
Re: are unattended updates a good idea?



Hi,
Hello List,

I have got about 50 Debian 6 and 7 servers. They are doing all kinds of
things like web server, mail server, DNS, etc.

I am using apticron to keep track of the updates, but I seem to spend
more and more time updating the hosts.

I have been using apticron and cron-apt on various servers for several years now and have never had an issue with them.

Recently I came across the unattended-upgrades project
https://wiki.debian.org/UnattendedUpgrades.

Do you think it is a good idea to do security updates automatically?

I have used unattended-upgrades so far only on one server, for some months. Never had an issue with it. But for me there is not much difference between using the apticron, cron-apt or unattended-upgrades mechanism.

I just don't want to wake up one morning not having ssh access to my
servers because an update broke everything. The servers are still very
important. I should not crash them at any time. On the other hand I
would like to be up to date with my security patches.

Normally these tools only install security updates in a safe way, meaning they should not do a major version upgrade of any installed software. So breaking something is most unlikely, but no one can guarantee that. That's why you should always have a plan B, regardless of what you set up. How this is set up depends heavily on your network layout and what kind of hardware or virtualization is used.

Is anyone else facing the same problem? What are your experiences
doing (blind) automatic security updates?

Or are you maybe using something completely different, like Puppet?

You can do updates with Puppet (or any other configuration management tool you like), but using it for updating the whole system is not the way I would go. You would need to create a complete list of installed packages on the server and keep this up to date in Puppet. This only moves the problem to Puppet... And then you might have a different package base on different servers. This also needs to be tracked. Other tools (like the 3 mentioned) are better for this. But you should use Puppet (or any other configuration tool) to set up an automatic security update mechanism.


What's your practical experience with lots of servers? (I am not
interested in theoretical advice :-P )


If you have "lots" of servers (for some this means 1000s of servers, for others 10 is already a lot...) you should use a configuration management tool that automatically sets up automatic security updates. The mentioned tools already provide you with everything you need on a Debian system. What you use is a matter of taste. In the past years I have set up this mechanism on about 400 servers and never had really big issues. Sometimes the package list updates get stuck but mostly recover on the next try. And if something is really wrong you can always log in to the server and repair the problem manually. Monitoring these kinds of things is really important but is a completely different topic.

Michael
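As an added example, not part of the thread above: a minimal unattended-upgrades configuration for a Debian 7 host that follows the stance taken in the reply (security suite only, no automatic reboot, mail root when something goes wrong, and keep the ssh daemon out of the automatic path so a broken update cannot lock you out). The file paths and option names are the ones shipped by Debian's unattended-upgrades package; the blacklisted package is only an illustration of the "plan B" idea.

```conf
// /etc/apt/apt.conf.d/20auto-upgrades
// Refresh the package lists daily and run unattended-upgrade daily.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

// /etc/apt/apt.conf.d/50unattended-upgrades
// Only packages from the Debian security archive are ever installed
// automatically; a pattern such as "origin=Debian,archive=stable"
// (the whole stable suite) is wider than needed for security patching.
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,archive=stable,label=Debian-Security";
};

// Illustrative: keep the remote-access daemon under manual control so an
// unattended run can never leave the host unreachable over ssh.
Unattended-Upgrade::Package-Blacklist {
    "openssh-server";
};

// Report only failures, to root, and never reboot on its own.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Automatic-Reboot "false";
```

Before enabling it fleet-wide, `unattended-upgrade --dry-run --debug` on one host lists what the current pattern and blacklist would actually apply, which is the check worth wiring into whatever pushes this configuration out.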





