In <BANLkTi=TzY5UoBaZXBqqAUBM2ysvBsk=KQ@mail.gmail.com>, Rafał Radecki wrote:
>I have a new LAN to administer, I have 8 Debian production servers
>which have been configured by someone else.
>I try to make a reasonable update/upgrade policy for those servers.
>Till now (for my home servers) I used aptitude update/upgrade and it
>was ok. But here every server has many services (Oracle, JBoss, VMWare
>2 Server, ...) and I think that now I should be more careful.
>
>Should upgrades/updates be made automatically or manually?

I'm a big fan of automatically, for updates from stable and
stable-security. However, these have been known to, in rare cases, cause
failures. Even for very critical systems, having a rollback (using
snapshot.d.o) and blacklist (pin to a -1 the troublesome version) policy
should be enough, as long as you have 24/7 support that can do that.

>What
>additional steps could be made?

unattended-upgrades, logcheck, and tripwire are my friends. I think you
might get along with them too.

If you have to put into production software that is not available in
stable, I also suggest a cron job (unprivileged is fine) that runs
(aptitude search '~U') -- manually upgrade that software as needed
instead of relying on unattended-upgrades.

>When should be dist-upgrade made?

"Never". If you are just getting updates to stable, "upgrade" should
always be sufficient. Transitions that require a package to be removed
should not occur during the lifetime of stable.

If you are upgrading a production system from Lenny to Squeeze (or a
similar oldstable -> stable upgrade where a "dist-upgrade" is
necessary), you should perform the upgrade on a test system that has as
similar a configuration and hardware as you can produce. You may need to
do a test upgrade a few times and you'll certainly want to test the
services and do some clean up.

Once you have your procedures, which may be a lengthy addition to the
release notes, depending on your configuration and hardware, you can
perform the upgrade to the production system.

>On
>one site I have read that Debian's policy is to use stable versions
>and only add security updates... what do you think?

During the lifetime of a stable release, few (if any) new upstream
versions are included in the updates. Instead, security and "other
important" bug fixes are "backported" to the old version, in an attempt
to keep stable as free-from-change as possible. (The patch fixing the
issue is isolated, then mangled to apply to the old version and tested.)
-- 
Boyd Stephen Smith Jr.                   ,= ,-_-. =.
firstname.lastname@example.org          ((_/)o o(\_))
ICQ: 514984 YM/AIM: DaTwinkDaddy         `-'(. .)`-'
http://iguanasuicide.net/                    \_/
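The rollback, blacklist and cron-check steps described in the reply above, sketched as shell helpers. This is an added example, not part of the original message: the function names, file names under /etc/apt, package names, versions and snapshot timestamp are all constructed placeholders, and the cron check assumes aptitude's `-F '%p %v %V'` output (name, current version, candidate version).

```shell
#!/bin/sh
# Added example (not from the original post). Package names, versions and
# the snapshot timestamp passed in are constructed placeholders.

# apt preferences stanza that blacklists one exact version: with priority
# -1 apt never selects it. Save under /etc/apt/preferences.d/.
blacklist_pin() {
    printf 'Package: %s\nPin: version %s\nPin-Priority: -1\n' "$1" "$2"
}

# sources.list line for one snapshot.debian.org archive state.
# $1 = timestamp (YYYYMMDDTHHMMSSZ), $2 = suite
snapshot_source() {
    printf 'deb http://snapshot.debian.org/archive/debian/%s/ %s main\n' "$1" "$2"
}

# Rollback plan: $1 = package, $2 = bad version, $3 = known-good version,
# $4 = snapshot timestamp, $5 = suite. Prints text for review only; it
# changes nothing on the system.
rollback_plan() {
    echo "# 1. add to /etc/apt/sources.list.d/snapshot.list:"
    snapshot_source "$4" "$5"
    echo "# 2. add to /etc/apt/preferences.d/blacklist-$1:"
    blacklist_pin "$1" "$2"
    echo "# 3. run (snapshot Release files are past their Valid-Until date):"
    echo "apt-get -o Acquire::Check-Valid-Until=false update"
    echo "apt-get install $1=$3"
}

# Cron check: reads "name current candidate" lines on stdin, as printed by
#   aptitude search -F '%p %v %V' '~U'
# Prints one line per pending upgrade and returns 0; prints nothing and
# returns 1 when nothing is pending, so cron mails only when there is work.
pending_report() {
    awk 'NF >= 3 { printf "%s: %s -> %s\n", $1, $2, $3; n++ }
         END { exit !n }'
}
```

From an unprivileged crontab, the check would be fed with `aptitude search -F '%p %v %V' '~U' | pending_report`.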