I've got many virtual private servers, each needing some apt-get upgrade -y
lovin' from time to time.
(Ubuntu 18.04)
Problems I face:
- I don't have time to upgrade each one manually.
- I don't want to put apt-get upgrade -y into a routine cron task because I want to know and control the servers' state.
- Upgrading over breakable ssh?? Preach at me about the safeguards in place, but I'd rather pass.
- There's a bug in the cloud images that might have been making interactive dialogs on upgrades (see the ubuntu-dev email below) ...I want to be bug-proof, kind of, if that's possible.
(Presume I've got apt update solved.)
Proposed solution in-progress: Run a test upgrade, then tell all other machine crons to upgrade—but how?
1. Have a cron-run script that runs an if... -f test for a file, say .medoupgrade; if true, it runs the apt-get upgrade -y then deletes the .medoupgrade file.
2. I run a manual upgrade on my test server. If I'm happy, then I ssh user@vps 'touch .medoupgrade' to my machines; each machine's cron will see it and upgrade one time.
3. What in the name of Linus-Sam Hill should go in the cron upgrader script??
Two questions, kind of:
1. Is my above method in 1–2 so far okay? Silly? Smart? Someone already dunnit?
I mean, I don't exactly see loads of people talking about their cron updates looking for .medoupgrade jobs. I can't find any, actually. But, I also don't see people blogging everyday about some other standard way to upgrade multiple servers at once either. All I see is everyone doing apt-get upgrade -y on their servers like it's from a favorite tattoo shop—or coffee mug.
My $64,000 Question:
2. What "safely" goes into a script that runs apt-get upgrade -y?
Is it safe to just put apt-get upgrade -y into a script on a VPS?
If I'm going to have a script run an upgrade while I'm not watching—not regularly, but still while I'm not watching—what's the safest way?
Digging already done:
They answered me: Ubuntu-devel-discuss Digest, Vol 144, Issue 13 – 1. Re: No more dialog in apt upgrade -y events
Here's the important part of what they said:
In your case, using DEBIAN_FRONTEND=noninteractive, running apt-get with -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" and redirecting stdin from /dev/null is probably appropriate.
Are they right, is that what I should run instead of apt-get upgrade -y? If so, what does all that look like in a script that's safe to run without me watching?
0 Answers
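
One way the cron upgrader script from the question could look, as an added example that is not part of the original post: it combines the .medoupgrade flag-file trigger with the apt-get options quoted from the ubuntu-devel reply. The install path, cron schedule, FLAG and LOG locations, and the .running/.failed marker names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Install path, cron schedule, FLAG
# and LOG locations are assumptions; the apt-get options are the ones quoted
# from the ubuntu-devel reply.
#   cron (root), e.g.:  */10 * * * * /usr/local/sbin/medoupgrade.sh --run
FLAG="${FLAG:-/home/user/.medoupgrade}"   # created by: ssh user@vps 'touch .medoupgrade'
LOG="${LOG:-/var/log/medoupgrade.log}"

do_upgrade() {
    # No prompts, keep locally modified config files, no stdin to read from.
    DEBIAN_FRONTEND=noninteractive apt-get -y \
        -o Dpkg::Options::="--force-confdef" \
        -o Dpkg::Options::="--force-confold" \
        upgrade </dev/null
}

# upgrade_if_flagged FLAGFILE [COMMAND...]
# Runs COMMAND (default: do_upgrade) once per flag file. Leaves FLAGFILE.failed
# behind on error so the server's state stays visible; returns COMMAND's status.
upgrade_if_flagged() {
    flag="$1"; shift
    [ "$#" -gt 0 ] || set -- do_upgrade
    [ -f "$flag" ] || return 0            # no request pending
    [ ! -e "$flag.running" ] || return 0  # previous run not finished (or crashed)
    # Atomic claim: the rename succeeds for one process only, so overlapping
    # cron runs cannot start two upgrades from the same request.
    mv -f "$flag" "$flag.running" 2>/dev/null || return 0
    status=0
    "$@" || status=$?
    if [ "$status" -eq 0 ]; then
        rm -f "$flag.running" "$flag.failed"
    else
        mv -f "$flag.running" "$flag.failed"
    fi
    return "$status"
}

if [ "${1:-}" = "--run" ]; then
    upgrade_if_flagged "$FLAG" >>"$LOG" 2>&1
fi
```

A leftover .medoupgrade.failed or a long-lived .medoupgrade.running file on a server is the signal to look at the log before touching the flag again.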