Re: unattended-upgrades for baremetal servers on Debian
On Thu, 27 Nov 2025 18:25:44 +0200
George Shuklin <george.shuklin@gmail.com> wrote:
> On 11/25/25 7:39 PM, Charles Curley wrote:
> >> Given all that I came to ask for advice. Should we enable
> >> unattended-upgrades in Debian for baremetal servers (the same way
> >> as it is enabled for cloud VMs)? Mind, that this installation
> >> process is very automated, we ask users only on their partitioning
> >> preferences, hostname and ssh public key, so we can't simply 'ask
> >> user'.
> > I suggest you enable them, and document for your users that you have
> > done so and how to disable them.
>
> Can you give arguments in favor of this option, please?
>
Others have given answers with which I concur. For Debian-specific
advice, I'll suggest the Securing Debian Manual, Javier
Fernández-Sanguino Peña,
https://www.debian.org/doc/manuals/securing-debian-manual/securing-debian-manual.en.pdf
and the discussion at https://wiki.debian.org/SecurityManagement. I
notice, however, that the Securing Debian Manual does not mention the
unattended-upgrades package. Other than that, the advice there is still
good.
One thing to watch out for, though. You can have the unattended upgrade
reboot the machine if that's appropriate. If the boot process requires a
password (LUKS encryption, e.g.), you may want to disable automatic
reboots and have the administrator reboot at a time when the
administrator can provide that password.
--
Does anybody read signatures any more?
https://charlescurley.com
https://charlescurley.com/blog/
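
The reboot caveat in the message above can be checked mechanically. The following is an added example, not part of the original post: it flags a host where `Unattended-Upgrade::Automatic-Reboot` is enabled while `/etc/crypttab` has a volume that waits for a typed passphrase. The function names and the sample data are hypothetical; the inputs are a crypttab file and saved `apt-config dump` output.

```shell
#!/bin/sh
# Added example: flag hosts where unattended-upgrades could reboot into a
# passphrase prompt. $1 = crypttab(5) file, $2 = saved `apt-config dump`.

# Print names of crypttab entries that wait for a typed passphrase at boot:
# key field absent, "none" or "-", and not marked noauto.
# Assumption: keyscript= setups are not evaluated and must be judged by hand.
needs_passphrase() {
    awk '$1 !~ /^#/ && NF >= 2 {
        key  = (NF >= 3) ? $3 : "none"
        opts = (NF >= 4) ? $4 : ""
        if ((key == "none" || key == "-") && opts !~ /(^|,)noauto(,|$)/)
            print $1
    }' "$1"
}

# Print "true" or "false" for Unattended-Upgrade::Automatic-Reboot.
# The option is off unless a config file sets it.
auto_reboot() {
    v=$(sed -n 's/^Unattended-Upgrade::Automatic-Reboot "\(.*\)";$/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z')
    case "$v" in
        true|yes|on|with|enable|1) echo true ;;
        *) echo false ;;
    esac
}

# Exit status 1 when an automatic reboot would stall at the prompt.
check_reboot_policy() {
    vols=$(needs_passphrase "$1" | tr '\n' ' ')
    if [ "$(auto_reboot "$2")" = true ] && [ -n "$vols" ]; then
        echo "FAIL: Automatic-Reboot is on; passphrase needed for: $vols"
        return 1
    fi
    echo "OK"
}

# Constructed sample input (not taken from a real host).
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# <name> <device> <key file> <options>' \
        'root_crypt UUID=00000000-0000-0000-0000-000000000000 none luks' \
        'swap_crypt /dev/sda3 /dev/urandom swap' > "$d/crypttab"
    printf '%s\n' 'Unattended-Upgrade::Automatic-Reboot "true";' \
        'Unattended-Upgrade::Automatic-Reboot-Time "02:00";' > "$d/apt.dump"
    check_reboot_policy "$d/crypttab" "$d/apt.dump"
    rc=$?; rm -rf "$d"; return "$rc"
}
demo || true
```

On a real host the two inputs would be `/etc/crypttab` and the output of `apt-config dump` saved to a file.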