
Ask HN: How do you/your company handle host security updates in production? - whitepoplar
Unattended-upgrades? Manually in response to security mailing lists? Configuration management? Teardown and rebuild at fixed intervals?

If you're uncomfortable with how it's currently done, what would you change?
======
LinuxBender
Bare metal, yum update. VMs, new image build from a pipeline.

Currently, yum is a problem because people tainted repos and didn't understand
the rpm dependency conundrums they could get into. I warned them several times.
Now it takes a massive team of people to update the OS. It's even more
complicated than that, but I would need to write a blog about it.

Image builds at least force them to fix the conundrums prior to reaching the
staging or test areas.

What would I change? None of what I stated is a technical problem. Bare metal,
VMs and containers can all be as easy to update and maintain.

~~~
whitepoplar
If you were running VMs/Baremetal with fast deprovisioning/provisioning, what
would be your ideal setup that a single person could manage?

~~~
LinuxBender
Depending on the scale and predicted growth of the business, I would probably
use one of the commercially supported on-prem solutions that deploys image
builds, manages iLOs, etc. (e.g. RackN, Foreman) to guide future
employees down a consistent path. I would probably also complement that with
Ansible AWX or Ansible Tower for orchestration and run-time configuration
changes.

I would keep the images really small, simple, up to date and use Ansible to
add any service-specific packages. Image builds of each service can turn into
a massive amount of storage really quickly.
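As an added illustration of the approach described above (small base image, Ansible layering service packages on top, and updates pinned to approved repos so a tainted repo can't drag in surprises), here is an example playbook. It is not LinuxBender's code; the group name `web`, the package list and the repo names are placeholder assumptions.

```yaml
# Added example playbook (not from the thread): apply security-only updates
# from an approved repo allowlist, then layer service-specific packages.
# "web", the repo ids and the package list are assumed placeholders.
- name: Patch base image and add service packages
  hosts: web
  become: true
  vars:
    # Only these repo ids may supply packages; anything else is "tainted".
    allowed_repos:
      - base
      - updates
    service_packages:
      - nginx
  tasks:
    - name: Install only updates flagged as security advisories
      ansible.builtin.yum:
        name: "*"
        state: latest
        security: true
        disablerepo: "*"
        enablerepo: "{{ allowed_repos | join(',') }}"

    - name: Add the service's own packages from the same approved repos
      ansible.builtin.yum:
        name: "{{ service_packages }}"
        state: present
        disablerepo: "*"
        enablerepo: "{{ allowed_repos | join(',') }}"

    # needs-restarting (yum-utils) exits 1 when a kernel/core library
    # update means the running system is still using the old code.
    - name: Check whether the host needs a reboot
      ansible.builtin.command: needs-restarting -r
      register: reboot_check
      changed_when: reboot_check.rc == 1
      failed_when: reboot_check.rc not in [0, 1]

    - name: Reboot only when the check says it is required
      ansible.builtin.reboot:
      when: reboot_check.changed
```

Running it with `--check --diff` first shows which security updates and packages would change before anything is touched.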

