Lock to "current release" enabled by default from 7.5

(Giacomo Sanchietti) #41


@stephdl already requested me yesterday in a private chat :smiley: And the answer today is yes, we are working on it.

I would like to not add such feature in the UI, but we are going to define an API for template-customs or extra repos.

(Davide Principi) #42

I can agree on your statement except for this part. CentOS updates are tested and stable, but need to be handled with care when minor distro releases or other exceptional circumstances occur. Educating people about how to deal with them is not enough.

Wherever possible, we must avoid the possibility of making errors with Server Manager. This is the goal of Server Manager in general, and of this #feature in particular.

(Stefano Zamboni) #43

I know that centos updates are stable and tested… on plain centos.
if you upgrade a NS maybe they are not.

and I disagree on educating people… we’re talking to “sysadmins”… not windows users.

A so called sysadmin should know that:

  • if you see many updates, don’t apply them on production server without rewieving them
  • tests on VM are mandatory if your server is mission critical (see above)
  • backup is your friend
  • a linux server with data is not a toy
  • don’t (generally speaking) trust what you see on a web interface… if you have doubts, ask your CLI

as I told in a private message, hiding a server management behind a fine web GUI is ok, but you’d never hide to final users that they are using a server, not a play station, otherwise you’re going the same path M$ and Apple designed in the past “be a sysadmin with next -> next -> next -> finish”… is all ok when it works (99% of times), but it becomes a nightmare when something goes wrong.

(rob, some work for you, I think)

(Michael Träumner) #44

That’s fine for me.

Yes that’s right, but I’ve seen people here, who are not sysadmins. Give them a chance to use nethserver too. I think the way we go with a simple gui and and the chance to do much more configuration at the terminal is OK.
Another idea is a switch between expert and non expert for the gui, which enables or disables some functions. For example Fritz!OS does it.

(Stefano Zamboni) #45

you got the point: if we aim this product to everybody, nothing that could be potentially destructive must be available from the GUI…

think about an unexperienced user that uses NS at the office…

(Davide Principi) #46

Software update policy 4

I’ll go with separate configuration button. Please tell me if text labels are good! Further information can be available also from the Help button and the manual.

(Dan) #47

Then why have the GUI at all? After all, we’re talking to sysadmins, they shouldn’t need one. But that’s the point of this project, isn’t it? It certainly was the point of e-smith/SME Server: to provide a stable, secure Linux server distro that could be competently administered by someone who isn’t a professional sysadmin. “You’re a sysadmin, you should know better than to install the updates that show up in our update manager” is a cop-out.

(Stefano Zamboni) #48

Dan, my friend, I’m not against the web gui, at all

I’m against the message that “linux is easy as 1,2,3”: many times here I saw people coming with no knowledge at all about DNS, DHCP, security and linux asking for help…
the answers, other than a given solution, rarely told users “please, read carefully all the documentation” or a quickier “RTFM”

IOW, we’re giving fishes but doing nothing to learn fishing… and that’s bad, 'cause you’ll have many users doing worng thing and damages

all my POV, as usual


probably i miss something… but are we sure that we did’nt need updates from epel furing the 7.5 release cycle?
i’m quite sure, for example (but my memory is worse than my english) that during the 7.4 cycle we need an update of shorewall (i’ve had the problem because on arm32 not all epel package are available as for x64)

i must also admit that i use update from gui only for testing so for me is ok, but, do you think is too complicated to make a check like
" Apply update from third part repositories only if [nsrelease==centosrelease] "?
i mean, keep enabled repo until the available centos is the same version of the ns version installed…

(Davide Principi) #50

Yes it’s too complicated for me. At least I didn’t find any feasible way to do it.

@giacomo remembers it! We hope it is a rare situation, but if will happen again the solutions are:

  • temporarily switch to the “update all” policy, or
  • run yum update from the command line

Also we (developers) should add a “RPM require” in spec files for specific versions expecially for EPEL and other third party dependencies.

I think a wise method of using this new feature is:

  • start with “update all” policy
  • review and apply updates
  • when CentOS releases a new minor version enable the version lock
  • wait for the upgrade button to appear
  • upgrade
  • revert to “update all” policy and reiterate

This feature does not solve all possible stability issues of NethServer, but is a good improvement IMO.

(Giacomo Sanchietti) #51

The biggest problem is that you wan’t be able to install anything requires an EPEL package when CentOS release a new minor.

By the way, a solution exists, you need a full EPEL mirror … and you con do it it with a Dartagnan installation (or a Nethesis subscription of course! :stuck_out_tongue: )

(Davide Principi) #52

Software update policy 5 (final?)

  1. The first time Software center is opened, the following screen appears. It happens on new installations and existing ones, too:

  1. Picking one is mandatory, otherwise a validation error occurs:

  1. After Save the Software center page is displayed as usual. Press the Configure button to go to the previous form again, to change policy or yum-cron settings

Please comment!

(Michael Kicks) #53

This version for software updates gives only 2 options
-stay to current release
-update to newer release
IMO should be possible to:
-stay to current stable release
-update to a newer stable release (dropdown with the list of supported stable)
-update to latest packages available (including tests)

I know that could be a bit tricky but i think that this kind of approach could help to manage the situation for next stable release (7.6) or major version (nethserver 8)
This approach could also help to choose the upgrade path in case of different situations.
For instance, a sysadmin which want to test full upgrade of production enviroment with the latest stable release…

That’s only a hint… :slight_smile:

(Alessio Fattorini) #54

We can’t cover all the needs but we can try to give people a choice

  • being conservative (update just my release) stable mode
  • being brave (update all) edge mode

For me, if we explain that well it’s a good balance.
As we know, making a complex interface with a lot of choices confuses people.

(Davide Principi) #55

No no! The two options are two ways of updating the system in the same release

I want to add it as a yellow banner with a button that appears when a new minor is available: what do you think?

(James Nesbitt) #56

Although I usually like being brave, when it comes to my NethServer installation at home - I have to treat it as Production class which means I do need to be a little conservative with it.

(Davide Principi) #57

Ok let’s give a name to the available choices. A name is important to understand what we’re talking about and for documentation references. I don’t like “brave”, I’d prefer “expert” because one must understand what is being updated. It gets the best of security fixes and updates. “Conservative” still needs some expertise but is less error-prone.

So this is my proposal

  • Conservative
  • Expert

I’ll send a screenshot soon

About stable/edge mode: both policies are stable in the same way IMO. It depends on how they are used.

(Rob Bosch) #58

Make that all repositories that are not able to differentiate between minor / point updates. The goal is to not break a running server because of upstream point updates.

But if you are expert but can’t differentiate between updates (choose what to update and what not), there is not much ‘expert’ about updating. Then it’s more like rolling dice.
Wouldn’t it be feasible to have an option to allow and disallow updates on a per-package basis?

(Davide Principi) #59

We discussed that #feature in the past and I agree with @giacomo here Cherry pick updates in Software Center :

To be able to cherry pick updates, you need a deep understanding of rpm packages interactions and system libraries.

That proposal was not able block dependencies, so I abandoned it because it solves the problem partially.

What changes with “software update policy” is the set of repositories enabled during updates.

I’d name it “expert” because it requires some expertise about what’s happening, as we learned during the past week, when some people just pressed “update” even if a “new distribution is available” warning was displayed. The “conservative” policy would make that kind of mistake impossible.

…but please suggest other names! I’m sure my proposal can be improved!

Both policies wouldn’t save us from a badlock-like regression coming from upstream. If that happens again in the future, the only thing that can help is a careful review (and backup) before updating.

(Giacomo Sanchietti) #60

Come on guys, if you’re able to choose what updates to select, you’re enough expert do it by from the command line line. It’s just a couple of commands to learn! :wink: