Tl;dr: Automatic updates on my home server caused 8 hours of downtime of all of renn.es’ docker services including email and public websites

  • Yote.zip@pawb.social
    link
    fedilink
    English
    arrow-up
    4
    arrow-down
    1
    ·
    1 year ago

    Blind automatic upgrades are a bad idea even for casual home users. You could run into a Linus Tech Tips “do as I say” scenario where it uninstalls half your system due to a dependency issue. Or it could accidentally uninstall part of your system that you don’t notice.

    I’m not sure how stable Gentoo’s default branch is but I know that daily upgrades on Arch Linux is close to suicide - you have a higher chance of installing a buggy package before it’s fixed if you install every package version as it comes in.

    I’m surprised this strategy was approved for a public server - it’s playing with a loaded revolver and it looks like you were finally shot.

    • tarneo@lemmy.mlOP
      link
      fedilink
      arrow-up
      5
      ·
      1 year ago

      I’m surprised this strategy was approved for a public server

      The goal was to avoid getting hacked on a server that could have many vulnerable services (there are more than 20 services on there). When I set this up I was basically freaked out by the fact I hadn’t updated mastodon more than a week after the last critical vulnerability in it was found (arbitrary code execution on the server). The quantity of affected users, compared to the impact it would have if hacked, made me choose the option of auto-updates back then, even if I now agree it wasn’t clever (and I ended up shooting myself I’m the foot). These days I just do updates semi-regularly and I am subscribed to mailing lists like oss-security to know there’s a vulnerability as early as possible. Plus I am not the only person in charge anymore.

      • Yote.zip@pawb.social
        link
        fedilink
        English
        arrow-up
        3
        ·
        1 year ago

        I’m not a real sysadmin so take it with a grain of salt, but in all reality this is probably why you would choose something like Debian for a server instead a bleeding-edge distro. Debian quickly backports security updates and fixes but otherwise keeps everything else stable and extremely well-tested, which pretty much 100% prevents serious bugs from reaching its Stable branch. You may still need to figure out an appropriate strategy for keeping your Mastodon container updated, but at least the rest of your system isn’t at risk of causing catastrophic errors like this. Also, Debian Stable does allow you to auto-upgrade security patches only, if you still want that functionality.

        • tarneo@lemmy.mlOP
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          I totally agree. But I just wouldn’t necessarily say gentoo is a bleeding edge distro: it’s kinda up to the user. They are free to configure the package manager (portage) however they want and can even do updates manually. I just like the idea of having newer packages at the cost of stability, because I also use the server as a shell account host (with an isolated user ;-)) and need things like the latest neovim. These days I would know if an update failed because I would literally be in front of the process and test services are working after the updates, so I’d know if I have to rollback. This makes it basically like a stable distro IMO (even though the packages aren’t battle tested before being pushed as updates).

          • skilltheamps@feddit.de
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            1 year ago

            I don’t know to what extent you got molested by the prophets of immutable distros yet, but I can only recommend to join the cult. Install Fedora IoT (or CoreOS) and simply know that you’ll get a working container host (powered by podman) with every update. The whole discussion about which distro might survive whatever massacre the respective package manager commits next becomes superflous: You simply get the next image that was built upstream solely to serve containers. The whole package-udpating-shengiangs is done by other people for you, you only collect the sweet result. The only “downside” is that one has to become familiar with containers, but since you run docker already that should work out. Also for stuff like tinkering with the latest tools, just put those in a distrobox. That way they are indipendent from your solid container host, and you can mess them up in whatevery way you fancy and dispose them without any traces left behind.

            Edit: To give one more example why this is awesome: It wouldn’t even matter which one you install, you can just rebase to the other (IoT lives in the fedora-iot remote. silverblue, coreos and the others in the fedora remote. Just for anybody who might be confused by only looking at ostree remote refs fedora)

            • tarneo@lemmy.mlOP
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              To me, this is only one of the few advantages of immutability. I have already used nixOS on a server and I really didn’t like having to learn how to do everything the right way. As for distrobox, to me it sounds quite like an additional failure point: it is an abstraction over the containers concept that hides the actual way it is done from you. I’d say if you run an app in a container, go all the way: make the container yourself. To me it just sounds like a bad idea, and I didn’t really like distrobox when I tried it. I just want to say that both of these concepts (immutability, distrobox) would be great if it was perfectly done. But the learning curve of nixos and the wackiness of distrobox drove me away.

              • skilltheamps@feddit.de
                link
                fedilink
                arrow-up
                1
                ·
                edit-2
                1 year ago

                The learning curve of NixOS is also what keeps me from trying it out, hence I prefer the “take it or leave it” mantra of the immutable fedoras, and try to keep the amount of packages I have rpm-ostree layer on top minimal.

                As for Distrobox, yes there’s ways it can fail, altough that happened rarely to me. What happens mostly is that the distro inside distrobox goes kaput because that’s just what mutable distros beared with a plethora of questionable tooling installed with “curl something | bash” does. But for me that’s the point of distrobox: separate all that shady cruft one may need for work/developing/etc from the host os. It’s a place for messing about without messing up the computer and with it the bits that need to keep working

                • tarneo@lemmy.mlOP
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  1 year ago

                  You convinced me for immutable fedora. Maybe I’ll try it out sometime on our backup/testing server and maybe it will make its way to production if I’m happy with it.

                  As for distrobox I’ll see.

                  The main reason I used Gentoo is because of being able to reduce the attack surface with USE flags. But as it seems the tradeoffs with it are greater than the advantages (the mastodon issue I mentioned). If I don’t switch the server to immutable fedora, I’ll just use something like plain fedora or debian I think.

    • The whole “do as I say” prompt existed to make sure that stuff doesn’t happen automatically. It’s rather unfortunate that people don’t read the warnings and just continue when something is clearly wrong, but with that problem fixed by just plain refusing to do some operations I think updates aren’t that big of a risk.

      I wouldn’t run headless automatic updates on a server you’re not willing to spend a day on fixing at the worst moment you can imagine, but automatic updates don’t have to be bad. Debian/Ubuntu’s unattended-upgrades script have never caused me any trouble, especially with their stable release schedule. Maybe they cause a few minutes of performance issues and a few dropped connections, but the automatic security updates are worth the minor inconvenience.

      • Yote.zip@pawb.social
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Right, it was clearly LTT’s fault for not reading, but automatic upgrades are the same thing as not reading. I’ve been using Linux for a very long time now, and I’ve seen Apt try to do some very stupid things before. Maybe it’s better nowadays but I don’t know if I’ll ever shake the gut instinct to not allow Apt to do whatever it thinks is right.

        • I’ve run into apt asking me if I want to remove my entire desktop environment before, but very rarely did it leave things as broken as bad as what triggered the “do as I say” prompt.

          Honestly, for Linux to gain any popularity, apt/dnf/pacman commands need to disappear from the Linux basics everyone needs to get through. We have had GUI package managers forever and they need to be more user friendly (and detect when you’re doing very stupid things with clear warnings, like “doing this will probably break your entire install” without expecting the end user to read a wall of cryptic text).

          The trick to apt is to make sure nothing gets removed when you install stuff and only a few packages get removed if you uninstall stuff. Aptitude is better at listing the impact of what you’re doing and will suggest alternatives, but it can still use a GUI to make things clear for normal people.

          • Yote.zip@pawb.social
            link
            fedilink
            English
            arrow-up
            1
            ·
            1 year ago

            Yeah I really don’t trust GUI package managers yet. I feel like they shouldn’t be that hard to get working properly, but I always seem to get quirky behavior when I try to use them. As for readability apt is one of the worse tools IMO. I’ve been using nala lately and really like how it lays out its operations. Contrast that format to what Linus saw in his video.

            Maybe we could have a blacklist of packages/metapackages marked “important” that cause warnings, like xorg, pipewire, pulseaudio, kde-desktop, gnome-desktop, etc. If you’re uninstalling something like that you better hit confirm twice because that’s not typical behavior.