How to enforce completely automatic upgrades?

[Kimonoscroll]

I'm completely new to FreeBSD and wanted to challenge myself by using it. I was going over the Handbook and on the Updates and Upgrades section it says:

The system can be configured to automatically check for updates once every day by adding this entry to /etc/crontab:

@daily root freebsd-update cron

If patches exist, they will automatically be downloaded but will not be applied. The root user will be sent an email so that the patches may be reviewed and manually installed with freebsd-update install.

I added the bold for emphasis.

Is there a way to make upgrades, even system upgrades, automatic, and to make it restart as needed as well? I want to set it up and have it update when needed for security without my needing to interact with it.

 

[SirDice]

I'm completely new to FreeBSD and wanted to challenge myself by using it.

Awesome. You're in for a treat once you get the hang of it.

Is there a way to make upgrades, even system upgrades, automatic, and to make it restart as needed as well? I want to set it up and have it update when needed for security without my needing to interact with it.

You're franticly typing away on the next chapter of your new book. Haven't saved in a while because you're in the "zone". Suddenly the system reboots because it found an update and it automatically gets installed and rebooted without interaction.

Take it from a 30 year FreeBSD veteran, you don't want to install upgrades automatically.

 

[SirDice]

Sign up for the freebsd-announce mailing list. Don't worry it's very low volume. You'll get notified if something's important like security issues or new releases.

 

[mer]

Take it from a 30 year FreeBSD veteran, you don't want to install upgrades automatically.

FreeBSD, Linux, Windows, this applies to all of them.
Windows, say you tell update stuff "normal working hours are 8am to 6pm so you can apply and reboot outside of that". All good until that end of quarter crunch or "tax time" where 24 hrs/day just aren't enough and you haven't hit save on the tax return for that $20million client and Windows says "Applying updates and rebooting".

Toss in MS AI stuff and yeah, you're gonna lose data

 

[SirDice]

FreeBSD, Linux, Windows, this applies to all of them.

Wholeheartedly agree.

 

[Kimonoscroll]

FreeBSD, Linux, Windows, this applies to all of them.
Windows, say you tell update stuff "normal working hours are 8am to 6pm so you can apply and reboot outside of that". All good until that end of quarter crunch or "tax time" where 24 hrs/day just aren't enough and you haven't hit save on the tax return for that $20million client and Windows says "Applying updates and rebooting".

Toss in MS AI stuff and yeah, you're gonna lose data

Thanks for the response, I mostly agree however this is just a headless personal server serving static content, I don't plan on remoting into it often at all. It will never change and it being offline occasionally for an upgrade isn't an issue for me. I know Debian has the unattended-upgrades package to do something similar. Even a cron job running at 2am would be okay with me. Is it not possible at all? My main concern is security. I just don't want to forget about my server and find it pwned because I didn't patch a bug three months ago. Maybe I should try setting up FreeBSD as a desktop OS and not a remote server instead?

 

[Kimonoscroll]

Awesome. You're in for a treat once you get the hang of it.

Thanks! It's a whole new world for me. I'm coming from the Linux world and have always been fascinated by the BSD's.

You're franticly typing away on the next chapter of your new book. Haven't saved in a while because you're in the "zone". Suddenly the system reboots because it found an update and it automatically gets installed and rebooted without interaction.

Take it from a 30 year FreeBSD veteran, you don't want to install upgrades automatically.

Definitely valid lol, do you think this would also apply for a remote server serving static content? I don't mind if it's offline once in a while to reboot, nothing is ever going to change on it.

 

[mer]

Thanks for the response, I mostly agree however this is just a headless personal server serving static content, I don't plan on remoting into it often at all. It will never change and it being offline occasionally for an upgrade isn't an issue for me. I know Debian has the unattended-upgrades package to do something similar. Even a cron job running at 2am would be okay with me. Is it not possible at all? My main concern is security. I just don't want to forget about my server and find it pwned because I didn't patch a bug three months ago. Maybe I should try setting up FreeBSD as a desktop OS and not a remote server instead?

For this specific instance, sure you can set up FreeBSD to so this, but to me the question still comes down to "why" and "should I". Lets say an automatic upgrade fails; what should be the intended behavior? Failures happen in multiple ways: during the upgrade and "I think I upgraded and rebooted but the reboot failed and some services did not restart".

Auto upgrades are great when they work, but if they fail and you don't know until X days later, you now have a fun time scratching your head and going "WTF happened".

Sixes and Threes as my friends from Scotland have said.

 

[Erichans]

My main concern is security.

ENs (Errata Notices) and SAs (Security Advisories) are announced in the already referenced ML. They are also listed on www.freebsd.org and they have their own RSS feeds; plenty of options to get notified in time.

And btw, before applying an ER or SA, you do want to read them first to find out what all the hubba is about, right?

 

[SirDice]

Is it not possible at all?

It's certainly possible to do. But nothing "canned" ready-to-serve. So you'll have to whip up some script that does it. Definitely do-able, I just don't recommend it

My main concern is security. I just don't want to forget about my server and find it pwned because I didn't patch a bug three months ago.

While I generally agree with installing security patches as soon as possible, not all security patches can and will apply for your situation. Does a bug in a driver for a device you're not using affect you? No, it won't. So it's fine to postpone that patch and do this if something else comes up.

a headless personal server serving static content

This is also an important distinction. It's not so much a personal server, the question is more, is it reachable on the internet or not. The minute you allow connections on your server from the big bad internet you will get bots and other digital vermin knocking on your door. And generally most internet facing servers get pwned due to broken (web) applications, not so much bugs in the OS.

One other way the baddies tend to get into servers, bad passwords. So make sure you have a proper password on both root and your user account. And use something like blacklistd(8), security/sshguard or security/py-fail2ban, because your SSH will definitely get hammered.

do you think this would also apply for a remote server serving static content?

Well, I wouldn't. But what kind of 'static content'? You mean a static (HTML) web page?

 

[cracauer@]

Automatic updates within a release work for me without automatic reboots. Every now and then you reboot by hand. Obviously security problems in the kernel are not handled this way. But those are rare.

 

[SirDice]

Well, one thing our young padawan might not realize just yet, but on FreeBSD there's a clear and distinct separation of the "base OS" and third-party software; the ports and packages. freebsd-update(8) only updates (or upgrades) the base OS, not the installed ports/packages.

 

[Espionage724]

Is there a way to make upgrades, even system upgrades, automatic, and to make it restart as needed as well? I want to set it up and have it update when needed for security without my needing to interact with it.

I did this with cron:

ee '/etc/cron.d/freebsd-updater'

#
SHELL=/bin/sh

0 6 * * * root '/home/espionage724/.local/scripts/freebsd-updater.sh'

# End

Script:

ee ~/'.local/scripts/freebsd-updater.sh'

#!/bin/sh

ntpd -g -q > '/dev/null'

pkg update -f
pkg upgrade
pkg autoremove

zpool upgrade -a

service 'vsftpd' stop

sync
shutdown -r 'now' 'FreeBSD OS Updater'

# End

 

[mer]

Espionage724 be careful with zpool upgrade command without updating boot code; you can get yourself in a system that won't boot.

ETA:
It also looks like your script is upgrading packages, unless your have converted to pkgbase, the zpool upgrade command seems way out of place.

 

[Emrion]

Don't do that. Don't do automatic zpool upgrade.
I'm surprised you didn't ever face to a non-booting system.

The upgrade is almost always not useful unless you want some of the last zfs features. And if you want them, as mer stated, update your bootcode(s) BEFORE!

 

[Erichans]

I think for updates and upgrades there is a important distinction between those that carry security related issues and those that do not.

For auditing security issues of installed packages from the ports tree, you can use pkg audit -F; see pkg-audit(8) and 4.4.9. Auditing Installed Packages

Allthough I do not have a historic view, AFAIK, ZFS pool upgrades have not carried security relates issues. If this were to be the case, that will be part of an official SA as ZFS is part of the FreeBSD base install.

For some time now there have been quite a few changes in wrt the code base of pkg(8), resulting in a rapid succession of new versions. The build servers do not always have the most recent packages available all the time: building packages for the full ports tree takes time. "Blindly" upgrading of packages from the remote package servers can result in unexpected problems (unless you rely on a—well managed—locally provided package server).

P.S. pkg-upgrade(8), when run as root, will update the local pkg database, that is: it "uses" pkg update. When running pkg-update(8) explicitly, pkg update should suffice (only exceptional cirumstances require the use of -f).