# Software Update Policy

## Responsibility

It is the responsibility of the owner/administrator of a system to take care of the software update policy and its application.

On the regulatory side there is the "Weisung" (directive) [AA-9500-142 "Handling of Software Updates"](https://DLS01P.PSI.CH/documents/jsp/qv?pri=PSIcgc&ft=cgcDocument@STORE_MAIN_CGC&q_cgcId=ID22023011616445798386). It states that security-related updates "must be applied in a mandatory and timely manner". Exceptions need to be agreed with IT Security.

The Linux Core Group, on the other hand, is responsible for making the latest upstream Linux software updates available inside PSI.

## Automatic Updates

By default, security updates are applied automatically once a week (in the night from Sunday to Monday). Other updates, including kernel updates, need to be installed manually.

This is [configurable](configuration/package_updates): you may switch it off completely, make it run daily, or make it install all updates.

Reboots are never done automatically.

There is also no automatic update procedure for software that has been installed from sources other than RPM package repositories (such as `pip` or a manual install).

## Snapshots

On specially protected systems where stability is more important than being up to date, there is the option to freeze the provided RPM package versions to a specified date. This can also be [configured in Hiera](configuration/package_repositories) (chapter "Using Specific Package Repository Snapshot"). If a system is pinned to a specific snapshot by such a "Repo Tag", the update procedure cannot install anything newer than the given state.

Again, this should only be done for nodes in protected networks, e.g. with access restrictions through an [ssh gateway](../services-admin-guide/ssh_gateways), and requires the consent of IT Security.