Tl;dr: Automatic updates on my home server caused 8 hours of downtime of all of renn.es’ docker services including email and public websites
I don’t want to seem rude, but in my opinion automated unattended updates on Gentoo is a bad idea.
That’s what I learned :-)
Edit: no saying that isn’t rude
While we are here: what do you think about unattended updates on Debian and such? (as such being derivatives, including Proxmox VE)
Unattended updates are 10x better because those programs allow you to only do security updates. Plus they are much more stable, and something like this would never happen on a stable distro.
What is the reason to shy away from Ubuntu? It is pretty solid in terms of automatic updating and rebooting. I used to be hardcore centos but I gave up after all of the hubbub around 8. I just need to server to update, reboot when necessary and keep running all my stuff so I don’t have to touch it. In my old age, I don’t care to tinker anymore - I just want my services running and I want reports given to me about health and status.
Also, if you’re concerned about privilege escalation, running a MAC is probably a good idea. SELinux saved my hide one a dozen years ago with a php bug where I did not sandbox an app properly. Thankfully, SELinux caught this and prevented anything bad from happening.
what is the reason you shy away from ubuntu? Canonical. Snaps. Ubuntu is the first server OS I used, and while it was quite good I think I prefer using a base distrobox instead of a derivative. If I’m going to use Debian, I’ll use Debian. Not Debian with corporate stuff on top.
As for SELinux: I’ve tried around a year ago. But as soon as I started doing stuff with users and tweaking docker permissions things went wrong and I just set it to permissive. Maybe I’ll try that again soon, because other parts of managing servers have become much easier over time as I learned. I agree that having a server without SELinux is quite dumb and not very professional.
Permissive mode is definitely a life saver. My path was usually exercising the application in permissive mode for a few days then running the SELinux scanner on the log file to determine what roles needed to be setup. Same with the Debian/Ubuntu equivalent.
Good luck!
Blind automatic upgrades are a bad idea even for casual home users. You could run into a Linus Tech Tips “do as I say” scenario where it uninstalls half your system due to a dependency issue. Or it could accidentally uninstall part of your system that you don’t notice.
I’m not sure how stable Gentoo’s default branch is but I know that daily upgrades on Arch Linux is close to suicide - you have a higher chance of installing a buggy package before it’s fixed if you install every package version as it comes in.
I’m surprised this strategy was approved for a public server - it’s playing with a loaded revolver and it looks like you were finally shot.