Re: OS patching via cfengine

[Nate Campi]

On Thu, Mar 06, 2003 at 10:32:48PM +0100, Thomas Glanzmann wrote:
> 
> We're using a automounted NFS directory. But if you can you should
> always use a more reliable protocoll like http and do check sums before
> applying patches. We had two scenarios which left us with 50 unusable
> Solaris workstations:
>       Once we applied a NFS patch and while applying that patch the
>       patchmgr could not reach the the patch via NFS.
> 
>       Another day went the NFS server with patches down while our
>       workstations applied patches.
<snip>
> 
> Drop me an eMail and I send you the Solaris autopatch script. For
> Linux/Debian box it is nice to system updates. We do this every hour
> automatically on 70 Linux machines.

I think experiences like the NFS patching problems are very helpful,
thanks for sharing that. I agree that moving patches/updates to the
local filesystem and verifying the files before starting the patch
install is the right way to do it. We have some solaris patch cluster
install scripts that do it this way (using scp then md5 to verify).

On the same topic, but with a debian focus, has anyone had any problems
with debian auto-updates using stable (apt-get -q -q -y -u
dselect-upgrade)? I do it on some non-production hosts and my
workstation, but I've always been hesitant to do it for production
hosts. Kernels are always separate packages and never actually upgrade,
right?

I know this skirts the edge of bind off-topic but uses like this are
central to what we all use cfengine for, and it's good to compare
experiences IMHO.
-- 
Nate Campi    http://www.campin.net