
Managing System Software

Chapter Objectives
* Explore hardware and software requirements for application installation.
* Explore types of software installations.
* Explore software installation and maintenance tools.
* Explore disk layout, and pros/cons of partitioning.
* Explore steps required before an installation is attempted.

Managing System Software


Operating systems, utilities and applications are continually being updated. Users request new software package installations as their needs change or new packages become available. Vendors constantly offer new versions of operating systems, utilities and applications. Bugs are found and patches to correct them need to be applied. No matter the source or the reason, the system administrator will be called upon to manage the system's software on a routine basis. Software maintenance is the task of obtaining, installing and keeping track of these updates.

Software Maintenance Concepts

Software maintenance is conceptually pretty straightforward.
* As new features are added or bugs discovered, the provider of the operating system or applications bundles together the files needed to add the feature or correct the bug and makes them available.
* The bundle of files is then installed to add the feature or correct the problem, and possibly some additional commands are run to adjust configuration information as needed by the newly installed files.
* Depending on the installation tools used, the bundle of files may also be checked for correct installation and authenticity as part of the installation process.

These bundles of files are given various names.
* Packages refer to a bundle of files that contain the programs, configuration files and installation commands for a single facility such as a print spooler.
* Updates often refer to bundles that add additional features.
* Patches, service packs and hot fixes often refer to bundles that correct a problem.

Some vendors group bundles together into larger groupings. For example, Sun calls the groupings of Solaris packages clusters, while Red Hat names its groupings for the type of system (e.g. server, client, laptop, etc.). A configuration is the term often used to describe a particular suite of packages, such as the suite of packages one might install on each of a group of similar systems or the complete suite of packages required to set a system up as a web server or print server.

The difficulty in performing software maintenance comes in four areas.
* First, there is not much agreement on the format for bundling files.
* Second, various bundling formats require specialized installation, removal and management tools. These tools are different between vendors, and offer differing feature sets.
* Third, updates often overwrite configuration files, reset values to defaults, add users, turn on services, or perform other actions that cause working software to fail or security to be compromised.
* Finally, there is the chore of keeping track of which updates have been installed and which of the available updates need to be installed.

Software Packaging Formats

Bundles of software can be packaged in a wide variety of forms. It's not uncommon to use one format for the operating system software, another for an application program and a third format for a tool or utility program.
* The self-extracting formats should be examined most carefully before using them. These formats have a history of being attacked via so-called Trojan Horse programs.
* A careful system administrator will verify the authenticity of any patch or package before he installs it.

Software Maintenance Tools

The wide variety of software packaging formats can be grouped together based on the features present in the tools used to manage them. There are three basic types of tools:
* simple archivers
* specialized multiple command package management suites
* all in one tools

Additionally, many of these tools include additional graphical interfaces making them easier to learn and use. Individual package management tools are not hard to learn; it is the variety of differing feature sets and tools across operating systems that makes this task tougher than it ought to be.

Simple Archivers
The simplest of the software package management tools are the simple archivers such as tar, zip and cpio.
* These common archiving tools are found on both UNIX and Windows and are used to create and install files from their corresponding archive formats.
* Macintosh users will be familiar with the Stuff-It tool for archiving files on that platform.
* While tar, zip, cpio and other archive tools have the advantages of being cross platform, commonly used and readily available, they lack a number of features commonly found in tools specifically designed for software package management.

Drawbacks of simple archival tools
* Tracking installed software is left up to the administrator.
* Simple archivers make no installation records.
* The system administrator must use some external means to record what has been installed via these tools.
* Any additional work required, such as modifying configuration files or additional set up steps, must be performed by hand.
* These tools provide no integrated way to verify the authorship of the archive.
* A simple archive does not contain the information needed to check for any dependencies the package may require.
* None of these tools provide a direct method for obtaining the archives over the Internet.

Software Package Management Tools

To address these deficiencies of simple archive tools for software package management, specialized installation tools were developed. Unlike the simple archivers whose packaging format is common across systems, these specialized tools use a wide variety of formats with limited cross platform availability.
* Worse still, the tools used to manage these packages are at least as varied as the packaging formats themselves.

Finally, the features provided by these tools vary from tool to tool, often leaving the system administrator to pick up the slack when a needed feature is missing.

A typical suite has commands to install or update packages, inquire about which packages are installed and remove packages. Dependency checking is an important feature for a package installation tool as many UNIX packages are modular, built on top of libraries found in other packages. Verification is the act of checking that the package is installed correctly and the files in the package match those installed. This can be used to check for possible tampering that may have occurred due to a break-in or to check that file modes or ownerships have not been changed by mistake.

Another aspect of assuring system security when installing packages is the determination of the authenticity of the package being installed. This is especially important when using packages and patches downloaded over the Internet. Listing the installed packages and removing packages are common features across all of the package installation tools.

Creating your own packages is one way a system administrator can deal with the installation and maintenance of locally developed software on a large number of systems. Advantages of home-grown installers:
* The created package can be distributed and installed using the same tools and procedures used for other packages.
* Any post installation configuration steps needed may be encapsulated in the package, assuring a consistent installation.
* Checking and verification of proper installation of a package can be used to verify that the locally developed software is installed correctly.

Graphical Software Package Management Tools

A typical software package management tool suite often tops off the command line tools with a graphical installation tool. In the case of Windows, graphical tools are the only way to install many software packages. These tools often offer the administrator fewer installation options, but handle the typical installations very well. While these graphical tools can make life easier when managing software on a single system, they suffer when put to use across many systems.

When dealing with large numbers of systems, command line tools that can be run from scripting languages offer the flexibility needed to get package installations accomplished in a timely fashion. Graphical installers (generally) offer few installation options, tending to oversimplify the installer for use by a novice user. Installations that make use of shared disk space for applications and other special situations will often require the use of options not found in a graphical installation tool.

Dealing with missing features

It would be terrific if every software package management tool or tool suite had all the features needed. Unfortunately, nearly every installation tool suite lacks one or more features. This can be worked around by combining the installation tools with other commonly available tools.

The easiest (missing) feature to compensate for is Internet access. Most vendors provide access to software packages and patches via ftp, the web or both. Internet available packages and patches are often further packaged into one of the several common formats for download and will need to be unpacked from their distribution packaging before they can be installed.

Authenticity & Integrity

Verification that a software package is intact and was produced by the genuine author are two critical but lacking features of nearly every software package management suite. They are of special importance when using the Internet to obtain patches or other software. One method of checking integrity and authenticity is to use a public key cryptographic tool such as gpg. Another way to fill in for this missing feature is to perform checksum and MD5 cryptographic fingerprint checks on the files using the sum and md5sum commands.
* However, the vendor or other supplier of the patch or software package must publish a reference MD5 fingerprint or checksum value for comparison. Not all vendors do.
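The fingerprint comparison described above, as an added example that is not part of the original slides. It uses sha256sum in place of md5sum, because MD5 is no longer collision resistant; the function name, return codes and sample file are assumptions of this example. A digest fetched from the same site as the package shows only that the download is intact; confirming who produced it needs a signature check such as gpg.

```sh
#!/bin/sh
# verify_digest FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 when the inputs are unusable.
verify_digest() {
    file=$1
    # Published digests appear in either case; normalise to lower case.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped reference must fail closed, not compare equal.
    case $expected in
        ''|*[!0-9a-f]*) echo "reference digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "reference digest is not 64 hex digits" >&2; return 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2; return 2
    fi
    # Read via stdin so an odd file name cannot change the output format.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "MISMATCH: $file has $actual" >&2
    return 1
}

# Demo on a constructed file; the reference is the SHA-256 of "abc".
pkg=$(mktemp)
printf 'abc' > "$pkg"
ref=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if verify_digest "$pkg" "$ref"; then
    echo "digest matches: safe to hand to the installer"
else
    echo "do not install" >&2
fi
rm -f "$pkg"
```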

Catching Unintended Changes

Despite the best intentions of the software vendor, installing a new package or patch sometimes results in unintended changes to the operating system configuration files. These changes are not always easy to spot, but there are several things that can be done to prevent problems caused by package or patch installations.
1. Make certain you have a good backup of the system to be patched.
2. Install the package using an account other than root whenever possible.
3. Install the package or patch on a test system first.
4. List and inspect the contents of the patch or package to be installed.
5. Extract and examine the installation script(s) for setuid/setgid commands, or any chown, chmod, cp, rm, mv, or shell redirection commands to ensure that critical system files are not altered.
6. Use a file modification monitor such as tripwire.
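One way to mechanise the script inspection in step 5, as an added example that is not part of the original slides. The list of critical directories, the tag names and the sample post-install script are assumptions constructed for illustration; the output narrows what to read by hand and does not replace reading the script.

```sh
#!/bin/sh
# Paths treated as critical are an assumption for this example; adjust per site.
CRIT='/(etc|bin|sbin|lib|boot|usr/(bin|sbin|lib))(/|[[:space:]"]|$)'
CMDS='(chown|chmod|cp|rm|mv)'

# audit_install_script FILE
# Prints "TAG:LINENO:text" per finding; returns 1 if anything was flagged.
audit_install_script() {
    # Number every line, then drop comment lines so notes are not flagged.
    numbered=$(grep -n '' "$1" | grep -Ev '^[0-9]+:[[:space:]]*#' || true)
    out=$(
        # setuid/setgid set symbolically (u+s, g+s) or by a 4-digit octal mode
        printf '%s\n' "$numbered" |
            grep -E 'chmod.*[[:space:],]([ugoa]*[+=][rwxXt]*s|0?[2-7][0-7]{3}[[:space:]])' |
            sed 's/^/SETID:/'
        # file-changing commands with a critical path among their arguments
        printf '%s\n' "$numbered" |
            grep -E "(:|[;&|[:space:]])$CMDS[[:space:]].*[[:space:]\"]$CRIT" |
            sed 's/^/CRITICAL:/'
        # output redirection (> or >>) into a critical path
        printf '%s\n' "$numbered" |
            grep -E ">[[:space:]]*\"?$CRIT" |
            sed 's/^/REDIRECT:/'
    )
    if [ -z "$out" ]; then
        return 0
    fi
    printf '%s\n' "$out"
    return 1
}

# Constructed sample of a post-install script (not from a real package).
sample_script() {
    cat <<'EOF'
#!/bin/sh
# postinstall for the example package
mkdir -p /opt/example/bin
cp example /opt/example/bin/example
chmod 4755 /opt/example/bin/example
cp -f conf/passwd.new /etc/passwd
echo "exd stream tcp nowait root /opt/example/bin/exd" >> /etc/inetd.conf
rm -rf /opt/example/tmp
EOF
}

demo=$(mktemp)
sample_script > "$demo"
audit_install_script "$demo" || echo "review the lines above before installing" >&2
rm -f "$demo"
```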

Finishing Touches
Installing a package is often times not the end of the job for the system administrator. A wide variety of software packages require some degree of local customization, configuration, licensing or user level setup to complete the installation process and present the user with the fully functioning tool they expect. Since every package will have its own customization and configuration needs, the system administrator will need to read up on the specifics of the packages in use at his site.

Configure once, and distribute the configuration.
* Even packages that are installed by a package installation tool often have configuration files that will need to be modified. These files can be modified to suit local conditions and then distributed using a tool such as rdist.

Wrap a short shell script around a package to set needed variables.
* Many packages require setting environment variables or adding elements to a shell's execution path. Instead of having each user make the needed changes, one approach is to replace the program with a short shell script that sets the environment as required.

For packages that contain several tools, all of which require special environmental variables or modifications to the user's execution path, consider adding the needed setup information to the skeleton files used to create the user's accounts.

Employ a specialized user environment configuration tool such as modules.
* The modules tool provides the means for the system administrator to package up the environment variables, PATH and other user environment changes into modulefiles that can be easily loaded by a user to configure their environment to suit a specific package.
* The modules tool performs complex tasks such as removing and reordering elements of the user's execution PATH to allow even differing versions of the same package to be configured correctly.

Service Packs and other special situations

Some patches and software packages cannot be installed using the usual software management tools. Special updates often require more time and planning than the usual package installation.
* Following the precautions listed in the previous section on unintended changes is a must for special updates. Additional caution is recommended.

Keep the previous kernel version available and ready to use. On Linux this can easily be accomplished by adding an entry to /etc/lilo.conf or /etc/grub.conf.
* Other UNIX variants allow for a second kernel to be kept in the root or boot partition.

Make an emergency boot disk. The procedure for this varies, but many operating systems allow you to make a floppy disk that the system can be booted from.

Locate a bootable CD for the system being updated. Many operating systems allow you to boot from the installation CD and correct problems caused by updates.

Tracking and Distributing Packages and Patches

Installing packages and patches on a large collection of systems is a challenging task.
* The system administrator will need to maintain records of the packages and patches installed, check for missing packages and patches, and perform multiple installations.
* Record keeping and checking for correct package and patch installation is rarely integrated into a software package management tool or suite of tools.
* A simple, external method of monitoring packages and patches is to keep records in a table such as a spreadsheet.

Another approach is to make use of the software package management tool's ability to list the installed packages.
* Lists of packages from each system in a group can be gathered and compared to a master list or a master system.
* This makes missing patches easy to spot.
* The lists from each system can be stored and referred to later to determine which patches or packages need to be installed on a given system.
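The master-list comparison described above, as an added example that is not part of the original slides. The "name version" line format, the function name and the sample lists are assumptions constructed for illustration; besides missing packages it also reports version drift and packages present on the host but absent from the master list.

```sh
#!/bin/sh
# Input format assumed here: one "name version" pair per line, as a package
# tool's query output can be shaped, e.g.
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
#   dpkg-query -W -f='${Package} ${Version}\n'

# compare_to_master MASTER_LIST HOST_LIST
# Prints one line per difference, ordered by package name:
#   MISSING name version         in the master list, absent on the host
#   DRIFT name HAVE want WANT    installed, but at another version
#   EXTRA name version           on the host, not in the master list
compare_to_master() {
    m=$(mktemp); h=$(mktemp)
    # join needs both inputs sorted on the key in the same collation.
    LC_ALL=C sort -k1,1 "$1" > "$m"
    LC_ALL=C sort -k1,1 "$2" > "$h"
    # -a1 -a2 keeps unpaired lines from both sides; -e fills the empty field.
    LC_ALL=C join -a1 -a2 -e NONE -o 0,1.2,2.2 "$m" "$h" |
    while read -r name want have; do
        if [ "$have" = NONE ]; then
            echo "MISSING $name $want"
        elif [ "$want" = NONE ]; then
            echo "EXTRA $name $have"
        elif [ "$want" != "$have" ]; then
            echo "DRIFT $name $have want $want"
        fi
    done
    rm -f "$m" "$h"
}

# Constructed sample lists (package names and versions are illustrative).
master=$(mktemp); host=$(mktemp)
printf '%s\n' 'openssh 2.0' 'openssl 1.1' 'sudo 3.2' 'tripwire 1.0' > "$master"
printf '%s\n' 'sudo 3.2' 'openssl 1.0' 'telnetd 0.9' 'openssh 2.0' > "$host"
compare_to_master "$master" "$host"
rm -f "$master" "$host"
```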

Package and patch distribution can be accomplished in a similar manner.
* One method which works well is to place the package and patch files in a network-accessible directory which is available to all the systems to be patched.
* Then connect to each system in turn and execute the appropriate package installation commands.
* Automating the actual installation of packages and patches is an area where UNIX and command line package installation tools really shine.
* Command line tools are readily automated by a variety of methods and are easily run remotely over a network connection such as ssh.

Summary
Maintaining the software on a system involves the periodic installation of software packages and patches. While a straightforward task in concept, the pitfalls are many. The wide variety of package formats, management tools and missing features in specific tool sets make the process of managing packages and patches more challenging than it ought to be. Before attempting a software installation, the administrator should:
* Explore hardware and software requirements for the application.
* Understand the types of software installations.
* Understand the software installation and maintenance tools.
* Understand the disk layout, and pros/cons of partitioning.
* Understand the steps required before the installation is attempted.
