List: debian-user
Subject: Re: Debian update/upgrade good practices?
From: "Boyd Stephen Smith Jr." <bss () iguanasuicide ! net>
Date: 2011-05-18 8:10:56
Message-ID: 201105180311.03060.bss () iguanasuicide ! net
In <BANLkTi=TzY5UoBaZXBqqAUBM2ysvBsk=KQ@mail.gmail.com>, Rafał Radecki wrote:
>I have a new LAN to administer, I have 8 Debian production servers
>which have been configured by someone else.
>I try to make a reasonable update/upgrade policy for those servers.
>Till now (for my home servers) I used aptitude update/upgrade and it
>was ok. But here every server has many services (Oracle, JBoss, VMWare
>2 Server, ...) and I think that now I should be more careful.
>
>Should upgrades/updates be made automatically or manually?
I'm a big fan of automatically, for updates from stable and stable-security.
However, these have been known to, in rare cases, cause failures.
Even for very critical systems, having a rollback (using snapshot.d.o) and
blacklist (pin to a -1 the troublesome version) policy should be enough, as
long as you have 24/7 support that can do that.
>What
>additional steps could be made?
unattended-upgrades, logcheck, and tripwire are my friends. I think you might
get along with them too. If you have to put into production software that is
not available in stable, I also suggest a cron job (unprivileged is fine) that
runs (aptitude search '~U') -- manually upgrade that software as needed
instead of relying on unattended-upgrades.
>When should dist-upgrade be made?
"Never".
If you are just getting updates to stable, "upgrade" should always be
sufficient. Transitions that require a package to be removed should not occur
during the lifetime of stable.
If you are upgrading a production system from Lenny to Squeeze (or a similar
oldstable -> stable upgrade where a "dist-upgrade" is necessary), you should
perform the upgrade on a test system that has as similar a configuration and
hardware as you can produce. You may need to do a test upgrade a few times
and you'll certainly want to test the services and do some clean up. Once you
have your procedures, which may be a lengthy addition to the release notes,
depending on your configuration and hardware, you can perform the upgrade to the
production system.
>On one site I have read that Debian's policy is to use stable versions
>and only add security updates... what do you think?
During the lifetime of a stable release, few (if any) new upstream versions
are included in the updates. Instead security and "other important" bug fixes
are "backported" to the old version, in an attempt to keep stable as free-
from-change as possible. (The patch fixing the issue is isolated, then
mangled to apply to the old version and tested.)
--
Boyd Stephen Smith Jr. ,= ,-_-. =.
bss@iguanasuicide.net ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/ \_/
Archive: http://lists.debian.org/201105180311.03060.bss@iguanasuicide.net
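
The blacklist pin and the unprivileged cron report described in the message above, sketched as an added example that is not part of the original mail. The function names `pin_blacklist` and `report_pending` and the `check` argument are hypothetical, and the package name and version used with them are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail. Helper names are hypothetical.

# Print an apt_preferences(5) stanza that blacklists one exact version.
# A negative Pin-Priority stops apt from ever installing that version.
pin_blacklist() {
    [ -n "$1" ] && [ -n "$2" ] || {
        echo "usage: pin_blacklist PKG VERSION" >&2
        return 2
    }
    printf 'Package: %s\nPin: version %s\nPin-Priority: -1\n' "$1" "$2"
}

# Read package names (one per line) on stdin, as printed by
#   aptitude search -F '%p' '~U'
# Trim column padding, drop blank lines and duplicates, print a report.
# Prints nothing and returns 1 when no upgrade is pending, so cron
# only sends mail when there is manual work to do.
report_pending() {
    pending=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u)
    [ -n "$pending" ] || return 1
    count=$(printf '%s\n' "$pending" | wc -l | tr -d ' ')
    printf '%s package(s) awaiting manual upgrade:\n%s\n' "$count" "$pending"
}

# Cron entry point: aptitude is only queried when called with "check",
# which needs no root privileges.
if [ "${1:-}" = "check" ]; then
    aptitude search -F '%p' '~U' | report_pending || true
fi
```

The stanza printed by `pin_blacklist` goes into a file under /etc/apt/preferences.d/ (or /etc/apt/preferences); `apt-cache policy PKG` shows whether the pin is in effect.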