I wish to set up a PPA to send simple changes to several hundred Ubuntu 12.04 machines in the field. Simple changes means bash script changes, configuration file updates, and possibly other software updates, including new software installations that can be installed via apt-get install. Several questions that have come to my mind are:

  1. Can PPA be used to send script updates?
  2. Can I configure client machines to get updates only from this PPA and install them automatically, just like unattended-upgrades? (Of course I know this option is possible, but a good set of tools to achieve this is expected.)

I know this is a broad question, but an answer with a few pointers would be highly appreciated.


Solution 1:

I wished to do the same thing, but I chose using a private repository made using reprepro over PPAs. All my clients are on the same LAN, so it's simpler for me. I think this is pretty workable irrespective of whether you use PPAs or a private repository.

  • Modifying existing configuration files is best handled by using dpkg diversions, IMO. config-package-dev is a blessing for this. The Debian Wiki is a good starting point for information on this.
  • Adding script files or your own software isn't that difficult by packaging them. There are plenty of packaging guides. Again, the Debian wiki is a great starting point. It's simpler to make binary packages than the intro, which will be the case with scripts and configuration files.
  • Adding new software from other repositories can be done by making them dependencies of your packages. Specify an exact version or use apt pinning.
  • Unattended upgrades for custom repositories are already handled: see "How to enable silent automatic updates for any repository?" I don't know of any way a server can push updates to a client. You might want to consider puppet (via kicking) or its ilk. Or you might write a script on the server which uses SSH to run updates on the client. Or have a script which checks for updates when the network comes up.
  • Above all, ensure that your package maintenance scripts (preinst, postinst, prerm, postrm) are idempotent and that package removal undoes all changes. These scripts can do a lot of things, but do not do anything that affects apt or dpkg in them. Minimise the work done in these scripts.

In my case, I use a package to configure LDAP and NTP, add a custom global vimrc enabling common options, make various configuration changes (like enabling sudo for a group, banning shutdown), add an unprivileged local user/group, etc. Another package adds our self-generated CA certificate and repository signing key and marks them trusted in the postinst script, and adds an entry in sources.list.d for our repository.

I haven't yet converted all the systems to this process, so I can't comment yet about its effectiveness.
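
The answer's advice on idempotent maintainer scripts, as an added example that is not part of the original answer: the configure and remove steps of a configuration package, combined in one file so they can be run together. The `ROOT` prefix, the file names, the `fleet-admins` group and the repository URL are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix for trying this in a scratch
# directory; in a real package it is empty. File names, group and repository
# URL are constructed.
ROOT="${ROOT:-}"
REPO_LINE="deb http://repo.example.invalid/ubuntu precise main"
SUDO_LINE="%fleet-admins ALL=(ALL) ALL"

# install_file <path> <mode> <content>
# Leaves the file alone when it already holds the content; otherwise writes a
# temp file beside it and renames it into place, so a reader never sees a
# half-written file. The temp name contains a dot and does not end in .list,
# so sudo and apt both ignore it if the script dies before the rename.
install_file() {
    path=$1 mode=$2 content=$3
    if [ -f "$path" ] && [ "$(cat "$path")" = "$content" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$path")" || return 1
    tmp=$(mktemp "$path.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp" && chmod "$mode" "$tmp" &&
        mv -f "$tmp" "$path"
}

# postinst side: safe to run on install, upgrade and reconfigure alike.
do_configure() {
    install_file "$ROOT/etc/sudoers.d/fleet-admins" 0440 "$SUDO_LINE" &&
        install_file "$ROOT/etc/apt/sources.list.d/fleet.list" 0644 "$REPO_LINE"
}

# postrm side: removes exactly what do_configure created; rm -f succeeds when
# the files are already gone, so a repeated removal is harmless.
do_remove() {
    rm -f "$ROOT/etc/sudoers.d/fleet-admins" \
          "$ROOT/etc/apt/sources.list.d/fleet.list"
}

# dpkg runs "postinst configure <old-version>" and "postrm remove|purge".
case "${1:-}" in
    configure)    do_configure ;;
    remove|purge) do_remove ;;
esac
```

Running it with `ROOT` set to a scratch directory shows that a second `configure` changes nothing and that `remove` leaves no files behind.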