Errata Installation Affect Running Processes?

Does errata installation affect a process that is currently running or do running processes require a reboot/restart to be impacted by new errata?

Responses

Good Morning Brian,

You could find an answer to your question in the RHEL 7 Security Guide, Chapter 3.1.3. Applying Changes Introduced by Installed Updates.

Also you could use the program needs-restarting to check whether a service/system restart is required or not after applying updates to your system. See needs-restarting(1) for additional information.

Here is an example output from an already up-to-date system:

# needs-restarting -r
No core libraries or services have been updated.
Reboot is probably not necessary.

Hope this helps, Joerg K.

Hi Brian,

There are different opinions about what would be the best practice. Applying updates like a new kernel definitely requires a restart. Applying updates for applications doesn't necessarily - but to be on the safe side, it is always a good idea to reboot the system after updates are deployed, right because all services are restarted correctly and this practice prevents you from experiencing issues. :)

Regards,
Christian

You misunderstand, I am wondering if in-memory running processes are affected by the installation of errata. Can the installation of errata directly affect a process that is currently running? Like could it suspend a service while it is updating, or does it simply update files and a reboot or service restart is required.

Is it possible to install errata with it not impacting a running system directly until the updated application is restarted or the system is rebooted?

No Brian, (in most cases) running processes are not affected until the running applications are getting re-started. :)

Regards,
Christian

Thanks! We have a few systems where downtime needs to be minimized and requires a delicate shutdown and start up sequence. If the errata can be installed prior to this, then the outage of the application is limited to the time it takes to execute all of this.

You're welcome, Brian ... I still recommend to reboot the system "as soon as possible" though. :)

Regards,
Christian

Yes, what we are talking about is like installing the Errata at say 5pm and when installation has completed, restart the servers at 5:15pm and bring up the applications in the correct order. Before, the owners would shut all applications down, then say it is OK to begin updating. This leads to longer than necessary outages for the applications. There is one wrinkle, I need to install VMware tools on Red Hat server versions below 7.x. I think it is necessary to do this after a kernel update and reboot, rather than before the reboot?

Hi Brian,

First upgrade the kernel and reboot ... then install VMware tools and reboot the system again. :)

Regards,
Christian

I respectfully disagree. Applying errata most certainly can affect running processes, in at least two ways that I know of:

1) Updating certain packages will cause the daemon associated with the package to be restarted (e.g. OpenSSH package update -> sshd process is restarted; httpd (apache) package update -> httpd process is restarted).

2) In the specific case of Apache, I believe due to its default forking model, the 'httpd' process can hang if the 'glibc' package is updated such that the on-disk copy and in-memory copy no longer match. So when patching 'glibc' on a server running Apache, you must either stop and restart 'httpd' service or reboot the system.

Since O.P. is dealing with "uptime-critical" systems, I assume they have a test environment where they can confirm if either of these issues is present or not - then perhaps the overall patching process could be broken up into a bulk portion, run ahead of time with "sensitive" packages excluded, followed by a final "yum -y update && shutdown -r now" (or something like that) during the downtime window.
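
An added example, not part of the thread or any poster's code: one way to see the on-disk versus in-memory mismatch discussed above is to look for executable mappings in /proc/<pid>/maps whose backing file was unlinked by an update. The sample maps text, its paths and the function names are constructed for illustration.

```python
import re
from pathlib import Path

# Constructed sample of /proc/<pid>/maps (not from the thread). When an update
# replaces a library, the old file is unlinked but stays mapped, and the kernel
# appends " (deleted)" to its path. Shared-memory segments show the same suffix.
SAMPLE_MAPS = """\
55d0c7a00000-55d0c7a5e000 r-xp 00000000 fd:00 1054321 /usr/sbin/httpd
7f3a1c000000-7f3a1c1c3000 r-xp 00000000 fd:00 2098765 /usr/lib64/libc-2.17.so (deleted)
7f3a1c1c3000-7f3a1c3c2000 ---p 001c3000 fd:00 2098765 /usr/lib64/libc-2.17.so (deleted)
7f3a1c600000-7f3a1c622000 r-xp 00000000 fd:00 2098001 /usr/lib64/ld-2.17.so
7f3a1d000000-7f3a1d001000 rw-s 00000000 00:04 32769 /SYSV00000000 (deleted)
7f3a1d100000-7f3a1d200000 rw-s 00000000 00:13 4411 /dev/shm/cache.1 (deleted)
7ffd5a1e0000-7ffd5a201000 rw-p 00000000 00:00 0 [stack]
"""

# Fields: address range, perms, offset, device, inode, optional pathname.
MAPS_LINE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+(\S{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$")
DELETED = " (deleted)"

def stale_mappings(maps_text):
    """Return sorted paths of executable mappings whose backing file was unlinked."""
    stale = set()
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.groups()
        # Requiring the 'x' bit skips deleted shared-memory segments (rw-s),
        # which are normal and do not indicate outdated code.
        if "x" in perms and path.endswith(DELETED):
            stale.add(path[: -len(DELETED)])
    return sorted(stale)

def scan_proc(proc=Path("/proc")):
    """Map pid -> stale paths for every process the caller may inspect."""
    results = {}
    for maps in proc.glob("[0-9]*/maps"):
        try:
            found = stale_mappings(maps.read_text(errors="replace"))
        except OSError:  # process exited meanwhile, or permission denied
            continue
        if found:
            results[int(maps.parent.name)] = found
    return results

if __name__ == "__main__":
    print("sample:", stale_mappings(SAMPLE_MAPS))
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

Run as root to cover every process; a process listed here is still executing the pre-update copy of that file until it is restarted.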

Hi James,

Yes, you are right ... and as it is with everything in life - there always exist some exceptions. Not to be misunderstood, I generally recommend to run upgrades when the systems are not in (production) use and to reboot the system afterwards, right as I said in my first response. I think what Brian meant was, if it would be dangerous running upgrades while users are doing their "normal" work, like editing files, working on documents or browsing the web. I think Brian is aware of the risks and acts accordingly ... as he said - I'll quote: "Before, the owners would shut all applications down, then say it is OK to begin updating." But to make my statement above somewhat more precise - I have added "in most cases". :)

Regards,
Christian
