Archive for the ‘sysadmin’ Category

Puppet

Tuesday, August 7th, 2012

I started to roll out puppet to manage our servers at work and have to say I am impressed. It really changed the way I think about managing systems and is so much cleaner and easier to understand than the ‘traditional’ way.
Just being able to automate often repeated steps like enabling LDAP access or distributing config files makes puppet worthwhile. That the configuration is self documenting and versioned makes puppet priceless.
I will not post a tutorial here, just links to a few I found useful:

If you have to manage more than two or three servers, read up on puppet and consider using it (or any other configuration management tool). It will be worth the time learning it.

First updates with unattended-upgrades

Sunday, August 5th, 2012

Running it for the first time, it seems to work well. It upgraded the packages and sent me an e-mail. Here are the config files I used:

/etc/apt/apt.conf.d/02periodic:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::RandomSleep "3600";

/etc/apt/apt.conf.d/50unattended-upgrades:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} stable";
    "${distro_id} ${distro_codename}-security";
//  "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed-updates";
};
 
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};
 
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
Unattended-Upgrade::Mail "root@localhost";
 
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
 
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";
 
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

And here is the kind of report e-mail you get:

Unattended upgrade returned: True
 
Packages that are upgraded:
 bind9-host dnsutils isc-dhcp-client isc-dhcp-common libbind9-60 
 libdns69 libgssapi-krb5-2 libisc62 libisccc60 libisccfg62 
 libk5crypto3 libkrb5-3 libkrb5support0 liblwres60 libxml2 
 
Package installation log:
(Reading database ... 23943 files and directories currently installed.)
Preparing to replace isc-dhcp-client 4.1.1-P1-15+squeeze3 (using .../isc-dhcp-client_4.1.1-P1-15+squeeze6_amd64.deb) ...
Unpacking replacement isc-dhcp-client ...
Preparing to replace isc-dhcp-common 4.1.1-P1-15+squeeze3 (using .../isc-dhcp-common_4.1.1-P1-15+squeeze6_amd64.deb) ...
Unpacking replacement isc-dhcp-common ...
Preparing to replace libk5crypto3 1.8.3+dfsg-4squeeze5 (using .../libk5crypto3_1.8.3+dfsg-4squeeze6_amd64.deb) ...
Unpacking replacement libk5crypto3 ...
Preparing to replace libgssapi-krb5-2 1.8.3+dfsg-4squeeze5 (using .../libgssapi-krb5-2_1.8.3+dfsg-4squeeze6_amd64.deb) ...
Unpacking replacement libgssapi-krb5-2 ...
Preparing to replace libkrb5-3 1.8.3+dfsg-4squeeze5 (using .../libkrb5-3_1.8.3+dfsg-4squeeze6_amd64.deb) ...
Unpacking replacement libkrb5-3 ...
Preparing to replace libkrb5support0 1.8.3+dfsg-4squeeze5 (using .../libkrb5support0_1.8.3+dfsg-4squeeze6_amd64.deb) ...
Unpacking replacement libkrb5support0 ...
Preparing to replace libxml2 2.7.8.dfsg-2+squeeze4 (using .../libxml2_2.7.8.dfsg-2+squeeze5_amd64.deb) ...
Unpacking replacement libxml2 ...
Preparing to replace bind9-host 1:9.7.3.dfsg-1~squeeze5 (using .../bind9-host_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement bind9-host ...
Preparing to replace dnsutils 1:9.7.3.dfsg-1~squeeze5 (using .../dnsutils_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement dnsutils ...
Preparing to replace libisc62 1:9.7.3.dfsg-1~squeeze5 (using .../libisc62_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement libisc62 ...
Preparing to replace libdns69 1:9.7.3.dfsg-1~squeeze5 (using .../libdns69_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement libdns69 ...
Preparing to replace libisccc60 1:9.7.3.dfsg-1~squeeze5 (using .../libisccc60_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement libisccc60 ...
Preparing to replace libisccfg62 1:9.7.3.dfsg-1~squeeze5 (using .../libisccfg62_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement libisccfg62 ...
Preparing to replace liblwres60 1:9.7.3.dfsg-1~squeeze5 (using .../liblwres60_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement liblwres60 ...
Preparing to replace libbind9-60 1:9.7.3.dfsg-1~squeeze5 (using .../libbind9-60_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Unpacking replacement libbind9-60 ...
Processing triggers for man-db ...
Setting up isc-dhcp-common (4.1.1-P1-15+squeeze6) ...
Setting up isc-dhcp-client (4.1.1-P1-15+squeeze6) ...
Setting up libkrb5support0 (1.8.3+dfsg-4squeeze6) ...
Setting up libk5crypto3 (1.8.3+dfsg-4squeeze6) ...
Setting up libkrb5-3 (1.8.3+dfsg-4squeeze6) ...
Setting up libgssapi-krb5-2 (1.8.3+dfsg-4squeeze6) ...
Setting up libxml2 (2.7.8.dfsg-2+squeeze5) ...
Setting up libisc62 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up libdns69 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up libisccc60 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up libisccfg62 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up libbind9-60 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up liblwres60 (1:9.7.3.dfsg-1~squeeze6) ...
Setting up bind9-host (1:9.7.3.dfsg-1~squeeze6) ...
Setting up dnsutils (1:9.7.3.dfsg-1~squeeze6) ...
 
 
Unattended-upgrades log:
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ["('Debian', 'stable')", "('Debian', 'squeeze-security')"]
Packages that are upgraded: bind9-host dnsutils isc-dhcp-client isc-dhcp-common libbind9-60 libdns69 libgssapi-krb5-2 libisc62 libisccc60 libisccfg62 libk5crypto3 libkrb5-3 libkrb5support0 liblwres60 libxml2
Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2012-08-05_06:33:13.547920.log'
All upgrades installed

If I could just shake off the feeling that one day a broken update will get pushed into the repositories and take down all the servers at once ;)
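
One way to catch a run that did not finish cleanly is to check the report e-mail itself: every package in the "Packages that are upgraded" list should later show a dpkg "Setting up" line, otherwise it was unpacked but never configured. The script below is an added example, not part of the original post; the function name `audit_report` and the sample report are constructed here for illustration, following the e-mail format shown above.

```python
import re

# Constructed sample in the format of the report e-mail above (not real output).
# libxml2 is deliberately left without a "Setting up" line.
SAMPLE_REPORT = """\
Unattended upgrade returned: True

Packages that are upgraded:
 bind9-host dnsutils
 libxml2

Package installation log:
Preparing to replace libxml2 2.7.8.dfsg-2+squeeze4 (using .../libxml2_2.7.8.dfsg-2+squeeze5_amd64.deb) ...
Preparing to replace bind9-host 1:9.7.3.dfsg-1~squeeze5 (using .../bind9-host_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Preparing to replace dnsutils 1:9.7.3.dfsg-1~squeeze5 (using .../dnsutils_1%3a9.7.3.dfsg-1~squeeze6_amd64.deb) ...
Setting up bind9-host (1:9.7.3.dfsg-1~squeeze6) ...
Setting up dnsutils (1:9.7.3.dfsg-1~squeeze6) ...
"""

PREPARE = re.compile(r"^Preparing to replace (\S+) (\S+) \(using ")
SETUP = re.compile(r"^Setting up (\S+) \((\S+)\) \.\.\.")

def audit_report(text):
    """Return (announced, old, new, unconfigured) for one report e-mail."""
    announced, old, new = [], {}, {}
    in_list = False
    for line in text.splitlines():
        if line.strip() == "Packages that are upgraded:":
            in_list = True
            continue
        if in_list:
            # The package list is indented; the first other line ends it.
            if line.startswith(" ") and line.strip():
                announced += line.split()
                continue
            in_list = False
        if m := PREPARE.match(line):
            old[m.group(1)] = m.group(2)   # version being replaced
        elif m := SETUP.match(line):
            new[m.group(1)] = m.group(2)   # version actually configured
    unconfigured = sorted(p for p in announced if p not in new)
    return announced, old, new, unconfigured

if __name__ == "__main__":
    announced, old, new, unconfigured = audit_report(SAMPLE_REPORT)
    for pkg in announced:
        print(f"{pkg}: {old.get(pkg, '?')} -> {new.get(pkg, 'NOT CONFIGURED')}")
    print("incomplete:", unconfigured or "none")
```

Fed the mail from each server, the same function also gives a per-host record of which version replaced which, useful when tracing a regression back to a specific automatic upgrade.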

Automatic Updates on Debian stable

Saturday, August 4th, 2012

To automate the installation of updates on our servers I am experimenting with the package unattended-upgrades. Good introductions can be found here:

I have to admit that I am a bit uneasy, but in the past year of applying updates by hand nothing ever broke. So I assume that this should not cause any problems. At least it will cut down the spam flood of nagios notices when updates become available :)