We haven’t had a failure in the last couple of updates. But there have been enough problems in upgrades that we do it manually. In fact we duplicate all of our VMs, setting up a duplicate set of servers, and first try the upgrade on them before we do it in production. We have too many eggs in one basket to risk problems with IPA.

> On Mar 31, 2021, at 2:45 PM, Suchismita Panda via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> Hi,
>
> I would like to know the best practice for patching FreeIPA-Server packages. We generally have daily patching enabled in our servers. Will it be a good idea to do automatic patching of FreeIPA-Server packages?
>
> If we want to restrict the FreeIPA-Server packages from automatomatic upgrade and rather keep it for manual upgrade, what are the packages we should hold back with a version restriction? And how frequently should we do the manual upgrade? If the FreeIPA-client packages are upgraded regularly by daily patching(yum-cron or unattended upgrade) will there be any problem with authentication, if the FreeIPA-Servers  are behind version upgrade?
>
> We have two FreeIPA environments, one with CentOS7 and another with CentOS8. And we have FreeIPA clients mostly with Ubuntu(18 and 20) and CentOS (7 and 8).
>
> Any help and guidance is appreciated.
>
> Thanks
> Suchi
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure