Tag Archives: Debian

cron-apt and the perfect update system

On my spare time, I manage a handful of servers. And even if it’s not really my job, I try to do it well and efficiently. All of them work on Debian because it’s simple to manage. I started using cron-apt a few years ago. I started by upgrading everything automatically, this was a big mistake. I switched to only sending mails on available upgrades and doing the upgrade manually. But this is also quite painful because 95% of the time, it consists in typing “apt-get dist-upgrade -y” and waiting and I have lots more interestings things to do.

So here is my cron-apt configuration, I like it a lot:

In /etc/apt:
– I removed the sources.list file
– I put the content of my sources.list into sources.list.d/main.list, it should look something like that:

1
2
deb http://http.us.debian.org/debian stable main contrib non-free
deb-src http://http.us.debian.org/debian stable main contrib non-free

– I created a directory sources.security.list.d
– I put the following content:

1
2
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free

Then I added the repositories with packages I want to manually upgrade to /etc/apt/sources.list.d/ and the ones that I want to automatically upgrade (which means that they can’t require any user interaction) to /etc/apt/sources.security.list.d/.

The interesting part is here, in /etc/cron-apt/action.d, this what I have:

0-update

1
2
update -o quiet=2
update -o quiet=2 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists"

We launch an update of the two kinds of repositories. For the sources.security.list.d one, we use also a different Dir::State::lists parameter (which is the directory the cache file) so that we don’t to re-download the content of the index files every time.

2-install-security

1
dist-upgrade -y -o quiet=1 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"

For the –force-conf* options, I found the solution on RaphaĆ«l Hertzog’s blog.

We launch the upgrade (dist-upgrade actually) only on the repositories defined in /etc/apt/sources.security.list.d.

3-download

1
dist-upgrade -d -y -o APT::Get::Show-Upgraded=true

Then we only download files for the upgrade of the non-security packets.

6-clean

1
autoclean -y

And we finally delete all the old packets (the ones that will never be used).

If you want to play with the apt settings yourself, you should use apt-config to see what can change to fit your needs.

This made me save a lot of time. Because Debian produces quite a lot of security updates. Here is the frequency of the updates for one of my servers:

Debian 6.0

Debian released a new version of their system. I updated it on the server that powers this blog, it took me something like one hour to do the whole system upgrade. There was only a little glitch with mysql’s my.cnf file that had an unsupported “skip-bdb” line. Everything else went fine…

The very good thing in this new release is the new kfreebsd version (available in i386 and x86_64). It brings the power of the FreeBSD kernel to the great Debian OS. If you don’t see the point, read this. To put in a nutshell: a more stable kernel with less legal issues, better vendors support and the same softwares.

get start-stop-daemon on any Linux distribution

I switched from Debian to CentOS because I had the choice between an old 32 bits Debian 4.0 or a brand new 64 bits CentOS 5.3. And I have some scripts that use the great “start-stop-daemon” tool, which isn’t available on CentOS.

The easiest way to solve this problem is to get dpkg from Debian and then try to compile it. It’s likely that it will fail because libselinux (and it’s subsidiary library libsepol) won’t be registered in the pkgconfig dir. But we don’t really care as we only need start-stop-daemon, not dpkg.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# wget http://ftp.de.debian.org/debian/pool/main/d/dpkg/dpkg_1.14.25.tar.gz
# tar -xf dpkg_1.14.25.tar.gz
# cd dpkg-1.14.25/
# ./configure >/dev/null
configure: WARNING: x86_64 not found in cputable
configure: WARNING: linux-gnu not found in ostable
Package libselinux was not found in the pkg-config search path.
Perhaps you should add the directory containing `libselinux.pc'
to the PKG_CONFIG_PATH environment variable
No package 'libselinux' found
configure: WARNING: no curses library found
# make >/dev/null
processarc.o: In function `process_archive':
/root/dpkg-1.14.25/src/processarc.c:166: warning: the use of `tmpnam' is dangerous, better use `mkstemp'
archives.o: In function `tarobject':
/root/dpkg-1.14.25/src/archives.c:634: undefined reference to `matchpathcon'
/root/dpkg-1.14.25/src/archives.c:640: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:802: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:804: undefined reference to `freecon'
/root/dpkg-1.14.25/src/archives.c:826: undefined reference to `setfscreatecon'
/root/dpkg-1.14.25/src/archives.c:618: undefined reference to `is_selinux_enabled'
collect2: ld returned 1 exit status
make[2]: *** [dpkg] Error 1
make[1]: *** [all-recursive] Error 1
make: *** [all] Error 2
# cd utils
# make install
gcc -std=gnu99 -DHAVE_CONFIG_H -I. -I.. -DLOCALEDIR=\"/usr/local/share/locale\" -idirafter ../libcompat -I../lib    -g -O2 -MT start-stop-daemon.o -MD -MP -MF .deps/start-stop-daemon.Tpo -c -o start-stop-daemon.o start-stop-daemon.c
mv -f .deps/start-stop-daemon.Tpo .deps/start-stop-daemon.Po
gcc -std=gnu99  -g -O2  -Wl,-O1 -o start-stop-daemon start-stop-daemon.o ../libcompat/libcompat.a
make[1]: Entering directory `/root/dpkg-1.14.25/utils'
test -z "/usr/local/sbin" || /bin/mkdir -p "/usr/local/sbin"
  /usr/bin/install -c 'start-stop-daemon' '/usr/local/sbin/start-stop-daemon'
make[1]: Nothing to be done for `install-data-am'.
make[1]: Leaving directory `/root/dpkg-1.14.25/utils'

Even if it doesn’t look so good, it should have installed the start-stop-daemon software.

Server moved

I’ve switched from my two three years old dedicated servers to one brand new virtual server. Reasons are : These servers costed me too much and they were becoming old (risk of failure increases). It wasn’t worth it.

I spent last night doing that because I didn’t want to interrupt anybody using these servers.

My two servers were running some Debian and I’m now switching to a CentOS virtual server. I was a little bit worried at first that CentOS would have a crappy package management system, but its yum is in fact working the same way as Debian’s apt-get and OpenSuse’s zypper. The oool thing is that these three package management systems roughly work the same way : install , you don’t have to learn a new “ultimate” way to upgrade your software (like on FreeBSD). By the way, the faster package management system is yum, and the slowest one is zypper.

The biggest problem I had so far was to move all the databases. Previously, I was always using some Debian hosts, I was using exactly the same version of MySQL, so I just had to copy the MySQL datadir and logs files. Here, I had to export/import everything.

CentOS has an antique 1.2.4 version of Mono (when the current version is 2.4). I couldn’t manage to compile from the tarball but compiling from the SVN worked fine.

1
2
3
4
5
6
7
8
9
]# /usr/local/bin/mono --version
Mono JIT compiler version 2.5 (/trunk/mono r140917 Sat Aug 29 05:29:19 CEST 2009)
Copyright (C) 2002-2008 Novell, Inc and Contributors. www.mono-project.com
        TLS:           __thread
        GC:            Included Boehm (with typed GC and Parallel Mark)
        SIGSEGV:       altstack
        Notifications: epoll
        Architecture:  amd64
        Disabled:      none