Thank you very much! Your comments have been really helpful.

Cheers,
Mario

On Sat, Jan 31, 2015 at 12:53 PM, Michael Zoet <[email protected]> wrote:
> Hi,
>
>> Hello List,
>>
>> i have got about 50 Debian 6+7 Servers. They are doing all kinds of
>> things like Webserver, Mailserver, DNS, etc…
>>
>> I am using apticron to keep track of the updates, but i seem to use
>> more and more time updating the hosts.
>
> I use apticron, cron-apt on various servers for several years now and never
> had an issue with them.
>
>> Recently i came across the unattended-upgrade project
>> https://wiki.debian.org/UnattendedUpgrades.
>>
>> Do you think it is a good idea to do security updates automatically?
>
> I use unattended upgrades so far only for one server for some months. Never
> had an issue with it. But for me there is not much difference in using
> apticron, cron-apt or unattended upgrades mechanism.
>
>> I
>> just don’t want to wake up one morning not having ssh access to my
>> Servers because an update broke everything. The servers are still very
>> important. I should not crash them at any time. On the other hand i
>> would like to be up2date with my security patches.
>
> Normally these tools only install security updates in a safe way. Meaning
> they should not do a major version upgrading of any installed software. So
> breaking something is most unlikely but no one can guarantee that. That's
> why you should always have a plan b, regardless what you set up. How this is
> set up depends heavily on your network layout and what kind of hardware or
> virtualization is used.
>
>> Is anyone else facing the same problem? What are your experiences
>> doing (blind) automatic security updates.
>>
>> Or are you maybe using something completely different like puppet?
>
> You can do updates with Puppet (or every other configuration management tool
> you like) but using it for updating the whole system is not the way I would
> go. You would need to create a complete list of installed packages on the
> server and keep this up2date in Puppet. This only moves the problem to
> Puppet... And then you might have different package base on different
> servers. This also needs to be tracked. Other tools (like the mentioned 3) are
> better for this. But you should use Puppet (or every other configuration
> tool) to set up an automatic security update mechanism.
>
>> What's your practical experience with lots of servers? (i am not
>> interested in theoretical advice :-P )
>
> If you have "lots" (for some this means 1000 of servers, for others 10 is
> already a lot...) of servers you should use a configuration management tool
> that automatically sets up automatic security updates. The mentioned tools
> already provide you with everything you need on a Debian system. What you
> use is a matter of taste.
> In the past years I have set up this mechanism on about 400 servers and never
> had real big issues. Sometimes the package list updates are stuck but mostly
> recover in the next try. And if something is really wrong you can always
> login to the server and repair the problem manually. Monitoring these kind
> of things is really important but is a completely different topic.
>
> Michael

