RobHost GmbH [email@example.com], 2007-2013
PLEASE NOTE THAT THIS SOFTWARE COMES WITH ABSOLUTELY NO WARRANTY!
Updian is a minimalistic update engine for Debian GNU/Linux based machines (and other APT-based flavours such as Ubuntu) and, since v0.4, for machines with YUM such as CentOS. You can use it to maintain all your machines remotely through a simple web interface written in Python. There are two cronjobs: one checks for updates, the other installs them. In the web interface you choose which servers to update (it lists the pending packages) and read the logs after the updates are done.
Updian does not need any database; all data is stored in (mostly empty) flat files. It can manage a large number of servers; we’ve tested and used it with 100+ servers without any problems.
Actually, Updian only does apt-get upgrade, not dist-upgrade. So it’s a good idea to run apticron or a similar tool in parallel on the remote machines to stay informed about upcoming dist-upgrades. Apticron is also good for checking the correctness of Updian: it mails you the pending updates every day, including the changelog, and these are the updates you can then install with Updian. If Updian is working correctly, apticron should mail you the same update information (except dist-upgrades) as Updian shows in the web frontend.
For every server Updian creates a logfile, so you’re always informed about the updates made. The logfiles are available through the web frontend.
Any Linux distribution on the machine which runs Updian (local-side)
Debian GNU/Linux or other apt-running systems (Ubuntu, Knoppix …) or yum-running systems (CentOS, RHEL, Fedora Core …) on the remote-side
Python 2.6 or newer (local-side)
a crond if you want to automate updian’s checking and updating (local-side)
Access as root to all involved machines (gaining root via sudo is also supported)
Exchanged SSH-publickeys between the local machine running Updian and the remote servers
This means you can log in from the machine running Updian to the remote server via ssh <remote-server> without entering a password.
Howto: On the machine running Updian:

    ssh-keygen -t rsa
    cat ~/.ssh/id_rsa.pub | ssh remote-user@remote-server cat - ">>" ~/.ssh/authorized_keys
    # or 'ssh-copy-id remote-server'
Optional: Web server with WSGI support or a separate WSGI application server (local-side, see below)
    # collect updates daily at 8 am
    0 8 * * * /var/www/updian/updiancmd collect > /dev/null 2>&1
    # run updates daily at 9 am
    0 9 * * * /var/www/updian/updiancmd update > /dev/null 2>&1

To use mod_wsgi on the Apache2 web server you can use something along the following lines in your virtual host configuration (assuming you installed Updian in /var/www/updian):

    <IfModule mod_wsgi.c>
        WSGIScriptAlias /updian /var/www/updian/updian.wsgi
        WSGIPassAuthorization On
        WSGIDaemonProcess updian-webif python-path=/var/www/updian home=/var/www/updian
        WSGIProcessGroup updian-webif
        Alias /updian/static /var/www/updian/static
        <Directory /var/www/updian/static>
            Order allow,deny
            Allow from all
        </Directory>
    </IfModule>
If you have installed Updian’s dependencies into a virtual environment you should add its site-packages directory to the python-path of the daemon process:

    WSGIDaemonProcess updian-webif python-path=/yourvenv/lib/python2.6/site-packages:/var/www/updian home=/var/www/updian

You can also use WSGIPythonHome to set an alternative Python interpreter for mod_wsgi to use globally (see: WSGIPythonHome documentation).
Since v0.3 Updian can check whether there are services running on remote machines that need to be restarted. That is often needed when libraries used by many programs (e.g. libssl) have been updated on the remote machine. After such an update it is necessary to restart, for example, apache or postfix.
Updian uses the script checkrestart from the package debian-goodies for that. Just run apt-get install debian-goodies on the desired remote machines.
In short, it does something like this to find out which processes are still using deprecated libraries:

    lsof -n | egrep -i "(DEL|inode)"

Updian writes the output from checkrestart to <server>_checkrestart.log (see “Logs” in webfrontend).
Updian’s default mode of operation gives the Updian server unlimited root access to all servers. updian-rsh is a shell script that can be used with ssh’s forced command feature to limit the commands Updian can execute over ssh. Then, even if the Updian server is compromised, the intruder can only do one thing with your other servers: update them.
To use it, copy updian-rsh to the machines you want to update, for example to /usr/local/bin. Prefix the line for Updian’s key in /root/.ssh/authorized_keys with

    command="/usr/local/bin/updian-rsh"

so that it looks like this:

    command="/usr/local/bin/updian-rsh" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA8Yf[...]

Now when you try to connect to that server with ssh root@remote_server you should get the message
Updian Restriced Shell: Interactive shell not allowed
and the connection is closed.
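
How a forced-command wrapper of this kind reaches its decision, as an added example that is not updian-rsh and not code from the Updian project. The allowlist entries and the install name forced-cmd-example are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration of an SSH forced-command wrapper. This is NOT updian-rsh.
# sshd runs the command="..." program in place of whatever the client asked
# for and passes the client's request in SSH_ORIGINAL_COMMAND.

# ASSUMPTION: the allowlist below is constructed for this example; the
# commands Updian really sends are not listed on this page.
rsh_decide() {
    # $1 = requested command line; prints allow, deny or interactive.
    # Only whole-string matches pass, so "apt-get -y upgrade; id" is refused
    # without any metacharacter filtering.
    case "$1" in
        "") echo interactive ;;
        "apt-get update"|"apt-get -s upgrade"|"apt-get -y upgrade"|"checkrestart")
            echo allow ;;
        *) echo deny ;;
    esac
}

rsh_main() {
    request="${SSH_ORIGINAL_COMMAND:-}"
    case "$(rsh_decide "$request")" in
        allow)
            # Safe to word-split: $request equals one of the fixed strings above.
            exec $request ;;
        interactive)
            echo "Interactive shell not allowed" >&2
            return 1 ;;
        *)
            # Leave a trace of refused requests for later review.
            logger -t forced-cmd-example "refused: $request" 2>/dev/null || true
            echo "Command not allowed" >&2
            return 1 ;;
    esac
}

# Hypothetical install name; the wrapper only acts when run under that name.
case "$0" in
    */forced-cmd-example) rsh_main; exit $? ;;
esac
```

A forced command does not by itself disable port, agent or X11 forwarding for that key. The restrict key option (OpenSSH 7.2 and later) or the individual no-port-forwarding, no-agent-forwarding, no-X11-forwarding and no-pty options cover that.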