[Triumf-linux-managers] bum update of el7 rpcbind
Kel Raywood
kray at triumf.ca
Tue May 23 12:14:58 PDT 2017
On 05/23/2017 09:48 AM, Konstantin Olchanski wrote:
> This morning a bum update of rpcbind landed from the sky ...
Thanks for telling people about this bug.
If you have auto-updates enabled then you might be interested in locking
rpcbind (and possibly others) at a particular version while allowing other
auto-updates to continue. The TRIUMF kickstart of CentOS-7 enables
auto-updates with triumf-yum-cron-apply_updates .
[ http://mirror.triumf.ca/triumf/7/x86_64/repoview/triumf-yum-cron-apply_updates.html ]
Individual packages can be locked at a particular version with
yum-plugin-versionlock which is installed by the TRIUMF kickstart for
CentOS-7 or can be manually installed on other el7 (and el6) systems.
You can lock rpcbind at the version currently installed with:
    rpm -q rpcbind >> /etc/yum/pluginconf.d/versionlock.list
However, just locking individual packages might cause auto updates to
fail due to dependency problems, or you might forget that you have done
it and miss a critical update. The ATLAS tier-1 centre does not enable
auto-updates but does regular staging and testing before updating all
the servers and worker-nodes. Those of us without the dedicated
personnel resources of the tier-1 centre must take a more reactionary
approach that involves being alerted when updates to locked-packages are
available.
On TRIUMF linux servers I lock all packages which are actively in-use,
while allowing auto-updates of other packages. I use the package
"lock-packages"
[ http://mirror.triumf.ca/triumf-server/7/x86_64/repoview/lock-packages.html ]
which provides a helper for yum-plugin-versionlock . Packages to be
locked are specified (without version numbers) glob style in
/etc/yum/lock-packages.globs .
e.g. for servers which are part of an NIS cluster, I lock the NIS and NFS
packages (rpcbind, ypbind, nfs-utils, autofs) . The command
"lock-packages" updates /etc/yum/pluginconf.d/versionlock.list .
Packages can be unlocked for manual update with "lock-packages -u".
To be alerted when new updates are available, I use a plugin for nagios
(the alerting system used for TRIUMF servers).
[ http://mirror.triumf.ca/triumf-server/7/x86_64/repoview/triumf-nagios-plugins-yum_updates.html ]
It could be run standalone from a cron job and allows thresholds to be
set in the number of days that an update has been available before
issuing a warning.
Another minor problem is that sometimes after doing a manual update and
testing, it's possible to forget to relock packages. So I have another
nagios alert on that
[ http://mirror.triumf.ca/triumf-server/7/x86_64/repoview/triumf-nagios-plugins-version_locks.html ]
This alert solves another minor problem, that occasionally there's a
change in the list of packages matched by a glob.
If you are interested in using these packages and want more info, then
let me know.
--
Kel Raywood
TRIUMF Information Services & Technology
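
The relock check described in the message, sketched as an added example that is not part of the original e-mail and is not the TRIUMF plugin's code: it reports every installed package whose name matches a lock glob but which is not locked at its installed version, which covers both a forgotten relock and a newly glob-matched package. The function names, the one-glob-per-line file format and the sample package versions are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the TRIUMF plugin. Exit codes follow the Nagios plugin
# convention: 0 = OK, 1 = WARNING, 3 = UNKNOWN.

# check_locks GLOBS INSTALLED LOCKLIST
#   GLOBS     package-name globs, one per line, '#' comments (assumed format)
#   INSTALLED output of `rpm -qa` (name-version-release.arch per line)
#   LOCKLIST  versionlock.list with entries as appended by `rpm -q NAME`
check_locks() {
    globs=$1 installed=$2 locklist=$3 missing=""
    while IFS= read -r nvra; do
        [ -n "$nvra" ] || continue
        name=${nvra%-*-*}              # strip -version-release.arch
        while IFS= read -r glob; do
            case $glob in ''|'#'*) continue ;; esac
            case $name in
                $glob)                 # unquoted: treated as a glob pattern
                    grep -qxF -- "$nvra" "$locklist" || missing="$missing $nvra"
                    break ;;
            esac
        done < "$globs"
    done < "$installed"
    if [ -n "$missing" ]; then
        echo "WARNING: not locked at installed version:$missing"
        return 1
    fi
    echo "OK: every package matching a lock glob is locked"
}

# Constructed sample data: rpcbind was updated by hand (release 1 -> 2) and
# never relocked; bash matches no glob and is ignored.
demo() {
    d=$(mktemp -d) || return 3
    printf '%s\n' '# NIS/NFS cluster' rpcbind ypbind 'nfs-*' autofs > "$d/globs"
    printf '%s\n' rpcbind-1.0-2.el7.x86_64 ypbind-1.0-1.el7.x86_64 \
        nfs-utils-1.0-1.el7.x86_64 bash-1.0-1.el7.x86_64 > "$d/installed"
    printf '%s\n' rpcbind-1.0-1.el7.x86_64 ypbind-1.0-1.el7.x86_64 \
        nfs-utils-1.0-1.el7.x86_64 > "$d/locks"
    rc=0
    check_locks "$d/globs" "$d/installed" "$d/locks" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On a real host the three arguments would be the glob file, a file holding the output of rpm -qa, and /etc/yum/pluginconf.d/versionlock.list, provided the lock entries were written in the rpm -q form shown in the message.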