AutoRPM - Description and Installation

[email protected]
Fri, 12 Feb 1999 14:25:06 -0600

As you know, one of the best defenses against these malicious hacker
attacks is to keep the latest, bug-free packages installed on your Linux
system. We know this can be very time-consuming and very easy to
ignore/forget. To aid in keeping the latest packages installed on your
machine we are supporting and encouraging you to use a package called AutoRPM
which can be installed using the instructions below.

An Overview of What autorpm is Capable of Doing

autorpm uses a config file called /etc/autorpm.conf to compare locally
installed packages against packages in a directory on an FTP server and
upgrade out-of-date packages automatically on a nightly basis (or notify the
administrator that new packages exist - it depends on how you configure
autorpm). It can also install missing packages by the same mechanism. When
it finds out-of-date or missing packages, it sends mail to the root account of
the local machine to indicate what packages have been upgraded.

How it is Run

When AutoRPM is installed (manually via RPM) it is placed in /usr/sbin/autorpm
(it's just a huge perl script) and a symbolic link is created in
/etc/cron.daily to /usr/sbin/autorpm. To disable this daily update, simply
remove the symbolic link in /etc/cron.daily. You can still run autorpm
manually by typing (as root) 'autorpm'. This will run autorpm in
non-interactive mode, which is the preferred modus operandi!

As a matter of fact, DO NOT RUN AUTORPM IN INTERACTIVE MODE! This can be
slightly confusing to the uninitiated: the user is presented with many choices
for installing packages; packages that autorpm found that are new but not
installed on your system. Mostly these are X-servers; you only need *one*
and autorpm will install the correct one all by itself! Do not install more
than you need! More is not necessarily better in this case!

The /etc/autorpm.conf File

By default, AutoRPM comes with a sample config file called
/etc/autorpm.conf.sample. AutoRPM will NOT RUN if it can't find
/etc/autorpm.conf. The sample points to the Red Hat mirrors at Georgia Tech.
We have no control over these packages so we have created two Fermi specific
configuration files and you must install one of these configuration files
manually via RPM.

The recommended config file installs all updated security patches and installs
new packages that we inadvertently left out of the default installation of
Fermi Red Hat Linux 5.0.2. We carefully control what is installed and we will
not release superfluous packages. It will also install the latest version of
autorpm when one becomes available. The second config file only upgrades the
packages that are already installed on a machine and the latest version of
autorpm when it becomes available.

How Does autorpm Know What to Upgrade/Install?

To perform security upgrades, autorpm compares the packages installed on a
machine to packages in the following directory at Fermilab available via FTP:

ftp://linux.fnal.gov/linux/current/i386/security/RPMS/

Add-on packages are located here:

ftp://linux.fnal.gov/linux/current/i386/Fermi/addons/

The latest version of autorpm is located here:

ftp://linux.fnal.gov/linux/current/i386/contrib/RPMS/

Some people may be concerned about installing the packages located in the
addons directory: there really isn't any reason to be. The only 2 packages
that are located there are 'xterm-color' and 'cracklib.' Incidentally, both
of the packages are *required* for 2 security updates: 'xterm-color' is needed
for 'fvwm2' and 'cracklib' is needed for 'pam.'

When new security patches are released we will install them on a fresh Fermi
Red Hat Linux installation to test for missing dependencies and the
possibility of things breaking. We can only do so much to this end as we
usually don't stress our systems as rigorously as code developers. We will
fix dependency problems (by installing add-on packages, if necessary) and place
them in the appropriate directory listed above for autorpm to install when it
runs at midnight.
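
The comparison described above, under the two policies of the Fermi config files (install missing packages plus upgrades, or upgrades only), as an added example that is not part of the original message and not autorpm's own Perl code. The function names, the installed-package table and the remote file list (including every version number) are constructed for illustration, and the version ordering is a simplified form of rpm's that ignores epochs.

```python
import re

def parse_rpm_filename(fname):
    """Split 'name-version-release.arch.rpm' into (name, version, release)."""
    stem = fname[:-len(".rpm")] if fname.endswith(".rpm") else fname
    stem, _arch = stem.rsplit(".", 1)             # drop the architecture
    name, version, release = stem.rsplit("-", 2)  # the name may contain '-'
    return name, version, release

def segments(s):
    # rpm-style: runs of digits or runs of letters; separators are ignored
    return re.findall(r"\d+|[A-Za-z]+", s)

def vercmp(a, b):
    """Simplified rpm-style ordering: returns -1, 0 or 1."""
    sa, sb = segments(a), segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)                 # numeric, so 10 > 2
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1       # digits outrank letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def plan(installed, remote_files, install_missing):
    """installed: {name: (version, release)} -> list of (action, filename)."""
    actions = []
    for fname in remote_files:
        name, ver, rel = parse_rpm_filename(fname)
        if name not in installed:
            if install_missing:                   # addons-style policy only
                actions.append(("install", fname))
            continue
        iver, irel = installed[name]
        if (vercmp(ver, iver) or vercmp(rel, irel)) > 0:
            actions.append(("upgrade", fname))
    return actions

# Constructed sample data (not real Fermi package versions).
INSTALLED = {"pam": ("0.64", "2"), "fvwm2": ("2.0.46", "8"),
             "autorpm": ("1.6.2", "2")}
REMOTE = ["pam-0.64-3.i386.rpm", "fvwm2-2.0.46-8.i386.rpm",
          "cracklib-2.7-2.i386.rpm", "xterm-color-1.1-1.i386.rpm",
          "autorpm-1.6.10-1.noarch.rpm"]

if __name__ == "__main__":
    for label, missing in (("addons config", True), ("security config", False)):
        print(label, plan(INSTALLED, REMOTE, install_missing=missing))
```

A plain string comparison would rank 1.6.10 below 1.6.2 and skip the autorpm update; comparing segment by segment as numbers avoids that.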

AutoRPM Installation

To install autorpm, type this:

FRPM='ftp://linux.fnal.gov/linux/current/i386/contrib/RPMS'
rpm -ivh ${FRPM}/perl-libnet-1.0605-2.noarch.rpm
rpm -ivh ${FRPM}/autorpm-1.6.2-2.noarch.rpm
rpm -ivh ${FRPM}/autorpm-addons-config-1.0-1.noarch.rpm

The last file is the default Fermi Specific Config file described above. To
install the Security Only Patches config file, replace the last line above
with the following:

rpm -ivh ${FRPM}/autorpm-security-config-1.0-1.noarch.rpm

After autorpm runs at midnight and finds a later version of a package, it will
install it and send mail listing the packages installed to the root account as
well as an account called [email protected]. It will only send mail if
a package has been upgraded or installed.

AutoRPM also maintains a list of the packages that have been installed on a
machine. This is located in /var/spool/autorpm/install.log. This can only be
viewed by root.

If you have any questions please feel free to drop myself, Connie or the
[email protected] list a line.

Please, please install the three packages above as soon as possible so we can
make Fermilab that much more secure.

_______________________________________________________________________________
Dan Yocum                      | Phone: (630) 840-8525
Computing Division OSS/FSS     | Fax:   (630) 840-6345
Fermi National Accelerator Lab | email: [email protected]
P.O. Box 500                   | WWW:   www-oss.fnal.gov/~yocum/
Batavia, IL 60510              | "TANSTAAFL"
_______________________________________________________________________________