Thank you for your reply. We are using CentOS currently for our FreeIPA servers. As per your advice, we will skip the full OS automatic patching. If we limit the automated patching to just target kernel packages, will that be risk-free?

-Suchi

On Thu, Jun 17, 2021 at 1:00 PM Rob Crittenden <rcritten@redhat.com> wrote:
Suchismita Panda via FreeIPA-users wrote:
> Thanks all for the reply.
>
> Circling back again - We have to do the normal OS upgrade for the
> FreeIPA servers and would like to exclude the FreeIPA package to be
> upgraded. I would like to know the name of the Freeipa packages which
> should be held back from automatic upgrade.
>
> A list would be really helpful.

It's a tricky question. IPA is more than just the freeipa-* packages.
It's 389-ds, pki-*, sssd-*, a ton of python packages, openldap client
libraries, openssl, nss, bind, krb5. And that's just off the top of my head.

In a CentOS/RHEL environment we discourage picking and choosing packages
to upgrade since we only test against what is in a given release. In
Fedora things are a bit more fluid so we do the best we can with Requires,
but it isn't feasible to set dependencies on every possible package.

So by blocking freeipa-server and freeipa-client you'll likely hit the
highlights but no promises nothing will break. There can be big
differences between Fedora releases.

rob

>
> On Thu, Apr 15, 2021 at 1:34 PM <hedrick@rutgers.edu> wrote:
>
>     We haven’t had a failure in the last couple of updates. But there
>     have been enough problems in upgrades that we do it manually. In
>     fact we duplicate all of our VMs, setting up a duplicate set of
>     servers, and first try the upgrade on them before we do it in
>     production. We have too many eggs in one basket to risk problems
>     with IPA.
>
>     > On Mar 31, 2021, at 2:45 PM, Suchismita Panda via FreeIPA-users
>     <freeipa-users@lists.fedorahosted.org> wrote:
>     >
>     > Hi,
>     >
>     > I would like to know the best practice for patching FreeIPA-Server
>     packages. We generally have daily patching enabled in our servers.
>     Will it be a good idea to do automatic patching of FreeIPA-Server
>     packages?
>     >
>     > If we want to restrict the FreeIPA-Server packages from
>     automatic upgrade and rather keep it for manual upgrade, what
>     are the packages we should hold back with a version restriction? And
>     how frequently should we do the manual upgrade? If the
>     FreeIPA-client packages are upgraded regularly by daily
>     patching (yum-cron or unattended upgrade) will there be any problem
>     with authentication, if the FreeIPA-Servers are behind version upgrade?
>     >
>     > We have two FreeIPA environments, one with CentOS7 and another
>     with CentOS8. And we have FreeIPA clients mostly with Ubuntu (18 and
>     20) and CentOS (7 and 8).
>     >
>     > Any help and guidance is appreciated.
>     >
>     > Thanks
>     > Suchi
>     > _______________________________________________
>     > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     <mailto:freeipa-users@lists.fedorahosted.org>
>     > To unsubscribe send an email to
>     freeipa-users-leave@lists.fedorahosted.org
>     <mailto:freeipa-users-leave@lists.fedorahosted.org>
>     > Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     > List Guidelines:
>     https://fedoraproject.org/wiki/Mailing_list_guidelines
>     > List Archives:
>     https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>     > Do not reply to spam on the list, report it:
>     https://pagure.io/fedora-infrastructure
>
>
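Added example, not part of the original thread: a POSIX shell filter that flags pending updates belonging to the package families Rob's reply names as part of the IPA stack. The glob patterns, the function names, and the sample update list are assumptions constructed for illustration; `ipa-*` is included because CentOS/RHEL ship the packages under that name.

```shell
#!/bin/sh
# Package families taken from the reply in this thread: freeipa-*, 389-ds,
# pki-*, sssd-*, python packages, openldap, openssl, nss, bind, krb5.
# That list was given "off the top of my head", so a non-match here is
# not a statement that an update is unrelated to IPA.
is_ipa_stack() {
    case "$1" in
        freeipa-*|ipa-*|389-ds*|pki-*|sssd*|python*|openldap*|openssl*|nss*|bind*|krb5*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Reads "name.arch version repo" lines (the shape of `yum check-update`
# output) on stdin and prints each package name that matches a family above.
ipa_stack_updates() {
    while read -r pkg _ver _repo || [ -n "$pkg" ]; do
        [ -n "$pkg" ] || continue
        name=${pkg%.*}                 # drop the trailing .arch
        if is_ipa_stack "$name"; then
            printf '%s\n' "$name"
        fi
        pkg=
    done
}

# "hold" if the batch contains at least one matching package, so the run
# can be left for a manual, pre-tested upgrade; "no-match" otherwise.
batch_verdict() {
    if [ -n "$(ipa_stack_updates)" ]; then
        echo hold
    else
        echo no-match
    fi
}

# Constructed sample of pending updates (versions are placeholders).
SAMPLE_PENDING='kernel.x86_64 4.18.0-000.el8 baseos
kernel-core.x86_64 4.18.0-000.el8 baseos
sssd-common.x86_64 2.0.0-0.el8 baseos
krb5-libs.x86_64 1.00-0.el8 baseos
vim-minimal.x86_64 8.0.0000-0.el8 baseos'

printf '%s\n' "$SAMPLE_PENDING" | batch_verdict
```

On a server the input would come from `yum check-update` instead of the sample variable.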