LinuxQuestions.org


daviddon 05-14-2019 03:59 PM

Patching infrastructure
 
I just got in my hand a lab with a lot of out-of-date Linux OS servers. Currently, the lab is not connecting to the internet. We will have these servers connecting to the internet soon. I want these servers to be up to date before I open them up to the outside. What should be the right way to patch these servers? What is the best tool to do patching? Also, should I scan these servers first before I start patching them? If so, what tool is the most efficient tool for the purpose?

jefro 05-14-2019 07:57 PM

Not a clear way to proceed I'd think.

We may need to know any programs on these to decide what way to go first.
We may need to know age of computers and specs.
Might need to know the distro and version.

If you just want to use this stuff in a lab then consider getting newest supported version on some media and either build one at a time or disperse a clone across the lab.

daviddon 05-15-2019 08:40 AM

I am thinking about using Ansible as a tool to patch my Linux servers. Do you think it is overdone to use Ansible for my 30-server lab? If so, what other tools should I use?

TB0ne 05-15-2019 09:00 AM

Quote:

Originally Posted by daviddon (Post 5995047)
I just got in my hand a lab with a lot of out-of-date Linux OS servers. Currently, the lab is not connecting to the internet. We will have these servers connecting to the internet soon. I want these servers to be up to date before I open them up to the outside. What should be the right way to patch these servers? What is the best tool to do patching? Also, should I scan these servers first before I start patching them? If so, what tool is the most efficient tool for the purpose?

Since you've told us absolutely NOTHING about these servers, what do you think we'll be able to tell you?? Version/distro of Linux on them? Functions? Number of users? Purpose of the servers??

Without details, not much we can tell you. If you're going to connect them to the Internet anyway, and they're just lab systems, why bother? Let them update on their own. If there are problems, they're lab boxes....format/reload. That's what they're for.

daviddon 05-15-2019 10:36 AM

These are CentOS 6 and 7 boxes. They are currently connecting to CentOS distro but currently, there is no internet connection. They are used for high intensity imaging application. There are around 200 users.

RickDeckard 05-15-2019 03:56 PM

Do you have any hardware they need to connect to? Any software they need to run besides a base system install? Any networks of any type, like for instance does your lab which I will refer to as Lab A have to be linked up with Lab B? There may not be a connection to the Internet at large, but local area should definitely be a question you need to answer.

Good form is always to update your systems in stages just in case anything happens. That way, you can expedite a rollback later.

daviddon 05-16-2019 09:18 AM

This lab is used for medical research. Most of the equipment is connected to high intensity body scan. The software running on these servers is mostly built in-house. The lab is currently not linked to any other lab.

TenTenths 05-16-2019 10:16 AM

Ok, so you're talking about an actual laboratory. Many users on here would consider a "lab" to be more akin to a sandbox / test environment.

You say that these machines are CentOS, so why not create a local mirror of the CentOS repositories and point your machines to use that instead of the external repos.
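An added example, not part of the original thread: once hosts have been repointed at a local mirror as suggested above, this check reads a yum `.repo` file and reports every enabled section that would still contact an external host or that does not set `gpgcheck=1`. The mirror name `mirror.lab.example`, the function names and the two sample files are assumptions constructed for illustration.

```shell
# Added example. MIRROR_HOST is a hypothetical internal mirror name.
MIRROR_HOST="${MIRROR_HOST:-mirror.lab.example}"

# audit_repo FILE: print one finding per problem in each enabled repo section
# (external host, mirrorlist in use, or gpgcheck=1 not set in the section).
audit_repo() {
    awk -v host="$MIRROR_HOST" '
    function report() {
        if (sec == "" || !enabled) return
        if (!gpg) print sec ": gpgcheck=1 not set in this section"
        if (ml)   print sec ": mirrorlist set, yum will ask an external mirror list"
        if (url != "" && urlhost != host)
            print sec ": baseurl host \"" urlhost "\" is not " host
    }
    /^[ \t]*[#;]/ { next }                      # skip comment lines
    /^\[/ { report(); sec = substr($0, 2, index($0, "]") - 2)
            enabled = 1; gpg = 0; ml = 0; url = ""; urlhost = ""; next }
    {
        eq = index($0, "="); if (!eq) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub("[ \t]", "", key); gsub("^[ \t]+|[ \t\r]+$", "", val)
        if (key == "enabled")         enabled = (val != "0")
        else if (key == "gpgcheck")   gpg = (val == "1")
        else if (key == "mirrorlist") ml = 1
        else if (key == "baseurl") {            # keep only the host part
            url = val; urlhost = val
            sub("^[a-z]+://", "", urlhost); sub("[/:].*$", "", urlhost)
        }
    }
    END { report() }' "$1"
}

# write_samples DIR: two constructed .repo files (not taken from a real host).
write_samples() {
    cat > "$1/local.repo" <<'EOF'
[lab-base]
baseurl=http://mirror.lab.example/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
EOF
    cat > "$1/stock.repo" <<'EOF'
[base]
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
[extras]
baseurl=http://mirror.centos.org/centos/$releasever/extras/$basearch/
gpgcheck=0
EOF
}
```

On a real host the function would be run over each file in `/etc/yum.repos.d/`; an empty result means every enabled section points at the mirror with signature checking set.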

daviddon 05-16-2019 10:23 AM

TenTenths - should I use Ansible or similar tools to point my machines to the local repository? Or is using Ansible overkill for my lab environment?

TenTenths 05-16-2019 10:26 AM

Quote:

Originally Posted by daviddon (Post 5995687)
TenTenths - should I use Ansible or similar tools to point my machines to the local repository? Or is using Ansible overkill for my lab environment?

If you're happy using Ansible to manage an environment then sure, go ahead. Whatever makes your config management easier. Use Ansible, SALT, Puppet, Rundeck, the only time using these tools is "overkill" is if you're managing just ONE server!

dc.901 05-16-2019 11:42 AM

Quote:

Originally Posted by daviddon (Post 5995687)
TenTenths - should I use Ansible or similar tools to point my machines to the local repository? Or is using Ansible overkill for my lab environment?

The machines are not connected to the Internet, but are they at least on a LAN?
If not, that is the first thing you will have to do.

RickDeckard 05-16-2019 11:56 AM

In that case, update a server containing that software as a test environment and run it through close to real world usage of your special in-house software first.

hydrurga 05-16-2019 12:01 PM

daviddon, can I strongly suggest that you seek assistance from the IT department, or similar, at your organisation and get a Linux expert in to advise you on your setup. If, for example, you are going to be connecting a group of servers to the internet then it's going to be a struggle starting from scratch, which you seem to be, and developing your systems by leaning heavily on the advice from internet forums (we're fine for one-off issues etc., but for ground-up design you need closer one-on-one advice).

