
perfsonar-user - Re: [perfsonar-user] Are automatic middleware updates for perfsonar safe?

Subject: perfSONAR User Q&A and Other Discussion

  • From: Andrew Lake
  • Subject: Re: [perfsonar-user] Are automatic middleware updates for perfsonar safe?
  • Date: Wed, 22 Oct 2014 09:32:59 -0400

Hi,

The answer to your question is "maybe". The particular cassandra update you
mention should be fine, but there may come a day when an update comes along
that breaks things. The trade-off is if you are not updating from all the
repos then you may miss some security-related updates. CentOS is only some of
the packages on the system and any package could potentially have a
vulnerability. We have many users that want to be as hands-off as possible and
auto-update everything. We went with this as the default under the theory
that a broken host is better than a compromised host. If you are not
comfortable with this you are free to change the yum settings as you see fit.
See http://docs.perfsonar.net/manage_update.html#automatic-updates for
discussion on this topic. We also have a notice on the Enabled Services page
and in our release notes about the risks involved.

Thanks,
Andy

On Oct 22, 2014, at 9:05 AM, Winnie Lacesso wrote:

> Good afternoon,
>
> Jason Zurawski recommended these questions be asked on the perfsonar-user
> list (instead of to him). This was written yesterday.
>
> I notice that in the perfsonar install we have (someone else did it, but I
> assume it's fairly standard) that
> 1. the middleware repos are all left enabled (but not working due to #3)
> 2. the CentOS repos are NOT enabled /* make that were */
> 3. nightly yum updates (via yum-cron) are shut off /* make that were */
>
> Normally for security we want nightly yum updates ON with the source OS
> (we usually use SL, these are the only CentOS) repos left enabled so
> security updates can happen.
> (The recent openssl update has not auto-yum-installed on these; it has on
> all our securely configured SL)
>
> /* Note: openssl updated last night since the CentOS repos were enabled
> yesterday */
>
> Normally for stability we DON'T want the middleware repos left enabled
> since, as
> https://twiki.cern.ch/twiki/bin/view/EMI/GenericInstallationConfigurationEMI3#Important_note_on_automatic_upda
> says: "Sometimes middleware updates require non-trivial configuration
> changes or a reconfiguration of the service. This could involve service
> restarts, new configuration files, etc, which makes it difficult to ensure
> that automatic updates will not break a service. Thus
> WE STRONGLY RECOMMEND NOT TO USE AUTOMATIC UPDATE PROCEDURE OF ANY KIND "
>
> It seems the perfsonar install as I inherited it is upside down from that.
>
> yum-cron is now turned on so that automatic security updates like
> openssl should get installed. (Will check tomorrow.) /* Confirmed */
>
> The CentOS repos are enabled (I hope; there was neither enabled=0 nor
> enabled=1 in the repos which I've never seen before; I added enabled=1)
>
> There is a cassandra middleware update pending. Is it safe to leave the
> middleware repos all enabled & nothing related to perfsonar will break?
>
> /* Hope so - it did update last night! */
>
> We have 2 perfsonar servers so would like to ensure BOTH are set for
> nightly security updates & not set for nightly middleware updates - unless
> the perfsonar Experts say that is perfectly safe.
>
> Grateful for your advice!
>
>
> Winnie Lacesso / Bristol University Particle Physics Computing Systems
> HH Wills Physics Laboratory, Tyndall Avenue, Bristol, BS8 1TL, UK
>
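
Added example, not part of the original messages or of perfSONAR: a small audit of yum `.repo` text that reports each repository's effective state, including stanzas with no `enabled=` line (yum treats those as enabled), and lists enabled repositories outside the OS set. The sample file, its repo ids and URLs, and both function names are constructed for illustration.

```python
import configparser

# Boolean spellings accepted here; a stanza with no "enabled" key is enabled.
TRUE_VALUES = {"1", "yes", "true"}
FALSE_VALUES = {"0", "no", "false"}

# Constructed sample .repo text; repo ids and URLs are illustrative only.
SAMPLE_REPO_FILE = """\
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirror.example.invalid/?release=$releasever&repo=os

[updates]
name=CentOS-$releasever - Updates
baseurl=http://mirror.example.invalid/updates/
enabled=1

[example-middleware]
name=Example middleware repo (hypothetical)
baseurl=http://repo.example.invalid/el6/
enabled=0
"""


def effective_repo_state(repo_text):
    """Map each repo id to (enabled, explicit) for one .repo file's text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(repo_text)
    state = {}
    for repo_id in parser.sections():
        raw = parser.get(repo_id, "enabled", fallback=None)
        if raw is None:
            state[repo_id] = (True, False)  # key absent: yum default applies
        elif raw.strip().lower() in TRUE_VALUES:
            state[repo_id] = (True, True)
        elif raw.strip().lower() in FALSE_VALUES:
            state[repo_id] = (False, True)
        else:
            raise ValueError(f"{repo_id}: unrecognised enabled={raw!r}")
    return state


def non_os_enabled(state, os_repo_ids):
    """Enabled repos outside the OS set, i.e. what a nightly update also pulls."""
    return sorted(r for r, (on, _) in state.items() if on and r not in os_repo_ids)
```

On a real host, pass in the text of each file under /etc/yum.repos.d/ and the set of repo ids you consider part of the base OS.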



