Linux Admin Concise Tutorial

Linux Admin - System Updates

The CentOS 7 system can be updated in three ways −

  1. Manually

  2. Automatically

  3. Update manually for major security issues and configure automatic updates

In a production environment, it is recommended that production servers be updated manually, or at least that an update plan be established so the administrator can safeguard the services vital to business operations.

A simple security update can plausibly cause cascading issues with common applications that then require upgrading and reconfiguration by an administrator. So be wary of scheduling automatic updates in production before testing them on development servers and desktops first.

Manually Update CentOS 7

To update CentOS 7, we will want to become familiar with the yum command. yum manages package repositories in CentOS 7 and is the tool commonly used to −

  1. Update the CentOS 7 Linux System

  2. Search for packages

  3. Install packages

  4. Detect and install required dependencies for packages

In order to use yum for updates, your CentOS server will need to be connected to the Internet. Most configurations will install a base system, then use yum to query the main CentOS repository for additional functionality in packages and apply system updates.

We have already made use of yum to install a few packages. When using yum you will always need to do so as the root user, or as a user with root access. So let’s search for and install an easy-to-use text editor called nano.

[root@centos rdc]# yum search nano
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.rackspace.com
 * epel: mirror.chpc.utah.edu
 * extras: repos.forethought.net
 * updates: repos.forethought.net
======================================================================
      N/S matched: nano
======================================================================
nano.x86_64 : A small text editor
nodejs-nano.noarch : Minimalistic couchdb driver for Node.js
perl-Time-Clock.noarch : Twenty-four hour clock object with nanosecond precision
 Name and summary matches only, use "search all" for everything.

[root@centos rdc]#

Now, let’s install the nano text editor.

[root@centos rdc]# yum install nano
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.keystealth.org
 * epel: pubmirror1.math.uh.edu
 * extras: centos.den.host-engine.com
 * updates: repos.forethought.net
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
 Package            Arch        Version            Repository          Size
================================================================================
Installing:
 nano               x86_64      2.3.1-10.el7       base               440 k

Transaction Summary
Install  1 Package
Total download size: 440 k
Installed size: 1.6 M
Is this ok [y/d/N]: y
Downloading packages:
nano-2.3.1-10.el7.x86_64.rpm                               | 440 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
 Installing : nano-2.3.1-10.el7.x86_64                                    1/1
 Verifying  : nano-2.3.1-10.el7.x86_64                                    1/1
Installed:
 nano.x86_64 0:2.3.1-10.el7

Complete!

[root@centos rdc]#

We have installed the nano text editor. This method, IMO, is a lot easier than searching for utilities on websites and manually running the installers. Also, repositories sign their packages digitally, so yum can verify that a package comes from a trusted source. It is up to the administrator to validate authenticity when trusting new repositories. This is why it is considered a best practice to be wary of third-party repositories.

Yum can also be used to remove a package.

[root@centos rdc]# yum remove nano
Loaded plugins: fastestmirror, langpacks
Resolving Dependencies
--> Running transaction check
---> Package nano.x86_64 0:2.3.1-10.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

Now let’s check for updates.

[root@centos rdc]# yum list updates
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.keystealth.org
 * epel: pubmirror1.math.uh.edu
 * extras: centos.den.host-engine.com
 * updates: repos.forethought.net
Updated Packages
NetworkManager.x86_64           1:1.4.0-17.el7_3       updates
NetworkManager-adsl.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-glib.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-libnm.x86_64     1:1.4.0-17.el7_3       updates
NetworkManager-team.x86_64      1:1.4.0-17.el7_3       updates
NetworkManager-tui.x86_64       1:1.4.0-17.el7_3       updates
NetworkManager-wifi.x86_64      1:1.4.0-17.el7_3       updates
audit.x86_64                    2.6.5-3.el7_3.1        updates
audit-libs.x86_64               2.6.5-3.el7_3.1        updates
audit-libs-python.x86_64

As depicted, we have a few dozen updates pending installation. Actually, there are about 100 updates in total, since we have not yet configured automatic updates. So let’s install all pending updates.

[root@centos rdc]# yum update
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.usc.edu
 * epel: pubmirror1.math.uh.edu
 * extras: repos.forethought.net
 * updates: repos.forethought.net
Resolving Dependencies
--> Running transaction check
---> Package NetworkManager.x86_64 1:1.4.0-14.el7_3 will be updated
---> Package NetworkManager.x86_64 1:1.4.0-17.el7_3 will be an update
 selinux-policy            noarch      3.13.1102.el7_3.15      updates     414 k
 selinux-policy-targeted   noarch      3.13.1102.el7_3.15      updates     6.4 M
 systemd                   x86_64      21930.el7_3.7           updates     5.2 M
 systemd-libs              x86_64      21930.el7_3.7           updates     369 k
 systemd-python            x86_64      21930.el7_3.7           updates     109 k
 systemd-sysv              x86_64      21930.el7_3.7           updates     63 k
 tcsh                      x86_64      6.18.01-13.el7_3.1      updates     338 k
 tzdata                    noarch      2017a1.el7              updates     443 k
 tzdata-java               noarch      2017a1.el7              updates     182 k
wpa_supplicant             x86_64      1:2.021.el7_3           updates     788 k

Transaction Summary
===============================================================================
  Install   2 Packages
  Upgrade  68 Packages
Total size: 196 M
Total download size: 83 M
Is this ok [y/d/N]:

After hitting the "y" key, the update of CentOS 7 will commence. The general process that yum goes through when updating is −

  1. Checks the current packages

  2. Looks in the repository for updated packages

  3. Calculates dependencies needed for updated packages

  4. Downloads updates

  5. Installs updates

Now, let’s make sure our system is up to date −

[root@centos rdc]# yum list updates
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * updates: mirror.compevo.com

[root@centos rdc]#

As you can see, there are no updates listed.

Configure Automatic Updates for YUM

In an enterprise environment, as mentioned earlier, automatic updates may or may not be the preferred method of installing updates. Let’s go over the steps for configuring automatic updates with yum.

First, we install a package called yum-cron.

[root@centos rdc]# yum -y install yum-cron
Install  1 Package
Total download size: 61 k
Installed size: 51 k
Downloading packages:
yum-cron-3.4.3-150.el7.centos.noarch.rpm                   |  61 kB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : yum-cron-3.4.3-150.el7.centos.noarch                       1/1
  Verifying  : yum-cron-3.4.3-150.el7.centos.noarch                       1/1

Installed:
 yum-cron.noarch 0:3.4.3-150.el7.centos

Complete!

[root@centos rdc]#

By default, yum-cron will only download updates and not install them. Whether to install updates automatically is up to the administrator. The biggest caveat is that some updates require a system reboot. Also, some updates may require a configuration change before services are operational again.

Updating dependencies can create a cascading problem in the following situation −

  1. An update is recommended by yum for a certain library

  2. The library only supports Apache Server 2.4, but we have server 2.3

  3. Our commerce site relies on a certain version of PHP

  4. The new version of Apache installed for the library requires upgrading PHP

  5. Our production web applications have not yet been tested with the newer PHP version

Unless configured not to, yum may go ahead and automatically upgrade Apache and PHP without notice.

If all 5 scenarios play out, the result can be anything from a big headache in the morning to a possible security compromise exposing user data. While the example above is a perfect storm of sorts, we never want such a scenario to play out.

It is up to the administrator to assess the potential revenue loss from the time needed to restore services after downtime caused by update reboots and reconfigurations. Automatic updates may not be conservative enough for, say, a multi-million-dollar-per-day e-commerce site with millions of customers.

Now let’s configure yum-cron to automatically install system updates.

[root@centos rdc]# vim /etc/yum/yum-cron.conf
# Whether updates should be applied when they are available.  Note
# that download_updates must also be yes for the update to be applied.
apply_updates = yes

We want to change apply_updates = no to apply_updates = yes. Note the comment in the file: download_updates must also be yes, or nothing is applied. Now let’s configure the update interval for yum-cron.
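As an added example (not part of the tutorial), a small POSIX shell helper that makes the apply_updates change above idempotently, adds update_cmd = security for the security-only variant listed as the third approach at the top of the page, and refuses the combination the config file's own comment warns about (apply_updates = yes without download_updates = yes). The function names, the sample config content and the /etc/yum/yum-cron.conf path are assumptions; update_cmd = security is a stock yum-cron option that the page itself does not show.

```shell
#!/bin/sh
# Added example, not from the tutorial: edit yum-cron options idempotently and
# check that the combination actually does something. Functions take the config
# path as $1, so try them on a copy of /etc/yum/yum-cron.conf (assumed path) first.

# Print the value of KEY ($2) in FILE ($1); empty if unset.
yumcron_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Set KEY ($2) to VALUE ($3) in FILE ($1): rewrite an existing line in place,
# otherwise append it (a missing key silently keeps yum-cron's built-in default).
yumcron_set() {
    if grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"; then
        sed -i "s/^[[:space:]]*$2[[:space:]]*=.*/$2 = $3/" "$1"
    else
        printf '%s = %s\n' "$2" "$3" >> "$1"
    fi
}

# Return 1 when apply_updates = yes is paired with download_updates != yes:
# the config file's own comment says nothing gets applied in that case.
yumcron_check() {
    if [ "$(yumcron_get "$1" apply_updates)" = yes ] &&
       [ "$(yumcron_get "$1" download_updates)" != yes ]; then
        echo "apply_updates = yes needs download_updates = yes" >&2
        return 1
    fi
    return 0
}
# Third approach from the text: apply only security updates automatically.
# update_cmd = security is a stock yum-cron option not shown on the page.
configure_security_autoupdate() {
    yumcron_set "$1" update_cmd security
    yumcron_set "$1" download_updates yes
    yumcron_set "$1" apply_updates yes
    yumcron_check "$1"
}

# Constructed sample of the relevant [commands] keys with stock defaults.
make_sample_conf() {
    printf '[commands]\nupdate_cmd = default\nupdate_messages = yes\n' > "$1"
    printf 'download_updates = yes\napply_updates = no\n' >> "$1"
}

conf=$(mktemp)
make_sample_conf "$conf"
configure_security_autoupdate "$conf" && cat "$conf"
rm -f "$conf"
```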

Again, whether to use automatic updates and install updates on demand can be a double-edged sword and needs to be weighed by an administrator for each unique situation.