How to automate security updates

So with EE4, I know we are moving to a Docker-style system and some things are different.

On my EE3 box, I was using this to automate Ubuntu security updates...

So... I was just curious what the best course of action was for this. I can’t log into the terminal every day and check for security updates on my VPS.

Does everything mentioned in the linked article still apply to EE4? Even adding NGINX and MariaDB to the Unattended-Upgrade::Package-Blacklist in the way it suggests?

Thanks in advance!

I ask, because step 3 says to sudo nano /etc/apt/apt.conf.d/20auto-upgrades, but that file doesn’t exist so I’m essentially creating that file with the following contents...

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";

And I just wanted to make sure if that was the correct thing to do or not.

@Endda In v4, your whole stack is on Docker. So to update any part of the server stack (nginx, php, etc.) you have to update the container images. As that can only be done by EE devs, you don’t need to worry about it.

The EE team will keep tabs on upstream dependencies and keep updating the Docker images. Hence all you have to do to ensure that everything is up to date is keep updating EE to the latest version.

This is another benefit of v4: we’ll be able to ship updates to the stack much more easily and reliably than before :slight_smile: :rocket:

Yeah, so there’s a lot here that isn’t laid out and is only confusing me...

There’s a reason why the original link I provided shows you how to keep security updates auto-applied in your Linux distro while leaving everything else alone. If a big component receives a major update and the website is not compatible with it, then it can break your website.

Firstly, how should I set up my VPS so that security updates get applied automatically? The second half of step 2 of that guide talks about leaving some things out, for example NGINX, MariaDB, etc.

To be clear here, with EE4 installed, what do I need to add to that blacklist because, as you said, “your whole stack is on docker”? That tutorial gave clear examples of adding NGINX and MariaDB, which make sense for EE4 because they are part of the LEMP stack, AND they gave the proper syntax.

With EE4 installed, what else needs to go into that blacklist file since they are being handled by EE4? And what is the proper syntax (e.g., “PHP” or “PHP7” or “PHP7.2”, etc.)?

Keeping a VPS updated with security updates is important, so if I leave something out here, or put in something that I’m not supposed to, then my whole server could go down.

Then, with you saying

  • all you have to do to ensure that everything is up to date is keep updating EE and to the latest version

...you’re basically asking me to log into the terminal and do an “ee cli update” every day to make sure those Docker containers are updated? I just found out how to ‘watch’ the EE GitHub, so I can at least know when to do these updates, but how are these updates handled?

Will an update to EE4.0.5 (for example) update the PHP docker to default to the new PHP 7.3? Or since EE4 ships with PHP 7.2, will it stay on 7.2 forever?

This is not something that I’m too sure of, and you would have to experiment yourself to see if it works.

  • With EE4 installed, what else needs to go into that blacklist file since they are being handled by EE4? And what is the proper syntax?

I’m not sure of syntax as I haven’t used that package myself, but you need to blacklist PHP and Docker in it. Only allow security updates on both of them.

EE team will communicate to users if dependencies on the host need to be updated.

  • ...you’re basically asking me to log into the terminal and do an “ee cli update” every day to make sure those Docker containers are updated? I just found out how to ‘watch’ the EE GitHub, so I can at least know when to do these updates, but how are these updates handled?

Currently, I don’t have a solution that’s guaranteed to work, and even running ee cli update on cron might introduce some problems. So as I said before, it is something that you might have to test and see if it works for you. For now, this step is best performed manually when you get notified by GitHub of a new EE release.
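An added example (not from this thread and not EasyEngine’s own guidance) covering the two questions above: what the Package-Blacklist syntax looks like, and which packages a given blacklist would actually hold back. The 20auto-upgrades file posted earlier only switches the periodic run on; what that run is allowed to touch lives in /etc/apt/apt.conf.d/50unattended-upgrades, which the embedded SAMPLE_CONF mimics. The example assumes unattended-upgrades’ documented behaviour that each blacklist entry is a regular expression matched against the start of the package name (the stock config’s own comment gives "linux-" as matching every linux-* package); the entry names and the candidate package list are constructed here for illustration. Confirm on a real host with `sudo unattended-upgrade --dry-run --debug`.

```python
import re

# Constructed stand-in for /etc/apt/apt.conf.d/50unattended-upgrades.
# The four blacklist entries follow the packages named in the thread;
# they are this example's assumption, not an EE recommendation.
SAMPLE_CONF = r'''
// Only pull from the security pocket. Leaving -updates commented out is
// what keeps this to "security updates only".
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};

// Entries are regular expressions matched against the START of the
// package name, so "php" covers php7.2-fpm, php7.2-cli, ... and
// "docker" covers docker-ce (but not containerd.io).
Unattended-Upgrade::Package-Blacklist {
    "nginx";
    "mariadb";
    "php";
    "docker";
};
'''


def parse_list_option(conf_text, option):
    """Return the quoted entries of an apt.conf list option such as
    Unattended-Upgrade::Package-Blacklist { "a"; "b"; };
    Lines (or line tails) after // are treated as comments."""
    body = re.search(re.escape(option) + r"\s*\{(.*?)\};", conf_text, re.S)
    if body is None:
        return []
    entries = []
    for line in body.group(1).splitlines():
        line = line.split("//", 1)[0]            # drop // comments
        entries.extend(re.findall(r'"([^"]*)"', line))
    return entries


def is_blacklisted(pkgname, blacklist):
    """Mirror unattended-upgrades' check (assumption, see lead-in): a
    package is skipped if any blacklist regex matches at the start of
    its name."""
    return any(re.match(pattern, pkgname) for pattern in blacklist)


def partition_candidates(conf_text, candidates):
    """Split upgrade candidates into (would_upgrade, held_back) using the
    Package-Blacklist found in conf_text."""
    blacklist = parse_list_option(conf_text, "Unattended-Upgrade::Package-Blacklist")
    held = [p for p in candidates if is_blacklisted(p, blacklist)]
    ok = [p for p in candidates if p not in held]
    return ok, held


# Constructed list of packages that might show up as upgradable on the host.
CANDIDATES = [
    "openssl", "libssl1.1", "nginx", "nginx-common", "mariadb-server",
    "php7.2-fpm", "docker-ce", "containerd.io", "linux-image-generic",
]

if __name__ == "__main__":
    ok, held = partition_candidates(SAMPLE_CONF, CANDIDATES)
    print("allowed origins:", parse_list_option(SAMPLE_CONF, "Unattended-Upgrade::Allowed-Origins"))
    print("would upgrade  :", ok)
    print("held back      :", held)
```

Two caveats worth knowing before copying the blacklist onto an EE4 host. First, a blacklisted package is skipped regardless of which origin the fix comes from, so with "docker" in the list Docker’s own security releases will not be applied automatically and must be installed by hand; "only security updates" is controlled by Allowed-Origins, not by the blacklist. Second, on a v4 host nginx, MariaDB and PHP normally are not installed as host packages at all (they run inside the containers), so those entries are harmless but also do nothing; `dpkg -l | grep -E 'nginx|mariadb|php'` shows whether any are present.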

Hi @Endda

Did you find a solution / proper way to have automatic updates on the server? I usually follow these steps on all my new servers: https://www.codelitt.com/blog/my-first-10-minutes-on-a-server-primer-for-securing-ubuntu/

Should I keep doing it? Any changes I must make?

@kirtan Any further advice?