BarCamp 2019 - Best practice for automatic updates




On February 1st, 2019 we had a BarCamp as part of the Univention Summit 2019. Several topics were discussed and the summary will be made available here. Further discussion and additions are welcome.


Best practices for automated updates in production environments (UCS, UCS with third-party repositories such as Kopano, UCS with Docker apps)

  • First approach: automate updates via UCS’s update policies
    • Differentiate between things that are usually hassle-free and those that require attention and manual intervention
    • Active third-party repositories (OX, Kopano, OPSI…) often lead to problems during (automated) updates
    • Wishes for enhancements / ideas:
      • separate update procedures for UCS security updates, bugfixes and app updates
      • fallback to older revisions of Docker images in case a Dockerized app fails to update
      • more tests of update procedures by app vendors
      • controls for limiting the errata level or app version number automated updates update to
      • use existing preup-scripts as standalone tools
  • Recommendations:
    • Note: reboot not only after the update, but before the update as well (e.g. due to kernel version issues)
    • run services in separate machines in order to avoid updating UCS base packages and packages from third-party repositories at the same time
    • create backups / snapshots before updating
    • test environments
    • use apt pinning selectively only, not as an automatism


Hi @Grandjean,

thank you very much for these best practices!
For our (non-UCS) docker environments we used to test upgrades with the --project-name option of docker-compose.
We just copy the mounts and the docker-compose.yml file into a test folder, and start:
docker-compose -p APP-XYZ-UPGRADE-TEST up -d
This creates a 100% copy of the productive environment. In that scenario you can test if the upgrade finishes successfully.
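
The staging step described in the reply above, as an added example that is not part of the original thread: before the copy is started under a new project name, it flags compose settings that a different project name does not separate from production (a fixed container_name, published host ports, absolute bind-mount paths). The sample compose file, its service name and its paths are constructed, and the line-based scan assumes the short list syntax for ports and volumes.

```shell
#!/bin/sh
# Added example, not from the thread: stage a test copy of a compose project
# and list settings that "-p" does not isolate from production.

# Constructed sample compose file (hypothetical service name and paths).
sample_compose() {
cat <<'EOF'
services:
  web:
    image: example/web:1.0
    container_name: web
    ports:
      - "8080:80"
    volumes:
      - ./data:/var/lib/web
      - /srv/web/uploads:/uploads
    environment:
      - TZ=Europe/Berlin
EOF
}

# scan KIND REGEX FILE: print "KIND:LINENO" for every matching line.
scan() {
    grep -nE -- "$2" "$3" | sed "s/^\([0-9]*\):.*/$1:\1/"
}

# compose_collisions FILE: settings shared with production despite a new project name.
compose_collisions() {
    # container_name is unique per Docker host, not per project
    scan container_name '^[[:space:]]*container_name:' "$1"
    # a published host port can be bound by only one container at a time
    scan host_port '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+' "$1"
    # an absolute host path is the same directory for the copy and for production
    scan absolute_bind_mount '^[[:space:]]*-[[:space:]]*"?/[^:]+:' "$1"
}

# stage_and_check SRC DST PROJECT: copy the folder, then refuse to start on findings.
stage_and_check() {
    mkdir -p "$2" && cp -a "$1"/. "$2"/ || return 2
    findings=$(compose_collisions "$2/docker-compose.yml")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    # Nothing shared was found: print the command from the post for the operator to run.
    echo "cd $2 && docker-compose -p $3 up -d"
}

if [ "$#" -eq 3 ]; then stage_and_check "$@"; fi
```

Relative mounts such as `./data` are resolved against the copied folder, which is why only absolute paths are reported.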