[rhn-users] Off-line update

RHN-Users Readers role.rhn-users at axoria.net
Wed Mar 3 21:46:22 UTC 2004


On Wed, 2004-03-03 at 21:02, Hill Webmaster wrote:

> I am in the process of purchasing several licenses for RHEL 3. My
> network security folks require that all security patches be applied
> before connecting the machine to the network. Are all the updated rpms
> available for download in the RHN? If so, does anyone know the proper
> method to upgrade all the updated rpms? Can that be done with a single
> wildcarded rpm freshen or upgrade command or something similar once
> all the new rpm packages are in a directory somewhere? Is it necessary
> or does rpm automatically restart appropriate services after upgrading
> a program, service or library?

To answer your second question first -- Yes, rpm generally tries to
restart things appropriately. However, if you've edited config files and
the update wants the new config file it installed (usually ".rpmnew") to
be effective for the update to be complete, you may need to intervene. I
usually watch lists and servers to make sure I know what's being
updated, doing some of it manually (have up2date set to download-only)
and if a lot of things are updated I'll sometimes reboot. Usually, I
just restart any services that I feel warrant it.

As for your first question ... yes, good one! I have the same dilemma. I
found that Update 1 for ES 3.0 already covers most of the updates, so
using the latest Update instead of original ISOs is a good idea, of
course. Beyond that, I took a pragmatic compromise approach. I really
need to expose a newly installed machine to RHN for it to be able to see
what needs updating. (The RHN software is open-source, so no doubt it's
possible to compile the package-list offline and do it some other way,
but I don't know and it might be complicated.)

So, the compromise I came up with was to install the server offline
initially, then configure firewall/routing so that the only Internet
traffic that can get to/from the newly installed server is the correct
RHN server on the right port. This is not entirely secure, but I figure
it is more secure than the brick walls of my premises, for example. It's
hard to crack and it would become very evident if it had been messed
with before I depended on the server's integrity, I believe.

This isn't a secure answer to your question, but it is simple and
effective, and feels adequate to me. I'm not installing machines for
multi-billion Euro transactions with some large financial institution
though, so you choose! Hope this is at least of some help. In any case,
I'll be watching the thread in case someone has a better idea.

-- 
Best regards,
James.
________________________________________________________________________
Axoria Ltd UK: Internet Security, Dynamic Websites, Software Engineering
http://www.axoria.net/                                              E&OE
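
The firewall compromise described in the reply above, sketched as an added example that is not part of the original message: a default-deny iptables ruleset that lets the new host exchange TCP traffic with a single update server and nothing else. The function names are hypothetical, and the server address and port are operator-supplied assumptions, since the post names neither.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# that permits traffic to/from one update server only. DNS is blocked too, so
# the server name must be pinned in /etc/hosts (assumption about the setup).

valid_ipv4() {
    # Accept only dotted-quad addresses with every octet in 0..255.
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

valid_port() {
    # Digits only, at most five of them, and within 1..65535.
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

update_only_ruleset() {
    server_ip=$1
    server_port=$2
    # Refuse anything that is not a plain address/port, so no stray text
    # can end up inside the generated rules.
    valid_ipv4 "$server_ip" || { echo "bad IPv4 address: $server_ip" >&2; return 1; }
    valid_port "$server_port" || { echo "bad port: $server_port" >&2; return 1; }
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -d $server_ip --dport $server_port -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s $server_ip --sport $server_port -m state --state ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Usage: sh update-only.sh <server-ip> <port> | iptables-restore
if [ "$#" -eq 2 ]; then
    update_only_ruleset "$1" "$2"
fi
```

Review the generated rules before piping them to iptables-restore, and replace them with the production policy once the host is patched.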





