
Updating Xen hosts - yum?


jon yeargers

Question

Posted

I spent some time today reading about Spectre and how to update my Xen hosts... and then started wondering about the base OS underneath. Do I still need to run `yum update` on my Xen hosts periodically?

 

Probably a dumb question. 

12 answers to this question


Posted

I would think something like OMSA technically breaks the official Citrix support as well. If it came down to it with Dom0 issues they could make you uninstall it before troubleshooting.

 

--Alan--

 

Posted
1 hour ago, Alan Lantz said:

I would think something like OMSA technically breaks the official Citrix support as well. If it came down to it with Dom0 issues they could make you uninstall it before troubleshooting.

 

--Alan--

 

Yes, you really want to be careful about doing anything that might void your support contract (if you have one) or breaking something, regardless of whether you have support or not.

 

-=Tobias

Posted

This is an interesting question that we also encountered in XCP-ng, which doesn't use "packs" for updates but `yum` directly. For Citrix Hypervisor, you are using "Updates", which are basically ISO files containing RPMs signed by Citrix. So you don't have a Yum repo like for CentOS or Red Hat distros.

Here is what we chose to tell users for XCP-ng (which is NOT XenServer/CH, but it's reasonable advice anyway):

* If the package you need is available on CentOS, doesn't have any dependencies, and doesn't interfere with the kernel, it might work without any issue

* NEVER enable a whole repository because this will break your install

* If you are pretty sure the package is without any risk, you can enable the repo ONLY during the yum command, e.g. `yum install packagename --enablerepo='epel'`

Again, that's the advice we gave on XCP-ng. In the meantime, we are working to embed/put a repo for very low risk packages, like htop and similar ones.
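
A check for the "never enable a whole repository" advice above, added here as an example; it is not part of the original post or of XCP-ng's or Citrix's tooling. It lists the repositories that are permanently enabled in a yum repo directory and flags any that are not on an allow-list; the repo ids and files in the sample are constructed.

```sh
# enabled_repos DIR: print "file:repoid" for each repo section that is not
# explicitly disabled; a section with no enabled= line counts as enabled.
enabled_repos() {
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        awk -v file="${f##*/}" '
            function emit() { if (id != "" && on) print file ":" id }
            /^[ \t]*[#;]/ { next }                      # comment line
            /^[ \t]*\[/ {                               # new [repoid] section
                emit(); id = $0
                sub(/^[ \t]*\[/, "", id); sub(/\].*$/, "", id)
                on = 1; next
            }
            /^[ \t]*enabled[ \t]*=/ {
                v = tolower($0); gsub(/^[^=]*=|[ \t]/, "", v)
                on = !(v == "0" || v == "no" || v == "false")
            }
            END { emit() }
        ' "$f"
    done
}

# unexpected_repos DIR ALLOWED_ID...: print enabled repos that are not on the
# allow-list; returns 1 if any are found, so it can gate a cron or CI check.
unexpected_repos() {
    dir=$1; shift; rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ok=0
        for a in "$@"; do if [ "$a" = "${line#*:}" ]; then ok=1; fi; done
        [ "$ok" -eq 1 ] || { echo "$line"; rc=1; }
    done <<EOF
$(enabled_repos "$dir")
EOF
    return "$rc"
}

# Constructed sample directory; repo ids and files are made up for the demo.
make_sample() {
    d=$(mktemp -d)
    printf '[vendor-base]\nname=Vendor base\nenabled=1\n' > "$d/vendor.repo"
    printf '[epel]\nenabled = 1\n[epel-testing]\nenabled=0\n' > "$d/epel.repo"
    printf '# no enabled= line\n[extras]\nname=Extras\n' > "$d/extra.repo"
    echo "$d"
}

sample=$(make_sample)
unexpected_repos "$sample" vendor-base || echo "^ enabled but not allow-listed"
rm -rf "$sample"
```

On a real host, point it at `/etc/yum.repos.d` and pass the repo ids your vendor ships as enabled.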

Posted

SNMP is already a part of the base XenServer so using SNMP shouldn't be an issue. 

I have 3rd party management software on my XenServers, no issues ever. But I just use it for monitoring, not pushing out firmware.

 

--Alan--

 

Posted

Only issue with SNMP is the need to probably unblock port 161 on the XS firewall side (possibly also 162 if SNMPTRAP is also used). I just query the hosts, and don't put any of the monitoring software on them, so it's just a read-only access from the outside.

 

-=Tobias

Posted
9 hours ago, Olivier Lambert said:

This is an interesting question that we also encountered in XCP-ng, which doesn't use "packs" for updates but `yum` directly. For Citrix Hypervisor, you are using "Updates", which are basically ISO files containing RPMs signed by Citrix. So you don't have a Yum repo like for CentOS or Red Hat distros.

Here is what we chose to tell users for XCP-ng (which is NOT XenServer/CH, but it's reasonable advice anyway):

* If the package you need is available on CentOS, doesn't have any dependencies, and doesn't interfere with the kernel, it might work without any issue

* NEVER enable a whole repository because this will break your install

* If you are pretty sure the package is without any risk, you can enable the repo ONLY during the yum command, e.g. `yum install packagename --enablerepo='epel'`

Again, that's the advice we gave on XCP-ng. In the meantime, we are working to embed/put a repo for very low risk packages, like htop and similar ones.

 

If you're on a private net or behind various firewalls, it takes a bit more to get around those hurdles. See for example: https://www.mycugc.org/blogs/cugc-blogs/2017/02/21/direct-updating-of-modern-dell-server-and-peripher

 

-=Tobias

Posted

Yep, this should work for allowing SNMP through the firewall.

 

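```
# Create a dedicated chain for SNMP and hook it into INPUT
iptables -N SNMP-Input
iptables -I INPUT -j SNMP-Input
# Accept SNMP queries (UDP port 161)
iptables -A SNMP-Input -p udp --dport 161 -j ACCEPT
# Persist the rules across reboots
/sbin/service iptables save
```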

 

--Alan--

 

Posted

There's also an equivalent TCP service on that same port number for SNMP, but it's not so commonly used. Check what you are running and add accordingly for TCP, should that be necessary.

 

-=Tobias

Archived

This topic is now archived and is closed to further replies.
