[Spacewalk-list] Need to setup monthly patching - while keeping base release frozen.

J Epperson spacewalk at epperson.homelinux.net
Fri Jan 13 02:27:26 UTC 2017 

 

I retired a bit more than a year ago, so I don't have scripting details
to share, but here's a conceptual outline of how we did it. 

Had the same situation when we first deployed spacewalk/Satellite. We
(okay, I) created RHSA-test and RHSA-prod patch channels for each base
OS. Scripted forced registration to one or the other based on group
membership, defaulted to prod group if no existing membership. On
monthly day 1 at 00:01am, cron script ran to clone RHSA updates into the
patch panels. There were procedures for using set management functions
to schedule test patching and production patching per overall security
policy and scripts to report unpatched systems at appropriate intervals.


If "real time" software (i.e. from latest) installation/update became
necessary for a system or group of systems, they could be resubscribed
to the "real" channel and the install done, with blacklisting of
*release packages as necessary to maintain base OS point. Robots checked
whether a system had been left in such a subscription state for more
than 24 hours, and forced them back to their patch channels. 

This was all in a medium scale (<10000 clients) environment, and the
policy stances were driven by service level agreement with the prime
customer and by their security policy. 

On 2017-01-12 15:36, Shaw, Michael wrote: 

> Hello, 
> 
> I walked into an environment that had no frozen channels and monthly patching happened by whatever was available in the channel at the time, i.e. if there was a kernel upgrade then the kernel upgraded. This has ended up causing issues. 
> 
> I have since then locked all of the hosts and created base OS channels, i.e. RHEL5.11, RHEL6.8, RHEL7.1, RHEL7.2, etc. I have also started creating a monthly patch channels but how can I merge the channels? 
> 
> I need to keep the hosts at certain release level, i.e. RHEL7.2, but still apply monthly patches. It doesn't seem like there is a straight forward way to do this? 
> 
> Regards, 
> 
> Mike 
> 
> --- 
> 
> Mike Shaw - Linux Systems Administrator 
> 
> ITS - Production Operations - PaaS 
> 
> Phone-919.541.6003 Skype-live:mdshaw89 
> 
> RTI International 
> 
> mshaw at rti.org 
> 
> _______________________________________________
> Spacewalk-list mailing list
> Spacewalk-list at redhat.com
> https://www.redhat.com/mailman/listinfo/spacewalk-list [1]
 

Links:
------
[1] https://www.redhat.com/mailman/listinfo/spacewalk-list
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/spacewalk-list/attachments/20170112/beb0dfe1/attachment.htm>

More information about the Spacewalk-list mailing list