Example Patch Policy (RHEL)

Example Patch Policy

RHEL / CentOS / ...

Security Updates:

Constantly check for security updates with the yum-security plugin

http://www.cyberciti.biz/faq/redhat-fedora-centos-linux-yum-installs-security-updates/

The downside:

If you don't run an actively patched RHEL breed, the yum-security plugin becomes useless. It can only report security updates that are visible in *your* upstream repositories. So if RHEL ships a security patch, you will not be warned about it during the many months until CentOS picks up that release.

It'd be best for you to be a good citizen and have at least one RHEL subscription.

(or OEL, or...)

Full Updates:

Safe time

  • Keep downtimes short by automatically downloading updates
  • Run automatic backups before your update

Scarce downtime:

Full Update 8 times a year, delay reboots for kernel update until downtime.

Fuzzy area: service restarts and userland/kernel consistency. As long as you stay within the same minor release, all is fine.
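
An added example (not part of the original policy) of the "scarce downtime" routine as a cron-able script: it stages updates without installing them, reports whether security updates are visible, and flags a kernel that is installed but not yet booted. It assumes yum with the security plugin and `--downloadonly` support and the stock `kernel` package; the function names are made up for this example.

```shell
#!/bin/sh
# Added example. Assumptions: yum-security plugin installed, `yum --downloadonly`
# available, stock "kernel" package (no kernel-PAE / kernel-rt variants).

# Map the exit status of `yum check-update` to a word
# (yum documents 0 = nothing to update, 100 = updates available, 1 = error).
classify_check_update() {
    case "$1" in
        0)   echo "none" ;;      # none VISIBLE in your repositories, see "The downside"
        100) echo "pending" ;;
        *)   echo "error" ;;
    esac
}

# Read `rpm -q --last kernel` output on stdin (most recent install first) and
# print the version-release[.arch] of the most recently installed kernel.
newest_installed_kernel() {
    sed -n '1{s/^kernel-//;s/[[:space:]].*$//;p;}'
}

# reboot_pending RUNNING NEWEST
# Succeeds when the booted kernel is not the most recently installed one.
reboot_pending() {
    [ "$1" != "$2" ]
}

main() {
    # Stage packages in the yum cache only; nothing is installed here.
    yum -q -y update --downloadonly

    yum -q --security check-update >/dev/null 2>&1
    rc=$?
    echo "security updates: $(classify_check_update "$rc")"

    running=$(uname -r)
    newest=$(rpm -q --last kernel | newest_installed_kernel)
    if reboot_pending "$running" "$newest"; then
        echo "kernel $newest installed, $running running: reboot at next downtime"
    fi
}

# Touch the system only when asked to: ./patch-report.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

On a rebuild whose repositories carry no security metadata, "none" only means that nothing was visible, which is the limitation described under "The downside".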

Easy downtime:

Full Update 8 times a year

Nowadays there are even some OSS tools for patch management, e.g. a few that float around FUNC. The downside is that these aren't created for enterprise environments and won't cover all your needs. But you can expect basic functionality like "frozen" yum repos and timed updates.

 

Tools for repository management:

Pulp by Red Hat ET (Emerging Technologies lab). Also have a look at the add-on called Juicer.

mREPO by Dag Wieers