Re: Managing disperse servers
On Fri Jun 13, 2008 at 12:06:50 +0100, Keith Edmunds wrote:
> How do others approach the problem of security updates? Up until now,
> we've done this manually with some help from 'cssh' for some servers;
> however, that solution doesn't scale as the number of servers increases.
> We're reluctant to have servers automatically install updates. We're
> looking at CfEngine and Puppet, but I'd be interested in hearing of other
> approaches.
I think you need to choose; either you have automatic updates or
you do it manually, though there is a middle-ground where you could
apply automatically to machines A, B, and C. Then after you observe
no breakage for a period of time you could instruct machines D, E, F...,
to update themselves too.

I personally use cron-apt to auto-install security updates, at the
(small) risk of suffering breakages if there is a borked security update.
So far that hasn't been a problem, but I accept it is only a matter
of time & bad luck until I get a borked upgrade requiring manual
intervention on 200+ machines!

Anytime you need to have manual intervention to apply updates you're
running the risk of forgetting a few machines and having issues.
> I'm also interested in hearing of other techniques for managing multiple,
> mostly-similar (but not identical) systems. We're currently managing about
> 40 such servers, so not a huge number, but we're expecting that number to
> grow and we want to put some tools and techniques in place before we drown
> in trying to manually manage them.
CFEngine is what I use at home and work. I'd choose Puppet for new
installs, but in the Sarge-timeframe it wasn't around (or if it was,
I didn't trust it enough!).
Steve
--
Debian GNU/Linux System Administration
http://www.debian-administration.org/
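
The staged approach described in the reply above (update machines A, B and C first, then let D, E, F follow after a quiet period), together with a check for machines that were missed, as an added example that is not part of the original message. The host names, the three-day soak period, the seven-day staleness limit and the report format are all assumptions.

```python
from datetime import datetime, timedelta

SOAK = timedelta(days=3)    # assumed observation period before the next wave
STALE = timedelta(days=7)   # assumed limit before a host counts as forgotten

# Constructed inventory: wave 0 is the canary group (machines A, B, C).
WAVES = [["a", "b", "c"], ["d", "e", "f"]]

# Constructed sample reports: host -> (time the update finished, healthy?)
RELEASED = datetime(2008, 6, 13)
REPORTS = {
    "a": (datetime(2008, 6, 13, 4), True),
    "b": (datetime(2008, 6, 13, 4), True),
    "c": (datetime(2008, 6, 14, 4), True),
}

def may_update(host, reports, now):
    """Return True if `host` may install the pending update at time `now`.

    Hosts that have not applied the update yet are absent from `reports`.
    """
    wave = next((i for i, hosts in enumerate(WAVES) if host in hosts), None)
    if wave is None:
        raise ValueError(f"{host} is not in any wave")
    for earlier in WAVES[:wave]:
        for h in earlier:
            if h not in reports:
                return False        # an earlier host has not updated yet
            finished, healthy = reports[h]
            if not healthy:
                return False        # breakage seen: hold every later wave
            if now - finished < SOAK:
                return False        # still inside the observation window
    return True

def forgotten(reports, released, now):
    """Hosts with no healthy report once STALE has passed since release."""
    if now - released < STALE:
        return []
    return sorted(h for hosts in WAVES for h in hosts
                  if h not in reports or not reports[h][1])

if __name__ == "__main__":
    print(may_update("d", REPORTS, datetime(2008, 6, 17, 5)))
    print(forgotten(REPORTS, RELEASED, datetime(2008, 6, 21)))
```

A per-host cron wrapper would call `may_update` before starting the unattended install and skip the run when it returns False.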