Upgrade packages on production server

I have a couple of questions that I can’t find the answer to.

  1. What is the best way to update packages on staging and production servers when running Trellis? Should I just ssh in to the server and run "apt-get upgrade" or is there an Ansible command to do this? Will the packages "upgrade" when I provision the server?

  2. Is it "safe" to run the provision command at any time? Will my database, files or config files get overwritten?


  1. Never do anything manually that causes any side-effect. Meaning you can SSH into your server to look at things, troubleshoot etc, maybe restart services, but don’t change files, change packages, etc. It defeats the purpose of Trellis.

If you want to update packages you have a few choices:

  • add a task to run apt-get upgrade (not recommended since it’s system wide but at least test on staging/dev first)
  • manually specify a version for any tasks that install a package (see apt Ansible docs)
  • add a latest=yes argument to any apt action (see Ansible docs)

  2. Yes it’s completely safe. That’s the magic of Ansible and proper server configuration management :smile:

Great answer, thanks!

Just curious, why isn’t upgrading packages in Trellis workflow/commands by default?

Because it’s not deterministic. In fact it already isn’t :frowning:

What we should be doing in Trellis is explicitly setting every package version and then periodically bumping them once the newer versions have been tested.

So would it also be against the purpose of Trellis to set up unattended-upgrades for security updates? A security fix usually contains no incompatible changes, so in that regard it would still be somehow deterministic…

Ideally you’d have a staging server to test security updates on. In reality it’s probably almost always fine to just apply these in production.

Either way, you should definitely keep your servers up to date with security updates.
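The three package-update options from the answer above and the security-only unattended-upgrades setup from the later reply, written out as an added Ansible tasks example (this is not Trellis's own role code); the package names and version strings are placeholders, and the apt.conf.d paths are the standard Debian/Ubuntu ones:

```yaml
# Added example, not part of Trellis. Package names and version strings are
# placeholders; look up real candidates with `apt-cache policy <package>`.
- name: Pin a package to an explicit, tested version (deterministic)
  apt:
    name: "nginx=1.18.0-0ubuntu1"   # placeholder version string
    state: present
    update_cache: yes
    cache_valid_time: 3600

- name: Always move a package to the newest version in the repo (not deterministic)
  apt:
    name: php-fpm                    # placeholder package name
    state: latest
    update_cache: yes

- name: Whole-system upgrade, the Ansible equivalent of apt-get upgrade (test on staging first)
  apt:
    upgrade: safe
    update_cache: yes

- name: Install unattended-upgrades
  apt:
    name: unattended-upgrades
    state: present

- name: Limit automatic upgrades to the security pocket only
  copy:
    dest: /etc/apt/apt.conf.d/50unattended-upgrades
    content: |
      Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
      };
      Unattended-Upgrade::Automatic-Reboot "false";

- name: Enable the daily apt update and unattended-upgrade run
  copy:
    dest: /etc/apt/apt.conf.d/20auto-upgrades
    content: |
      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Unattended-Upgrade "1";
```

Only the first and the last three tasks keep provisioning repeatable; the `state: latest` and `upgrade: safe` tasks are exactly the non-deterministic behaviour the thread warns about and belong on staging before production.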