automatic nightly updates

[Eric Rostetter]

Quoting Jim Popovitch <jimpop at yahoo.com>:

> On Sun, 2005-04-24 at 14:49 -0400, Dan Schlitt wrote:
> > I guess it is my paranoia from 15 years of system administration but I
> > would never do unattended patching of any computer I really cared about.
> 
> What about a cluster of 50+ webservers?

I see this no different that a cluster of 5 mail servers, or a stand-alone
database server, or a single compute machine.  If it is different, it is
in that I can test things on one of the 50+ machines and find any problems
there before I install it on the rest.

> I think part of this discussion needs to define what is applicable and
> what isn't.  As has been previously stated there are cases when
> auto-update doesn't apply, i.e. complex database servers, etc.  However
> for every case that can be made against auto-update, there is an
> alternate case for auto-update.

See the recently updated https://www.fedoralegacy.org/docs/autoupdates.php

> Think of an enterprise with 1500
> desktop PCs all around the world.  Who is going to visit all locations
> to update?

You don't need to.  No one said you did.  But that doesn't mean you should
just have them all do auto updates from the vendor or a third party.

> What about webserver farms?  How about distributed internal
> DNS/NIS servers where the loss of one system isn't critical?  etc, etc.

See above.  It doesn't matter.  Remember, you *can* apply updates automatically,
from another source, after testing.  Just don't forget to do the rest of the
work up front.

> People need to understand that every environment is unique and what
> doesn't work in one instance may very well work very well in another.

I think this is all addressed, though maybe not heavily, in the autoupdates.php
web page.  Not to mention the Red Hat, Microsoft, or a zillion other 
Best Practices Guides out there, all of which say don't use auto updates
of untested software on production machines.

> -Jim P.

-- 
Eric Rostetter