Chapter 6 - Managing System Software

Managing System Software
Chapter 6
Chapter Objectives
• Explore hardware and software requirements
for application installation.
• Explore types of software installations.
• Explore software installation and
maintenance tools.
• Explore disk layout, and pros/cons of
partitioning.
• Explore steps required before an installation
is attempted.
Managing System Software
• Operating systems, utilities and applications are continually
being updated.
• Users request new software package installations as their
needs change or new packages become available.
• Vendors constantly offer new versions of operating systems,
utilities and applications.
• Bugs are found and patches to correct them need to be
applied.
• No matter the source or the reason, the system
administrator will be called upon to manage the system's
software on a routine basis.
• Software maintenance is the task of obtaining, installing
and keeping track of these updates.
Software Maintenance Concepts
• Software maintenance is conceptually pretty
straight-forward.
– As new features are added or bugs discovered, the
provider of the operating system or applications bundles
together the files needed to add the feature or correct the
bug and makes them available.
– The bundle of files is then installed to add the feature or
correct the problem and possibly some additional
commands are run to adjust configuration information as
needed by the newly installed files.
– Depending on the installation tools used, the bundle of
files may also be checked for correct installation and
authenticity as part of the installation process.
Software Maintenance Concepts
• These bundles of files are given various names.
– Packages refer to a bundle of files that contain the
programs, configuration files and installation
commands for a single facility such as a print
spooler.
– Updates often refer to bundles that add additional
features.
– Patches, service packs and hot fixes often refer to
bundles that correct a problem.
Software Maintenance Concepts
• Some vendors group bundles together into larger
groupings. For example, Sun calls the groupings of
Solaris packages, clusters, while Red Hat names
their groupings for the type of system (e.g. server,
client, laptop, etc.).
• A configuration is the term often used to describe a
particular suite of packages such as the suite of
packages one might install on each of a group of
similar systems or the complete suite of
packages needed to set a system up as a web
server or print server.
Software Maintenance Concepts
• The difficulty in performing software maintenance comes in
four areas.
– First, there is not much agreement on the format for bundling
files.
– Second, various bundling formats require specialized
installation, removal and management tools. These tools are
different between vendors, and offer differing feature sets.
– Third, updates often overwrite configuration files, reset values
to defaults, add users, turn on services, or perform other
actions that cause working software to fail or security to be
compromised.
– Finally, there is the chore of keeping track of which updates
have been installed and which of the available updates need
to be installed.
Software Packaging Formats
• Bundles of software can be packaged in a wide variety of
forms.
• It's not uncommon to use one format for the operating
system software, another for an application program and
a third format for a tool or utility program.
– The self-extracting formats should be examined most carefully
before using them. These formats have a history of being
attacked via so-called Trojan Horse programs.
– A careful system administrator will verify the authenticity of any
patch or package before he installs it.
Software Maintenance Tools
• The wide variety of software packaging formats can be
grouped together based on the features present in the tools
used to manage them.
• There are three basic types of tools:
– simple archivers
– specialized multiple command package management suites
– all in one tools
• Additionally, many of these tools include additional graphical
interfaces making them easier to learn and use.
• Individual package management tools are not hard to learn;
it is the variety of differing feature sets and tools across
operating systems that makes this task tougher than it ought
to be.
Simple Archivers
• The simplest of the software package management
tools are the simple archivers such as tar, zip and
cpio.
– These common archiving tools are found on both
UNIX and Windows and are used to create and
install files from their corresponding archive formats.
– Macintosh users will be familiar with the StuffIt tool for
archiving files on that platform.
– While tar, zip, cpio and other archive tools have the
advantages of being cross platform, commonly used
and readily available, they lack a number of features
commonly found in tools specifically designed for
software package management.
Simple Archivers
• Drawbacks of simple archival tools
– Tracking installed software is left up to the administrator.
– Simple archivers make no installation records.
– The system administrator must use some external means to
record what has been installed via these tools.
– Any additional work required such as modifying configuration
files or additional set up steps must be performed by hand.
– These tools provide no integrated way to verify the authorship
of the archive.
– A simple archive does not contain the information needed to
check for any dependencies the package may require.
– None of these tools provide a direct method for obtaining the
archives over the Internet.
Software Package Management
Tools
• To address these deficiencies of simple archive tools for
software package management, specialized installation
tools were developed.
• Unlike the simple archivers whose packaging format is
common across systems, these specialized tools use a wide
variety of formats with limited cross platform availability.
– Worse still, the tools used to manage these packages are at
least as varied as the packaging formats themselves.
• Finally, the features provided by these tools vary from tool to
tool often leaving the system administrator to pick up the
slack when a needed feature is missing.
Software Package Management
Tools
• A typical suite has commands to install or update packages,
inquire about which packages are installed and remove
packages.
• Dependency checking is an important feature for a package
installation tool as many UNIX packages are modular, built
on top of libraries found in other packages.
• Verification is the act of checking that the package is
installed correctly and the files in the package match those
installed. This can be used to check for possible tampering
that may have occurred due to a break-in or to check that
file modes or ownerships have not been changed by
mistake.
Software Package Management
Tools
• Another aspect of assuring system security when
installing packages is the determination of the
authenticity of the package being installed. This is
especially important when using packages and
patches downloaded over the Internet.
• Listing the installed packages and removing
packages are common features across all of the
package installation tools.
Software Package Management
Tools
• Creating your own packages is one way a system
administrator can deal with the installation and maintenance
of locally developed software on a large number of systems.
• Advantages of home-grown installers:
– The created package can be distributed and installed using
the same tools and procedures used for other packages.
– Any post installation configuration steps needed may be
encapsulated in the package, assuring a consistent
installation.
– Checking and verification of proper installation of a package
can be used to verify that the locally developed software is
installed correctly.
Graphical Software Package
Management Tools
• A typical software package management tool suite often
tops off the command line tools with a graphical installation
tool.
• In the case of Windows, graphical tools are the only way to
install many software packages.
• These tools often offer the administrator fewer installation
options, but handle the typical installations very well.
• While these graphical tools can make life easier when
managing software on a single system, they suffer when put
to use across many systems.
Graphical Software Package
Management Tools
• When dealing with large numbers of systems, command line
tools that can be run from scripting languages offer the
flexibility needed to get package installations accomplished
in a timely fashion.
• Graphical installers (generally) offer few installation options,
by tending to oversimplify the installer for use by a novice
user.
• Installations that make use of shared disk space for
applications and other special situations will often require
the use of options not found in a graphical installation tool.
Dealing with missing features
• It would be terrific if every software package management
tool or tool suite had all the features needed.
• Unfortunately, nearly every installation tool suite lacks one
or more features. This can be worked around by
combining the installation tools with other commonly
available tools.
• The easiest (missing) feature to compensate for is Internet
access.
• Most vendors provide access to software packages and
patches via ftp, the web or both.
• Internet available packages and patches are often further
packaged into one of the several common formats for
download and will need to be unpacked from their
distribution packaging before they can be installed.
Authenticity & Integrity
• Verification that a software package is intact and was
produced by the genuine author are two critical but lacking
features of nearly every software package management
suite.
• They are of special importance when using the Internet to
obtain patches or other software.
• One method of checking integrity and authenticity is to use a
public key cryptographic tool such as gpg.
• Another way to fill in for this missing feature is to perform
checksum and MD5 cryptographic fingerprint checks on the
files using the sum and md5sum commands.
– However, the vendor or other supplier of the patch or software
package must publish a reference MD5 fingerprint or
checksum value for comparison. Not all vendors do.
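The checksum comparison described above, as an added example that is not part of the original slides. The `DIGEST_TOOL` variable, the function name, and the sample files and list are assumptions constructed for illustration; the list format is the `<digest>  <file name>` layout that `md5sum` itself prints.

```shell
# Added example. DIGEST_TOOL, the list file and the sample files are assumptions.
# md5sum is the tool the slide names; set DIGEST_TOOL=sha256sum when the
# vendor publishes SHA-256 values instead.
DIGEST_TOOL=${DIGEST_TOOL:-md5sum}

# check_against_list LIST FILE...
# LIST holds the vendor's published lines: "<hex digest>  <file name>".
# Prints OK / MISMATCH / UNLISTED per file; returns 0 only if every file is OK.
check_against_list() {
    list=$1; shift
    rc=0
    for f in "$@"; do
        name=$(basename "$f")
        # Look up the published digest for this name (a leading "*" marks binary mode).
        expected=$(awk -v n="$name" '
            { fn = $2; sub(/^\*/, "", fn) }
            fn == n { print tolower($1); exit }' "$list")
        if [ -z "$expected" ]; then
            echo "UNLISTED $name"      # no reference value: cannot be verified
            rc=1
            continue
        fi
        actual=$("$DIGEST_TOOL" < "$f" | awk '{ print tolower($1) }')
        if [ "$actual" = "$expected" ]; then
            echo "OK $name"
        else
            echo "MISMATCH $name"
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: two "downloads", only one of which has a published digest.
demo_digest_check() {
    dir=$(mktemp -d)
    printf 'patch payload\n' > "$dir/patch-101.tar"
    printf 'unlisted payload\n' > "$dir/patch-102.tar"
    "$DIGEST_TOOL" < "$dir/patch-101.tar" | awk '{ print $1 "  patch-101.tar" }' > "$dir/SUMS"
    check_against_list "$dir/SUMS" "$dir/patch-101.tar" "$dir/patch-102.tar"
    printf 'tampered\n' >> "$dir/patch-101.tar"   # simulate a modified download
    check_against_list "$dir/SUMS" "$dir/patch-101.tar"
    rm -rf "$dir"
}
demo_digest_check || true
```

A reference digest fetched from the same server as the file detects a corrupted download, not a substituted one; the gpg signature check named above is what ties the file to its author.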
Catching Unintended Changes
• Despite the best intentions of the software vendor, installing
a new package or patch sometimes results in unintended
changes to the operating system configuration files.
• These changes are not always easy to spot, but there are
several things that can be done to prevent problems caused
by package or patch installations.
– 1. Make certain you have a good backup of the
system to be patched.
– 2. Install the package using an account other than root
whenever possible.
Catching Unintended Changes
– 3. Install the package or patch on a test system first.
– 4. List and inspect the contents of the patch or
package to be installed.
– 5. Extract and examine the installation script(s) for
setuid/setgid commands, or any chown, chmod, cp, rm,
mv, or shell redirection commands to ensure that critical
system files are not altered.
– 6. Use a file modification monitor such as tripwire.
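One way to carry out the script review in step 5, as an added example that is not part of the original slides. The function name, the tag names and the sample post-install script for a hypothetical "acme" package are constructed for illustration.

```shell
# Added example; tag names and the sample script are constructed.
# audit_install_script FILE: print "LINE:TAGS:TEXT" for each non-comment line
# that runs chown, chmod, cp, rm or mv, sets a setuid/setgid bit, or redirects
# output to an absolute path other than /dev/null. Returns 1 if any line is flagged.
audit_install_script() {
    awk '
    BEGIN { n = split("chown chmod cp rm mv", cmd, " ") }
    /^[ \t]*#/ { next }
    {
        tags = ""
        for (i = 1; i <= n; i++)
            if ($0 ~ ("(^|[;&|( \t])" cmd[i] "([ \t]|$)")) tags = tags "," cmd[i]
        # chmod with u+s/g+s, or a four-digit mode whose first digit is 2-7
        if ($0 ~ /chmod/ && ($0 ~ /[ \t][ugoa]*\+[rwxXt]*s/ ||
                             $0 ~ /[ \t][2-7][0-7][0-7][0-7]([ \t]|$)/))
            tags = tags ",setid"
        # Redirections to /dev/null are harmless; drop them before checking.
        t = $0
        gsub(/[0-9]*>>?[ \t]*\/dev\/null/, "", t)
        if (t ~ />>?[ \t]*\//) tags = tags ",redirect"
        if (tags != "") {
            sub(/^,/, "", tags)
            print NR ":" tags ":" $0
            found = 1
        }
    }
    END { exit (found ? 1 : 0) }' "$1"
}

# Constructed sample of a package post-install script.
sample_postinstall() {
    cat <<'EOF'
#!/bin/sh
# post-install for the hypothetical "acme" package
mkdir -p /opt/acme/bin
cp acme /opt/acme/bin/acme
chmod 4755 /opt/acme/bin/acme
chown root /opt/acme/bin/acme
echo "/opt/acme/lib" >> /etc/ld.so.conf
ldconfig > /dev/null 2>&1
EOF
}

tmp=$(mktemp)
sample_postinstall > "$tmp"
audit_install_script "$tmp" || echo "review the flagged lines before installing"
rm -f "$tmp"
```

A flagged line is a prompt for manual review, not a verdict; the pattern match does not follow variables, sourced files or commands built at run time.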
Finishing Touches
• Installing a package is often not the end of the job for
the system administrator.
• A wide variety of software packages require some degree of
local customization, configuration, licensing or user level
setup to complete the installation process and present the
user with the fully functioning tool they expect.
• Since every package will have its own customization and
configuration needs, the system administrator will need to
read up on the specifics of the packages in use at his site.
Finishing Touches
• Configure once, and distribute the configuration.
– Even packages that are installed by a package installation tool
often have configuration files that will need to be modified.
These files can be modified to suit local conditions and then
distributed using a tool such as rdist.
• Wrap a short shell script around a package to set needed
variables.
– Many packages require setting environment variables or
adding elements to a shell’s execution path. Instead of having
each user make the needed changes, one approach is to
replace the program with a short shell script that sets the
environment as required.
Finishing Touches
• For packages that contain several tools, all of which require
special environmental variables or modifications to the user’s
execution path, consider adding the needed setup information to
the skeleton files used to create the user’s accounts.
• Employ a specialized user environment configuration tool such as
modules.
– The modules tool provides the means for the system
administrator to package up the environment variables, PATH
and other user environment changes into modulefiles that can
be easily loaded by a user to configure their environment to
suit a specific package.
– The modules tool performs complex tasks such as removing
and reordering elements of the user’s execution PATH to allow
even differing versions of the same package to be configured
correctly.
Service Packs and other
special situations
• Some patches and software packages cannot be
installed using the usual software management
tools.
• Special updates often require more time and
planning than the usual package installation.
– Following the precautions listed in the previous
section on unintended changes is a must for
special updates. Additional caution is recommended.
Service Packs and other
special situations
• Keep the previous kernel version available and ready to
use. On Linux this can easily be accomplished by adding an
entry to /etc/lilo.conf or /etc/grub.conf.
– Other UNIX variants allow for a second kernel to be kept in the
root or boot partition.
• Make an emergency boot disk. The procedure for this
varies, but many operating systems allow you to make a
floppy disk that the system can be booted from.
• Locate a bootable CD for the system being updated. Many
operating systems allow you to boot from the installation CD
and correct problems caused by updates.
Tracking and Distributing
Packages and Patches
• Installing packages and patches on a large collection of
systems is a challenging task.
– The system administrator will need to maintain records of the
packages and patches installed, check for missing packages
and patches, and perform multiple installations.
– Record keeping and checking for correct package and patch
installation is rarely integrated into a software package
management tool or suite of tools.
– A simple, external method of monitoring packages and
patches is to keep records in a table such as a spreadsheet.
Tracking and Distributing
Packages and Patches
• Another approach is to make use of the software
package management tool’s ability to list the
installed packages.
– Lists of packages from each system in a group can
be gathered and compared to a master list or a
master system.
– This makes missing patches easy to spot.
– The lists from each system can be stored and
referred to later to determine which patches or
packages need to be installed on a given system.
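The master-list comparison described above, as an added example that is not part of the original slides. The function names, the one-line-per-package `name version` format, the `<host>.pkgs` file naming and the sample data are assumptions constructed for illustration.

```shell
# Added example. The "name version" list format, the <host>.pkgs naming and
# the sample data are assumptions. Such lists can be produced with, e.g.:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
#   dpkg-query -W -f='${Package} ${Version}\n'

# compare_to_master MASTER HOSTLIST
# Prints MISSING / DIFFERS / EXTRA lines; returns 1 if the lists differ.
compare_to_master() {
    _diff=$(awk '
        FILENAME == ARGV[1] { want[$1] = $2; next }   # master list
        { have[$1] = $2 }                             # this host
        END {
            for (p in want) {
                if (!(p in have)) print "MISSING", p, want[p]
                else if (have[p] != want[p]) print "DIFFERS", p, have[p], "master=" want[p]
            }
            for (p in have) if (!(p in want)) print "EXTRA", p, have[p]
        }' "$1" "$2" | sort)
    [ -z "$_diff" ] && return 0
    printf '%s\n' "$_diff"
    return 1
}

# audit_group MASTER DIR
# Compares every DIR/<host>.pkgs with MASTER; returns 1 if any host has drifted.
audit_group() {
    drift=0
    for list in "$2"/*.pkgs; do
        [ -e "$list" ] || continue
        host=$(basename "$list" .pkgs)
        report=$(compare_to_master "$1" "$list") && continue
        drift=1
        printf '%s\n' "$report" | sed "s/^/$host: /"
    done
    return $drift
}

# Constructed demo data: a master list and the lists gathered from two hosts.
demo_dir=$(mktemp -d)
printf 'libexample 1.2\nwebd 2.4.1\nspoold 1.0\n' > "$demo_dir/master"
printf 'libexample 1.2\nwebd 2.4.0\nspoold 1.0\n' > "$demo_dir/web01.pkgs"
printf 'libexample 1.2\nwebd 2.4.1\noldtool 0.9\n' > "$demo_dir/db01.pkgs"
audit_group "$demo_dir/master" "$demo_dir" || true
rm -rf "$demo_dir"
```

DIFFERS only reports that the version strings are not equal; deciding which side is newer depends on the package format's own version ordering.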
Tracking and Distributing
Packages and Patches
• Package and patch distribution can be accomplished in a
similar manner.
– One method which works well is to place the package and
patch files in a network-accessible directory which is available
to all the systems to be patched.
– Then connect to each system in turn and execute the
appropriate package installation commands.
– Automating the actual installation of packages and patches is
an area where UNIX and command line package installation
tools really shine.
– Command line tools are readily automated by a variety of
methods and are easily run remotely over a network
connection such as ssh.
Summary
• Maintaining the software on a system involves the periodic
installation of software packages and patches.
• While a straight-forward task in concept, the pitfalls are many.
• The wide variety of package formats, management tools and
missing features in specific tool sets make the process of
managing packages and patches more challenging than it ought
to be.
• Before attempting a software installation, the administrator should:
– Explore hardware and software requirements for the application.
– Understand the types of software installations.
– Understand the software installation and maintenance tools.
– Understand the disk layout, and pros/cons of partitioning.
– Understand the steps required before the installation is attempted.