Charles Gregory wrote:
> On Tue, 4 Nov 2003, nosp wrote:
Just write a little cron script that runs the update check tool of your choice,
>> The trained monkey can still run up2date and it will still work ok.
> That was not my worry. My worry was how to get the TM to remember to do
> so.
up2date -l
apt-get update
yum <whatever>
and then redirect the output to a file or pipe it to a grep that checks for the presence
of available updates, and then if found e-mails your organization's TM list.
>> You will need to worry a bit more than usual in case up2date picks up
>> a big upgrade that needs human intervention.....
> Can you give an example of this?
I would think that this depends on your particular installation.
For example, on my company's network we have some OLD X.25 cards that
have proprietary binary drivers that work with a particular RedHat 7.2 kernel.
So, we don't install new 7.2 kernels on those boxes.
Also for example, we have some perl modules that got installed and configured
by a contractor, and we have no idea what he did on a particular box, but we know
it works with the perl that is installed there, and not on other boxes with different
perl installs. So we don't install perl updates on that box.
You need to understand what particular packages might be "SENSITIVE" to an upgrade for your environment.
Again, this depends on your environment.....
>> just as much human intervention as is required by a standard
>> is-this-going-to-affect-me decision when the "upgrade this rpm RIGHT
>> NOW before you get hacked" situation happens once every six months or
>> so.
> Actually, I'm hoping to *not* have human *decision making* involved when the 'upgrade right now' message comes in; it should just be a knee-jerk response to run up2date as soon as *any* notice arrives. Which is why I would like to have some sort of notice actually arrive. :-)
If you install Fedora from the Fedora Core repositories and you only use Fedora Core
packages, and you don't write any compiled code or customize anything on your boxes
at all (except for minimal things like adding users or turning services on or off), then
you probably can get away with just having a cronjob install all updates when they become
available. There is no need for a TM, or even a permanent HTM (after the cronjob is in place).
However, this is rarely the case. Usually an HTM receives errata notices and examines the
errata and then tests it on a few workstations or test/devel boxes. If that seems fairly
non-troublesome after a day or two, then maybe a few internal/intranet servers might get the upgrade.
And if there is still no trouble, then the mission critical servers (which are in pairs to enact some
sort of clustering, right?) will cut over to the patch while leaving their standby system on the old
patch revision in case a failback is necessary. Then, if after a few weeks no one has reported
any problems (or if another patch comes out that has to be installed), the standby system will
get the patch installed.
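The cron-script approach sketched in this reply (run the update check tool, filter its output for available updates, mail the TM list), worked out as an added example. This is not code from the thread or from the up2date, yum or apt projects. It assumes the output shapes noted in the comments for `up2date -l`, `yum check-update` and `apt-get -s upgrade`, uses a placeholder `TM_LIST` address, and adds one thing the reply does not mention: a state file so the list is mailed only when the set of pending packages changes, not every morning about the same update it is already testing. The two sample listings are constructed for the offline check, not captured from real systems.

```shell
#!/bin/sh
# Added example (not code from the thread): the cron-driven check the reply
# sketches. Run an update-listing tool, keep only the package lines, and mail
# the organization's TM list when something is pending.
#
# Assumptions (mine, not from the thread):
#  - "up2date -l" and "yum check-update" print a header ending in a dashed
#    underline ("-----"), then one package per line.
#  - "apt-get -s upgrade" prints "Inst <pkg> ..." for each package it would
#    upgrade ("apt-get update" only refreshes the index, so it is run first).
#  - TM_LIST is a placeholder address; STATE_FILE records what was last mailed.

TM_LIST="${TM_LIST:-tm-list@example.invalid}"
STATE_FILE="${STATE_FILE:-/var/tmp/pending-updates.last}"

# Constructed sample of an "up2date -l" listing (shape only; not real output).
SAMPLE_UP2DATE='Fetching package list for channel: redhat-linux-i386-7.2...
########################################

Name                                    Version        Rel
----------------------------------------------------------
kernel                                  2.4.20         20.7              i686
openssl                                 0.9.6b         35.7              i386
perl                                    5.6.1          34.99.6           i386'

# Constructed sample of an "apt-get -s upgrade" dry run.
SAMPLE_APT='Reading package lists...
Building dependency tree...
Inst openssl [0.9.6c-2] (0.9.6c-2.woody.3 Debian-Security:3.0/stable)
Conf openssl (0.9.6c-2.woody.3 Debian-Security:3.0/stable)'

# up2date/yum listing on stdin -> one package name per line (the first column
# of every non-blank line after the dashed underline).
table_packages() {
    awk '/^-+[[:space:]]*$/ { in_table = 1; next }
         in_table && NF >= 2 { print $1 }'
}

# apt-get -s upgrade output on stdin -> one package name per line.
apt_packages() {
    awk '$1 == "Inst" { print $2 }'
}

# Package names pending for TOOL (up2date|yum|apt); the listing is read from
# stdin so the filtering can be exercised offline.
pending_packages() {
    case "$1" in
        up2date|yum) table_packages ;;
        apt)         apt_packages ;;
        *)           echo "unknown tool: $1" >&2; return 2 ;;
    esac
}

# Number of pending packages for TOOL, listing read from stdin.
count_pending() {
    pending_packages "$1" | wc -l | tr -d ' '
}

# Cron entry point: run the real tool and mail the TM list, but only when the
# set of pending packages differs from the last mail, so the list is not
# nagged every morning about an update it is already testing.
check_and_notify() {
    tool="$1"
    case "$tool" in
        up2date) listing=$(up2date -l 2>/dev/null) ;;
        yum)     listing=$(yum check-update 2>/dev/null) ;;
        apt)     apt-get update >/dev/null 2>&1
                 listing=$(apt-get -s upgrade 2>/dev/null) ;;
        *)       echo "usage: $0 up2date|yum|apt" >&2; return 2 ;;
    esac
    pending=$(printf '%s\n' "$listing" | pending_packages "$tool" | sort)
    if [ -z "$pending" ]; then
        : > "$STATE_FILE"            # nothing pending; forget the last report
        return 0
    fi
    if [ -f "$STATE_FILE" ] && [ "$pending" = "$(cat "$STATE_FILE")" ]; then
        return 0                     # same set as last time: already reported
    fi
    printf '%s\n' "$pending" > "$STATE_FILE"
    n=$(printf '%s\n' "$pending" | wc -l | tr -d ' ')
    printf 'Pending updates on %s:\n\n%s\n' "$(hostname)" "$pending" \
        | mail -s "[updates] $(hostname): $n package(s) pending" "$TM_LIST"
}

# Only act when given a tool name, e.g. from cron:
#   0 6 * * * /usr/local/sbin/check-updates.sh up2date
if [ $# -gt 0 ]; then
    check_and_notify "$1"
fi
```

Installed as the cron line in the last comment, this sends one mail per change in the pending set and stays quiet otherwise, which is what keeps the "knee-jerk" response credible: a mail from this job always means something new arrived. The package list in the mail also gives the HTM the information the reply says they need, namely whether a "sensitive" package (a kernel on the X.25 boxes, perl on the contractor's box) is among the updates before anyone runs the upgrade.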