The following excerpt was taken from the book titled Linux Patch Management: Keeping Linux Systems Up to Date, authored by Michael Jang, copyright 2006, Pearson Education, Inc. ISBN 0-13-236675-4. Reproduced by permission of Pearson Education, Inc. All rights reserved. To learn more about the book and for the complete table of contents, please visit the book's Web site.

One of the popular Linux patch management systems is based on the Advanced Package Tool, known as apt. While it was developed for Debian Linux, it is the standard patch management tool for a number of Debian and Red Hat-based distributions, including Knoppix, Xandros, and even the Lineox rebuild of Red Hat Enterprise Linux. But if you prefer apt, the associated tools can be installed on most Linux distributions.

In this chapter, you'll learn the fundamentals of apt, including some of its more useful commands. Then you'll see how you can use apt to maintain a Debian client, beyond the fundamental tools that you learned about in Chapter 1, "Patch Management Systems". Finally, you'll see how you can create and maintain a local apt-based repository for your network.

There are many different commands associated with apt. You reviewed a couple of these commands in Chapter 1. While you can do a lot with apt-cache and apt-get, there are more commands and capabilities.

You should know how to find the best mirrors for your distribution, as well as how to include them in your apt configuration. When you learn how to use various apt commands, you'll learn to appreciate the capabilities of related "all-in-one" tools, including aptitude and the Synaptic Package Manager. If you find apt to your liking, you may need to install it on your chosen distribution. The same apt tools are available for both Debian- and RPM-based distributions.

Installing apt on a Debian-Based Distribution

There are several packages associated with apt. Not all are installed by default. If you want to take full advantage of the apt system, you'll want to install as many apt-related packages as is practical. To find available apt packages on my Debian system, I ran the following command:

apt-cache search apt

When I ran this command, I got a list of 384 packages. That's too much! As you search through this list, you might realize that it includes unrelated packages, such as raptor-utils, because the "apt" string is in its name or description. So you should use a more discriminating search. Without getting too fancy, I find available apt-related packages with the following two commands, where I've added a space before and after the search term (in quotes):

apt-cache search "apt "

apt-cache search " apt"

Because apt-cache is part of the apt package, this of course assumes that you have previously installed apt on your Linux system. These searches reveal a substantial number of packages related to apt. (When you install these packages, the apt system also installs dependencies.) Some of these packages may be redundant, because they provide different ways of doing the same thing. You don't need to install every apt-related package. I've described some of the apt packages I consider important in Table 4-1.

Note: The list shown in Table 4-1 is far from complete. It omits packages that are installed as dependencies to those listed here. It also leaves out other packages with tools that you may prefer. This list and chapter encompass just one formula for patch management.

Installing apt on a RPM-Based Distribution

There are a number of RPM-based distributions that can or do use apt as the primary patch management tool. We'll discuss this in more detail in Chapter 5, "Configuring apt for RPM Distributions".

Configuring apt on Your Computer

As discussed in Chapter 1, the key to apt as a patch management tool is the repositories that you select and include in your apt configuration file, /etc/apt/sources.list. In that chapter, you used the Debian mirror list at www.debian.org/mirror/list to add appropriate sites for your computer and physical location.

Before you configure /etc/apt/sources.list, you should know the different repository categories for your distribution. Debian and other related distributions (e.g. Knoppix, Ubuntu) use different names. You can use the netselect tool to help find the repository mirror best suited to your location.

There are repositories associated with the three current Debian distributions. All three are in use, so you may need to create repositories for each. The three current Debian distributions known are listed here:

Note: While the previous stable version of Debian, known as Woody, is still commonly used, the version before that, known as Potato, is pretty much obsolete. Many mirrors no longer include Potato packages in their repositories.

As of this writing, I use Debian Sarge on my primary laptop computer. I used it even while it was "unstable" and have never had a major problem with associated packages. There are three subcategories associated with each repository, as described in Table 4-2.

Some sources.list options are distribution-specific. For example, Ubuntu Linux (www.ubuntu.com) includes universe and multiverse repositories that correspond loosely to the Debian unstable and contrib / non-free repositories. Because the actual contents of these repositories vary, they are far from exact mirrors.

While many Linux users in principle prefer to use free software packages, this may not always be possible on your network. A lot of important Linux compatible software is released under fairly restrictive licenses, such as some versions of Java and RealPlayer.

There are two basic reasons to select a repository. One is for updates, while the other is for mirroring onto your network. If you're looking for update servers for your /etc/apt/sources.list file, it's in your interest to select more than one repository. If one goes down, you can still get the updates you need. On the other hand, if you're looking for a mirror, you may want to find one that supports rsync access. Some searching and trial and error may be required.

Depending on your situation, you can use the netselect or netselect-apt commands to find the repository or repositories best suited to your needs. If you know that there are only a small number of suitable repositories, try netselect. For example, if you're in the middle of the U.S. Silicon Valley, you might have noticed that the Debian repositories at the University of California at Berkeley (linux.csua.berkeley.edu) and the University of California at Santa Cruz (sluglug.ucsc.edu) are fairly close. Assuming the bandwidth and demand on both servers is approximately the same (it is up to you to check), you can find the one best suited for your system with the following command:

netselect -vv linux.csua.berkeley.edu sluglug.ucsc.edu

With the -vv switch, you can get measurable results that can help you make a judgment. One possible result is shown here:

linux.csua.berkeley.edu 34 ms 13 hops 100% ok (10/10) [ 87]

sluglug.ucsc.edu 38 ms 14 hops 100% ok (10/10) [ 82]

This output lists results in the following order: URL, transmission time, number of hops, percentage and number of successfully transmitted packets, and an overall score based on the transmission time and number of hops. In this case, the scores are close; the results may vary slightly if you repeat this command.

Unfortunately, you can't rely on these tools alone. While distance from a mirror is important, capacity is also an issue. For example, it may be better to connect to a more distant mirror if it has a higher-capacity Internet connection. It may be better to connect to a mirror associated with wealthier sponsors-multi-gigabyte downloads from many thousands of users can be rather expensive. For that reason, Debian strongly discourages downloads direct from the repositories that it owns.

Based on the information so far in this section, you can now customize your /etc/apt/sources.list file with the mirrors best suited for your Debian system. In Chapter 1, you read about adding the following mirrors to this file:

deb ftp://debian.oregonstate.edu/debian/ stable main

deb-src ftp://debian.oregonstate.edu/debian/ stable main

As you now know, the stable distribution is associated with Debian Sarge. The main repository includes only a part of the available packages for this distribution. If you want all Sarge-associated repositories, access the contrib and non-free repositories, as follows:

deb ftp://debian.oregonstate.edu/debian/ stable main contrib non-free

deb-src ftp://debian.oregonstate.edu/debian/ stable main contrib nonfree

I've selected additional repositories for my Debian computer, just in case the Oregon State repository goes down. But if you're in the Silicon Valley, you probably do not want to connect to a repository all the way in Oregon. Based on the mirrors described earlier, you might add the following lines to your sources.list file:

deb ftp://linux.csua.berkeley.edu/debian/ stable main contrib non-free

deb-src ftp://linux.csua.berkeley.edu/debian/ stable main contrib nonfree

deb ftp://sluglug.ucsc.edu/debian/ stable main contrib non-free

deb-src ftp://sluglug.ucsc.edu/debian/ stable main contrib non-free

We'll show you how to use different commands to download a Debian repository for your network later in this chapter.

You can point your /etc/apt/sources.list to a repository on your local network. After you create your own repository using one of the methods described later in this chapter, you can point clients on your local network to that repository. For example, based on the current version of Debian's apache2, Web server files can be stored in the /var/www/apache2-default/ directory. Therefore, if I have a repository on my local web.example.com computer's pub/subdirectory, I could add the following line to my sources.list file:

deb http://web.example.com/pub/ testing main contrib non-free

You can even use locally available sources; for example, if the source ismounted on a shared /var/debian NFS directory, you could use the following line in your sources.list file:

deb file:/var/debian/ testing main contrib non-free

In either case, be careful. Before configuring a locally cached repository on your clients, test it. Back up any clients before testing that repository.

The Basic apt Commands

Before using apt, you should learn more about the basic commands than you may have read about in Chapter 1. This section is far from comprehensive. An excellent place to start is the APT HOWTO, available online from www.debian.org/doc/manuals/apt-howto/index.en.html.

One key command is aptitude. While I described apt-get in Chapter 1, aptitude is in many ways an enhanced version of this command. If you're familiar with apt-get, you can use most of the same options with aptitude. What you use or prefer depends on you.

apt-get and aptitude

Not all Debian-style distributions include aptitude. But for all commands in this section, you can substitute aptitude for apt-get. In fact, you may want to try both versions to see which you prefer.

As described in Chapter 1, the basic command that you can use to install the package of your choice is

apt-get install packagename

But what you get might not be up to date. To keep your databases up to date, download the Packages.gz file, which includes the latest package information from each repository. You don't have to download the file directly. You can update your databases with the help of this file by using the following command:

apt-get update

Note: Sometimes you may see an error in the output from apt-get update. Don't panic. Run the command again. Sometimes the updates that you download the first time fix problems that allow you to complete the update the second time you run that command.

As a systems administrator, you might want to remove some packages on occasion. For example, if you don't want users recompiling their kernels, you could run the following command:

apt-get remove kernel-source

If you want to keep your system up to date, you'll want to become familiar with the following command (the -u switch doesn't work with aptitude):

apt-get -u dselect-upgrade

This is an important command. The -u switch forces apt-get to tell you what is planned for the upgrade. The dselect-upgrade option includes recommended options for packages that are downloaded and installed. This switch is not available for aptitude; the aptitude upgrade mode works just as well.

When you download packages with apt, they're download as .deb packages to the /var/cache/apt/archives directory. As you install and patch your system, the space used by this directory can build into the gigabytes. You should keep this directory clean on a periodic basis. If you just want to purge packages that are now obsolete, you could run the following command:

apt-get autoclean

If you have obsolete packages in your archives, you'll see a series of messages listing the files that are now deleted, such as

Del acroread 5.10-0.2 [9171kB]

If you're really pressed for space, and do not want a patch management repository on this computer, you could run the following command:

apt-get clean

Just remember, this command deletes all files in what you could potentially use as a local patch management repository. (For that reason, if you create a mirror, you may want to use a different directory.)

apt-cdrom

If you've downloaded the CDs associated with your distribution, you can use those as sources for your updates. For example, if you've inserted a Debian CD, all you need to do is run the apt-cdrom add command. But that's not too helpful, as there are more than a dozen CDs associated with Debian Linux.

However, if you've mounted a CD ISO file on a specific directory, such as /mnt/inst1, you could use that information; the -d allows you to specify the mount point:

apt-cdrom -d /mnt/inst1 add