Server patching principles

In the imperfect world we live in, patching stuff, be it desktops, software or servers is a fact of life. We do it or we risk being exposed to the latest security threat, missing out on new functionality or suffering performance degradation. We discussed desktop client patching over in the desktop management workshop. In this …

COMMENTS

This topic is closed for new posts.
Boffin

OpenVZ

We have a pair of OpenVZ servers running the containers from a common NAS (meaning it's a matter of seconds to push a container from one to the other).

I wrote the following function:

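clusterfuck () {
    # IDs of all running containers
    running=`vzlist | grep running | awk '{print $1}'`
    if [ -z "$*" ]; then
        # no command given: just list the running containers
        echo $running
    else
        for i in $running; do
            echo "### $i ###"
            # run the command inside container $i
            vzctl exec2 "$i" "$*"
        done
    fi
}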

(named because of what happens if you're careless with it), and made one of the OVZ boxes an AptCacher proxy. All the updates get picked up, but only the template container (DAMP) updates automatically, so if an update causes problems the Nagios starts screaming about the template.

Updating all the containers on a box is a matter of

root@VZserver# clusterfuck "aptitude update && aptitude safe-upgrade && aptitude clean"

Updating the boxes themselves requires shoving the containers to the other box, updating, rebooting if there's a new kernel, checking everything, and bringing the containers back.

0
0
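A fail-fast variant of the per-container update loop described in the post above, added here as an example; it is not the poster's code. The names patch_containers, PATCH_OK and PATCH_FAILED are hypothetical, and it assumes vzlist and vzctl are on the PATH. It stops at the first container where the command fails, so a bad update is not pushed to the remaining containers.

```shell
# Added example, not the poster's function. Assumes vzlist/vzctl are on PATH.
# patch_containers COMMAND...: run COMMAND in every running container, one at
# a time, and stop at the first failure.
PATCH_OK=""      # CTIDs where the command succeeded (hypothetical name)
PATCH_FAILED=""  # CTID where the command failed, empty if none (hypothetical)

patch_containers() {
    PATCH_OK=""
    PATCH_FAILED=""
    if [ "$#" -eq 0 ]; then
        # Refuse to run with no command instead of doing something implicit.
        echo "usage: patch_containers COMMAND..." >&2
        return 2
    fi
    # -H drops the header line, -o ctid prints only the container IDs;
    # vzlist lists only running containers by default.
    ctids=$(vzlist -H -o ctid) || return 3
    for ctid in $ctids; do
        echo "### $ctid ###"
        # exec2 returns the exit status of the command run in the container.
        # stdin is redirected so the command cannot sit waiting for input.
        if vzctl exec2 "$ctid" "$*" </dev/null; then
            PATCH_OK="${PATCH_OK:+$PATCH_OK }$ctid"
        else
            PATCH_FAILED=$ctid
            echo "container $ctid failed; not touching the rest" >&2
            return 1
        fi
    done
    return 0
}
```

After a failed run, PATCH_OK lists the containers that were already updated and PATCH_FAILED names the one to investigate before continuing.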
Gold badge

WSUS and YUM

They are your friends.

As to app-specific patches...

*sob*

0
0
Coat

Oh, err...

"Anyway, nobody in their right mind spends money on tools without first working out to at least some degree where and how they will be used. Erm, right?"

Err, sure, mmm, yeah, I certainly don't do that, no way hosay...

0
0