On Thu, Feb 12, 2009, Les Mikesell wrote:
Bill Campbell wrote:
That sounds like the kiss of death for any critical service. Can't it figure out ahead of time that this is going to happen and let the service keep running unchanged with a warning message about needing the update instead?
You're missing the point. If the service is already running, the changes won't take effect until you restart the service with the new binaries. And the whole patching exercise is what maintenance windows are for, anyway. Note that it's critical SERVICE, not critical SERVER. The former is more important than the latter, so ideally you should be able to take down the latter in order to upgrade one implementation of the former.
I understand the distinction very well. In the time we have been using this method, we have never taken down a service for any significant period of time (the services are restarted on installation by the RPM SPEC files' %pre, %post processing).
Of course we don't do things that are likely to take a critical service down without proper prior planning (often found out the hard way on our own systems :-). If an update is likely to have an impact on operations, it is scheduled during a maintenance window.
In other words you've dedicated sufficient human resources to undo whatever damage the package management system causes...
Isn't that what our customers are paying us to do?
That has to be true no matter how one is doing updates.
I have personally updated clamav on more than 50 machines in an afternoon without having any of them down for more than a minute, and that time mostly because clamav takes a while to restart.
FWIW, we normally have clamav updates installed at all our client sites within 24 hours of the first notice that there's a new version out from swatch looking at the freshclamav.log file. This includes downloading the new tarball, updating the OpenPKG SRPM, building, testing in-house, and deployment. Often this is complete before people on this CentOS list start asking questions about the update or saying it won't build.
Oh, and these updates are on a variety of Linux systems ranging from SuSE 9.0 Pro, SLES9, SLES10, CentOS 4.5 through CentOS 5.x, and at least one FreeBSD box -- all from the same SRPM file.
Bill