Given how well connected perfsonar boxes are, they ought to be getting security updates.
In particular, CentOS 6.5 is susceptible to the Heartbleed OpenSSL bug, which might not be serious in this context but certainly ought to be patched.
Jeremy
On 9 Apr 2014, at 13:46, Winnie Lacesso wrote:
> Greetings Wise People!
>
> I'm way behind as have only been 10% LCG support last 2 years so apologies
> if this is elementary.
>
> Bristol has 2 perfsonar hosts. Both are whatever standard install is
> provided by the perfsonar folks, apparently CentOS 6.5.
> (I did not install it, Dr Kreczko did I presume following whatever
> instructions the perfsonar folks provide)
>
> We find that yum-cron is installed, creating /etc/cron.daily/0yum.cron,
> but it is not chkconfig'd on.
> It looks like lots of repos are left enabled (which might cause problems
> with clashing versions I suppose)
>
> Is this correct for perfsonar? So they don't auto-install security updates
> overnight. One has 44 updates pending from several months back...
>
> Is there some danger for perfsonar in allowing automatic nightly security
> updates?
>
> IIRC yum-cron is a fairly different animal than yum-autoupdate which
> is what all our SL hosts use. yum-cron exists for SL but we found it does
> not allow (or not without nitpicky config) excludes like kernel (I think).
> So we use yum-autoupdate on SL & they get all but kernel nightly sl-security
> updates.
>
> So can people who have perfsonar boxen tell me
> . is yum-cron installed or yum-autoupdate
> . is it correct to have yum-cron chkconfig'd on or off ?
>
> We do want stable perfsonar, maybe auto updates will make it unstable, but
> shouldn't security updates be applied since they have ports open to the
> outside world??
>
> Winnie Lacesso / 55% HPC Storage Admin, 20% Particle Physics, 25% SysOps
> HH Wills Physics Laboratory, Tyndall Avenue, Bristol, BS8 1TL, UK
> University of Bristol