Automatic security updates
Background
TurnKey automatically installs the latest security updates over the network:
- The first time you boot a new appliance deployment (you can choose to skip this)
- Every night, around 4 AM.
Automatically updating software is usually considered a risky practice, since updates may occasionally break existing functionality (e.g., changes to file formats, software interfaces, or expected behavior).
Ubuntu and Debian mitigate this risk by carefully backporting security fixes so that security updates change as little as possible, minimizing the likelihood that things will break.
In practice we've found it is very rare for an Ubuntu security update to break something, so we believe it is beneficial to configure software appliances to auto-update security fixes by default. Advanced users can always disable this mechanism and apply security fixes manually if they want.
Caution: This isn't 100% foolproof. Make sure we can reach you.
Unfortunately, we can't fix everything automatically so it's still very important that we be able to contact you when necessary. Make sure you're subscribed to TurnKey's low-traffic announcements newsletter.
Otherwise you may not know that a problem requires your attention until it's too late. Sure, thanks to automatic security updates we usually don't need to bother you regarding security issues, but there are occasional exceptions...
- Not everything can be updated automatically: automatic security updates only work for supported software that is maintained using the package management system. Not all software is installed through the package management system, and not all software installed through the package management system is supported. See the limitations section below for details.
- Some bugs can break automatic updates: even though security updates change as little as possible and are exceptionally well tested, mistakes can still happen. Usually these can be caught and fixed with another automatic update, but manual intervention is still required for bugs that break the auto-updates mechanism or one of its dependencies (e.g., Ubuntu broke cron).
How it works
Users who wish to tweak the auto-update mechanism may find it helpful to understand how it is set up.
1) A cron job is configured to run cron-apt daily.
# cat /etc/cron.d/cron-apt
#
# Regular cron jobs for the cron-apt package
#
# Every night at 4 o'clock.
0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
2) cron-apt is configured to only update from the security sources list.
$ cat /etc/apt/sources.list.d/security.sources.list
deb http://archive.turnkeylinux.org/ubuntu lucid-security main
deb http://archive.turnkeylinux.org/ubuntu lucid-security universe
deb http://archive.ubuntu.com/ubuntu lucid-security main
deb http://archive.ubuntu.com/ubuntu lucid-security universe
# deb http://archive.ubuntu.com/ubuntu lucid-security restricted
# deb http://archive.ubuntu.com/ubuntu lucid-security multiverse
3) cron-apt is configured to install the updates automatically:
$ cat /etc/cron-apt/action.d/5-install
autoclean -q -y
dist-upgrade -q -y -o APT::Get::Show-Upgraded=true \
-o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list \
-o Dir::Etc::sourceparts=nonexistent \
-o DPkg::Options::=--force-confdef \
-o DPkg::Options::=--force-confold
4) cron-apt logs to /var/log/cron-apt/log
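The four pieces above (the cron entry, the security-only sources list, the non-interactive dist-upgrade action and the log) are also the four things to verify when auto-updates seem not to be running. The following audit script is an added example written for this page, not TurnKey's own tooling; the function names and the sample files built by make_sample_config are constructed here so the checks can be exercised offline, and the default paths are the ones shown in steps 1 to 4.

```shell
#!/bin/sh
# Audit of the cron-apt setup described in steps 1-4. Added example, not
# TurnKey's own tooling. make_sample_config builds constructed copies of
# the files so the checks can also run without touching a real system.

# Print the hour field of the cron-apt job; fail if no such job is present.
cron_apt_hour() {
    awk '$0 !~ /^#/ && /cron-apt/ { print $2; found = 1 }
         END { exit !found }' "$1"
}

# Succeed only if every active "deb" line in the file points at a
# "-security" suite, so cron-apt cannot drag in ordinary updates.
security_only_sources() {
    awk '/^[[:space:]]*#/ || NF == 0 { next }          # comments and blanks
         $1 == "deb" && $3 !~ /-security$/ { bad++ }
         END { if (bad > 0) exit 1; exit 0 }' "$1"
}

# Succeed only if the action file keeps the safety flags shown in step 3:
# non-interactive (-y), keep the admin's config files on conflict
# (--force-confold) and the sources list pinned to the security file.
install_action_ok() {
    grep -q -- '--force-confold' "$1" &&
    grep -q -- 'dist-upgrade.* -y' "$1" &&
    grep -q -- 'Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list' "$1"
}

# Succeed if the log was modified within the last N days (default 2),
# i.e. the nightly job has actually been running.
log_is_fresh() {
    [ -n "$(find "$1" -mtime -"${2:-2}" 2>/dev/null)" ]
}

# Run all checks; arguments are CRONFILE SOURCES ACTION LOG and default to
# the paths shown in steps 1-4. Returns non-zero on the first failed check.
audit_cron_apt() {
    cron=${1:-/etc/cron.d/cron-apt}
    sources=${2:-/etc/apt/sources.list.d/security.sources.list}
    action=${3:-/etc/cron-apt/action.d/5-install}
    log=${4:-/var/log/cron-apt/log}
    hour=$(cron_apt_hour "$cron") || { echo "FAIL: no cron-apt job in $cron"; return 1; }
    echo "ok: cron-apt scheduled at hour $hour"
    security_only_sources "$sources" || { echo "FAIL: non-security suite in $sources"; return 1; }
    echo "ok: $sources lists only -security suites"
    install_action_ok "$action" || { echo "FAIL: $action lacks expected dist-upgrade flags"; return 1; }
    echo "ok: $action installs non-interactively from the security list"
    log_is_fresh "$log" || { echo "FAIL: $log not updated in the last 2 days"; return 1; }
    echo "ok: $log is fresh"
}

# Constructed sample files for an offline run; prints the scratch directory.
make_sample_config() {
    dir=$(mktemp -d)
    cat >"$dir/cron-apt" <<'EOF'
# Every night at 4 o'clock.
0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
EOF
    cat >"$dir/security.sources.list" <<'EOF'
deb http://archive.turnkeylinux.org/ubuntu lucid-security main
deb http://archive.ubuntu.com/ubuntu lucid-security main
# deb http://archive.ubuntu.com/ubuntu lucid-security multiverse
EOF
    # a deliberately wrong variant: a plain "lucid" suite slipped in
    { cat "$dir/security.sources.list"
      echo "deb http://archive.ubuntu.com/ubuntu lucid universe"; } >"$dir/mixed.sources.list"
    cat >"$dir/5-install" <<'EOF'
autoclean -q -y
dist-upgrade -q -y -o APT::Get::Show-Upgraded=true \
 -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list \
 -o DPkg::Options::=--force-confdef \
 -o DPkg::Options::=--force-confold
EOF
    : >"$dir/log"            # an empty but freshly written log
    echo "$dir"
}

# On a live appliance, run:  audit_cron_apt
# Offline demo:  d=$(make_sample_config)
#                audit_cron_apt "$d/cron-apt" "$d/security.sources.list" "$d/5-install" "$d/log"
```

The sources check is the one most worth keeping: if a plain "lucid" or "lucid-updates" line ever finds its way into security.sources.list, the nightly job silently becomes a full unattended upgrade, which is exactly the risk the Background section describes.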
Installing security updates on-demand
You can invoke the cron-apt script described above from the command line at any time (e.g., if you don't feel like waiting for the nightly security updates cron job):
/usr/sbin/cron-apt
Limitations
TurnKey Linux 11 is based on Ubuntu 10.04 (Lucid), a Long Term Support release for which Canonical (Ubuntu's sponsor) has guaranteed free security updates until April 2015.
This guarantee is limited to packages in the "main" component of the Ubuntu package repositories, which comprises roughly 7000 of the most important packages and provides good coverage for the core operating system.
However, Canonical's Long Term Support guarantee does not apply to:
- Non-main packages: packages in non-main components of the Ubuntu repositories (e.g., "universe" and "multiverse") are not guaranteed by Canonical, though updates to non-main packages may still be provided by the Ubuntu community.
  When required and when there are no better alternatives, a TurnKey appliance may contain non-main packages. Usually this is for software with low security sensitivity.
- TurnKey Linux custom packages: TurnKey contains a few custom packages which are updated directly by the Core developers from the project's cryptographically signed package repository.
- Software installed from source code: unfortunately, many of the most popular open source web applications (e.g., Joomla) are not packaged by Ubuntu or Debian. This means that they have to be installed and maintained by hand directly from upstream source code, and no automatic security updates can be provided through the package management system.
  Fortunately, most web applications run with reduced privileges and are developed in high-level programming languages that are less susceptible to many of the most serious low-level security vulnerabilities. Also, in the appliance model, each application is confined to its own virtual machine. This limits the potential damage somewhat, but vigilance is still recommended, especially for high-risk usage scenarios.
  When a TurnKey appliance includes software installed from upstream source code, this is usually the first thing documented on the appliance page.
You can use the "apt-cache policy" command to determine a package's origin:
$ apt-cache policy openssh-server
openssh-server:
Installed: 1:5.3p1-3ubuntu4
Candidate: 1:5.3p1-3ubuntu4
Version table:
*** 1:5.3p1-3ubuntu4
650 http://archive.ubuntu.com lucid-security/main Packages
So in the case of openssh-server, we have the most recent version installed and are receiving updates automatically from the lucid-security repository.
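Reading "apt-cache policy" by eye works for one package; for a whole appliance it helps to parse the output and map each package to the coverage tiers of the Limitations section (main vs. non-main component, and whether the installed version actually came from a security pocket). The script below is an added example for this page, not a TurnKey tool; installed_origin, coverage_tier and report_package are names chosen here, and the sample policy outputs are constructed (the openssh-server one mirrors the page, "examplepkg" and "localapp" are hypothetical).

```shell
#!/bin/sh
# Classify where a package's installed version came from by parsing
# "apt-cache policy" output. Added example, not TurnKey's own tooling.

# Read policy text on stdin and print "SUITE/COMPONENT" for the installed
# version (the "***" entry), "none" when that version has no archive source
# (local .deb or built from source), or "not-installed".
installed_origin() {
    awk '
        /^ *\*\*\* / { want = 1; next }                       # installed version marker
        want && $1 ~ /^[0-9]+$/ && $2 ~ /^https?:/ { print $3; done = 1; exit }
        want && $1 ~ /^[0-9]+$/ { next }                       # e.g. "100 /var/lib/dpkg/status"
        want { print "none"; done = 1; exit }                  # next version line reached
        END {
            if (!want) print "not-installed"
            else if (!done) print "none"
        }'
}

# Map an origin string to the coverage described under Limitations.
coverage_tier() {
    case "$1" in
        *-security/main)  echo "main (security pocket, Canonical guarantee)" ;;
        */main)           echo "main (Canonical guarantee)" ;;
        *-security/*)     echo "non-main (community security update)" ;;
        none)             echo "unpackaged or local: no automatic updates" ;;
        not-installed)    echo "not installed" ;;
        *)                echo "non-main (community maintained)" ;;
    esac
}

# Live use: report_package NAME  (prints NAME, origin and tier, tab separated)
report_package() {
    origin=$(apt-cache policy "$1" | installed_origin)
    printf '%s\t%s\t%s\n' "$1" "$origin" "$(coverage_tier "$origin")"
}

# Constructed sample outputs for an offline run.
sample_policy_openssh() {        # mirrors the page's openssh-server example
    cat <<'EOF'
openssh-server:
  Installed: 1:5.3p1-3ubuntu4
  Candidate: 1:5.3p1-3ubuntu4
  Version table:
 *** 1:5.3p1-3ubuntu4 0
        650 http://archive.ubuntu.com lucid-security/main Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy_universe() {       # hypothetical package from universe
    cat <<'EOF'
examplepkg:
  Installed: 2.0-1
  Candidate: 2.0-1
  Version table:
 *** 2.0-1 0
        500 http://archive.ubuntu.com lucid/universe Packages
        100 /var/lib/dpkg/status
EOF
}
sample_policy_local() {          # hypothetical package built from source
    cat <<'EOF'
localapp:
  Installed: 1.0
  Candidate: 1.0
  Version table:
 *** 1.0 0
        100 /var/lib/dpkg/status
EOF
}

# Offline demo:  sample_policy_openssh | installed_origin   -> lucid-security/main
# Whole system:  dpkg-query -W -f '${Package}\n' | while read -r p; do report_package "$p"; done
```

Packages whose origin comes back as "none" are the ones the Limitations section warns about: nothing in cron-apt will ever touch them, so they need their own update procedure.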
Comments
Sequencing of "Setup"
As I am normally needing to set up tests on static IPs, it would be helpful if the TKLBAM and Update setup could be specified after the IP address is entered. The one time I tried to do it before seemed to cause problems, but once built it is not obvious always where to get the auto updates going (maybe I haven't looked that hard). TKLBAM is easy to start and I would rather not backup too soon.
Would it be possible to move these two steps after "network configuration" is complete?
Auto security updates run everyday at 4am anyway.
So at worst your appliance will be without the latest security updates until 4am. But as long as you have a DHCP running and accessible to your appliance, the updates on first boot should work regardless of whether you change the IP later or not. All the appliance needs is access to the internet and a valid IP address to do the updates.
Not quite sure what you're asking for in relation to TKLBAM, but it shouldn't matter what order it's done in and if you'd rather do it after setting a static IP then you can do that from Webmin pretty easily.
If that still isn't meeting your needs I have some other ideas of how you could execute those scripts so it would run again but I'd rather wait until I've got access to a TKL appliance so I know it will work.
Probably best to post in the forum with a clear outline of what you are trying to achieve and why.
4:00 AM works
I tried to run the script "above" but wants to run at a "randomized" time around 4:00 am.
Instead I ran:
"apt-get update" and it seemed to do something similar to a security update
Not trying to accomplish anything other than having a complete install before 4 AM.
Not a big deal. My DMZ does not have dhcp running on it so I can't easily toggle. Seems my firewall will only facilitate dhcp (itself) on the inside network - short of time to set up a server just for a few dhcp addresses on the DMZ.
warning: security update with buggy PAM breaks CRON (stopped)
Hi, a quick note to warn everybody that as of a few hours ago (31st May 2011, 23:00 GMT) ubuntu security updates were distributing a PAM update that breaks CRON and therefore any machine running any meaningful operation based on CRON will not perform correctly.
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/790538
I'm immediately disabling security updates (low risk host; stable monitoring very very important)
Take care
SM
Update: Fixed
Thanks for reporting the issue, this was a serious blunder upstream.
The regression was fixed, went through QA and new packages published within 9 hours of the bug being reported on LP. During that time the buggy packages were removed from the archive to prevent further breakage.
If you were affected, you should restart the cron service and update to the latest packages.
Thanks for the heads up
Although I have read (on the bug report) that a new (fixed) update has now been released. Anybody who got the dodgy update will however need to at least restart cron as cron will not start the auto update (to collect the fixed update) until that is done. Probably doing a manual update would be a good idea anyway.
[update] Alon beat me. Got sidetracked with my browser window open and that's what happens :)
Proxy
Had an issue where this wasn't happening - there's a daemon running that is configured by /etc/apt/apt.conf/01turnkey which causes apt to pull its config from there rather than an exported variable or whatever (unless you reboot I guess). Adding:
Acquire::http::Proxy "http://your.proxy.here:port";
Should resolve the problem.