sprizes@xxxxxxxxx wrote:
Hello, we run approximately 400 CentOS servers at our company. We use cfengine for configuration management. I am looking for some documentation to do patching, including kernel patches. I was thinking of just having each host run yum update via cfengine, but I'm not sure if there are any gotchas there. Should I just do yum update? Or should I exclude the kernel and be more careful with those? How about glibc?
Patches or updates .. BIG difference :D
Whether you need to exclude certain packages from update depends upon the machines and functionality.
If you have local hardware drivers or other things that must be redone between kernels, then manually updating them would be good. Other things like DRBD (requires a new kmod) could also dictate a need for a manual upgrade.
If you have none of those issues, then upgrades of the kernel should be OK.
Other things like glibc need to be updated as well, as newer packages are built against newer glibc's. In practice, there is not usually a huge difference between the glibc's and new ones are only bug fixes or security fixes anyway.
I am wondering what other people out there do with such large installations. I'd very much appreciate any help or suggestions on this.
I would maintain a "TESTED" repo that contains the configuration I wanted on every machine and run yum update to keep the machines at that level.
Personally, I do important servers manually ... but that's just me.
Also, kinda related to the above is my question about the correct yum behavior when installing kernels. I've seen it sometimes make the new kernel the default in grub.conf but sometimes it doesn't. What is the designed behavior?
The designed behavior is to make the most recently installed kernel (of the type specified in /etc/sysconfig/kernel) be the default kernel ... if UPDATEDEFAULT=yes. If someone has shifted to the kernel-PAE package, they would need to update /etc/sysconfig/kernel to make it set kernel-PAE and not kernel as the default.
If both settings are correct, then after install of a new kernel, it should be made the default.
_______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos
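The /etc/sysconfig/kernel check described in the reply above, as an added example that is not part of the original post: a shell function a cfengine run could call on each host to flag machines where a newly installed kernel will not become the grub default. It assumes the kernel type is stored under the DEFAULTKERNEL key and that both values are compared as exact strings; the function names are hypothetical.

```shell
#!/bin/sh
# Read one KEY=value setting from a sysconfig-style file without sourcing it
# (sourcing would execute whatever the file contains, as root).
# $1 = file, $2 = key; prints the last assignment with comment and quotes stripped.
sysconfig_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" 2>/dev/null | tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e 's/[[:space:]]*$//' \
            -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 if a newly installed package of type $2 should become the default
# kernel according to the settings in file $1; otherwise return 1.
# The reason is printed either way so it can be logged centrally.
kernel_becomes_default() {
    cfg=$1
    pkg=$2
    if [ ! -r "$cfg" ]; then
        echo "no: $cfg missing or unreadable"
        return 1
    fi
    upd=$(sysconfig_get "$cfg" UPDATEDEFAULT)
    def=$(sysconfig_get "$cfg" DEFAULTKERNEL)   # assumed key name
    if [ "$upd" != "yes" ]; then
        echo "no: UPDATEDEFAULT is '$upd'"
        return 1
    fi
    if [ "$def" != "$pkg" ]; then
        echo "no: DEFAULTKERNEL is '$def' but the installed type is '$pkg'"
        return 1
    fi
    echo "yes: a new $pkg will be made the default"
    return 0
}

# Constructed sample: a host that moved to kernel-PAE but kept the stock setting.
sample=$(mktemp)
printf 'UPDATEDEFAULT=yes\nDEFAULTKERNEL=kernel\n' > "$sample"
kernel_becomes_default "$sample" kernel-PAE || true
rm -f "$sample"
```

On a real host the call would be `kernel_becomes_default /etc/sysconfig/kernel kernel-PAE`, with the second argument set to whichever kernel package type that host runs.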