We’ve had good experience doing just release upgrades, e.g. from 8.1 to 8.2. For that I do
yum update, i.e. the whole thing. My assumption is that testing is done on systems with
the full release. So upgrading just some things gives us a configuration that hasn’t been
tested. We did a full reinstall from 7 to 8, and presumably will for future major
releases. Of course if there’s a security problem in ssh, I’d upgrade just that
immediately. I’d be more skeptical of upgrading any package actually used by IPA.
We also clone all the VMs and try out the full set of upgrades before doing it on
production. This requires using a hacked copy of DNS that identifies the production
hostnames with the IPs of the clones. I did a similar test before the move from 7 to 8.
On Jul 16, 2021, at 5:38 PM, Suchismita Panda <suchismita.83(a)gmail.com> wrote:
Hello,
Following up again for my question in the previous email, pasted below. It would be really
helpful, if it could be answered -
We are using CentOS currently for our FreeIPA servers, as per your advice we will skip the
full OS automatic patching. If we limit the automated patching to just target kernel
packages, will that be risk free?
Thanks
Suchi
On Fri, Jun 18, 2021 at 11:21 AM Suchismita Panda
<suchismita.83@gmail.com> wrote:
Thank you for your reply. We are using CentOS currently for our FreeIPA servers, as per
your advice we will skip the full OS automatic patching. If we limit the automated
patching to just target kernel packages, will that be risk free?
-Suchi
On Thu, Jun 17, 2021 at 1:00 PM Rob Crittenden
<rcritten@redhat.com> wrote:
Suchismita Panda via FreeIPA-users wrote:
Thanks all for the reply.
Circling back again - We have to do the normal OS upgrade for the
FreeIPA servers and would like to exclude the FreeIPA package to be
upgraded. I would like to know the name of the Freeipa packages which
should be held back from automatic upgrade.
A list would be really helpful.
It's a tricky question. IPA is more than just the freeipa-* packages.
It's 389-ds, pki-*, sssd-*, a ton of python packages, openldap client
libraries, openssl, nss, bind, krb5. And that's just off the top of my head.
In a CentOS/RHEL environment we discourage picking and choosing packages
to upgrade since we only test against what is in a given release. In
Fedora things are a bit more fluid so we do the best we can with Requires,
but it isn't feasible to set dependencies on every possible package.
So by blocking freeipa-server and freeipa-client you'll likely hit the
highlights but no promises nothing will break. There can be big
differences between Fedora releases.
rob
On Thu, Apr 15, 2021 at 1:34 PM
<hedrick@rutgers.edu> wrote:
We haven’t had a failure in the last couple of updates. But there
have been enough problems in upgrades that we do it manually. In
fact we duplicate all of our VMs, setting up a duplicate set of
servers, and first try the upgrade on them before we do it in
production. We have too many eggs in one basket to risk problems
with IPA.
> On Mar 31, 2021, at 2:45 PM, Suchismita Panda via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> I would like to know the best practice for patching FreeIPA-Server
packages. We generally have daily patching enabled in our servers.
Will it be a good idea to do automatic patching of FreeIPA-Server
packages?
>
> If we want to restrict the FreeIPA-Server packages from
automatic upgrade and rather keep it for manual upgrade, what
are the packages we should hold back with a version restriction? And
how frequently should we do the manual upgrade? If the
FreeIPA-client packages are upgraded regularly by daily
patching (yum-cron or unattended upgrade) will there be any problem
with authentication, if the FreeIPA-Servers are behind version upgrade?
>
> We have two FreeIPA environments, one with CentOS7 and another
with CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and
20) and CentOS (7 and 8).
>
> Any help and guidance is appreciated.
>
> Thanks
> Suchi
> _______________________________________________
> FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
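
Added example, not part of the thread: a pre-flight check that an automated patch job could run to see whether any pending update belongs to the package families Rob names as part of IPA, so those updates can be held for the manual, clone-tested upgrade described above. The function names, the `ipa-*` glob (the CentOS/RHEL package naming) and the sample update list are assumptions constructed for illustration; Rob's list is explicitly incomplete, and the Python packages he mentions are not matched because the thread does not name them.

```shell
#!/bin/sh
# Package families from Rob's reply, plus ipa-* (assumed here: the CentOS/RHEL
# names for the freeipa-* packages). He calls the list "off the top of my head",
# so an empty result is not a guarantee that IPA is unaffected.
IPA_STACK_GLOBS='freeipa-* ipa-* 389-ds* pki-* sssd* openldap* openssl* nss* bind* krb5*'

# Read "name.arch version repo" lines (the layout of `yum check-update`) on
# stdin and print the names of packages that belong to the IPA stack.
ipa_stack_updates() {
    while read -r pkg _rest; do
        [ -n "$pkg" ] || continue
        name=${pkg%.*}          # strip the trailing .arch
        set -f                  # do not expand the globs against the filesystem
        for glob in $IPA_STACK_GLOBS; do
            case $name in
                $glob) printf '%s\n' "$name"; break ;;
            esac
        done
        set +f
    done
}

# Exit status 0 when no pending update touches the IPA stack, 1 otherwise.
safe_for_unattended() {
    [ -z "$(ipa_stack_updates)" ]
}

# Constructed sample of pending updates (versions are made up).
sample_pending() {
cat <<'EOF'
kernel.x86_64            4.18.0-305.10.2.el8_4   baseos
krb5-libs.x86_64         1.18.2-8.el8            baseos
sssd-common.x86_64       2.4.0-9.el8_4.1         baseos
tzdata.noarch            2021a-1.el8             baseos
ipa-server.x86_64        4.9.2-4.module_el8      appstream
EOF
}

flagged=$(sample_pending | ipa_stack_updates)
printf 'Hold for manual, tested upgrade:\n%s\n' "$flagged"
```

On a real server the input would come from `yum check-update` instead of `sample_pending`; header and blank lines in that output match none of the globs and are ignored.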