I still operate under the assumption that glibc and kernel updates "require" a reboot to be prudent on a Linux OS.
With CentOS Xen 5.6 (standard installation, SELinux enabled) is there an FAQ or general user consensus as to when to do a reboot after what updates?
On Fri, May 06, 2011 at 09:45:31AM -0400, Ben M. wrote:
With CentOS Xen 5.6 (standard installation, SELinux enabled) is there an FAQ or general user consensus as to when to do a reboot after what updates?
In my opinion, is the change sufficiently urgent that existing running processes need to pick it up?
For example, a glibc patch means the new glibc will be executed by new processes, but already running programs will have the old glibc mapped into memory; if there's a security issue with the old glibc then already running processes may still be exploitable.
Another example could be the tzdata patches; if your timezone is impacted then existing processes may not pick up the changes unless they're restarted.
Of course a new kernel doesn't run until you reboot :-)
I tend to reboot after glibc and kernel patches, but not normally after any other (but I do restart services as necessary, eg httpd after an apache patch).
Stephen Harris wrote:
On Fri, May 06, 2011 at 09:45:31AM -0400, Ben M. wrote:
With CentOS Xen 5.6 (standard installation, SELinux enabled) is there an FAQ or general user consensus as to when to do a reboot after what updates?
In my opinion, is the change sufficiently urgent that existing running processes need to pick it up?
For example, a glibc patch means the new glibc will be executed by new processes, but already running programs will have the old glibc mapped into memory; if there's a security issue with the old glibc then already running processes may still be exploitable.
Another example could be the tzdata patches; if your timezone is impacted then existing processes may not pick up the changes unless they're restarted.
Of course a new kernel doesn't run until you reboot :-)
I tend to reboot after glibc and kernel patches, but not normally after any other (but I do restart services as necessary, eg httpd after an apache patch).
I do same on services, or reboot if convenient.
What do you think about SELinux and libvirt updates (in Dom-0)?
I see SELinux reinitialized (and locked me out while doing so for a few scary seconds, hahaha)? Would that require a reboot to encompass all that it protects when policies are updated?
-
Ben M. -
Stephen Harris