yum update best practices

Jason Edgecombe jason at rampaginggeek.com
Sat Mar 8 19:10:19 UTC 2008


sprizes at gmail.com wrote:
> Hello, we run approximately 400 CentOS servers at our company. We use
> cfengine for configuration management.
>
> I am looking for some documentation to do patching including kernel
> patches. I was thinking of just having each host run yum update via
> cfengine but not sure if there are any gotchas there? Should I just do
> yum update? Or should I exclude the kernel and be more careful with
> those? How about glibc?
>
> I am wondering what other people out there do with such large
> installations. I'd very much appreciate any help or suggestions on
> this.
>
>
> Also, kinda related to the above is my question about the correct yum
> behavior when installing kernels. I've seen it sometimes make the new
> kernel the default in grub.conf but sometimes it doesn't? What is the
> designed behavior?
>   
I'm currently using cfengine on RHEL5 with a nightly yum update for two 
machine configs for a total of 40 machines. I use a private yum repo 
that I manually sync with upstream after some testing. I would recommend 
excluding the kernel updates and having those be triggered manually or 
explicitly using cfengine. So far, I'm manually triggering kernel 
updates. I use openafs and vmware-server so I have some kernel-dependent 
rpms that must be kept in sync. My biggest problem is that I need to
move to some way of locking some machines to certain versions of rpms. 
That would make it easier to roll out updates to my workstations before 
I push the updates to the servers.

One thing that's nice is using a disabled repository for testing things. 
With this strategy, I run "yum update --enablerepo=testing" on a
testing/staging server to try out new updates.

Be sure to look at using cobbler/koan and mrepo for 
provisioning/updates. I'm keeping an eye on those.

Jason
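
The setup described in the reply above, written out as a configuration sketch. This is an added example, not part of the original post or the poster's own files. The repo id `testing` and the `--enablerepo=testing` call come from the post; the file contents, repo name and `baseurl` host are placeholder assumptions.

```ini
# /etc/yum.conf on each managed host (constructed example)
[main]
# Keep the nightly "yum update" from touching kernel packages, so that
# kernel-dependent rpms are only rebuilt and updated on purpose.
exclude=kernel*

# /etc/yum.repos.d/testing.repo (constructed example; baseurl is a placeholder)
[testing]
name=Private repo - updates under test
baseurl=http://repo.example.com/testing/$basearch/
# Disabled by default: hosts never pull from it during the nightly run.
enabled=0
# Assumption: packages in the private repo are signed and the key is
# already imported on the hosts.
gpgcheck=1

# On the testing/staging server only, try out candidate updates:
#   yum update --enablerepo=testing
# When a kernel update is triggered by hand, bypass the exclude in [main]:
#   yum --disableexcludes=main update kernel
```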



