[arch-general] "Automatic" upgrade
Hi,

I know it is highly discouraged and that it can break the machine, but I have a good reason to do it anyway: it's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine -- and the other person who has root access to the machine doesn't think of doing the upgrade regularly: the last upgrade was 2 months ago, despite regular reminders.

However, I want to do it the best way:
- Check that the Arch news didn't change
- ssh is run as a service and not a socket (it's a headless machine)
- Ignore ssh, linux, grub upgrades
- Transmit the log by email (I *will* read it)
- Send by email the list that will be upgraded before doing the upgrade

Anything else I should check before running an automatic upgrade? Any other advice?

Thanks in advance for any advice!

Best regards,
-- Ismaël
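An added example, not part of the original post, of how the checklist above can be wired into an unattended upgrade wrapper on an Arch machine. It assumes `checkupdates` from pacman-contrib, `curl`, and a working `mail` command (for example s-nail) with outbound delivery, and that OpenSSH ships `sshd.service`/`sshd.socket` units; `STATE_DIR`, `MAILTO`, the feed URL handling and the package names in `IGNORE_PKGS` are assumptions to adjust. The news check hashes only the feed's `<title>` entries so that a per-fetch build timestamp does not count as "news changed", and a human acknowledges new news by hand with the `ack` mode.

```shell
#!/bin/bash
# Added example: unattended pacman upgrade with the safety checks from the post.
# Assumptions: checkupdates (pacman-contrib), a working `mail` (e.g. s-nail),
# curl, and OpenSSH's sshd.service/sshd.socket units. Run as root from a timer.
set -u

NEWS_URL="https://archlinux.org/feeds/news/"
STATE_DIR="${STATE_DIR:-/var/lib/auto-upgrade}"    # assumed location
MAILTO="${MAILTO:-root}"                            # assumed recipient
IGNORE_PKGS="${IGNORE_PKGS:-openssh linux grub}"    # never upgraded unattended

# Digest of the feed's <title> entries only (assumption: titles identify the
# news items; a changing build timestamp elsewhere must not count as news).
feed_digest() {
    printf '%s' "$1" | grep -o '<title>[^<]*</title>' | sha256sum | cut -d' ' -f1
}

# 0 if the feed text ($1) still matches the acknowledged digest file ($2), 1 if news changed.
news_unchanged() {
    local old
    old=$(cat "$2" 2>/dev/null || true)
    [ "$(feed_digest "$1")" = "$old" ]
}

# Turn "openssh linux grub" into pacman's --ignore=openssh,linux,grub (empty list -> nothing).
ignore_args() {
    [ -n "$1" ] || return 0
    printf -- '--ignore=%s' "$(printf '%s' "$1" | tr ' ' ',')"
}

# sshd must be a plain service, not socket-activated, on a headless box:
# $1 = `systemctl is-enabled sshd.service`, $2 = `systemctl is-enabled sshd.socket`.
sshd_mode_ok() { [ "$1" = "enabled" ] && [ "$2" != "enabled" ]; }

# Human step after reading the news: record the current feed as acknowledged.
ack_news() {
    mkdir -p "$STATE_DIR"
    feed_digest "$(curl -fsS "$NEWS_URL")" > "$STATE_DIR/news.sha256"
}

run_upgrade() {
    local feed pending log svc sock rc
    feed=$(curl -fsS "$NEWS_URL") || {
        echo "news fetch failed, upgrade skipped" | mail -s "[auto-upgrade] skipped" "$MAILTO"; return 1; }
    if ! news_unchanged "$feed" "$STATE_DIR/news.sha256"; then
        echo "Arch news changed since the last ack; read it, then run: $0 ack" |
            mail -s "[auto-upgrade] news changed, upgrade skipped" "$MAILTO"
        return 1
    fi
    svc=$(systemctl is-enabled sshd.service 2>/dev/null || true)
    sock=$(systemctl is-enabled sshd.socket 2>/dev/null || true)
    if ! sshd_mode_ok "$svc" "$sock"; then
        echo "sshd.service=$svc sshd.socket=$sock" |
            mail -s "[auto-upgrade] sshd is not a plain service, upgrade skipped" "$MAILTO"
        return 1
    fi
    # checkupdates syncs a private copy of the databases, so an aborted run never
    # leaves the real databases ahead of the installed packages.
    pending=$(checkupdates 2>/dev/null || true)
    [ -n "$pending" ] || return 0
    printf '%s\n' "$pending" | mail -s "[auto-upgrade] packages about to be upgraded" "$MAILTO"
    log=$(mktemp)
    # $(ignore_args ...) is deliberately unquoted: it expands to one option or to nothing.
    pacman -Syu --noconfirm $(ignore_args "$IGNORE_PKGS") > "$log" 2>&1
    rc=$?
    mail -s "[auto-upgrade] pacman exit status $rc (check the log for .pacnew files)" "$MAILTO" < "$log"
    rm -f "$log"
    return "$rc"
}

# `run` from a timer or cron; `ack` by hand after the news has been read.
case "${1:-}" in
    run) run_upgrade ;;
    ack) ack_news ;;
esac
```

A non-zero pacman exit status (the conflicts Florian mentions below are the usual cause) ends up in the mailed log rather than being silently retried, and the three skip conditions each send their own mail so a quiet machine is never mistaken for an upgraded one.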
On 11.02.2014 11:42, Ismael Bouya wrote:
It's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine --
Set up an automatic tunnel (simple service that just runs autossh or similar) or use a VPN (openvpn, tinc) and do the upgrade yourself. Automatic upgrades won't work if there are conflicts which sadly happens quite a few times every year.
(Tue, Feb 11, 2014 at 12:56:39PM +0100) Florian Pritz :
On 11.02.2014 11:42, Ismael Bouya wrote:
It's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine --
Set up an automatic tunnel (simple service that just runs autossh or similar) or use a VPN (openvpn, tinc) and do the upgrade yourself.
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"... (The machine which has Archlinux is an exception and he's not aware of its existence) It's one thing to ask someone to manually create a tunnel so that I can access the machine once in a while. It's another one to bypass the sysadmin politics and risk problems if anything happens.
Automatic upgrades won't work if there are conflicts which sadly happens quite a few times every year.
Sure, but I can do it manually then... -- Ismael
On 2014-02-11 13:17, Ismael Bouya wrote:
(Tue, Feb 11, 2014 at 12:56:39PM +0100) Florian Pritz :
On 11.02.2014 11:42, Ismael Bouya wrote:
It's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine --
Set up an automatic tunnel (simple service that just runs autossh or similar) or use a VPN (openvpn, tinc) and do the upgrade yourself.
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"...
That's a pretty idiotic attitude. Even a working machine needs security patches etc.
(Tue, Feb 11, 2014 at 01:20:12PM +0100) paladin@jstation.cz :
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"...
That's a pretty idiotic attitude. Even a working machine needs security patches etc.
I do agree with you on that point, and on many others which you cannot imagine before you face it, but that's not something I can change. (Just in case it wasn't clear: I'm obviously not that person) -- Ismael
On Tue, Feb 11, 2014 at 01:17:22PM +0100, Ismael Bouya wrote:
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"... (The machine which has Archlinux is an exception and he's not aware of its existence) It's one thing to ask someone to manually create a tunnel so that I can access the machine once in a while. It's another one to bypass the sysadmin politics and risk problems if anything happens.
You could establish a VPN/tunnel originating from the server you want to update. That way, from the machine's view, it is an outgoing connection and might not be restricted by the firewall. You can then use the existing tunnel to ssh back to the machine. Of course this would require an accessible server somewhere outside. -- Constantin
(Tue, Feb 11, 2014 at 01:29:30PM +0100) Constantin :
You could establish a VPN/tunnel originating from the server you want to update. That way, from the machine's view, it is an outgoing connection and might not be restricted by the firewall. You can then use the existing tunnel to ssh back to the machine. Of course this would require an accessible server somewhere outside.
Sure, that's what I understood in the former message, and already thought of doing it. The problem that I have (maybe it wasn't clear in my message) is that then I give an "obvious" *permanent* entry point to a network that is willingly closed. If anything happens (even if I'm quite confident with the security of the machine, we never know), it's my responsibility, and I don't want that. -- Ismael
You could set up a cron job on that server that checks for a specific code in a dropbox directory, or in an email account, and when received, it deletes the {mail|file} and activates an SSH tunnel or a VPN to which you can connect. All you should have to do when you want to connect is send the email / put the file, wait a bit and then connect to the server. You'll have to close the tunnel when you disconnect however, or perhaps the same cron job can close it upon receiving another code.

-- Ignorance is a curable ill; all it takes is the will.

On 11 February 2014 13:35, Ismael Bouya <ismael.bouya@normalesup.org> wrote:
(Tue, Feb 11, 2014 at 01:29:30PM +0100) Constantin :
You could establish a VPN/tunnel originating from the server you want to update. That way, from the machine's view, it is an outgoing connection and might not be restricted by the firewall. You can then use the existing tunnel to ssh back to the machine. Of course this would require an accessible server somewhere outside.
Sure, that's what I understood in the former message, and already thought of doing it. The problem that I have (maybe it wasn't clear in my message) is that then I give an "obvious" *permanent* entry point to a network that is willingly closed. If anything happens (even if I'm quite confident with the security of the machine, we never know), it's my responsibility, and I don't want that.
-- Ismael
On 11 Feb 2014 13:17, "Ismael Bouya" <ismael.bouya@normalesup.org> wrote the following:
(Tue, Feb 11, 2014 at 12:56:39PM +0100) Florian Pritz :
On 11.02.2014 11:42, Ismael Bouya wrote:
It's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine --
Set up an automatic tunnel [...] That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"... (The machine which has Archlinux is an exception and he's not aware of its existence) It's one thing to ask someone to manually create a tunnel so that I can access the machine once in a while. It's another one to bypass the sysadmin politics and risk problems if anything happens.
How about establishing regular maintenance intervals? This way, the VPN could be active at these times for you to use and be disabled the rest of the time. Depending on the setup, this could be easily automated. If I understand the admin correctly, he'll be happy with the fixed timing (easier to plan for). This kind of appointment could even work for situations where the Arch box initiates the connection. Since the admins know about it in advance (and agreed to it), they won't just block it.

Kind regards,
Guus
How about establishing regular maintenance intervals?
This way, the VPN could be active at these times for you to use and be disabled the rest of the time. Depending on the setup, this could be easily automated. If I understand the admin correctly, he'll be happy with the fixed timing (easier to plan for).
Yes, that's more or less what I was starting to think of after Al O'Nerd's suggestion (which was better than what I thought of so far but still had the problem of a potential undesired access while I'm "not there"), but you put it in words better than me. Thanks all for your help! -- Ismael
On 02/11/2014 07:17 AM, Ismael Bouya wrote:
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"
Then your sysadmin is incompetent, since he is completely ignorant of the concept of "security upgrades". DR
On Tue, Feb 11, 2014 at 5:19 PM, David Rosenstrauch <darose@darose.net> wrote:
On 02/11/2014 07:17 AM, Ismael Bouya wrote:
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"
Then your sysadmin is incompetent, since he is completely ignorant of the concept of "security upgrades".
DR
While I agree on disagreeing with this sysadmin, I think that their point of view is not properly represented. I've known that position before:
1. Upgrades sometimes go wrong.
2. Upgrades that go fine sometimes have unexpected behavior.
3. My machine is not connected to the Internet, so it's not exposed to attack.

The sysadmin's conclusion is therefore:
1. What do I gain upgrading? Nothing.
2. What do I lose upgrading? Maybe something goes wrong.

My guess here is that this "secure" network is full of non-upgraded (Windows?) machines, and security is attained exclusively by network isolation.

So my advice to the OP is to play safe and not to program any kind of inbound tunnel. That could end in disaster and you would be responsible! Just limit the access to your mole's handmade tunnel, or play by the rules and not upgrade (ugh!).

Just my €0.02.
-- Rodrigo
(Tue, Feb 11, 2014 at 07:00:41PM +0100) Rodrigo Rivas :
My guess here is that this "secure" network is full of non-upgraded (Windows?) machines, and security is attained exclusively by network isolation.
No, they are all on Linux. The problem here is that it creates a lot of problems for work: outdated browser (some websites inaccessible), outdated bash and programs (hard to believe, but they have evolved a lot!!). We must do everything by ourselves, hence the "hidden" machine: to handle backups of our data since he doesn't do it properly (last year his backup/nfs server failed and we stayed a few months with an inconsistently rebuilt home, and the "emergency solution" went on to break also afterwards and...)
So my advice to the OP is to play safe and not to program any kind of inbound tunnel. That could end in disaster and you would be responsible! Just limit the access to your mole's handmade tunnel, or play by the rules and not upgrade (ugh!).
Hum hum... I'm still hesitating on what exactly I will do, but it won't stay like that... Anyway, thanks all for all the advice! -- Ismael
On 2014-02-11 13:17, Ismael Bouya wrote:
(Tue, Feb 11, 2014 at 12:56:39PM +0100) Florian Pritz :
On 11.02.2014 11:42, Ismael Bouya wrote:
It's highly impractical for me to access the machine from where I am -- even remotely: I need someone to manually open a tunnel each time I want to access the machine --
Set up an automatic tunnel (simple service that just runs autossh or similar) or use a VPN (openvpn, tinc) and do the upgrade yourself.
That's not an option. The network on which the machine is is willingly inaccessible from outside: The sysadmin there has the principle that "a machine that works shouldn't be upgraded, because then it can break"... (The machine which has Archlinux is an exception and he's not aware of its existence) It's one thing to ask someone to manually create a tunnel so that I can access the machine once in a while. It's another one to bypass the sysadmin politics and risk problems if anything happens.
Can the machine download emails from a remote server? You could set something up that downloads emails from a certain mailbox, validates their PGP signature, and runs the body as a shell script. Tedious, but it works.
Automatic upgrades won't work if there are conflicts which sadly happens quite a few times every year.
Sure, but I can do it manually then... -- Ismael
-- Hugo Osvaldo Barrera
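An added example, not code from anyone in this thread, combining three of the suggestions above: Al O'Nerd's cron job that looks for a code in a mailbox and opens or closes a tunnel (deleting the message once used), Guus's idea of only allowing this during an agreed maintenance window, and Hugo's PGP-signed mail, with the signer checked against one pinned key rather than just "any valid signature". It assumes a Maildir the machine already fetches into (with fetchmail, getmail or similar), `gpg` with the operator's public key imported, a relay host outside the network that the box may reach on port 22, and the `timeout` utility from coreutils; every host name, path and fingerprint below is a placeholder. Unlike Hugo's version it does not run the body as a script: the signed body may only name one of two fixed actions, and each message carries a nonce so a captured trigger cannot be replayed.

```shell
#!/bin/bash
# Added example: polled, signed trigger that opens a reverse SSH tunnel only
# inside an agreed maintenance window. Assumptions: a Maildir the box fetches
# into, gpg with the operator's key imported, a reachable relay host, and
# coreutils `timeout`. Every name below is a placeholder.
set -u

MAILDIR="${MAILDIR:-/var/lib/trigger/Maildir}"
TRUSTED_FPR="${TRUSTED_FPR:-0000000000000000000000000000000000000000}"  # operator's key (placeholder)
SEEN_FILE="${SEEN_FILE:-/var/lib/trigger/seen-nonces}"
PID_FILE="${PID_FILE:-/run/maint-tunnel.pid}"
RELAY="${RELAY:-tunnel@relay.example.org}"                            # placeholder
WINDOW_DAY="${WINDOW_DAY:-Tue}"; WINDOW_START=2; WINDOW_END=4          # agreed with the site admin
MAX_LIFETIME=7200                                                      # seconds; tunnel dies even without a "close"

# `gpg --verify` exits 0 for ANY key in the keyring, so pin the signer: the
# VALIDSIG line of --status-fd output ($1) must carry the one trusted fingerprint ($2).
signature_ok() {
    local fpr
    fpr=$(printf '%s\n' "$1" | awk '$2 == "VALIDSIG" { print $3; exit }')
    [ -n "$fpr" ] && [ "$fpr" = "$2" ]
}

# The signed body may only name one of two actions; anything else is rejected.
parse_command() {
    case "$1" in
        open-tunnel|close-tunnel) printf '%s' "$1" ;;
        *) return 1 ;;
    esac
}

# Replay defence: the body's second line is "nonce <value>"; each value is honoured once.
nonce_fresh() {
    [ -n "$1" ] || return 1
    grep -qxF "$1" "$2" 2>/dev/null && return 1
    printf '%s\n' "$1" >> "$2"
}

# Maintenance window check: $1 = day (`date +%a`), $2 = hour (`date +%H`, zero-padded allowed).
in_window() {
    [ "$1" = "$WINDOW_DAY" ] && [ "$((10#$2))" -ge "$WINDOW_START" ] && [ "$((10#$2))" -lt "$WINDOW_END" ]
}

open_tunnel() {
    [ -f "$PID_FILE" ] && kill -0 "$(cat "$PID_FILE")" 2>/dev/null && return 0   # already up
    # Outgoing connection from the box; port 2222 on the relay then reaches sshd here.
    timeout "$MAX_LIFETIME" ssh -N -o ExitOnForwardFailure=yes -R 2222:localhost:22 "$RELAY" &
    echo $! > "$PID_FILE"
}

close_tunnel() {
    [ -f "$PID_FILE" ] && kill "$(cat "$PID_FILE")" 2>/dev/null
    rm -f "$PID_FILE"
}

# Called every few minutes by cron or a systemd timer; each message is consumed once.
process_mailbox() {
    local msg status body cmd nonce
    for msg in "$MAILDIR"/new/*; do
        [ -f "$msg" ] || continue
        # Extract the clearsigned part; --decrypt verifies it and prints the signed text.
        body=$(sed -n '/^-----BEGIN PGP SIGNED MESSAGE-----$/,/^-----END PGP SIGNATURE-----$/p' "$msg" |
               gpg --batch --status-fd 3 --output - --decrypt 3>"$msg.status" 2>/dev/null)
        status=$(cat "$msg.status")
        rm -f "$msg.status" "$msg"          # one shot, whether or not it validates
        signature_ok "$status" "$TRUSTED_FPR" || continue
        cmd=$(parse_command "$(printf '%s\n' "$body" | sed -n 1p)") || continue
        nonce=$(printf '%s\n' "$body" | awk 'NR == 2 && $1 == "nonce" { print $2 }')
        nonce_fresh "$nonce" "$SEEN_FILE" || continue
        in_window "$(LC_ALL=C date +%a)" "$(date +%H)" || continue
        case "$cmd" in
            open-tunnel)  open_tunnel ;;
            close-tunnel) close_tunnel ;;
        esac
    done
}

if [ "${1:-}" = "poll" ]; then process_mailbox; fi
```

The trust that Ismael objects to below is still there, reduced to one public key and one relay host, but the exposure is bounded three ways: the relay only ever sees an outgoing connection that the box chose to make, the tunnel cannot outlive `MAX_LIFETIME` even if the "close" mail never arrives, and a trigger outside the agreed window is dropped rather than queued.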
(Tue, Feb 11, 2014 at 09:51:10PM -0300) Hugo Osvaldo Barrera :
Can the machine download emails from a remote server? You could set something up that downloads emails from a certain mailbox, validates their PGP signature, and runs the body as a shell script. Tedious, but it works.
Yes (I didn't test it actually but I think I can have it), but it's always the same problem: I have to trust "something" (a GPG key, an SSH key, a VPN, a machine, whatever...) outside of the closed network. The advantage of what I was trying to do in the first place (automatic upgrades) is that I don't need to open a hole to access the machine as long as there is no problem. -- Ismael
participants (9):
- Al O'Nerd
- Constantin
- David Rosenstrauch
- Florian Pritz
- Guus Snijders
- Hugo Osvaldo Barrera
- Ismael Bouya
- paladin@jstation.cz
- Rodrigo Rivas