Best practice: unattended-upgrades vs OMV for security updates?

  • Hi there,


    I am still an OMV beginner and running multiple test instances of OMV6. So far it looks good for moving away from TrueNAS to the much easier end-user handling of OMV compared to TrueNAS.

    So many thanks to the maintainer of this great project!


    What is not clear to me is the update system of OMV6


    Debian provides unattended-upgrades, which ensures that critical security updates of Debian get installed quickly on the machine.

    My policy is also to prefer being protected over having the confidence that the system only gets changed in a planned way. That means I accept a failure of a service caused by automatic updates over a manually controlled environment which gets planned upgrades. The reason is that human resources (incl. me) may be missing due to illness, being overloaded, or whatever else.


    So I would like to ensure that the security updates published by the Debian team get "immediately" (through the daily cron) upgraded automatically.

    I cannot see such a behavior of the OMV6 update system.


    Also, I am not clear whether the OMV update system and unattended-upgrades can coexist side by side on the same system.


    Also, it is not clear to me whether the crontab of chrony reliably executes the crontab which contains the daily/weekly/monthly tasks for unattended-upgrades.


    Can someone clarify all these questions?

  • I cannot see such a behavior of the OMV6 update system

    By default, OMV6 automatically installs the security updates from Debian unless you deactivate it.

    Security updates not installed automatically in OMV6 - Updates/Upgrades - openmediavault


    As for running alongside unattended-upgrades, there was a report by a user that it screwed OMV.

    This was at the beginning of v6 and no other reports from anyone happened again, or at least, there were no new threads about it.

    Maybe because (almost) no one uses unattended-upgrades:

    unattended-upgrades decided to uninstall openmediavault packages - why? - Updates/Upgrades - openmediavault

  • By default, OMV6 automatically installs the security updates from Debian unless you deactivate it.

    Security updates not installed automatically in OMV6 - Updates/Upgrades - openmediavault

    My issue is that I cannot see settings about the automatic updates. And the documentation here is also confusing


    Code
    The server uses cron-apt to
    perform a daily apt-get update and fetch upgrade packages automatically. If you
    have notifications enabled you receive an email every time packages are ready
    for install.

    So the documentation states only a download, but the install/upgrade of the packages is not named. Nor is there a setting on the UI to see if this feature is active or disabled.


    So can you please clarify that the installation of the security-relevant packages is really done automatically? And where can I find the setting for this feature?

    To be specific, is the setting available on the UI?


    Code
    sudo omv-env get OMV_APT_USE_OS_SECURITY
    gives nothing


    If the security updates get automatically installed by OMV, what is the delay of the updates from the point Debian releases a security update for the distribution?

    To be clearer:

    - Debian 11 gets a security update for sshd on 4 July at 11:30am

    At what time will this update be available to the OMV6 update system?
    At what time will this update be installed via the OMV6 update system?

  • My issue is that I cannot see settings about the automatic updates. And the documentation here is also confusing

    Please see this post from votdev, which states in the headline that security updates are installed automatically:


    And this confirmation from ryecoaaron about it:


    If you want to check the setting that is set, it's just a matter of:

    sudo omv-env get OMV_APT_USE_OS_SECURITY

    And to confirm (in case you still don't trust it)

    sudo omv-env set OMV_APT_USE_OS_SECURITY true


    As for the documentation, you are right, it is a bit scarce, but you need to see this from an unbiased perspective:

    OMV is coded and maintained by only 2 persons and a few other enthusiasts/helpers that create/write documentation in their free time.

    Keeping all info up to date is not the same as for other solutions that have a lot of supporters/helpers/coders etc.


    If you (us) really like OMV, then we try to keep up-to-date with the changes as we see them coming.


    And, if all else fails, the forum is always a good source of updated info. ;)


    To be specific, the setting is it available on the UI?


    sudo omv-env get OMV_APT_USE_OS_SECURITY

    gives nothing

    About "it gives nothing":


    Unfortunately, these environment settings aren't on the GUI.

    Most need to be set via CLI.


    Custom Configuration — openmediavault 6.x.y documentation

  • I think you are misunderstanding how OMV works. OMV pulls from the Debian repos as soon as there is something to fetch.


    cat `which omv-upgrade` gives essentially this:


    Code
    apt-get update
    apt-get --yes --allow-downgrades --allow-change-held-packages --fix-missing \
            --auto-remove --allow-unauthenticated \
            --show-upgraded --option DPkg::Options::="--force-confold" dist-upgrade

    and cat /etc/cron.daily/openmediavault-cron-apt gives

    Code
    # Remove the '/etc/cron.d/cron-apt' file installed by the cron-apt package.
    rm -rf /etc/cron.d/cron-apt
    
    # Download and install packages.
    test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
    
    # Send an email when a reboot is required.
    if [ -e "/run/reboot-required" ]; then
        echo "A reboot of the system is required to complete a package upgrade." | mail -E -s "Reboot required" root
    fi

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.
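
The thread's open question is whether the daily cron-apt run only downloads packages or also installs them. The script below is an added example, not part of any post and not OMV's or cron-apt's own code: it classifies the apt-get lines in cron-apt action files by whether they carry `-d`/`--download-only`. It assumes `/etc/cron-apt/action.d` is cron-apt's default action directory, and the sample files it builds are constructed.

```shell
#!/bin/sh
# Added example (not OMV's or cron-apt's own code).
# Classify one cron-apt action line (the arguments handed to apt-get).
classify_action_line() (
    set -f                      # no glob expansion while word-splitting $1
    verb=other; dl=no
    for w in $1; do
        case "$w" in
            --download-only) dl=yes ;;
            --*|-*=*) ;;                    # other long options, -x=value
            -*d*) dl=yes ;;                 # -d, or a cluster such as -dy
            upgrade|dist-upgrade|full-upgrade|install) verb=installs ;;
        esac
    done
    if [ "$verb" = other ]; then echo other
    elif [ "$dl" = yes ]; then echo download-only
    else echo installs; fi
)

# Report every upgrade-type line under an action directory on stderr and
# print one verdict on stdout: installs, download-only or none.
# Assumption: /etc/cron-apt/action.d is cron-apt's default action directory.
audit_cron_apt() (
    dir=${1:-/etc/cron-apt/action.d}
    verdict=none
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            c=$(classify_action_line "$line")
            if [ "$c" = other ]; then continue; fi
            echo "${f##*/}: $c: $line" >&2
            if [ "$c" = installs ]; then verdict=installs
            elif [ "$verdict" = none ]; then verdict=$c; fi
        done < "$f"
    done
    echo "$verdict"
)

# Constructed sample: two action files modelled on a download-only setup.
demo_dir=$(mktemp -d)
printf 'update -o quiet=2\n' > "$demo_dir/0-update"
printf 'autoclean -y\ndist-upgrade -d -y -o APT::Get::Show-Upgraded=true\n' \
    > "$demo_dir/3-download"
echo "sample verdict: $(audit_cron_apt "$demo_dir")"
rm -rf "$demo_dir"
```

Calling `audit_cron_apt` with no argument checks the live directory; the per-line report goes to stderr and the single verdict to stdout.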
