To yum update? Or not?
Please forgive this rather straightforward question.
First off, I'm not a sysadmin, and my experience with Linux is somewhat limited.
About 3-4 months ago, I set up a CentOS server in work, for a variety of reasons. We are using it as a development server for web sites (which our clients have access to), subversion server, and we're hosting a wiki on there for internal communication too, so it has become quite an important tool for us. (Probably more important than we thought it would be when I set it up!)
It has come to my attention that Yum wants to update about 250 packages to the latest versions in the repo.
Since the server is working fine for us, should I take the risk of updating these packages? Do the security risks outweigh the risk of the server breaking when I update everything?
I should point out that while I have backups of everything, it would take time to set everything up the way it is just now, and I don't have very much free time at work at the moment!
If the advice is to update, are there any best practices that could be passed on to make the process as safe as possible?
Thanks in advance for any advice.
UPDATE - Thanks for your responses everyone. If I had enough rep to upvote everyone, I would. ;) I've decided to ghost the hard drive and update. Unfortunately, getting hold of a full or part time sysadmin isn't an option at the moment, so I'll just have to deal with the issue as well as I can!
Quick and dirty (i.e. Battlefield Administrator) solution:
Take your system offline (I hope you can) and do a NortonGhost backup (or something similar) to a 2nd hard drive.
Boot up the 2nd hard drive (to make sure your backup actually works) and do the yum update on THAT drive.
If it all works... congratulations!
If it screws something up... go ahead and put in your ORIGINAL drive and come up with a "Plan B".
UPDATE:
Just thought I'd mention that the real issue here is "Do I update my waaaay out of date system and risk messing it up?" or "Do I leave my perfectly good working system unpatched and risk having it hacked/compromised?"
The answer is... once you get your system patched via the steps above... try and stay on top of it by backing it up frequently AND patching it frequently.
Then you'll have the best of both worlds. ;-)
Yes, update.
RHEL (and therefore CentOS) is careful not to update versions to anything incompatible; instead they backport bugfixes and security fixes, so the actual changes to packages are minimal and reasonably unlikely to cause compatibility problems.
If any config files have changed, the packages will tell you about a .rpmorig or .rpmnew file that gets created. It depends on the configuration of the RPM itself. You can look for warnings about any of those being created and either put your old config back ("cp foo foo.bak; cp foo.rpmorig foo") or look at the .rpmnew files and incorporate any changes into your config.
The problem is less noticeable if you update regularly.
We have a lot of systems that get updated quarterly (every 3 months) and very rarely see any problems from package updates (except on systems doing weird kernel things to access LUNs from a SAN).
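The leftover-config check described in the answer above, as an added example that is not from any poster in this thread: a small POSIX sh helper that finds every .rpmnew, .rpmorig and .rpmsave file under a directory (assumed to be /etc by default), reports whether the active config still matches it, and shows a unified diff for the ones that differ so you can decide what to merge after the update.

```shell
#!/bin/sh
# Added example, not from the original thread. Lists leftover RPM config
# files (.rpmnew = packaged version that was NOT installed; .rpmorig and
# .rpmsave = your previous copy that WAS replaced) and compares each with
# the active config. The directory argument exists so it can be pointed at
# a constructed test tree instead of the real /etc.

# Print one line per leftover: ACTIVE<TAB>LEFTOVER<TAB>same|differs|missing
rpm_config_leftovers() {
    root="${1:-/etc}"
    find "$root" -type f \( -name '*.rpmnew' -o -name '*.rpmorig' \
                           -o -name '*.rpmsave' \) 2>/dev/null |
    sort |
    while IFS= read -r leftover; do
        # Strip exactly the RPM suffix to get the path of the live config.
        case "$leftover" in
            *.rpmnew)  active="${leftover%.rpmnew}" ;;
            *.rpmorig) active="${leftover%.rpmorig}" ;;
            *.rpmsave) active="${leftover%.rpmsave}" ;;
        esac
        if [ ! -e "$active" ]; then
            status="missing"
        elif cmp -s "$active" "$leftover"; then
            status="same"
        else
            status="differs"
        fi
        printf '%s\t%s\t%s\n' "$active" "$leftover" "$status"
    done
}

# Show a unified diff (active config first) for every leftover that differs,
# which is the list of files the admin has to reconcile by hand.
show_config_diffs() {
    rpm_config_leftovers "$1" |
    while IFS="$(printf '\t')" read -r active leftover status; do
        [ "$status" = "differs" ] || continue
        echo "==== $active vs $leftover"
        diff -u "$active" "$leftover" || true   # diff exits 1 when they differ
    done
}
```

Running `show_config_diffs` with no argument scans /etc; leftovers reported as "same" can simply be deleted, while "differs" entries need a manual merge before the old or new copy is put in place.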
While yes, it would take time to upgrade, and in the same manner it would take time to restore if something went wrong, how much pain/suffering would it be if the data on that system was deleted through an exploit/hack?
For the most part, upgrades from the CentOS base repositories are safe to install. The only time I've had update issues with CentOS is when I started or needed to use an outside repository (DAG, RPMForge, etc.).
The best setup for this kind of thing is to have a hot-swappable server ready, so you can test the updates on it before deploying them to the live server.