[CentOS] Spacewalk? Local repo? Cache?

Mon Sep 29 19:03:38 UTC 2014
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Mon, September 29, 2014 1:19 pm, Les Mikesell wrote:
> On Mon, Sep 29, 2014 at 12:59 PM, Chris Beattie <cbeattie at geninfo.com>
> wrote:
>> I have a mix of CentOS 5, 6, and now 7 servers at work.  There are
>> enough of them now that it is starting to make sense for them to get
>> updates from an internal source.
>> I've seen RHN Satellite in years past.  It looks like it may be a way to
>> allow Windows admins here (familiar with WSUS) to update Linux boxes.  A
>> local repo might be easier to set up, but (as with Spacewalk) it seems
>> like we'd end up with a lot of packages we don't need.  A proxy and a
>> sufficiently-large cache might do the trick if the first Linux box to
>> get updates populates the cache with the files the others will need,
>> but I haven't looked into this enough to see if there's even a way that
>> works.
>> How do you all keep a dozen or more Linux boxes updated?
> I don't think there is a way to do it that doesn't take more human
> effort than it is worth unless you have limited internet access.  It
> is basically designed not to work.  A simple squid proxy with the
> file size bumped up will work with no extra attention (and be useful
> for all your internet accesses), but the first dozen or so runs are
> probably going to pick different mirror URLs instead of reusing the
> copy you have already cached. You can change the repo mirrorlist entry
> to a fixed system - but then your updates will break if it is down.
> Or you can mirror a bunch of stuff you'll never need into your own
> repo.  Or set up some special-case thing that only works for CentOS -
> or maybe even just one version of CentOS.

I guess my feelings will not be hurt if I add my reply *here* ;-)

We keep a local mirror, which I point my CentOS boxes to. When I know
some update is critical I kick off the script that walks through all boxes
and installs all updates accumulated by that time (yum clean all; yum -y
update). In the past, when I had awfully important servers under CentOS
(they are FreeBSD now), I tested updates on a separate box first to see
whether they would break anything, and found a way to avoid having
production stuff broken before actually installing the updates. I kick my
script into action manually, as opposed to having a daily, hourly or
weekly cron job, because I have a system integrity verification system
which gives me a kick every time anything changes without a reason. This
makes a cron job prohibitive for me (and would require me to incorporate
that integrity stuff into the update script, which is beyond the scope
here).


Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
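As an added example, not code from the thread or from any of the posters: a small POSIX sh driver in the spirit of the "script that walks through all boxes" running `yum clean all; yum -y update` against a local mirror. Everything about its shape is my assumption: a hosts file with one hostname per line (the test box listed first, so a broken update stops the run before it reaches production), key-based ssh to root on each box, and the `SSH_CMD` and `LOG` variables, which exist only so the remote executor and log path can be swapped for a dry run. The exit-status rule it relies on is real yum behaviour: `yum check-update` exits 100 when updates are pending, 0 when the box is current, and anything else on error.

```shell
#!/bin/sh
# Added example (not from the thread). Walks a host list and either checks
# for or applies updates with yum, stopping at the first failing host.
# Assumptions (mine): hosts file has one hostname per line, test box first;
# root@host is reachable with ssh keys; SSH_CMD / LOG are overridable.

set -u

SSH_CMD="${SSH_CMD:-ssh -o BatchMode=yes -o ConnectTimeout=10}"
LOG="${LOG:-/var/log/fleet-update.log}"

# Command string executed on every host. "yum clean all" makes yum refetch
# repo metadata from the local mirror, so a stale cache cannot hide packages.
yum_command() {
    case "$1" in
        check) printf '%s' 'yum clean all >/dev/null && yum -q check-update' ;;
        apply) printf '%s' 'yum clean all >/dev/null && yum -y update' ;;
        *) return 2 ;;
    esac
}

# Map yum's exit status to a word. check-update: 100 = updates pending,
# 0 = current, anything else = error. update: 0 = success, else error.
classify_status() {
    mode=$1; status=$2
    if [ "$mode" = check ]; then
        case "$status" in
            0)   echo current ;;
            100) echo pending ;;
            *)   echo error ;;
        esac
    else
        [ "$status" -eq 0 ] && echo updated || echo error
    fi
}

# Run one mode across every host in the file, logging a timestamped line
# per host. Returns 1 at the first error so remaining boxes are untouched.
run_on_hosts() {
    hosts_file=$1; mode=$2
    cmd=$(yum_command "$mode") || { echo "unknown mode: $mode" >&2; return 2; }
    while read -r host; do
        case "$host" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # </dev/null is essential: otherwise ssh swallows the rest of the
        # host list from the loop's stdin and only the first box is updated.
        $SSH_CMD "root@$host" "$cmd" </dev/null >>"$LOG" 2>&1 && status=0 || status=$?
        result=$(classify_status "$mode" "$status")
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$result" | tee -a "$LOG"
        if [ "$result" = error ]; then
            return 1
        fi
    done < "$hosts_file"
    return 0
}

# Typical use: look first, then apply.
#   run_on_hosts /etc/fleet/hosts check && run_on_hosts /etc/fleet/hosts apply
```

The two-pass shape (check, then apply) is the cheap version of Valeri's "test on a separate box first": the check pass shows which hosts have pending updates and surfaces unreachable or mis-configured ones before anything is changed, and because the test box is first in the file, an update that fails there stops the apply pass before it touches anything else.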