All about Release Patches Britain Connected / OVH
Release Patches are bash scripts that are downloaded and executed on a dedicated server. To make update see: SshOnDedicated
Advantages of patches :
- rapidity,
- simplicity,
- stability.
Attention! Do not apply patches if your server is personalised on the level of configuration, that is mysql, apache, php. All the options of compilation will be lost.
Attention! Some releases are security patches, if you don't install them you risk that your server will be hacked .
Vocabulary
Release or patch : a script downloaded to and executed on a dedicated server. E.g.:
wget ftp://ftp.ovh.net/made-in-ovh/release/patch-1.38-1.39.sh -O patch-1.38-1.39.sh; sh patch-1.38-1.39.sh
When the script is downloaded, it verifies whether it's an appropriate version before the actual execution of it. It prevents doing release 1.38 before 1.34. The releases should be applied in order. The first one is 1.04. If you try to apply them chaotically, they won't work.
Philosophy
For the proper functioning of releases, there is a system of blocking which only allows executing script in order. There is a file /etc/ovhrelease where the present release version is remembered.
The new release verifies if the one stored in the file is his predecessor.
root@ns30096 root# cat /etc/ovhrelease
1.37
1.37
After every release, the /etc/issue is updated, which allows checking the release version during the connection to the server:
Red Hat Linux release 7.2 (Enigma)
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.37
ip : 213.186.42.25
hostname : ns30096.ovh.net
root@ns30096 root#
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.37
ip : 213.186.42.25
hostname : ns30096.ovh.net
root@ns30096 root#
You may check the release version and the IP of server using your screen and keyboard. It saves your time because there's no need to connect to the server.
Changelog
Changelog is available at this link:
ftp://ftp.ovh.net/made-in-ovh/release/CHANGELOG.release
Applying release after release
In order to apply a release, you need to connect via SSH and copy the command:
root@ns30096 root# wget ftp://ftp.ovh.net/made-in-ovh/release/patch-1.37-1.38.sh -O patch-1.37-1.38.sh; sh patch-1.37-1.38.sh
[...]
[...]
The installation will be launched. It may take several minutes.
[...]
Arrêt de sshd : OK
Démarrage de sshd : OK
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6i engine Feb 19 2003
root@ns30096 root# cat /etc/issue
Red Hat Linux release 7.2 (Enigma)
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.38
ip : 213.186.42.25
hostname : ns30096.ovh.net
Arrêt de sshd : OK
Démarrage de sshd : OK
OpenSSH_3.7.1p2, SSH protocols 1.5/2.0, OpenSSL 0.9.6i engine Feb 19 2003
root@ns30096 root# cat /etc/issue
Red Hat Linux release 7.2 (Enigma)
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.38
ip : 213.186.42.25
hostname : ns30096.ovh.net
We've just passed from a release 1.37 to 1.38 and a sshd server has been updated.
Applying all releases
To avoid verification of every patch, you may execute patch-all.sh. It installs patches in the correct order.
root@ns30096 root# wget ftp://ftp.ovh.net/made-in-ovh/release/patch-all.sh -O patch-all.sh; sh patch-all.sh
[...]
[...]
patch-all.sh -it launches the system verification and installs necessary elements.
Red Hat Linux release 7.2 (Enigma)
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.39
ip : 213.186.42.25
hostname : ns30096.ovh.net
[...]
Linux ns30096.ovh.net 2.4.19 #2 SMP mer nov 20 17:40:06 CET 2002 i686 unknown
machine : 2344
release : 1.39
ip : 213.186.42.25
hostname : ns30096.ovh.net
[...]
This is 1.39 version.
Other functions
Patch-all.sh -it also sets the correct time on your server. First, the clock skew is counted, then clockspeed, installed on your server, synchronizes periodically the time using the clock skew value. Do not synchronize time too often, only rare synchronizations are fully reliable.
Without release
Server which wasn't updated with a release, may be updated with patches. Patches are automatized scripts, tested on various platforms and able to identify them. As every server is different, there is a possibility to download, edit, modify and install the patches. If a compilation problem appears, look for help on one of our mailing lists, such as ad@ml.ovh.net. Please do not direct your questions to our technical support.
Patches are on ftp://ftp.ovh.net/made-in-ovh/patch . There are:
- patches for Apache (web server):
-rwxr-xr-x 3517 jui 7 2002 apache_1.3.26+mod_ssl-2.8.10+php_4.2.1.sh
-rwxr-xr-x 3517 jui 22 2002 apache_1.3.26+mod_ssl-2.8.10+php_4.2.2.sh
-rwxr-xr-x 3517 sep 11 2002 apache_1.3.26+mod_ssl-2.8.10+php_4.2.3.sh
-rwxr-xr-x 3656 oct 4 2002 apache_1.3.27+mod_ssl-2.8.11+php_4.2.3.sh
-rwxr-xr-x 4567 jun 20 2003 apache_1.3.27+mod_ssl-2.8.14+php_4.3.2.sh
-rwxr-xr-x 4567 aou 31 2003 apache_1.3.28+mod_ssl-2.8.15+php_4.3.3.sh
-rwxr-xr-x 4601 déc 4 21:44 apache_1.3.29+mod_ssl-2.8.16+php_4.3.4.sh
- patches for bind (named)
-rwxr-xr-x 825 jui 7 2002 named_8.3.3.sh
-rwxr-xr-x 2320 jui 22 15:55 named_9.2.1-noshell.sh
-rwxr-xr-x 2407 jui 8 2002 named_9.2.1.sh
- patches for ssh
-rw-r--r-- 2481 sep 29 02:23 rebuild-ssh-auto.sh
-rw-r--r-- 2188 mar 24 2003 rebuild-ssh-downgrad.sh
-rw-r--r-- 2564 sep 28 20:10 rebuild-ssh.sh
- patches for ssl
-rw-r--r-- 1086 mar 24 2003 rebuild-ssl-downgrad.sh
-rw-r--r-- 1079 mar 23 2003 rebuild-ssl.sh
- other:
-rw-r--r-- 1234 jun 17 12:25 patch_reboot.sh
-rw-r--r-- 403 mar 4 2002 patch_resolv.sh
-rwxr-xr-x 627 jun 2 14:28 check_reboot.sh
-rw-r--r-- 634 jui 10 2002 a_l_heure.sh
-rwxr-xr-x 2230 aou 22 2002 rc.sysinit.patch.sh
Examples without release
This is a server with older ssh and openssl:
# ssh -V
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
- openssl version
First the compilation of openssl is required as it's used by other applications, such as
apache, ssh, qmail etc
5 minutes later
# openssl version
OpenSSL 0.9.6l engine 04 Nov 2003
OpenSSL 0.9.6l engine 04 Nov 2003
We have an appropriate version of openssl. Now it's time for ssh:
# wget ftp://ftp.ovh.net/made-in-ovh/patch/rebuild-ssh.sh -O rebuild-ssh.sh
- sh rebuild-ssh.sh
- ssh -V
Update:
# uname -a
Linux ns3060.ovh.net 2.4.16 #1 lun déc 17 15:22:27 CET 2001 i686 unknown
$ ssh xxxxxx
Linux ns3060.ovh.net 2.4.16 #1 lun déc 17 15:22:27 CET 2001 i686 unknown
- cat /proc/cpuinfo
- wget ftp://ftp.ovh.net/made-in-ovh/bzImage/bzImage-2.4.25-grs-piii*]*
- wget ftp://ftp.ovh.net/made-in-ovh/bzImage/System.map-2.4.25-grs-piii**
- pico /etc/lilo.conf
- /sbin/lilo
- reboot
- logout
$ ssh xxxxxx
- uname -a
Apache compilation:
# wget ftp://ftp.ovh.net/made-in-ovh/patch/apache_1.3.29+mod_ssl-2.8.16+php_4.3.4.sh
cat: /etc/ovhrelease: Żaden plik ani katalog tego typu
release tego systemu to
IMPORTANT:
verification of available version openssl:
OpenSSL 0.9.6l engine 04 Nov 2003
OpenSSL 0.9.6d 9 May 2002
- sh apache_1.3.29+mod_ssl-2.8.16+php_4.3.4.sh
cat: /etc/ovhrelease: Żaden plik ani katalog tego typu
release tego systemu to
IMPORTANT:
verification of available version openssl:
OpenSSL 0.9.6l engine 04 Nov 2003
OpenSSL 0.9.6d 9 May 2002
Incorrect. It means there is a version compiled manually:
# rm -rf /usr/local/ssl
From the beginning:
# cd
cat: /etc/ovhrelease: No file or repertory of this type
the release of the system is
IMPORTANT
verification of available version openssl
OpenSSL 0.9.6l engine 04 Nov 2003
[...]
- sh apache_1.3.29+mod_ssl-2.8.16+php_4.3.4.sh
cat: /etc/ovhrelease: No file or repertory of this type
the release of the system is
IMPORTANT
verification of available version openssl
OpenSSL 0.9.6l engine 04 Nov 2003
[...]
15 minutes later:
make1: Quitte le répertoire `/home/ovh/src/apache_1.3.29'
src
If the compilation wasn't successful, you may
install the working version using
the commands :
cd /home/ovh/src/apache_1.3.29
make install
/etc/rc.d/init.d/httpd restart
Then check what version is the latest
/usr/local/apache/bin/httpd -v
/usr/local/bin/php -v
Starting httpd: Syntax error on line 191 of /usr/local/apache/conf/httpd.conf:
Missing, invalid, or non-numeric port
FAILED
Starting httpd: OK
Server built: Nov 12 2003 20:31:33
The Zend Engine API version 20021010 which is installed, is newer.
Contact Zend Technologies at http://www.zend.com/ for a later version of Zend Optimizer.
PHP 4.3.4 (cgi) (built: Nov 12 2003 20:30:11)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
src
If the compilation wasn't successful, you may
install the working version using
the commands :
cd /home/ovh/src/apache_1.3.29
make install
/etc/rc.d/init.d/httpd restart
Then check what version is the latest
/usr/local/apache/bin/httpd -v
/usr/local/bin/php -v
- cd /home/ovh/src/apache_1.3.29
- make install
- /etc/rc.d/init.d/httpd restart
Starting httpd: Syntax error on line 191 of /usr/local/apache/conf/httpd.conf:
Missing, invalid, or non-numeric port
FAILED
- pico /usr/local/apache/conf/httpd.conf
- /etc/rc.d/init.d/httpd restart
Starting httpd: OK
- /usr/local/apache/bin/httpd -v
Server built: Nov 12 2003 20:31:33
- /usr/local/bin/php -v
The Zend Engine API version 20021010 which is installed, is newer.
Contact Zend Technologies at http://www.zend.com/ for a later version of Zend Optimizer.
PHP 4.3.4 (cgi) (built: Nov 12 2003 20:30:11)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
