On Jan 29, 2009, at 2:23 PM, Sharpe, Sam J wrote:


Does anyone else have to live in a "if it works, don't update it" world, or is it just me?


My last employer has 10s of thousands of RHEL servers managed this way. My current environment is similar but smaller scale. Upgrades are almost always from one major RHEL version to another via reinstalls, once every few years for a given box. It is impractical to update running production systems en masse. Red Hat is pretty good about limiting the network services running by default; we turn off the few remaining ones so we're only left with SSH and our apps. Then patching is not really a security concern, more an app/feature/compatibility issue and needs to be done only occasionally and in significant jumps. But running large-scale Internet services like I'm doing is rather a different world than places with lots of random user logins and the like. Those folks have to worry a lot more about privilege escalation via setuid apps and kernel bugs, which necessitates more frequent patching.

That said, this "real men don't use config management tools" plan is no crazy. Puppet/cfengine/etch are essential.

Jason

_______________________________________________
rhelv5-list mailing list
https://www.redhat.com/mailman/listinfo/rhelv5-list