2

When we patch servers with apt-get, we just run apt update and apt upgrade, and take whatever updates are available. We patch our dev servers several days before we patch our production servers.

That doesn't always work out as-expected. Any updates released during that week go straight into production without getting tested on the dev servers.

What's the right way to be more precise about the packages and versions that get updated when running apt-get? How do I ensure only burned-in updates make it to the production servers?

Is there a way to export the package versions from the dev server and use it as a manifest for updating in production?

James
  • 1,083

1 Answers1

5

The only way to do this with any degree of certainty is to maintain your own mirrors. Sync the mirrors to the main ones by whatever schedule you want. Update dev using them, do whatever testing you need to, and then update production, and only then sync your mirror again. Or maintain two mirrors, so that you can simultaneously test a new iteration of updates while updating production to the tested batch.

Is there a way to export the package versions from the dev server and use it as a manifest for updating in production?

Sure there is, but if you try to force updates to specific versions, and those versions have since been superseded in the mirrors you use (and are now missing), you'll end up with broken dependencies and apt hell.

muru
  • 197,895
  • 55
  • 485
  • 740