Re: unattended-upgrades by default?
Rhonda D'Vine wrote:
> * Steve McIntyre <steve@einval.com> [2016-11-03 19:47:28 CET]:
> > One of the topics that we've been talking about yesterday is automatic
> > software upgrades of cloud images. Some of the cloud platform
> > providers really want this so that unsophisticated / inexperienced
> > users of Debian images on their platforms will be secure by
> > default. But there are potential issues here:
> >
> > * if users are providing a service like a database from a cloud
> > instance, there may be unexpected (potentially lengthy) downtime if
> > upgrades happen. Of course, this can be mitigated by disabling the
> > upgrade job on those machines if desired but that needs people to
> > know to do this. Experienced users will probably be dealing with
> > upgrades already, so this should not be an issue.
>
> It's not only databases. It's also caching services like varnish, or
> cluster software which would trigger a failover then.
>
> In theory I'm all for it, but there definitely should be some more fine
> tuning for that. Please don't auto-restart varnish by needrestart, it
> puts a lot of load on the backend which might be a very bad idea. And
> the downtime that a mysql upgrade brings along is kinda annoying.
I absolutely agree that you usually can't restart services automatically
on production servers, and you have to coordinate with the admin to
choose an appropriate time.
However, I'd also suggest that more services and service management
tools need mechanisms for zero-downtime upgrades. For instance, with
some care, services running via socket activation can restart without
losing any connections.
- Josh Triplett
Reply to: