[CentOS] yum update best practices

Sun Mar 9 11:56:03 UTC 2008
Johnny Hughes <johnny at centos.org>

sprizes at gmail.com wrote:
> Hello, we run approximately 400 CentOS servers at our company. We use
> cfengine for configuration management.
> 
> I am looking for some documentation to do patching including kernel
> patches. I was thinking of just having each host run yum update via
> cfengine but not sure if there are any gotchas there? Should I just do
> yum update? Or should I exclude the kernel and be more careful with
> those? How about glibc?
>

Patches or updates .. BIG difference :D

Whether you need to exclude certain packages from update depends upon 
the machines and functionality.

If you have local hardware drivers or other things that must be redone 
between kernels, then manually updating them would be good.  Other 
things like DRBD (requires a new kmod) could also dictate a need for a 
manual upgrade.

If you have none of those issues, then upgrades of the kernel should be OK.

Other things like glibc need to be updated as well, as newer packages 
are built against newer glibc's.  In practice, there is not usually a 
huge difference between the glibc's and new ones are only bug fixes or 
security fixes anyway.

> I am wondering what other people out there do with such large
> installations. I'd very much appreciate any help or suggestions on
> this.
> 

I would maintain a "TESTED" repo that contains the configuration I 
wanted on every machine and run yum update to keep the machines at that 
level.

Personally, I do important servers manually ... but that's just me.

> 
> Also, kinda related to the above is my question about the correct yum
> behavior when installing kernels. I've seen it sometimes make the new
> kernel the default in grub.conf but sometimes it doesn't? What is the
> designed behavior?
> 

The designed behavior is to make the most recently installed kernel (of 
the type specified in /etc/sysconfig/kernel ) be the default kernel ... 
if UPDATEDEFAULT=yes.  If someone has shifted to the kernel-PAE package, 
they would need to update /etc/sysconfig/kernel to make it set 
kernel-PAE and not kernel as the default.

If both settings are correct, then after install of a new kernel, it 
should be made the default.

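The /etc/sysconfig/kernel behavior described in the reply above, as an added example that is not part of the original message: a per-host audit that a configuration-management run could use to flag machines where a newly installed kernel would not become the boot default. The function names, the `--host` switch, the `DEFAULTKERNEL` key as the setting that names the default package, and the "PAE" release-string suffix are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit /etc/sysconfig/kernel.

# Print the last uncommented value of KEY in FILE, without quotes,
# whitespace or a trailing "# comment".
kernel_cfg_value() {
    sed -n "s/^[[:space:]]*$2=\([^#]*\).*/\1/p" "$1" | tail -n 1 | tr -d "\"' \t\r"
}

# Map a kernel release string (uname -r) to the package that provides it.
# Assumption: PAE kernels carry a "PAE" suffix in their release string.
expected_kernel_package() {
    case "$1" in
        *PAE) echo "kernel-PAE" ;;
        *)    echo "kernel" ;;
    esac
}

# audit_kernel_default FILE EXPECTED_PACKAGE
# Prints ok | no-file | updatedefault-off | wrong-defaultkernel:<value>
audit_kernel_default() {
    file=$1
    expected=$2
    [ -r "$file" ] || { echo "no-file"; return 2; }
    update=$(kernel_cfg_value "$file" UPDATEDEFAULT)
    default=$(kernel_cfg_value "$file" DEFAULTKERNEL)
    if [ "$update" != "yes" ]; then
        echo "updatedefault-off"; return 1
    fi
    if [ "$default" != "$expected" ]; then
        echo "wrong-defaultkernel:${default:-unset}"; return 1
    fi
    echo "ok"
}

# Run against the live host only when asked, e.g. from a cfengine shell command.
if [ "${1:-}" = "--host" ]; then
    audit_kernel_default /etc/sysconfig/kernel "$(expected_kernel_package "$(uname -r)")"
fi
```

A non-zero exit status marks a host that would keep booting its old kernel after an update, which matters when the update was a security fix.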