On Jul 16, 2008, at 9:08 AM, Terry wrote:
I have been asked to come up with a strategy for centralized patch management of our linux servers. Today, this is only centos and rhel. What is everyone else doing in this arena?
here's a reasonably straightforward scheme:
1) make sure yum is installed on all your systems (if you have RHEL4 boxes)
2) host your own yum repository
3) install an appropriate myrepo.conf in /etc/yum.repos.d on all your hosts
at this point you have a few options:
a) mirror the upstream base and updates repos for your architectures into your local repo and remove all the other contents of /etc/yum.repos.d on all your hosts. this gives you the maximum control over when patches go out to your machines; unfortunately, capturing updates from RH is a bit arduous (one way to do this is to run one machine per architecture that has an RHN subscription, capture all the packages it downloads, and copy them into your local repository) and, especially if you're manually approving each package that gets copied over, it can introduce delay in the deployment of patches.
b) let your systems pull updates from RHN or from CentOS mirrors as normal, and add any additional packages via your custom repo. this scheme requires less effort, but may not be as "centralized" as you desire.
both of these schemes scale to accommodate other third-party repositories, though you have to think about whether you want other repositories to clobber packages from your distribution. these should also scale to accommodate other RPM-based distributions.
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
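As an added example (not part of Steve's reply or any project's code), a POSIX shell script that writes the internal-mirror .repo file from step 3 with gpgcheck turned on, and audits a yum.repos.d directory for enabled repos outside an approved list, which is the check scheme (a) relies on. The repo id, URLs and key location are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: write the internal-mirror repo file from
# step 3 and audit a yum.repos.d directory so that only approved repo ids stay
# enabled. The repo id, URL and key location are assumed placeholders.

# write_repo_conf DIR REPO_ID BASEURL GPGKEY_URL
# Writes DIR/REPO_ID.repo with gpgcheck=1, so only RPMs signed with the key at
# GPGKEY_URL (your own, or the distribution's if you re-host its RPMs) install.
write_repo_conf() {
    dir=$1; id=$2; baseurl=$3; gpgkey=$4
    cat > "$dir/$id.repo" <<EOF
[$id]
name=Internal $id mirror
baseurl=$baseurl
enabled=1
gpgcheck=1
gpgkey=$gpgkey
EOF
}

# enabled_repos DIR
# Prints the id of each [section] in DIR/*.repo that is enabled; yum treats a
# section with no "enabled" line as enabled, so those are counted too.
enabled_repos() {
    dir=$1
    for f in "$dir"/*.repo; do
        [ -f "$f" ] || continue
        awk '
            /^\[/ { if (id != "" && en) print id
                    id = substr($0, 2, length($0) - 2); en = 1; next }
            /^enabled[ \t]*=/ { sub(/^enabled[ \t]*=[ \t]*/, ""); en = ($0 == "1") }
            END { if (id != "" && en) print id }
        ' "$f"
    done
}

# unapproved_repos DIR APPROVED_ID...
# Prints enabled repo ids not in the approved list. Empty output means the host
# only pulls from repos you control, which is what scheme (a) depends on.
unapproved_repos() {
    dir=$1; shift
    for id in $(enabled_repos "$dir"); do
        ok=0
        for a in "$@"; do
            if [ "$id" = "$a" ]; then ok=1; fi
        done
        if [ $ok -eq 0 ]; then echo "$id"; fi
    done
}
```

Run `unapproved_repos /etc/yum.repos.d myrepo` on a host (or from your config-management tool) to list any repo that scheme (a) says should have been removed.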