Suchismita Panda via FreeIPA-users wrote:
> Hi,
>
> I would like to know the best practice for patching FreeIPA-Server
> packages. We generally have daily patching enabled in our servers. Will
> it be a good idea to do automatic patching of FreeIPA-Server packages?
>
> If we want to restrict the FreeIPA-Server packages from automatic
> upgrade and rather keep it for manual upgrade, what are the packages we
> should hold back with a version restriction? And how frequently should
> we do the manual upgrade? If the FreeIPA-client packages are upgraded
> regularly by daily patching (yum-cron or unattended upgrade) will there
> be any problem with authentication, if the FreeIPA-Servers are behind
> version upgrade?
>
> We have two FreeIPA environments, one with CentOS7 and another with
> CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and 20) and
> CentOS (7 and 8).
>

As you might expect, it's complicated.

For an IPA server I wouldn't recommend automated package upgrades as long as you have attentive system admins. Packages for CentOS* tend to be more batch-driven so I don't think it would be a huge burden.

We recommend upgrading one server at a time when a new IPA release comes out. This is because new LDAP entries can be introduced and running simultaneous upgrades has caused replication conflicts in the past.

We do recommend against cherry-picking changes. In RHEL, testing is all done against a static set of packages. If mix-and-matching happens, all bets are off.

Running mixed server versions is fine for a time. We definitely recommend keeping them in sync because there can be feature differences between them so you may not fully reap all benefits until they are all upgraded.

Clients are another matter. "client" is a rather generic term post ipa-client-install. At that point the client packages are whatever configuration was created by the installer to be consumed by default by sssd. It is generally considered safe to keep those up-to-date. ipa-client does not have a mechanism for applying updates on upgrades.

It is fine to run mixed client/server versions. In that case any operational differences will be mostly defined by differences in sssd.

rob