sec(upgrades): Upgrade and reboot automation

Servers need to be updated regularly.

1. They should have operational unattended-upgrades.
2. Automatic reboot is to be done to apply new kernel. Reboot only at night and only if needed.

1. unattended-upgrades

This role haven't been reported from original project.

requirements.yml

  - name: jnv.unattended-upgrades
    version: v1.12.2

security.yml

# https://github.com/jnv/ansible-role-unattended-upgrades#readme
unattended_mail:                  "{{ admin_mail }}"
unattended_mail_only_on_error:    True
unattended_automatic_reboot:      False

2. Automatic reboot

Maybe set unattended_automatic_reboot to True is enough.
security.yml

# https://github.com/jnv/ansible-role-unattended-upgrades#readme
unattended_mail:                  "{{ admin_mail }}"
unattended_mail_only_on_error:    True
unattended_automatic_reboot:      True

If not, a script in crontab which test result of needrestart -q command.

added To Do label

added critical enhancement version::1.1.3 labels

assigned to @arthur.boudreault

changed the description

created branch 81-sec-upgrades-upgrade-and-reboot-automation to address this issue

mentioned in merge request !58

@michel-thomas When we talk about unattended upgrades, are we talking about security updates and Linux kernel updates for example? Or are we also talking about php updates, yunohost packages updates...?

unattended-upgrades is a Debian package that check updates every night, and is configured to apply all updates, or only security ones, or nothing. Default of this role (jnv.unattended-upgrades) is "only security".

When current update comes, nothing is done.
When security update comes, apt upgrade -y is launched, so current updates are also applied (because apt is applied to all updates by default).
But kernel updates, event if they are security updates and are installed, are not effective because they need reboot. And I configured this role to not reboot automatically.

Is there a possibility to only upgrade security updates with apt upgrade -y? Is it not dangerous to apply updates every time, whatever their criticality? In any case having a thorough monitoring of our YunoHost services would greatly help us to avoid being caught by surprise by a "bad upgrade".

This is how Debian works : apt upgrade is for all packages at once.

To only apply security updates, we have two ways:

1. change /etc/apt/sources.list and only keep security repository. Not acceptable.
2. pipe apt install with debsecan result, this tool lists CVE and other security updates. An using apt install instead of apt upgrade will only apply for listed packages. Too complicated and too risky.

Upgrade all in once when security updates appear is what I practice since 8 years, and very few problems occurs. Avoiding automatic reboot is a prudent approach, but not realistic with a great bunch of servers, so I have to change my mind and allow automatic reboot.

Some complement:

• all servers should be monitored. If something bad happens, we should be pinned.
• these servers are monolithic, no high availability, neither redundancy. Regular reboot is expected, and should only be launched for kernel updates (approximately once a month).

Okay. I have just checked and YunoHost apps are not updated through apt update which is a good thing because this is usually where things may get ugly (I've had some issues trying to update YunoHost apps recently and so it's easier to do it manually I guess).

News from galaxy!

https://galaxy.ansible.com/jnv/unattended-upgrades is deprecated

Please look at https://galaxy.ansible.com/weareinteractive/apt

Indeed, the maintained fork is here

Ok, let's go !

added Need review label and removed To Do label

Hello! This looks very useful and important security-wise, I would just like to mention that it could be interesting to add a warning (a simple mail to an admin user for example) when the reboot is needed and will happen. I see one use case (which, what a surprise, is mine ) - I need to unlock my LUKS device for my yunohost server to be able to start. With the email I would know that the server will reboot, or I can make sure I reboot it myself.

P.S.: writing this comment made me think that a simple cronjob, doing cat /var/run/reboot-required or something similar would do the trick too

All in all, thanks for your work, you're making my life of a hobbyist sysadmin so much easier

Hello and thanks for your encouragement!

Postponed reboot is a good idea in your case, but implies other major changes in our roles usage:

• we should intercept this /var/run/reboot-required flag and remove it
• then send an email to alert admin that a reboot is required
• and finally set the flag at a T+delay time which could be variable depends on adminsys

It seams a bit too complicated for now, and I prefer you open a new issue for this.

Workaround waiting this, is to set:

• apt_unattended_upgrades_automatic_reboot: no
• apt_unattended_upgrades_notify_error_only: no
• and reboot manually when asked to do

added Doing label and removed Need review label

changed milestone to %1.3.0

removed version::1.1.3 label

added 1.3.0 label

added To Do label and removed Doing label

added Doing label and removed To Do label