I am using unattended-upgrades across multiple servers. I would like package updates to be rolled out gradually, either randomly or to a subset of test/staging machines first. Is there a way to do that for APT on Ubuntu?

An obvious option is to set some machines to update on Monday and the others to update on Wednesday, but that only gives me only weekly updates…

The goal of course is to avoid a Crowdstrike-like situation on my Ubuntu machines.

edit: For example. An updated openssh-server comes out. One fifth of the machines updates that day, another fifth updates the next day, and the rest updates 3 days later.

  • Snot Flickerman@lemmy.blahaj.zone
    link
    fedilink
    English
    arrow-up
    4
    ·
    4 months ago

    You could set your staging environment PCs to be checking for updates hourly and installing them daily.

    You could set your other PCs to just be downloading the updates daily but only install them on certain days of the week.

    That means your staging servers could be constantly updated, but your other servers only download the updates, but wait until a certain day to install them.

    I’m not sure you can set the timer based on a specific package being updated without some bash scripting alongside checking for which things are getting updated in your staging servers, and then using that script to update the unattendedupgrades control files on your second and third tier PCs in the fleet to adjust when they’re supposed to install those updates.

    I can’t currently find anything on prohibiting specific packages or only installing selected updates from the downloaded updates. Perhaps you could use a mix of systemd downloading the updates and a cronjob for installing them?


    Further, Ubuntu/Debian is technically already doing this as well. They already have staggered rollouts in APT.

    If you’ve ever updated via command line and seen the phrase “These packages have been kept back” or “these following upgrades have been deferred due to phasing” it’s because they’re purposefully withholding those updates from you, to make sure they roll out safely to everyone. That way, if a handful of users who get a phased rollout have issues, the rollout can be undone before it goes out to everyone.

    • remram@lemmy.mlOP
      link
      fedilink
      arrow-up
      2
      ·
      4 months ago

      I found the page about “phased upgrades” (somehow missed it searching for “staggered”, “incremental”, “delayed”, etc). Thanks for the pointer!

      Unfortunately it doesn’t seem configurable on my end, and it rolls out in about 54 hours so it can take out most of my machines before I have time to react (my first machine might update ~20h into the phased rollout, the rest will break within 24h). Bummer!

      • just_another_person@lemmy.world
        link
        fedilink
        arrow-up
        2
        ·
        4 months ago

        That doesn’t even have anything to do with this. Phased upgrades are about CHANNELS. As in a select number of systems get the upgrades before anyone else. This is similar to a staging environment in that it minimizes risk. You clearly do not understand what you are asking for here, and are unable to articulate it well enough for us to understand either. I suggest you ask in a different way with more information.

      • just_another_person@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        You should be more courteous to the guy who has been responding to you, because he’s giving you exactly what you’re asking for, you just don’t know how to ask for it properly. Just a piece of advice 🤌

        That being said, since you don’t know what you’re afraid of exactly, I can tell you in my long history of running thousands of Linux machines, containers and VMs at scale, I’ve never ever once since an unattended upgrade do anything that couldn’t immediately be rolled back or fixed. The worst I’ve seen is services impacted that do not start. So why don’t you just chill out a tiny a bit about your Jellyfin server or whatever you’re being rude about.

        • remram@lemmy.mlOP
          link
          fedilink
          arrow-up
          3
          ·
          4 months ago

          I find it hard to stay courteous in the presence of people like you, who reply without reading my post, call me “duder” and say I “don’t understand what I am asking for”.

          Thankfully, I did get a great answer from someone else.