Automatic security updates
Background
TurnKey software appliances are configured to auto-update daily with the latest security patches.
Usually automatically updating software is considered to be a risky practice since updates may occasionally break existing functionality (e.g., changes to file formats, software interfaces, or expected behavior).
Ubuntu and Debian mitigate this risk by carefully backporting security fixes so that security updates change as little as possible, minimizing the likelihood that things will break.
In practice we've found it is very rare for an Ubuntu security update to break something, so we believe it is beneficial to configure software appliances to auto-update security fixes by default. Advanced users can always disable this mechanism and apply security fixes manually if they want.
How it works
Users who wish to tweak the auto-update mechanism may find it helpful to understand how it is set up.
- A cron job is configured to run cron-apt daily:

# cat /etc/cron.d/cron-apt
#
# Regular cron jobs for the cron-apt package
#
# Every night at 4 o'clock.
0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt

- cron-apt is configured to only update from the security sources list:

$ cat /etc/apt/sources.list.d/security.sources.list
deb http://archive.turnkeylinux.org/ubuntu hardy-security main
deb http://archive.turnkeylinux.org/ubuntu hardy-security universe
deb http://archive.ubuntu.com/ubuntu hardy-security main
deb http://archive.ubuntu.com/ubuntu hardy-security universe
# deb http://archive.ubuntu.com/ubuntu hardy-security restricted
# deb http://archive.ubuntu.com/ubuntu hardy-security multiverse

- cron-apt is configured to install the updates automatically:

$ cat /etc/cron-apt/action.d/5-install
autoclean -q -y
dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold

- cron-apt logs to /var/log/cron-apt/log
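The safety of this setup rests on two things: the dedicated sources list only enabling "-security" suites, and the dist-upgrade action pinning apt to that one file (Dir::Etc::sourcelist) while disabling sources.list.d (Dir::Etc::sourceparts=nonexistent), so that a stray entry in another sources file cannot be pulled in by the nightly run. The following POSIX shell script is an added example, not part of the TurnKey page or the cron-apt package: it checks both conditions against sample files constructed inline to mirror the page's configuration, plus deliberately broken variants. The file names under the temporary directory are the script's own assumptions.

```shell
#!/bin/sh
# Added example (not TurnKey's or cron-apt's own code): sanity checks for an
# apt auto-update setup that is meant to apply security fixes only.

# check_security_only FILE
#   Returns 0 if every enabled "deb"/"deb-src" line in FILE names a suite
#   ending in "-security"; otherwise prints the offending lines to stderr
#   and returns 1. Blank lines and commented-out entries are ignored.
check_security_only() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        # trim leading whitespace, then drop an optional "[options]" block
        # (e.g. [arch=amd64]) that may sit between the type and the URI
        trimmed=$(printf '%s' "$line" | sed -e 's/^[[:space:]]*//' -e 's/\[[^]]*\][[:space:]]*//')
        case "$trimmed" in
            ""|\#*) continue ;;
        esac
        # fields after cleanup: TYPE URI SUITE COMPONENT...
        set -- $trimmed
        [ "$1" = "deb" ] || [ "$1" = "deb-src" ] || continue
        suite="$3"
        case "$suite" in
            *-security) ;;
            *) printf 'non-security suite enabled: %s\n' "$line" >&2; bad=1 ;;
        esac
    done < "$file"
    return $bad
}

# check_action_pinned FILE
#   Returns 0 if the dist-upgrade line of a cron-apt action file both pins
#   apt to an explicit sources list and disables the sources.list.d
#   directory, which is what keeps the nightly run on security sources only.
check_action_pinned() {
    grep -E '^dist-upgrade' "$1" | grep -q -- '-o Dir::Etc::sourcelist=' &&
    grep -E '^dist-upgrade' "$1" | grep -q -- '-o Dir::Etc::sourceparts=nonexistent'
}

# --- constructed sample files (assumed names under a temporary directory) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# modelled on the page's security.sources.list: only hardy-security suites
cat > "$tmp/good.list" <<'EOF'
deb http://archive.turnkeylinux.org/ubuntu hardy-security main
deb http://archive.ubuntu.com/ubuntu hardy-security universe
# deb http://archive.ubuntu.com/ubuntu hardy-security restricted
EOF

# constructed variant where a non-security suite slipped in
cat > "$tmp/bad.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu hardy-security main
deb [arch=amd64] http://archive.ubuntu.com/ubuntu hardy-updates main
EOF

# the page's 5-install action, verbatim
cat > "$tmp/good-action" <<'EOF'
autoclean -q -y
dist-upgrade -q -y -o APT::Get::Show-Upgraded=true -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list -o Dir::Etc::sourceparts=nonexistent -o DPkg::Options::=--force-confdef -o DPkg::Options::=--force-confold
EOF

# constructed variant that forgets to disable sources.list.d
cat > "$tmp/bad-action" <<'EOF'
autoclean -q -y
dist-upgrade -q -y -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list
EOF

if check_security_only "$tmp/good.list" && check_action_pinned "$tmp/good-action"; then
    echo "auto-update configuration is restricted to security sources"
fi
```

Run the two functions against the real /etc/apt/sources.list.d/security.sources.list and /etc/cron-apt/action.d/5-install after editing either file; a non-zero exit means the nightly job would no longer be limited to security updates.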
