infra security update

Eyal Edri eedri at redhat.com
Sun Jun 8 06:55:52 UTC 2014



----- Original Message -----
> From: "Michael Scherer" <mscherer at redhat.com>
> To: infra at ovirt.org
> Sent: Friday, June 6, 2014 2:29:44 PM
> Subject: infra security update
> 
> Hi,
> 
> Due to CVE on openssl and on kernel, I did upgrade various pieces of the
> infrastructure ( foreman, lists, stats, monitoring ), which implied a
> few reboots ( due to kernel lagging behind, which is not that great with
> local root exploit ). As this is Friday and I assumed most of the Tel
> Aviv office was not working, I hope this kept the disruption to a
> minimum. However, if something is broken, please tell us so we can fix it.
> 
> This also got me thinking. In order to bring a bit more order, what
> about having a fixed schedule for upgrade ?
>
> In my previous position, we were doing that once per month ( except
> during end of quarter freeze ), with mandatory reboot ( because if
> something does not boot, you want to know it when you have a planned
> outage, not when everyone is running around updating stuff ). Fedora has
> a rather complex procedure to decide what to upgrade, highlighted on
> http://infrastructure.fedoraproject.org/infra/docs/massupgrade.txt
> 
> So we could adopt a schedule ( once per month, unless there is something
> critical, in which case we do it ASAP, with warning on the list and irc
> ).
>
> The schedule should of course take into account "business need", which is
> "release schedule of ovirt".
> 
> So what about "first Friday of the month, unless exception" ?
> 
> And by update, I mean "yum upgrade -y". Cleaning the list of repos on
> various servers is also IMHO another task to discuss, to make sure the
> task can be safely executed. ( having something like
> mcollective/ansible/func is also needed, but that's more a convenience
> than a requirement at this stage ).

we use 'fabric' for this kind of stuff in Red Hat, so we might be able to
use that for oVirt as well.

+1 for a monthly maintenance window, Friday sounds good, since most of the users are from the TLV office.
we can keep Sunday as optional also, if a critical server should be up on a certain Friday.
so either the TLV office or non-TLV can perform the outages.

also, worth adding it to the calendar, as a monthly maintenance outage,
where we can update servers like jenkins/gerrit/foreman etc...
we can use either the ovirt cal [1] or open a new infra cal for that.

though, we should map the pkgs we want to keep latest, and ensure them via puppet,
while the maintenance windows will be used for reboots and downtimes.

we also should update that info on the wiki once ready [2]

[1] https://www.google.com/calendar/ical/ppqtk46u9cglj7l987ruo2l0f8%40group.calendar.google.com/public/basic.ics
[2] http://www.ovirt.org/Infra

> 
> --
> Michael Scherer
> Open Source and Standards, Sysadmin