My machines run yum update automatically weekly. It's worked great for several years. No messages needed.

kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31


Post by kdpatil » 2020/11/19 03:00:33

Hi

Someone wrote in our forum

"My machines run yum update automatically weekly. It's worked great for several years. No messages needed."

In fact, on my own server, which I have full control of, I too do that with a cron.

But then there are many prod applications, say a Jira or Confluence application box. What I do is work with the owners, patch the box, reboot, and let them know to check if there are any issues.

Now, with common sense, that is the safe approach.

But this also has an overhead...

So what is the general practice or best practice folks follow? Do they run a cron or a playbook which will run every month, say last Saturday morning 9 am... then the customer can reboot when they want during the month...

Any downside if we do this on a schedule?

Thanks

tunk
Posts: 829
Joined: 2017/02/22 15:08:17


Post by tunk » 2020/11/19 12:10:44

Don't know if it's recommended, but I'm using yum-cron with automatic download and update.

A related question: what criteria are used to decide when to reboot? E.g. should one reboot for all new kernels?

jlehtone
Posts: 3173
Joined: 2007/12/11 08:17:33
Location: Finland


Post by jlehtone » 2020/11/19 12:30:18

The kernel is loaded into memory. If that code has a serious bug, then you need to load the new version.
Did RHEL 7.9 advertise support for "on-the-fly" kernel patches? If yes, then those remove the need for a reboot.

There are other vital packages too, like glibc. I doubt you can replace the in-memory copy of that library without a reboot.

Somewhere (yum? ansible?) I saw a "reboot_required" flag. Not sure what metadata it is calculated from.

In principle one should apply patches as soon as they are available to minimize the time the issues exist.
Rarely (e.g. grub last summer), the first patch has a problem and then an instant install was more trouble.

If you have (third-party) services that do not automatically update with the OS, then you need to pay attention that the updates do not break your software stack. A simple yum-cron might not be good for you then.

TrevorH
Forum Moderator
Posts: 29902
Joined: 2009/09/24 10:40:56
Location: Brighton, UK


Post by TrevorH » 2020/11/19 13:00:04

There are some packages that require a reboot and others where it's just easier. Things like kernel/glibc fall into the first category and for some others like openssl, ldap and things that are widely used by just about everything, it's easier to reboot than it is to work out which services need restarting and restart them.

There is a `needs-restarting` script that's part of yum-utils that can tell you what things need to be restarted but it no longer tells you about the kernel in el8.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke
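A reboot check along the lines TrevorH describes, added here as an example and not code from this thread or from yum-utils: it compares the running kernel with the newest installed kernel package itself (the part `needs-restarting` may not report) and then calls `needs-restarting` for the services. It assumes `rpm`, `uname` and GNU `sort -V` are available; the version strings used in comments are constructed samples.

```bash
#!/bin/bash
# Added example: decide whether a host still needs a reboot after 'yum update'.
# Assumes rpm, uname and GNU coreutils (sort -V) are on PATH; needs-restarting
# (yum-utils) is used only if present.

# Print the highest version among the arguments. GNU sort -V orders
# el7-style strings such as 3.10.0-1160.6.1.el7.x86_64 correctly
# (1160.11.1 sorts after 1160.6.1, unlike a plain string sort).
newest_version() {
    printf '%s\n' "$@" | sort -V | tail -n 1
}

# kernel_reboot_needed RUNNING INSTALLED...
# Exit 0 when an installed kernel is newer than the running one, 1 otherwise.
# A running kernel that is newer than everything installed (package removed
# after boot) is deliberately not reported as "reboot needed".
kernel_reboot_needed() {
    running=$1; shift
    newest=$(newest_version "$@")
    [ "$newest" != "$running" ] &&
        [ "$(newest_version "$running" "$newest")" = "$newest" ]
}

# reboot_verdict RUNNING INSTALLED... -> one-line verdict on stdout.
# Pure string logic so it can be exercised without touching rpm.
reboot_verdict() {
    running=$1; shift
    if kernel_reboot_needed "$running" "$@"; then
        echo "REBOOT: running $running, newest installed $(newest_version "$@")"
    else
        echo "OK: running kernel $running is the newest installed"
    fi
}

# Live check for a real RPM-based host (el7 ships the kernel in 'kernel',
# el8 in 'kernel-core'; rpm reports missing names on stdout, so filter them).
check_host() {
    running=$(uname -r)
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel kernel-core \
                | grep -v 'not installed')
    # shellcheck disable=SC2086   # word-split: one argument per kernel
    reboot_verdict "$running" $installed
    if command -v needs-restarting >/dev/null 2>&1; then
        echo "Processes still using updated files (needs-restarting):"
        needs-restarting
    fi
}
```

Run `check_host` from cron after the update and mail its output to the application owners; the kernel verdict is what a vulnerability scan will also notice, as the thread below points out.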

kdpatil
Posts: 31
Joined: 2020/10/20 07:19:31


Post by kdpatil » 2020/11/20 01:33:34

TrevorH wrote:
2020/11/19 13:00:04
There are some packages that require a reboot and others where it's just easier. Things like kernel/glibc fall into the first category and for some others like openssl, ldap and things that are widely used by just about everything, it's easier to reboot than it is to work out which services need restarting and restart them.

There is a `needs-restarting` script that's part of yum-utils that can tell you what things need to be restarted but it no longer tells you about the kernel in el8.


Thanks all.

We patch once a month, and I have seen a new kernel by then,

so a reboot is unavoidable as such.

This is more of a political question:

Infosec: Did you patch?
Ops: Yes we did.
Infosec: Scan shows kernel is old.
Ops: Yes, as application folks are not giving downtime post 'yum update -y' to reboot.

Now infosec fights with Application and not Ops.

jlehtone
Posts: 3173
Joined: 2007/12/11 08:17:33
Location: Finland


Post by jlehtone » 2020/11/20 09:25:40

kdpatil wrote:
2020/11/20 01:33:34
This is more of a political question
...
Now infosec fights with Application and not Ops.

Indeed.

When you have "real metal server", its POST can take minutes, and hence a reboot is quite observable.
When you have a VM, there is practically no POST, and reboot is mere seconds.

However, VM means that both the guest and the host will need reboots.
Given enough resources, all VMs can be live migrated away to clear a host for reboot.
That, of course, is more "juggling" for you to do.

The other avenue is when the application is a service: make it HA.
Whenever one application server goes down (for reboot), the other server(s) take the workload.

KernelOops
Posts: 384
Joined: 2013/12/18 15:04:03
Location: xfs file system


Post by KernelOops » 2020/11/20 09:58:50

I'll write about my personal experience...

It's all about a balance between convenience, reliability, services offered, security and downtime tolerance.

For most people, they can use yum-cron (CentOS 7) or dnf-automatic (CentOS 8) to make everything automatic with little worry that something will break. RHEL/CentOS is very reliable and updates rarely cause harm. (Rare, but some time ago a bad Intel firmware caused servers to die.)

If you run financial services, then chances are that you want to test updates in a pre-production environment before production deployment; in addition, you definitely run multi-datacentre distributed high availability (HA) systems, so there is absolutely no downtime whatsoever.

Your mileage may vary :mrgreen:

PS:
An explanation is needed about CentOS updates: they are fixes, not real updates in the sense of a new version. The idea is to get an updated package that behaves exactly like the previous version. The only real difference is between versions like 8.1 to 8.2 etc. At least the changes are well documented by Redhat.
--
I love my computer - all my friends live there.
--
