I have read a couple old threads here on updates for servers, and I am looking for some mechanics to getting the actual updates done. I don't want automatic updates; I want to control when and what gets updated.

First I have to determine that a particular server needs updates. I suppose a daily script that would run "yum check-updates" and emails me the results could work, but then I would only want the email IF there was something to update, at my limited use of this option does not show anything to trigger a notify on changes. Does anyone know of a script that would do this?

Then there is the actual update. I learned long ago NOT to run yum over an SSH connection, as WHEN that connection breaks in the middle of an update, you can have quite a problem to clean up. All I have done to date is to start vncserver and connect via vnc to then run yum. I can even drop the vnc connection and come back later to check results. I have considered running yum disconnected (? when you end a command with &) and log the results to a file that you check later. What are practical approaches to this? I only have a few servers here to manage.
On 02/25/2013 02:48 PM, Robert Moskowitz wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.
>
> First I have to determine that a particular server needs updates. I
> suppose a daily script that would run "yum check-updates" and emails me
> the results could work, but then I would only want the email IF there
> was something to update, at my limited use of this option does not show
> anything to trigger a notify on changes. Does anyone know of a script
> that would do this?

A daily cronjob could call "yum check-update" and use the return code to decide if the output should be mailed or not. From the yum man-page for "check-update":

"Implemented so you could know if your machine had any updates that needed to be applied without running it interactively. Returns exit value of 100 if there are packages available for an update. Also returns a list of the packages to be updated in list format. Returns 0 if no packages are available for update. Returns 1 if an error occurred. Running in verbose mode also shows obsoletes."

So redirect the output into a file and when the return code is 100 mail that file to the admin.

> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done
> to date is to start vncserver and connect via vnc to then run yum. I can
> even drop the vnc connection and come back later to check results. I
> have considered running yum disconnected (? when you end a command with
> &) and log the results to a file that you check later. What are
> practical approaches to this? I only have a few servers here to manage.

Use "screen".
That gives you a sort of virtual terminal (many in fact) that works just like a regular shell except that when your connection drops the session will just become detached. After you reconnect you can call "screen -R" to re-attach to that session and continue as if nothing happened. Scripts keep running in a detached session and the output will be there once you re-attach again just like with your VNC method.

Regards,
Dennis
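The cron job described in the message above (run "yum check-update", keep its output in a file, mail it only on exit code 100), as an added example that is not part of the original thread. The `mail` command, the `root` recipient and the `YUM`, `MAILER` and `REPORT_TO` variables are assumptions; the example goes one step beyond the message by also mailing on any other non-zero exit code.

```shell
#!/bin/sh
# Added example: daily check that mails only when yum has something to say.
# Assumptions: mail(1) is installed, reports go to root, and the YUM, MAILER
# and REPORT_TO variables exist only so the script can be dry-run with stubs.
YUM="${YUM:-/usr/bin/yum}"
MAILER="${MAILER:-mail}"
REPORT_TO="${REPORT_TO:-root}"

# send_report SUBJECT FILE: mail FILE to the admin with the given subject.
send_report() {
    "$MAILER" -s "$1" "$REPORT_TO" <"$2" >/dev/null
}

# check_updates REPORT_FILE
# Saves the output of "yum -q check-update" in REPORT_FILE and acts on the
# exit codes documented in the yum man page, printing what it did:
#   0   -> none     (no updates, no mail)
#   100 -> pending  (package list mailed)
#   1/* -> error    (mailed too, so a failed check does not look the same
#                    as "fully patched")
check_updates() {
    report=$1
    rc=0
    # "|| rc=$?" records the status without tripping "set -e";
    # LANG=C keeps yum's messages untranslated.
    LANG=C "$YUM" -q check-update >"$report" 2>&1 || rc=$?
    case $rc in
        0)
            echo none ;;
        100)
            send_report "Updates pending on $(uname -n)" "$report"
            echo pending ;;
        *)
            send_report "yum check-update failed (rc=$rc) on $(uname -n)" "$report"
            echo error ;;
    esac
}

# run_daily_check: entry point for cron; fails if the check itself failed.
run_daily_check() {
    tmp=$(mktemp /tmp/yum-check.XXXXXX) || return 1
    action=$(check_updates "$tmp")
    rm -f "$tmp"
    [ "$action" != error ]
}

# Run the real check only when invoked with --run, e.g. from a crontab line.
if [ "${1:-}" = "--run" ]; then
    run_daily_check
fi
```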
> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done
> to date is to start vncserver and connect via vnc to then run yum. I can
> even drop the vnc connection and come back later to check results. I
> have considered running yum disconnected (? when you end a command with
> &) and log the results to a file that you check later. What are
> practical approaches to this? I only have a few servers here to manage.

This is where "screen" would come in very handy...eliminates the need to start up vncserver, you can still drop the connection and then come back and reattach to the screen session and get the results.
Robert Moskowitz wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.

Yeah, prod servers are nasty that way. You always want to do test or dev or the backup first, and wait a bit.

<snip>
> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done

That sounds, to me, as though you have very serious communications issues that need to be solved, and yesterday. We've used ssh here, and at my previous two? three? contracts, for years, and almost *never* have an ssh connection break.

We've got about 150 servers and workstations here, and I do most of the updates, and all of it with yum over ssh, though I've had times when I just yum -y update &, and check the logs in the morning.

mark
On 02/25/2013 09:03 AM, Reindl Harald wrote:
>
> On 25.02.2013 14:48, Robert Moskowitz wrote:
>> I have read a couple old threads here on updates for servers, and I am
>> looking for some mechanics to getting the actual updates done. I don't
>> want automatic updates; I want to control when and what gets updated.
>>
>> First I have to determine that a particular server needs updates. I
>> suppose a daily script that would run "yum check-updates" and emails me
>> the results could work, but then I would only want the email IF there
>> was something to update, at my limited use of this option does not show
>> anything to trigger a notify on changes. Does anyone know of a script
>> that would do this?
> /etc/cron.daily:
> #!/bin/bash
> ANG=C; yum -q check-update

I am searching all sorts of combinations to figure out what 'ANG' does. I keep getting results like "Emmanuel C. Yumang M.D" :)

So please enlighten me.

Checking the exit value seems to be important. I did find

http://wiki.centos.org/YumCheckOrInstallUpdates

which I am studying. And it does not use ANG...
On 02/25/2013 09:03 AM, Dennis Jacobfeuerborn wrote:
> On 02/25/2013 02:48 PM, Robert Moskowitz wrote:
> So redirect the output into a file and when the return code is 100
> mail that file to the admin.
>> Then there is the actual update. I learned long ago NOT to run yum over
>> an SSH connection, as WHEN that connection breaks in the middle of an
>> update, you can have quite a problem to clean up. All I have done
>> to date is to start vncserver and connect via vnc to then run yum. I can
>> even drop the vnc connection and come back later to check results. I
>> have considered running yum disconnected (? when you end a command with
>> &) and log the results to a file that you check later. What are
>> practical approaches to this? I only have a few servers here to manage.
> Use "screen". That gives you a sort of virtual terminal (many in fact) that
> works just like a regular shell except that when your connection drops the
> session will just become detached. After you reconnect you can call "screen
> -R" to re-attach to that session and continue as if nothing happened.
> Scripts keep running in a detached session and the output will be there
> once you re-attach again just like with your VNC method.

Something I have never installed and obviously missed all the references to it. I do recall seeing it in some threads. Just installed it on one system and tested via ssh from another. Very nice.

Thought there would be something better out there. VNC has its place in the toolbox, but definitely too much for something like this.

Yes I know about the discussions about NX being better than VNC. I actually run VNC over SSH. But I also run it over HIP which is a very interesting test of HIP and HIP mobility.
On 02/25/2013 08:48 AM, Robert Moskowitz wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.
>
> First I have to determine that a particular server needs updates. I
> suppose a daily script that would run "yum check-updates" and emails me
> the results could work, but then I would only want the email IF there
> was something to update, at my limited use of this option does not show
> anything to trigger a notify on changes. Does anyone know of a script
> that would do this?
>
> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done
> to date is to start vncserver and connect via vnc to then run yum. I can
> even drop the vnc connection and come back later to check results. I
> have considered running yum disconnected (? when you end a command with
> &) and log the results to a file that you check later. What are
> practical approaches to this? I only have a few servers here to manage.

Pulp is a Red Hat sponsored python application that manages local repo mirrors (basically a light version of Spacewalk). It has a client app that you can use to communicate with the Pulp server and bind to specific repositories. You can view the package catalog on each consumer, and then can push updates out to consumers at will. It uses MongoDB as the backend database where it keeps track of the package metadata, and has a pretty useful REST API.

http://www.pulpproject.org/

--
_____________________
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538
----- Original Message -----
| I have read a couple old threads here on updates for servers, and I am
| looking for some mechanics to getting the actual updates done. I don't
| want automatic updates; I want to control when and what gets updated.
|
| First I have to determine that a particular server needs updates. I
| suppose a daily script that would run "yum check-updates" and emails me
| the results could work, but then I would only want the email IF there
| was something to update, at my limited use of this option does not show
| anything to trigger a notify on changes. Does anyone know of a script
| that would do this?
|
| Then there is the actual update. I learned long ago NOT to run yum over
| an SSH connection, as WHEN that connection breaks in the middle of an
| update, you can have quite a problem to clean up. All I have done
| to date is to start vncserver and connect via vnc to then run yum. I can
| even drop the vnc connection and come back later to check results. I
| have considered running yum disconnected (? when you end a command with
| &) and log the results to a file that you check later. What are
| practical approaches to this? I only have a few servers here to manage.

This is where you need something like Katello or Spacewalk. These are management systems which look after managing your infrastructure in such a way that you can view what servers are out of compliance and what patches are waiting to be applied. I'm currently evaluating Katello as a long term solution to our Red Hat GNU/Linux management. I'd hazard to guess that you'll probably want to do the same too.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpeltier at sfu.ca
Website : http://www.sfu.ca/itservices

"A successful person is one who can lay a solid foundation from the bricks others have thrown at them." -David Brinkley via Luke Shaw
On Mon, Feb 25, 2013 at 7:48 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.

Keep in mind that to _not_ install an update, you have to know more than the RH engineers about the code. I usually assume they had a good reason for going to the trouble of shipping it and that they would have to have a very, very good reason to ship anything that would break an existing API in an update. Of course it is always good policy to test the combination of things you run in production on a non-critical box first.

> First I have to determine that a particular server needs updates. I
> suppose a daily script that would run "yum check-updates" and emails me
> the results could work, but then I would only want the email IF there
> was something to update, at my limited use of this option does not show
> anything to trigger a notify on changes. Does anyone know of a script
> that would do this?

How about just joining the centos-announce mail list?

--
Les Mikesell
lesmikesell at gmail.com
On 02/25/2013 02:17 PM, Reindl Harald wrote:
>
> On 25.02.2013 19:35, Robert Moskowitz wrote:
>> For example, an apache update MAY require that I first check what it
>> will do to http.conf.
> NOT ON RHEL/CENTOS
>
> there are no major upgrades with changing API/ABI/Config
> that is why it is called "enterprise distribution"

I did some archive digging and it was shorewall that got me on this. And then I went into conservative mode, as this impacted my firewall on Centos. Obviously overly conservative.

I am learning more, and this time, for example, I am trying hard NOT to edit http.conf, instead to put some http.d/00-init-nn.conf files together so I can know as much as possible what I have added. I don't know yet if that can be done. I have done this on my test mail server. Will see if I can do it on my web server.
On 25.02.2013 23:36, Reindl Harald wrote:
>
> On 25.02.2013 23:34, Tilman Schmidt wrote:
>> On 25.02.2013 15:56, m.roth at 5-cent.us wrote:
>>> Robert Moskowitz wrote:
>>
>>>> Then there is the actual update. I learned long ago NOT to run yum over
>>>> an SSH connection, as WHEN that connection breaks in the middle of an
>>>> update, you can have quite a problem to clean up. All I have done
>>>
>>> That sounds, to me, as though you have very serious communications issues
>>> that need to be solved, and yesterday. We've used ssh here, and at my
>>> previous two? three? contracts, for years, and almost *never* have an ssh
>>> connection break.
>>
>> It does happen. SSH is not as forgiving to network glitches as one
>> would wish sometimes. A firewall that drops idle or long-running
>> TCP connections, a DSL link doing its daily PPPoE disconnect at an
>> inopportune moment, a VPN tunnel dropping, a hole in UMTS coverage,
>> have all killed a SSH connection for me one time or another
>
> and that is why "screen" was invented

Well, not quite. IIRC screen is older than SSH and was actually invented to switch between multiple screens on a text mode terminal attached either via a modem or a null modem cable. But I agree that it comes in handy for this scenario, too.

> everybody doing a yum-upgarde over WAN directly on SSH
> instead use screen is a foll and should not maintain servers

Sure. Whatever a "foll" is supposed to be ... :-)

--
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany
On Mon, February 25, 2013 09:03, Dennis Jacobfeuerborn wrote:
> On 02/25/2013 02:48 PM, Robert Moskowitz wrote:
>> I have read a couple old threads here on updates for servers, and I am
>> looking for some mechanics to getting the actual updates done. I don't
>> want automatic updates; I want to control when and what gets updated.
>>
>> First I have to determine that a particular server needs updates. I
>> suppose a daily script that would run "yum check-updates" and emails me
>> the results could work, but then I would only want the email IF there
>> was something to update, at my limited use of this option does not show
>> anything to trigger a notify on changes. Does anyone know of a script
>> that would do this?
>

In crontab:

MAILTO=whomever at whatever
MAILFROM=this_system at whatever
JOBNAME="Check for updates and report if found" ; /usr/bin/yum check-update -q

The -q suppresses output unless there is something to report. Cron handles the rest.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
On 25.2.2013 14:48, Robert Moskowitz wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.
>
> First I have to determine that a particular server needs updates. I
> suppose a daily script that would run "yum check-updates" and emails me
> the results could work, but then I would only want the email IF there
> was something to update, at my limited use of this option does not show
> anything to trigger a notify on changes. Does anyone know of a script
> that would do this?
>
> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done
> to date is to start vncserver and connect via vnc to then run yum. I can
> even drop the vnc connection and come back later to check results. I
> have considered running yum disconnected (? when you end a command with
> &) and log the results to a file that you check later. What are
> practical approaches to this? I only have a few servers here to manage.

Hi,

We update all the boxes over ssh. Works fine. Those who are afraid of disconnections may always run it within a tmux/screen session.

As to managing the whole infra, the best tool for that is Spacewalk, but it might be too big for you. So, you can have nagios to check yum status on all the boxes.

There is also a tool called apt-dater, see http://www.ibh.de/apt-dater/ Regardless of the "APT" in the name it handles yum well.

DH
On 02/25/2013 07:48 AM, Robert Moskowitz wrote:
> I have read a couple old threads here on updates for servers, and I am
> looking for some mechanics to getting the actual updates done. I don't
> want automatic updates; I want to control when and what gets updated.
>
> First I have to determine that a particular server needs updates. I
> suppose a daily script that would run "yum check-updates" and emails me
> the results could work, but then I would only want the email IF there
> was something to update, at my limited use of this option does not show
> anything to trigger a notify on changes. Does anyone know of a script
> that would do this?
>
> Then there is the actual update. I learned long ago NOT to run yum over
> an SSH connection, as WHEN that connection breaks in the middle of an
> update, you can have quite a problem to clean up. All I have done
> to date is to start vncserver and connect via vnc to then run yum. I can
> even drop the vnc connection and come back later to check results. I
> have considered running yum disconnected (? when you end a command with
> &) and log the results to a file that you check later. What are
> practical approaches to this? I only have a few servers here to manage.

Using screen on the remote server while on ssh is a very safe way to update remote servers. Screen will make your session persistent (it goes into detached mode if the connection drops, but still keeps running). You can detach from screen session (ctrl-a ctrl-d) then come back later and reconnect with screen -x.

I literally manage/update hundreds of remote servers weekly using screen. I hardly ever have enough X packages running on any of the servers I manage to run vnc.