
Re: are unattended updates a good idea?



Thank you very much! Your comments have been really helpful.

Cheers,
Mario

On Sat, Jan 31, 2015 at 12:53 PM, Michael Zoet <Michael.Zoet@zoet.de> wrote:
> Hi,
>>
>> Hello List,
>>
>> I have got about 50 Debian 6+7 servers. They are doing all kinds of
>> things like web server, mail server, DNS, etc.
>>
>> I am using apticron to keep track of the updates, but I seem to spend
>> more and more time updating the hosts.
>
>
> I have used apticron and cron-apt on various servers for several years now and never
> had an issue with them.
>>
>>
>> Recently I came across the unattended-upgrades project
>> https://wiki.debian.org/UnattendedUpgrades.
>>
>> Do you think it is a good idea to do security updates automatically?
>
>
> I have used unattended upgrades so far only on one server for some months. Never
> had an issue with it. But for me there is not much difference between using
> the apticron, cron-apt or unattended-upgrades mechanism.
>
>> I just don't want to wake up one morning not having ssh access to my
>> servers because an update broke everything. The servers are still very
>> important. I should not crash them at any time. On the other hand I
>> would like to be up2date with my security patches.
>
>
> Normally these tools only install security updates in a safe way, meaning
> they should not do a major version upgrade of any installed software. So
> breaking something is most unlikely, but no one can guarantee that. That's
> why you should always have a plan B, regardless of what you set up. How this is
> set up depends heavily on your network layout and what kind of hardware or
> virtualization is used.
>>
>>
>> Is anyone else facing the same problem? What are your experiences
>> doing (blind) automatic security updates?
>>
>> Or are you maybe using something completely different like Puppet?
>
>
> You can do updates with Puppet (or any other configuration management tool
> you like), but using it for updating the whole system is not the way I would
> go. You would need to create a complete list of installed packages on the
> server and keep this up2date in Puppet. This only moves the problem to
> Puppet... And then you might have different package bases on different
> servers. This also needs to be tracked. Other tools (like the 3 mentioned) are
> better for this. But you should use Puppet (or any other configuration
> tool) to set up an automatic security update mechanism.
>
>>
>> What's your practical experience with lots of servers? (I am not
>> interested in theoretical advice :-P )
>>
>
> If you have "lots" (for some this means 1000s of servers, for others 10 is
> already a lot...) of servers, you should use a configuration management tool
> that automatically sets up automatic security updates. The mentioned tools
> already provide you with everything you need on a Debian system. What you
> use is a matter of taste.
> In the past years I have set up this mechanism on about 400 servers and never
> had really big issues. Sometimes the package list updates get stuck but mostly
> recover on the next try. And if something is really wrong you can always
> log in to the server and repair the problem manually. Monitoring these kinds
> of things is really important, but that is a completely different topic.
>
> Michael
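What "use Puppet to set up the automatic security update mechanism" can look like in practice, as an added example that was not posted in the thread: a Puppet manifest that installs unattended-upgrades on a Debian 7 host and limits it to the Debian-Security archive, so nothing else is upgraded without a human. It assumes Puppet 3 syntax and Debian 7's Origins-Pattern configuration format; the class name and the `$mail_to` parameter are made up for illustration.

```puppet
# Added example (not from the thread): security-only unattended-upgrades
# rolled out with Puppet. Class name and $mail_to are hypothetical.
class unattended_security_updates (
  $mail_to = 'root',   # hypothetical parameter: who receives failure mails
) {
  package { 'unattended-upgrades':
    ensure => installed,
  }

  # Daily "apt-get update" followed by one unattended-upgrade run.
  file { '/etc/apt/apt.conf.d/20auto-upgrades':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "APT::Periodic::Update-Package-Lists \"1\";\nAPT::Periodic::Unattended-Upgrade \"1\";\n",
    require => Package['unattended-upgrades'],
  }

  # Only packages from the Debian-Security archive are installed without a
  # human; everything else keeps showing up in the apticron mails instead.
  file { '/etc/apt/apt.conf.d/50unattended-upgrades':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => "Unattended-Upgrade::Origins-Pattern {
        \"origin=Debian,archive=stable,label=Debian-Security\";
};
// Packages listed here are never touched automatically (update them by hand).
Unattended-Upgrade::Package-Blacklist {
};
// Mail only when a run fails, so a stuck run does not go unnoticed.
Unattended-Upgrade::Mail \"${mail_to}\";
Unattended-Upgrade::MailOnlyOnError \"true\";
// Never reboot on its own; a kernel update still gets a scheduled reboot.
Unattended-Upgrade::Automatic-Reboot \"false\";
",
    require => Package['unattended-upgrades'],
  }
}

include unattended_security_updates
```

After the first Puppet run, `unattended-upgrade --dry-run -d` on the host lists exactly which packages the origin pattern would pick up, which is the check to do before trusting it on the important servers.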

