Re: are unattended updates a good idea?
> I have got about 50 Debian 6+7 servers. They are doing all kinds of
> things like web server, mail server, DNS, etc…
> I am using apticron to keep track of the updates, but I seem to use
> more and more time updating the hosts.

I have used apticron and cron-apt on various servers for several years now and
never had an issue with them.

> Recently I came across the unattended-upgrades project.
> Do you think it is a good idea to do security updates automatically?

I have used unattended upgrades so far only on one server for some months.
Never had an issue with it. But for me there is not much difference in
using the apticron, cron-apt or unattended-upgrades mechanism.

> I just don't want to wake up one morning not having ssh access to my
> servers because an update broke everything. The servers are still very
> important. I should not crash them at any time. On the other hand I
> would like to be up to date with my security patches.

Normally these tools only install security updates in a safe way,
meaning they should not do a major version upgrade of any installed
software. So breaking something is most unlikely, but no one can
guarantee that. That's why you should always have a plan B, regardless
of what you set up. How this is set up depends heavily on your network
layout and what kind of hardware or virtualization is used.

> Is anyone else facing the same problem? What are your experiences
> doing (blind) automatic security updates?
> Or are you maybe using something completely different like Puppet?

You can do updates with Puppet (or any other configuration management
tool you like), but using it for updating the whole system is not the way
I would go. You would need to create a complete list of installed
packages on the server and keep this up to date in Puppet. This only moves
the problem to Puppet... And then you might have a different package base
on different servers. This also needs to be tracked. Other tools (like the
three mentioned) are better for this. But you should use Puppet (or any
other configuration tool) to set up an automatic security update mechanism.

> What's your practical experience with lots of servers? (I am not
> interested in theoretical advice :-P )

If you have "lots" (for some this means 1000s of servers, for others 10
is already a lot...) of servers you should use a configuration
management tool that automatically sets up automatic security updates.
The mentioned tools already provide you with everything you need on a
Debian system. What you use is a matter of taste.
In the past years I have set up this mechanism on about 400 servers and
never had really big issues. Sometimes the package list updates get stuck
but mostly recover on the next try. And if something is really wrong you
can always log in to the server and repair the problem manually.
Monitoring these kinds of things is really important but is a completely
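As an added example, not code from the thread: a small shell helper that renders the apt configuration the reply recommends (unattended-upgrades limited to the Debian security archive, no automatic reboot, mail to root only on failure), written so a configuration management tool can ship the result, plus a check that rejects a configuration that would also pull in non-security updates. It assumes the Debian 7 version of unattended-upgrades (the Origins-Pattern syntax; the Debian 6 package still uses the older Allowed-Origins form), and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: render the two apt.conf.d fragments that
# limit unattended-upgrades to the Debian security archive, never reboot on
# their own and mail root only when a run fails. Pass a directory to preview
# the files; with no argument they go to /etc/apt/apt.conf.d (needs root).

write_unattended_config() {
    dir="${1:-/etc/apt/apt.conf.d}"
    mkdir -p "$dir" || return 1
    # Daily apt cron job: refresh package lists, then run unattended-upgrade.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Origin pattern as shipped with the Debian 7 package: only packages from
    # the security archive are touched, so a stable point release or a
    # manually added third-party repository is never pulled in automatically.
    # openssh-server is held back as an example of a package you would rather
    # update by hand (the ssh worry in the thread); the price is a delayed fix.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,archive=stable,label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
    "openssh-server";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
EOF
}

# Check a rendered (or existing) configuration: both fragments exist, the daily
# run is enabled and every active origin pattern names the security archive.
check_unattended_config() {
    dir="${1:-/etc/apt/apt.conf.d}"
    [ -f "$dir/20auto-upgrades" ] || return 1
    [ -f "$dir/50unattended-upgrades" ] || return 1
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$dir/20auto-upgrades" || return 1
    grep -q 'label=Debian-Security' "$dir/50unattended-upgrades" || return 1
    # Any uncommented pattern inside the Origins-Pattern block other than the
    # security archive means the config would also install other updates.
    if awk '/Origins-Pattern/,/^};/' "$dir/50unattended-upgrades" \
        | grep '^[[:space:]]*"' | grep -qv 'label=Debian-Security'; then
        return 1
    fi
    return 0
}
```

On a host that already has the package installed, `unattended-upgrade --dry-run --debug` shows what the rendered configuration would do without installing anything.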