BarCamp 2019 - Best practice for automatic updates

update
barcamp

#1

Preface:

On February 1st, 2019 we had a BarCamp as part of the Univention Summit 2019. Several topics were discussed and the summary will be made available here. Further discussion and additions are welcome.

Summary:

Best practices for automated updates in production environments (UCS, UCS with third-party repositories such as Kopano, UCS with Docker apps)

  • First approach: automate updates via UCS’s update policies
    • Differentiate between things that are usually hassle-free and those that require attention and manual intervention
    • Active third-party repositories (OX, Kopano, OPSI…) often lead to problems during (automated) updates
    • Wishes for enhancements / ideas:
      • separate update procedures for UCS security updates, bugfixes and app updates
      • fallback to older revisions of Docker images in case a Dockerized app fails to update
      • more tests of update procedures by app vendors
      • controls for limiting the errata level or app version number automated updates update to
      • use existing preup-scripts as standalone tools
  • Recommendations:
    • Note: reboot not only after the update, but before the update as well (e.g. due to kernel version issues)
    • run services in separate machines in order to avoid updating UCS base packages and packages from third-party repositories at the same time
    • create backups / snapshots before updating
    • test environments
    • use apt pinning selectively only, not as an automatism

#2

Hi @Grandjean,

thank you very much for these best practices!
For our (non-UCS) Docker environments we used to test upgrades with the --project-name option of docker-compose.
We just copy the mounts and the docker-compose.yml file into a test folder and start:
docker-compose -p APP-XYZ-UPGRADE-TEST up -d
This creates a 100% copy of the productive environment. In that scenario you can test if the upgrade finishes successfully.

Cheers
Sebastian
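
An added example, not part of either post: the copy-and-start procedure from the reply above as a shell function, with a check for compose settings that `-p` does not isolate (fixed `container_name`, absolute bind-mount paths, published host ports, `external: true`). The function names, the `DRY_RUN` variable and the line-based check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and DRY_RUN are assumptions.

# check_isolation FILE
# Line-based heuristic: report compose settings that the -p project name does
# not scope, so a test copy would collide with or write to production.
check_isolation() {
    awk '
        /^[ \t]*container_name:/ {
            print "line " NR ": fixed container_name collides with the running container"; bad = 1 }
        /^[ \t]*-[ \t]*"?\/[^:]*:\// {
            print "line " NR ": absolute bind mount points at the production data"; bad = 1 }
        /^[ \t]*-[ \t]*"?([0-9.]+:)?[0-9]+:[0-9]+/ {
            print "line " NR ": published host port is already bound by production"; bad = 1 }
        /^[ \t]*external:[ \t]*true/ {
            print "line " NR ": external volume or network is shared with production"; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# stage_upgrade_test SRC DST PROJECT
# Copy the compose directory (compose file plus relative bind-mount data),
# check the copy, then print the start command (DRY_RUN=1, default) or run it.
stage_upgrade_test() {
    src=$1 dst=$2 project=$3
    if [ ! -f "$src/docker-compose.yml" ]; then
        echo "no docker-compose.yml in $src" >&2; return 2
    fi
    if [ -e "$dst" ]; then
        echo "$dst already exists" >&2; return 2
    fi
    cp -a "$src" "$dst" || return 2
    if ! check_isolation "$dst/docker-compose.yml" >&2; then
        echo "adjust these settings in $dst/docker-compose.yml before starting" >&2
        return 1
    fi
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "cd $dst && docker-compose -p $project up -d"
    else
        (cd "$dst" && docker-compose -p "$project" up -d)
    fi
}
```

Bind-mount data copied while a database is running can be inconsistent; stop the service or copy from a snapshot before staging the test.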