Previously I took you through
the importance of keeping systems ‘patched’ and up to date; we then
looked at the apt update mechanism used by Debian–how it resolves
dependencies of packages and allows for patches to be quickly and easily
applied. This week, I want to take a look at one of the major commercial
Linux distributions, SUSE Linux Enterprise Server, and see how they
deal with the same issues.
As most of you will know, Novell are behind SUSE Linux Enterprise Server
(SLES). Many enterprises choose to go with this commercial version due
to the peace of mind offered by full support, backed by Novell. Support
means far more than simply being able to ring a call centre in India
and be driven mad while they pass you from person to person; Novell
support provides not only installation support and hardware certification/testing,
but also protection from possible intellectual property issues which
could arise in relation to Linux (Microsoft push this risk as a big
negative factor when dismissing Linux). The last, and for us, most important
part of the support package is the seven-year lifecycle of the product;
that means that from the launch of a SUSE Enterprise Linux release (SLES9,
for example), operating system patches and security updates will be
available via the SUSE Linux Portal for the length of your support subscription–for
seven years. This means you don't need to worry about upgrading to
the latest release, just so that you can maintain a secure system free
from vulnerability.
Although I have recently started to favour Debian-based distributions
such as Ubuntu, I still use SUSE Linux Enterprise Server for core service-bearing
machines.
YaST (Yet another Setup Tool)
Control Centre is the main hub for all administration work with SLES–from
here, you can add/remove packages, perform ‘Online Updates’, change
hardware configuration such as graphics mode, change system preferences
(partition editing, network settings, hostname, firewall setup, time/date
etc), control system services, and even manage users. Of course we're
interested in the online update functionality, YaST Online Update (YOU
for short), which you can see in Figure A [http://cn.cbsimg.net/cnwk.1d/i/tr/NL_images/Fielding0419_A.jpg].
YaST Online Update can be configured
to pick updates from the SUSE Portal, a different HTTP or FTP source,
CD, DVD, or local Windows / NFS shares. Most people will use the direct
SUSE Portal; however, if you need to update multiple servers there would
be considerable advantage to mirroring the SUSE repository and performing
the updates via a local share; this would save considerable bandwidth.
Not all patches need to be
applied. Kernel updates, for example, will display a warning before
installation and give you the chance to skip. This is pretty useful
if the reason for the patch does not affect you, or you don't want
to update due to module dependencies (for example HP CCISS module).
There is one issue that I've come across, which is that at some point,
other patches/updates may not apply if the Kernel is not up to date.
If a specific patch requires a service to be restarted, stopped, or
it requires a configuration modification, then a prompt will be displayed
with any relevant information and instructions, such as in Figure
B [http://cn.cbsimg.net/cnwk.1d/i/tr/NL_images/Fielding0419_B.jpg].
All things considered, YaST
Online Update is relatively trouble free, solving all dependencies just
as Debian's apt or Red Hat's yum. As I said, the only
issue I have had with YOU is in applying new updates without updating
to the latest Kernel patch.
I approached Novell and asked
them how long they aim to take in order to patch a vulnerability once
it's in the public domain. It was stressed that Novell work hand-in-hand
with other members of the Open Source community to fix security holes
as quickly as possible–the time scale varies from a few hours to a
few days, depending on the severity and complexity. Upgrades to packages
(e.g., version updates) are not usually provided unless there is a security
fix in the newer version; however, service packs will sometimes contain
version updates to add new functionality or compatibility. When I raised
the issue of Kernel updates/module dependencies (such as CCISS for HP
Servers), it was mentioned that in the upcoming SUSE Enterprise Server
10, there will be a new way of dealing with Kernel updates. A dedicated
Kernel update tool will be added that will check loaded Kernel modules
and assess their compatibility with the new Kernel–this sounds like
an interesting development which I'm quite eager to see in action.
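
A rough version of that kind of check, as an added example that is not Novell's tool or code from this article: it lists loaded modules that have no file (or built-in entry) in a target Kernel's module tree. The function names, the demo data and the temp paths are constructed for illustration; a module file being present does not prove it will load on the new Kernel.

```shell
#!/bin/sh
# Report loaded kernel modules that have no counterpart in a target kernel's
# module tree. This is a presence check only, not an ABI compatibility test.

# missing_modules PROC_MODULES_FILE MODULE_TREE
#   PROC_MODULES_FILE: file in /proc/modules format (module name is field 1)
#   MODULE_TREE:       e.g. /lib/modules/<new-kernel-version>
# Prints one missing module name per line.
missing_modules() {
    proc_file=$1
    tree=$2
    # Index the tree once: module files plus modules.builtin entries, reduced
    # to bare names. '-' is folded to '_' because the kernel reports names
    # with underscores while the files on disk may use dashes.
    index=$( { find "$tree" -type f -name '*.ko*'
               cat "$tree/modules.builtin"; } 2>/dev/null |
        sed -e 's|.*/||' -e 's|\.ko.*$||' -e 's|-|_|g' | sort -u)
    while read -r name _rest; do
        [ -n "$name" ] || continue
        norm=$(printf '%s' "$name" | sed 's/-/_/g')
        printf '%s\n' "$index" | grep -qxF -- "$norm" || printf '%s\n' "$name"
    done < "$proc_file"
}

# Constructed demo: a fake /proc/modules and a fake target tree in a temp dir.
# cciss is loaded but absent from the target tree, so it is the one reported.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tree/kernel/drivers/md" "$d/tree/kernel/fs"
    : > "$d/tree/kernel/fs/ext3.ko"
    : > "$d/tree/kernel/drivers/md/dm-mod.ko.gz"
    printf 'kernel/fs/jbd/jbd.ko\n' > "$d/tree/modules.builtin"
    printf '%s\n' 'cciss 62345 3 - Live 0xf8a00000' \
        'dm_mod 54321 2 - Live 0xf8b00000' \
        'ext3 123456 1 - Live 0xf8c00000' \
        'jbd 65432 1 ext3, Live 0xf8d00000' > "$d/proc_modules"
    missing_modules "$d/proc_modules" "$d/tree"
    rm -rf "$d"
}

# With two arguments, check a real system; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then
    missing_modules "$1" "$2"
else
    demo
fi
```

On a live machine the two arguments would be /proc/modules and the module directory of the Kernel package you are about to boot into.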
As a general package management
tool, YOU is not as good as apt due to the lack of available
program updates; however, as a tool for delivering security patches,
it is every bit as good–and of course, fully commercially supported.
Have you been using SLES and
YOU? How do you compare it to apt or yum? Do you prefer
to run updates from the SUSE Portal or a local repository?