Skip to main content
This page describes what to do in case of an Icinga alert. For more information you could search the govuk-puppet repo for the source of the alert
Warning This document has not been updated for a while now. It may be out of date.
Last updated: 22 Dec 2020

Outstanding security updates

Machines are configured to automatically install security updates on a daily basis.

  • This is triggered by the /etc/cron.daily/apt script.
  • Relevant config can be found in /etc/apt/apt.conf.d.

This alert indicates automatic updates have stopped working. While this is not normally a critical issue, it becomes so if we start missing out on security patches.

Check the output of the last automatic upgrade:

less /var/log/unattended-upgrades/unattended-upgrades.log

If you get No such file or directory, it’s likely this is a new instance that has not been triggered to update via cron yet. You could acknowledge it until it is next scheduled to run, or you could try running the upgrade manually:

sudo unattended-upgrade -d --dry-run

If the unattended upgrades log looks okay, check which security updates are outstanding:

apt-get upgrade -s | grep -i security

You may find that the upgrades are on a deny list in govuk-puppet (for example, mysql-server-5.5 which needs upgrading manually).