Hello,
I'm looking for a solution to automatically yum update security-relevant packages on a couple hundred CentOS 6/7 servers. The deployment/trigger would be Ansible.
I looked into the "yum-plugin-security" and tested it on a CentOS 6 installation but always found no security-relevant updates (yum list-security/yum --security update) where there should be at least a couple. I read around it and found that this solution is not working for CentOS (can you please confirm?). What is the best practice to upgrade security-relevant packages on live systems without service interruption?
Thanks in advance!
Cheers,
Chris
Chris,
I recommend you look into:
- Spacewalk: Centralized system management utility (http://spacewalk.redhat.com/)
- Errata update tool: https://github.com/mike-wendt/spacewalk-centos-errata
- CentOS repos do not include the errata information in the repo itself (EPEL does include errata info in its repos), so others have created external tools that pull errata off of the mailing lists.
Combined, they would allow you to have a local mirror of the CentOS repos and push/pull only the packages you want to install.
Bill
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
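Why `yum --security` can report nothing, as an added example that is not code from this thread: yum's security filtering relies on an `updateinfo` entry in a repository's `repodata/repomd.xml`, and this sketch checks for that entry. Both repomd.xml samples are constructed and trimmed, and the function and repo names are hypothetical.

```python
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample: a repo that publishes package metadata but no errata.
REPOMD_WITHOUT_ERRATA = """
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="filelists"><location href="repodata/filelists.xml.gz"/></data>
  <data type="other"><location href="repodata/other.xml.gz"/></data>
</repomd>
"""

# Constructed sample: a repo that also ships errata (updateinfo) metadata.
REPOMD_WITH_ERRATA = """
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <data type="primary"><location href="repodata/primary.xml.gz"/></data>
  <data type="updateinfo"><location href="repodata/updateinfo.xml.bz2"/></data>
</repomd>
"""


def metadata_types(repomd_xml):
    """Map each <data type=...> entry in repomd.xml to its location href."""
    root = ET.fromstring(repomd_xml.strip())
    found = {}
    for data in root.findall(REPO_NS + "data"):
        loc = data.find(REPO_NS + "location")
        found[data.get("type")] = loc.get("href") if loc is not None else None
    return found


def has_errata(repomd_xml):
    """True when the repo advertises updateinfo, which --security needs."""
    return "updateinfo" in metadata_types(repomd_xml)


def repos_without_errata(repos):
    """Names of repos for which security-only filtering has no data to use."""
    return sorted(name for name, xml in repos.items() if not has_errata(xml))


if __name__ == "__main__":
    sample = {"centos-like": REPOMD_WITHOUT_ERRATA, "epel-like": REPOMD_WITH_ERRATA}
    for name in repos_without_errata(sample):
        print(name + ": no updateinfo, security filter will match nothing")
```

Against a real mirror, feed the function the contents of `repodata/repomd.xml` from each enabled repository.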
On 12/15/2015 02:07 PM, Bill Howe wrote:
Chris,
I recommend you look into:
- Spacewalk: Centralized system management utility (
- Errata update tool: https://github.com/mike-wendt/spacewalk-centos-errata
- CentOS repos do not include the errata information in the repo itself (EPEL does include errata info in its repos), so others have created external tools that pull errata off of the mailing lists.
Combined, they would allow you to have a local mirror of the CentOS repos and push/pull only the packages you want to install.
Bill
Hi,
please be aware that the Spacewalk was an OSS variant of Satellite 5. I would strongly recommend to build a "Satellite 6" from the OSS components. Just check the Satellite 6 @ Red Hat Customer Portal to find all the required components.
//Zdenek
Hello Zdenek,
Thanks for your answer. Is Satellite 5 out of life? I see there is version 2.4 from October this year. I have no objections to stick with an older version when I can have "Satellite 6", but what do you mean by finding the components?
Thanks in advance!
Cheers, Chris
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Zdenek Sedlak
Sent: Tuesday, December 15, 2015 20:20
To: centos@centos.org
Subject: Re: [CentOS] Upgrade security relevant packages
Hi,
please be aware that the Spacewalk was an OSS variant of Satellite 5. I would strongly recommend to build a "Satellite 6" from the OSS components. Just check the Satellite 6 @ Red Hat Customer Portal to find all the required components.
//Zdenek
On 12/15/2015 06:12 AM, Chris wrote:
Hello,
I'm looking for a solution to automatically yum update security-relevant packages on a couple hundred CentOS 6/7 servers. The deployment/trigger would be Ansible.
I looked into the "yum-plugin-security" and tested it on a CentOS 6 installation but always found no security-relevant updates (yum list-security/yum --security update) where there should be at least a couple. I read around it and found that this solution is not working for CentOS (can you please confirm?). What is the best practice to upgrade security-relevant packages on live systems without service interruption?
I will do the obligatory point out that JUST installing security updates and NOT also installing all the other updates that the security updates were built against is NOT supported in either CentOS or RHEL.
For example, look at this errata:
https://rhn.redhat.com/errata/RHSA-2015-2655.html
Read the Solution section, where it says:
"Before applying this update, make sure all previously released errata relevant to your system have been applied."
This does not say all previous security errata or some selected group of packages .. it says 'all previously released errata'. That means all Bugfix, Enhancement, and Security updates that were released before this errata was released .. and that means run a 'yum update' and install all updates.
If you are picking only security updates and not all updates, then that is not a tested secure solution.
The only supported and tested solution is all updates.