Best practice for unattended upgrades on immutable servers

Niro

4/27/23, 7:09 PM

I use packer to build immutable Ubuntu 20.04 servers.

How can it work smoothly with unattended upgrades?

Since the image is not bundled like it was in the past the updates do not apply to new instances. It means that when a server comes up unattended upgrades will need to run full upgrades. This is problematic because some of them requires reboot + it prolongs the server get-up time.

What is the best practice for unattended upgrades on immutable servers?

113

0 + 0

security

packer

unattended-upgrades

ubuntu-20.04

immutable

AlexD

4/27/23, 7:22 PM

rebuild the golden image as soon as there are new unattended upgrades (or just do it daily), then redeploy the servers.

Niro

4/27/23, 9:05 PM

@AlexD There are different servers and replacing them is complicated due to running cron jobs. Its not a feasible solution

Score:2

Server

John Mahowald

4/28/23, 3:02 AM

My test for immutable Linux servers would be mounting /usr read only for the duration of the host's lifetime. Debian or Ubuntu boxes with unattended upgrades enabled are not immutable.

But you must still apply updates. New immutable images should be created for every package update of the system software. Lots of images, yes, but the point of immutable is to have a known set of packages, that only changes when replaced atomically by another known set on reboot.

When creating new images, install packages and update all to the latest. Disable unattended upgrades. Possibly remove apt altogether. How to accomplish this varies, could be preseed scripting, or post provisioning commands, or something else. Complete all changes to the system before archiving it as an image.

Over in Red Hat land, they have ostree for an atomic upgrade system, and composer aka image builder for image creation in general. Ubuntu possibly has an answer to these.

0 + 0

Niro

4/28/23, 1:10 PM

Thanks @john. I understand what you're saying but there must be a better way

John Mahowald

4/28/23, 1:48 PM

What do you need improved? You asked for an immutable system. And all software must be updated, this is the same servicing you had to do before, delivered differently.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Best practice for unattended upgrades on immutable servers

TH: แนวทางปฏิบัติที่ดีที่สุดสำหรับการอัปเกรดแบบอัตโนมัติบนเซิร์ฟเวอร์ที่ไม่เปลี่ยนรูป

RO: Cele mai bune practici pentru upgrade-uri nesupravegheate pe servere imuabile

VI: Phương pháp hay nhất để nâng cấp không giám sát trên các máy chủ không thay đổi

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.