apt-get update needed so that packages are kept updated

[mvl22]

I do a manual package update on the servers from time to time, but this isn't ideal.

sudo apt-get -y update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade && sudo apt-get -y autoremove

I think the chef process ought to do this update itself.

I don't think there should be any concerns about things breaking: Debian/Ubuntu maintenance is pretty good, and their policy is not to have version changes within updates (e.g. Postgres won't suddenly go from 9.3 to 9.6 in the same release series). In any case, if someone were installing things from new, the latest package versions would be found.

[mvl22]

@nikolai-b Could you give some thought to this?

[nikolai-b]

Hmm, we already have unattended-upgrades but that only installs security updates. We can change it to do that in /etc/apt/apt.conf.d/50unattended-upgrades I'm somewhat afraid of that as it means the system might do strange things between deployments.

If you want I can upgrade packages when deploying in the chef scripts. It has minor extra risks (as we are then doing multiple things - updating our code and the underlying system at the same time) but I agree it is very likely to be safe.

[mvl22]

If you want I can upgrade packages when deploying in the chef scripts.

That's what I was thinking - that the Chef run should include updating packages. Presumably if a failure occurs we would get an e-mail.