unattended-upgrades for baremetal servers on Debian
Good day.
I work in a baremetal hosting provider. One of the services we provide
to our customers, is automatic installation for an operating system on a
freshly ordered server. One of such operating systems is Debian.
I'm responsible for maintaining this image. It has a few small changes
compared to a stock Debian, mostly related to disk partitioning, enabled
ssh access and a proper configuration for our network.
For a long time there was a motto we used when we decided if something
should be done in the image or not: try to keep it as close to upstream
as possible.
It was fine and nice until I got a bug report that there is no
unattended-upgrades on our baremetal Debian, but there is one present in
the cloud image (we do also cloud computing).
I thought it's a simple bug (add it, cover with tests, forget), but I
decided to see why it's not there, and I found a lot of confusion.
A few facts:
* Official Debian Cloud image does include unattended-upgrades, due to
installation as a dependency of debian-cloud-images-packages.
* Debian installer (Trixie) asked about unattended upgrades but only in
expert mode and with default set to 'no'.
* Ubuntu (the most known Debian derivative) enables it as 'recommends'
for ubuntu-server-minimal.
* Security manual for Debian does not mention unattended-upgrades at all
(https://www.debian.org/doc/manuals/securing-debian-manual/ch10.en.html)
* Debian parted with Ubuntu-style software-properties-gtk in Trixie.
I found this wonderful long thread debating it
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=875858#:~:text=Ubuntu%20has%20a%20patch%20adding,to%20merge%20this%20into%20Debian
which only added confusion.
Given all that I came to ask for advice. Should we enable
unattended-upgrades in Debian for baremetal servers (the same way as it
is enabled for cloud VMs)? Mind that this installation process is very
automated, we ask users only on their partitioning preferences, hostname
and ssh public key, so we can't simply 'ask user'.
Ideas:
* As close to upstream
* Unified experience between cloud and baremetal
* Best practices
What is your opinion? Are there any guidelines or recommendations by Debian?
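Added example, not part of the original post: one way to bake unattended-upgrades into an automated Debian image build without prompting the user, with the upgrade source narrowed to the security origin and automatic reboots kept off. The chroot-based `install_in_chroot` flow and the `52unattended-upgrades-local` file name are assumptions about the build environment; the debconf question, the `20auto-upgrades` settings and the apt.conf `#clear` directive are standard Debian.

```shell
#!/bin/sh
# Bake unattended-upgrades into a Debian image non-interactively.
# ROOT is the image root (chroot target); defaults to the running system.
# Assumption: the image is built in a chroot with debconf and apt available.
set -eu

write_auto_upgrade_config() {
    root="${1:-/}"
    mkdir -p "$root/etc/apt/apt.conf.d"
    # The same two switches 'dpkg-reconfigure -plow unattended-upgrades' writes
    cat > "$root/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    # Local override (file name is an assumption): security pocket only,
    # and never reboot a baremetal host behind the customer's back.
    cat > "$root/etc/apt/apt.conf.d/52unattended-upgrades-local" <<'EOF'
#clear Unattended-Upgrade::Origins-Pattern;
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# Returns 0 only when both Periodic switches are set to "1" under ROOT,
# so an image test can assert the feature is really on (or really off).
auto_upgrade_enabled() {
    root="${1:-/}"
    f="$root/etc/apt/apt.conf.d/20auto-upgrades"
    [ -f "$f" ] || return 1
    grep -q '^APT::Periodic::Update-Package-Lists "1";' "$f" &&
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$f"
}

# Full flow inside the image chroot (assumed build layout).
install_in_chroot() {
    root="$1"
    # Preseed the debconf question so the package install never prompts
    echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' \
        | chroot "$root" debconf-set-selections
    chroot "$root" env DEBIAN_FRONTEND=noninteractive \
        apt-get install -y unattended-upgrades
    write_auto_upgrade_config "$root"
    # Dry run validates the config and lists what would be upgraded
    chroot "$root" unattended-upgrade --dry-run --debug
}
```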