Hi all,
Both RHEL 6 and CentOS 6 can be installed from any minor release's DVDs: 6.0, 6.1, 6.2, 6.3, etc., and then get continuous upgrades/updates with the command 'yum -y upgrade' if the repos are set up correctly.
But the repo infrastructure is different between the two. CentOS uses two repos:
..../centos/6/os/... repo and .../centos/6/updates/...
The updates/ repo contains ONLY the RPMs updated between minor releases. Currently updates/ contains the updates after 6.3, and /centos/6/os/ points to the 6.3 base.
Question #1:
Suppose I installed with CentOS 6.2 last year, and let's say CentOS 6.4 comes out two months later, and I have not updated a single package since the initial installation until CentOS 6.4 comes out (I am way too lazy :) ). Then how can I set up my yum config to not miss any updated packages?
Should I put all three repos inside the yum config?
centos-6.2-kickstart-os, centos-6-os, centos-6-updates
Or is centos-6.2-kickstart-os not needed at all, because centos-6-os and centos-6-updates together contain all the latest RPMs since 6.0? The first way may cause yum to report a warning of 'duplicate RPM group definitions' or similar.
Question #2:
I've heard that RHEL 6 takes a different path; they seem to have only one big, continuously updated base os/ repository. All the RPMs updated since 6.0 (including the RPMs published on the release day of RHEL 6.0) are contained in that repo, so only the one repo is needed to upgrade systems at any time. Is this true? And if so, what benefits go with it?
Thanks.
--Robinson
On 02/08/2013 07:45 PM, Gelen James wrote:
<snip>
There is no difference in the two approaches if you want the latest updated version of the OS. You just need to use centos-6-os and centos-6-updates. If you install from a CentOS-6.0 ISO and run yum upgrade, you will have the latest set of updated RPMs.
The one difference in having everything in one BIG repo is that you would have access to every single version, not just the latest version, of the RPMs in that one repo. If you needed an older version of a particular package, it is fairly easy to do in that scenario.
The negative is that it would be much larger than only the latest RPMS.
Our vault.centos.org servers (where all the old releases are available, if you actually need older RPMs for some reason) hold 663GB. The mirror.centos.org trees are only 130GB. Since we push CentOS to more than 520 mirrors in 75 countries all over the world, we need to split out the latest trees (130GB) and make that available to millions of users. Vault (663GB) requires much more storage, but user demand is also much less for the older releases.
Remember, Red Hat is a billion-dollar company and CentOS runs our infrastructure completely on donated servers ... the fact that we can serve millions of users 130GB of data for free is nothing short of amazing ... but many of our machines do not have the capacity to serve all 663GB of data. But we do also provide vault.centos.org for users who actually need all 663GB of data.
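The repo layout in the reply above lends itself to a quick sanity check of what is actually in /etc/yum.repos.d before trusting 'yum -y upgrade' to catch everything. The script below is an added example, not code from the thread or from the CentOS project. Its .repo contents are constructed to match the three candidate repos from the question (mirror.example.invalid is a placeholder host), and it assumes yum's documented defaults: a repo without enabled= counts as enabled, and a repo without gpgcheck= inherits [main], whose own default is off.

```python
"""Audit a yum .repo file for what a CentOS 6 host needs to stay current:
'base' and 'updates' present and enabled, GPG checking on everywhere, and
no enabled repo pinned to a single minor release.  Added example; the
sample files are constructed and mirror.example.invalid is a placeholder."""
import configparser
import re

# Constructed sample: the question's three candidates.  'base' omits
# 'enabled=' (yum treats a missing 'enabled' as 1), 'updates' has been
# switched off, and the pinned 6.2 install-media repo skips signature checks.
SAMPLE_REPO = """\
[centos-6.2-kickstart-os]
name=CentOS-6.2 - Install media
baseurl=http://mirror.example.invalid/centos/6.2/os/x86_64/
gpgcheck=0
enabled=1

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
enabled=0
"""

# Constructed: the same file with only the two repos the reply says you need.
CLEAN_REPO = """\
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
"""

REQUIRED = ("base", "updates")
# A URL that hard-codes a minor release (.../centos/6.2/...) can never
# deliver anything newer than that point release.
PINNED_MINOR = re.compile(r"/centos/(\d+\.\d+)/")


def parse_repo(text):
    """Parse .repo INI text into {repo_id: {option: value}}.
    interpolation=None keeps yum's $releasever/$basearch literal; '=' is the
    only delimiter so URLs containing ':' are not split."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def is_enabled(repo):
    # yum default: a repo without 'enabled=' is enabled.
    return repo.get("enabled", "1").strip() == "1"


def audit(text):
    """Return a list of (repo_id, problem) pairs; an empty list means OK."""
    repos = parse_repo(text)
    problems = []
    for rid in REQUIRED:
        if rid not in repos:
            problems.append((rid, "missing"))
        elif not is_enabled(repos[rid]):
            problems.append((rid, "disabled"))
    for rid, repo in repos.items():
        # Missing gpgcheck inherits [main], whose default is off: treat as off.
        if repo.get("gpgcheck", "0").strip() != "1":
            problems.append((rid, "gpgcheck is off: unsigned RPMs would be accepted"))
        elif not repo.get("gpgkey"):
            problems.append((rid, "gpgcheck=1 but no gpgkey configured"))
        url = repo.get("baseurl", "") + " " + repo.get("mirrorlist", "")
        pin = PINNED_MINOR.search(url)
        if pin and is_enabled(repo):
            problems.append((rid, "pinned to " + pin.group(1)
                             + "; redundant alongside base+updates, disable it"))
    return problems


if __name__ == "__main__":
    for rid, problem in audit(SAMPLE_REPO):
        print(rid + ": " + problem)
```

Point it at the real file with `audit(open("/etc/yum.repos.d/CentOS-Base.repo").read())`; any repo it reports as pinned is the kickstart-style leftover the question asks about, and it should be disabled rather than left to shadow base+updates.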
On 02/08/2013 07:45 PM, Gelen James wrote:
<snip>
supposed I installed with Centos 6.2 last year, and let's say Centos 6.4 comes out two months later and I have not updated a single package since initial installation until Centos 6.4 comes out (I am way too lazy :)
That would be extremely unfortunate ... because there are *VERY IMPORTANT* security updates that come out between point releases.
There are 2 classes of these updates (Critical and Important) that should be applied ASAP after release to prevent root access by unauthorized users. It is extremely important to maintain Internet facing machines updated with security updates. There are 2 less severe security updates (Moderate and Low) that should also be installed, but are not as critical ... and there are also bugfix and enhancement updates that are a convenience, but likely not required.
Machines get rooted if security updates are skipped ... don't do it.
Our CentOS Announce list has "Topics" that split those announcements so you can minimize the traffic you get. One "topic" is "Security Updates" ... utilizing that and the Daily Digest feature, you can get one e-mail (only on days when we do a security release) to get minimum contact for only important announcements. Please use it.
To understand how Red Hat rates "Severity" ... please review this:
https://access.redhat.com/security/updates/classification/
Here is also some good reading concerning security metrics:
http://www.redhat.com/security/data/metrics/
Stay updated !!!
Thanks, Johnny Hughes
On 02/09/2013 05:58 AM, Johnny Hughes wrote:
On 02/08/2013 07:45 PM, Gelen James wrote:
<snip>
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
I would assume (and I know it's not good to do that!) that the updates and patches that are pushed out through the repos are something not to be ignored,....so why would the severity of one be that big an issue?....(and I'm just curious...not trying to start a war!..LoL!)
EGO II
For a start there are three categories: bug fixes, enhancements and security fixes.
The first will cover things like typos in man pages or behaviour that is not right but has no risk to the system.
The second adds something new to a package - tzdata is a good example here.
The third is security issues - these will generally fix one or more CVE announcements.
Within that third category there are different levels of security issue depending on the nature of the problem.
For example, if something needs an interactive login as an unprivileged user to cause a process (eg mysqld) to fail, that could be a low security risk given the need to be on the system, and only a denial of service to that one subsystem with no data loss.
A higher category might be an unprivileged user being able to escalate their privileges to obtain increased access to a system they shouldn't have - there was a sudo exploit last year that would fall into this.
The most severe category of security issue would allow an unprivileged user to remotely gain privileged access... This leads to full system compromises and should always be patched asap - especially on public facing systems.
Sometimes it's possible to chain these things together... For example there might be a way for an unprivileged user to run arbitrary code (think a PHP bug perhaps) which you could then chain to a local privilege escalation to take full control of a system.
This is also why selinux is important to confine services, to prevent them from going out of their allowed domain and mitigating security issues as and when they arise.
As an admin, rather than just updating everything all the time it's best practice to schedule updates and test them before major rollouts. Depending on the severity of the issue it may be something you delay to a standardised patching schedule (eg once a month update things) or treat as an emergency and roll out much quicker.
Does that help explain things?
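Johnny Hughes's reply above splits security errata by severity, and the reply here splits updates into bug fix, enhancement and security; the CentOS-announce list encodes both in the subject line, through the advisory prefix (CESA for security, CEBA for bug fix, CEEA for enhancement) and the severity word on security advisories. The script below is an added example, not code from the thread or from the CentOS project. It parses subjects in that style into the patch-now / next-window / routine decision the two replies describe. The subjects are constructed, the exact subject layout is an assumption about the list's format, and the scheduling rule is only the one stated in the replies. (The in-band alternative, 'yum --security' from yum-plugin-security, depends on updateinfo metadata that the CentOS 6 base and updates repos do not ship, which is why the announce list is the practical feed.)

```python
"""Triage CentOS-announce subject lines into the three update classes the
thread describes (bug fix, enhancement, security) and, for security
errata, the Red Hat severity.  Added example, not from the thread.  The
subject layout (CESA/CEBA/CEEA-YYYY:NNNN, optional severity, release,
package, trailing 'Update') is an assumption about the list's style; the
sample subjects below are constructed, not real advisories."""
import re
from collections import namedtuple

Erratum = namedtuple("Erratum", "advisory kind severity release package")

KIND = {"CESA": "security", "CEBA": "bugfix", "CEEA": "enhancement"}
# Severities to roll out immediately rather than at the next patch window.
EMERGENCY = {"Critical", "Important"}

SUBJECT = re.compile(
    r"^(?:\[CentOS-announce\]\s+)?"
    r"(?P<adv>CE[SBE]A-\d{4}:\d{4})\s+"
    r"(?:(?P<sev>Critical|Important|Moderate|Low)\s+)?"
    r"CentOS\s+(?P<rel>\d+)\s+(?P<pkg>\S+)\s+(?:\S+\s+)*Update\s*$"
)

# Constructed sample digest in the announce-list style (assumed format).
SAMPLE_SUBJECTS = [
    "[CentOS-announce] CESA-2013:0001 Critical CentOS 6 kernel Update",
    "[CentOS-announce] CESA-2013:0002 Moderate CentOS 6 openssl Update",
    "[CentOS-announce] CEBA-2013:0003 CentOS 6 yum Update",
    "[CentOS-announce] CEEA-2013:0004 CentOS 6 tzdata Enhancement Update",
    "[CentOS-announce] CESA-2013:0005 Important CentOS 5 sudo Update",
    "Re: [CentOS] yum repos question",  # ordinary list mail, not an erratum
]


def parse_subject(subject):
    """Return an Erratum for an advisory subject, or None if it is not one."""
    m = SUBJECT.match(subject)
    if not m:
        return None
    adv = m.group("adv")
    kind = KIND[adv[:4]]
    sev = m.group("sev")
    if kind == "security" and sev is None:
        # A security advisory with no severity is malformed; never guess.
        return None
    if kind != "security" and sev is not None:
        # Bug fix / enhancement advisories carry no severity word.
        return None
    return Erratum(adv, kind, sev, int(m.group("rel")), m.group("pkg"))


def triage(subjects, release):
    """Return [(Erratum, action)] for advisories matching this host's major
    release.  Actions follow the two replies: 'emergency' for Critical and
    Important security fixes, 'scheduled' (next patch window) for Moderate
    and Low, 'routine' for bug fix and enhancement updates."""
    decisions = []
    for subject in subjects:
        e = parse_subject(subject)
        if e is None or e.release != release:
            continue
        if e.kind != "security":
            action = "routine"
        elif e.severity in EMERGENCY:
            action = "emergency"
        else:
            action = "scheduled"
        decisions.append((e, action))
    return decisions


if __name__ == "__main__":
    for erratum, action in triage(SAMPLE_SUBJECTS, release=6):
        print(action.ljust(10), erratum.advisory, erratum.package,
              erratum.severity or erratum.kind)
```

Fed the daily digest for the "Security Updates" topic, the 'emergency' rows are the ones to push the same day; everything else can wait for the scheduled window that the reply recommends testing against first.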
On 02/10/2013 03:37 AM, James Hogarth wrote:
<snip>
Most DEFINITELY! I can see I'll be "picking your brains" as MUCH as possible....as I attempt to get an RHCSA certification!...LoL! I've been using Fedora 18 and CentOS on two different machines now, and I would always see these "SEL Alerts"...not knowing what they were....I will be paying MUCH more attention to them from now on. Also I am going to check for updates more frequently. I currently have my machine just give me a notification when there's new updates available, but maybe scheduling it for the last / first of every month isn't such a bad idea, at least I'd be able to keep track of what's going on on those machines! As it stands now I can't tell you when either one of them was last updated!....well thanks so much for the info Mr. Hogarth!....Have a good weekend!
EGO II