help-cfengine
Re: Patching Solaris machines with cfengine


From: Ian Wallace
Subject: Re: Patching Solaris machines with cfengine
Date: Tue, 5 Feb 2002 16:37:12 -0700

cool, didn't know about the kernel patches potentially not working/screwing 
up the system without a reboot.  that's not so nice.  I guess it's the old 
buyer beware (and admin be cautious) scenario.

I like the idea of patching low priority machines, rebooting, seeing that 
they still work, etc. and then moving up to machines that are more sensitive.

I think we'll have to start doing that here, because even though the machine 
is probably easily rebuildable (jumpstart etc.), the wasted time to do that 
is not ... and very frustrating.

thanks!
ian

On Tuesday 05 February 2002 04:20 pm, Katherine Morris wrote:
> Sure, there are lots of patches that can be installed without a reboot.
> But, I patched my workstation with a new kernel patch one time and forgot
> to reboot it for a couple of weeks.  It never came back, I had to
> re-jumpstart it.
>
> According to Sun, they only guarantee that the kernel patch will work
> properly when applied in single user mode.
>
> We have a rollout procedure where patches get applied to low criticality
> systems first and then we migrate through four phases of criticality until
> all of the systems are patched.
>
> FYI
>
> ----- Original Message -----
> From: "Ian Wallace" <iwallace@context.com>
> To: "Katherine Morris" <klmorris@pobox.com>; "Didier CONTIS"
> <didier@ece.gatech.edu>; <help-cfengine@gnu.org>
> Sent: Tuesday, February 05, 2002 6:15 PM
> Subject: Re: Patching Solaris machines with cfengine
>
> > I agree with K that you shouldn't just go winging patches on machines,
> > however we use cfengine, along with a list of patches that should be
> > applied and the CheckPatches, GetApplyPatch scripts that you can get from
> > Sun to automate the whole process.
> >
> > We haven't run into any problems yet (cross my fingers, etc).  We tend
> > not to worry about the fact that you should be rebooting machines after
> > kernel patches etc.  All of our environments are development only and we
> > take that risk knowingly.  I guess we'd rather patch the machines than not
> > patch at all.
> >
> > Production is a whole different ball game.
> >
> > If you want more info just say so and I can share the cfservd
> > configuration, one line shellcommands that we use for this.
> >
> > cheers
> > ian
> >
> > On Tuesday 29 January 2002 07:28 am, Katherine Morris wrote:
> > > If you're talking about applying OS patches, I wouldn't recommend
> > > automating this in general.  Your Solaris versions are foreign to me
> > > since I run mostly 2.5.1 up through 8 and am currently evaluating 9.  I
> > > don't know Linux yet, so maybe that's where the disconnect is...
> > >
> > > However Solaris OS patches in general require some knowledge about what
> > > you're patching and why, reading the READMEs is highly advisable prior
> > > to patching as well.  Sun's not perfect either, and some patches break
> > > things... it would be terrible to break everything at once! There's
> > > also potential user intervention involved if you apply a patch which
> > > requires you to reboot your systems.  Particularly if you have any
> > > slack-ass admins you work with that don't update configuration files
> > > after they make changes on the fly and should be fired. (vent)
> > >
> > > If you're using "patch" in a more general sense, we're basically using
> > > it for security fixes/changes.
> > >
> > > -K
> > >
> > >
> > > ----- Original Message -----
> > > From: "Didier CONTIS" <didier@ece.gatech.edu>
> > > To: <help-cfengine@gnu.org>
> > > Sent: Monday, January 28, 2002 12:06 PM
> > > Subject: Patching Solaris machines with cfengine
> > >
> > > > Hi,
> > > >
> > > > I was wondering how people are patching their Solaris systems using
> > > > cfengine.
> > > > Which tool combined with cfengine works the best.
> > > >
> > > > I am starting to deploy 2.0.a16. Most of Solaris systems are however
> > > > still running 1.6.x
> > > >
> > > > I am already doing that under Linux using autoupdate + cfengine.
> > > >
> > > > Thanks in advance for any feedback.
> > > >
> > > > Regards - Didier.
> > > >
> > > >
> > > > _______________________________________________
> > > > Help-cfengine mailing list
> > > > Help-cfengine@gnu.org
> > > > http://mail.gnu.org/mailman/listinfo/help-cfengine
> >
> > --
> > Ian Wallace - iwallace@context.com
> > Senior Consultant, Context Managed Services
> > (W) 303.209.5623 (H) 303.388.9858

-- 
Ian Wallace - iwallace@context.com
Senior Consultant, Context Managed Services
(W) 303.209.5623 (H) 303.388.9858
