Comprehensive security update automation: 1. Debian OS (unattended-upgrades) — tightened to security-only: - Removed general Debian updates (prevents feature/breaking changes) - Only Debian-Security origins auto-installed - Email admin on every upgrade via ops@performancewest.net - Auto-reboot at 4 AM if kernel update requires it - needrestart auto-restarts services after library updates 2. Docker CE — major version guard: - Patch updates within pinned major version auto-applied - Major version jumps held + admin alerted for manual review - docker-ce, docker-ce-cli, containerd.io all version-guarded 3. Container base images — daily at 3:30 AM: - Pulls latest base images for all docker-compose services - Compares image digests — only rebuilds if changed - Restarts only affected services (not full stack) - Alerts admin on rebuild failures requiring manual intervention - Covers both prod and dev compose projects 4. k3s — weekly Sunday at 3:45 AM: - Patch updates within current minor auto-applied - Minor/major upgrades alert admin for manual review - Verifies node Ready status after update - Alerts on failures with investigation instructions 5. Admin notifications via SMTP: - [INFO] for successful patches - [WARNING] for available major upgrades needing review - [CRITICAL] for failures requiring immediate intervention - Falls back to syslog if SMTP unavailable Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
35 lines
2.4 KiB
Django/Jinja
35 lines
2.4 KiB
Django/Jinja
#!/usr/bin/env bash
|
|
# ══════════════════════════════════════════════════════════════════════════════
|
|
# Docker Version Guard — Performance West
|
|
#
|
|
# Checks if a Docker CE major version upgrade is available. If so, holds the
|
|
# current packages and alerts the admin. Patch updates within the pinned
|
|
# major version are allowed to flow through unattended-upgrades.
|
|
#
|
|
# Run by: apt pre-invoke hook or manually
|
|
# ══════════════════════════════════════════════════════════════════════════════
|
|
set -euo pipefail
|
|
|
|
PINNED_MAJOR="{{ docker_major_version_pin }}"
|
|
ALERT_SCRIPT="/usr/local/bin/pw-security-alert"
|
|
|
|
current_version=$(dpkg-query -W -f='${Version}' docker-ce 2>/dev/null || echo "0.0.0")
|
|
current_major=$(echo "$current_version" | grep -oP '^\d+' || echo "0")
|
|
|
|
# Check what's available
|
|
apt-get update -qq 2>/dev/null
|
|
available_version=$(apt-cache policy docker-ce 2>/dev/null | grep 'Candidate:' | awk '{print $2}')
|
|
available_major=$(echo "$available_version" | grep -oP '5:\K\d+' || echo "$current_major")
|
|
|
|
if [ "$available_major" != "$PINNED_MAJOR" ] && [ "$available_major" != "$current_major" ]; then
|
|
# Major version jump detected — hold packages and alert admin
|
|
apt-mark hold docker-ce docker-ce-cli containerd.io 2>/dev/null || true
|
|
logger -t "pw-docker-guard" "Docker CE major upgrade available: $current_version -> $available_version (held)"
|
|
|
|
$ALERT_SCRIPT "Docker CE Major Upgrade Available — Manual Review Required" \
|
|
"A Docker CE major version upgrade is available but has been held:\n\n Current: $current_version (major $current_major)\n Available: $available_version (major $available_major)\n Pinned major: $PINNED_MAJOR\n\nMajor Docker upgrades may include breaking changes. Please review the changelog and upgrade manually:\n\n apt-mark unhold docker-ce docker-ce-cli containerd.io\n apt-get update && apt-get upgrade docker-ce docker-ce-cli containerd.io\n systemctl restart docker\n cd {{ project_dir }} && docker compose up -d" \
|
|
"warning"
|
|
else
|
|
# Same major — ensure packages are NOT held (allow patch updates)
|
|
apt-mark unhold docker-ce docker-ce-cli containerd.io 2>/dev/null || true
|
|
fi
|