----- Original Message -----
From: "Michael Scherer" <mscherer(a)redhat.com>
To: infra(a)ovirt.org
Sent: Friday, June 6, 2014 2:29:44 PM
Subject: infra security update
Hi,
Due to CVE on openssl and on kernel, I did upgrade various pieces of the
infrastructure ( foreman, lists, stats, monitoring ), which implied a
few reboots ( due to kernel lagging behind, which is not that great with
local root exploit ). As this is Friday and I assumed most of the Tel
Aviv office was not working, I hope this kept the disruption to a
minimum. However, if something is broken, please tell us so we can fix it.
This also got me thinking. In order to bring a bit more order, what
about having a fixed schedule for upgrades?
In my previous position, we were doing that once per month ( except
during end of quarter freeze ), with mandatory reboot ( cause if
something does not boot, you want to know it when you have a planned
outage, not when everyone is running around updating stuff ). Fedora has
a rather complex procedure to decide what to upgrade, highlighted on
http://infrastructure.fedoraproject.org/infra/docs/massupgrade.txt
So we could adopt a schedule ( once per month, unless there is something
critical, in which case we do it ASAP, with warning on the list and irc
).
The schedule should of course take into account "business need", which is
"release schedule of ovirt".
So what about "first friday of the month, unless exception" ?
And by update, I mean "yum upgrade -y". Cleaning the list of repo on
various servers is also IMHO another task to discuss, to make sure the
task can be safely executed. ( having something like
mcollective/ansible/func is also needed, but that's more a convenience
than a requirement at this stage ).
We use 'fabric' for this kind of stuff in Red Hat, so we might be able to
use that for oVirt as well.
+1 for monthly maintenance window, Friday sounds good, since most of the users are from tlv
office.
We can keep Sunday as optional also, if a critical server should be up on a certain
Friday.
So either tlv office or non-tlv can perform the outages.
Also, worth adding it to the calendar, as a monthly maintenance outage,
where we can update servers like jenkins/gerrit/foreman etc...
We can use either ovirt cal [1] or open a new infra cal for that.
Though, we should map pkg we want to keep latest, and ensure them via puppet,
while the maintenance windows will be used for reboots and downtimes.
We also should update that info on the wiki once ready [2]
[1]
https://www.google.com/calendar/ical/ppqtk46u9cglj7l987ruo2l0f8%40group.c...
[2]
http://www.ovirt.org/Infra
--
Michael Scherer
Open Source and Standards, Sysadmin