Why is auto-update not recommended



  • In searching for ways to automatically upgrade pfSense, I have come across many posts that recommend against automatic updates to pfSense via executing pfSense-upgrade -y but I do not see concrete reasons why this is bad? I would want to be on the latest version and run it at a time when my network traffic is off and not critical. What am I missing?



  • @atclaus said in Why is auto-update not recommended:

    What am I missing?

    The subject is known, you saw the posts. If none of them are show-stoppers for you, you could implement a daily cron job that executes "pfSense-upgrade -y".


  • Netgate Administrator

    Yes, there are some example methods in other posts but as you saw you should not do this in general.

    Aside from the fact that an upgrade almost always necessitates a reboot, which breaks whatever is happening at that moment, there may be something in the release notes that applies specifically to you that breaks everything. Until you read the notes you don't know.

    Steve


  • LAYER 8 Global Moderator

    Yeah would never in a million years suggest auto update your firewall..

    As mentioned you should really read and adhere to anything in the release notes before update.



  • +3 for the above responses. I worked for a Fortune 500 U.S. corporation in the IT group for many years. We were a complete Windows shop for the majority of the business network. Even with that, while we did regularly install updates, it was a very controlled process with lots of application testing required before any update was placed on the WSUS servers for distribution to client devices and servers on the business network.

    I was also involved in process control network security for power plants, and the testing requirements there were even more extreme before any software change was made or an update installed.

    So the auto-update idea might be OK for a home user, but still potentially aggravating if an update goes south. But auto-update is a potential disaster waiting to happen for a large business network. How would you like to be the IT guy that enabled an auto-update that took down the power plant control network and plunged your entire region of the country into complete and utter darkness? ... ☺ .


  • LAYER 8 Global Moderator

    Home user example of problem... You just left for 2 week vacation, and your update goes south and your connection is dead.. Now no vpn back home, now no access to your plex, etc.

    If you want to automate something - automate a notification that you will notice that an update is available, so you can then do the update when it makes sense to do it.. After!! you have read the notes for any special things that might have to be taken into account before the update.



  • @bmeeks said in Why is auto-update not recommended:

    +3 for the above responses. I worked for a Fortune 500 U.S. corporation in the IT group for many years. We were a complete Windows shop for the majority of the business network. Even with that, while we did regularly install updates, it was a very controlled process with lots of application testing required before any update was placed on the WSUS servers for distribution to client devices and servers on the business network.

    Many years ago, I was in 3rd level support (OS/2 and OS/2 & Windows apps) at IBM Canada. Part of my job was to do integration testing of updates, before inflicting them on the users.



  • Thanks all for your input. Very helpful. I forgot for a moment that this is enterprise class software/hardware that I am using at home/small business. That being said, @johnpoz your at home case makes a lot of sense too! I followed another post with some PHP that should check and email me about updates (albeit it is not working yet - weekend troubleshooting). Will use that and not auto update. Appreciate the education!
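
A notify-only check along the lines suggested in the thread, as an added example that is not code from any poster or from Netgate: it reports an available update once and never installs anything. It assumes that `pfSense-upgrade -c` exits with status 2 when an update is available and 0 when the system is up to date (verify on your own system), that a working `mail` command exists, and that the state-file path and script name, both hypothetical, suit your install.

```shell
#!/bin/sh
# Notify-only update check: reports an available update once, never installs it.
# Assumptions (not from the thread): "pfSense-upgrade -c" exits with status 2
# when an update is available and 0 when up to date; NOTIFY_CMD reads the
# message on stdin; STATE_FILE is a hypothetical path.
CHECK_CMD="${CHECK_CMD:-pfSense-upgrade -c}"
NOTIFY_CMD="${NOTIFY_CMD:-mail -s firewall-update-check root}"
STATE_FILE="${STATE_FILE:-/var/db/update-notify.last}"

check_and_notify() {
    # Capture status without tripping "set -e" on a non-zero exit.
    out=$($CHECK_CMD 2>&1) && rc=0 || rc=$?
    case "$rc" in
        0)  # Up to date: clear state so the next release is reported again.
            rm -f "$STATE_FILE"
            return 0 ;;
        2)  ;;  # Update available: handled below.
        *)  # The check itself failed: say so rather than guessing.
            printf 'update check failed (status %s):\n%s\n' "$rc" "$out" | $NOTIFY_CMD
            return 1 ;;
    esac
    # Already reported this exact notice? Stay quiet.
    if [ -f "$STATE_FILE" ] && [ "$(cat "$STATE_FILE")" = "$out" ]; then
        return 0
    fi
    printf '%s\nNothing was installed. Read the release notes, then upgrade by hand.\n' \
        "$out" | $NOTIFY_CMD || return 1
    printf '%s\n' "$out" > "$STATE_FILE"
}

# Cron entry point: run as "update-notify.sh run" (script name is hypothetical).
if [ "${1:-}" = "run" ]; then
    check_and_notify
fi
```

A failed check (for example, an unreachable package repository) produces its own notice, so a silent mailbox means "up to date" rather than "check broken".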

