Yum Service Question

[kwebdesign]

This doesn't really have anything to do with ART or ART's packages, but I value the opinions of the people who post here, so I'm looking for some input.

I am running CentOS 4, and by default, it is set to run yum nightly and install any available updates. This morning, an update to bind-chroot caused named to fail and it took me several hours to get it running again (see http://atomicrocketturtle.com/forum/vie ... php?t=1454).

My question is, should yum be configured to automatically install updates like that? Is that considered good practice? I like the convenience of not having to check it, but just having it install everything (including kernel updates) without warning seems to just be begging for this kind of problem (especially if you have a PSA repo set up, which I do, but I keep it disabled because PSA releases are not always stable).

Is there a way to have the service check for updates and send a notification, but not install them? That would be my preference, so that I don't have to check it manually but I can review the changes before they are installed, or even install them on a test box first.

What kind of update process do you use?

[breun]

My question is, should yum be configured to automatically install updates like that? Is that considered good practice?

I would never do that on a server.

I like the convenience of not having to check it, but just having it install everything (including kernel updates) without warning seems to just be begging for this kind of problem (especially if you have a PSA repo set up, which I do, but I keep it disabled because PSA releases are not always stable).

Is there a way to have the service check for updates and send a notification, but not install them? That would be my preference, so that I don't have to check it manually but I can review the changes before they are installed, or even install them on a test box first.

You coiuld have cron mail you the output of yum check-update.

What kind of update process do you use?

I'd suggest something like this:

- Run yum update manually every week.
- Test systems are always a good idea.
- Subscribe to the centos-announce mailinglist (you can select your CentOS version(s) in the Mailman interface) so you know if there are any highly critical updates and so you can decide whether you need an extra yum update run or if you can wait till the next planned run.

[scott]

I run automatic updates on my systems with rollbacks enabled. If you've got packages built correctly then this is not going to be a problem. PSA unfortunately is not designed to be rolled back, since they do all sorts of complex actions external to the rpm system. So the caveat here is that I dont have the PSA channel enabled by default.

http://blog.chris.tylers.info/index.php ... edora.html

[kwebdesign]

Thanks for the input. I didn't know about the rollback feature in yum. I may need to look at that.

Bruen - I've thought about having cron mail the output of yum check-update, but wouldn't that send you an e-mail ever day, even if there was nothing to update? I guess that wouldn't be so terrible, but ideally I'd like something fixed like rkhunter - only notify me when action is needed.

I have a VMware test server, which saved my butt in this case (I always keep a stable snapshot handy). Maybe I'll set that to continue to update automatically, and then check it before manually updating the production box.

[breun]

Bruen - I've thought about having cron mail the output of yum check-update, but wouldn't that send you an e-mail ever day, even if there was nothing to update? I guess that wouldn't be so terrible, but ideally I'd like something fixed like rkhunter - only notify me when action is needed.

Some bash fu should make it possible to only send out an email when there are updates available. Something like this:

Code: Select all

#!/bin/sh
updates=$(yum check-update | awk 'c{print} /^$/{c=1}')
test "$updates" && mail -s "$HOSTNAME - yum updates" you@domain.com < $updates

Save this as a script in /etc/cron.daily/ (you might want to test it first) and chmod 755 it.