General
It seems regular (monthly, if not weekly or even daily) software updates have been the norm these days. As some of these updates will contain critical security fixes, we'll need to stay on top of things. Things are fairly easy to manage, thanks to tools like yum and up2date. As of 21 May 2006, everything is still done manually. I suspect the best solution would be a cron job that lists any needed updates (and is silent otherwise). That would mesh nicely with root mail monitoring -- assuming we ever get that done. :)
If a reboot is needed (for a new kernel), we can do that remotely. I just did one now (21 May 2006), and timed it. liberty took almost exactly 3 minutes to reboot. That is measured from the shutdown command to when liberty starts responding to ping again. SSH was available within seconds of the ping response.
-- BenScott - 21 May 2006
Permissions
We had customized certain file and directory permissions. For example, the sysadm group had group-ownership of the /etc/httpd/conf/ and /etc/httpd/conf.d/ directories, and files therein. This meant any member of the sysadm group could edit the webserver config, without needing to use root privileges at all. Running a text editor as root is suboptimal.
This broke when Apache was updated in the course of a normal CentOS software update. Since an update is just a new package, customized permissions were clobbered back to package defaults.
I'm not sure what the fix is for this. Perhaps some sort of RPM option (unlikely to exist)? Perhaps a script that sets/fixes permissions that we run (kludgey and non-automatic)?
-- BenScott - 15 Oct 2006
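One form the permission-fixing script mentioned above could take, as an added example that is not part of the original page: it restores group ownership and group write access under the given directories and prints only the paths it had to repair, so a cron run stays silent unless a package update reset something. The function name repair_group_access and the install path in the comment are hypothetical; the group and directories are the ones named on this page.

```shell
#!/bin/sh
# Added example (not from the original page): re-apply group access that a
# package update reset to its defaults. Silent when nothing has drifted.
#
# Usage (script path is hypothetical), e.g. from root's crontab:
#   /usr/local/sbin/fix-group-perms sysadm /etc/httpd/conf /etc/httpd/conf.d

# repair_group_access GROUP DIR...
# Prints "repaired: PATH" for each path it changed. Returns 1 if a directory
# is missing, the group is unknown, or a chgrp/chmod fails; 0 otherwise.
repair_group_access() {
    group=$1; shift
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir" >&2
            rc=1
            continue
        fi
        # Match only regular files and directories (symlinks are left alone)
        # whose group is wrong or which lack group write permission.
        find "$dir" \( -type f -o -type d \) \
             \( ! -group "$group" -o ! -perm -020 \) \
             -exec sh -c '
                 g=$1; shift
                 for p in "$@"; do
                     chgrp "$g" "$p" && chmod g+w "$p" \
                         && echo "repaired: $p" || exit 1
                 done' sh "$group" {} + || rc=1
    done
    return $rc
}

# Run only when arguments are supplied, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    repair_group_access "$@"
fi
```

Any output means the permissions had drifted since the last run, which is also a cue to check what else the update changed in those directories.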