WhiteKat
Oct 11 2004, 10:32 PM
Okay,
got a new Red Hat ES box, start off on the usual, fiddle with SSH config, download a firewall, and so on... but can I find out how to get the (&*%*^ updates?
Sorry, I feel like ranting like a crazy ranting thing. I thought maybe getting a Red Hat Enterprise Server would entitle me to, like, Red Hat updates?
Then I looked long and hard through the archives and found a post that said you could use apt-get internally... but that doesn't seem to work.
Sheesh. If these were Windows boxes they'd get reamed in the first five minutes... but why, with a brand-new server should I be running software with security holes in it? And why can't EV1 have
a) a mirror of the RH updates and
b) a HOWTO on patching your box?
Excuse me if this is an old subject, but I've read the FAQs, I've STFWed, RTFMed until my eyes have popped...
What do the rest of you do? Subscribe to RHN for yet more $$$?
regards
WK.
Err0r
Oct 12 2004, 02:44 AM
Stick a trouble ticket in to the techs asking they set your box up for rhn.... Why proxy when you get to use the real one for free
As for the rest, the usual how-tos still can apply but you just don't do stuff specific to the various control panels.
WhiteKat
Oct 12 2004, 06:40 AM
Thanks Err0r. Trouble ticket being submitted.
I'd be quite happy with proxies if I knew where they were. Is the README with all this info in it so big and obvious that I missed it?
Err0r
Oct 12 2004, 06:53 AM
There are a bunch of threads in the how-to forums (like the ensim one and the generic how-to one) which list various things you might want to do to a new box. Those then give a link to the how-to which tells you how to do the various tasks. While they are posted in the control panel forums, some of them still do apply and you might want to do them.
WhiteKat
Oct 12 2004, 07:22 AM
Yup, I've even got my own "new box" checklist.
(Which has links to pages on the old rackshack site, but that's another question).
But I'm still trying to figure out where and how to get the system patched and up to date... hoping that the trouble ticket will bring a result.
strainer
Oct 14 2004, 08:30 PM
On RHEL you just use up2date. Naturally if you have some control panel, you want to be careful about which packages you update, lest you break things.
Up2date license is included in RHEL. There is no such thing as a licensed copy of RHEL without it.
If you type up2date -l that will get you started. If it's broke, enter a trouble ticket - EV1 has to configure it.
WhiteKat
Oct 14 2004, 08:44 PM
Yup, now I know. If you have a brand new unpatched Red Hat ES3 box (or any other unpatched brand new box from Ev1 / Ev1servers / EV1servers.net) and you want updates and patches, particularly from Red Hat Network (rhn, rhns, rhnsd, rhnd) then you need to open a Trouble Ticket, give an EV1 tech your passwords and let them run a script. Then you can run up2date.
Did I miss any keywords?
< registration RHN up2date key rackshack blah blah >
More?
Err0r
Oct 15 2004, 02:45 AM
If you don't have a control panel installed then just do up2date -u once the box is configured for RHN. Unless of course you have some custom compiled things like sendmail, in which case you want to add that to the skiplist.
I compiled my own openssl, openssh, apache, php, pureftpd, sendmail and various other minor bits. The only thing I had to add to the skip list was sendmail as I don't want it to overwrite my binary. The others have been removed as rpms except openssl which is still updated as needed by up2date. My custom compiled version is in a different directory so I can use that when I compile things.
Another thing I recommend is in up2date --configure, set the nobootloader to yes, set noreboot to yes.
I do this so I control when it goes down for the reboot.
While other people have suggested not allowing RHN to automatically install the kernel, I personally allow it to. But then I make the bootloader change myself so I can make sure that the bootloader is happy before I send it down to reboot. With the nobootloader set to yes, the kernel creates its entry in the bootloader config but does NOT make itself the kernel which will be booted after a reboot.
WhiteKat
Oct 15 2004, 10:32 AM
Thanks Err0r, the source of my frustration was being unable to find *anywhere* the information that to get RHN set up / enabled you need to open a ticket and get EV1 to do it. Hopefully this thread has got enough keywords in it to save someone else the grief.
Do you compile your own apache etc for performance, security, or fun? I generally run Gentoo on my "own" servers so I am used to the idea of not using the CPU as a 386...
Err0r
Oct 15 2004, 01:23 PM
Literally open a trouble ticket on the members area saying
"Please can you setup my server for up2date usage... my root password is: blahblahblah"
To make it easier on them, enable direct root login on ssh (if you've disabled it) until it's done.
QUOTE
Originally posted by WhiteKat
Do you compile your own apache etc for performance, security, or fun?
Performance - yep, have you seen the amount of s*** redhat compiles in to their packages?
Security - yep, once again unneeded s*** = more potential holes = more ways in. I know redhat backports the fixes to their packages, but I'd rather use the sources straight from the authors and not rely on someone else to compile the stuff that I can. The only thing I don't compile that I could is the kernel and I'm happy with their one.
Fun - yep that too..