Running yum update -y can be dangerous #521

Closed
igorgrin opened this issue Apr 5, 2019 · 7 comments

@igorgrin

igorgrin commented Apr 5, 2019

It looks like in version 5.7 "yum update -y" got introduced.


That line updates every package on the server. That can be dangerous; a single cookbook should not manage the whole system. For example, I got mongodb upgraded to version 4 because I ran the rabbitmq recipe after the mongodb recipe.

@michaelklishin
Member

@igorgrin what alternatives are there for resources that introduce new yum repos? Note that the command's action is :nothing by default so you cannot accidentally upgrade anything.

michaelklishin changed the title from "yum update" to "Running yum update -y can be dangerous" on Apr 8, 2019
@michaelklishin
Member

So the only way to update a single repo is this hack which should work well in our case.

@michaelklishin
Member

@igorgrin please give the tip of v5.x a try?

@igorgrin
Author

igorgrin commented Apr 9, 2019

That does look like a hack... If you add a new repo file to /etc/yum.repos.d/ and then run "yum install yourpackage", it should pull the package from that newly added repo, no? Why do we need to run "yum update" at all?

@igorgrin
Author

igorgrin commented Apr 9, 2019

For action: nothing, I understand that this is just a service template, but then you call it on line 57, right?

```ruby
notifies :run, 'execute[yum update]', :immediately
```

@michaelklishin
Member

My point was that you must opt in to use the `rabbitmq::erlang_yum_repository_on_bintray` provider.

The yum_repository resource uses the same hack for metadata retrieval. So I concluded it's the best we can do with yum at the moment.

We run yum update because, while the yum_repository docs claim that it automatically performs an update, I found it wasn't sufficient in my tests of our Bintray repo provider. However, we now have much better test coverage, so if they still pass without the update exec, I have no problem with that.

We now only update a single repo and Yum should support version pinning (the lack of which is the real problem with such accidental updates).

@michaelklishin
Member

I removed the yum update and all tests seem to be still passing 👍

@michaelklishin michaelklishin self-assigned this Apr 10, 2019
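
The risk discussed in this thread can be checked for mechanically. The Ruby lint below is an added example, not code from the cookbook: it reads each Chef `execute` resource in a recipe and classifies its command as a system-wide, repo-scoped or package-scoped `yum update`. The function names, verdict labels and the sample recipe (including the repo id `rabbitmq_erlang`) are assumptions made for illustration.

```ruby
require 'shellwords'

# Classify one shell command. Only `--opt=value` style options are understood;
# that is a simplification of this example, not a yum rule.
def classify(cmd)
  tokens = Shellwords.split(cmd)
  tokens.shift if tokens.first == 'sudo'
  return :not_yum unless File.basename(tokens.first.to_s) == 'yum'

  opts, args = tokens.drop(1).partition { |t| t.start_with?('-') }
  return :not_update unless %w[update upgrade].include?(args.first)
  return :package_scoped if args.length > 1 # package names follow the subcommand

  one_repo = opts.include?('--disablerepo=*') &&
             opts.any? { |o| o.start_with?('--enablerepo=') }
  one_repo ? :repo_scoped : :system_wide
end

EXECUTE_BLOCK = /^\s*execute\s+(?<q>['"])(?<name>.+?)\k<q>\s+do\b(?<body>.*?)^\s*end\b/m
COMMAND_PROP  = /^\s*command\s+(?<q>['"])(?<cmd>.+)\k<q>/

# Return [resource_name, command, verdict] for every execute resource in a recipe.
# Nested do/end blocks inside a resource are not handled (example simplification).
def audit_recipe(text)
  text.scan(EXECUTE_BLOCK).map do |_q, name, body|
    prop = body.match(COMMAND_PROP)
    cmd = prop ? prop[:cmd] : name # Chef runs the resource name when no command is set
    [name, cmd, classify(cmd)]
  end
end

# Constructed sample recipe, not the cookbook's actual code.
SAMPLE = <<~'RECIPE'
  execute 'yum update' do
    command 'yum update -y'
    action :nothing
  end

  execute 'refresh erlang repo' do
    command "yum -q -y makecache --disablerepo='*' --enablerepo=rabbitmq_erlang"
    action :nothing
  end

  execute 'yum -y update erlang' do
    action :nothing
  end
RECIPE

audit_recipe(SAMPLE).each { |name, _cmd, verdict| puts "#{verdict}: execute[#{name}]" }
```

A `:system_wide` verdict is the case reported in this issue; `action :nothing` does not make it safe once another resource notifies it.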