At work, we copy the updates repo and point all our servers there. Every so often we freshen the mirror and begin the patch cycle. If you have reliable tests then you can test before rolling out, or just roll out to a couple of development servers first before generally deploying.

For my personal stuff I run Nagios with a plugin that checks the output of "yum list-security" (needs the yum-security package) and flags an alert if there's a security-related fix. Those I try to install fairly quickly. Otherwise I periodically upgrade the non-critical packages, and schedule the critical ones (apache/nginx/php/ruby/mysql). See http://ertw.com/blog/2010/11/19/epel-nginx-rpm-and-upgrade-from-0-6-x-to-0-8-x/ for something that recently bit me :(

If you have packages that are critical to your application, you can put them under cfengine/puppet management to automate some of the tasks associated with keeping them up to date.

Most of the servers I take care of now are VPSes, so I never reboot for kernel upgrades.

Sean

On Fri, Nov 26, 2010 at 8:01 PM, Kevin McGregor <kevin.a.mcgregor@gmail.com> wrote:
At work I have two Ubuntu and two CentOS servers. What do you recommend as the best practice for applying updates? Specifically, do you do any testing on test machines first, or just wait until the updates are a certain age without hearing of any issues? Automatically apply them, or manually? Do you reboot the servers regularly regardless of whether you've patched them (something Windows administrators still do for their Windows servers!), or just wait until a kernel or other update requires it?

Kevin

_______________________________________________
Roundtable mailing list
Roundtable@muug.mb.ca
http://www.muug.mb.ca/mailman/listinfo/roundtable
--
Sean Walberg <sean@ertw.com>    http://ertw.com/
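The Nagios check Sean describes (parse "yum list-security", alert when a security advisory is pending) is easy to reproduce. The script below is an added illustration written for this page, not Sean's plugin or anything shipped with yum-security. It assumes the advisory lines look like `ADVISORY-ID  type  package` (the older yum-security format; newer yum prints a severity such as "Important/Sec." in the second column, which the `/sec/` match also catches), and the advisory IDs and package versions in SAMPLE_OUTPUT are constructed placeholders so the script can be exercised without yum installed.

```shell
#!/bin/sh
# Hypothetical Nagios plugin around "yum list-security" (needs yum-security).
# Exit codes follow the Nagios convention: 0 OK, 2 CRITICAL, 3 UNKNOWN.

# Constructed sample of "yum list-security" output. The advisory IDs and
# package NVRs are placeholders, not real advisories.
SAMPLE_OUTPUT='Loaded plugins: security
EXSA-2010:0001 security openssl-1.0.0-4.el6.x86_64
EXSA-2010:0002 security kernel-2.6.32-71.7.1.el6.x86_64
EXBA-2010:0003 bugfix bash-4.1.2-3.el6.x86_64
EXEA-2010:0004 enhancement tzdata-2010o-1.el6.noarch
updateinfo list done'

# Advisory lines: first column is an ID like XXXX-YYYY:NNNN, second column
# names the type ("security", or "Important/Sec." on newer yum).
ADVISORY_RE='^[A-Z]+-[0-9][0-9][0-9][0-9]:[0-9]+$'

# count_security_updates: read yum list-security output on stdin, print how
# many advisory lines are security advisories (0 when there are none).
count_security_updates() {
    awk -v re="$ADVISORY_RE" '$1 ~ re && tolower($2) ~ /sec/ { n++ } END { print n + 0 }'
}

# security_packages: print the package column of each security advisory.
security_packages() {
    awk -v re="$ADVISORY_RE" '$1 ~ re && tolower($2) ~ /sec/ { print $3 }'
}

# check_yum_security: read yum list-security output on stdin, print the Nagios
# status line and return the matching exit code.
check_yum_security() {
    input=$(cat)
    n=$(printf '%s\n' "$input" | count_security_updates)
    if [ "$n" -eq 0 ]; then
        echo "YUM OK - no pending security updates"
        return 0
    fi
    pkgs=$(printf '%s\n' "$input" | security_packages | tr '\n' ' ')
    echo "YUM CRITICAL - $n pending security update(s): $pkgs"
    return 2
}

# fetch_yum_security: what a deployed copy would pipe into check_yum_security.
# Not run here; "yum -q list-security" needs the yum-security package.
fetch_yum_security() {
    yum -q list-security 2>/dev/null || { echo "YUM UNKNOWN - yum list-security failed"; return 3; }
}

# Demonstration against the constructed sample. On a real host replace the
# printf with: fetch_yum_security | check_yum_security
printf '%s\n' "$SAMPLE_OUTPUT" | check_yum_security || echo "plugin exit status: $?"
```

Drop the script into the Nagios plugins directory, wire it to a service definition with a check interval of an hour or so (yum's metadata cache makes frequent runs cheap), and the CRITICAL line lists exactly which packages need the "install fairly quickly" treatment. Note the check only sees what the configured repositories advertise, so a stale local mirror of the sort mentioned at the top of the thread will keep it green until the mirror is refreshed.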