Automated Update to 5.0- WHY?

Hi all,

my UCS 4.x (at latest 4.4-8 errata992) server was really running fine for a long time. I have configured as policy automated updates as follows:

app-release-update: 4.4-99
app-update-schedule: 03 0 * * 6 root /usr/sbin/univention-upgrade --noninteractive --enable-app-updates

The update to UCS 4.4-8 e992 (from UCS 4.4-8e987) happened a week a go on Saturday night just as configured.
When 5.0 was released no update occured. As planned. I wanted to do the upgrade manually.

This night (Saturday, 19.06.2021) at 0:03 the dist-upgrade started out of sudden and I was hit by having an UCS 5.x today. :exploding_head:

According to policies this should not happen at all! Even if the policies were configured wrong, it should have been upgrated to UCS5 at release date. But no, it just happened this night.

@Schwardt @damrose : Is there an explanation why the upgrade took place? Despite of the policies? The docs state this should work. But in my case it did not.

At current I have at least the issue the dhcp server did not (re-)start after upgrade. Any explanation there?

Thanks and greetings to Bremen, hope you are all doing well there!
updater.log available on request.



I got further with this. The policy of “Update to max 4.4-99” (app-release-update) was not assigned to the server in question.

This leads to the next question- why did it then do updates automatically all the time?




If no “Update to max version” is assigned, the update to the latest version is performed.

I also suspect that you’re using an app that has not been available for UCS 5.0 last saturday at 0:03, that’s why the update had been blocked. E.g. the let’s encrypt app has been released for UCS 5.0 last weekend and then there was no blocker app anymore and the automatic update has been performed.



Hi & Thanks for replying.

Did I get this right- even if the policy is NOT applied it will upgrade? What is the sense of the wording then?
I read:
Errata updates are always active no matter if the policy is assigned or not.
Release updates are not taking place, no matter if assigned or not.
When assigning the policy is depends on the policy.
When selected, realease updates take place.
When unticked, no updates will be performed.

If this is meant in another why it is at least strange wording…

And according the apps:
I doubt somehow this is the reason because these are the installed apps:

  • Active Directory-kompatibler Domänencontroller
  • DHCP-Server
  • Druckserver (CUPS)
  • Mailserver

Is any of these being release last weekend?

Still confused about the automated update having taken place…



No, this was a missunderstanding. I thought, only the Bis zu dieser UCS-version aktualisieren had been empty. If the policy is not assigned at all (and no other policy of this type) there should be no update performed.

You can check which policies and values are applied by logging into to the affected system and call
univention-policy-result -D "$(ucr get ldap/hostdn)" -y /etc/machine.secret "$(ucr get ldap/hostdn)"

To which of your computers/containers is your policy app-release-update attached to?



Did this again and this is the result:

DN: cn=praxis,cn=dc,cn=computers,dc=a-nb,dc=de

POLICY cn=praxis,cn=dc,cn=computers,dc=a-nb,dc=de

Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=a-nb,dc=de
Attribute: univentionAdminMayOverrideSettings
Value: 0

Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=a-nb,dc=de
Attribute: univentionAdminListWebModules
Value: modself

Policy: cn=default-users,cn=admin-settings,cn=users,cn=policies,dc=a-nb,dc=de
Attribute: univentionAdminListWizards
Value: None

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=a-nb,dc=de
Attribute: univentionPWLength
Value: 8

Policy: cn=default-settings,cn=pwhistory,cn=users,cn=policies,dc=a-nb,dc=de
Attribute: univentionPWHistoryLen
Value: 3

Policy: cn=app-update-schedule,cn=policies,dc=a-nb,dc=de
Attribute: univentionCron
Value: 5 4 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 1,2,3,4,5,6,7,8,9,10,11,12 6,7

Policy: cn=app-update-schedule,cn=policies,dc=a-nb,dc=de
Attribute: univentionInstallationReboot
Value: 06:00

Policy: cn=app-update-schedule,cn=policies,dc=a-nb,dc=de
Attribute: univentionCronActive
Value: 1

Policy: cn=app-release-update,cn=policies,dc=a-nb,dc=de
Attribute: univentionUpdateVersion
Value: 4.4-99

Policy: cn=app-release-update,cn=policies,dc=a-nb,dc=de
Attribute: univentionUpdateActivate
Value: TRUE

The app-release-update has not been assigned to the host in question. Nothing else changed since then. So it should not have been updates as far as I can see.