zypper patch as cron job - is that a good idea?

I want to make a script which does zypper patch and, after it finishes, maybe pops up an alert window saying these were updated and also root (you have to restart)… Because I want my machine to be secured as well as possible and, on the other hand, I do not want to update as soon as some updates are available, just the critical ones. Is that a good idea?

On 2015-07-17 20:16, roberto68 wrote:
>
> I want to make a script which does zypper patch and, after it finishes,
> maybe pops up an alert window saying these were updated and also root
> (you have to restart)… Because I want my machine to be secured as well
> as possible and, on the other hand, I do not want to update as soon as
> some updates are available, just the critical ones. Is that a good idea?

IMO, no.

You might run a cron job to download the updates, but I would never
apply them automatically, only at a time of my choosing. And remember
that to apply the updates you need to restart all the affected
applications and services; till you do, they are still using the old,
unpatched, insecure versions.

Thus automatic updates are useless, yet they might make your machine
crash, when you are not there.

However, there is a yast module to automate this, if you want.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))
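An added example of the "download via cron, apply by hand" arrangement the reply above recommends. It is not code from the thread or from any poster, and not part of zypper: the script name, the crontab line and the log tag are assumptions, and the notice text is made up here. It uses only documented zypper behaviour: `--non-interactive`, `patch --download-only`, and the exit status of `zypper patch-check` (0 nothing to do, 100 patches needed, 101 security patches needed).

```shell
#!/bin/sh
# patch-download.sh (hypothetical name): the cron half of "download, but never apply".
# Added example, not from the thread. Assumes openSUSE with zypper, logger(1) and wall(1).
#   crontab entry (assumption): 0 3 * * * /usr/local/sbin/patch-download.sh run

LOG_TAG=patch-download

# Map the exit status of `zypper patch-check` to a one-word state.
# zypper documents 0 = nothing to do, 100 = patches needed, 101 = security patches needed;
# anything else is treated as a failure (repo unreachable, lock held, ...).
patch_status() {
    case "$1" in
        0)   echo none ;;
        100) echo patches ;;
        101) echo security ;;
        *)   echo error ;;
    esac
}

# Operator-facing message for a state; empty when there is nothing to say.
notice_for() {
    case "$1" in
        patches)  echo "Patches are downloaded and waiting: run 'zypper patch' in the next maintenance window." ;;
        security) echo "SECURITY patches are downloaded and waiting: run 'zypper patch --category security' soon, then 'zypper ps' and restart what it lists." ;;
        *)        echo "" ;;
    esac
}

run_cycle() {
    # --non-interactive answers every prompt with its default so cron never hangs
    # (a patch whose licence would need accepting is skipped, not accepted);
    # --download-only stages the RPMs in the package cache and changes nothing on the system.
    zypper --non-interactive refresh >/dev/null 2>&1 || logger -t "$LOG_TAG" "refresh failed"
    zypper --non-interactive patch --download-only >/dev/null 2>&1 || logger -t "$LOG_TAG" "download failed"
    if zypper --non-interactive patch-check >/dev/null 2>&1; then rc=0; else rc=$?; fi
    status=$(patch_status "$rc")
    msg=$(notice_for "$status")
    logger -t "$LOG_TAG" "patch-check rc=$rc status=$status"
    if [ -n "$msg" ]; then
        logger -t "$LOG_TAG" "$msg"
        wall "$msg" 2>/dev/null || true   # best effort: reaches terminals, not desktop sessions
    fi
}

if [ "${1:-}" = "run" ]; then
    run_cycle
fi
```

The script never runs `zypper patch` itself; `zypper patch --category security` is what the operator types once the notice arrives, followed by `zypper ps` to see what still runs old code. The `wall` call is deliberately best effort: as the later replies point out, pushing a window into a user's desktop session is a separate and much harder problem, so the reliable channel here is the system log.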

It is a bit a matter of personal taste. I tend to follow robin_listas here. I will only install anything on a system at the moment I decide to do that. Most of the time during the weekly maintenance window. When the need arises, also after consulting the users.

In any case, your idea about creating a pop-up window on the screen of a user is not trivial. Not only in designing exactly what to do (think of there being no end-user session, there being one, and there being more, as well local as remote), but also technically (nobody can open a window in somebody's session without his/her consent, and even then …).

The lack of this in 2015 is a horrible oversight if you ask me. It should at least be an option, without having to script it yourself.

OK so what is the yast module for that? Is it in YaST by default or do I have to install it? Or I'd simplify it: if there's any patch I want some little pop-up/rollover on the bottom panel - is there some - can that yast module perform that?

On 2015-07-18 10:36, Miuku wrote:
>
> robin_listas;2719944 Wrote:
>> And remember that to apply the updates you need to restart all the
>> affected applications and services; till you do, they are still using
>> the old, unpatched, insecure versions.
> The lack of this in 2015 is a horrible oversight if you ask me. It
> should at least be an option, without having to script it yourself.

It is far from trivial. Very far.

Restarting some things can crash sessions, sometimes the entire machine.

Quite often the trick is to exit the session (kde, gnome), and this
cannot be automated or the users will be very pissed. Same goes for reboot.

Windows solves the issue by automatically popping a window requesting to
reboot the machine, but you can postpone it. If you suggest this in
Linux, people will be mad at you.


Cheers / Saludos,

Carlos E. R.


On 2015-07-18 12:06, roberto68 wrote:
>
> OK so what is the yast module for that? Is it in YaST by default or
> do I have to install it?

I don’t remember; I have never used it, in decades. I don’t see it on
this laptop. It should be in the “software section”.

Have a look at this module:

yast2-online-update-configuration - Configuration of Online Update

it may be it.


Cheers / Saludos,

Carlos E. R.


Only files that are in use at the moment they are replaced will stay in use for what they are used for at that moment in time.

Simple example:
When program aap (executed from the file path/to/aap) is running and the update replaces path/to/aap, the still running program will still use the old path/to/aap when it needs it (to load a segment or so), thus it will not break. Every new execution of aap (from path/to/aap) will use the new file. Thus both will run in parallel without any issue. No need to log out (let alone reboot). Simply ending the execution of the “old” aap will free the file (and the disk space).

There are of course more complicated cases. An application using more than one file during execution could be caught when some files are in use by it, then the update replaces some other files and the application starts using those files after the update. That could cause incompatibilities, not very likely except when an update of an application replaces it with a new version with a completely different structure (e.g. other names for configuration files or a completely different configuration layout). Not something that you will see with a security update.

And when you understand the above, it will be clear that problems will be more likely with more complicated applications. Thus the advice to reboot on a kernel update (the kernel could be incompatible with modules to be loaded). Same for the desktop. Less so for simple programs.

Practical experience: I only do a reboot when recommended, sometimes a logout/login when I assume that the desktop I use is heavily involved. Else I just carry on, leaving it to the shutdown at the end of the day. Never had a problem related to this.

Nevertheless, I like to do YaST Online Update, etc. in a “maintenance window”. And you may interpret that as you like. But I will e.g. never do such an action on a system that my wife is actually working on.
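An added example of the mechanism the post above describes, written for this page and not taken from the thread: a process keeps using the old inode after an update has unlinked the file, and the kernel marks that in /proc with "(deleted)". Assumes Linux with /proc; the temporary file standing in for path/to/aap and the sleep process standing in for the running program are constructed here. The script name is hypothetical.

```shell
#!/bin/sh
# deleted-in-use.sh (hypothetical name): show that a running process keeps its old file after
# an update replaces or removes it. Added example, not from the thread. Assumes Linux /proc.

# Files a process still holds open although they are gone from the filesystem.
# The kernel appends " (deleted)" to the link target; this is the evidence `zypper ps` reports.
deleted_open_files() {
    pid=$1
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\n' "${target% (deleted)}" ;;
        esac
    done
}

# Same idea for memory-mapped files (shared libraries such as glibc): an updated .so stays
# mapped by every process that loaded the old one, which is why a glibc update means
# "restart everything" rather than "restart the one service that was patched".
deleted_mapped_files() {
    grep ' (deleted)$' "/proc/$1/maps" 2>/dev/null | sed 's| (deleted)$||; s|^[^/]*||' | sort -u
}

# Simulate an update: a "program" opens a file, the "update" unlinks it, the program keeps it.
# Prints 1 when the removed file is still open in the running process, 0 otherwise.
demo() {
    tmp=$(mktemp)                       # constructed stand-in for path/to/aap
    sleep 60 <"$tmp" &                  # constructed stand-in for the running aap holding the file
    reader=$!
    sleep 1                             # let the child open the file before we remove it
    rm -f "$tmp"                        # the package update removes/replaces the old file
    still_open=$(deleted_open_files "$reader" | grep -c -F -x "$tmp" || true)
    kill "$reader" 2>/dev/null          # ending the old process is what finally frees the inode
    echo "$still_open"
}
```

Run `demo` on any Linux box and it prints 1: the unlinked file is still open, and `df` would still count its blocks until the process exits. `deleted_mapped_files "$(pidof nginx)"` after a library update is the quick manual version of the same check, without going through zypper.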

For a desktop maybe, but for a server it was quite trivial. I just wrote a script that parses zypper ps output, matches a list of services that don’t map 1:1 to their process name from a predefined list, and services that can’t be restarted (like systemd).

Still, I shouldn’t have to do this in 2015. There should be an option to restart server services automatically. I know, openSUSE is mainly aimed at the desktop and I should use SLES but… it’s actually the same thing there, I use the same script on both systems.
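An added example along the lines of the script the post above describes. It is written for this page: it is not Miuku's script, not part of zypper, and the table it parses is a constructed sample in the layout of `zypper ps -s` (PID | PPID | UID | User | Command | Service; the Service column is empty or absent on older zypper versions), not output from any real machine. The command-to-unit map, the do-not-restart list and the script name are assumptions to be replaced with a site's own.

```shell
#!/bin/sh
# restart-plan.sh (hypothetical name): turn `zypper ps` output into the list of systemd units
# to restart. Added example, not Miuku's script and not part of zypper.

# Never restarted by a script: PID 1 and the message bus everything else talks over.
NO_RESTART="systemd dbus dbus-daemon"

# Command name -> unit, for services whose process is not named after the unit.
# Anything else is assumed to be named after its unit (nginx -> nginx.service).
unit_for_command() {
    case "$1" in
        java)  echo tomcat ;;    # Tomcat shows up as a java process
        *)     echo "$1" ;;
    esac
}

is_restartable() {
    for n in $NO_RESTART; do
        if [ "$1" = "$n" ]; then return 1; fi
    done
    return 0
}

# Read a `zypper ps -s` table on stdin; print the unique units to restart, one per line.
# The Service column wins when zypper filled it in; otherwise the command name is mapped.
plan_restarts() {
    tab=$(printf '\t')
    awk -F'|' 'NF >= 5 && $1 !~ /PID/ {
            c = $5; s = (NF >= 6) ? $6 : ""
            gsub(/[ \t]/, "", c); gsub(/[ \t]/, "", s)
            if (c != "") print c "\t" s
        }' |
    sort -u |
    while IFS="$tab" read -r cmd svc; do
        unit=${svc:-$(unit_for_command "$cmd")}
        if is_restartable "$cmd" && is_restartable "$unit"; then
            printf '%s\n' "$unit"
        fi
    done |
    sort -u
}

# Print the restart commands rather than running them: review, then run in a maintenance window.
restart_commands() {
    plan_restarts | while IFS= read -r unit; do
        printf 'systemctl restart %s.service\n' "$unit"
    done
}

# Constructed sample in the layout of `zypper ps -s` (not real output from any machine).
SAMPLE_ZYPPER_PS='The following running processes use deleted files:

PID  | PPID | UID | User       | Command     | Service
-----+------+-----+------------+-------------+--------
1    | 0    | 0   | root       | systemd     |
512  | 1    | 499 | messagebus | dbus-daemon | dbus
1201 | 1    | 0   | root       | nginx       | nginx
1202 | 1201 | 30  | wwwrun     | nginx       | nginx
1310 | 1    | 30  | wwwrun     | php-fpm     | php-fpm
1422 | 1    | 91  | tomcat     | java        |
1500 | 1    | 44  | named      | named       | named'

if [ "${1:-}" = "run" ]; then
    zypper ps -s | restart_commands
elif [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_ZYPPER_PS" | restart_commands
fi
```

On the sample, `restart-plan.sh demo` prints restart commands for named, nginx, php-fpm and tomcat and nothing for systemd or dbus; for a systemd update the right action is `systemctl daemon-reexec`, and for dbus a reboot, which is why both sit on the skip list. Newer zypper releases than the 13.1-era one in this thread can emit service names themselves (`zypper ps -sss`, and `zypper ps --print "systemctl restart %s"`), which is close to the built-in option the post asks for; the mapping step above is still what covers processes zypper cannot tie to a unit, such as a Tomcat started outside systemd.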

On 2015-07-18 18:46, Miuku wrote:
>
> robin_listas;2719985 Wrote:
>> It is far from trivial. Very far.
> For a desktop maybe but for a server it was quite trivial. I just wrote
> a script that parses zypper ps output, matches a list of services that
> don’t map 1:1 to their process name from a predefined list and services
> that can’t be restarted (like systemd)

And you restart them, even if some user may be using them and may be
disrupted? :-o


Cheers / Saludos,

Carlos E. R.


On 2015-07-18 14:16, hcvv wrote:

>
> Nevertheless, I like to do YaST Online Update, etc. in a “maintenance
> window”. And you may interprete that as you ike. But i will e.g. never
> do such an action on a system where my wife is actualy working on.

I only do updates when I can afford to restart things, even reboot. I.e.,
a maintenance window. I check “zypper ps” output, and restart what is
needed. Pretty often, a reboot is the fastest and safest method, instead
of chasing what is needed to restart what :-)


Cheers / Saludos,

Carlos E. R.


On Sat, 18 Jul 2015 16:46:02 +0000, Miuku wrote:

> robin_listas;2719985 Wrote:
>> It is far from trivial. Very far.
> For a desktop maybe but for a server it was quite trivial. I just wrote
> a script that parses zypper ps output, matches a list of services that
> don’t map 1:1 to their process name from a predefined list and services
> that can’t be restarted (like systemd)
>
> Still, I shouldn’t have to do this in 2015. There should be an option to
> restart server services automatically. I know, openSUSE is mainly aimed
> at the desktop and I should use SLES but… it’s actually the same thing
> there, I use the same script on both systems.

Arguably, trivial for the services you use. Not necessarily trivial for
everyone.

Personally, I just make time once a week to update my systems. That way,
I’m in control of what gets updated when, and I can plan any service
interruptions (I’m the only one who uses most of the services, but a
disruption in the middle of my workday, or coming in to work in the
morning and finding stuff broken = not good when my main job is not
fixing broken systems).

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Most of them are clustered so it doesn’t matter, however I do not want to restart the entire system when it should be a trivial thing to restart the said services automatically.

Things that I have issues with mainly are named, nginx, php-fpm, Tomcat and other services that often get updated or depend on services / libraries that get updated often - for example when glibc got updated, bang - everything needed to be restarted, libidn patch the other day required many to be restarted and so forth.

It’s not an issue for me any more as I wrote my own solution for the problem, it just feels like a waste of time having to re-invent the wheel for something that should be there already. Checking Google, I’m not the only one who has been wasting their time on this issue :-)

“clustered” is not synonymous with “continuously available”. So at least currently open sessions may be interrupted and new sessions cannot be established for some period of time. Of course it may not matter for you but it may matter for clients using services :-)

Certainly, but in our use cases the content isn’t as dynamic as it would be on a service like a shopping site. The content is served by multiple SUSE boxes run on vSphere (with HA extensions) that use clustered Tomcats and MariaDB with nginx+php-fpm as the frontend.

Still, I’m just pointing out that it would be nice to have an optional opt-in functionality that would restart services upon updates if files are in use. I emphasize optional, not on by default.

OK, I’ll have a look at yast2-online-update-configuration. Miuku, can you post that script here, or is it on some blog? I’ll simplify it; I just want some alert that I need to do zypper patch as soon as there’s a patch available.