| | 1 | = Unattended Upgrades = |
| | 2 | |
| | 3 | May First/People Link keeps servers up to date using [https://wiki.debian.org/UnattendedUpgrades unattended upgrades], meaning that most software packages are upgraded automatically as new releases are made via Debian. |
| | 4 | |
| | 5 | == Phase in == |
| | 6 | |
| | 7 | We are phasing in this policy. During the initial phase, the default setting will use the default settings of the unattended upgrades package - namely, only security packages from Debian will be upgraded. |
| | 8 | |
| | 9 | In the second phase, we will expand this to all Debian packages except backports. |
| | 10 | |
| | 11 | == Configuration == |
| | 12 | |
| | 13 | Unattended backups are configured on a per-server basis via the server's .pp file in puppet. |
| | 14 | |
| | 15 | Here's a sample default: |
| | 16 | |
| | 17 | {{{ |
| | 18 | class { "mayfirst::m_unattended_upgrades": |
| | 19 | uu_upgrade_email => $parent |
| | 20 | } |
| | 21 | }}} |
| | 22 | |
| | 23 | The $parent variable is pulled in from the top of the file where the email address of the server's parent should be identified. This email address will receive a message if there are any errors during the upgrade. |
| | 24 | |
| | 25 | This configuration will only upgrade security packages during the initial phase, and later will be expanded to include all Debian packages except backports. This default can be changed by passing in a new `$uu_origin_patterns` variable. Some examples include: |
| | 26 | |
| | 27 | {{{ |
| | 28 | uu_origin_patterns => "origin=*" # Upgrade everything from any repo |
| | 29 | uu_origin_patterns => "a=stable" # Only upgrade from stable archive |
| | 30 | }}} |
| | 31 | |
| | 32 | In addition, you can specify packages that should ''not'' be upgraded with: |
| | 33 | |
| | 34 | {{{ |
| | 35 | uu_package_blacklist => [ "freeswitch*", "certbot" ] |
| | 36 | }}} |
| | 37 | |
| | 38 | (Note - wildcards are possible. Also, pinning is respected.) |
| | 39 | |
| | 40 | == Notes == |
| | 41 | |
| | 42 | As parent, you can take steps to retain control over the upgrade process. Some steps you may consider: |
| | 43 | |
| | 44 | * In the server $purpose string, provide explicit directions to other team members about when and how you want help (e.g. Hands off, never touch please). |
| | 45 | * Comment out the unattended upgrades entirely and leave a comment explaining why and under what circumstances you are ok with another team member upgrading a package (e.g. only upgrade under critical security vulnerability) |
| | 46 | * Adding packages to the black list (implies that you don't want other admins upgrading them). Commenting is useful here so we know why |
| | 47 | * |
| | 48 | |
