Preface:
On February 1st, 2019 we had a BarCamp as part of the Univention Summit 2019. Several topics were discussed and the summary will be made available here. Further discussion and additions are welcome.
Summary:
Best practices for automated updates in production environments (UCS, UCS with third-party repositories such as Kopano, UCS with Docker apps)
- First approach: automate updates via UCS’s update policies
- Differentiate between things that are usually hassle-free and those that require attention and manual intervention
- Active third-party repositories (OX, Kopano, OPSI…) often lead to problems during (automated) updates
- Wishes for enhancements / ideas:
  - separate update procedures for UCS security updates, bugfixes and app updates
  - fallback to older revisions of Docker images in case a Dockerized app fails to update
  - more tests of update procedures by app vendors
  - controls for limiting the errata level or app version number that automated updates will update to
  - use existing preup-scripts as standalone tools
- Recommendations:
  - Note: reboot not only after the update, but before the update as well (e.g. due to kernel version issues)
  - run services in separate machines in order to avoid updating UCS base packages and packages from third-party repositories at the same time
  - create backups / snapshots before updating
  - test environments
  - use apt pinning only selectively, not automatically