Hi all,
I have difficulties to understand the output of yum-plugin-security.
I am on a X86_64 machine and when I query for security updates, yum lists i686 packages, that I don't have installed.
-------------------- # yum check-update --security Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile * base: centos.mirror.linuxwerk.com * epel: mirrors.n-ix.net * extras: centos.mirror.sharkservers.co.uk * updates: centos.mirror.sharkservers.co.uk Limiting package lists to security relevant ones No packages needed for security; 34 packages available
cyrus-sasl-devel.i686 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.i686 2.1.23-15.el6_6.1 updates device-mapper-multipath-libs.i686 0.4.9-80.el6_6.1 updates libXfont.i686 1.4.5-4.el6_6 updates nss-softokn.i686 3.14.3-18.el6_6 updates nss-softokn-freebl.i686 3.14.3-18.el6_6 updates perl-libs.i686 4:5.10.1-136.el6_6.1 updates --------------------
I would have expected, that it will list no packages, as it's statement is "No packages needed for security"
When I run the query with no filtering on security relevant packages, it shows the X86_64 versions of the above listed packages.
Do we have a problem of inconsistent data in the repo? Are only the i686 packages marked with "security-update" flag?
-------------------- # yum check-update Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile * base: centos.mirror.linuxwerk.com * epel: mirrors.n-ix.net * extras: centos.mirror.sharkservers.co.uk * updates: centos.mirror.sharkservers.co.uk
cyrus-sasl.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-devel.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.x86_64 2.1.23-15.el6_6.1 updates .. device-mapper-multipath-libs.x86_64 0.4.9-80.el6_6.1 updates .. libXfont.x86_64 1.4.5-4.el6_6 updates .. nss-softokn.x86_64 3.14.3-18.el6_6 updates nss-softokn-freebl.x86_64 3.14.3-18.el6_6 updates .. perl-libs.x86_64 4:5.10.1-136.el6_6.1 updates --------------------
Cheers and thanks for your explanation / instruction
Gabriele
This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g. http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-a...
HTH
-- Sent from the Delta quadrant using Borg technology!
Nux! www.nux.ro
----- Original Message -----
From: "Gabriele Pohl" gp@dipohl.de To: "CentOS mailing list" centos@centos.org Sent: Saturday, 22 November, 2014 11:49:19 Subject: [CentOS] yum-plugin-security
Hi all,
I have difficulties to understand the output of yum-plugin-security.
I am on a X86_64 machine and when I query for security updates, yum lists i686 packages, that I don't have installed.
# yum check-update --security Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones No packages needed for security; 34 packages available
cyrus-sasl-devel.i686 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.i686 2.1.23-15.el6_6.1 updates device-mapper-multipath-libs.i686 0.4.9-80.el6_6.1 updates libXfont.i686 1.4.5-4.el6_6 updates nss-softokn.i686 3.14.3-18.el6_6 updates nss-softokn-freebl.i686 3.14.3-18.el6_6 updates perl-libs.i686 4:5.10.1-136.el6_6.1 updates
I would have expected, that it will list no packages, as it's statement is "No packages needed for security"
When I run the query with no filtering on security relevant packages, it shows the X86_64 versions of the above listed packages.
Do we have a problem of inconsistent data in the repo? Are only the i686 packages marked with "security-update" flag?
# yum check-update Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk
cyrus-sasl.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-devel.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.x86_64 2.1.23-15.el6_6.1 updates .. device-mapper-multipath-libs.x86_64 0.4.9-80.el6_6.1 updates .. libXfont.x86_64 1.4.5-4.el6_6 updates .. nss-softokn.x86_64 3.14.3-18.el6_6 updates nss-softokn-freebl.x86_64 3.14.3-18.el6_6 updates .. perl-libs.x86_64 4:5.10.1-136.el6_6.1 updates
Cheers and thanks for your explanation / instruction
Gabriele _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Sat, 22 Nov 2014 12:44:57 +0000 (GMT) Nux! nux@li.nux.ro wrote:
This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g. http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-a...
HTH
yes it helped thanks!
Although the state of the thing itself is not very helpful :(
My intention was to automatically get warned, when there are pending security updates. I therefore reworked the "yum" plugin of Munin [1]
But as I see now, this will not work for CentOS as long as the data (a working updateinfo.xml) is not existent in the repos..
I will add a note in the Munin yum plugin to inform other CentOS users about this #fail.
It would be good to add such a hint also in the CentOS package of the yum-plugin-security. Until now there is no info about the no-op nor in the man page neither under /usr/share/doc.
Shall I create a bug report addressing the missing doc? Or will it get answered with "won't fix" as the fix would need to fork an own CentOS version of the plugin, so no longer simply copy the package from upstream (rh)
# rpm -ql yum-plugin-security /etc/yum/pluginconf.d/security.conf /usr/lib/yum-plugins/security.py /usr/lib/yum-plugins/security.pyc /usr/lib/yum-plugins/security.pyo /usr/share/doc/yum-plugin-security-1.1.30 /usr/share/doc/yum-plugin-security-1.1.30/COPYING /usr/share/man/man8/yum-security.8.gz
Cheers,
Gabriele
[1] https://github.com/munin-monitoring/munin/commits/devel/plugins/node.d.linux...
On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
Hi all,
I have difficulties to understand the output of yum-plugin-security.
I am on a X86_64 machine and when I query for security updates, yum lists i686 packages, that I don't have installed.
# yum check-update --security Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk
Limiting package lists to security relevant ones No packages needed for security; 34 packages available
cyrus-sasl-devel.i686 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.i686 2.1.23-15.el6_6.1 updates device-mapper-multipath-libs.i686 0.4.9-80.el6_6.1 updates libXfont.i686 1.4.5-4.el6_6 updates nss-softokn.i686 3.14.3-18.el6_6 updates nss-softokn-freebl.i686 3.14.3-18.el6_6 updates perl-libs.i686 4:5.10.1-136.el6_6.1 updates
I would have expected, that it will list no packages, as it's statement is "No packages needed for security"
When I run the query with no filtering on security relevant packages, it shows the X86_64 versions of the above listed packages.
Do we have a problem of inconsistent data in the repo? Are only the i686 packages marked with "security-update" flag?
# yum check-update Loaded plugins: changelog, fastestmirror, security Loading mirror speeds from cached hostfile
- base: centos.mirror.linuxwerk.com
- epel: mirrors.n-ix.net
- extras: centos.mirror.sharkservers.co.uk
- updates: centos.mirror.sharkservers.co.uk
cyrus-sasl.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-devel.x86_64 2.1.23-15.el6_6.1 updates cyrus-sasl-lib.x86_64 2.1.23-15.el6_6.1 updates .. device-mapper-multipath-libs.x86_64 0.4.9-80.el6_6.1 updates .. libXfont.x86_64 1.4.5-4.el6_6 updates .. nss-softokn.x86_64 3.14.3-18.el6_6 updates nss-softokn-freebl.x86_64 3.14.3-18.el6_6 updates .. perl-libs.x86_64 4:5.10.1-136.el6_6.1 updates
CentOS only tests that things work when doing all updates ... it does not test any other grouping of packages.
In reality that is also true for upstream support as well ... see the first line in any upstream update in the solutions section. Here is an example:
https://rhn.redhat.com/errata/RHSA-2014-1870.html
First line in Solution Section:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
That does not say pick and choose errata or only install security errata. In reality, one should only NOT install an update if that update causes problems. That is any Errata update, not just security updates.
The reason, all updates are built on a staged system. Any updates built today are built on / linked against the updates from yesterday.
If you use a perl package (that is an example name, could be any package) built against today's update set on 6.3 .. it may or may not work at all, or work correctly. It also could possibly introduce security issues never tested for because that combination is unique to your install.
I might work fine, it might be horrible.
On Sat, 22 Nov 2014 08:00:50 -0600 Johnny Hughes johnny@centos.org wrote:
On 11/22/2014 05:49 AM, Gabriele Pohl wrote:
I have difficulties to understand the output of yum-plugin-security.
# yum check-update --security
CentOS only tests that things work when doing all updates ... it does not test any other grouping of packages.
when I install the updates I usually install all pending updates btw.
As written in my other mail, the intention is to get triggered when security updates are pending.
fyi and cheers,
Gabriele
On Sat, 22 Nov 2014 15:32:32 +0100 Gabriele Pohl wrote:
As written in my other mail, the intention is to get triggered when security updates are pending.
If you just want to be notified (or start a job, or whatever) then why not set up something to watch the centos-announce list, parse the subject lines for "Security", and then do whatever you need to do after that.
On Sat, Nov 22, 2014 at 12:07:00PM -0600, Frank Cox wrote:
If you just want to be notified (or start a job, or whatever) then why not set up something to watch the centos-announce list, parse the subject lines for "Security", and then do whatever you need to do after that.
You're actually going to want to look for 'CESA' which indicates a security update announcement.
John
On Sat, 22 Nov 2014 12:07:00 -0600 Frank Cox theatre@melvilletheatre.com wrote:
On Sat, 22 Nov 2014 15:32:32 +0100 Gabriele Pohl wrote:
As written in my other mail, the intention is to get triggered when security updates are pending.
why not set up something to watch the centos-announce list, parse the subject lines for "Security", and then do whatever you need to do after that.
because I want the alert for my individual machines. So the proposed method is no solution for an automagical trigger :)
As said in my earlier mail I use Munin for system monitoring and want the raven to croak when a node has pending security updates:
http://gallery.munin-monitoring.org/distro/plugins/node.d.linux/yum.html
But thanks for sharing your idea ~
Cheers,
Gabriele
On Sat, 22 Nov 2014 19:52:30 +0100 Gabriele Pohl wrote:
because I want the alert for my individual machines. So the proposed method is no solution for an automagical trigger :)
You still can do that without expending too much effort.
One way would be to monitor centos-announce, parse the subject lines, copy the security update filenames to a text or database file. (sqlite is made for this kind of thing.) You can either keep a list on each machine or have a central data repository, whichever suits you best.
Then all you need to do is have each machine run "yum check-update" on whatever timed basis you wish. Capture the list of pending updates, compare it against your database, and then do your thing.
On Sat, 22 Nov 2014 13:17:59 -0600 Frank Cox theatre@melvilletheatre.com wrote:
On Sat, 22 Nov 2014 19:52:30 +0100 Gabriele Pohl wrote:
because I want the alert for my individual machines. So the proposed method is no solution for an automagical trigger :)
You still can do that without expending too much effort.
Although the proposal you made is /possible/ to implement, I will not do it, because I think that this is the wrong way to solve the issue.
One way would be to monitor centos-announce, parse the subject lines, copy the security update filenames to a text or database file. (sqlite is made for this kind of thing.) You can either keep a list on each machine or have a central data repository, whichever suits you best.
Pardon me, but I think it is madness to maintain the info outside of yum.
And your method is not suitable to use within Munin monitoring. And a Munin capable solution is what I am looking for with highest priority.
Then all you need to do is have each machine run "yum check-update" on whatever timed basis you wish. Capture the list of pending updates, compare it against your database, and then do your thing.
I don't like to spend time in creating ugly workarounds.. and therefore would highly appreciate if the CentOS-Developers will add the data to the yum repositories. Then I can use Munin to monitor the pending security packages also for CentOS as now only for my RHEL machines.
All the best and thanks again,
Gabriele
On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
I don't like to spend time in creating ugly workarounds.. and therefore would highly appreciate if the CentOS-Developers will add the data to the yum repositories. Then I can use Munin to monitor the pending security packages also for CentOS as now only for my RHEL machines.
It's not that simple. Please have a look at the list archives in the past couple months where this was addressed. The threads were either here or on the centos-devel mailing list.
http://lists.centos.org/pipermail/centos http://lists.centos.org/pipermail/centos-devel
If memory serves the primary factor that is holding this up is a space requirements issue; the threads can shed more light on it, however.
John
On Sat, 22 Nov 2014 17:10:40 -0600 "John R. Dennison" jrd@gerdesas.com wrote:
On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
I don't like to spend time in creating ugly workarounds.. and therefore would highly appreciate if the CentOS-Developers will add the data to the yum repositories. Then I can use Munin to monitor the pending security packages also for CentOS as now only for my RHEL machines.
It's not that simple. Please have a look at the list archives in the past couple months where this was addressed. The threads were either here or on the centos-devel mailing list.
thanks to Nux! who posted the following link in the first reply of this thread:
---------------------------- Begin forwarded message:
Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT) From: Nux! nux@li.nux.ro To: CentOS mailing list centos@centos.org Subject: Re: [CentOS] yum-plugin-security
This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g. http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-a... ----------------------------
I read this thread and also another, which is refered to therein: http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
If memory serves the primary factor that is holding this up is a space requirements issue; the threads can shed more light on it, however.
To tell the truth, as a person who is not familiar with the internal structures and procedures of tree building and maintenance of the repositories, I don't really understand why it should be so difficult to handle a "security-update" flag for the update packages, but I have to believe the experts, who make statements on this topic.
Here is what I picked up when reading the thread from devel list:
1. For a valid approach data for all packages over the complete history of the major version is needed.
2. At the time the data is only sent to the announce mailing list and it will need a big effort with also manual work to collect all the data back from there.
3. "it would add significantly to the size required to mirror CentOS and require a redesign of how we do trees completely (we currently only push the latest tree for each live major version)." (Johnny Hughes)
4. The developers fear that the yum-plugin-security functions may seduce people to only install the security relevant packages, which can cause problems.
5. The tools used by scientific linux repo maintainers, who support a security classification, are availabe under free software license. https://cdcvs.fnal.gov/redmine/projects/python-updateinfo
My personal view is represented by the mails of Kevin Stange in this thread. And I still hope that the issue will be solved by integrating the "security update" flag into the CentOS repositories in the future.
so far and thanks for your replies to all contributors in this thread,
Gabriele
We have an alert for CentOS packages with security updates, and I was curious how it works. Turns out that what it does is do a search engine search for
[$package $version site:https://rhn.redhat.com/errata/]
{yeah, doesn't even put $version in quotes!}
And then fetches the top result looking for the string /Security Advisory/
We update all packages to tip whenever we update. This not-completely-accurate method turns the ordinary "you have some updates, zzzz" to the occasional "you have security updates! zomg!"
Amusing. Keeps people awake.
Anyway, if we did have such a tool, we should definitely build it such that the only thing it does is look at your current machine and say, "you're not at tip, and some of your packages have security problems. update to tip." That would not increase the size of the tree nor encourage people to unsafely do partial updates. And it wouldn't require a huge historical analysis.
-- greg
On Sun, Nov 23, 2014 at 01:54:49AM +0100, Gabriele Pohl wrote:
On Sat, 22 Nov 2014 17:10:40 -0600 "John R. Dennison" jrd@gerdesas.com wrote:
On Sat, Nov 22, 2014 at 11:41:17PM +0100, Gabriele Pohl wrote:
I don't like to spend time in creating ugly workarounds.. and therefore would highly appreciate if the CentOS-Developers will add the data to the yum repositories. Then I can use Munin to monitor the pending security packages also for CentOS as now only for my RHEL machines.
It's not that simple. Please have a look at the list archives in the past couple months where this was addressed. The threads were either here or on the centos-devel mailing list.
thanks to Nux! who posted the following link in the first reply of this thread:
Begin forwarded message:
Date: Sat, 22 Nov 2014 12:44:57 +0000 (GMT) From: Nux! nux@li.nux.ro To: CentOS mailing list centos@centos.org Subject: Re: [CentOS] yum-plugin-security
This plugin does not work on CentOS, at least not yet, there were previous discussions. e.g. http://centos-devel.1051824.n5.nabble.com/CentOS-devel-yum-plugin-security-a...
I read this thread and also another, which is refered to therein: http://lists.centos.org/pipermail/centos-devel/2014-September/011893.html
If memory serves the primary factor that is holding this up is a space requirements issue; the threads can shed more light on it, however.
To tell the truth, as a person who is not familiar with the internal structures and procedures of tree building and maintenance of the repositories, I don't really understand why it should be so difficult to handle a "security-update" flag for the update packages, but I have to believe the experts, who make statements on this topic.
Here is what I picked up when reading the thread from devel list:
- For a valid approach data for all packages over
the complete history of the major version is needed.
- At the time the data is only sent to the announce mailing list
and it will need a big effort with also manual work to collect all the data back from there.
- "it would add significantly to the size required to
mirror CentOS and require a redesign of how we do trees completely (we currently only push the latest tree for each live major version)." (Johnny Hughes)
- The developers fear that the yum-plugin-security functions
may seduce people to only install the security relevant packages, which can cause problems.
- The tools used by scientific linux repo maintainers,
who support a security classification, are availabe under free software license. https://cdcvs.fnal.gov/redmine/projects/python-updateinfo
My personal view is represented by the mails of Kevin Stange in this thread. And I still hope that the issue will be solved by integrating the "security update" flag into the CentOS repositories in the future.
so far and thanks for your replies to all contributors in this thread,
Gabriele _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-
Frank Cox -
Gabriele Pohl -
Greg Lindahl -
John R. Dennison -
Johnny Hughes -
Nux!