Just wondering what tools and techniques people are using to keep on top of updates, particularly security-related updates, for their self-hosting fleet.
I'm not talking about docker containers - that's relatively easy. I have Watchtower pull (not update) latest images once per week. My Saturday mornings are usually spent combing through Portainer and hitting the recreate button for those containers with updated images. After checking the service is good, I manually delete the old images.
But, I don't have a centralised, automated solution for all my Linux hosts. I have a few RasPis and a bunch of LXCs on a pair of Proxmox nodes, all running their respective variation of Debian.
Not a lot of this stuff is exposed direct to the internet - less than a handful of services, with the rest only accessible over Wireguard. I'm also running OPNsense with IPS enabled, so this problem isn't exactly keeping me up at night right now. But, as we all know, security is about layers.
Some time ago, on one of my RasPis, I did setup Unattended Upgrades and it works OK, but there was a little bit of work involved in getting it setup just right. I don't relish the idea of doing that another 40 or so times for the rest of my fleet.
I also don't want all of those hosts grabbing updates at around the same time, smashing my internet link (yes, I could randomise the cron job within a time range, but I'd rather not have to).
I have a fledgling Ansible setup that I'm just starting to wrap my head around. Is that the answer? Is there something better?
Would love to hear how others are dealing with this.
Cheers!
I set up flexo for Arch Linux update caching and squid proxy for Alpine, Debian. This stops me from having to download the same files over and over.
Yeah - a caching proxy would alleviate the pain on internet link, for sure. So flexo is similar to Unattended Upgrades for Debian, yeah? Automates pacman?
No, Flexo is not like Unattended Upgrades. Flexo just downloads packages in a cache for you to download them locally using pacman as usual. It's mainly to increase download speeds and decrease doubledownloadsing the same files in one network to different clients. Unattended Upgrades is actually installing security updates automatically without user input. This is by design not supported and not possible on Arch Linux.
Ah, gotcha. Missed that bit about Squid being for Alpine and Debian. Makes more sense now. Cheers.