@FlorianHeigl
Last active May 21, 2017 23:35
yum patch management

Yum basic tunables

yum.conf

Tune the metadata expiry, or rather turn it off and use cron to keep the cache updated out of band.

yum makecache / cron

yum makecache fast

Fetch regular quick updates to make good use of the cache. Can yum-cron also be asked to play well with this?

Yum maintenance

yum self update

lesson from apt/apk/pkg

rpmdb health check

??

Yum update management

--downloadonly

deltarpms

--security

CentOS warning

Mind you, this has no data on CentOS: it will simply report "everything is fine", no matter how many security patches are outstanding. Mind you, it will also not tell you if any of your packages have an open vulnerability that has no patch yet.

Other OS (RHEL, OEL)

A check_mk plugin to alert on outstanding security updates works here.

reloads

They'll be happy once you've patched, but you'll likely need to do more.
kernel: reboot to update your kernel, or the hole stays in place.
glibc: need to restart all affected services.
ssl: need to restart all affected services.
systemd: normally a systemctl daemon-reload is enough, but there have been bugs with poisonous results to be aware of.
applications:

(LSOF magic)
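The "LSOF magic" spelled out, as an added example that is not from the gist: a filter over lsof output that lists processes still mapping a library or binary an update has replaced on disk, i.e. the services that must be restarted before the patch is actually in effect. The lsof column layout is assumed to be the default Linux one and the sample listing is constructed.

```shell
# Added example (not from the gist): find processes that still run code from a
# file that an update replaced on disk, based on lsof output.

# Reads an lsof listing on stdin and prints "PID COMMAND PATH" once per process
# and replaced executable/library. lsof marks such mappings either with FD type
# "DEL" or with a trailing "(deleted)" in the NAME column.
stale_mappings() {
    awk '
        NR == 1 { next }                               # column header
        $4 == "DEL" || $NF == "(deleted)" {
            path = ($NF == "(deleted)") ? $(NF - 1) : $NF
            # only code, not rotated logs or unlinked temp files
            if (path ~ "^/(usr/)?(lib|lib64|bin|sbin)/") {
                key = $2 " " $1 " " path
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }'
}

# Pipe the live listing through the filter (needs lsof; root to see all processes).
stale_on_host() { lsof -n 2>/dev/null | stale_mappings; }

# Constructed lsof output for demonstration; not captured from a real host.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
httpd 1234 apache DEL REG 253,0 131079 /usr/lib64/libssl.so.1.0.2k
httpd 1234 apache DEL REG 253,0 131079 /usr/lib64/libssl.so.1.0.2k
httpd 1234 apache mem REG 253,0 2151672 131100 /usr/lib64/libc-2.17.so (deleted)
sshd 900 root txt REG 253,0 852856 131222 /usr/sbin/sshd (deleted)
rsyslogd 700 root 3w REG 253,0 0 262144 /var/log/messages (deleted)
bash 2000 root cwd DIR 253,0 4096 2 /root'

# Number of distinct (process, replaced file) pairs in the sample.
sample_stale_count() {
    printf '%s\n' "$SAMPLE_LSOF" | stale_mappings | wc -l | tr -d ' '
}

# prints three lines: two for httpd (libssl, libc), one for sshd
printf '%s\n' "$SAMPLE_LSOF" | stale_mappings
```

The rotated log held by rsyslogd is deliberately dropped: it is "(deleted)" too, but restarting for it fixes no hole.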

--minimal

Will only fetch the lowest version that satisfies an update need, not the most recent version available. Can be useful, but comes with a small risk of not 100% identical patch results: if different systems have different software installed, certain dependency packages get patched at different times.

important excludes

yum post-transaction hooks

http://confluence.wartungsfenster.de/pages/viewpage.action?pageId=19988497

example hooks

go here, still missing

  1. kernel
  2. openssl
  3. clustered software

Advice on handling reboots

Defer reboots so you don't end up with random reboots of everything :)

yum LVM filesystem snapshots

Automatic snapshots when software is installed. Needs sed scripting to make sure only the core filesystems (i.e. /, /usr, /var) are snapshotted.

etckeeper

A plugin that safely commits /etc changes to git whenever you install packages, or nightly.

transaction plugin

[root@cobbler yum]# ls -l
total 16
drwxr-xr-x  3 root root   95 Oct 27  2015 history
drwxr-xr-x  3 root root   19 Oct 27  2015 repos
drwxr-xr-x  2 root root   80 Apr 13 15:32 rpmdb-indexes
-rw-r--r--  1 root root 1690 Feb 17  2016 transaction-all.2016-02-17.00:06.24
-rw-r--r--  1 root root  740 Feb 17  2016 transaction-done.2016-02-17.00:06.24
-rw-r--r--  1 root root   36 Oct 27  2015 uuid
drwxr-xr-x 34 root root 4096 Nov  4  2015 yumdb

-> Use a file age / file groups check to monitor for any unfinished transaction (a transaction-all.* file without its transaction-done.* counterpart) older than a day.
