TurnKey automatically installs the latest security updates over the network:
- The first time you boot a new appliance deployment (you can choose to skip this)
- Every night, around 4 AM.
Automatically updating software is usually considered a risky practice, since updates may occasionally break existing functionality (e.g., changes to file formats, software interfaces, or expected behavior).
Debian mitigates this risk by carefully backporting security fixes so that security updates change as little as possible, minimizing the likelihood that things will break.
In practice we've found it is very rare for a security update to break something, so we believe it is beneficial to configure software appliances to auto-update security fixes by default. Advanced users can always disable this mechanism and apply security fixes manually if they want.
Installing security updates on demand
In a root shell, run the following command:
If that doesn't work, you may be running an older version of TurnKey. Try this instead:
Caution: This isn't 100% foolproof. Make sure we can reach you.
Unfortunately, we can't fix everything automatically, so it's still very important that we be able to contact you when necessary. Make sure you're subscribed to TurnKey's low-traffic announcements newsletter.
Otherwise you may not know that a problem requires your attention until it's too late. Sure, thanks to automatic security updates we usually don't need to bother you regarding security issues, but there are occasional exceptions...
- Not everything can be updated automatically: automatic security updates only work for supported software that is maintained through the package management system. Not all software is installed through the package management system, and not all software installed through it is supported. See the limitations section below for details.
- Some bugs can break automatic updates: even though security updates change as little as possible and are exceptionally well tested, mistakes can still happen. Usually these can be caught and fixed with another automatic update, but manual intervention is still required for bugs that break the auto-updates mechanism or one of its dependencies (e.g., Ubuntu broke cron).
How it works
Users who wish to tweak the auto-update mechanism may find it helpful to understand how it is set up.
1) A cron job is configured to run cron-apt daily.
# cat /etc/cron.d/cron-apt
#
# Regular cron jobs for the cron-apt package
#
# Every night at 4 o'clock.
0 4 * * * root test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
2) cron-apt is configured to update only from the security sources list, /etc/apt/sources.list.d/security.sources.list:
# cat security.sources.list
deb http://archive.turnkeylinux.org/debian wheezy-security main
deb http://security.debian.org/ wheezy/updates main
deb http://security.debian.org/ wheezy/updates contrib
# deb http://security.debian.org/ wheezy/updates non-free
3) cron-apt is configured to install the updates automatically. The two DPkg::Options keep an unattended run from ever stopping at a configuration-file prompt: --force-confdef takes the default action where dpkg has one, and --force-confold otherwise keeps your locally modified copy of a configuration file (the package's new version is saved alongside it with a .dpkg-dist suffix), so local changes are never silently overwritten:
$ cat /etc/cron-apt/action.d/5-install
autoclean -q -y
dist-upgrade -q -y -o APT::Get::Show-Upgraded=true \
    -o Dir::Etc::sourcelist=/etc/apt/sources.list.d/security.sources.list \
    -o Dir::Etc::sourceparts=nonexistent \
    -o DPkg::Options::=--force-confdef \
    -o DPkg::Options::=--force-confold
4) cron-apt logs to /var/log/cron-apt/log
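To see what tonight's run would do before it happens, you can drive apt-get with the same options as 5-install but in simulation mode. The script below is an added example for this page, not part of TurnKey or cron-apt. It parses the "Inst <pkg> [<installed>] (<new> <origin> [<arch>])" lines that apt-get -s prints; the sample output embedded in it is constructed so the parser can be exercised offline, and libfoo is a hypothetical package name.

```sh
#!/bin/sh
# Added example for this page (not part of TurnKey or cron-apt): preview what
# the nightly cron-apt run would install by driving apt-get with the same
# options as /etc/cron-apt/action.d/5-install, but in simulation mode (-s).

SECURITY_LIST=/etc/apt/sources.list.d/security.sources.list

# Simulate the dist-upgrade exactly as 5-install scopes it (security list only).
# No root is needed for -s; run "apt-get update" first so the index is current.
preview_security_updates() {
    apt-get -s -q dist-upgrade -o APT::Get::Show-Upgraded=true \
        -o Dir::Etc::sourcelist="$SECURITY_LIST" \
        -o Dir::Etc::sourceparts=nonexistent
}

# Reduce apt-get -s output to one line per package that would change:
#   <package> <installed-version|(new)> <new-version> <origin>
# apt-get -s prints: Inst <pkg> [<installed>] (<new> <origin> [<arch>])
# where the [<installed>] field is absent for packages pulled in as new.
pending_updates() {
    awk '$1 == "Inst" {
        pkg = $2
        old = "(new)"
        i = 3
        if ($3 ~ /^\[/) { old = substr($3, 2, length($3) - 2); i = 4 }
        new = substr($i, 2)          # drop the opening "("
        origin = $(i + 1)
        print pkg, old, new, origin
    }'
}

# Constructed sample of apt-get -s output, so the parser can run offline.
# libfoo is a hypothetical package; the openssh versions mirror this page.
SAMPLE_SIMULATION='NOTE: This is only a simulation!
      apt-get needs root privileges for real execution.
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
The following NEW packages will be installed:
  libfoo
The following packages will be upgraded:
  openssh-client openssh-server
2 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Inst openssh-client [1:6.0p1-4] (1:6.0p1-4+deb7u1 Debian-Security:7.0/stable [amd64])
Inst openssh-server [1:6.0p1-4] (1:6.0p1-4+deb7u1 Debian-Security:7.0/stable [amd64])
Inst libfoo (1.0-1 Debian-Security:7.0/stable [amd64])
Conf openssh-client (1:6.0p1-4+deb7u1 Debian-Security:7.0/stable [amd64])
Conf openssh-server (1:6.0p1-4+deb7u1 Debian-Security:7.0/stable [amd64])
Conf libfoo (1.0-1 Debian-Security:7.0/stable [amd64])'

# With --live, query the real system; otherwise parse the constructed sample.
case "${1:-}" in
    --live) preview_security_updates | pending_updates ;;
    *)      printf '%s\n' "$SAMPLE_SIMULATION" | pending_updates ;;
esac
```

Run it with --live on an appliance to list exactly the packages and origins cron-apt would act on at 4 AM; anything whose origin is not a security suite is worth a second look, because the nightly run is meant to be scoped to the security list only.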
TurnKey Linux 14 is based on Debian 8 (Jessie). The Debian Security Team provides backported security fixes for all packages in Debian as required, which TurnKey systems are configured to install automatically. (The configuration and output shown above come from an earlier, Wheezy-based release; on Jessie the Debian security suite is jessie/updates, but the mechanism is the same.)
However, Debian's security coverage does not apply to packages that do not originate from Debian.
- Trusted third-party repositories: ideally the Debian package repositories would cover 100% of our software needs. Unfortunately, in practice there's a lot of good software out there that Debian does not support. In these cases, TurnKey will install software directly from trusted third-party repositories.
Note that any package that does not originate from Debian is documented on the product page, and also in the product's source code.
- TurnKey Linux custom packages: TurnKey contains a few custom packages which are updated directly by the Core developers from the project's cryptographically signed package repository.
- Software installed from source code: unfortunately, many of the most popular open source web applications (e.g., Joomla) are not packaged by Ubuntu or Debian. This means that they have to be installed and maintained by hand directly from upstream source code and no automatic security updates can be provided through the package management system.
Fortunately, most web applications run with reduced privileges and are written in high-level languages, which largely removes the memory-corruption class of vulnerabilities (though not application-level flaws such as injection or authentication bypass). Also, in the appliance model, each application is confined to its own virtual machine. This limits the potential damage somewhat, but vigilance is still recommended, especially for high-risk usage scenarios.
When a TurnKey appliance includes software installed from upstream source code, this is usually the first thing documented on the appliance page.
You can use the "apt-cache policy" command to determine a package's origin. Note that you should generally run "apt-get update" beforehand to ensure that your local package index is up to date with the repository servers.
# apt-cache policy openssh-server
openssh-server:
  Installed: 1:6.0p1-4+deb7u1
  Candidate: 1:6.0p1-4+deb7u1
  Version table:
 *** 1:6.0p1-4+deb7u1 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status
So in the case of openssh-server, the installed version is the candidate (nothing newer is pending), and that version is carried by the security.debian.org repository, so the package is maintained by Debian and receives security updates automatically. If the only source listed for a package were /var/lib/dpkg/status, no configured repository carries it, and cron-apt cannot update it.
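The same check, scripted, as an added example for this page (not a TurnKey tool): it parses apt-cache policy output, reports whether the installed version equals the candidate, and lists which repositories carry the installed version, flagging packages that exist only in /var/lib/dpkg/status and so will never be touched by cron-apt. The three samples are constructed: the first reproduces the openssh-server output above, while example-webapp and turnkey-example are hypothetical package names.

```sh
#!/bin/sh
# Added example for this page (not a TurnKey tool): turn "apt-cache policy"
# output into a verdict on whether a package is current and which repository,
# if any, carries its installed version. Run "apt-get update" first.

# Print the sources (repository URL or local path) listed under the "***"
# entry of the version table, i.e. everywhere the installed version exists.
installed_sources() {
    awk '
        /^ \*\*\* / { inside = 1; next }
        inside && $1 ~ /^[0-9]+$/ && $2 ~ /^([a-z]+:|\/)/ { print $2; next }
        inside { inside = 0 }      # reached the next version entry: stop
    '
}

# "current" when Installed equals Candidate, "update-available" when a newer
# candidate exists, "not-installed" when Installed is (none).
update_state() {
    awk '
        $1 == "Installed:" { inst = $2 }
        $1 == "Candidate:" { cand = $2 }
        END {
            if (inst == "(none)")  print "not-installed"
            else if (inst == cand) print "current"
            else                   print "update-available"
        }
    '
}

# Label the installed version by its sources:
#   debian-security <hosts>  security.debian.org carries the installed version
#   repository <hosts>       only other repositories carry it
#   local-only               only /var/lib/dpkg/status lists it (installed by
#                            hand or from a repository no longer configured),
#                            so cron-apt cannot patch it
classify_origin() {
    installed_sources | awk '
        /^\// { next }                         # /var/lib/dpkg/status
        {
            n++
            host = $0
            sub(/^[a-z]+:\/\//, "", host)      # strip scheme
            sub(/\/.*/, "", host)              # strip path
            hosts = hosts (n > 1 ? "," : "") host
            if (host == "security.debian.org") sec = 1
        }
        END {
            if (n == 0)   print "local-only"
            else if (sec) print "debian-security " hosts
            else          print "repository " hosts
        }
    '
}

# Combine both checks for one package's policy output given on stdin.
report() {
    policy=$(cat)
    printf '%s %s\n' "$(printf '%s\n' "$policy" | update_state)" \
                     "$(printf '%s\n' "$policy" | classify_origin)"
}

# Constructed samples (not captured from a live system). The first reproduces
# the openssh-server output on this page; the other two package names are
# hypothetical.
SAMPLE_OPENSSH='openssh-server:
  Installed: 1:6.0p1-4+deb7u1
  Candidate: 1:6.0p1-4+deb7u1
  Version table:
 *** 1:6.0p1-4+deb7u1 0
        500 http://security.debian.org/ wheezy/updates/main amd64 Packages
        500 http://cdn.debian.net/debian/ wheezy/main amd64 Packages
        100 /var/lib/dpkg/status'
# Installed by hand: looks "current", yet no repository can ever update it.
SAMPLE_LOCAL='example-webapp:
  Installed: 3.4.1-1
  Candidate: 3.4.1-1
  Version table:
 *** 3.4.1-1 0
        100 /var/lib/dpkg/status'
# Older version installed, newer one waiting in the TurnKey security archive.
SAMPLE_PENDING='turnkey-example:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 0
        500 http://archive.turnkeylinux.org/debian wheezy-security/main amd64 Packages
 *** 1.0-1 0
        100 /var/lib/dpkg/status'

if [ $# -gt 0 ]; then
    for pkg in "$@"; do
        printf '%s: ' "$pkg"; apt-cache policy "$pkg" | report
    done
else
    for sample in "$SAMPLE_OPENSSH" "$SAMPLE_LOCAL" "$SAMPLE_PENDING"; do
        printf '%s: ' "${sample%%:*}"; printf '%s\n' "$sample" | report
    done
fi
```

Given package names as arguments, it queries the live system; with none, it runs over the samples. The example-webapp case is the one to watch for: Installed equals Candidate, so a naive "is it current?" check passes, but the version table shows no repository at all, which is exactly the software-installed-from-source situation described above.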