How to stop BIND from being overwritten by cPanel daily update

Discussion in 'Bind / DNS / Nameserver Issues' started by SupaDucta, Jan 30, 2005.

  1. SupaDucta

    SupaDucta, Active Member (Joined: Oct 6, 2004; Messages: 40; Likes Received: 0; Trophy Points: 6)

    Yesterday we upgraded BIND to 9.3.0 and chrooted it.

    At 4 AM, when running updates, cPanel overwrote it and reverted back to 9.2.1, so I had to:

    killall named
    mv /usr/sbin/named /usr/sbin/named.old
    ln /usr/local/sbin/named /usr/sbin/named
    chmod 777 /var/run

    and restart BIND, so we had 9.3.0 running again.

    Where can I exclude BIND from being updated by software and cPanel version updates?
     
  2. Jemshi

    Jemshi, Well-Known Member (Joined: Sep 11, 2003; Messages: 210; Likes Received: 0; Trophy Points: 16; Location: India)

    Not sure, but I think cPanel is trying to update (reinstall) the rpm packages already installed on the server. If you are not using the rpm bind, you can just do

    rpm -e bind_package_name

    HTH
     
  3. SupaDucta

    Hm, I have managed to find a few instances in /scripts/ where bind is handled:

    sysup
    rpmup
    rpmup2.

    rpmup:

    @IGNORERPMS=("wu-ftpd","perl","kernel","httpd","apache","php","gnupg","pine","exim","proftpd","MySQL","webmin");

    I wonder, if I added "bind" here, maybe it would be ignored?
     
  4. Jemshi

    No use - all scripts under /scripts will be overwritten on the next cp upgrade.
     
  5. SupaDucta

    I wouldn't have a problem with that, because I have turned off automatic cPanel updates due to some former issues with rewriting, so I would be satisfied with updating those scripts every time after a cPanel update.

    Strange, no? cPanel doesn't update BIND, running 9.2.1 which has a few security flaws, but if you try to update and compile some newer version manually, it reverts it back to 9.2.1. :confused:
     
  6. haze

    haze, Well-Known Member (Joined: Dec 21, 2001; Messages: 1,550; Likes Received: 3; Trophy Points: 38)

    SupaDucta: What OS are you using?
     
  7. SupaDucta

    RedHat 7.3, and I was just informed a few hours ago that RedHat patches versions it packs, and that RedHat's Bind 9.2.1 doesn't have a security leak like usual 9.2.1.

    Hope it's true...
     
  8. haze

    That is true. Redhat patches known working versions and includes certain features from newer software releases and incorporates them into older versions. That said, Redhat no longer supports their Redhat Linux line of OS's. You are going to have to upgrade your system. If you want to stay with Redhat, check out Redhat Enterprise. If you need something that's easier to upgrade and less expensive, check out CentOS.org. It's a clone of RHEL, but without the price tag and "official" support.

    It's surprising you were not aware of this, as it happened quite a while ago. I would suggest you start auditing the software installed on the system to see what does and doesn't need updated; that done, I'd start making up a plan to start considering your OS migration options. Also note that FedoraLegacy.org has taken up the job of updating the OS, however they don't have enough help to make it all happen. You may want to check FedoraLegacy out to see what they might have available, update-wise, for the OS, but I'll tell you honestly, you'll still be far behind, security-wise.
     
  9. haze

    Also, if you want to install the source bind, make sure and add bind/named to your package skip list in whatever update client software you use. That's what is most likely causing the issue for you.
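
A post-update check for the situation in this thread, added here as an example and not posted by any participant: it flags a reverted `named` binary, a path the RPM database still claims, and a `/var/run` left at mode 777. The function names are hypothetical; the expected version and paths are assumptions taken from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Defaults mirror the thread's setup:
# source-built BIND 9.3.0 linked to /usr/sbin/named, pid files in /var/run.

# "BIND 9.3.0" (output of `named -v`) -> "9.3.0"; prints nothing if unparsable.
named_version() {
    printf '%s\n' "$1" | sed -n 's/^BIND \([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# True when directory $1 is writable by "other" and has no sticky bit,
# i.e. any local user can delete or replace files in it (mode 777, not 1777).
world_writable_no_sticky() {
    case "$(ls -ld "$1" 2>/dev/null | cut -c1-10)" in
        d???????w[-x]) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_named BINARY EXPECTED_VERSION RUN_DIR -> 0 if clean, 1 if any warning.
audit_named() {
    bin=$1 expected=$2 rundir=$3 status=0
    got=$(named_version "$("$bin" -v 2>/dev/null)")
    if [ "$got" != "$expected" ]; then
        echo "WARN: $bin reports '${got:-unknown}', expected $expected"
        status=1
    fi
    # If the RPM database still claims the path, package updates will put
    # the packaged binary back, which is the revert described in the thread.
    if command -v rpm >/dev/null 2>&1 && owner=$(rpm -qf "$bin" 2>/dev/null); then
        echo "WARN: $bin is owned by $owner; remove the RPM or add it to the skip list"
        status=1
    fi
    if world_writable_no_sticky "$rundir"; then
        echo "WARN: $rundir is world-writable without the sticky bit"
        status=1
    fi
    return $status
}

audit_named /usr/sbin/named 9.3.0 /var/run || echo "named audit: warnings above need review"
```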
     
  10. SupaDucta

    Thanks Haze,

    We are at the moment building up a new webserver (in early testing stage) on Debian Sarge and other testing platform on CentOS, so we'll see how each turns out before making a final choice.

    The machine this thread is about is a Virtuozzo-based VPS with old kernel and RedHat 7.3 and we can't update it or secure it properly due to VPS limitations, so we're building up a new dedicated platform from scratch.

    Thanks, you are very kind and helpful ;)
     
  11. haze

    You mention old kernel, perhaps you should ask your host to upgrade it if you feel it interferes with your site's security. If they use the Virtuozzo platform, sw-soft should have a patched kernel available, as they roll out their own kernels, if I'm not mistaken.

    If it was a newer kernel, such as source + virtuozzo patched (if possible) you could be able to interchange between certain redhat linux versions, such as CentOS (RHEL would be very difficult via remote means).

    If you want to stick to your budget and use a more flexible solution, perhaps something along the lines of http://www.linode.com would fit your requirements.
     