Suchismita Panda via FreeIPA-users wrote:
Hi,
I would like to know the best practice for patching FreeIPA-Server
packages. We generally have daily patching enabled in our servers. Will
it be a good idea to do automatic patching of FreeIPA-Server packages?
If we want to restrict the FreeIPA-Server packages from automatic
upgrade and rather keep it for manual upgrade, what are the packages we
should hold back with a version restriction? And how frequently should
we do the manual upgrade? If the FreeIPA-client packages are upgraded
regularly by daily patching (yum-cron or unattended upgrade) will there
be any problem with authentication, if the FreeIPA-Servers are behind
version upgrade?
We have two FreeIPA environments, one with CentOS7 and another with
CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and 20) and
CentOS (7 and 8).
As you might expect, it's complicated.
For an IPA server I wouldn't recommend automated package upgrades as
long as you have attentive system admins. Packages for CentOS* tend to
be more batch-driven so I don't think it would be a huge burden.
We recommend upgrading one server at a time when a new IPA release comes
out. This is because new LDAP entries can be introduced and running
simultaneous upgrades has caused replication conflicts in the past.
We do recommend against cherry-picking changes. In RHEL testing is all
done against a static set of packages. If mix-and-matching happens all
bets are off.
Running mixed server versions is fine for a time. We definitely
recommend keeping them in sync because there can be feature differences
between them so you may not fully reap all benefits until they are all
upgraded.
Clients are another matter. "client" is a rather generic term post
ipa-client-install. At that point the client packages are whatever
configuration was created by the installer to be consumed by default by
sssd. It is generally considered safe to keep those up-to-date.
ipa-client does not have a mechanism for applying updates on upgrades.
It is fine to run mixed client/server versions. In that case any
operational differences will be mostly defined by differences in sssd.
rob
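One way to implement the "hold the server packages back from daily patching" part of the advice above, as an added example that is not from the thread or from the FreeIPA project: a small POSIX shell helper that writes (or replaces, idempotently) an `exclude = ...` line in the `[base]` section of a yum-cron configuration file, so yum-cron keeps applying the rest of the updates while the listed packages wait for a manual, one-server-at-a-time upgrade. It assumes yum-cron honours `exclude` in the `[base]` section of `/etc/yum/yum-cron.conf` (the `[base]` section overrides yum.conf settings); the package list in `HOLD_PKGS` is a placeholder, since the thread does not say which packages to hold back.

```shell
#!/bin/sh
# Added example, not from the thread. Hold selected packages back from
# yum-cron's automatic updates by managing the `exclude =` line in the
# [base] section of a yum-cron.conf-style file.
# ASSUMPTION: yum-cron reads an `exclude = ...` setting from [base].
# PLACEHOLDER: the thread does not name the packages to hold; adjust
# HOLD_PKGS to whatever your own testing shows is needed.
HOLD_PKGS="${HOLD_PKGS:-ipa-server ipa-client}"

# render_exclude_line PKGS: format a space-separated package list as the
# yum-cron.conf setting line.
render_exclude_line() {
    printf 'exclude = %s\n' "$1"
}

# set_yum_cron_exclude CONF PKGS: insert or replace the exclude line in the
# [base] section of CONF. Creates [base] if the file has none. Writes to a
# temp file first so a failed run never leaves a truncated config behind.
set_yum_cron_exclude() {
    conf="$1"
    pkgs="$2"
    line=$(render_exclude_line "$pkgs")
    tmp="${conf}.tmp.$$"
    awk -v line="$line" '
        # On every section header: if we are leaving [base] without having
        # written the line yet, emit it now, then track the new section.
        /^\[/ {
            if (inbase && !done) { print line; done = 1 }
            inbase = ($0 == "[base]")
        }
        # An existing exclude line inside [base] is replaced (first one) or
        # dropped (any later duplicates).
        inbase && /^[[:space:]]*exclude[[:space:]]*=/ {
            if (!done) { print line; done = 1 }
            next
        }
        { print }
        # File ended inside [base] without an exclude line, or had no [base]
        # section at all.
        END {
            if (!done) {
                if (!inbase) print "[base]"
                print line
            }
        }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# current_exclude CONF: print the package list currently excluded in [base]
# (empty output if there is none), for auditing hosts after a change.
current_exclude() {
    awk '
        /^\[/ { inbase = ($0 == "[base]") }
        inbase && /^[[:space:]]*exclude[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            print
            exit
        }
    ' "$1"
}

# Typical use on an IPA server (root, after taking a backup of the file):
#   set_yum_cron_exclude /etc/yum/yum-cron.conf "$HOLD_PKGS"
#   current_exclude /etc/yum/yum-cron.conf
```

The `current_exclude` check is the part worth running fleet-wide: it lets you confirm every server has the same hold list before a manual upgrade round, which fits the "upgrade one server at a time, keep them in sync" advice in the reply.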