The Opmantek Machine is, like all networked computer systems, subject to the usual requirements regarding patching software for security holes, general care, periodic adjustments and so on. The Machine comes with log rotation and other standard management services enabled, but this is no substitute for a trained system administrator's watchful eye.
For example, it's very much recommended to run yum check-update periodically, e.g. once monthly, to learn of important software updates, and to apply them using yum upgrade.
Some customers are reluctant to grant any of their servers (or the Opmantek Machine) direct access to the Internet. In normal operation that doesn't limit the Machine in any way (as long as there is a source of DNS and NTP available), but updating (our or other) software on the Machine would be made impossible.
To deal with software maintenance in such highly restrictive environments we do recommend that you provide a web proxy for servers that otherwise cannot download updated software packages; you might want to run said proxy only temporarily, with authentication required or filtering, e.g. only serving files from particular web locations. Setting up a proxy like the well-known and -tested Squid proxy server is a minimal effort (even with authentication) and well worth the improved maintainability of your infrastructure.
The package manager (yum) used by the underlying operating system (CentOS) can be configured easily to use a proxy server for Internet access, and the same is true for installing Perl modules via CPAN.
You need to edit /etc/yum.conf (nano is likely your best choice for a simple editor if you have no real preferences), and add a block like the following somewhere to the section labelled "[main]":

    [main]
    # lots of other directives
    proxy=http://mycache.mydomain.com:3128
    # The account details for yum connections, IF your proxy enforces authentication
    proxy_username=yum-user
    proxy_password=qwerty

After you've made those changes you should run yum check-update to verify that it can access the package repositories in question.
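A small audit of the settings above, as an added example that is not part of the original page or Opmantek's tooling: it confirms that proxy= is set in the [main] section and flags the case where proxy_password sits in a file that accounts other than its owner can access. The function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit yum proxy settings.

# Print the proxy* keys found in the [main] section of a yum.conf, one per line.
main_proxy_keys() {
    awk -F= '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && /^[ \t]*proxy(_username|_password)?[ \t]*=/ {
            gsub(/[ \t]/, "", $1); print $1
        }' "$1"
}

# Return codes:
#   0  proxy is set and any stored password is accessible to the owner only
#   1  no proxy= in [main], or password stored in a group/world-accessible file
#   2  the file could not be read
audit_yum_proxy() {
    conf=$1
    keys=$(main_proxy_keys "$conf") || return 2
    echo "$keys" | grep -qx proxy || { echo "no proxy= in [main]" >&2; return 1; }
    if echo "$keys" | grep -qx proxy_password; then
        mode=$(stat -c %a "$conf")   # octal mode, e.g. 644 (GNU stat)
        case "$mode" in
            *00) ;;                  # no group/other permission bits
            *) echo "proxy_password in $conf with mode $mode" >&2; return 1 ;;
        esac
    fi
    return 0
}

# Usage: sh audit_yum_proxy.sh /etc/yum.conf
if [ "$#" -eq 1 ]; then
    audit_yum_proxy "$1" && echo "yum proxy settings look sane"
fi
```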
The following applies primarily to updating NMIS as all other software ships in compiled/stand-alone form.
If you decide to extend your deployed Opmantek Machine with new Opmantek packages (or update existing software packages), then it may be necessary occasionally to install extra Perl packages from CPAN (the Comprehensive Perl Archive Network).
The NMIS installer/updater automates these installation steps using the cpan tool, which is proxy-capable as well.
To configure cpan to use a proxy, start the tool (as root) and tell it to run the proxy configuration dialog; it will then ask you for the relevant settings:

    # become root, su or sudo bash
    cpan
    o conf init /proxy/
    # and answer the questions as displayed

A variation of the above is also possible, if (and only if) you are accessing the Internet (from your desktop) using a proxy server, and if (and only if) you are accessing the Machine via SSH. In that case you can use SSH port forwarding to temporarily grant the Machine access to your proxy.
You have to select an unused high port number, and you need to know your web proxy address and port number. In this example I'll use 8888 as the high port number, and let's assume my proxy is at proxy.opmantek.com and works on port 3128.
With plain command-line ssh I'd use the following invocation to establish that port forwarding:

    ssh -v -R 8888:proxy.opmantek.com:3128 root@the_Machine_name_or_address

For PuTTY, I'd go to the configuration menu, SSH, Tunnels and add 8888 as source port, select "Remote" and add proxy.opmantek.com:3128 as destination. Then I'd connect to the Machine.
Configure the Machine's yum and cpan to use localhost:8888, possibly configure proxy authentication, and things will work as if the Machine had direct proxy access.
You'll be able to use localhost:8888 on the Machine as the proxy address, precisely while your SSH connection is open. Once you disconnect, port 8888 closes down, and the proxy becomes inaccessible.
If you have another (virtual) system that does have Internet access, then it is possible to collect the prerequisites on that system and then transfer them over onto the final server. This does, however, require some manual work on the command line and a modicum of Linux skills. We've tested this with CentOS 6 systems, but can't guarantee that it'll work precisely the same everywhere.
To do so you'll need another (temporary!) instance of the Opmantek Machine running with Internet access enabled, which could easily be just in VirtualBox on your desktop, for example. You would then have to follow the procedure described below:
/etc/yum.conf so that there's a line like this: keepcache=1
/var/cache/yum.
/etc/yum.repos.d, /var/cache/yum and /root/.cpan (primarily if you're upgrading NMIS).

    zip -r /tmp/captured.zip /etc/yum.repos.d /var/cache/yum /root/.cpan

/tmp, and then replace the originals like this:

    cd /tmp/
    unzip captured.zip
    rm -f /etc/yum.repos.d/*
    mv ./etc/yum.repos.d/* /etc/yum.repos.d
    rm -rf /var/cache/yum/*
    mv ./var/cache/yum/* /var/cache/yum/
    rm -rf /root/.cpan
    mv ./root/.cpan /root

    yum -C -y install /var/cache/yum/x86_64/6/*/packages/*.rpm

captured.zip on your non-internetted system (and wherever you may have stored it temporarily).
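Because the unpack-and-replace commands above delete the target's repository definitions and caches before moving the captured copies in, it is worth checking captured.zip before running them. The following is an added example, not part of the original page or Opmantek's tooling: it compares the archive against a SHA-256 digest recorded on the capture system and rejects archives whose members fall outside the three captured directories. The function names are hypothetical; sha256sum and unzip are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original page): integrity checks for captured.zip.

# SHA-256 of a file; run on the capture system and carry the value separately.
bundle_digest() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeeds only if file $1 exists and hashes to the expected digest $2.
verify_digest() {
    [ -f "$1" ] || return 2
    [ "$(bundle_digest "$1")" = "$2" ]
}

# Reads archive member names on stdin, one per line. Fails on empty input,
# on any name outside the three captured trees, or on a ".." path component.
# zip stores /etc/yum.repos.d/x as etc/yum.repos.d/x (leading slash removed).
check_members() {
    bad=0
    n=0
    while IFS= read -r name; do
        n=$((n + 1))
        case "$name" in
            ../*|*/../*|*/..) bad=1; echo "rejected: $name" >&2 ;;
            etc/yum.repos.d/*|var/cache/yum/*|root/.cpan/*) ;;
            *) bad=1; echo "rejected: $name" >&2 ;;
        esac
    done
    [ "$n" -gt 0 ] && [ "$bad" -eq 0 ]
}

# Both checks against a real archive; unzip -Z1 lists member names only.
verify_bundle() {
    verify_digest "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    unzip -Z1 "$1" | check_members
}

# Usage on the target: sh verify_bundle.sh /tmp/captured.zip <expected-sha256>
if [ "$#" -eq 2 ]; then
    verify_bundle "$1" "$2" && echo "captured.zip verified"
fi
```

Record the digest with bundle_digest right after the zip step on the capture system, and run verify_bundle on the target before any of the rm commands.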