[CentOS-devel] Delta RPMs disabled by default?

Sat Jul 12 04:34:54 UTC 2014
Nico Kadel-Garcia <nkadel at gmail.com>

On Fri, Jul 11, 2014 at 11:32 PM, Les Mikesell <lesmikesell at gmail.com> wrote:

> Yes, that's my point,  None of them do what I want a configuration
> tool to do.  Which I'd think anyone with more than a few machines
> would want.  And given that the packages are versioned and all that
> needs to happen is that the production updates need to go to the same
> version numbers that were tested together earlier, it doesn't seem
> like it should be a difficult thing for a tool to handle for you.
> But, I don't think there is even anything that will tell you the
> differences between two systems or verify that they have matching
> installations at the same update levels.

This has drifted profoundly from the delta rpms question, and might be
better over in the userland. I'll toss in a last note, if no one
minds.

Everyone in the business for a while runs into this. Almost everyone
winds up writing their own, because they have subtle differences in
what they want, and I'm afraid that most of them are quite amateurish
and do not scale well. Full blown package management at complete RPM
version and release control is theoretically straightforward. We've
discussed a basic "select a template environment, record it, and
propagate that package list" approach, which I've had fairly good
success with in environments up to 200 hosts. And the "do it in a
chroot cage", which is supported by mock based setups these days, is
very helpful because it allows very fast template setup and
modification, very efficiently, without actually building new hosts.

Auditing system packages is straightforward: no one I know if does it
without enormous infrastructure used for other ereasons, or without
simply running "ssh $hosnname rpm -qa" from an authoized central
server across all the hosts. You don't need yum for that, which is a
very network burdensome tool and blocks other yum activities.

But there's additional infrastructure needed. For example, the CentOS
releases go out of date. If you want to replicate a stable CentOS 6.1
environment, or pull in even *one* expired package from that
distribution for between your test setup and your production setup,
you either have to enable and talk to the CenOS 6.1 archive server,
which is not widely mirrored and therefore quite slow, or you have to
set up an internal CentOS 6.1 local mirror and configure it.
That's.... a bunch of extra work. A lot of admins wind up simply
ignoring it and hoping the problem will not surface, much like they
ignore putting passphrases on their SSH keys or much like they just
disable SELinux instead of learning it. They just don't consider it
worth the effort.

And until they git bit, hard, by subtle package discrepancies, they're
often quite correct. It's not worth the effort, just do 'yum install'
and hope for the best. It's not my approach, but it's understandable.