
Patch Management - How SUSE do it

Previously I took you through the importance of keeping systems patched and up to date; we then looked at the apt update mechanism used by Debian, how it resolves package dependencies and allows patches to be applied quickly and easily. This week I want to take a look at one of the major commercial Linux distributions, SUSE Linux Enterprise Server, and see how it deals with the same issues.

As most of you will know, Novell are behind SUSE Linux Enterprise Server (SLES). Many enterprises choose this commercial version for the peace of mind that comes with full support, backed by Novell. Support means far more than being able to ring a call centre and be passed from person to person: Novell support covers installation support and hardware certification/testing, and it also indemnifies you against the intellectual property claims that could arise in relation to Linux (Microsoft push this risk as a big negative factor when dismissing Linux). The last, and for us most important, part of the support package is the seven-year lifecycle of the product. From the launch of a SLES release (SLES9, for example), operating system patches and security updates are available via the SUSE Linux Portal for the length of your support subscription, up to seven years. This means you don't need to upgrade to the latest release just to keep a supported system patched against known vulnerabilities; the fixes keep coming for the release you are already running.

Although I have recently started to favour Debian-based distributions such as Ubuntu, I still use SUSE Linux Enterprise Server for core service-bearing machines.

YaST (Yet another Setup Tool) Control Centre is the main hub for all administration work in SLES. From here you can add and remove packages, perform Online Updates, change hardware configuration such as the graphics mode, change system settings (partitioning, network settings, hostname, firewall setup, time and date, etc.), control system services, and manage users. Of course, we are interested in the online update functionality, YaST Online Update (YOU for short), which you can see in Figure A [http://cn.cbsimg.net/cnwk.1d/i/tr/NL_images/Fielding0419_A.jpg] (click to view).

YaST Online Update can be configured to fetch updates from the SUSE Portal, from a different HTTP or FTP source, from CD or DVD, or from a local Windows (SMB) or NFS share. Most people will use the SUSE Portal directly; if you need to update multiple servers, however, there is considerable advantage in mirroring the SUSE repository once and running the updates from a local share. This saves a great deal of bandwidth, and it also gives you a single place to decide which patches are released to your servers and when.

Not all patches need to be applied. Kernel updates, for example, display a warning before installation and give you the chance to skip them. This is useful if the issue the patch addresses does not affect you, or if you don't want to update because a loaded module depends on the current kernel version (the HP CCISS driver, for example). There is one issue I have come across: at some point, other patches and updates may refuse to apply if the kernel is not up to date.

If a specific patch requires a service to be restarted or stopped, or requires a configuration change, a prompt is displayed with the relevant information and instructions, as in Figure B [http://cn.cbsimg.net/cnwk.1d/i/tr/NL_images/Fielding0419_B.jpg] (click to view).

All things considered, YaST Online Update is relatively trouble free, resolving dependencies just as Debian's apt or Red Hat's yum does. As I said, the only issue I have had with YOU is applying new updates without updating to the latest kernel patch.

I approached Novell and asked them how long they aim to take to patch a vulnerability once it is in the public domain. It was stressed that Novell work hand-in-hand with other members of the open source community to fix security holes as quickly as possible; the time scale varies from a few hours to a few days, depending on the severity and complexity. Upgrades to packages (new upstream versions) are not usually provided unless the newer version carries a security fix; service packs, however, will sometimes contain version updates to add new functionality or compatibility. When I raised the issue of kernel updates and module dependencies (such as CCISS for HP servers), it was mentioned that the upcoming SUSE Linux Enterprise Server 10 will have a new way of dealing with kernel updates: a dedicated kernel update tool will check the loaded kernel modules and assess their compatibility with the new kernel. This sounds like an interesting development which I'm quite eager to see in action.
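The module check described in the two kernel-update paragraphs above (skipping a kernel patch because a loaded driver such as HP's CCISS module is tied to the running kernel, and the compatibility check Novell planned for SLES 10) can be approximated today with a short pre-flight script. The one below is an added example written for this column; it is not part of the original article and not Novell's tool. It compares the modules loaded on the running system (what `lsmod` prints) against the modules shipped in the candidate kernel RPM (what `rpm -qlp` prints) and refuses the update if any loaded module would be left without a matching `.ko`. Both inputs are constructed sample data so the script runs offline; the kernel version string and file sizes in them are made up, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article and not Novell's tool: a
# pre-flight check for a kernel update. It takes the list of modules loaded
# on the running system and the file list of the candidate kernel RPM, and
# reports every loaded module the new kernel does not ship. A vendor-built
# driver such as HP's cciss module shows up here because it is compiled
# against one specific kernel version.
#
# On a real SLES host the inputs would come from:
#   lsmod
#   rpm -qlp /path/to/kernel-smp-<version>.rpm
# The two samples below are constructed so the script runs offline.

# Constructed sample: lsmod output from the running system.
LSMOD_SAMPLE='Module                  Size  Used by
cciss                  55012  3
e1000                  99812  0
ext3                  141544  2
jbd                    64984  1 ext3
bonding                75048  0'

# Constructed sample: rpm -qlp file list of the candidate kernel package.
# It carries no cciss.ko: in this scenario cciss came from a separate HP
# package built only for the kernel currently running. Version string made up.
RPMLIST_SAMPLE='/boot/vmlinuz-2.6.5-7.244-smp
/lib/modules/2.6.5-7.244-smp/kernel/drivers/net/e1000/e1000.ko
/lib/modules/2.6.5-7.244-smp/kernel/drivers/net/bonding/bonding.ko
/lib/modules/2.6.5-7.244-smp/kernel/fs/ext3/ext3.ko
/lib/modules/2.6.5-7.244-smp/kernel/fs/jbd/jbd.ko'

# loaded_modules LSMOD_OUTPUT: module names, one per line (header skipped).
loaded_modules() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF > 0 { print $1 }'
}

# shipped_modules RPM_FILELIST: name of every *.ko file in the package.
shipped_modules() {
    printf '%s\n' "$1" | sed -n 's|.*/\([^/]*\)\.ko$|\1|p'
}

# missing_modules LSMOD_OUTPUT RPM_FILELIST
# Prints each loaded module the candidate kernel would not provide.
# Hyphens and underscores are interchangeable in module names (foo-bar.ko
# loads as foo_bar), so both lists are normalised before comparison.
missing_modules() {
    loaded=$(loaded_modules "$1" | tr '-' '_' | sort -u)
    shipped=" $(shipped_modules "$2" | tr '-' '_' | tr '\n' ' ') "
    for m in $loaded; do
        case "$shipped" in
            *" $m "*) ;;                 # present in the new kernel
            *) printf '%s\n' "$m" ;;     # would be orphaned by the update
        esac
    done
}

# kernel_update_safe LSMOD_OUTPUT RPM_FILELIST
# Returns 0 when every loaded module is covered, 1 otherwise (with a report),
# so it can gate an unattended update: kernel_update_safe ... && install.
kernel_update_safe() {
    missing=$(missing_modules "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'Skip this kernel update; loaded modules not shipped by the new kernel:\n'
        printf '  %s\n' $missing
        return 1
    fi
    printf 'All loaded modules are provided by the new kernel.\n'
    return 0
}

# Stand-alone run against the constructed samples. The "|| true" keeps the
# script's own exit status zero so the functions can also be sourced.
kernel_update_safe "$LSMOD_SAMPLE" "$RPMLIST_SAMPLE" || true
```

On the sample data the script reports cciss as the one module the new kernel would orphan, which is exactly the case where you would choose "skip" in YOU and wait for HP's matching driver package. The check is deliberately conservative: it looks only at module names, not at whether a module in the new package is actually loadable on your hardware, so a clean result means "no obvious breakage", not "tested".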

As a general package management tool, YOU is not as good as apt, because far fewer program updates are available through it; as a tool for delivering security patches, however, it is every bit as good, and of course fully commercially supported.

Have you been using SLES and YOU? How do you compare it to apt or yum? Do you prefer to run updates from the SUSE Portal or a local repository?
