Consider a small-mid size Drupal Project. Usually what happens is that once development is complete, sites (Drupal or Wordpress or any other framework) are left forgotten. This leaves the site vulnerable to attack, especially when a new Drupal security release is announced as it exposes the vulnerability publicly. It is good if a site is properly maintained & updated at regular intervals. But not at all recommended if left unattended.
Many a time people have questions like:
- “Has anyone built the script which will download, backup, and install the updates?”
- “Why upgrade, with all security updates which pop up? It seems like I need to upgrade every month.”
What if we had a process where Drupal could automatically update itself removing the vulnerability altogether.
There have been talks since the past few years about automating the Drupal core updates, thus a Drupal core strategic initiative was formed “Automatic Updates”. If successful, it would secure a lot of vulnerable Drupal sites.
Currently, the Automatic Update feature is being developed as a contributed module and eventually, it will be shipped into Drupal core as an experiment and finally if all goes well it could land as a new Drupal core feature.
Since the work for Automatic Updates is so vast, tasks are being worked in phases. Currently, Automatic Updates is divided into the following two phases out of which, phase I is now stable.
Objectives of Phase I
- Providing a JSON feed of Drupal Public service announcements from Drupal.org
- Displaying PSAs in the Drupal admin interface
- Providing an extensible update readiness check system
- Generating update packages from Drupal.org
- Securing the update packages with a signing system
- Applying the updates, manually or automatically, with roll-back
In this first phase, the Automatic Updates module includes the Public Service Announcement and Readiness Check features and can apply In-Place Updates manually or on cron. Updates that contain database updates will cause a rollback of the update.
Objectives of Phase II
- Providing an A/B front-end controller for more robust testing/roll-back features
- Supporting contributed module automatic updates
- Supporting composer-based site installs
The goal is to implement a secure system for automatically installing updates in Drupal, lowering the total cost of ownership of maintaining a Drupal site, and improving the security of Drupal sites.
Public service announcements (PSAs)
Announcements for highly critical security releases for core and contrib modules are done infrequently. When a PSA is released, site owners should review their sites to verify they are up to date with the latest releases and the site is in a good state to quickly update once the fixes are provided to the community.
Drupal.org provides a JSON feed of Drupal Public Security Announcements to be consumed by the automatic updates module.
That feed includes values for the following:
- type (core, module, theme, etc)
- project: the short name of the project the PSA is for
- title: The title of the PSA
- is_psa: The flag which indicates that the post is a PSA (and not another kind of Security Advisory)
- link: The link to the full PSA on drupal.org
- insecure: Metadata about what versions of the affected project are known insecure
- pubDate: The date the PSA was published
Readiness Checks
Below are possible points that should be checked to decide whether a site is ready for an upgrade or not.
Sites can’t receive automatic updates in case
- If they don’t have sufficient disk space.
- If sites are placed on a read-only file system.
- If sites have un-run database updates(Pending database updates)
- Any modifications made to the Drupal core source code.
When PSA is released and the site is failing readiness checks, it is important to resolve the readiness issues so the site can quickly be updated.
A quick look at how to use Automatic Updates
Step 1: First, check if the update is available or not by going to “Reports » Available Updates” from the administration pages.
Step 2: Install & Configuration of automatic updates contrib module. Go to “Config » System » Automatic Updates”.
Step 3: Now check the PSAs and Readiness checks in the configurations. Notice the PSA shown in the messages section.
Step 4: Click on the “Manually run the readiness checks” link under READINESS CHECKS.
If the Readiness check has failed a list of error failed checks are shown in messages. These error messages with reasons can also be found under “Errors found” of the status report page.
Step 5: If Readiness check shows “No issues found. Your site is ready for automatic updates”. It means our site is ready for an automatic upgrade.
Step 6: Click on the “manually update now” link inside the “Experimental” section to upgrade the site.
Wish to contribute to Automatic Updates?
- You can contribute to Automatic Update by picking up an issue from issue queue or pick issues tagged automatic updates phase 2
- Join the automatic update team in #autoupdates channel in Drupal slack
- Link to project Automatic updates
- Link to strategic initiative page: https://www.drupal.org/about/strategic-initiatives/automatic-updates