Using Debian Linux Packages
"Packages" are software. A package can be a workstation-type program (mozilla Web browser, gimp graphics editor, etc.), a server-type program (Apache Web server, Sendmail e-mail server, etc.), a utility (apcupsd for APC UPSs, taper backup utility), programming libraries, or OS components (GUIs, language modules, even kernel patches). You can download and install software which isn't "packaged". It's just that when software is put into a package it makes it easier to install because programs are already compiled (binary), directories are created if necessary, and all files (binary executables, text configuration files, man pages, etc.) are put into the proper directories. Some packages even have configuration scripts that are run near the end of the package installation to help you initially configure the software.
A "package manager" is used to search for, install, remove, etc. packages. Sun has a package manager for its flavor of UNIX (Solaris) that works with files that have a .pkg extension. Red Hat's package manager uses .rpm files. And Debian's package manager uses .deb files. As you will see below, a package manager isn't always a single program but several utilities used to perform the various package-related functions (search, install, etc).
Working with packages in Debian uses three main utilities:Note: The software in one package may need software from another package to work properly. One of the best things about Debian's package architecture is "automatic dependency resolution", i.e it will automatically load any packages that selected packages may depend on. It may also remove other packages that could cause conflicts. This is why the number of installed packages may be greater than the number of packages you select to install.
If you've ever tried installing packages using Red Hat Package Manager (RPM) you've likely found it a frustrating experience due to the "failed dependencies" errors commonly encountered when trying to install an RPM package. This is because Red Hat's package manager doesn't automatically take care of dependencies like Debian's package manager does.
- apt - Advanced Package Tool - the main package manager on Debian systems used for retrieving/installing, removing, or searching for packages
- dpkg - kind of the predecessor to apt, but is still used for some functions
- dselect - a menu driven front-end that uses both apt and dpkg
You may recall being prompted to insert all the discs during the installation so that they could be scanned for available packages. This scan process builds a database of available (on the discs) packages which is used by these package utilities. When you install or remove a package this database is referenced and updated.
A complete list of the current "stable" Debian packages (including free and non-free) can be found at:
apt and dpkg are useful if you have some idea of what you're looking for. For example, apt has a search utility where you can search for software by its given name such as 'apache' or you can search for all available packages containing software offering specific functionality such as 'sniffer', 'dns', etc.
Because Debian comes with so many packages, it's often a good idea to just browse through all of the available packages to see what software you can install and play around with. To get a full listing of packages and their installation status we use dselect. As mentioned, dselect is more of a front-end, user interface tool because when you select a menu item in dselect you are simply running one of the apt or dpkg utilities with a specific set of command-line switches.
Although useful for browsing all available packages, dselect will not be your primary package management tool. You can search for, and install, packages much faster using the apt utilities. However, we wanted to show you how to use dselect because half the fun of playing around with Debian is playing around with some of the thousands of packages that comes with it.
dselect has a 7-step menu (numbered 0 through 6) and it will walk you through the steps. There are two different "modes" that you can use when retreiving packages. One is "access" mode where additional .deb files are retreived and added to your inventory, and "update" mode where no new packages are retreived but any updates to existing packages (newer versions of whats already in your inventory database) are. dselect doesn't get installed automatically in later versions so make sure it's installed with the command:
apt-get install dselect
If the version of Debian you're using installed it automatically you'll see a message saying it's already installed.
To use dselect:
Type in dselect at the shell prompt and the menu screen will be displayed. The possible selections are:
- 0. Access - highlighting this and pressing Enter will allow you to select apt as the method for accessing the packages. When you select apt and press Enter it will display your current sources.list file and ask you if you want to over-write it. "No" is the default so just press Enter again.
- 1. Update - ALWAYS run this selection every time you run dselect. dselect maintains its own database so run this to have it read (sync up with) the apt database (containing package status information) to update its own database.
- 2. Select - pressing Enter with this selection highlighted will display a help screen. Press q to clear it. This is the main guts of the program. It's displaying the package inventory database. It can look very confusing the first time you use it but it's really not all that bad.
Notice near the very top of the screen is a line with EIOM on the left. They stand for
Error Installed OldMark NewMark
Uninstalled packages have "marks" like this:
(Note that this is two underscores in columns 3 and 4 - OldMark and NewMark columns.) On the left end of this line there is actually two blank spaces (in columns 1 and 2) before the two __ underscore characters.
- the first blank (Error) column is good
- the second blank (Installed State) column indicates it's not installed
- the _ in the third (OldMark) column indicates that nothing has changed in the selection status of the package
- the _ in the fourth (NewMark) column indicates that nothing has changed in the selection status of the package
Note that the first time you look at this list the third (OldMark) column may have an n in it. This indicates it's a New package because you just ran the Update step. The next time you view the list it will be an underscore character.
Installed packages marks are three asterisks (***) and they indicate:
- the first blank space (Error column) is good
- the first * in the second (Installed state) indicates that it is installed
- the next * in the third (OldMark) column means it was requested for install
- the third * in the fourth column means that it's OK to upgrade this package
If you would like to see a more explanatory presentation of this information, simply press the v key repeatedly to toggle the Verbose display mode on and off. In addition, you can press the ? key at any time to bring up the help menu. In the help menu, pressing the l (lower-case L) key will display a screen explaining all of the code letters. Press q to get out of help.
If you look at the highlight bar in the middle of the screen it will also give you some of this information. A description of the highlighted package is displayed below the blue bar.
Note: If you ever get into a Select screen and you can't figure out how to get out, just press an upper-case X to get back to the 7-step menu page.
Packages are grouped into categories such as 'devel', 'net', 'utils', and 'web' with 'admin' being the top category because the groups are listed alphabetically. The packages within each of these groups are listed alphabetically also. Packages that are installed are grouped at the top of the listing and thousands of uninstalled packages are listed afterwards.
Use your down-arrow key to go past the installed packages (asterisks in the left columns). When you get to uninstalled packages (underscores in the left columns) go down until the uninstalled cpuid pacakge is highlighted:
__ Opt admin cpuid
Looking at the cpuid line, a blank in the first "Error" column is a good thing. A blank in the second "Installed" column indicates it's not installed. An 'n' in the third (OldMark) column means the package is new (as far as dselect is concerned because it hasn't been run since the packages were indexed when you scanned the DVDs) and the underscore in the fourth (NewMark) columns means nothing has changed (selection-wise) for this package.
With the cpuid line highlighted, press the + key to select it for installation and the indicator in column 4 will change to an asterisk. Press Enter to go back to the main menu and the next menu selection (Install) will be highlighted.
- 3. Install - is where the packages are actually transferred onto the hard-drive. It will be highlighted so just press Enter and you'll be presented with the packages to install (if any dependent packages were required they'd be listed also). With 'Y' as the default just press Enter to continue and you'll be asked to insert the Debian DVD #2 and press Enter again. Once it's finished you can answer accept the default 'Y' to remove .deb files.
- 4. Config - is next. This is where any installed packages requiring additional configuration are taken care of. There won't be any in this case so you can just go to the next step.
- 5. Remove - will remove any unnecessary files or software they may cause conflicts with the newly installed packages. The dpkg command takes care of this for you so you'll just be returned to the menu.
Before selecting the "Quit" option, go back up to the "Select" option and press Enter to see how the flags for the cpuid have changed. The cpuid line we looked at earlier is further up (in the installed packages group) this time so if you arrow down to find it you'll see
*** Opt admin cpuid
Again, using the "l" (lower-case L) option on the help (?) menu will tell you all this.
- 6. Quit - will exit you out of dselect.
Try out the software you just installed. Back at the shell prompt, type in:
cpuid | more
to display information, including register contents, about the CPU chip in your system. The | more part of the command just pauses the displayed output of the command at each 25 lines with --More-- at the bottom of the screen. Press the Space Bar to see the next screen.
After you've been working with your system for awhile it's easy to lose track of what packages you have installed. It's also nice to see what all got installed by the installation routine. For that you can use the command:
dpkg -l | more
That's a lower-case L for "list". apt and dpkg have a lot of command-line options and viewing the man pages for them will provide you with more information.
dselect is not only useful for browsing all available packages but it will also tell you which packages are already installed. When you installed Debian a set of "base packages" were installed. As we go through using dselect you will be able to see which packages got installed during the installation and all of the packages that were included with Debian that are available for you to install.
Using the apt Utilities
The apt utilities (there are several such as apt-get, apt-cache, etc.) can retreive packages from DVDs or the Internet via http or ftp. You can update your entire system via an Internet connection which is why you want to have a modem or other means of accessing the Internet. This is especially true for Internet server systems as you will want to regularly apply security updates (we'll show you how to do this later in this page).
apt uses the /etc/apt/sources.list file which lists the locations of package files (we'll be modifying this file later in this page). These locations include the DVDs or CDs you inventoried (scanned) during the installation routine and also has entries for various Internet servers from which you can retreive updates. The lines in the sources.list file for these Internet servers are commented out by default in case you don't have an Internet connection. The apt utilities are command line utilities and installing a package is very easy provided you know the exact package name. Most of the time you don't. But there is an apt utility that will help with that too.
WU-FTP is one of the most widely-used FTP server applications. Lets say you want to set your system up as an FTP server using WU-FTP. How do you find out if it's included in one of the package files, and if so, what the package name is? You can use the apt-cache command with the search option like so:
apt-cache search wu-ftp
Note that this will display any package that has the word "wu-ftp" anywhere, including in a package's description (without them being a part of the package name).
When the listing is complete the shell prompt will reappear. The last item in the listed packages is:
wu-ftpd - powerful and widely used FTP server
which is probably the program we want. (The 'd' at the end of the package names stands for daemon.) If we're not sure We can get more information about this package with the command:
apt-cache show wu-ftpd | more
Now that we know that this is the program we're looking for and we know the name of the package, we can use a simple apt command to install it. apt will automatically install any dependency packages also. To install it just type in:
apt-get install wu-ftpd
to start the package installation. Note that I ran into a problem on two systems I've installed this on where the shell prompt never reappeared. If you run into this same problem, simply hit Ctrl-C and re-run the apt command. It will finish properly this second time giving you a shell prompt.
Your system is now an FTP server! Because this installed the FTP server daemon, it'll start automatically every time you boot your system.
If your Debian server is on a network (and provided you can ping other systems on the network) it's easy to check out. Just go to another system (Linux or Windows) on the same network and at a command prompt (open a DOS window on a Windows machine) enter (assuming the IP address of your Debian system is 192.168.10.10):
You'll be prompted for a username. You can't FTP using the root account. That's because with the FTP protocol everything, including the username and password you enter, is sent over the wire as clear text. Enter the username and password of the account you set up during the Debian installation and you'll see a message that the user is logged in. By default, wu-ftpd drops you into the home directory of the user you logged in as. For now just type in quit to close the FTP session.
So what if you don't really want your system to be an FTP server? The command:
apt-get remove wu-ftpd
would remove the program files from your system, but it would leave the configuration files. In order to remove everything associated with it you need to use the command
apt-get --purge autoremove wu-ftpd
You'll want to keep wu-ftpd installed however, so we can transfer files to and from your server. If you are going to set up a system as an Internet server that does offer FTP services, be sure to use the
/etc/wu-ftpd/ftpaccessfile to increase the security of your FTP services.
Note: The apt-get command has a lot of options for checking packages, resolving dependencies, etc. that we don't cover here. It would be worth your while to check out the man page or Web references to learn more about all this command can do.
Upgrading Your System
Debian's package system makes it real easy to keep your system up-to-date. Once you get your system connected to the Internet (see the Networking page), you can upgrade your system to the current point release using that Internet connection.
While using this procedure to upgrade your system to the current stable release is why we're doing it here, it's not the only time it should be done. In other words, if the current stable release is 6.0.1 and you used this procedure in the past to upgrade your system from 6.0.0 to 6.0.1, that doesn't mean you don't have to run it again until 6.0.2 comes out. Individual packages can get updated in between point releases. You'll also want to stay on top of any security updates that are available. We'll show you how to automate the security patching process later in this page.
The first thing you have to do is change the sources.list file that apt uses to determine from where it should pull packages. Right now, if you installed your system using a DVD set, it's set to only look on DVDs. We have to change that to only look on the Internet.
Open the sources.list file in the nano text editor with the command:As mentioned on the Installation page, many organizations don't allow their servers to be Internet-accessible for security reasons. If this is the case with your server, you have no choice but to do point-release updates using discs and should not follow this procedure.
You'll see a line like the following for each DVD in your set:
deb cdrom:[name of dvd-rom]
Put a pound character (#) in front of all of these lines to comment them out like so:
#deb cdrom:[name of dvd-rom]
Look for the following line further down in the file:
# deb http://security.debian.org/ stable/updates main
and remove the the pound character (#) at the beginning of this line.
Add the following line underneath the line you just edited:
deb http://http.us.debian.org/debian stable main contrib non-free
If you're outside the US, uncomment the line that has "non-us" in place of the "us" part of the above line. Then exit the editor (by pressing Ctrl-X, then 'y' and then Enter) saving the file.
Note: As long as the sources.list file is in the above configuration (http sources enabled and DVD-ROM sources disabled) you'll have to connect to the Internet in order to install any new packages as well as update any currently-installed packages. It is best to wait until you have your system set up just the way you want it before you use this procedure.
Once you're able to connect to the Internet use the following procedure to update your system:
The -u in the above command just makes the process a little more verbose, displaying package names as they're downloaded and installed. Be advised that these downloads could take awhile because you could be upgrading to a higher point release of the OS (ex: going from 6.0.1 to 6.0.2).
- You have to update the inventory database of available packages. (This is the list of packages you see when you run dselect.) Database entries for new packages are also pulled from Debian's server over the Internet. You do this by issuing the command:
- Once the package list is up to date, you upgrade the software on your system by typing in the following command:
apt-get upgrade -u
Once the download is complete the package updates will be installed and set up the same way they were when you pulled them off the DVDs.
Note: The above procedure only updates applications that were installed as a Debian package. If you installed applications that were not in Debian packages (such as when you download the source code files from a Web site and compile/install it yourself), it will have to be updated separately.
Automating Security Patching
Automatically applying security patches will help ensure you're protected against the latest worms and exploits. Automating the process of retreiving and applying security patches is not hard at all. The cron memory-resident scheduler is loaded by default when the system boots so it's just sitting there waiting for you to use it. Automating a process involves two steps; giving cron something to run (i.e. creating a shell script containing the commands you want to run), and then telling cron when to run it.
Because you only want this process to take care of security patches, you'll want to edit the /etc/apt/sources.list file to comment-out every line except the line that contains the word security in it. The only line that shouldn't be commented out is:
deb http://security.debian.org/ stable/updates main
With this restriction in place you can now create the shell script that will do the updating. You create a shell script using a standard text editor. Create the new shell script with the command:
and enter the following commands:
The init command will restart the system. Normally when you patch a daemon you'll want to restart that daemon to make sure the patches take effect. However, since you won't know which daemon got patched with this automated process there's now way to know which daemons to restart so simply restarting the system is the safest way to go.
Save the file and then change the permissions to make it executable using the command:
chmod 755 /usr/local/security-patches.sh
This is a very basic script. You'll probably want to set up some 'if' statements which test to make sure you got connected and check the success of the apt-get command.
How can you check to see if apt-get executed successfully? If you're familier with DOS you know you could check the value of the ERRORLEVEL environment variable to determine the success of a command. In Linux/UNIX it's called the "exit status" and the ? represents this environment variable. Entering the command:
will display the exit status of the most recently run command. (Remember that you have to put the $ in front of an environment variable when referring to its value as with the echo command or the when using an 'if' statement in a shell script.) A zero indicates success (just remember "zero errors") and anything greater than a zero represents some kind of problem.
cron is the memory-resident scheduler daemon that can execute commands and scripts at regular intervals. The jobs it runs are listed in a crontab file which is edited using the crontab utility.
The following command will list the contents of your current crontab file:
You'll want to add an entry to the crontab file for the security-patches.sh shell script. The format of the file is basically:
<when-to-run values> <what to run>
The "when to run" is a field which consists of five space-delimited values in the following order:
You can use the asterisk (*) to specify all values for any given entry. For example, to run a job every Saturday at 11:15 pm you would use the following values:
- Minutes past the hour (0 to 59)
- Hour of the day (0 to 23)
- Day of the month (1 to 31)
- Month of the year (1 to 12)
- Day of the week (0=Sunday to 6=Saturday)
15 23 * * 6
Be careful with these values. You'd rarely want to enter a number for the "Day of the Month" and the "Day of the Week". For example, if you entered:
15 23 3 * 6
cron would only run the job when the 3rd falls on a Saturday.
You can enter multiple values for each entry by separating them with commas. We set up cron jobs to check the logs twice a day, every weekday, at noon and again at 5 pm. This required the following values:
0 12,17 * * 1,2,3,4,5
Remember that the space is the delimiter between the five entries.
The "what to run" is what you want to cron to execute and is basically anything you can enter at a shell prompt. Any command, including pipes and redirects, shell script, etc. Since we want to run the security-patches.sh shell script, which we saved to the /usr/local directory, our crontab entry ends up looking like this:
0 3 * * 0 /usr/local/security-patches.sh
Note that only a space separates the "what to run" value from the last of the "when to run" values. The "when to run values above will run the security-patches.sh shell script every Sunday morning at 3 a.m.
So now that we know what our entry will be, we have to use crontab to enter it into the crontab file. At the shell prompt, enter:
This will fire up your default text editor with the current crontab file automatically loaded (which is likely empty). Simply enter your new crontab entry and close the editor. You can check to make sure your entry was added to the crontab file by entering the following command at the shell prompt:
Did you find this page helpful ?
If so, please help keep this site operating
by using our DVD or book pages.
Site, content, documents, original images Copyright © 2003-2013 Keith Parkansky All rights reserved
Duplication of any portion of this site or the material contained herein without
the express written consent of Keith Parkansky, USA is strictly prohibited.
This site is in no way affiliated with the Debian Project, the debian.org Web site, or
Software In The Public Interest, Inc. No endorsement of this site by the Debian Project
or Software In the Public Interest is expressed or implied. Debian and the Debian logo
are registered trademarks of Software In The Public Interest, Inc. Linux is a registered
trademark of Linus Torvalds. The Tux penguin graphic is the creation of Larry Ewing.
IN NO EVENT WILL KEITH PARKANSKY OR BLUEHOST INCORPORATED OR ANY OF ITS' SUBSIDIARIES BE LIABLE TO ANY PARTY (i) FOR ANY DIRECT, INDIRECT, SPECIAL, PUNITIVE OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, DAMAGES FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR INFORMATION, AND THE LIKE), OR ANY OTHER DAMAGES ARISING IN ANY WAY OUT OF THE AVAILABILITY, USE, RELIANCE ON, OR INABILITY TO USE THE INFORMATION, METHODS, HTML OR COMPUTER CODE, OR "KNOWLEDGE" PROVIDED ON OR THROUGH THIS WEBSITE, COMMONLY REFERRED TO AS THE "ABOUT DEBIAN" WEBSITE, OR ANY OF ITS' ASSOCIATED DOCUMENTS, DIAGRAMS, IMAGES, REPRODUCTIONS, COMPUTER EXECUTED CODE, OR ELECTRONICALLY STORED OR TRANSMITTED FILES OR GENERATED COMMUNICATIONS OR DATA EVEN IF KEITH PARKANSKY OR BLUEHOST INCORPORATED OR ANY OF ITS' SUBSIDIARIES SHALL HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES, AND REGARDLESS OF THE FORM OF ACTION, WHETHER IN CONTRACT, TORT, OR OTHERWISE; OR (ii) FOR ANY CLAIM ATTRIBUTABLE TO ERRORS, OMISSIONS, OR OTHER INACCURACIES IN, OR DESTRUCTIVE PROPERTIES OF ANY INFORMATION, METHODS, HTML OR COMPUTER CODE, OR "KNOWLEDGE" PROVIDED ON OR THROUGH THIS WEBSITE, COMMONLY REFERRED TO AS THE "ABOUT DEBIAN" WEBSITE, OR ANY OF ITS' ASSOCIATED DOCUMENTS, DIAGRAMS, IMAGES, REPRODUCTIONS, COMPUTER EXECUTED CODE, OR ELECTRONICALLY STORED, TRANSMITTED, OR GENERATED FILES, COMMUNICATIONS, OR DATA. ALL INFORMATION, METHODS, HTML OR COMPUTER CODE IS PROVIDED STRICTLY "AS IS" WITH NO GUARANTY OF ACCURACY AND/OR COMPLETENESS. USE OF THIS SITE CONSTITUTES ACCEPTANCE OF ALL STATED TERMS AND CONDITIONS.