Ask Shadowman: Red Hat Network


April 2002

He's smart. He's mysterious. He's got only one name like Madonna or a Brazilian soccer player. And every month Shadowman answers the toughest technical questions anyone has ever dared ask a two-dimensional logo. This month's mission: To respond to your questions about Red Hat Network. A remarkable feat considering Shadowman's face is missing a mouth...

Join us again in May when Shadowman scales the walls of the enterprise to answer your questions about Red Hat Linux Advanced Server, our new enterprise-class operating system.

Got a question that you'd like Shadowman to answer? Ask him.

Brian M. writes:
I tried using 'tcpdump' and got some interesting info I don't understand. 192.168.0.2 is my linux box, 192.168.0.254 is the router.

-> 23:38:17.562019 eth0 > arp who-has 192.168.0.254 tell 192.168.0.2 (0:50:ba:be:59:65)
-> 23:38:17.562019 eth0 < arp reply 192.168.0.254 is-at 0:0:c0:51:e8:c1 (0:50:ba:be:59:65)
-> 23:38:17.562019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53518+ A? www.rhns.redhat.com. (37) (DF)
-> 23:38:22.572019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53518+ A? www.rhns.redhat.com. (37) (DF)
-> 23:38:27.582019 eth0 > 192.168.0.2.1025 > 192.168.0.254.domain: 53519+ A? www.rhns.redhat.com.Ourhouse. (46) (DF)

This goes on for many more packets - I didn't post whole thing due to length, but can provide. Can someone tell me why my computer is 'calling home?'

Shadowman says:
Shadowman is impressed -- the very first question, and it includes a packet trace! (With questions like this, Shadowman wonders if it's too late to go back to just being another pretty face here in Red Hat HQ...)

But first, a little background before answering your question. The first thing to keep in mind about Red Hat Network is that it is based on a client/server architecture. Basically, that means that the client (your system) must connect to the server (the Red Hat Network systems) in order to make anything happen.

It's always the same dance:

  1. client "asks"
  2. server "answers"

But sometimes, you want the server to start the conversation--like when Red Hat Network determines that an update should be installed on your system.

How do you make this scenario fit into the client/server architecture? The short answer is that you don't--the client-server model doesn't support it. So a different approach is necessary; and that's what you're seeing.

In this case, your system has been profiled and registered with Red Hat Network. Once that is done, your system will "check in" with the Red Hat Network on a periodic basis, looking for updates and actions to be performed. If there is an update or action available for your system, this periodic check will discover them, making it look like your system was actually "tapped on the shoulder" by Red Hat Network.

If you temporarily want to stop this from happening (say you're sitting in a hotel room in Dubuque reading email on your laptop, and the modem's just connected at 4800 baud, and you *really* don't want that nifty 100MB XFree86 update downloading right now, thank you very much), just enter this command (while logged in as root, of course):

/sbin/service rhnsd stop

You can also disable it forever with another command (again, as root):

/sbin/chkconfig --del rhnsd

Whew! Shadowman needs a vacation after that one...


Kaizaad B. asks:
Is there an easy way to revert to the previously installed package (before rhnd or up2date installed the updated package(s))? Sometimes I run into the problem that performing an update causes some other package to become nonfunctional and I would like to revert to the original state of the system before the update.

Shadowman says:
In search of the answer to this question, Shadowman took the painful step of inviting the entire Red Hat Network team out for a beer. Besides getting Guinness stains on his fedora, Shadowman has learned that this is currently not possible.

The things Shadowman does for his readers!


Jarod F. wonders:
Is there a way to get up2date to reinstall an RPM I already have installed? So far, I've just been able to get it to tell me I don't need an update.

Shadowman says:
Shadowman just tried this, and had the exact same thing happen to him. However, he was able to get it to work (after a fashion) by using RPM to remove a package, and then using up2date (and naming the package to be installed) to install it.

Yes, Shadowman realizes that this is not going to work in every instance. However, Shadowman does wonder: Why do you want to install an RPM that is already installed? Maybe somebody deleted some files by mistake, hmmm? That's why rm has the -i option...


Unable to Communicate in Calgary asks:
What ports do I have to open on my firewall to allow the Updates to happen?

Shadowman says:
Shadowman wondered about this himself, particularly since his home network in the Shadow Lair is firewalled, and yet all Red Hat Network operations work perfectly.

It turns out that Shadowman's iptables Kung-Fu is nothing special (even though it is highly effective against script kiddies and grandmothers with port scanners). Any firewall that allows outbound connections on ports 80 (http) and 443 (https) will not impact Red Hat Network-related activities.

An easy way to test this is simply to try browsing both non-secure and secure websites -- if you can do that, you can use Red Hat Network.


Robert P. shouted into the wind:
Are you concerned that Microsoft might catch on to how easy up2date actually is and try to abolish and destroy all of the good work by buying the development team away from redhat and rebranding it?

No really, stop laughing... Are you concerned?

Shadowman says:
Shadowman just squirted water out his nose on that one! Whew-- Shadowman must remember not to drink while reading questions; if that had been a Coke, Shadowman's vintage IBM clicky keyboard would have been history...

There are three things that allow Shadowman to sleep soundly at night:

  1. The knowledge that Microsoft would have an easier time retrofitting Red Hat Network to a 1968 VW Microbus than making it work with the Windows family of operating systems
  2. The knowledge that the Red Hat Network development team would sooner change the tires on that 1968 VW Microbus than draw a paycheck with Bill Gates' autograph on it
  3. The knowledge that Shadowman will play Duke Nukem Forever before he dies of old age. Maybe.

Brian S. whispered:
Since you're covering the topic of Red Hat Network, I thought maybe you could answer a question for me. I was wondering if it was possible for someone to pretend to be the update server? Or possibly trick a user into thinking that they're connected to the server? And if so, how likely, or easily could it be pulled off? Since security has been a major topic lately, I was just wondering how secure Red Hat Network is.

Shadowman says:
Shadowman thinks this is a great question! In fact, Shadowman likes this question so much, he's going to give you a step-by-step guide to spoofing Red Hat Network:

1. First, you must do something to make connection attempts directed to Red Hat Network go instead to your evil Red Hat Network clone. DNS spoofing and/or playing games with routing would probably do the trick. This is, admittedly, difficult but not impossible.

2. Next, you must set up your own evil Red Hat Network clone. Again, difficult but not impossible.

3. Then you must obtain (or fake) a secure certificate signed by the same Certificate Authority that we use for Red Hat Network. This is absolutely necessary, as the Red Hat Network client authenticates the server every time it connects. This is quite a bit more difficult than the previous two steps.

That's it! You can now serve Red Hat-signed RPMs using your evil Red Hat Network clone. What's that, you say? The point of all this is to silently install evil RPMs on unsuspecting systems? Unfortunately, as RPMs are downloaded, their signatures are checked against Red Hat's key. So this means you'll also need to:

4. Create a fake digitally-signed RPM (of course, the crypto folks like to say that this is "computationally infeasible" -- does this get crypto folks dates? Shadowman doubts it). Or, you need to steal Red Hat's private RPM-signing key (even Shadowman doesn't know where it's kept), and then coerce one of the three people in the world (and Shadowman isn't one of those people) that know the key's passphrase into giving it to you. (And just a little hint -- if one of these three people ends up missing, or suddenly purchasing the Republic of Nauru, we'll be changing the keys.)

After learning all this, Shadowman feels that this is another thing that helps him sleep soundly at night.
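The last line of defence Shadowman describes is the signature check on each downloaded RPM. The script below is an added example (not code from the column or from Red Hat Network) that turns the verdict of `rpm -K` into an install gate. It assumes `rpm -K` (alias `rpm --checksig`) is available and that the vendor's public key has been imported; the sample output lines in the test are constructed to mirror rpm's reporting style, which varies somewhat between rpm versions.

```shell
#!/bin/sh
# Added example, not part of the column: gate installation of downloaded RPMs
# on the verdict of `rpm -K`, the check Shadowman refers to when he says
# signatures are compared against Red Hat's key.

# Classify one line of `rpm -K` output. Prints a verdict and returns 0 only
# when a signature (not merely a digest) verified. The order matters: rpm
# reports failures with "NOT OK", so that case is matched first.
rpm_sig_verdict() {
    case "$1" in
        *"NOT OK"*)                              echo reject-bad-signature; return 1 ;;
        *" gpg OK"|*" pgp OK"|*"signatures OK")  echo accept; return 0 ;;
        *" OK")                                  echo reject-unsigned; return 1 ;;  # digests only
        *)                                       echo reject-unparsed; return 1 ;;
    esac
}

# Run the real check on the files given as arguments (needs rpm installed and
# the vendor key imported, e.g. `rpm --import RPM-GPG-KEY`). Returns 1 if any
# package fails, so it can guard an install step.
verify_rpms() {
    rc=0
    for f in "$@"; do
        line=$(rpm -K "$f" 2>&1) || true
        v=$(rpm_sig_verdict "$line") || rc=1
        printf '%s: %s\n' "$f" "$v"
    done
    return $rc
}

# Typical use: verify_rpms /var/spool/up2date/*.rpm && rpm -Uvh /var/spool/up2date/*.rpm
```

The reason to look for the signature token rather than the bare word "OK" is that an unsigned package whose digests match still prints "OK" for those digests; only a line naming the signature (gpg, pgp or, in newer rpm versions, "signatures") proves that the package was signed by a key you trust.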


Peter E. (of Melbourne Australia) said:
I have two questions for you:

  1. Why does up2date bypass kernel updates by default?
  2. Why doesn't up2date use the feature of rsync or some ftp's which allows a file transfer to continue on from where a previous one left off thanks to a disconnection? Starting a large file from the beginning again is a Microsoft sort of approach.

Shadowman says:
Shadowman notices this every time he runs up2date-config on a new system. Finally, he has a good excuse to go find out why -- more beer for the Red Hat Network team! And for Shadowman.

The answer is that, while today's kernel RPMs do a pretty good job of:

  • installing themselves
  • making an initial ramdisk (if necessary)
  • updating the appropriate boot loader's configuration file

it's still possible to shoot oneself in the foot, and be left without a leg to stand on (if Shadowman may be so bold as to mix his metaphors).

Of course, most seasoned system administrators are aware of the importance of maintaining at least one bootable kernel (and those unseasoned sysadmins that make this mistake quickly become seasoned -- usually while on a slowly-turning spit, over a hickory fire, stoked by the users they claim to support).

So rather than promote this kind of fate for sysadmins everywhere, the Red Hat Network default settings encourage system administrators to consider this matter carefully before blindly enabling kernel updates. It can be done -- but you need to be sure you check the results whenever a kernel update is installed.

As for your second question, Shadowman will slip into your local dialect to answer:

Shadowman was off to the dunny after a ripper king brown, when his mates hooked around the Johnny Horner, and went back o' beyond, leaving Shadowman Adrians with a drongo ear basher, which was hard yakka, and bob's your uncle!
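Shadowman's advice on kernel updates is to keep at least one known-good kernel bootable and to check the results after every update. The script below is an added example (not code from the column or from Red Hat Network) of such a check for the GRUB 0.9x `grub.conf` format used on Red Hat Linux of that era: it counts the stanzas whose `kernel` file and (if named) `initrd` file actually exist, so a post-update hook can refuse to reboot when fewer than two bootable kernels remain. It assumes the paths in `grub.conf` resolve under a root directory you pass in (an empty root for a system where `/boot` is on the root filesystem); the `grub.conf` and kernel files in `make_demo` are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the column: verify that a grub.conf still
# describes at least two bootable kernels after a kernel update.

# Count bootable stanzas in grub.conf $1, resolving file paths under root $2.
# A stanza counts when its kernel file exists and, if it names an initrd,
# that file exists too. Prints the count.
count_bootable_kernels() {
    conf="$1"; root="${2:-}"
    awk -v root="$root" '
        function flush() {
            if (title != "" && kernel != "") {
                ok = (system("test -f \"" root kernel "\"") == 0)
                if (ok && initrd != "") ok = (system("test -f \"" root initrd "\"") == 0)
                if (ok) n++
            }
            title = ""; kernel = ""; initrd = ""
        }
        /^title/        { flush(); title = $0 }
        /^[ \t]*kernel/ { kernel = $2 }
        /^[ \t]*initrd/ { initrd = $2 }
        END { flush(); print n + 0 }
    ' "$conf"
}

# Returns 0 when grub.conf $1 (under root $2) keeps at least two bootable
# kernels, 1 otherwise; suitable as a guard before rebooting into a new kernel.
reboot_is_safe() {
    n=$(count_bootable_kernels "$1" "$2")
    [ "$n" -ge 2 ]
}

# Build a constructed demo tree: two good stanzas, one whose kernel is missing.
make_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/boot"
    touch "$d/boot/vmlinuz-2.4.18-3" "$d/boot/initrd-2.4.18-3.img" "$d/boot/vmlinuz-2.4.9-31"
    cat > "$d/grub.conf" <<'EOF'
default=0
timeout=10
title Red Hat Linux (2.4.18-3)
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.18-3 ro root=/dev/hda2
	initrd /boot/initrd-2.4.18-3.img
title Red Hat Linux (2.4.9-31)
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.9-31 ro root=/dev/hda2
title Red Hat Linux (2.4.18-4, files never installed)
	root (hd0,0)
	kernel /boot/vmlinuz-2.4.18-4 ro root=/dev/hda2
	initrd /boot/initrd-2.4.18-4.img
EOF
    echo "$d"
}

# Typical use on a real system: reboot_is_safe /boot/grub/grub.conf "" || echo "keep the old kernel!"
```

The third stanza in the constructed configuration names a kernel that was never installed, which is exactly the state a half-finished update leaves behind; the count ignores it, so the script reports two bootable kernels rather than three.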


Maarten L. spoke clearly:
Say I have a gross of computers in a rather large Company. Is there a simple way to have up2date run per host connecting to a private mirror run within the Company? (preventing problems with a/the firewall and saving bandwidth) And how should I set up such a mirror?

Shadowman says:
Shadowman is sorry that you have gross computers -- oh, *a* gross of computers! Ah, that is different. In this situation, Shadowman recommends that you look at Red Hat Network's Proxy Server. This does exactly what you describe. You can learn more about it in the "Deploying RHN Proxy Server in the Enterprise" whitepaper. (Note that registration is required to read the whitepaper -- Shadowman wants to be sure you're studying!)


Kevin H. noted:
I have an old account on Red Hat Network that I would like to cancel/deactivate. I've deleted all systems from the account but I've not seen how to delete the actual account.

Shadowman says:
As the old saying goes, old Red Hat Network accounts never die, they just, er, never die. Just kidding. Actually, if you send email to rhn-feedback@redhat.com, you can get the account locked, which is as close to deleted as you can get.


Martin F. intoned:
Can Red Hat Network download and update packages automatically, without user intervention, when Red Hat posts them? Particularly security-related releases?

Shadowman says:
Shadowman notes that reading comprehension (particularly reading comprehension of https://rhn.redhat.com/) is not what it used to be. Hint.


William B. mumbled:
Ok... I had a machine at home with Red Hat installed with Red Hat Network. At the office I prepared another computer with its own Red Hat Network account. The question: how can I add my home computer to the office Red Hat Network account and then discard my old Red Hat Network home account, since I moved my home computer to the office?

Shadowman says:
As much as Shadowman wishes it were otherwise, there is no one-step method to transfer a system between two Red Hat Network accounts. However, all is not lost. First, make sure that your Red Hat Network office account has sufficient entitlements for the new machine.

Next, remove the machine from your Red Hat Network home account (You can then send mail to rhn-feedback@redhat.com and tell them to lock the account, if you like).

The last step is to use rhn_register to register the machine. Because the machine has already been registered, you'll be asked if you want to continue anyway; click on the "yes" button. Register the machine as you normally would (making sure to use your Red Hat Network office account).

After you log into your Red Hat Network office account and entitle the machine, you'll be all set. It's so simple even Shadowman can do it!


Ted J. screamed:
Is there a URL on the Red Hat Network that I can point IE on a Windows box at to automatically reformat and install Red Hat Linux?

Shadowman says:
Yes, but Shadowman will not tell you, because your Mommy will be very angry if you do that to her computer.