The plan is to outtask system updates for some RHEL machines to system operations department.

As nobody can guarantee that an update is successful, we need to put some aces up our sleeves in case of an emergency.

One idea was to take one disk out of the RAID array and rebuild the whole system on another disk. In case we need to revert simply reconstruct the array from the backup disk. Alas the operation personell is not always in the datacenter to exchange disks (follow the sun support) and also this procedure does not scale well.

Since the affected machine is a dom0 of various host machines the outtime must be minimal. Also there is heavy use of SELinux so traditional backup will not work either.

Moreover it should be possible that untrained personell may perform the task.

Another possibility is to adapt a cloning process (tar/rsync based or serverless on the SAN or LVM snapshots) that is usually used to make snapshots of whole clusters. It needs to be adapted for SELinux (rather easy) but that also means heavy quality assurance tests until it may be used for such productive systems. We don't know if there is enough time for that.

Do you have any suggestions what other possibilities may be used to perform safe updates? What would you prefer? What are your procedures for a safe update that may be also performed by junior admins?

Why can't you do a backup/restore? My understanding is dump and restore should work and perserve all your SELinux contexts just fine on all the Red Hat distributions.

how often do you apply patches? and once a patch is available, do
you need to have them applied asap?

rpm/up2date has the rollback option (that i really don't use .

but for me, evaluating the patches first on a clone of a
critical environment is the best practice to make sure
the updates won't break anything.

and since these are OS updates, i don't think the
backup/restore idea is the ideal solution.
but i do have a weekly fs dump of our OS partitions (using
LVM snapshots and dump command) just in case i
need to make reference to some files
in case i did something to mess up my system.
but for application of patches, that i do on a quarterly
basis, i never had the situation that calls for a rollback
because of application problems.