Security Patches and Updates

During installation, the system automatically installs an application named “security”, which is a collection of the latest security patches available, at the time the system was built, for the various pieces of software in the platform. Updates to this application are released to customers regularly. The security application provides these updates but does not install them automatically, which allows customers with concerns to verify them on lab machines first, for example. Some security updates may also require scheduled downtime to complete. For this reason, the final installation of updates is a manually triggered process.

The health command will inform the user if any security updates are currently available but not installed. Users can install security updates at any time by running the command:

security update

Those who would prefer to automate this can create a scheduled command to do so on a regular basis. The security update installs all operating system updates to both the main system and the application jails, but it does not generally contain updates to the core applications themselves. These are shipped separately as new application install versions because they require additional QA to ensure compatibility.

To manage security updates in a cluster, two options are available:

  1. Run security update on each node in the cluster.

  2. Carry out the update in two steps:

    1. From the primary unified node, run:

      cluster run notme security update

      Wait for security updates to complete on these nodes in the cluster.

    2. Then on the primary unified node, run:

      security update

Example output:

platform@development:~$ security update
You are about to upgrade the system, which may cause services to restart.
   Do you wish to continue? y
Application snmp processes stopped.
Installing updates for the main operating system
Starting system security update. This will take a few minutes
Checking packages to start the update process
Updating applications
Application processes stopped.

Application services:firewall processes stopped.
Application services processes started.
Updating /opt/platform/apps/mongodb/chroot
...........................................
Updating /opt/platform/apps/voss-deviceapi/chroot
......................................
Updating /opt/platform/apps/selfservice/chroot
.........................................
Updating /opt/platform/apps/nginx/chroot
......................................
The system is preparing for core security updates.
   This is a required step and will require a reboot
Core security updates are now completed, system is configuring updates

Application processes stopped.
Application  processes started.
Your system is fully updated and may require a reboot.
   Run 'system reboot' or 'cluster run all system reboot' if updates were applied.
platform@development:~$ system reboot
You are about to reboot the system. Do you wish to continue? y
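
The following is an added example, not part of the product or its documentation: a Python check that an operator could run over a captured `security update` session to confirm the run reached its completion message and whether a reboot was issued afterwards. The matched strings come from the example output above; the function names, status labels and the abridged sample transcript are constructed for illustration.

```python
import re

# Constructed sample: abridged transcript in the format of the example output above.
SAMPLE = """\
platform@development:~$ security update
Installing updates for the main operating system
Updating /opt/platform/apps/mongodb/chroot
...........................................
Updating /opt/platform/apps/nginx/chroot
......................................
Core security updates are now completed, system is configuring updates
Your system is fully updated and may require a reboot.
   Run 'system reboot' or 'cluster run all system reboot' if updates were applied.
platform@development:~$ system reboot
You are about to reboot the system. Do you wish to continue? y
"""

JAIL_RE = re.compile(r"^Updating (/\S+)/chroot$")
PROMPT_RE = re.compile(r"^\S+@\S+:\S*\$ (.+)$")
MAIN_OS = "Installing updates for the main operating system"
DONE = "Your system is fully updated and may require a reboot."

def audit_transcript(text):
    """Summarise one captured 'security update' session (hypothetical helper)."""
    r = {"main_os": False, "jails": [], "completed": False, "rebooted": False}
    for raw in text.splitlines():
        line = raw.strip()
        jail = JAIL_RE.match(line)
        cmd = PROMPT_RE.match(line)
        if line == MAIN_OS:
            r["main_os"] = True
        elif jail:
            # Record the application whose jail (chroot) was updated.
            r["jails"].append(jail.group(1).rsplit("/", 1)[-1])
        elif line == DONE:
            r["completed"] = True
        elif cmd and cmd.group(1).endswith("system reboot"):
            # Only count a reboot issued after the completion message.
            r["rebooted"] = r["completed"]
    return r

def status(r):
    if not r["completed"]:
        return "incomplete"  # session dropped or update did not finish
    return "updated-rebooted" if r["rebooted"] else "updated-no-reboot"

if __name__ == "__main__":
    print(status(audit_transcript(SAMPLE)))
```

A transcript that ends before the completion message is reported as incomplete, which is the case to follow up on a node before updating the primary unified node.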