
Re: unattended-upgrades by default?



On 25-12-16 at 01:43, Paul Wise wrote:
> On Sun, Dec 25, 2016 at 8:34 AM, Paul van der Vlis wrote:
> 
>> I am doing this myself already on desktop systems so I have some
>> experiences with it.
> 
> Thanks for sharing your experience.
> 
>> What I would really like is a mechanism where the user can tune after
>> how many days the upgrade will occur. Maybe a default could be after 2
>> days. People who like to have faster updates can change this to 0 days,
>> and these people do extra testing of the updates. When big problems occur
>> with an update, the installation of the update should be stopped in some
>> way for the people who have set it at 2 days.
> 
> How do you propose to transmit the info about problematic updates from
> early testers to folks who update later?

I think those users can contact the security team. The security team
could remove or replace a security update, or give information.

Other people can also share information about experiences with the
update, so there is already information on the internet if you use the
2-day default.

I use a script on a few servers to realize this, it's not perfect:
http://vandervlis.nl/files/updateafter

>> It would be nice to have a way to configure a notice (by e-mail?) in
>> case of an apt or dpkg error.
> 
> /etc/apt/apt.conf.d/50unattended-upgrades:
> Unattended-Upgrade::Mail "root";
> Unattended-Upgrade::MailOnlyOnError "true";

Thanks.

>> I would like something like "apt-get update; apt-get dist-upgrade".
>> So not only "apt-get upgrade", and for everything in sources.list, so
>> not only for security updates. I would like to go from Debian 9.1 to
>> 9.2, but not from Debian 9 to 10.
> 
> /etc/apt/apt.conf.d/50unattended-upgrades:
> Set Unattended-Upgrade::Origins-Pattern to match which packages you
> want to upgrade.

I use "*" and that works fine, I would like it as default.
People who do not want it have many ways to change it.

I am not sure, but if you only use "apt-get update; apt-get upgrade" I
expect you do not have a secure system anymore after some time.

>> Using a program what has been upgraded can give strange problems. I have
>> seen this e.g. with e-mail clients and browsers. I would like it when
>> desktop users could get a message that programs have to be restarted.
>> Not sure this is important for servers too, I would think so.
> 
> apt install needrestart needrestart-session

Thanks, I will study that.

>> I don't think it's a good idea to enable automatic reboots by default.
> 
> I think we either need a Linux kernel livepatch service or automatic reboots.

I would like a kernel livepatch, but it's not there at the moment.

I don't like automatic reboots as a default, but if many people want
them I can live with it, as long as I can turn them off.

I use "at" to reboot very early in the morning:
-----------
#!/bin/bash
TIJD="5:00"
MAIL="paul@vandervlis.nl"

# Announce the scheduled reboot right away...
echo "$HOSTNAME is rebooted on $TIJD" | mail -s "$HOSTNAME is rebooted on $TIJD" "$MAIL"
# ...and queue a second mail plus the reboot itself for $TIJD via at(1).
echo "mail -s '$HOSTNAME becomes rebooted now' $MAIL; reboot" | at "$TIJD"
----------

With regards,
Paul van der Vlis


-- 
Paul van der Vlis Linux system administration Groningen
https://www.vandervlis.nl/
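The delay mechanism discussed in the message (install an upgrade only once its candidate version has been available for N days, so that a pulled or replaced update never reaches the slower group) can be implemented with a small state file that records when each candidate version was first seen. The script below is an added example written for this page; it is not the updateafter script linked above and not part of unattended-upgrades. The state path /var/lib/updateafter/seen, the DELAY_DAYS variable and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not the updateafter script linked above: install an
# upgrade only after its candidate version has been visible for
# DELAY_DAYS days. A replaced version (e.g. a re-uploaded security fix)
# gets a fresh stamp, so the waiting period starts over for it.
DELAY_DAYS="${DELAY_DAYS:-2}"                 # 0 = install immediately
STATE="${STATE:-/var/lib/updateafter/seen}"   # assumed path; lines: "pkg version first_seen_epoch"

# parse_candidates: turn "apt-get -s dist-upgrade" output on stdin into
# "pkg version" lines. Input lines look like
# "Inst libc6 [old-version] (new-version Debian:9.5/stable [amd64])".
parse_candidates() {
    awk '$1 == "Inst" {
        v = $0
        sub(/^[^(]*\(/, "", v)   # drop everything up to and including the "("
        sub(/ .*$/, "", v)       # keep the first word: the candidate version
        print $2, v
    }'
}

list_candidates() {
    apt-get -s dist-upgrade 2>/dev/null | parse_candidates
}

# refresh_state NOW  (candidate lines on stdin)
# Rewrites $STATE to exactly the current candidate set: pairs already
# recorded keep their first-seen stamp, new pairs are stamped with NOW,
# and pairs that are no longer candidates are dropped.
refresh_state() {
    now="$1"
    touch "$STATE"
    tmp=$(mktemp)
    while read -r pkg ver; do
        stamp=$(awk -v k="$pkg $ver" '($1 " " $2) == k { print $3; exit }' "$STATE")
        printf '%s %s %s\n' "$pkg" "$ver" "${stamp:-$now}" >> "$tmp"
    done
    mv "$tmp" "$STATE"
}

# eligible NOW: names of packages whose candidate has waited long enough.
eligible() {
    awk -v now="$1" -v delay="$DELAY_DAYS" \
        'now - $3 >= delay * 86400 { print $1 }' "$STATE"
}

main() {
    apt-get -qq update
    now=$(date +%s)
    list_candidates | refresh_state "$now"
    pkgs=$(eligible "$now")
    [ -n "$pkgs" ] || exit 0
    # shellcheck disable=SC2086  (word splitting on the package list is intended)
    apt-get -y --only-upgrade install $pkgs
}

# Only touch apt when invoked as "updateafter run" (e.g. daily from cron, as root).
case "${1:-}" in run) main ;; esac
```

Two caveats a practitioner should keep in mind: apt still resolves dependencies for the selected packages, so a not-yet-eligible package can be pulled in when an eligible one depends on it, and the script only selects packages; reboots, restarts of running programs and error mail are left to at(1), needrestart and the Unattended-Upgrade::Mail settings quoted in the thread.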

