Kevin Williams writes:

> The main use case I see for this is to manage a fleet of more than 10 or
> so machines/VMs/instances. rdist or a package such as Ansible could
> manage the crontab and possibly search announce@ on marc.info for
> keywords to hold off on the upgrade.
Blind updating out of cron is utter madness. If there are any merge errors in /etc (think sshd_config for starters), you can end up with a machine you cannot log in to, or that's just acting out destructively.

At work I manage a herd of a dozen OpenBSD machines. We "upgrade" by performing a full network install. The process is pxe boot / fdisk / install / reboot / ansible (create the logins) / reboot / rdist / reboot / verify everything is running correctly (esp. pf) / reboot. The entire process takes 20 minutes per machine, so I can update the entire herd in < 1 day, although we typically spread it over two or three days. All these machines run as carped a/b pairs, so we upgrade the b hosts first and run on them for a day or two to check for regressions, then upgrade the a machines and switch back to them.

The primary reason for installing from scratch is to verify we have not introduced any bugs into the network installation and configuration steps, as this is a core part of our disaster recovery process. It also ensures we launch out of the box with up-to-date packages.

And if the number of machines gets entirely out of hand, it should be simple enough to semi-automate a good part of the process using expect and some glue.

--lyndon
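The "verify everything is running correctly (esp. pf)" step of the procedure above, as an added example that is not part of the original post or of the poster's own tooling: a small POSIX sh script for an OpenBSD host that checks pf is enabled, the carp interface is in a sane state, and no enabled rc service has failed, plus a dry parse of sshd_config and pf.conf before the final reboot. The interface name carp0, the use of `rcctl ls failed`, and the sample command outputs embedded for offline use are all assumptions or constructed data, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: post-install sanity checks for an
# OpenBSD host, to run before the last reboot of the network-install procedure.
# Assumptions: pf and sshd are in use and the carp interface is carp0.

# Constructed sample outputs so the check functions can be exercised offline.
SAMPLE_PF_INFO='Status: Enabled for 0 days 00:10:23           Debug: err
State Table                          Total             Rate
  current entries                       12'
SAMPLE_CARP='carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:00:5e:00:01:01
        carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0
        inet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255'

# check_pf_status TEXT: succeed if `pfctl -s info` output says pf is enabled.
check_pf_status() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# carp_state TEXT: print the carp state (MASTER, BACKUP, INIT...) from
# `ifconfig carpN` output; prints nothing if no carp line is present.
carp_state() {
    printf '%s\n' "$1" | sed -n 's/.*carp: \([A-Z]*\) .*/\1/p' | head -n 1
}

# check_carp_state TEXT: succeed only if the carp interface is MASTER or BACKUP;
# INIT or a missing carp line means the a/b pair is not healthy.
check_carp_state() {
    state=$(carp_state "$1")
    [ "$state" = "MASTER" ] || [ "$state" = "BACKUP" ]
}

# check_no_failed_services TEXT: succeed if `rcctl ls failed` printed nothing,
# i.e. every enabled service is actually running.
check_no_failed_services() {
    [ -z "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# validate_configs: parse sshd_config and pf.conf without loading either,
# so a bad merge is caught while you still have a working login.
validate_configs() {
    /usr/sbin/sshd -t && pfctl -nf /etc/pf.conf
}

# run_live: the real checks against this host (only meaningful on OpenBSD).
run_live() {
    validate_configs || { echo "config parse failed"; return 1; }
    check_pf_status "$(pfctl -s info)" || { echo "pf not enabled"; return 1; }
    check_carp_state "$(ifconfig carp0)" || { echo "carp0 not MASTER/BACKUP"; return 1; }
    check_no_failed_services "$(rcctl ls failed)" || { echo "failed services: $(rcctl ls failed)"; return 1; }
    echo "all checks passed"
}

# ./verify.sh live   -> run against the host
# ./verify.sh        -> exercise the parsers on the constructed samples
if [ "${1:-}" = "live" ]; then
    run_live
else
    check_pf_status "$SAMPLE_PF_INFO" && echo "sample pf: enabled"
    echo "sample carp state: $(carp_state "$SAMPLE_CARP")"
fi
```

The checks are split into functions that take command output as text so they can be tested without root or without an OpenBSD box; `run_live` is the only part that touches the running system. `sshd -t` and `pfctl -nf` are the two checks worth running before every reboot, since a merge error in either file is exactly what leaves a machine unreachable.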