This repository has been archived by the owner on Jun 4, 2021. It is now read-only.

At what point is a Streisand instance too old? #513

Open
josephlhall opened this issue Feb 13, 2017 · 10 comments
Comments

@josephlhall

I realize Streisand automates security updates, but is there any maintenance operators should do or anything to freshen the feature set of an old instance?

@alimakki
Collaborator

Streisand's unattended upgrades will auto-update what Ubuntu considers critical/security updates, as well as a handful of projects (Tor, Nginx, OpenVPN, shadowsocks-libev; see [this]).

OCServ and LibreSwan are compiled from source, and as far as I can tell there's no auto-update for either; they must be done manually if there's a need. Wireguard is the latest addition to Streisand; however, as far as I can tell it is not part of any auto-update mechanism.

From what I gather these would be the 3 tools that may/could need maintenance if there was a concern; alternatively, wipe it and start fresh.

@josephlhall
Author

Thank you! It might be good to keep a MAINTENANCE.txt file or something in the root that detailed this... happy to propose a PR along what @alimakki says.

@lazerhawk

What about older Streisand instances that were built on Ubuntu 14, considering we are now at 16? Security updates won't do distro updates.

I guess since the basic policy of Streisand is disposable instances, the usual course of action is to spin up a new instance with a newer Streisand version?

@josephlhall
Author

josephlhall commented Mar 19, 2017 via email

@pchaganti

👍

@alimakki
Collaborator

alimakki commented Apr 5, 2017

@lazerhawk older instances may pose a problem. To illustrate my point, I'm still running a DigitalOcean VPS based on Ubuntu 14; recently the shadowsocks Debian repo went offline, and this essentially broke unattended upgrades, as apt would halt execution once it hit a 404 on said repo.

Removing shadowsocks from the apt configuration resolved the problem; however, it presented a risk, since security upgrades were no longer being applied because of the dead repository.

Another example is when Streisand switched OpenVPN repositories to use the 2.4 branch instead of 2.3. Unless you manually change that, you would not receive the latest features for that particular tool.

Also take into consideration how many people use your gateway. If you're the only user there wouldn't be much friction in spawning a new server; in my case, however, I have a lot of relatives that now depend on it to circumvent VoIP censorship in the Arabian Gulf, which makes me apprehensive about spawning a new server and distributing new certificates.

To answer your question, when an instance gets too old is a bit subjective and depends on your use case and threat model.

If you do plan on rotating, in my opinion every 4-6 months seems reasonable.
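An added example, not code from this thread or from the Streisand project, for the two problems described in the comment above: a small POSIX shell audit that (1) spots apt sources failing with HTTP 404 during `apt-get update`, the condition that stalled unattended upgrades here, and (2) counts how many upgradable packages come from a `*-security` suite, which is roughly the set unattended-upgrades would apply on Ubuntu. The sample input is constructed (the PPA hostname `ppa.example.invalid` and the package versions are made up), so the script runs offline; on a real host feed it the live output of `apt-get update 2>&1` and `apt list --upgradable`.

```shell
#!/bin/sh
# Added example (not Streisand's own code): audit an aging Streisand-style
# host for dead apt repositories and count pending security updates.

# Constructed sample of `apt-get update 2>&1` with one repository returning 404.
# The ppa.example.invalid hostname is made up for this example.
SAMPLE_UPDATE='Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Get:2 http://security.ubuntu.com/ubuntu xenial-security InRelease [109 kB]
Err:3 http://ppa.example.invalid/shadowsocks/ubuntu xenial InRelease
  404  Not Found
Hit:4 http://ppa.example.invalid/wireguard/ubuntu xenial InRelease
W: Failed to fetch http://ppa.example.invalid/shadowsocks/ubuntu/dists/xenial/InRelease  404  Not Found
E: Some index files failed to download. They have been ignored, or old ones used instead.'

# Constructed sample of `apt list --upgradable` (versions are illustrative).
SAMPLE_UPGRADABLE='Listing...
libssl1.0.0/xenial-updates,xenial-security 1.0.2g-1ubuntu4.13 amd64 [upgradable from: 1.0.2g-1ubuntu4.12]
tor/unknown 0.3.4.8-1~xenial+1 amd64 [upgradable from: 0.3.4.6-1~xenial+1]
nginx/xenial 1.10.3-0ubuntu0.16.04.3 amd64 [upgradable from: 1.10.3-0ubuntu0.16.04.2]
linux-image-generic/xenial-security,xenial-updates 4.4.0.137.143 amd64 [upgradable from: 4.4.0.135.141]'

# dead_repos: read `apt-get update` output on stdin and print the repository
# root (everything before /dists/) of each source that failed with a 404.
# Field 5 of a "W: Failed to fetch <url> 404 Not Found" line is the URL.
dead_repos() {
    awk '/^W: Failed to fetch / && / 404 /{
             url = $5
             sub(/\/dists\/.*$/, "", url)
             if (!seen[url]++) print url
         }'
}

# count_updates: read `apt list --upgradable` output on stdin and print
# "<total> <security>", where security counts packages whose candidate
# version comes from a suite whose name ends in -security.
count_updates() {
    awk 'NR > 1 && NF > 0 {
             total++
             split($1, parts, "/")
             if (parts[2] ~ /(^|,)[^,]*-security(,|$)/) sec++
         }
         END { printf "%d %d\n", total + 0, sec + 0 }'
}

# sources_for <repo-root> <apt-dir>: list the .list files under <apt-dir>
# that reference the repository, i.e. the files to comment out or delete.
# Uses GNU grep; on a real host <apt-dir> is /etc/apt/sources.list.d.
sources_for() {
    grep -rl --include='*.list' -F "$1" "$2" 2>/dev/null
}

audit() {
    dead=$(printf '%s\n' "$SAMPLE_UPDATE" | dead_repos)
    if [ -n "$dead" ]; then
        echo "Dead repositories (apt will keep failing until these are removed):"
        printf '  %s\n' $dead
    fi
    set -- $(printf '%s\n' "$SAMPLE_UPGRADABLE" | count_updates)
    echo "Upgradable packages: $1 (security: $2)"
}

audit
```

On a live host, once `dead_repos` names a repository, `sources_for <repo-root> /etc/apt/sources.list.d` shows which `.list` file to comment out; re-run `apt-get update` afterwards and check that it exits 0, because, as the comment above describes, a source that keeps returning 404 stops the rest of the unattended run from applying the security updates that are still pending.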

@cpu
Collaborator

cpu commented Apr 7, 2017

> Thank you! It might be good to keep a MAINTENANCE.txt file or something in the root that detailed this... happy to propose a PR along what @alimakki says.

This sounds like a great idea 👍

@josephlhall
Author

Apologies for opening this back up... I should probably just ask @cpu very nicely via other means!

When I SSH into my instance it says:

```text
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

160 packages can be updated.
3 updates are security updates.
```

And I'd like to apply any updates that might not be happening automatically (I could just rev the server but I'm not in a good place to do that for some days).

When I `apt-get upgrade` I do get a bunch of cruft about ShadowSocks, so I'm not sure if I should try to garden this instance or just pull it down and rev. Any advice appreciated.

@tiliarou
Contributor

I'm not sure where to ask, but my Ubuntu Server 16.04.5 LTS is suggesting an upgrade to 18.04.1 LTS. Would that be safe to do for my Streisand setup?

@cpu
Collaborator

cpu commented Oct 20, 2018

> When I `apt-get upgrade` I do get a bunch of cruft about ShadowSocks, so I'm not sure if I should try to garden this instance or just pull it down and rev. Any advice appreciated.

@josephlhall Sorry for the long delay in reply! I've been MIA from Streisand responsibilities for a few months.

I 100% recommend pulling it down and creating a new instance. There are a few compelling reasons for this, despite some of the prior advice in this thread about unattended security updates being applied:

  1. At the time you would have set up your original instance there were still several important pieces of software built from source that would never be updated (:scream:). The project has managed to make substantial headway on that problem over the past year or so: Stop building components from source #1220
  2. There was a bug with Streisand's auto-updates that wouldn't gracefully handle updates that had conflicting configuration changes (Notably a tor update tickled this bug initially). That's been fixed too but won't save old instances from getting stuck applying security updates in some cases: 24de9b9
  3. The WireGuard PPA was missing from the auto-updates config for some time (:sweat:). That's been fixed as well, but again won't help existing instances: 1833643#diff-e7796b1ae1318ba8e045c4275875a4d0
  4. You won't get any of the general Streisand improvements the project has made over the past while without recreating the instance (security wins like removing monit, the chance to customize which services are included, OpenVPN configuration improvements like tls-crypt, etc.)

> I'm not sure where to ask, but my Ubuntu Server 16.04.5 LTS is suggesting an upgrade to 18.04.1 LTS. Would that be safe to do for my Streisand setup?

@tiliarou It is not safe to upgrade a Streisand instance to 18.04. Streisand only supports 16.04 at the time of writing. @alimakki has a work-in-progress PR (#1453) that will allow Streisand to work with 18.04 but it:

  1. Isn't ready yet
  2. Will not let you upgrade an existing Streisand instance. You will have to destroy and recreate your instance when support is ready.


6 participants