[RndTbl] Linux patching best practices

Gilbert E. Detillieux gedetil at cs.umanitoba.ca
Mon Nov 29 11:33:31 CST 2010

On 2010-11-26 20:43, Adam Thompson wrote:
> For CentOS, I'm quite comfortable setting up automatic updates.
> It's not "best practices" but I've spent a LOT less time fixing
> post-update problems than I would have spent testing each update,
> over the years.  (This applies to Red Hat in general since RH2.1.)

I would tend to agree here, at least for the repos enabled by default in 
CentOS-Base.repo, i.e. base, updates, addons and extras.  What I do at 
work is allow auto-updates for those repos on the various workstations 
and non-critical servers I maintain.  For my most critical server, I run 
"yum update" manually, after I've determined that the updates didn't 
break anything on the other systems.

Not necessarily safe for third-party repos, however...  I've had some 
minor breakage with rpmforge packages, and catastrophic failures with 
some EPEL updates that were DOA and pushed out without the slightest bit 
of testing.  (They can also take forever to fix such broken packages.) 
I'd be sure to test these out on the least critical systems first, 
before updating anything important.

> I think the days of testing patches independently are gone because of
> manpower reasons, unless you're running in a high-availability
> environment.

Again, I mostly agree, but I would make exceptions for certain critical 
packages and/or critical systems, whether HA or not.  But, yeah, you 
can't test every update that comes out.

Gilbert E. Detillieux		E-mail: <gedetil at muug.mb.ca>
Manitoba UNIX User Group	Web:	http://www.muug.mb.ca/
PO Box 130 St-Boniface		Phone:  (204)474-8161
Winnipeg MB CANADA  R2H 3B4	Fax:    (204)474-7609

More information about the Roundtable mailing list