Updating DTLinux

DTLinux has the built-in capacity to check for updates using the dtcheck command-line tool.

Running dtcheck -update will check with its pre-defined upstream server and inform you if an update is available. The pre-defined update server is https://www.greyware.com. This server offers a browsable folder, so you can read the changelog, obtain hashes, and download the packages you want. Visit the update server to see the currently-available files. Read the online documentation for more information.

/opt/domtime/update.sh is a bash script that inspects the environment and uses dtcheck's built-in check-for-update feature. If an update is available, then the script will offer to download it and upgrade for you. This script requires root or sudo, although using dtcheck -update by itself does not.

dtlinux-update is a symlink in /usr/bin that points to /opt/domtime/update.sh. You may use either command. For simplicity, we'll refer to dtlinux-update hereafter. To see all of the options available, use sudo dtlinux-update --help.

If you just want to know if a new release is available, run dtcheck -update. If you want the option to install a new release if available, use sudo dtlinux-update.

By default, dtlinux-update relies on Internet connectivity to get version information from its upstream server, and to download the appropriate .tgz, .rpm, or .deb (depending on how you first installed DTLinux).

If you don't have Internet connectivity, you may want to set up an alternate update source.

Requirements

DTLinux must be version 5.2.b.20210130 (30 Jan 2021) or later in order to use an alternate update source. If you are running an earlier version, you must first update according to the instructions in /opt/domtime/README.txt. After that, you may set up and use an alternate update source.

Using a local package

If you download a new version of DTLinux, either a TGZ file or an RPM or DEB package, you may update by either following the instructions in README.txt, or by using dtlinux-update:

Syntax: sudo dtlinux-update <filename>

Replace <filename> with the full path and filename of the package you want to install. You must update using the same type of package with which you initially installed DTLinux. dtlinux-update will check for a previous installation and only allow you to use the same type of package.

Specifying an alternate update source

Any web server may serve as your update source, as long as it supports HTTP and optionally HTTPS.

Syntax: sudo dtlinux-update http[s]://ServerNameOrIP[:port]/path/

For example, if you have set up a web server at www.example.com, using the default port 80, with the update files in a folder named /myDTLinuxUpdates, then your command line would be:

sudo dtlinux-update http://www.example.com/myDTLinuxUpdates/

If you are using a non-standard port, for example 8080, then include it after the server name or IP address:

sudo dtlinux-update http://www.example.com:8080/myDTLinuxUpdates/

To protect against DNS hijacking, we recommend you use the server's IP address rather than its name.

If you don't want to type the update source every time, you may edit the /etc/opt/domtime/dtlinux.conf file and change misc:updateURL from its default blank setting to the URL you want to use. Then sudo dtlinux-update will use the URL from the dtlinux.conf file.

Putting a URL on the command line will override both the built-in server and the misc:updateURL setting. If you do not specify a URL on the command line, and misc:updateURL is not blank, then misc:updateURL will be used.
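The precedence rules above, together with the IP-address recommendation, can be checked before running an update. The following is an added example, not part of DTLinux: the function names are hypothetical, and the misc:updateURL value is passed in as an argument rather than read from dtlinux.conf.

```shell
#!/bin/sh
# Added example: which update source would be used, and is its host an IP address?
BUILTIN_URL="https://www.greyware.com"   # built-in server named in this document

# effective_update_url CLI_URL CONF_URL
# A URL on the command line wins, then misc:updateURL, then the built-in server.
effective_update_url() {
    if   [ -n "$1" ]; then printf '%s\n' "$1"
    elif [ -n "$2" ]; then printf '%s\n' "$2"
    else                   printf '%s\n' "$BUILTIN_URL"
    fi
}

# url_host URL: host part of http[s]://ServerNameOrIP[:port]/path/
url_host() {
    rest=${1#*://}; rest=${rest%%/*}            # strip scheme and path
    case $rest in
        \[*\]*) rest=${rest#\[}; printf '%s\n' "${rest%%\]*}" ;;  # [IPv6][:port]
        *)      printf '%s\n' "${rest%%:*}" ;;                     # host[:port]
    esac
}

# is_ip_literal HOST: true for a dotted-quad IPv4 address, or for a host that
# still contains a colon (only possible when it came from [IPv6] brackets).
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] 2>/dev/null || return 1; done
}

# describe_update_source CLI_URL CONF_URL: one summary line for review
describe_update_source() {
    url=$(effective_update_url "$1" "$2")
    host=$(url_host "$url")
    if is_ip_literal "$host"; then by_ip=yes; else by_ip=no; fi
    printf 'url=%s scheme=%s host=%s host_is_ip=%s\n' \
        "$url" "${url%%://*}" "$host" "$by_ip"
}

# Constructed inputs: no command-line URL, misc:updateURL set to this page's example.
describe_update_source "" "http://www.example.com:8080/myDTLinuxUpdates/"
```

A result of host_is_ip=no means the update source depends on name resolution, which is the case the IP-address recommendation addresses.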

When you run your own web server as the update source, you must manually download and refresh the files on your web server as new versions of DTLinux become available.

Using Domain Time II Server as an upstream source

If you are running the Windows version of Domain Time II Server and Domain Time II Manager, and the version number is 5.2.b.20210130 (30 Jan 2021) or later, Domain Time Server can function as your alternate update source. Domain Time Server must have DT2 over HTTP enabled and the checkbox Serve DTLinux Updates ticked. These settings create a virtual directory /dtlinux on the Domain Time Server machine.

Domain Time Server is HTTP-only, so your URL must begin with http. For example, if your Domain Time Server's IP address is 192.168.1.21, using the default HTTP port of 80, then your command line will be:

sudo dtlinux-update http://192.168.1.21/dtlinux

The files served by Domain Time Server are updated automatically when you upgrade Domain Time II Manager. You may also refresh the files manually in case a DTLinux update is available before the next DTWindows update. The default folder is C:\Program Files\Domain Time II\DTLinux\Updates. Administrative permission is required to change files in this folder.

Using Domain Time II Manager to push upgrades

All of the methods listed above are "pull" upgrades. That is, you need to take action on the Linux machine in order to obtain and install updates.

You may also enable "push" upgrades from Domain Time II Manager. To allow this, change the dt2Security:managerUpgrade value in /etc/opt/domtime/dtlinux.conf to true and apply the change. (If you make the change from Domain Time II Manager, it will be automatically applied. If you make this change from your Linux machine, then run sudo systemctl reload dtlinux.service.)

Important: You should also set the dt2Security:allow variables to limit access to your Manager machine(s) only. These variables control what IP address(es) are allowed to connect and send or get files. By default, DTLinux accepts TCP connections from all RFC 1918 private IP ranges. This is likely too broad for security-aware admins. Use any combination of specific IP addresses or CIDR ranges that suits your needs.

If you want to restrict upgrade access beyond just Manager's IP address, you may use

sudo dtcheck -authorize <NameOrIP>

from the Linux command line, substituting a DNS name or an IP address for <NameOrIP>. This will create a text file called /opt/domtime/authorized.managers, which contains the IP address(es) of the Manager machine you specify plus an SHA256 hash unique to that Manager machine. If you use a DNS name instead of an IP address, then dtcheck will create an IP=hash value pair for each IP address returned by the DNS lookup query on the name.

When the authorized.managers file is present and contains at least one IP=hash value pair, then only Managers from the IP addresses listed will be allowed to push upgrades, restart the dtlinux service, or read/write the dtlinux.keys file. Other Managers may continue to manage your Linux machine, but not push upgrades, restart the dtlinux service, or read/write the dtlinux.keys file. You may add as many Managers as you want to the authorized.managers file. To revoke an authorization, use

sudo dtcheck -revokeAuth <IPAddress>

substituting an IP address for <IPAddress>. You may also edit the authorized.managers file to remove IP addresses you no longer want to have special access. If you delete the authorized.managers file, or remove all the IP=hash values, then all Managers have equal access, and the only restrictions are based on the dt2Security:allow entries in your dtlinux.conf file.
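Because an empty or missing authorized.managers file silently returns all Managers to equal access, it is worth auditing the file against the list of Managers you intend to authorize. The following is an added example, not part of DTLinux: the function names are hypothetical, the file is assumed to hold one IP=hash pair per line, and the sample hash values are placeholders.

```shell
#!/bin/sh
# Added example: audit an authorized.managers file against the Manager IPs
# you expect. Assumes one IP=hash pair per line; hash values are not checked.
#
# audit_managers FILE "ip1 ip2 ..." prints one finding per line:
#   UNEXPECTED ip     pair present for an IP that is not in the expected list
#   MALFORMED line n  non-blank line that is not of the form IP=hash
#   MISSING ip        expected Manager that has no pair in the file
#   ACTIVE n          n pairs present, so the restriction is in force
#   INACTIVE          no pairs, so all Managers have equal access
audit_managers() {
    file=$1; expected=" $2 "; pairs=0; seen=" "; n=0
    [ -r "$file" ] || { echo "INACTIVE"; return 0; }
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '') continue ;;
            ?*=?*)
                ip=${line%%=*}; pairs=$((pairs + 1)); seen="$seen$ip "
                case $expected in
                    *" $ip "*) ;;
                    *) echo "UNEXPECTED $ip" ;;
                esac ;;
            *) echo "MALFORMED line $n" ;;
        esac
    done < "$file"
    for ip in $2; do
        case $seen in *" $ip "*) ;; *) echo "MISSING $ip" ;; esac
    done
    if [ "$pairs" -ge 1 ]; then echo "ACTIVE $pairs"; else echo "INACTIVE"; fi
}

# Constructed sample file; the addresses and hash placeholders are made up.
demo_audit() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '192.168.1.21=PLACEHOLDER_HASH_A' \
                  '192.168.1.99=PLACEHOLDER_HASH_B' \
                  'not a pair' > "$tmp"
    audit_managers "$tmp" "192.168.1.21 192.168.1.22"
    rm -f "$tmp"
}
demo_audit
```

To audit a real machine, call audit_managers with /opt/domtime/authorized.managers and your own list of Manager IP addresses.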



This document last updated on 03 Mar 2021