Godaddy VPS: upgrade from CentOS 6.x to CentOS 6.5 and fix Bash Shellshock/ssl Heartbleed Bug

UPDATE 2014-10-28: CentOS 6.6 has been released, bringing many important updates, including a fix for POODLE ssl vulnerability. You can update your GoDaddy VPS from CentOS 6.5 to 6.6 without any problem. I guess you can safely update from 6.* to 6.6, just make sure to exclude iproute package from upgrade (see step 2). During update you will see this message: “udev: missing sysfs features; please update the kernel or disable the kernel’s CONFIG_SYSFS_DEPRECATED option; udev may fail to work correctly“. You can ignore it.

UPDATE 2014-09-25: This guide is also very useful to fix the Bash Shellshock Bug. Without upgrading to CentOS 6.5 you won’t be able to update bash using “yum update”; the only other way is to install the new rpm manually, possibly causing dependency issues.

UPDATE 2014-04-10: This guide is also very useful to fix the SSL Heartbleed vulnerability (RedHat advisory, OpenSSL Advisory). Please patch your CentOS server as soon as possible, as there are plenty of SSL exploits around… If you used the official GoDaddy guide (which updates only openssl and NOT the CentOS release), please leave a comment: we want to know which one is easier and more effective!

 

 

CentOS 6.5 has been released and brings many new features and security fixes, as announced here.

In my case, I needed to upgrade from CentOS 6.4 to CentOS 6.5 because I needed php-5.4.24 (provided by remi repository), which required openssl-1.0.1 , introduced in CentOS 6.5 and unavailable in CentOS 6.4.

This HowTO explains how to upgrade to CentOS 6.5 on GoDaddy VPS (virtual private server, also called virtual dedicated server).

WARNING1: GoDaddy support discourages this kind of update (and they don’t even know how to do it), because they want you to use their repositories. It is not clear whether further updates will break things. So follow this guide at your own risk.

WARNING2: BACKUP EVERYTHING, a system update like this one could overwrite important configuration files (e.g: php.ini, my.cnf, httpd.conf, etc) or could even completely break your system. I updated 5 GoDaddy servers without any problem, but I don’t know what will happen with yours.

WARNING3: MAKE A FULL COPY OF YOUR SERVER, because if something goes wrong, system could become unbootable. If you miss one or more steps, YOUR SERVER WON’T BOOT. If you have a custom server configuration, YOUR SERVER MAY NOT BOOT AFTER THE UPGRADE and you will HAVE TO reprovision your server, which means losing ALL DATA on server disk.

Why do I need to update to CentOS 6.5?

As soon as the php-5.4.24 package (by remi) was released, yum update started to raise weird errors.

These are the errors I got when I issued “yum update”, trying to update from php-5.4.23 to php-5.4.24 on CentOS 6.4.

# yum update

--> Running transaction check
---> Package php.x86_64 0:5.4.23-1.el6.remi will be updated
---> Package php.x86_64 0:5.4.24-1.el6.remi will be an update
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: php-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: php-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: php-5.4.24-1.el6.remi.x86_64
---> Package php-bcmath.x86_64 0:5.4.23-1.el6.remi will be updated
---> Package php-bcmath.x86_64 0:5.4.24-1.el6.remi will be an update
---> Package php-cli.x86_64 0:5.4.23-1.el6.remi will be updated
---> Package php-cli.x86_64 0:5.4.24-1.el6.remi will be an update
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: php-cli-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: php-cli-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: php-cli-5.4.24-1.el6.remi.x86_64
---> Package php-common.x86_64 0:5.4.23-1.el6.remi will be updated
---> Package php-common.x86_64 0:5.4.24-1.el6.remi will be an update
---> Package php-devel.x86_64 0:5.4.23-1.el6.remi will be updated
---> Package php-devel.x86_64 0:5.4.24-1.el6.remi will be an update
--> Processing Dependency: libssl.so.10(libssl.so.10)(64bit) for package: php-devel-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(libcrypto.so.10)(64bit) for package: php-devel-5.4.24-1.el6.remi.x86_64
--> Processing Dependency: libcrypto.so.10(OPENSSL_1.0.1)(64bit) for package: php-devel-5.4.24-1.el6.remi.x86_64
--> Finished Dependency Resolution
Error: Package: php-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(libcrypto.so.10)(64bit)
Error: Package: php-cli-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(libcrypto.so.10)(64bit)
Error: Package: php-cli-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libssl.so.10(libssl.so.10)(64bit)
Error: Package: php-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(OPENSSL_1.0.1)(64bit)
Error: Package: php-devel-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(libcrypto.so.10)(64bit)
Error: Package: php-devel-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libssl.so.10(libssl.so.10)(64bit)
Error: Package: php-cli-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(OPENSSL_1.0.1)(64bit)
Error: Package: php-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libssl.so.10(libssl.so.10)(64bit)
Error: Package: php-devel-5.4.24-1.el6.remi.x86_64 (remi)
Requires: libcrypto.so.10(OPENSSL_1.0.1)(64bit)
You could try using --skip-broken to work around the problem
You could try running: rpm -Va --nofiles --nodigest

It is clear that php-5.4.24 requires openssl-1.0.1, and it’s impossible to update from openssl-1.0.0 to openssl-1.0.1 on CentOS 6.4 because it’s a system package.

HowTo: Updating to CentOS 6.5 on Godaddy Virtual Private/Dedicated Server (VPS)

On a GoDaddy VPS, issuing the command “yum update” doesn’t update to CentOS 6.5, because GoDaddy uses its own repositories, which are very outdated, slow and often unreachable.

1. Edit CentOS Base Repository

You must tweak some configuration files:

# vim /etc/yum.repos.d/CentOS-Base.repo

In each section, comment out the GoDaddy mirrorlist line and replace it with the default CentOS mirrorlist. The result is the same as the stock CentOS repo file.

This is my CentOS-Base.repo after the changes:

# CentOS-Base.repo
#
# The mirror system uses the connecting IP address of the client and the
# update status of each mirror to pick mirrors that are updated to and
# geographically close to the client.  You should use this for CentOS updates
# unless you are manually picking other mirrors.
#
# If the mirrorlist= does not work for you, as a fall back you can try the
# remarked out baseurl= line instead.
#
#
[base]
name=CentOS-$releasever - Base
#mirrorlist=http://n1plmirror01.shr.prod.ams1.secureserver.net/vph/2/download/mirrors/cos-$releasever-os.$basearch
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#released updates

[updates]
name=CentOS-$releasever - Updates
#mirrorlist=http://n1plmirror01.shr.prod.ams1.secureserver.net/vph/2/download/mirrors/cos-$releasever-updates.$basearch
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that may be useful

[extras]
name=CentOS-$releasever - Extras
#mirrorlist=http://n1plmirror01.shr.prod.ams1.secureserver.net/vph/2/download/mirrors/cos-$releasever-extras.$basearch
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras
#baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#additional packages that extend functionality of existing packages

[centosplus]
name=CentOS-$releasever - Plus
#mirrorlist=http://n1plmirror01.shr.prod.ams1.secureserver.net/vph/2/download/mirrors/cos-$releasever-centosplus.$basearch
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus
#baseurl=http://mirror.centos.org/centos/$releasever/centosplus/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
#contrib - packages by Centos Users

[contrib]
name=CentOS-$releasever - Contrib
#mirrorlist=http://n1plmirror01.shr.prod.ams1.secureserver.net/vph/2/download/mirrors/cos-$releasever-contrib.$basearch
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib
#baseurl=http://mirror.centos.org/centos/$releasever/contrib/$basearch/
gpgcheck=1
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

WARNING: DO NOT ISSUE “yum update” right now, or your system won’t boot anymore!

2. Edit yum.conf to exclude some packages from update

I found that updating iproute causes a system freeze on boot. You need to tell yum not to update iproute, so edit /etc/yum.conf:

# vim /etc/yum.conf

If you don’t have any line starting with “exclude=“, add a line at the end of the file:

exclude=iproute*

If you already have an exclude, add iproute* to it like this:

exclude=package1* package2* iproute*

This is my yum.conf file:

[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=16&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
exclude=iproute*

3. Update all the required packages

WARNING: on one of my servers, I had some problems using the command “yum update”; I was able to upgrade ONLY by updating some packages separately.

First, check your current system:

# cat /etc/redhat-release
CentOS release 6.4 (Final)

Second, check if yum is finding all the updates:

# yum clean all

# yum list updates

You should see a lot of updates, including these:

 centos-release                                x86_64                   6-5.el6.centos.11.2                                   updates                    20 k
 glib2                                         x86_64                   2.26.1-3.el6                                          base                      1.6 M
 openssl                                       x86_64                   1.0.1e-16.el6_5.4                                     updates                   1.5 M
 openssl-devel                                 x86_64                   1.0.1e-16.el6_5.4                                     updates                   1.2 M

VERY IMPORTANT: make sure you don’t see any reference to iproute package, like this one:

 iproute                                       x86_64                   2.6.32-31.el6                                         base                      365 k

If you see it, and you update your system, your server won’t boot anymore and you’ll need to reprovision your server, losing everything on disk!!
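The checks from steps 1 to 3 can be turned into a gate that runs before "yum update". This is an added example, not part of the original guide; the function names are this example's own, and it assumes the repo file and yum.conf layouts shown above.

```bash
#!/bin/bash
# Added example (not from the original guide): pre-flight gate for "yum update".
# Function names are this example's own choices.

# Succeeds if no uncommented mirrorlist/baseurl line still points at GoDaddy's mirrors.
repo_is_switched() {
    ! grep -Eq '^[[:space:]]*(mirrorlist|baseurl)=.*secureserver\.net' "$1"
}

# Succeeds if the last uncommented exclude= line in yum.conf has a pattern
# that matches the package name "iproute" (e.g. iproute*).
iproute_is_excluded() {
    line=$(grep -E '^[[:space:]]*exclude=' "$1" | tail -n 1)
    set -f                      # do not expand iproute* against files in the cwd
    for pat in $(printf '%s' "${line#*=}" | tr ',' ' '); do
        case iproute in
            $pat) set +f; return 0 ;;
        esac
    done
    set +f
    return 1
}

# Reads "yum list updates" output on stdin; succeeds if no iproute package is offered.
updates_are_safe() {
    ! grep -Eq '^[[:space:]]*iproute[-.[:space:]]'
}

# usage: yum list updates | preflight REPO_FILE YUM_CONF
preflight() {
    repo_is_switched "$1"    || { echo "FAIL: $1 still uses secureserver.net"; return 1; }
    iproute_is_excluded "$2" || { echo "FAIL: $2 does not exclude iproute"; return 1; }
    updates_are_safe         || { echo "FAIL: iproute is in the update list"; return 1; }
    echo "OK: repositories switched, iproute held back"
}

# On the server:
#   yum clean all
#   yum list updates | preflight /etc/yum.repos.d/CentOS-Base.repo /etc/yum.conf \
#       && yum update glibc* yum* rpm* python*
```
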

3.a Update to CentOS 6.5 the safe way

In one of my servers, issuing the standard “yum update” made the system really unstable, so my advice is:

First: update glibc, yum, rpm and python.

Second: update all of the other packages.

# yum clean all
# yum update glibc* yum* rpm* python*
# yum update

If everything is ok, you can now reboot:

# reboot

3.b Update to CentOS 6.5 with some risks

Use the default update procedure, then reboot:

# yum update

# reboot

4. Verify a correct upgrade to CentOS 6.5

Check that everything works as expected (you may need to restore some configuration files overwritten during the update) and check the CentOS release:

# cat /etc/redhat-release
CentOS release 6.5 (Final)
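The step 4 check, extended as an added example (not the author's code): besides the release string, it lists processes that still map a libssl/libcrypto file replaced during the update, because a daemon keeps running the old OpenSSL until it is restarted or the server is rebooted. Function names are this example's own; the release file and /proc root are parameters so the functions can be run against copies.

```bash
#!/bin/bash
# Added example (not from the original guide): post-upgrade checks for step 4.

# Print the CentOS version found in a redhat-release file, e.g. "6.5".
centos_version() {
    sed -n 's/^CentOS release \([0-9][0-9.]*\).*/\1/p' "${1:-/etc/redhat-release}"
}

# Print "PID library-path" for every process under PROC_ROOT whose memory map
# still references a libssl/libcrypto file that was replaced on disk. The
# kernel marks such mappings with a trailing "(deleted)" in /proc/PID/maps.
stale_openssl_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps%/maps}
        pid=${pid##*/}
        awk -v pid="$pid" '
            /lib(ssl|crypto)\.so.*\(deleted\)$/ && !seen[$6]++ { print pid, $6 }
        ' "$maps" 2>/dev/null
    done
}

# usage: verify_upgrade EXPECTED_VERSION [RELEASE_FILE] [PROC_ROOT]
verify_upgrade() {
    ver=$(centos_version "${2:-/etc/redhat-release}")
    if [ "$ver" != "$1" ]; then
        echo "FAIL: release is '${ver:-unknown}', expected $1"
        return 1
    fi
    stale=$(stale_openssl_procs "${3:-/proc}")
    if [ -n "$stale" ]; then
        echo "FAIL: these processes still run the old OpenSSL, restart them or reboot:"
        echo "$stale"
        return 1
    fi
    echo "OK: CentOS $ver, no process maps a replaced OpenSSL library"
}

# On the server, as root (so that every /proc/PID/maps is readable):
#   verify_upgrade 6.5
```
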

5. Optional (untested): update to php-5.4.24 + mysql 5.5.35 (Ver 14.14)

WARNING: I did not test php+mysql update AFTER system upgrade (I was already using remi repo on CentOS 6.4), so I don’t know if it will raise any error.

If you need latest php 5.4.*, you need to install epel and remi repository, enable them, update php+mysql:

5.a: install remi and epel repositories:

# wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
# wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
# rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

5.b: enable remi repository

# vim /etc/yum.repos.d/remi.repo

Change enabled=0 to enabled=1 inside the [base] section.

5.c: update php and mysql

# yum update php mysql

6. FINISH

I hope everything went fine and you now have an up-to-date GoDaddy VPS with CentOS 6.5!! And you are safe from Heartbleed exploits and worms!

To check if you fixed your server for ssl Heartbleed Bug: http://filippo.io/Heartbleed/

13 thoughts on “Godaddy VPS: upgrade from CentOS 6.x to CentOS 6.5 and fix Bash Shellshock/ssl Heartbleed Bug”

  1. This is a great tutorial, the only one talking about godaddy vps upgrade for those using centos.
    Tested on 3 different vps, no problems at all.
    Many thanks!

  2. This is a great tutorial, how I wish I had read this before I did my yum updates… the iproute package caused my server to go down for 10hrs.

  3. Thanks a lot my friend. Your tutorial works like a champ. I was able to upgrade my Godaddy Centos from 6.4 to 6.5 without any issues.
    Venkat

  4. Thank you Matteo,
    this tutorial saved me lot of time and I was able to upgrade to openssl-1.0.1e-16.el6_5.7 in 1 second…

    So I patched my server after 10 minutes Heartbleed vulnerability was disclosed!

    Thanks again, GoDaddy should say a BIG thanks to you!!!

  5. Thanks so much for your help! I spent more than a day trying to get past the library incompatibilities between 6.4 and 6.5 and then trying to update to 6.5. Your tutorial worked perfectly.

    One note, GoDaddy seems to leave the original CentOS repo file available, you just have to swap /etc/yum.conf.d/CentOS-Base.repoe in to /etc/yum.conf.d/CentOS-Base.repo to get rid of the secureserver repositories and go back to the default ones.

  6. @darrylri glad it worked for you!! Did you try the official godaddy guide? I see they use official repo just to update openssl, then they say to switch back to Godaddy repos…

  7. I didn’t find the “official guide” and their chat support didn’t mention it. I am just happy to get past this so I can get to work updating my website!

  8. Thanks for the article. I’ve been running yum update on my GoDaddy CentOS VPS for six months but no updates were ever listed (not even security patches) I contacted Go Daddy chat support about this and this is what they said:

    “We do not update our repositories this way, We update our provisions, so new servers are up to date with known working configurations. You will need to manually update security patches after the initial provisioning.”

    After switching from GoDaddy repositories to the CentOS repositories I was able to update from Centos 6.4 to 6.5. The only issue I had was with updating Samba, but this is a known issue as listed on CentOS website release notes. I fixed issue by uninstalling Samba

  9. Thank you so much, I read this right after I issued yum update unfortunately so I had to reprovision the server. Fortunately I didn’t reboot the system after I ran the update so I was able to get everything backed up first. Thanks again!

  10. Thanks. Got me out of a jam where I always got “No packages marked for update” on Godaddy VPS using their repos.

  11. Thank you, I didn’t find any way to update bash on centOS 6.4, yum update didn’t return any security update for bash!
    Using your guide I updated to CentOS 6.5 and fixed bash bug, which is critical! THANK YOU!!

  12. Thanks. I’ve updated it and seems to work without major errors. Have not rebooted the server yet!
