How to activate security updates on Ubuntu

Please take a moment to read the security recommendations for VREs. If you wish to keep using the same VRE for longer than 3 weeks, automatic security updates for the VRE’s OS must be turned on. This manual describes how to enable these for any VREs running Ubuntu Linux. At the moment security updates for Ubuntu are turned on by default on ResearchCloud, so no action should be necessary. This manual exists in case this default setting changes in the future.

Contact us if you run into any problems with the instructions below.

Understanding automatic security updates for Ubuntu

The Ubuntu OS has a feature called “unattended upgrades” that will automatically install security updates for installed packages as they become available. These are currently enabled on ResearchCloud by default. However, you can easily activate the feature yourself, as long as you have admin rights on the workspace.

For longer-living workspaces, it is also heavily recommended to install a vulnerability scanning tool that actively monitors your workspace for weaknesses. Please contact us for help with this.

Please note:

  • These updates are only for system packages installed using Ubuntu’s package management system, apt. Any other software on the workspace (for instance, software installed directly from Github) will not be updated by this mechanism. If this is security sensitive (for instance, if it is a web application), you will need to find other ways of keeping it secure and updated.
  • Only security patches will be installed, so the ‘major’ version of the packages you use will remain the same.

Advanced notes:

  • For almost all updates, the new version will become active immediately. This means that in very rare cases, an update may interfere with a running process. There is thus a tradeoff between security and stability, but such interference is rare and enabling unattended upgrades is considered best practice for Ubuntu servers.
  • There is one exception to the rule that updated versions will become automatically active: if the Linux kernel itself is updated, this will require a pause/resume of the workspace to become active. This happens rarely, but you can monitor for this by installing the aforementioned scanning tool (contact us).

Manually enabling automatic security updates

Prerequisites

  • A Catalog Item using Ubuntu Linux
  • Admin rights on the workspace

Workspaces with a desktop environment

See here for how to login on the workspace.

Steps:

  1. In the Applications menu (top left), go to Settings > Software & Updates.
  2. Go to the Updates tab.
  3. From the dropdown When there are security updates, select Download and install automatically.

Alternatively, you can open a terminal and follow the instructions below for enabling security updates from the command line.

Workspaces with command line access

See here for how to login on the workspace with SSH.

In you terminal, execute the following commands:

sudo systemctl enable apt-daily.timer
sudo systemctl enable apt-daily-upgrade.timer
sudo systemctl start apt-daily.timer
sudo systemctl start apt-daily-upgrade.timer