infra security update

[Michael Scherer]

Hi,

Due to CVE on openssl and on kernel, I did upgrade various piece of the
infrastructure ( foreman, lists, stats, monitoring ), which implied a
few reboots ( due to kernel lagging behind, which is not that great with
local root exploit ). As this is friday and I assumed most of the Tel
Aviv office was not working, i hope this kept the disruption to a
minimum. However, if something is broken, please tell it so we can fix.

This also got me thinking. In order to bring a bit more order, what
about having a fixed schedule for upgrade ?

In my previous position, we were doing that once per month ( except
during end of quarter freeze ), with mandatory reboot ( cause if
something do not boot, you want to know it when you have a planned
outage, not when everyone is running around updating stuff ). Fedora has
a rather complex procedure to decide what to upgrade, hilighted on
http://infrastructure.fedoraproject.org/infra/docs/massupgrade.txt

So we could adopt a schedule ( once per month, unless there is something
critical, in which case we do it ASAP, with warning on the list and irc
). 

The schedule should of course take in account "business need", which is
"release schedule of ovirt".

So what about "first friday of the month, unless exception" ?

And by update, i mean "yum upgrade -y". Cleaning the list of repo on
various servers is also IMHO another task to discuss, to make sure the
task can be safely executed. ( having something like
mcollective/ansible/func is also needed, but that's more a convenience
than a requirement at this stage ).

-- 
Michael Scherer
Open Source and Standards, Sysadmin



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.ovirt.org/pipermail/infra/attachments/20140606/5cfe8cd4/attachment.sig>