Software Update Policy
Responsibility
It is the responsibility of the owner/administrator of a system to take care of the software update policy and its application.
From the regulatory side there is the "Weisung" AA-9500-142 "Handling of Software Updates". It states that security-related updates "must be applied in a mandatory and timely manner". Exceptions need to be agreed with IT Security.
The Linux Core Group, on the other hand, is responsible for making the latest upstream Linux software updates available inside PSI.
Automatic Updates
By default once a week (in the night from Sunday to Monday) security updates are automatically applied. Other updates, including Kernel updates, need to be installed manually.
This is configurable: you may switch it off completely, make it run daily, or make it install all updates.
Reboots are never done automatically.
There is also no automatic update procedure for software which has been installed from sources other than RPM package repositories (like pip or manual install).
Snapshots
On specially protected systems where stability is more important than being up-to-date, there is the option to freeze the provided RPM package versions to a specified date. This can also be configured in Hiera (chapter "Using Specific Package Repository Snapshot"). If a system is set to a specific snapshot by such a "Repo Tag", the update procedure cannot install anything newer than the given state.
Again, this should only be done for nodes in protected networks, e.g. with access restrictions through an ssh gateway, and requires agreement with IT Security.