Upgrading multiple Debian servers at once
I'm currently working at a SaaS company, and at the moment we have multiple Debian servers running in our data centre to support our application.
In the past, when a security update was released, we were able to log into each machine and manually update them with the required update. As we've got more clients (and thus, more servers), we've found that doing this by hand is starting to become a major hassle.
I was just wondering if there were a way (or best practice) to upgrade multiple servers at the same time each time an update comes out?
I'm considering writing a cron script which will automatically apply all updates every weekend, though was thinking there's probably a more elegant way to do this?
Solution 1:
Debian patterns for Puppet.
Are configuration management tools (Puppet, Chef) capable of keeping installed packages up to date?
Wikipedia's blog entry and link to their repository (all the configs except the passwords).
Solution 2:
Sounds like a good enough reason to actually install the unattended-upgrades package as part of your default build and retroactively on your existing servers. As the description itself says:
This package can download and install security upgrades automatically and unattended, taking care to only install packages from the configured APT source, and checking for dpkg prompts about configuration file changes.
This script is the backend for the APT::Periodic::Unattended-Upgrade option.
Once installed, all you need to do is modify /etc/apt/apt.conf.d/50unattended-upgrades to taste to specify which Origins to process upgrades for along with blacklisting specific packages not to upgrade unattended. You can also specify an email address to send reports out to and whether or not to reboot automatically if a package requests one after upgrading.
I use this for all the remote servers I maintain for clients and have it send the reports to me so that I don't have to log into them all one by one and perform the upgrades.
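The settings named in Solution 2 (origins, blacklist, report address, reboot policy), written out as an added example that is not part of the original answer. The function name write_uu_config, the address ops@example.com and the package name example-app are assumptions made for illustration; the option names and origin patterns are the ones Debian's stock configuration uses.

```shell
#!/bin/sh
# Added example: writes the two APT fragments that drive unattended-upgrades.
# Usage: write_uu_config ROOT MAILTO [BLACKLIST_REGEX]
#   ROOT is "/" on a real host (after: apt-get install -y unattended-upgrades);
#   a scratch directory lets you review the files before rolling them out.
write_uu_config() {
    root=$1
    mailto=$2
    blacklist=${3:-}
    confdir="${root%/}/etc/apt/apt.conf.d"
    mkdir -p "$confdir" || return 1

    # Optional blacklist entry, built outside the here-document.
    bl_line=""
    if [ -n "$blacklist" ]; then
        bl_line="        \"$blacklist\";"
    fi

    # Enable the daily APT::Periodic run that invokes unattended-upgrade.
    cat > "$confdir/20auto-upgrades" <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # \${distro_codename} stays literal: unattended-upgrades expands it itself.
    cat > "$confdir/50unattended-upgrades" <<EOF
// Only the Debian security archive is eligible for unattended installs.
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=\${distro_codename},label=Debian-Security";
        "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
};
// Packages (regular expressions) that are only ever upgraded by hand.
Unattended-Upgrade::Package-Blacklist {
$bl_line
};
// Report recipient; requires a working local mail command on the host.
Unattended-Upgrade::Mail "$mailto";
// Explicit reboot policy: install updates, leave reboots to a maintenance window.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}
```

After writing the files on a host, `unattended-upgrade --dry-run --debug` shows which origins match and which packages would be upgraded without installing anything.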
Solution 3:
apt-dater may be helpful for centralised package management as long as you can access your servers over SSH. It may be easier than configuration management tools that might depend on additional daemons...