biggyL Tux's lil' helper
Joined: 31 Jan 2005 Posts: 120 Location: Israel
Posted: Tue Dec 02, 2008 1:54 pm Post subject: Package update script for Enterprise (or production servers)
Hello All,
I want to share a script that I'm using to update packages on my production servers without re-emerging all packages but only the ones affected by GLSA (Gentoo Linux Security Announcements).
I'm running the script every night.
The script:
1) checks for affected packages
2) builds binary packages for the currently affected ones with quickpkg --include-config=y (to quickly create binary packages of the already installed ones with all config files).
3) creates a single script you can run to update all affected packages at once.
4) notifies me by e-mail with a list of affected packages, update script location and backed up packages location.
The script:
Code: |
#!/bin/bash
# Scratch file for the glsa-check output; it later becomes the body of the e-mail
tmp="/tmp/$(cat /proc/sys/kernel/random/uuid)"
update="/root/run-to-update.sh"
glsa="/usr/portage/metadata/glsa"
if [ -f "$tmp" ] ; then
    rm -f "$tmp"
fi
if [ -f "$update" ] ; then
    rm -f "$update"
fi
# Sync the Portage tree so that the GLSA metadata is current
emerge --sync >/dev/null 2>&1
# One line per unapplied GLSA affecting this system; the first column is the GLSA ID
glsa-check -n --list affected 2> /dev/null > "$tmp"
arr=($(awk '{print $1}' "$tmp"))
BUGCOUNT=${#arr[@]}
if [ "$BUGCOUNT" -gt 0 ] ; then
    echo '#!/bin/bash' > "$update"
    echo "#relevant as for $(date +%D)" >> "$update"
    n=0
    while (( n < BUGCOUNT )); do
        echo "/usr/bin/glsa-check -f ${arr[$n]}" >> "$update"
        # Copy the advisory's "# emerge ..." lines (they remain comments in the
        # update script) and decode the XML entities they contain
        grep "# emerge" "$glsa/glsa-${arr[$n]}.xml" | grep -v "emerge --sync" | \
            sed 's/&quot;/"/g' | sed 's/&gt;/>/g' | sed 's/<\/code>//g' >> "$update"
        echo >> "$update"
        let n+=1
    done
    # Starting to build binary archives of currently installed packages
    # quickpkg `sed '/=/!d;s/.*=\(.*\)-[0-9]\{1,\}.*$/\1/' /root/run-to-update.sh`
    quickpkg --include-config=y $(glsa-check -p $(glsa-check -t all 2>/dev/null) | sed -n '/^[[:space:]]\+/s/[[:space:]]*\(.*\)-[0-9]\{1,\}.*$/\1/p')
    # End of building binary archives of currently installed packages
    chmod 700 "$update"
    echo -e "\nRun $update to update the system \n\nIf after the update something goes wrong, you could always go back to your previous version by restoring backed-up package \n\nTo restore your backed-up package (with all its configuration files) run for example (in case you need to restore xorg-x11): emerge --usepkgonly -a =xorg-x11-6.8.2-r8 \n\nIf you can't remember the exact version of backed-up package, you can find it out by running: ls -l /usr/portage/packages/All/" >> "$tmp"
    /bin/mail -s "GLSA_UNAPPLIED for myserver.com" user@gmail.com < "$tmp"
fi
# Remove the scratch file even when no GLSA was found
rm -f "$tmp"
|
I want to thank all the people who helped me to enhance this script and the people who originally wrote this script.
Any improvements or suggestions are very welcome.
|
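One way to harden step 3 of the post above (generating the script that root later runs), as an added example that is not the poster's code: the first column of the glsa-check list is accepted only if it looks like a GLSA ID, and the script is staged with mktemp and renamed into place. The function names, the YYYYMM-NN pattern and the sample input are assumptions made for this example.

```bash
#!/bin/bash

# Assumption: IDs look like YYYYMM-NN, matching the glsa-YYYYMM-NN.xml file names.
is_glsa_id() {
    case $1 in
        [0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# build_update_script OUTFILE
# Reads `glsa-check -n --list affected` output on stdin, prints the number of
# accepted IDs, and returns 1 (writing nothing) if no line carried a valid ID.
build_update_script() {
    local out staged count id rest
    out=$1; count=0
    # Stage next to the target: mktemp creates a new file exclusively, mode 600
    staged=$(mktemp "$out.XXXXXX") || return 2
    {
        printf '#!/bin/bash\n# relevant as of %s\n' "$(date +%F)"
        while read -r id rest; do
            [ -n "$id" ] || continue
            if is_glsa_id "$id"; then
                printf '/usr/bin/glsa-check -f %s\n' "$id"
                count=$((count + 1))
            else
                echo "skipped a line whose first column is not a GLSA ID" >&2
            fi
        done
    } > "$staged"
    if [ "$count" -eq 0 ]; then
        rm -f "$staged"
        echo 0
        return 1
    fi
    # Publish atomically: the target is either the old file or the complete new one
    chmod 700 "$staged" && mv -f "$staged" "$out" && echo "$count"
}

# Constructed sample input (not real advisories); the second line has a shell
# metacharacter in the ID column and must not reach the generated script.
sample_list='209901-01 [N] constructed entry ( app-misc/example )
209901-02;true [N] constructed entry ( app-misc/example )
209901-03 [N] constructed entry ( dev-libs/example )'
demo_dir=$(mktemp -d)
printf '%s\n' "$sample_list" | build_update_script "$demo_dir/run-to-update.sh"
cat "$demo_dir/run-to-update.sh"
rm -rf "$demo_dir"
```

In the nightly job the function would read the real list, for example `glsa-check -n --list affected 2>/dev/null | build_update_script /root/run-to-update.sh`.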
Insanity5902 Veteran
Joined: 23 Jan 2004 Posts: 1228 Location: Fort Worth, Texas
Posted: Tue Dec 02, 2008 7:40 pm Post subject:
Nice idea, I will have to look into this.
One suggestion, to also perform a quickpkg of the currently installed version, just in case the upgrade borks your services.
_________________
Join the adopt an unanswered post initiative today
|
biggyL Tux's lil' helper
Joined: 31 Jan 2005 Posts: 120 Location: Israel
Posted: Wed Dec 03, 2008 6:48 am Post subject:
Insanity5902 wrote: | Nice idea, I will have to look into this.
One suggestion, to also perform a quickpkg of the currently installed version, just in case the upgrade borks your services. |
This is what this script is already doing
|
Insanity5902 Veteran
Joined: 23 Jan 2004 Posts: 1228 Location: Fort Worth, Texas
|
NewBlackDak Guru
Joined: 02 Nov 2003 Posts: 512 Location: Utah County, UT
Posted: Fri Dec 05, 2008 4:58 am Post subject:
One thing you might work out is cleaning up old versions, so it only keeps 1 version back.
_________________
Gentoo systems.
X2 4200+@2.6 - Athy
X2 3600+ - Myth
UltraSparc5 440 - sparcy
|
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sat Dec 06, 2008 6:39 am Post subject:
Blimey this is weird; I use update -A to check for GLSA updates (or it's done by default with straight update or update -s etc where it's a standard world upgrade; you'd have to check update -h for variants on the theme, I've lost track ;)
NewBlackDak wrote: | One thing you might work out is cleaning up old versions, so it only keeps 1 version back. |
Hmm we always meant to do a thing where it would keep two, in case the one we bumped to was borked despite installing successfully.
biggyL: do please check that 'weird' post for some very useful bash links (and some tips you need, looking at that;)
It also links to the original update script if the current one seems daunting. (If it doesn't, you're insane ;p)