Skip to end of banner
Go to start of banner

Virtual Appliance Maintenance: Updating Software

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 6 Next »

General Maintenance

The Opmantek Appliance is - like all networked computer systems - subject to the usual requirements wrt. patching software for security holes, general care and periodic adjustments and so on. The appliance comes with logrotation and other standard management services enabled, but this is no substitute for a trained system administrator's watchful eye.
For example it's very much recommended to run yum check-update periodically, e.g. once monthly, to learn of important software updates, and to apply them using yum upgrade.

Updating software on the Appliance with limited Internet access

Some customers are reluctant to grant any of their servers (or the Opmantek Appliance) direct access to the Internet. In normal operation that doesn't limit the appliance in any way (as long as there is a source of DNS and NTP available), but updating (our or other) software on the appliance would be made impossible.

To deal with software maintenance in such highly restrictive environments we do recommend that you provide a web proxy for servers that otherwise cannot download updated software packages; you might want to run said proxy only temporarily, with authentication required or filtering, e.g. only serving files from particular web locations. Setting up a proxy like the well-known and -tested Squid proxy server is a minimal effort (even with authentication) and well worth the improved maintainability of your infrastructure.

The packaging manager (yum) used by the underlying operating system (CentOS) can be configured easily to use a proxy server for Internet access, and the same is true for installing Perl modules via CPAN.

Yum configuration for proxy access

You need to edit /etc/yum.conf (nano is likely your best choice for a simple editor if you have no real preferences), and add a block like the following somewhere to the section labelled "[main]":

[main]
# lots of other directives
proxy=http://mycache.mydomain.com:3128
# The account details for yum connections, IF your proxy enforces authentication
proxy_username=yum-user
proxy_password=qwerty

After you've made those changes you should run  yum check-update to verify that it can access the package repositories in question.

CPAN configuration for proxy access

The following applies primarily to updating NMIS as all other software ships in compiled/stand-alone form.

If you decide to extend your deployed Opmantek Appliance with new Opmantek packages (or update existing software packages), then it may be necessary occasionally to install extra Perl packages from CPAN (the Comprehensive Perl Archive Network).

The NMIS installer/updater automates these installation steps using the cpan tool, which is proxy-capable as well.

To configure cpan to use a proxy, you need to start the tool (as root) and tell it to run the proxy configuration dialog and it'll ask you for the relevant settings:

# become root, su or sudo bash
cpan
o conf init /proxy/
# and answer the questions as displayed

Updating software if the appliance has no Internet access, but your desktop has (via proxy)

A variation of the above is also possible, if (and only if) you are accessing the Internet (from your desktop) using a proxy server, and if (and only if) you are accessing the appliance via SSH. In that case you can use SSH port forwarding to temporarily grant the appliance access to your proxy.

You have to select an unused high port number, and you need to know your web proxy addess and port number. In this example I'll use 8888 as the high port number, and let's assume my proxy is at proxy.opmantek.com and works on port 3128.

With plain command-line ssh I'd use the following invocation to establish that port forwarding: ssh -v -R 8888:proxy.opmantek.com:3128 root@the_appliance_name_or_address
For PuTTy, I'd go to the configuration menu, SSH, Tunnels and add 8888 as source port, select "Remote" and add proxy.opmantek.com:3128 as destination. Then I'd connect to the appliance.

Configure the appliance's yum and cpan to use localhost:8888, possibly configure proxy authentication, and things will work as if the appliance had direct proxy access.

You'll be able to use localhost:8888 on the appliance as the proxy address, precisely while your SSH connection is open. Once you disconnect,  port 8888 closes down, and the proxy becomes inaccessible.

Installing or upgrading without any Internet access

If you have another (virtual) system that does  have Internet access, then it is possible to collect the pre-requisites on that system and then transfer them over onto the final server. This does, however, require some manual work on the command line and a small modicum of Linux skills. We've tested this with a CentOS 6 systems, but can't guarantee that it'll work precisely the same everywhere.

To do so you'll need another (temporary!) instance of the Opmantek Appliance running with Internet access enabled, which could easily be just in VirtualBox on your desktop, for example; You would then have to follow the procedure described below:

  1. Start up a temporary instance of the Opmantek Appliance
    It should be the same version of the non-networked Appliance that you want to upgrade/install stuff on, and it should be unchanged and pristine.
  2. Enable yum caching on the temporary system
    Use nano or your editor of choice, and change the config file /etc/yum.conf so that there's a line like this:  keepcache=1
    This makes yum keep copies of everything it downloads in /var/cache/yum.
  3. Run the installer for the application you want to add or upgrade, but on the temporary system.
    Tell it that Internet access is available, and let it install all missing prerequisites.
  4. Zip up the collected packages on the temporary system
    You need the following files and directories: /etc/yum.repos.d,/var/cache/yum and /root/.cpan (primarily if you're upgrading NMIS).
    A command to capture that would be zip -r /tmp/captured.zip /etc/yum.repos.d /var/cache/yum /root/.cpan
  5. Transfer that ZIP file off the temporary system
    Use the scp client of your choice (or a shared folder if running in VirtualBox) to save the captured zip file somewhere off the temporary system.
  6. Transfer that ZIP file onto the final, non-internetted system
    Likely you will be using scp again.
  7. Unpack the captured files and overwrite the originals
    I'd unpack everything in /tmp, and then replace the originals like this:
    cd /tmp/; unzip captured.zip; rm -f /etc/yum.repos.d/*; mv ./etc/yum.repos.d/* /etc/yum.repos.d; rm -rf /var/cache/yum/*; mv ./var/cache/yum/* /var/cache/yum/; rm -rf /root/.cpan; mv ./root/.cpan /root
  8. At this point you should be able to run the installer again, but now on the non-internetted system
    It should now be able to find the manually transferred packages, and install from these; However, if yum balks simply install all the packages from that cache before running up the installer (again):
    yum -C -y install /var/cache/yum/x86_64/6/*/packages/*.rpm
  9. The installer should now run through without any missing prerequisites.
  10. Cleanup
    You can now remove  the termporary system, delete the captured.zip on your non-internetted system (and whereever you may have stored it temporarily).
  • No labels