Saturday, January 29, 2011

Is it safe upgrading php through Testing Repository (CentOS)

Hello,

I need to upgrade PHP to 5.2.x

I'm referring here as to how to upgrade it:
http://wiki.centos.org/HowTos/PHP_5.1_To_5.2
http://www.securityhacking.tk/2010/02/install-upgrade-php-5-1-to-5-2-centos-5-4/

But that was the testing repository. Is it safe to use it on a live server?

Thank you.

  • The answer is on the CentOS site

    ...it should not be left enabled or used on production systems...

    So that's that.

    However due to the age of PHP 5.1.6 and the expectations of customers I can see why you may want to do the upgrade anyway.

    From my experience I have a server running 5.2.10 from the testing repository. There have been no problems in using this version from Testing.

    Obviously I cannot provide any assurance it won't break on your setup but you can reduce any disruption by enabling rollbacks in Yum. To do this add

    tsflags=repackage

    to /etc/yum.conf before enabling the repository and performing the upgrade.

    Then if anything breaks you can rollback. There is an example of how to do this here.

    So the steps involved are:

    1. Edit /etc/yum.conf, add tsflags=repackage to enable rollback.

    2. Add the CentOS Testing Repository. See the instructions here.

    3. Upgrade PHP and only PHP by doing yum update php --enablerepo c5-testing. (Dependencies will be updated too, such as php-gd if installed.)

    4. Test your PHP applications thoroughly and check log files for unseen problems.

    5. Rollback if necessary.

    6. Tidy up /etc/yum.conf

    The Testing Repository should be left disabled, by setting enabled=0 in /etc/yum.repos.d/CentOS-Testing.repo to avoid accidentally updating httpd or any other critical applications with newer versions in Testing.

    This means you will have to manually check for updates to PHP regularly by using

    yum check-update php --enablerepo=c5-testing

    The bottom line is that it appears to work okay, but if you break anything you get to keep the pieces so you best have backups.

  • Maybe check the atomic turtle repository. They wrote Plesk and these days focus on Atomic Secured Linux. Recent PHP RPMs are available on their site and updated regularly.

    Richard Holloway : There are many places you can get newer versions of PHP as RPM, or you can install from source. The question asked here is whether it is reliable for a production server. The CentOS view is "No, stick with 5.1.6 shipped by default". I saw the atomic turtle repository in my search for a solution for me. Do you run this version of PHP from this repository, and is it more reliable than CentOS Testing?
    Imo : I run this (Atomic RPMs) in a production environment and have not experienced any problems with it. Not used CentOS testing so cannot compare. Sorry.
  • Jason Litka provides 3rd-party RPMs for php: http://www.jasonlitka.com/yum-repository/

    Safety is always a sliding scale. Clearly you are already running Centos, meaning you are probably running without a support contract of any kind and you have deemed this to be safe. I'm going to assume that when you hit problems you either try and debug yourself or you ask the community for assistance, and go from there. This is already "unsafe" from a bank/large corporation perspective.

    Sticking with either the Centos testing RPMs or Jason Litka's will place you more at risk of problems but there are still a significant portion of the user-base who are running this way. A newer version of PHP may have more security bugs, while it may contain some fixes. Redhat/Centos are sometimes lax in backporting fixes properly (which was why they got hacked - they didn't backport a kernel fix not marked as a security risk).

    Going down the Centos testing path may require you to upgrade glibc, which could then mean you have to start upgrading other packages you never intended to touch. For this reason I would recommend Jason's repository.

    Please make sure all additional repositories remain disabled (enabled=0) and you explicitly enable them on the yum command line or using your configuration management tool:

    yum --enablerepo=jason install php

    Richard Holloway : For reference, you can upgrade only php (and some php dependencies like php-gd if installed) from Testing without having to upgrade a bunch of other stuff.
    From mechcow
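As an added example (not from any of the posters), a small pre-flight check for the two settings the answers above rely on: tsflags=repackage in /etc/yum.conf so a rollback is possible, and enabled=0 on every third-party repo so a later plain "yum update" cannot pull httpd or glibc from Testing. It runs against constructed sample files in a temp directory rather than the real /etc; the function names and sample contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are arguments so the checks can
# run against constructed sample files; nothing under /etc is touched.

# Print the name of every repo section whose enabled= value is not 0.
# A section with no enabled= line counts as enabled (yum's default).
list_enabled_repos() {
    awk '
        /^[ \t]*\[/ { flush(); sect=$0; sub(/^[ \t]*\[/, "", sect); sub(/].*/, "", sect); en=""; next }
        /^[ \t]*enabled[ \t]*=/ { v=$0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v); en=v; next }
        END { flush() }
        function flush() { if (sect != "" && en != "0") print sect }
    ' "$1"
}

# Succeed when a tsflags= line mentioning repackage is present in yum.conf.
has_repackage() {
    grep -Eq '^[[:space:]]*tsflags[[:space:]]*=.*repackage' "$1"
}

# Pre-flight: returns 0 when both conditions hold, 1 when something needs fixing.
preflight() {
    yumconf=$1; repofile=$2; rc=0
    if ! has_repackage "$yumconf"; then
        echo "WARN: $yumconf lacks tsflags=repackage; yum rollback will not be possible"; rc=1
    fi
    enabled=$(list_enabled_repos "$repofile")
    if [ -n "$enabled" ]; then
        echo "WARN: $repofile has repos that should be enabled=0 (enable them per command instead):"
        echo "$enabled"; rc=1
    fi
    return $rc
}

# Constructed sample files standing in for /etc/yum.conf and CentOS-Testing.repo.
tmp=$(mktemp -d)
printf '[main]\ncachedir=/var/cache/yum\ntsflags=repackage\n' > "$tmp/yum.conf"
printf '[c5-testing]\nname=CentOS-5 Testing\nenabled=1\ngpgcheck=1\n\n[c5-testing-src]\nname=CentOS-5 Testing Source\nenabled=0\n' > "$tmp/CentOS-Testing.repo"

# Reports c5-testing as still enabled; fix that before running the upgrade with --enablerepo.
preflight "$tmp/yum.conf" "$tmp/CentOS-Testing.repo" || echo "fix the warnings above before upgrading"
```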
