
Re: Managing disperse servers



On Fri Jun 13, 2008 at 12:06:50 +0100, Keith Edmunds wrote:

> How do others approach the problem of security updates? Up until now,
> we've done this manually with some help from 'cssh' for some servers;
> however, that solution doesn't scale as the number of servers increases.

> We're reluctant to have servers automatically install updates. We're
> looking at CfEngine and Puppet, but I'd be interested in hearing of other
> approaches.

  I think you need to choose; either you have automatic updates or
 you do it manually, though there is a middle-ground where you could
 apply automatically to machines A, B, and C.  Then after you observe
 no breakage for a period of time you could instruct machines D, E, F...,
 to update themselves too.

  I personally use cron-apt to auto-install security updates, at the
 (small) risk of suffering breakages if there is a borked security update.
 So far that hasn't been a problem, but I accept it is only a matter
 of time & bad luck until I get a borked upgrade requiring manual
 intervention on 200+ machines!

  Anytime you need to have manual intervention to apply updates you're
 running the risk of forgetting a few machines and having issues.

> I'm also interested in hearing of other techniques for managing multiple,
> mostly-similar (but not identical) systems. We're currently managing about
> 40 such servers, so not a huge number, but we're expecting that number to
> grow and we want to put some tools and techniques in place before we drown
> in trying to manually manage them.

  CFEngine is what I use at home and work.  I'd choose puppet for new
 installs, but in the Sarge-timeframe it wasn't around (or if it was
 I didn't trust it enough!)

Steve
-- 
Debian GNU/Linux System Administration
http://www.debian-administration.org/
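
The middle ground described in this message (update machines A, B and C first, then let D, E, F follow once no breakage has been observed) can be enforced with a small gate that each host runs before its automatic install. This is an added example, not part of the original message; the state directory layout, the `HOLD` file and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate for staged security updates (canary wave first).
# Assumed layout (hypothetical, not from the post): a shared state directory
# holding one file per wave, "wave-N.done", whose content is the Unix time at
# which that wave finished updating, plus an optional "HOLD" file that an
# operator creates when a wave shows breakage.

# wave_may_update WAVE NOW STATE_DIR SOAK_SECONDS
# Returns 0 if hosts in WAVE may install updates now, 1 otherwise.
wave_may_update() {
    wave=$1 now=$2 state_dir=$3 soak=$4

    # Operator brake: observed breakage stops every automatic install.
    [ -e "$state_dir/HOLD" ] && return 1

    # Wave 0 is the canary group (machines A, B, C): it always goes first.
    [ "$wave" -eq 0 ] && return 0

    prev="$state_dir/wave-$((wave - 1)).done"
    [ -r "$prev" ] || return 1          # previous wave has not finished yet

    finished=$(cat "$prev")
    case $finished in
        ''|*[!0-9]*) return 1 ;;        # unreadable stamp: fail closed
    esac

    # Later waves wait until the previous wave has soaked without breakage.
    [ $((now - finished)) -ge "$soak" ]
}

# record_wave_done WAVE NOW STATE_DIR
# Called once a wave has finished updating, to start its soak period.
record_wave_done() {
    printf '%s\n' "$2" > "$3/wave-$1.done"
}

# Usage from a host's update job (state path and wave number are assumptions):
#   wave_may_update 1 "$(date +%s)" /srv/update-state 172800 && apt-get -y upgrade
```

The gate fails closed: a missing or corrupt stamp, or a `HOLD` file, leaves later waves unpatched until someone looks, so the hold state needs to be monitored.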

