Linux find binary package

Discover to which package a file belongs to

Related Packages and Files

Sometimes you want to know the related package of a file, before installation, or when it is already there. This is of great help during system hardening or general system cleanups. In this article we have a look at several ways to determine the relationships between files and the package they belong to. We have gathered this information for multiple Linux distributions.

CentOS, Fedora, RHEL

Show files for RPM packages

Show files for packages on the repository

If you use dnf, then you can query files from the packages that are in your repositories. The package itself does not have to be installed.

Use the -q option with dnf to show only the relevant output.

Show files per installed package

To show what files are in a package, use the rpm command.

If you have the file name, you can turn this around and find the related package.

The output will provide the package and its version.

To just see the package name, use the –queryformat option.

With yum you can do a similar request to see the related package.

And with DNF there is the provides argument.

This will give you possibly multiple hits, as a file can be part of packages from different repositories.

This data is less easy to parse due to the different types of lines.

Debian and Ubuntu

Discover related package

If you want to find the related package of a binary (or file), we first have to know the full path. If you know the binary, then use the which command to discover where it is stored. Using the find command is another option, but may be less efficient. With the dpkg package management tool we can find the related package.

Without the awk command, the output will look like this.

Show files installed by package

If you already know the package name, you can quickly look up the files that are installed by a Debian package.

Let’s do the same for the at package and see what it exactly installs (and where).

Gentoo

The first option is using equery, which is part of the package app-portage/gentoolkit.

The package itself should be installed.

Next alternative is qlist, which is part of app-portage/portage-utils

OpenSUSE

Systems running the distributions from SuSE can use the zypper tool to find the link between a file and a package.

Show related package

Got more useful commands to share? Let it know in the comments and we add them to the article.

Keep learning

So you are interested in Linux security? Join the Linux Security Expert training program, a practical and lab-based training ground. For those who want to become (or stay) a Linux security expert.

Run automated security scans and increase your defenses. Lynis is an open source security tool to perform in-depth audits. It helps with system hardening, vulnerability discovery, and compliance.

Continue reading

Troubleshooting a full /boot partition on Ubuntu

Show vulnerable packages on Arch Linux with arch-audit

Linux security guide: the extended version

How to solve an expired key (KEYEXPIRED) with apt

4 comments

Example for Arch Linux:

$ pacman -Qo /usr/bin/ls
/usr/bin/ls is owned by coreutils 8.26-1

Thanks for sharing Frank

Hey, place a like button somewhere in your blog pages!.

Those like buttons can leak information to Facebook and Twitter, so that is why there are none 🙂

Leave a Reply Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

About Linux Audit

This blog is part of our mission: help individuals and companies, to scan and secure their systems. We simply love Linux security, system hardening, and questions regarding compliance.

Besides the blog, we have our security auditing tool Lynis. Open source, GPL, and free to use.

For those with enterprise needs, or want to audit multiple systems, there is an Enterprise version.

«One security solution to audit, harden, and secure your Linux/UNIX systems.»

Benefits:

• Perform audits within a few minutes
• Central management
• Powerful reporting
• Compliance checks (e.g. PCI DSS)
• Additional plugins and more tests

Enjoy the articles!

Linux and UNIX security automation

Lynis is a free and open source security scanner. It helps with testing the defenses of your Linux, macOS, and Unix systems. Typical use-cases for this software include system hardening, vulnerability scanning, and checking compliance with security standards (PCI-DSS, ISO27001, etc).

Recent Posts

Contact

This blog is part of our mission to share valuable tips about Linux security. We are reachable via @linuxaudit

Company details

CISOfy
De Klok 28,
5251 DN, Vlijmen, The Netherlands
+31-20-2260055

Источник

Binary package guide

Next to the usual support for source-based ebuilds, Portage also supports building and installing binary packages. This guide explains how to create them, install them, and how to setup a binary package server.

Contents

Introduction

There are many reasons why some system administrators like using binary packages for software installations on Gentoo:

• It allows administrators to save time when keeping similar systems updated. Having to compile everything from source can become time consuming. Maintaining several similar systems, possibly some of them with older hardware, can be much easier if only one system has to compile everything from source and the other systems use the binary packages.
• Do safe updates. For mission-critical systems in production it is important to stay usable as much as possible. This can be done by a staging server that performs all updates first to itself. Once the staging server is in a good state the updates can then be applied to the critical systems. A variant of this approach is to do the updates in a chroot on the same system and use the binaries created there on the real system.
• As a backup. Often binary packages are the only way of recovering a broken system (i.e. broken compiler). Having pre-compiled binaries around either on a binary package server or locally can be of great help in case of a broken toolchain.
• It aids in updating very old systems. The task of updating very old systems can be greatly eased using binary packages. It is usually helpful to install binary packages on old systems because they do not require build time dependencies to be installed/updated. Binaries packages also avoid failures in build processes since they are pre-compiled.

This guide will focus on the following topics:

• Creating binary packages.
• Distributing the packages to clients.
• Implementing binary packages.
• Maintaining the binary packages.

Near the end a few more advanced topics on dealing with binary packages will be covered.

Creating binary packages

There are three main methods for creating binary packages:

1. After a regular installation, using the quickpkg application.
2. Explicitly during an emerge operation by using the —buildpkg ( -b ) option.
3. Automatically through the use of the buildpkg (build binary packages for all packages) or buildsyspkg (build binary packages only for the system set) values in Portage’s FEATURES variable.

All three methods will create a binary package in the directory pointed to by the PKGDIR variable (which defaults to /var/cache/binpkgs ).

Using quickpkg

The quickpkg application (included in Portage) takes one or more dependency atoms (or package sets) and creates binary packages for all installed packages that match that atom.

For instance, to create binary packages of all installed GCC versions:

To create binary packages for the system set:

To create binary packages of all installed packages on the system, use the * glob:

There is a caveat with this method: it relies on the installed files, which can be a problem in case of configuration files. Administrators often change configuration files after installing software. Because this could leak out important (perhaps even confidential) data into the packages, quickpkg by default does not include configuration files that are protected through the CONFIG_PROTECT method. To force inclusion of configuration files, use the —include-config or —include-unmodified-config options.

Using —buildpkg as an emerge option

When installing software using emerge , Portage can be asked to create binary packages by using —buildpkg ( -b ) option:

It is also possible to ask Portage to only create a binary package but not to install the software on the live system. For this, the —buildpkgonly ( -B ) option can be used:

The latter approach however requires all build time dependencies to be previously installed.

Implementing buildpkg as a Portage feature

The most common way to automatically create binary packages whenever a package is installed by Portage is to use the buildpkg feature, which can be set in /etc/portage/make.conf like so:

With this feature enabled, every time Portage installs software it will create a binary package as well.

Excluding creation of some packages

It is possible to tell Portage not to create binary packages for a select few packages or categories. This is done by passing the —buildpkg-exclude option to emerge:

This could be used for packages that have little to no benefit in having a binary package available. Examples would be the Linux kernel source packages or upstream binary packages (those ending with -bin like www-client/firefox-bin).

Setting up a binary package host

Portage supports a number of protocols for downloading binary packages: FTP, FTPS, HTTP, HTTPS, and SSH/SFTP. This leaves room for many possible binary package host implementations.

There is, however, no «out-of-the-box» method provided by Portage for distributing binary packages. Depending on the desired setup additional software will need to be installed.

Web based binary package host

A common approach for distributing binary packages is to create a web-based binary package host.

Use a web server such as lighttpd (www-servers/lighttpd) and configure it to provide read access to /etc/portage/make.conf ‘s PKGDIR location.

Then, on the client systems, configure the PORTAGE_BINHOST variable accordingly:

SSH binary package host

To provide an authenticated approach for binary package mirrors, Portage can be configured to use the SSH protocol to access binary packages.

When using SSH, it is possible to use the root Linux user’s SSH key (without passphrase as the installations need to happen in the background) to connect to a remote binary package host.

To accomplish this, make sure that the root user’s SSH key is allowed on the server. This will need to happen for each machine that will connect to the SSH capable binary host:

The PORTAGE_BINHOST variable could then look like so:

/.ssh/config for setting ports or username. This location is ignored when Portage tries to rsync the packages back onto the client. Instead set all the options correctly in the PORTAGE_BINHOST variable.

NFS exported

When using binary packages on an internal network, it might be easier to export the packages through NFS and mount it on the clients.

The /etc/exports file could look like so:

On the clients, the location can then be mounted. An example /etc/fstab entry would look like so:

The NFS share is mounted on the local filesystem, so there is no need to set PORTAGE_BINHOST or use the —getbinpkg option. Instead, follow the normal procedures for installing binary packages, remembering to point PKGDIR to the NFS share so that portage knows where to find the packages:

Using binary packages

For binary packages to be usable on other systems they must fulfill some requirements:

• The client and server architecture and CHOST must match.
• The CFLAGS and CXXFLAGS variables used to build the binary packages must be compatible with all clients.
• USE flags for processor specific instruction set features (like MMX, SSE, etc.) have to be carefully selected; all clients need to support them.

The app-misc/resolve-march-native utility can be used to find a subset of CFLAGS that is supported by both the server and client(s). For example, the host might return:

While the client might return:

In this example CFLAGS could be set to -march=ivybridge -mno-rdrnd since -march=ivybridge is a full subset of -march=skylake . -mabm and -mrtm are not included as these are not supported but the client. However, -mno-rdrnd is included as the client does not support -mrdrnd . To find which -march ‘s are subsets of others, check the gcc manual, if there is no suitable subset set e.g. -march=x86-64 .

Optionally, it is also possible to set -mtune=some-arch or -mtune=native to tell gcc to tune code to a specific arch. In contrast to -march , the -mtune argument does not prevent code from being executed on other processors. For example, to compile code which is compatible with ivybridge and up but is tuned to run best on skylake set CFLAGS to -march=ivybridge -mtune=skylake . When -mtune is not set it defaults to whatever -march is set to.

When changing -march to a lower subset for using binary packages on a client, a full recompilation is required to make sure that all binaries are compatible with the client’s processor, to save time packages that are not compiled with e.g. gcc/clang can be excluded:

Similarly, app-portage/cpuid2cpuflags can be used to find a suitable subset of processor specific instruction set USE flags. For example, the host might return:

While the client might return:

In this example CPU_FLAGS_X86 can be set to avx f16c mmx mmxext pclmul popcnt sse sse2 sse3 sse4_1 sse4_2 ssse3 in /etc/portage/make.conf because these flags are supported by both the client and the host

Next to these, Portage will check if the binary package is built using the same USE flags as expected on the client. If a package is built with a different USE flag combination, Portage will either ignore the binary package (and use source-based build) or fail, depending on the options passed to the emerge command upon invocation (see Installing binary packages).

On clients, a few configuration changes are needed in order for the binary packages to be used.

Installing binary packages

There are a few options that can be passed on to the emerge command that inform Portage about using binary packages:

Option	Description
—usepkg ( -k )	Tries to use the binary package(s) in the locally available packages directory. Useful when using NFS or SSHFS mounted binary package hosts. If the binary packages are not found, a regular (source-based) installation will be performed.
—usepkgonly ( -K )	Similar to —usepkg ( -k ) but fail if the binary package cannot be found. This option is useful if only pre-built binary packages are to be used.
—getbinpkg ( -g )	Download the binary package(s) from a remote binary package host. If the binary packages are not found, a regular (source-based) installation will be performed.
—getbinpkgonly ( -G )	Similar to —getbinpkg ( -g ) but will fail if the binary package(s) cannot be downloaded. This option is useful if only pre-built binary packages are to be used.

In order to automatically use binary package installations, the appropriate option can be added to the EMERGE_DEFAULT_OPTS variable:

There is a Portage feature that automatically implements the equivalent of —getbinpkg ( -g ) without the need for updating the EMERGE_DEFAULT_OPTS variable with the —getbinpkg value:

Pulling packages from a binary package host

When using a binary package host, clients need to have the PORTAGE_BINHOST variable set in /etc/portage/make.conf or the sync-uri variable in /etc/portage/binrepos.conf . Otherwise, the client will not know where the binary packages are stored which results in Portage being unable to retrieve them.

The PORTAGE_BINHOST variable uses a space-separated list of URIs. This allows administrators to use several binary package servers simultaneously. The URI must always point to the directory in which the Packages file resides.

Reinstalling modified binary packages

Passing the —rebuilt-binaries option to emerge will reinstall every binary that has been rebuilt since the package was installed. This is useful in case rebuilding tools like revdep-rebuild are run on the binary package server.

A related option is —rebuilt-binaries-timestamp . It causes emerge not to consider binary packages for a re-install if those binary packages have been built before the given time stamp. This is useful to avoid re-installing all packages, if the binary package server had to be rebuild from scratch but —rebuilt-binaries is used otherwise.

Additional client settings

Next to the getbinpkg feature, Portage also listens to the binpkg-logs feature. This one controls if log files for successful binary package installations should be kept. It is only relevant if the PORT_LOGDIR variable has been set and is enabled by default.

Similar to excluding binary packages for a certain set of packages or categories, clients can be configured to exclude binary package installations for a certain set of packages or categories.

To accomplish this, use the —usepkg-exclude option:

To enable such additional settings for each emerge command, add the options to the EMERGE_DEFAULT_OPTS variable in the make.conf file:

Maintaining binary packages

Exporting and distributing the binary packages will lead to useless storage consumption if the binary package list is not actively maintained.

Removing outdated binary packages

In the app-portage/gentoolkit package an application called eclean is provided. It allows for maintaining Portage-related variable files, such as downloaded source code files, but also binary packages.

The following command will remove all binary packages that have no corresponding ebuild in the installed ebuild repositories:

For more details please read the Eclean article.

Another tool that can be used is the qpkg tool from the app-portage/portage-utils package. However, this tool is a bit less configurable.

To clean up unused binary packages (in the sense of used by the server on which the binary packages are stored):

Maintaining the Packages file

Inside the packages directory exists a manifest file called Packages . This file acts as a cache for the metadata of all binary packages in the packages directory. The file is updated whenever Portage adds a binary package to the directory. Similarly, eclean updates it when it removes binary packages.

If for some reason binary packages are simply deleted or copied into the packages directory, or the Packages file gets corrupted or deleted, then it must be recreated. This is done using emaint command:

Advanced topics

Creating snapshots of the packages directory

When deploying binary packages for a large number of client systems it might become worthwhile to create snapshots of the packages directory. The client systems then do not use the packages directory directly but use binary packages from the snapshot.

Snapshots can be created using the /usr/lib64/portage/python2.7/binhost-snapshot or /usr/lib64/portage/python3.3/binhost-snapshot tool. It takes four arguments:

1. A source directory (the path to the packages directory).
2. A target directory (that must not exist).
3. A URI.
4. A binary package server directory.

The files from the package directory are copied to the target directory. A Packages file is then created inside the binary package server directory (fourth argument) with the provided URI.

Client systems need to use an URI that points to the binary package server directory. From there they will be redirected to the URI that was given to binhost-snapshot . This URI has to refer to the target directory.

Understanding the binary package format

Binary packages created by Portage have the file name ending with .tbz2 . These files consist of two parts:

1. A .tar.bz2 archive containing the files that will be installed on the system.
2. A xpak archive containing package metadata, the ebuild, and the environment file.

See man xpak for a description of the format.

In app-portage/portage-utils some tools exists that are able to split or create tbz2 and xpak files.

The following command will split the tbz2 into a .tar.bz2 and an .xpak file:

The .xpak file can be examined using the qxpak utility.

To list the contents:

The next command will extract a file called USE which contains the enabled USE flags for this package:

The PKGDIR layout

The currently used format version 2 has the following layout:

The Packages file is the major improvement (and also the trigger for Portage to know that the binary package directory uses version 2) over the first binary package directory layout (version 1). In version 1, all binary packages were also hosted inside a single directory (called All/ ) and the category directories only had symbolic links to the binary packages inside the All/ directory.

In portage-3.0.15 and later, FEATURES=binpkg-multi-instance is enabled by default:

Unpacking with quickunpkg

Zoobab wrote a simple shell tool named quickunpkg to quickly unpack tbz2 files.

Источник