On 05/27/2010 08:51 AM, Gordon Messmer wrote:
> On 05/27/2010 05:55 AM, Jerry Franz wrote:
>
>> I have *twenty* virtual machines I deploy updates to before it ever
>> touches my production systems. Not everything is testable on
>> non-production machines.
>>
> ...
>
>> Now back to fixing the SELinux configuration on a machine I had to put
>> in 'permissive' mode a few weeks ago because the last round of SELinux
>> updates broke the web server's ability to open its own log files.
>>
> That sounds like the sort of thing that you'd have noticed if you'd
> applied the update and started the service on a test host before production.
>

I have finite resources.

If I had junior admins who could spend weeks doing testing of every update before deployment, twice as many physical machines as I now have so I could deploy dozens of VMs _just for testing updates_ (and let's not even begin to discuss the non-virtualizable machines such as the backups storage servers), an extra co-location rack to put those additional servers in, and the budget to fix any emergent SELinux breakage, then, yeah, that would work. At a net cost several times higher than my current budget.

Or I can turn off SELinux on most of my systems and not get my systems gratuitously broken every few to several months by SELinux policy updates. For my current budget.

Hmmm.... What to do... What to do....

-- 
Benjamin Franz