Debian considering automated upgrades
The Debian project is looking at possibly making automatic minor upgrades to installed packages the default for newly installed systems. While Debian has a reliable and stable package update system that has been an inspiration for multiple operating systems (the venerable APT), upgrades are, usually, a manual process on Debian for most users.
The proposal was
brought up
during the
Debian
Cloud sprint in November
by longtime Debian Developer Steve McIntyre. The rationale was to
make sure that users installing Debian in the cloud have a "secure"
experience by default, by installing and configuring the
unattended-upgrades
package
within the images. The unattended-upgrades package contains a Python
program that automatically performs any pending upgrade and is
designed to run unattended. It is roughly the equivalent of doing
apt-get update; apt-get upgrade in a cron job, but
has special code
to handle error conditions, warn about reboots, and selectively upgrade
packages. The package was originally written for Ubuntu by Michael
Vogt, a longtime Debian developer and Canonical employee.
Since there was a concern that Debian cloud images would be different
from normal Debian installs, McIntyre suggested installing
unattended-upgrades by default on all Debian installs, so that
people have a consistent experience inside and outside of the cloud. The
discussion that followed was interesting as it brought up key issues
one would have when deploying automated upgrade tools, outlining
both the benefits and downsides to such systems.
Problems with automated upgrades
An issue raised in the following discussion is that automated upgrades may create unscheduled downtime for critical services. For example, certain sites may not be willing to tolerate a master MySQL server rebooting in conditions not controlled by the administrators. The consensus seems to be that experienced administrators will be able to solve this issue on their own, or are already doing so.
For example, Noah Meyerhans, a
Debian developer,
argued
that "any reasonably well managed production host is going to be
driven by some kind of configuration management system
" where
competent administrators can override the defaults. Debian, for
example, provides the policy-rc.d
mechanism
to disable service restarts on certain packages out of the
box. unattended-upgrades also features a way to disable upgrades on
specific packages that administrators would consider too sensitive to
restart automatically and will want to schedule during maintenance
windows.
Reboots were another issue discussed: how and when to deploy kernel
upgrades? Automating kernel upgrades may mean data loss if the reboot
happens during a critical operation. On Debian systems, the kernel
upgrade mechanisms already provide a /var/run/reboot-required flag
file that tools can monitor to notify users of the required
reboot. For example, some desktop environments will popup a warning
prompting users to reboot when the file exists, although Debian
doesn't currently feature an equivalent warning for command-line
operation. Vogt suggested
that the warning could be shown along with the usual /etc/motd
announcement.
The ideal solution here, of course, is reboot-less kernel upgrades, which is also known as "live patching" the kernel. Unfortunately, this area is still in development in the kernel (as was previously discussed here). Canonical deployed the feature for the Ubuntu 16.04 LTS release, but Debian doesn't yet have such capability, since it requires extra infrastructure among other issues.
Furthermore, system reboots are only one part of the problem. Currently, upgrading packages only replaces the code
and restarts the primary service shipped with a given package. On
library upgrades, however, dependent services may not necessarily
notice and will keep running with older, possibly vulnerable,
libraries. While libc6, in Debian, has special code to restart
dependent services, other libraries like libssl do not notify
dependent services that they need to restart to benefit from
potentially critical security fixes.
One solution to this is the
needrestart package which
inspects all running processes and restarts services as necessary. It
also covers interpreted code, specifically Ruby, Python, and Perl. In
my experience, however, it can take up to a minute to inspect all
processes, which degrades the interactivity of the usually satisfying
apt-get install process. Nevertheless, it seems like
needrestart
is a key component of a properly deployed automated upgrade system.
Benefits of automated upgrades
One thing that was less discussed is the actual benefit of automating
upgrades. It is merely described as "secure by default
" by
McIntyre in
the proposal, but no one actually expanded on this much. For me,
however, it is now obvious that any out-of-date system will be
systematically attacked by automated probes and may be taken over to the
detriment of the whole internet community, as we are seeing with
Internet of Things devices. As Debian Developer Lars Wirzenius said:
One could compare automated upgrades with backups: if they are not automated, they do not exist and you will run into trouble without them. (Wirzenius, coincidentally, also works on the Obnam backup software.)
Another benefit that may be less obvious is the acceleration of the feedback loop between developers and users: developers like to know quickly when an update creates a regression. Automation does create the risk of a bad update affecting more users, but this issue is already present, to a lesser extent, with manual updates. And the same solution applies: have a staging area for security upgrades, the same way updates to Debian stable are first proposed before shipping a point release. This doesn't have to be limited to stable security updates either: more adventurous users could follow rolling distributions like Debian testing or unstable with unattended upgrades as well, with all the risks and benefits that implies.
Possible non-issues
That there was not a backlash against the proposal surprised me: I expected the privacy-sensitive Debian community to react negatively to another "phone home" system as it did with the Django proposal. This, however, is different than a phone home system: it merely leaks package lists and one has to leak that information to get the updated packages. Furthermore, privacy-sensitive administrators can use APT over Tor to fetch packages. In addition, the diversity of the mirror infrastructure makes it difficult for a single entity to profile users.
Automated upgrades do imply a culture change, however: administrators approve changes only a posteriori as opposed to deliberately deciding to upgrade parts they chose. I remember a time when I had to maintain proprietary operating systems and was reluctant to enable automated upgrades: such changes could mean degraded functionality or additional spyware. However, this is the free-software world and upgrades generally come with bug fixes and new features, not additional restrictions.
Automating major upgrades?
While automating minor upgrades is one part of the solution to the problem of security maintenance, the other is how to deal with major upgrades. Once a release becomes unsupported, security issues may come up and affect older software. While Debian LTS extends releases lifetimes significantly, it merely delays the inevitable major upgrades. In the grand scheme of things, the lifetimes of Linux systems (Debian: 3-5 years, Ubuntu: 1-5 years) versus other operating systems (Solaris: 10-15 years, Windows: 10+ years) is fairly short, which makes major upgrades especially critical.
While major upgrades are not currently automated in Debian, they are
usually pretty simple: edit sources.list then:
# apt-get update && apt-get dist-upgrade
But the actual upgrade process is really much
more complex. If you run into problems with the above commands, you will
quickly learn that you should have followed the
release notes,
a whopping 20,000-word, ten-section document that outlines all the
gory details of the release. This is a real issue for large
deployments and for users unfamiliar with the command line.
The solutions most administrators seem to use right now is to roll their own automated upgrade process. For example, the Debian.org system administrators have their own process for the "jessie" (8.0) upgrade. I have also written a specification of how major upgrades could be automated that attempts to take into account the wide variety of corner cases that occur during major upgrades, but it is currently at the design stage. Therefore, this problem space is generally unaddressed in Debian: Ubuntu does have a do-release-upgrade command but it is Ubuntu-specific and would need significant changes in order to work in Debian.
Future work
Ubuntu currently
defaults to "no automation"
but, on install, invites users to enable unattended-upgrades or
Landscape, a proprietary
system-management service from
Canonical. According to Vogt, the company supports both projects
equally as they differ in scope: unattended-upgrades just upgrades
packages while Landscape aims at maintaining thousands of machines
and handles user management, release upgrades, statistics, and
aggregation.
It appears that Debian will enable unattended-upgrades on
the images
built for the cloud by default. For regular installs, the consensus that
has emerged
points at the Debian installer prompting users to ask if
they want to disable the feature as well. One reason why this was not
enabled before is that unattended-upgrades had serious bugs in
the past that made it less attractive. For example, it would simply
fail to follow security updates,
a major bug that was fortunately promptly fixed by the maintainer.
In any case, it is important to distribute security and major upgrades on Debian machines in a timely manner. In my long experience in professionally administering Unix server farms, I have found the upgrade work to be a critical but time-consuming part of my work. During that time, I successfully deployed an automated upgrade system all the way back to Debian woody, using the simpler cron-apt. This approach is, unfortunately, a little brittle and non-standard; it doesn't address the need of automating major upgrades, for which I had to revert to tools like cluster-ssh or more specialized configuration management tools like Puppet. I therefore encourage any effort towards improving that process for the whole community.
More information about the configuration of unattended-upgrades can be found in the Ubuntu documentation or the Debian wiki.
| Index entries for this article | |
|---|---|
| Security | Distribution security |
| GuestArticles | Beaupré, Antoine |
Posted Dec 15, 2016 6:20 UTC (Thu)
by tnoo (subscriber, #20427)
[Link] (13 responses)
And on desktops: do we want reboots during presentations, or major changes in software before an extended trip without reasonable internet connection? Don't follow the path of commercial dummy-user systems, we're all adults here.
Posted Dec 15, 2016 13:15 UTC (Thu)
by mikapfl (subscriber, #84646)
[Link] (1 responses)
Posted Dec 16, 2016 0:57 UTC (Fri)
by pabs (subscriber, #43278)
[Link]
The browsers are updated to new major versions in Debian stable, since there is no sane way to provide normal security updates for browsers in 2016. Luckily Firefox has ESR, but still, that will eventually lead to having to backport Rust to be able to compile Firefox ESR.
Posted Dec 15, 2016 13:44 UTC (Thu)
by itvirta (guest, #49997)
[Link] (1 responses)
Library upgrades are usually done by unlinking the old version and creating a new one, instead of overwriting the file,
> or upon a new start of the software (triggered by scripts or events), will eventually lead to problems that are unpredictable and difficult to recover from.
If a stable update contains more than bugfixes or the like, thus breaking any sensible application, I would count that as a bug with the updated package itself.
> do we want reboots during presentations
Of course not. But unattended-upgrades doesn't reboot, it merely sends an email suggesting nicely that you might want to.
Posted Dec 16, 2016 4:04 UTC (Fri)
by zlynx (guest, #2285)
[Link]
For example, some binary data file that is used by a set of applications. It is accessed through a library. The main application keeps on running, using the old library and the old data file.
But wait! What happens when some innocent DBUS event launches one of these small utility programs? It spins up, the new library determines that it should upgrade the binary data file, it locks it, updates it IN PLACE, and continues on. Everyone should be happy right?
No! Suddenly the old app that is still running has a new format to deal with and it has no idea what just happened.
Sometimes I think certain developers never actually use their own stuff. And if I recall correctly this was "fixed" by having the install script just kill everything that could have the file open.
Posted Dec 15, 2016 15:22 UTC (Thu)
by Seegras (guest, #20463)
[Link]
If this really is your problem, the automated upgrades are not your problem.
I usually pummel those who deploy "self-compiled code which requires certain libraries." with some kind of heavy implement, in order to hammer in some sanity into their brains.
Posted Dec 15, 2016 23:38 UTC (Thu)
by mcatanzaro (subscriber, #93033)
[Link] (3 responses)
I'm surprised that Debian is going the complete opposite direction of Fedora here on update reliability. It's one thing to automatically *prompt* users to install updates, or to do so automatically during a reboot... but completely unattended seems to make more sense for servers that are actually unattended.
Posted Dec 16, 2016 1:00 UTC (Fri)
by pabs (subscriber, #43278)
[Link]
Posted Dec 16, 2016 4:10 UTC (Fri)
by zlynx (guest, #2285)
[Link] (1 responses)
Posted Dec 17, 2016 9:31 UTC (Sat)
by Cato (guest, #7643)
[Link]
Posted Dec 15, 2016 23:58 UTC (Thu)
by st (guest, #96477)
[Link]
Posted Dec 16, 2016 1:42 UTC (Fri)
by JanC_ (guest, #34940)
[Link] (2 responses)
* by default it only upgrades for security issues; you could also configure it to only upgrade from your own private tested repository, if you think that's necessary on certain critical systems
etc.
And in any case, removing or disabling it is easy if that's what you really want/need.
Posted Dec 16, 2016 1:48 UTC (Fri)
by JanC_ (guest, #34940)
[Link] (1 responses)
Posted Dec 17, 2016 9:34 UTC (Sat)
by Cato (guest, #7643)
[Link]
Ansible is lightweight compared to Puppet/Chef/Salt etc - only requires SSH and Python on target server (and you can bootstrap to install Python if needed), and is easy to learn since its scripts are executed sequentially. See http://docs.ansible.com/
Posted Dec 16, 2016 10:30 UTC (Fri)
by maniax (subscriber, #4509)
[Link]
For the cattle farms and the pets I run and had run, I've seen very few problems with automated updates in the last 7 years, mostly on servers which were co-administated with people without enough experience. Otherwise, cron-apt does it job pretty well, and if you read debian-security-announce, you know what to expect and if there's something that will affect your code or services.
I've tried to do the path of manual update (first on one server of the cluster, then on the rest), but with the quality of debian security updates, it's a waste of time, the automated stuff just works and you can check it in your email in the morning.
Automated release upgrades are a different matter, but the existing tools make that pretty easy to do them manually and seem to work fine (which has been one of the reasons for my dislike of ubuntu, where those were creating a lot more problems)
Posted Dec 16, 2016 23:01 UTC (Fri)
by davidstrauss (guest, #85867)
[Link]
There is no such thing as "reboot-less kernel upgrades." There is live kernel patching, where you inject a modified implementation or filtering routine (usually to mitigate a vulnerability), but you're still running the old kernel. Eventually, such live patches will stack up and be too unwieldy to keep adding -- and the box will need to reboot. These live patches also have to be specifically implemented as live patches; you can't just take a kernel diff and naively make one. (For example, the upstream fix may alter a key data structure in the kernel, while a live patch usually can't do that and has to take a different approach.)
I'm no aware of any vendor, even the enterprise ones, that promises the ability to perpetually avoid reboots.
Posted Dec 18, 2016 12:33 UTC (Sun)
by kooky (subscriber, #92468)
[Link] (1 responses)
Mix together with https://packages.debian.org/jessie-backports/reboot-notifier and I know when I need to reboot. (makesure cron can send email)
[ I've always meant to write a script to do overnight reboots based on reboot-notifier, but I just haven't done it yet ]
It just works. I'd rather be secure and have a 30 second overnight outage every few months.
For a few absolutely critical servers, I do updates manually.
The needrestart package described is good, but it really doesn't work well with unattended upgrades.
Posted Dec 18, 2016 14:32 UTC (Sun)
by pabs (subscriber, #43278)
[Link]
Posted Dec 18, 2016 20:58 UTC (Sun)
by satbyy (guest, #107278)
[Link] (1 responses)
Posted Dec 18, 2016 22:50 UTC (Sun)
by pabs (subscriber, #43278)
[Link]
Debian considering automated upgrades
Well, on a compute node that runs some brittle self-compiled code, you just opt out of the automated upgrades. We are only talking about the default value changing, debian will certainly not make it impossible to change the configuration.
Debian considering automated upgrades
And for your fear of desktop usage breaking due to "major changes in software": We are talking about debian stable updates here. There are no major changes in software in debian stable, that's the point of debian stable. By the way: On the desktop, all the big desktop environments already have their own automated or semi-automated updating systems, so for the desktop this is not even new, it is the reality already.
Debian considering automated upgrades
Debian considering automated upgrades
which would corrupt the binary image in memory.
Of course, if you're running something very sensitive, disable the automatic updates.
Debian considering automated upgrades
Debian considering automated upgrades
> which requires certain libraries.
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
* it allows for a configurable blacklist of packages that will never be upgraded
* it can try to fix interrupted upgrades automatically (or you can disable this)
* you can configure it to delay upgrades until shutdown/reboot
* automatic reboot is possible but optional, can be scheduled to happen immediately or at a particular time, and when disabled it's easy for other programs or scripts to check if a reboot is wanted at a more opportune moment
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
(and you need to remember to set to hold mysql and whatever db server you use, to skip the downtime on that and because that upgrade is one of those you need to watch)
Debian considering automated upgrades
Debian considering automated upgrades
Debian considering automated upgrades
I have been using Debian considering automated upgrades
checkrestart all these days. Is needrestart any different ? Both seem to do the same thing.
Debian considering automated upgrades