
Re: Debian update/upgrade good practices?



In <BANLkTi=TzY5UoBaZXBqqAUBM2ysvBsk=KQ@mail.gmail.com>, Rafał Radecki wrote:
>I have a new LAN to administer, I have 8 Debian production servers
>which have been configured by someone else.
>I try to make a reasonable update/upgrade policy for those servers.
>Till now (for my home servers) I used aptitude update/upgrade and it
>was ok. But here every server has many services (Oracle, JBoss, VMWare
>2 Server, ...) and I think that now I should be more careful.
>
>Should upgrades/updates be made automatically or manually?

I'm a big fan of automatically, for updates from stable and stable-security.  
However, these have been known to, in rare cases, cause failures.

Even for very critical systems, having a rollback (using snapshot.d.o) and 
blacklist (pin to a -1 the troublesome version) policy should be enough, as 
long as you have 24/7 support that can do that.

>What
>additional steps could be made?

unattended-upgrades, logcheck, and tripwire are my friends.  I think you might 
get along with them too.  If you have to put into production software that is 
not available in stable, I also suggest a cron job (unprivileged is fine) that 
runs (aptitude search '~U') -- manually upgrade that software as needed 
instead of relying on unattended-upgrades.

>When should dist-upgrade be made?

"Never".

If you are just getting updates to stable, "upgrade" should always be 
sufficient.  Transitions that require a package to be removed should not occur 
during the lifetime of stable.

If you are upgrading a production system from Lenny to Squeeze (or a similar 
oldstable -> stable upgrade where a "dist-upgrade" is necessary), you should 
perform the upgrade on a test system that has as similar configuration and 
hardware as you can produce.  You may need to do a test upgrade a few times 
and you'll certainly want to test the services and do some clean up.  Once you 
have your procedures, which may be a lengthy addition to the release notes, 
depending on your configuration and hardware, you can perform the upgrade to the 
production system.

>On
>one site I have read that Debian's policy is to use stable versions
>and only add security updates... what do you think?

During the lifetime of a stable release, few (if any) new upstream versions 
are included in the updates.  Instead security and "other important" bug fixes 
are "backported" to the old version, in an attempt to keep stable as free-
from-change as possible.  (The patch fixing the issue is isolated, then 
mangled to apply to the old version and tested.)
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
bss@iguanasuicide.net                   ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
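
The blacklist step mentioned in the reply above (pinning a troublesome version to -1), as an added example that is not part of the original message. The function names and the sample package `examplepkg` are hypothetical; the version check is deliberately stricter than Debian policy so that a glob cannot widen the pin by accident.

```shell
#!/bin/sh
# Added example: emit an APT preferences stanza that blacklists ONE exact
# package version (Pin-Priority: -1) so unattended-upgrades will not install it.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# Debian package names: at least 2 chars, lowercase alnum plus "+", "-", ".",
# starting with an alphanumeric.
valid_pkg() {
    case "$1" in
        ""|?) return 1 ;;
        [!a-z0-9]*) return 1 ;;
        *[!a-z0-9+.-]*) return 1 ;;
    esac
    return 0
}

# Version strings: must start with a digit (this also covers "epoch:version").
# "Pin: version" accepts globs, so "*", "?" and whitespace are rejected here:
# a stray glob would blacklist more versions than intended.
valid_ver() {
    case "$1" in
        "") return 1 ;;
        [!0-9]*) return 1 ;;
        *[!A-Za-z0-9.+~:-]*) return 1 ;;
    esac
    return 0
}

# Print the stanza on stdout; refuse anything that fails validation.
pin_stanza() {
    valid_pkg "$1" || { echo "bad package name: $1" >&2; return 1; }
    valid_ver "$2" || { echo "bad version: $2" >&2; return 1; }
    printf 'Explanation: blacklisted after a failed upgrade\n'
    printf 'Package: %s\nPin: version %s\nPin-Priority: -1\n' "$1" "$2"
}

# Stand-alone use: sh pin.sh examplepkg 1.2.3-4
if [ "$#" -eq 2 ]; then
    pin_stanza "$1" "$2"
fi
```

Redirect the output into a file under `/etc/apt/preferences.d/` and confirm with `apt-cache policy` for that package that the blacklisted version is no longer the install candidate.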
