat version and which CPU architecture the client is running.  Note that the file is in bash syntax (the script reads it as shell, as root), which is why up3date insists that only root can write it.

#!/bin/bash
# Config file for up3date script  (c)2003 andy@warmcat.com
# created by up3date version 0.3 on Wed Sep 24 09:09:58 BST 2003
#
#
#
# SERVERBASEURL sets where up3date fetches update RPMs from, uncomment one of these below
#
#export SERVERBASEURL=ftp://ftp.redhat.com/pub
# UK

#export SERVERBASEURL=ftp://ftp.mirror.ac.uk/sites/ftp.redhat.com/pub
# US
#export SERVERBASEURL=ftp://chuck.ucs.indiana.edu/pub/linux/redhat
# DE -- say hello to Wagner for me!
export SERVERBASEURL=ftp://ftp.uni-bayreuth.de/pub
# JP
#export SERVERBASEURL=ftp://ftp.kddlabs.co.jp/pub/Linux/packages/RedHat
# *** Locally served by HTTP (replace the ip address with your server ip or name if in /etc/hosts) ****
#export SERVERBASEURL=http://192.168.0.50/up3date
#
#
# this is who gets a mail every time there is an install

export MAILTO=root@cb.ath.cx
#
# args to use with wget: --passive-ftp is needed if you are behind many kinds of firewall

export WGETARGS="--passive-ftp"
#export WGETARGS=""
#
# args to make wget run with minimal progress display

export WGETARGSQUIET="-nv"
#
# where downloaded RPMs should live

export RPM_STG_DIR=/var/cache/up3date
#
# where to make a temp directory (deleted on exit)

export TEMP_FILES_BASE_DIR=/tmp
#
# whether to email on every run even if nothing updated, blank=no, anything=yes

export MAILIFNOUPDATES=
#
# Package names separated by spaces which are NOT to be updated, eg BANNEDPACKAGES="kernel-smp kernel-bigmem kernel-BOOT"
# if you are running a custom kernel, you will want to use the commented-out version so no kernel packages come over

export BANNEDPACKAGES=""
#export BANNEDPACKAGES="kernel kernel-smp kernel-bigmem kernel-BOOT kernel-source kernel-docs"
#
#
#
#
# Mirror mode settings below - only need to set up this section if you are using up3date mirror mode
#
# MIRRORBASEURL is used to define where the mirroring function of up3date copies from, uncomment one of these below
# (only one of these lines should be active; if more than one is, the last assignment wins)
#
#export MIRRORBASEURL=ftp://ftp.redhat.com/pub
# UK
#export MIRRORBASEURL=ftp://ftp.mirror.ac.uk/sites/ftp.redhat.com/pub
# US
#export MIRRORBASEURL=ftp://chuck.ucs.indiana.edu/pub/linux/redhat
# DE -- say hello to Wagner for me!
export MIRRORBASEURL=ftp://ftp.uni-bayreuth.de/pub
# JP
#export MIRRORBASEURL=ftp://ftp.kddlabs.co.jp/pub/Linux/packages/RedHat
#
# Package names separated by spaces which are NOT to be mirrored, eg MIRRORBANNEDPACKAGES="kernel-smp kernel-bigmem kernel-BOOT"

export MIRRORBANNEDPACKAGES=""
#
# Mirror mode only: subdirs of the mirror archive to maintain

export MIRRORSUBDIRS="i386 noarch i586 i686 athlon"
#
# Mirror mode only: local http server path (default: /var/www/html)

export MIRRORLOCALHTMLPATH="/var/www/html"
#
# Mirror mode only: list of distro versions to mirror, separated by a space, eg, "7.3 8.0 9"  default is to mirror the latest version only

export MIRRORDISTROVERSIONS="9"
#


If you updated from 0.2 of up3date, some of the variables may be missing from your 0.2-generated /etc/up3date.conf.  Although sensible defaults are used by the script in this case, you might want to delete your /etc/up3date.conf and have the current version generate you a fresh one next time it is executed.

Setting up a local mirror

If you have multiple local machines, it can start to get a bit unworkable having each one going out to an external FTP mirror.  So up3date has a mirror mode which lets one local machine mirror the external FTP site and serve it over HTTP using apache.  Once the initial sync has been done, up3date can detect that there are no updated files (the most common situation) and terminate very quickly indeed.

It's very easy to set up.  On your server machine, you need Redhat's httpd package (apache) installed.  The first time, run the up3date mirror mode from the command line:
up3date mirror
This will identify which packages need downloading and start copying them over to /var/www/html/up3date/redhat/linux/updates/9/en/os/  

Even with deprecated packages (i.e. kernel-2.4.20-18 when there is a kernel-2.4.20-19 available) pruned from the download list, you will still need 300MB - 400MB of storage for the mirror - but of course this is only downloaded once.  After the first big download only updates are brought over.  If you already have a collection of RPMs downloaded separately, you can copy them by hand into the /var/www/html/up3date/... structure to reduce the initial downloading time.  up3date will confirm that they pass the signature test before using them.

You can check with a browser on your local machine that the files are accessible via apache by looking at
http://localhost/up3date/redhat/linux/updates/9/en/os
you should see one more layer of subdirectories (i386, noarch, etc) which hold the RPMs.

Configuring clients to use your mirror

On the other machines which want to use the mirror, all you have to do is edit /etc/up3date.conf on the machines so that SERVERBASEURL points to your apache server, for example
export SERVERBASEURL=http://yourlocalserver/up3date
The client machines using a mirrored server on a LAN pick up their updates at an amazing speed!

Automating the mirror action with crontab

After you are comfortable that the mirror action is working correctly, you can add the mirror sync action as a cronjob by adding a line to /etc/crontab on your apache server machine like this:
10 * * * * - /bin/up3date mirror
Now your server will sync itself to the FTP update directory once an hour (the 10 is how many minutes past the hour), and all your other machines will collect from your local HTTP server copy.

Support for mirroring multiple distro versions

If you are supporting multiple client versions, for example, you have people with 7.3, 8.0 and 9, you can edit MIRRORDISTROVERSIONS in /etc/up3date.conf on the server machine.  By default it is set to "9", but in the example above you would set it to

export MIRRORDISTROVERSIONS="7.3 8.0 9"

and up3date mirror will iterate through each set of update directories each time it is run.

Excluding packages from being mirrored

Sometimes you need to exclude certain packages from being mirrored, for example if ALL your machines are running a custom kernel.  The variable MIRRORBANNEDPACKAGES in /etc/up3date.conf allows you to define which packages should not be downloaded, for example

export MIRRORBANNEDPACKAGES="kernel kernel-smp kernel-bigmem kernel-BOOT kernel-source kernel-docs"

will totally ignore any redhat kernel updates that may be available.

Mirroring report emails

The mirror report emails look like this:


To: root@cb.ath.cx
Subject: Up3date Mirroring at cb.ath.cx - distro 9 report
Date: Mon, 22 Sep 2003 11:21:22 +0100 (BST)
From: root@mail.cb.ath.cx (root)

Hi!  This is the up3date script v0.3 in MIRROR MODE running on cb.ath.cx.

I am mirroring ftp://ftp.mirror.ac.uk/sites/ftp.redhat.com/pub distro version 9, subdirectories "i386 noarch i586 i686 athlon".

The following packages were downloaded successfully and passed the signature test:
/var/www/html/up3date/redhat/linux/updates/9/en/os/i386/perl-5.8.0-88.3.i386.rpm
/var/www/html/up3date/redhat/linux/updates/9/en/os/i386/perl-CGI-2.81-88.3.i386.rpm
/var/www/html/up3date/redhat/linux/updates/9/en/os/i386/perl-CPAN-1.61-88.3.i386.rpm
/var/www/html/up3date/redhat/linux/updates/9/en/os/i386/perl-DB_File-1.804-88.3.i386.rpm
/var/www/html/up3date/redhat/linux/updates/9/en/os/i386/perl-suidperl-5.8.0-88.3.i386.rpm

We are up to date

Please note the following packages are being excluded from the mirror due to the definition of
MIRRORBANNEDPACKAGES in /etc/up3date.conf at cb.ath.cx (currently "kernel-smp kernel-bigmem kernel-BOOT"):

kernel-BOOT-2.4.20-18.9.i386.rpm
kernel-BOOT-2.4.20-19.9.i386.rpm
kernel-BOOT-2.4.20-20.9.i386.rpm
kernel-smp-2.4.20-18.9.i586.rpm
kernel-smp-2.4.20-19.9.i586.rpm
kernel-smp-2.4.20-20.9.i586.rpm
kernel-bigmem-2.4.20-18.9.i686.rpm
kernel-bigmem-2.4.20-19.9.i686.rpm
kernel-bigmem-2.4.20-20.9.i686.rpm
kernel-smp-2.4.20-18.9.i686.rpm
kernel-smp-2.4.20-19.9.i686.rpm
kernel-smp-2.4.20-20.9.i686.rpm
kernel-smp-2.4.20-18.9.athlon.rpm
kernel-smp-2.4.20-19.9.athlon.rpm
kernel-smp-2.4.20-20.9.athlon.rpm


Bye!



FAQ

Why am I not getting emails on my main machine when up3date runs on other machines?

Check the MAILTO= address configured in /etc/up3date.conf.

You also need to have an MTA like sendmail, postfix or Qmail running on the other machines... sendmail is widely considered not very secure... personally I run postfix, but I am reliably told Qmail is good too.  Without an MTA, the email stays on the local machine.  It's definitely worth the effort to set this up, since then your other machines report to you that they are updating themselves and you know everything is working.  It's very pleasant to see in your inbox one morning all your machines reporting they patched themselves, and then later see the Redhat advisory.

Here is what you need to set up postfix on a remote machine sufficient for it to send mails to an MTA on your machine:
  • install the postfix rpm
  • edit /etc/postfix/main.cf
    • myhostname = machinename.blah.com (or similar, it needs to have some dots in it; the postfix parameter is myhostname, not hostname)
    • mynetworks_style = host
    • relayhost = [192.168.0.50]  (or whatever your machine's IP address is; the square brackets tell postfix to connect to that host directly instead of looking up MX records for it)
  • Save the config file
  • service postfix restart
You can test that mail is working from that machine by doing mail root@yourserver, using the name your server is known as (a bare IP address has to be written root@[192.168.0.50]).  Type Ctrl-D to end the message body.

How can I trust this script security-wise?

Read it through; it's only 38K, it's all bash script and it has comments, so this will only take you a few minutes.  It relies mainly on wget and rpm.  The two places worth the closest look are where it reads /etc/up3date.conf (a bash fragment read as root, so the permission enforcement on that file is part of the security boundary) and where the result of the signature check decides whether a downloaded RPM gets installed.
 

I can see my apache mirror on localhost, but from another machine I get 'connection refused'

Check that apache is binding to your network interface.  See /etc/httpd/conf/httpd.conf and the Listen directive in there.  After the change, make sure to do service httpd restart.

I got the security notice email from Redhat, but no updated files are found?

Check your mirror with a browser.  Unfortunately some mirrors are updated only very infrequently.  mirror.ac.uk can be several days behind ftp.uni-bayreuth.de for example.  A mirror that lags is also a security matter: the signature check proves a package is genuine, not that it is the current one, so a stale mirror leaves you unpatched without any error being reported.

Problems or Questions?

up3date@warmcat.com