Bottom Line is if you do run unattended upgrades, be sure to exclude Zimbra packages.
So here we have a Zimbra 8.8.8 Network Edition system on Ubuntu 16.04. Zimbra is at Patch 9. Check this:
Code: Select all
root@zimbra:~# apt-get update; apt list --upgradable
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:5 https://repo.zimbra.com/apt/87 xenial InRelease
Hit:6 https://repo.zimbra.com/apt/zv1 xenial InRelease
Hit:7 https://repo.zimbra.com/apt/888patch xenial InRelease
Hit:8 https://repo.zimbra.com/apt/888patch-nw xenial InRelease
Reading package lists... Done
Listing... Done
zimbra-common-core-jar/unknown 1.0.0.1536227922-1.u16 amd64 [upgradable from: 1.0.0.1533613456-1.u16]
zimbra-network-modules-ng/unknown 1.0.24.1535704239-1.u16 amd64 [upgradable from: 1.0.23.1534260702-1.u16]
zimbra-nginx/unknown 1.7.1-1zimbra8.7b9.16.04 amd64 [upgradable from: 1.7.1-1zimbra8.7b7.16.04]
zimbra-patch/unknown 8.8.8.10.1536232008-2.u16 amd64 [upgradable from: 8.8.8.9.1535106934-2.u16]
zimbra-proxy-components/unknown 1.0.2-1zimbra8.7b1.16.04 all [upgradable from: 1.0.1-1zimbra8.7b1.16.04]
root@zimbra:~#
Helpfully, that Release Notes document lists the updated packages included in the patch:
Comparing the two, basically what I see is that ZImbra is populating the repositories a few packages at a time, instead of waiting until right before the Patch is released publicly. And what my apt list --upgradable command shows is that not all of the Patch 10 packages are yet in the repos. Are there inter-package dependencies in all/some of the packages to be distributed as part of the patch? I don't know.8.8.8 Patch10 Packages
Below are the latest available packages:
Package Name Version
FOSS:
zimbra-patch -> 8.8.8.10.1536232008-1
zimbra-common-core-jar -> 1.0.0.1536227922-1
zimbra-mbox-webclient-war -> 1.0.0.1527079283-1
zimbra-ldap-components -> 1.0.1-1zimbra8.7b1
zimbra-openldap-client -> 2.4.46-1zimbra8.7b2
zimbra-openldap-lib -> 2.4.46-1zimbra8.7b2
zimbra-openldap-server -> 2.4.46-1zimbra8.7b2
zimbra-lmdb -> 2.4.46-1zimbra8.7b2
zimbra-mta-components -> 1.0.5-1zimbra8.7b1
zimbra-openjdk -> 1.8.0u172b01-1zimbra8.7b5
zimbra-chat -> 1.0.20.1532350417-2
zimbra-nginx -> 1.7.1-1zimbra8.7b9
zimbra-proxy-components -> 1.0.2-1zimbra8.7b1
NETWORK:
zimbra-patch -> 8.8.8.10.1536232008-2
zimbra-network-modules-ng -> 1.0.24.1535704239-1
zimbra-talk -> 1.0.11.1532349058-1
But I do know that if I just ran "apt-get update; apt-get upgrade" today, I'd have a partially installed Zimbra Patch 10, and I don't how that would impact the functioning of my Zimbra system.
So, best to exclude all Zimbra packages from unattended-upgrades.
To exclude all Zimbra packages from unattended-upgrades: as root run:
Code: Select all
nano /etc/apt/apt.conf.d/50unattended-upgrades
Code: Select all
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
"zimbra-";
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
Code: Select all
root@zimbra:/etc# unattended-upgrades --dry-run --debug
Initial blacklisted packages: zimbra-
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial', 'o=Ubuntu,a=xenial-updates']
Checking: zimbra-common-core-jar ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-common-core-jar'
Checking: zimbra-network-modules-ng ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-network-modules-ng'
Checking: zimbra-nginx ([<Origin component:'zimbra' archive:'' origin:'Zimbra Collaboration Suite 8.7 Ubuntu16' label:'Zimbra Collaboration Suite 8.7 Ubuntu16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-nginx'
Checking: zimbra-patch ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-patch'
Checking: zimbra-proxy-components ([<Origin component:'zimbra' archive:'' origin:'Zimbra Collaboration Suite 8.7 Ubuntu16' label:'Zimbra Collaboration Suite 8.7 Ubuntu16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-proxy-components'
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: ['zimbra-']
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
root@zimbra:/etc#
I've asked Zimbra not to populate the repositories at all, until right before a Patch is formally released, but in the grand scheme of things this is not a big deal -- if you are not upgrading Zimbra packages automatically.
If someone wants to post the same steps to do this on RHEL/CentOS, that would be helpful as well.
Hope that helps,
Mark