Ubuntu Server admin



  • Hey, I've suddenly as if by magic become a Ubuntu Server admin through no fault or desire of my own and I gots some questions to answer!!

    1) The server is running version 10.10. I understand this version is supported for at least another full year. What command do I need to run to have it fetch and install security updates (and ONLY security updates?)

    2) I believe they built their own copy of PHP from source. If I run the above-mentioned update command, will it update this copy of PHP? If not, what do I need to run to ensure PHP is up-to-date?

    Any tips/gotchas?



  • Ok it turns out 10.10 is not a long-term support version, making my question moot. Now I have to dive into the jungle of upgrading this system, shit.



  • @blakeyrat said:

    Ok it turns out 10.10 is not a long-term support version, making my question moot. Now I have to dive into the jungle of upgrading this system, shit.
    I'm still answering because so long as it is Ubuntu the commands are the same across versions.

    1. In a command shell, run sudo apt-get update

    2. Run sudo apt-get upgrade


      You will need to enter your password for the first sudo command. So long as you do it from the same command window, you shouldn't need to enter your password a second time.


      As for PHP, if it's installed from source it won't auto-update. If you can use a package from a repository, that would be best. If the original sysadmin is still available, I'd ask why he/she installed from source (typically a version issue). If he/she is not available, you'll have to check documentation. If you can get it back to using a repository version, then it will auto-update for you.



  • @nonpartisan said:

    1. In a command shell, run sudo apt-get update


    2. Run sudo apt-get upgrade

    My impression is that that changes versions as well. Meaning, if PHP is 5.1, that could change it to 5.2 or whatever. I could be wrong; it's very vaguely documented as far as I can tell.

    Are you sure that just does security upgrades without changing software versions?

    @nonpartisan said:

    As for PHP, if it's installed from source it won't auto-update. If you can use a package from a repository, that would be best. If the original sysadmin is still available, I'd ask why he/she installed from source (typically a version issue). If he/she is not available, you'll have to check documentation. If you can get it back to using a repository version, then it will auto-update for you.

    I might try that. I think if I'm reading these setup instructions right they did it because they needed to "compile-in" some optional features? I don't know shit about this shit, or why you'd need to compile a fucking runtime to get optional features, WTF Linux.

    Here's the commandline they were using to set up PHP 5.3.10:

    ./configure --disable-short-tags --without-sqlite --without-sqlite3 --enable-shmop --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-bcmath --enable-fpm --with-openssl --enable-calendar --enable-exif --with-gettext --enable-gd-native-ttf --with-t1lib=/usr --with-jpeg-dir=/usr/lib --enable-gd-native-ttf --with-mcrypt --with-zlib --enable-mbstring --enable-pdo --with-pdo-mysql --without-pdo-sqlite --with-curl --with-iconv --disable-debug --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-gd --with-pear --with-freetype-dir=/usr --prefix=/usr/local/php --with-fpm-user=www-data --with-fpm-group=www-data


  • @blakeyrat said:

    My impression is that that changes versions as well. Meaning, if PHP is 5.1, that could change it to 5.2 or whatever. I could be wrong; it's very vaguely documented as far as I can tell.

    Are you sure that just does security upgrades without changing software versions?

    In my experience, once a distribution is released it only provides bugfix versions to packages. So being distributed with PHP 5.1, it will only include PHP 5.1 bugfixes. It won't upgrade to 5.2 or 5.3 from under you.

    @blakeyrat said:

    I might try that. I think if I'm reading these setup instructions right they did it because they needed to "compile-in" some optional features? I don't know shit about this shit, or why you'd need to compile a fucking runtime to get get optional features, WTF Linux.
    The closest parallel, although not exact, is when you choose the installation options in Windows for which components to install.

    @blakeyrat said:

    Here's the commandline they were using to set up PHP 5.3.10:

    ./configure --disable-short-tags --without-sqlite --without-sqlite3 --enable-shmop --enable-sysvsem --enable-sysvshm --enable-sysvmsg --enable-bcmath --enable-fpm --with-openssl --enable-calendar --enable-exif --with-gettext --enable-gd-native-ttf --with-t1lib=/usr --with-jpeg-dir=/usr/lib --enable-gd-native-ttf --with-mcrypt --with-zlib --enable-mbstring --enable-pdo --with-pdo-mysql --without-pdo-sqlite --with-curl --with-iconv --disable-debug --disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets --enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-gd --with-pear --with-freetype-dir=/usr --prefix=/usr/local/php --with-fpm-user=www-data --with-fpm-group=www-data
    I've never installed PHP from source, so I won't comment on all of the options there. But the general intent has to do with including what you want or default choices -- only including the options/components you want, setting the default directories, user as which the thing should run, etc. Other applications/languages/services/etc. are going with a more modular design so these options can be included or excluded at runtime.


  • @nonpartisan said:

    In my experience, once a distribution is released it only provides bugfix versions to packages. So being distributed with PHP 5.1, it will only include PHP 5.1 bugfixes. It won't upgrade to 5.2 or 5.3 from under you.

    I don't want "in my experience", I want a documented statement from the server vendor. This isn't a video game machine, it's serving client data over the Internet, and I freakin' need to know. Seriously, what the hell.

    @nonpartisan said:

    I've never installed PHP from source, so I won't comment on all of the options there. But the general intent has to do with including what you want or default choices -- only including the options/components you want, setting the default directories, user as which the thing should run, etc. Other applications/languages/services/etc. are going with a more modular design so these options can be included or excluded at runtime.

    Well derp. I'm not a retard.

    The question is, is anything listed there NOT included in the Ubuntu Server OS copy of PHP, or how would I find this out myself?



  • Regarding security-only vs all updates, I know that Debian Stable releases are security-updates only, while I'm not so sure about Ubuntu.

    You can do "sudo aptitude" to open a TUI package management interface. Pressing lower-case-u will update the package list, and security updates will be shown under a category of "Security Updates". Move the cursor to that list, hit "+" to select it, and "g" for "Go." That will show you a summary screen of all operations about to be conducted, so you can audit them by hand if you want to. Press "g" again to make it actually do it.

    As for finding out what the upstream PHP is compiled with, I do know that the "--prefix=/usr/local/php" option will put the custom compiled PHP in its own folder that won't be clobbered by the package version. You can create a .php file with only the contents "<?php phpinfo(); ?>", put it in the webroot somewhere, then view it in a browser. Under the "Configuration" section, you can see what options are enabled/disabled, then do the same again for the packaged version.



  • Thanks that's really useful. I popped off your post to myself for monday morning.



    @blakeyrat said:

    Any tips/gotchas?

    Stop being admin for security on a system you, apparently, know nothing about?



    Seriously.



    TDWFT should not be the source to rectify your lack of *nix skills. You've clearly denigrated linux in the past - my suggestion, if this is a long term thing, is to migrate the system to Microsoft technology as soon as possible. Or get someone who knows what they're doing, or willing to learn, to admin the system.



  • @PJH said:

    Stop being admin for security on a system you, apparently, know nothing about?

    I know a krajillion times more than the guy who was doing it before, who was a "Linux expert" I'm sure.

    Fuck off.



  • As you discovered, 10.10 is not a long term release. More important is this note from the Ubuntu Guide. (Specifically, the Maverick Meerkat info page):

    Maverick Meerkat is not an LTS (Long Term Support) release and is no longer supported with security updates (as of April 2012). It is recommended to upgrade to the current version of Ubuntu.

    The current version as of this post is 12.04, which is a Long Term Support release. The best thing you can do is take the application(s) running on that machine and port them to a staging instance of 12.04. Once you verify the success, you can upgrade the production machine. The upgrade might also provide a PHP that is new enough to meet the needs for the person who did their own compiled version of PHP.



  • I've upgraded the server to version 12.04 using "do-release-upgrade".

    Next step is to install the distro's version of PHP 5.3, and ensure the PHP apps still function.

    Then it's just bundling up the server, doing security updates every so often, and trying hard to forget it exists.



  • Ok, it looks like Ubuntu has a version-specific entry for PHP 5, but not one for PHP 5.3. Is that normal? Is there a way to specify I want 5.3 (and associated security patches), or do I have to have it be 5.newest?



  • For further info, the version installed is 5.3.10, and the latest is 5.3.17. So it definitely needs updating one way or another.



  • Oh... it turns out 5.3.10 is the latest version Ubuntu has in their repository. So. I guess upgrading it is moot and I'm "done".

    I hope I'm not taking a huge risk, it looks like 5.3.17 has some security-relevant fixes in it.



  • @blakeyrat said:

    I don't want "in my experience", I want a documented statement from the server vendor. This isn't a video game machine, it's serving client data over the Internet, and I freakin' need to know. Seriously, what the hell.
    If you do nothing to change which repositories you're using -- just use the default repositories that Ubuntu installs -- then you'll only get security updates because that's all the Ubuntu maintainers will put into the stable repository.  If you monkey with the repository sources, it is possible you can upgrade to a completely different version of PHP.  But that takes configuration on your part.  If you don't mess with it, you will only get security updates.  So don't mess with it.

    @blakeyrat said:

    The question is, is anything listed there NOT included in the Ubuntu Server OS copy of PHP, or how would I find this out myself?
    I've no idea.  But a quick Google tells me that php -i (http://apple.stackexchange.com/questions/10400/how-can-i-determine-the-compile-time-options-of-php) should show you the command string used to configure PHP.
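How to actually run that comparison, as an added example that is not part of the thread: the script below parses the source build's ./configure line quoted earlier and the "Configure Command" line that php -i prints for the packaged build, then lists the --enable/--with options the packaged build was not configured with and the options both builds set to different values. The php -i excerpt is constructed with a hypothetical option list; on the server, run php -i from /usr/local/php/bin/php and from the package's php binary and feed in the real text.

```python
"""Compare a from-source PHP's configure options with a packaged build's.
Added example, not from any poster. SOURCE_CONFIGURE is the line quoted in the
thread; PACKAGED_PHP_I is a constructed `php -i` excerpt with a hypothetical
option list. On the server, capture real output with `php -i` from each binary."""
import shlex
from typing import Dict, List, Optional, Tuple

SOURCE_CONFIGURE = (
    "./configure --disable-short-tags --without-sqlite --without-sqlite3 "
    "--enable-shmop --enable-sysvsem --enable-sysvshm --enable-sysvmsg "
    "--enable-bcmath --enable-fpm --with-openssl --enable-calendar --enable-exif "
    "--with-gettext --enable-gd-native-ttf --with-t1lib=/usr --with-jpeg-dir=/usr/lib "
    "--enable-gd-native-ttf --with-mcrypt --with-zlib --enable-mbstring --enable-pdo "
    "--with-pdo-mysql --without-pdo-sqlite --with-curl --with-iconv --disable-debug "
    "--disable-rpath --enable-inline-optimization --with-bz2 --with-zlib --enable-sockets "
    "--enable-mbregex --with-mhash --enable-zip --with-pcre-regex --with-gd --with-pear "
    "--with-freetype-dir=/usr --prefix=/usr/local/php --with-fpm-user=www-data "
    "--with-fpm-group=www-data"
)

# Constructed: the shape of `php -i` output for a packaged build. Only the
# 'Configure Command' line is parsed; its option list is hypothetical.
PACKAGED_PHP_I = """\
phpinfo()
PHP Version => 5.3.10-1ubuntu3.4

System => Linux example 3.2.0-generic x86_64
Configure Command =>  './configure'  '--prefix=/usr' '--with-config-file-path=/etc/php5/cli' \
'--disable-debug' '--with-openssl' '--with-zlib' '--enable-bcmath' '--enable-calendar' \
'--enable-exif' '--with-gettext' '--enable-mbstring' '--enable-mbregex' '--enable-shmop' \
'--enable-sockets' '--enable-sysvmsg' '--enable-sysvsem' '--enable-sysvshm' '--with-mhash' \
'--with-pdo-mysql' '--with-curl' '--with-iconv' '--with-bz2' '--enable-zip' '--with-pear' \
'--with-mcrypt' '--with-gd'
Server API => Command Line Interface
"""


def configure_flags(configure_line: str) -> Dict[str, Optional[str]]:
    """Map each --option of a ./configure command to its value (None when bare)."""
    flags: Dict[str, Optional[str]] = {}
    for token in shlex.split(configure_line):
        if token.startswith("--"):
            name, sep, value = token.partition("=")
            flags[name] = value if sep else None
    return flags


def configure_command(php_i_output: str) -> str:
    """The command string `php -i` reports under 'Configure Command'."""
    for line in php_i_output.splitlines():
        if line.startswith("Configure Command"):
            return line.split("=>", 1)[1].strip()
    raise ValueError("no 'Configure Command' line in php -i output")


def options_not_in_packaged(source_line: str, php_i_output: str) -> List[str]:
    """--enable-*/--with-* options the source build turned on that the packaged
    build's configure line lacks. --disable/--without only switch things off,
    so they are not reported."""
    source = configure_flags(source_line)
    packaged = configure_flags(configure_command(php_i_output))
    return sorted(n for n in source if n.startswith(("--enable-", "--with-")) and n not in packaged)


def options_with_different_values(source_line: str, php_i_output: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Options both builds set but with different values (install prefix, FPM user, ...)."""
    source = configure_flags(source_line)
    packaged = configure_flags(configure_command(php_i_output))
    return {n: (source[n], packaged[n]) for n in source if n in packaged and source[n] != packaged[n]}


if __name__ == "__main__":
    print("not configured into the packaged build:")
    for opt in options_not_in_packaged(SOURCE_CONFIGURE, PACKAGED_PHP_I):
        print("  " + opt)
    for opt, (src, pkg) in options_with_different_values(SOURCE_CONFIGURE, PACKAGED_PHP_I).items():
        print(f"{opt}: source={src!r} packaged={pkg!r}")
```

Run it with python3 and it prints the options only the source build set (in the constructed sample: FPM, the GD font and image paths, PCRE and the install prefix). One caveat when reading real output: Debian and Ubuntu build many PHP extensions (gd, curl, mcrypt, mysql and others) as shared modules shipped in separate php5-* packages, so an option missing from the packaged configure line may still be available once that package is installed; php -m lists the modules actually loaded.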



  • @blakeyrat said:

    Ok, it looks like Ubuntu has a version-specific entry for PHP 5, but not one for PHP 5.3. Is that normal? Is there a way to specify I want 5.3 (and associated security patches), or do I have to have it be 5.newest?
    Looking at my system, php5-common is the name of the package but the specific version is 5.3.3-7+squeeze13.  Yes, it's normal to have a package listed by its major version number.  Regrettably, it's also normal for a package to be listed by its major and minor version numbers (like postgresql-8.4) and to not have a version number in the package name at all (postgresql).

    So what's normal is . . . it varies.



  • @PJH said:

    TDWFT should not be the source to rectify your lack of *nix skills. You've clearly denigrated linux in the past - my suggestion, if this is a long term thing, is to migrate the system to Microsoft technology as soon as possible. Or get someone who knows what they're doing, or willing to learn, to admin the system.
    In his previous ranting against Linux, it was said (by myself and others) that if he'd just asked the question, we would have been glad to help.

    He's asked the question.  So I felt obligated to try to help.  The answers may not be to his liking, but they're the best I can do.

    This is probably the most civil conversation I've had with Blakey.



  • @nonpartisan said:

    This is probably the most civil conversation I've had with Blakey.

    Some people don't understand that different content goes in different forums.

    Anyway, the server is running 12.04, it's using the Ubuntu repository version of PHP (which is the practically-antique 5.3.10-- I can only hope and pray it has all relevant security patches installed!) and I've cloned it and added it to the load balancer. So I think I've done pretty much all I can do with these servers, if they want more than that they'll have to find someone qualified.



  • @blakeyrat said:

    Hey, I've suddenly as if by magic become a Ubuntu Server admin through no fault or desire of my own and I gots some questions to answer!!

    TRWTF. Ubuntu is "Linux for human beings". Servers should not be interacting with human beings. (Well, except server admins, but they're... special.)



    @blakeyrat said:

    What command do I need to run to have it fetch and install security updates (and ONLY security updates?)

    This answer may be what you want (NB: replace "lucid" with whatever as appropriate for your system. Also, I note that I don't have an /etc/apt/preferences, so I assume you'd have to create the file if it doesn't exist.):

    replace /etc/apt/preferences with the following:
    Package: *
    Pin: release a=lucid-security
    Pin-Priority: 500
    

    Package: *
    Pin: release o=Ubuntu
    Pin-Priority: 50


    now a simple apt-get upgrade will upgrade all security updates only.

    Why (and how) this works: The preferences file will pin all packages from ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.

    You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.

    If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:

     apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade
    

    This will make apt look for the preferences file from a non-default location.

    The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.

    The apt_preferences man page has a lot of stuff in there about tuning it for particular packages, etc. That's probably more involved than what you're interested in.

    You can also set things up to do security updates automatically, but that sort of thing always worries me with a server.


  • @ekolis said:

    @blakeyrat said:
    Hey, I've suddenly as if by magic become a Ubuntu Server admin through no fault or desire of my own and I gots some questions to answer!!

    TRWTF. Ubuntu is "Linux for human beings". Servers should not be interacting with human beings. (Well, except server admins, but they're... special.)

     

    Nothing wrong with an Ubuntu server, provided they use Ubuntu Server for it and not the default desktop configuration (so you don't get all the UI guff that normally comes with Ubuntu). It's just Linux either way.



  • What I find a bit odd is that no one explained the "ancient 5.3.10" thing.



    Blakey: Most distributions (except "rolling upgrade" ones) - including Debian and Ubuntu - provide a specific version, and only that specific version of software in each release.

    Ubuntu 12.04 apparently ships with PHP 5.3.10. The next release (12.10) has a newer version, and so on.



    However, they do back-port all security fixes from the most current version to this version. That's what's provided as security updates.

    You don't receive an update from e.g. 5.3.10 to 5.3.11 (and all the way to 17), you receive an update from 5.3.10-1ubuntu3 to 5.3.10-1ubuntu3.4, which contains current security patches.



    So, feature-wise, you have 5.3.10; security-wise, you are up to date.



    References: http://packages.ubuntu.com/precise/php5-common, https://launchpad.net/ubuntu/precise/+source/php5/+changelog



    Also, seems that 12.04 is the /perfect/ choice of version for you, considering the codename. :)



  • @bannedfromcoding said:

    Blakey: Most distributions (except "rolling upgrade" ones) - including Debian and Ubuntu - provide a specific version, and only that specific version of software in each release.

    Ubuntu 12.04 apparently ships with PHP 5.3.10. The next release (12.10) has a newer version, and so on.

    Yeah I figured that out. I kind of lucked-out in that 12.04 just happened to ship with the version I needed.

    @bannedfromcoding said:

    However, they do back-port all security fixes from the most current version to this version. That's what's provided as security updates.

    You don't receive an update from e.g. 5.3.10 to 5.3.11 (and all the way to 17), you receive an update from 5.3.10-1ubuntu3 to 5.3.10-1ubuntu3.4, which contains current security patches.

    What's the point of the third part of the version number if it doesn't indicate bug fixes? If you read PHP's changelog, they sure seem to consider the third digit bug fix releases.

    Or phrased another way, what's the difference between "php-5.3.10ubuntu3.4" and "php-5.3.17"?



  • @blakeyrat said:

    Or phrased another way, what's the difference between "php-5.3.10ubuntu3.4" and "php-5.3.17"?


    It is 5.3.10 with security fixes.

    5.3.17 has both some new functionality compared to 5.3.10, a lot of "functionality" bug fixes - crashers, incorrect results, etc, and security bug fixes - i.e. ones that when unpatched allow for remote code execution, or other damage.

    The rule is to change the code as slightly as possible.

    So, if a security hole that applies also to 5.3.10 is discovered and fixed in a later version, the fix is backported.

    If a bug that e.g. causes some function to return incorrect data is fixed in a later version, it's not imported.

    You have 5.3.10 that acts like 5.3.10, bugs and all - except for places where it could be exploited.



    Think of it as difference between .net framework security hotfix (released often, patches just the issue) and update rollups / service packs (released rarely, patches functionality).
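The pinning post earlier in the thread and the two explanations of what 5.3.10-1ubuntu3.4 means both rest on the same two mechanisms: dpkg's ordering of version strings and apt's pin priorities. The script below is an added example, not apt's code and not from any poster: it implements dpkg's version comparison, reads the thread's two Pin records (with lucid swapped for precise, 12.04's codename) and applies a simplified reading of the candidate rules in apt_preferences(5) to a constructed package table. Every package name except php5-common, every version string and the PPA origin label are made up for illustration.

```python
"""Simulate apt's candidate choice under the thread's security-only pinning.
Added example, neither apt's code nor any poster's: dpkg version ordering plus
a simplified reading of apt_preferences(5). Every package name except
php5-common, every version string and the PPA label are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def _char_order(c: str) -> int:
    """dpkg weights: '~' < end of string or digit (0) < letters < other symbols."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit runs (char by char) and digit runs (numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            diff = _char_order(a[i:i + 1]) - _char_order(b[j:j + 1])
            if diff:
                return diff
            i, j = i + 1, j + 1
        na = nb = ""
        while i < len(a) and a[i].isdigit():
            na, i = na + a[i], i + 1
        while j < len(b) and b[j].isdigit():
            nb, j = nb + b[j], j + 1
        if int(na or "0") != int(nb or "0"):
            return int(na or "0") - int(nb or "0")
    return 0


def compare_versions(v1: str, v2: str) -> int:
    """Order [epoch:]upstream[-revision] like `dpkg --compare-versions` (<0, 0, >0)."""
    def split(v: str) -> Tuple[int, str, str]:
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


@dataclass
class Version:
    package: str
    version: str
    labels: Dict[str, str]  # release labels as `apt-cache policy` prints them (o=, a=, ...)


def parse_pin(pin_field: str) -> Dict[str, str]:
    """'release a=precise-security,o=Ubuntu' -> {'a': 'precise-security', 'o': 'Ubuntu'}."""
    _, _, conds = pin_field.partition(" ")  # only the 'release' form is modelled
    return dict(c.split("=", 1) for c in conds.split(","))


# The thread's two "Package: *" records (12.04's codename in place of lucid) as
# (Pin field, Pin-Priority). Order matters: apt uses the first matching record.
THREAD_PINS = [("release a=precise-security", 500), ("release o=Ubuntu", 50)]
DEFAULT_PRIORITY, INSTALLED_PRIORITY = 500, 100  # unmatched version / installed version


def pin_priority(v: Version, pins: List[Tuple[str, int]]) -> int:
    for pin_field, priority in pins:
        if all(v.labels.get(k) == val for k, val in parse_pin(pin_field).items()):
            return priority
    return DEFAULT_PRIORITY


def candidate_version(installed: Optional[str], available: List[Version], pins) -> Optional[str]:
    """apt's rule: no downgrade unless priority > 1000; otherwise the highest
    priority wins, ties go to the highest version; installed competes at 100."""
    best, best_pri = installed, (INSTALLED_PRIORITY if installed else -1)
    for v in available:
        pri = pin_priority(v, pins)
        if pri < 0:  # a negative priority means the version is never installed
            continue
        if installed and pri <= 1000 and compare_versions(v.version, installed) < 0:
            continue  # would be a downgrade
        if pri > best_pri or (pri == best_pri and compare_versions(v.version, best) > 0):
            best, best_pri = v.version, pri
    return best


def plan(installed: Dict[str, str], available: List[Version], pins) -> Dict[str, Optional[str]]:
    """Candidate per package, like the Candidate: line of `apt-cache policy`."""
    names = sorted(set(installed) | {v.package for v in available})
    return {n: candidate_version(installed.get(n), [v for v in available if v.package == n], pins) for n in names}


# Constructed state of a 12.04 box: installed versions and what the archives offer.
UBUNTU = {"o": "Ubuntu"}
INSTALLED = {"php5-common": "5.3.10-1ubuntu3", "libexample": "2.4-1", "ppa-tool": "1.0-1"}
AVAILABLE = [
    Version("php5-common", "5.3.10-1ubuntu3.4", {**UBUNTU, "a": "precise-security"}),
    Version("php5-common", "5.3.10-1ubuntu3.4", {**UBUNTU, "a": "precise-updates"}),
    Version("php5-common", "5.3.10-1ubuntu3", {**UBUNTU, "a": "precise"}),
    Version("libexample", "2.4-1ubuntu1", {**UBUNTU, "a": "precise-updates"}),  # bug fix only
    Version("ppa-tool", "1.1-0ppa1~precise", {"o": "LP-PPA-example", "a": "precise"}),  # third party
]

if __name__ == "__main__":
    for name, cand in plan(INSTALLED, AVAILABLE, THREAD_PINS).items():
        print(f"{name}: installed {INSTALLED[name]} -> candidate {cand}")
```

Under the thread's records php5-common moves to the -security build while a package that only has a newer -updates build stays put; the unpinned third-party archive still wins at apt's default priority 500, which is the caveat the post makes about third-party repositories. Reversing the two records makes the o=Ubuntu rule match the security archive first at priority 50, and the security update is no longer taken, so record order is part of the configuration. apt-cache policy reports the same priorities on a real system and is the check to run after editing /etc/apt/preferences.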

