Bottom Line is if you do run unattended upgrades, be sure to exclude Zimbra packages.
So here we have a Zimbra 8.8.8 Network Edition system on Ubuntu 16.04. Zimbra is at Patch 9. Check this:
Code: Select all
root@zimbra:~# apt-get update; apt list --upgradable
Hit:1 http://archive.ubuntu.com/ubuntu xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:4 http://archive.ubuntu.com/ubuntu xenial-backports InRelease
Hit:5 https://repo.zimbra.com/apt/87 xenial InRelease
Hit:6 https://repo.zimbra.com/apt/zv1 xenial InRelease
Hit:7 https://repo.zimbra.com/apt/888patch xenial InRelease
Hit:8 https://repo.zimbra.com/apt/888patch-nw xenial InRelease
Reading package lists... Done
zimbra-common-core-jar/unknown 220.127.116.116227922-1.u16 amd64 [upgradable from: 18.104.22.1683613456-1.u16]
zimbra-network-modules-ng/unknown 22.214.171.1245704239-1.u16 amd64 [upgradable from: 126.96.36.1994260702-1.u16]
zimbra-nginx/unknown 1.7.1-1zimbra8.7b9.16.04 amd64 [upgradable from: 1.7.1-1zimbra8.7b7.16.04]
zimbra-patch/unknown 188.8.131.52.1536232008-2.u16 amd64 [upgradable from: 184.108.40.206.1535106934-2.u16]
zimbra-proxy-components/unknown 1.0.2-1zimbra8.7b1.16.04 all [upgradable from: 1.0.1-1zimbra8.7b1.16.04]
Now, as of this writing, we expect that Patch 10 is to be released soon. And if you manually edit the URL for the Patch 9 Release Notes, you get the Patch 10 release Notes document as it now stands: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.8/P10
Helpfully, that Release Notes document lists the updated packages included in the patch:
8.8.8 Patch10 Packages
Below are the latest available packages:
Package Name Version
zimbra-patch -> 220.127.116.11.1536232008-1
zimbra-common-core-jar -> 18.104.22.1686227922-1
zimbra-mbox-webclient-war -> 22.214.171.1247079283-1
zimbra-ldap-components -> 1.0.1-1zimbra8.7b1
zimbra-openldap-client -> 2.4.46-1zimbra8.7b2
zimbra-openldap-lib -> 2.4.46-1zimbra8.7b2
zimbra-openldap-server -> 2.4.46-1zimbra8.7b2
zimbra-lmdb -> 2.4.46-1zimbra8.7b2
zimbra-mta-components -> 1.0.5-1zimbra8.7b1
zimbra-openjdk -> 1.8.0u172b01-1zimbra8.7b5
zimbra-chat -> 126.96.36.1992350417-2
zimbra-nginx -> 1.7.1-1zimbra8.7b9
zimbra-proxy-components -> 1.0.2-1zimbra8.7b1
zimbra-patch -> 188.8.131.52.1536232008-2
zimbra-network-modules-ng -> 184.108.40.2065704239-1
zimbra-talk -> 220.127.116.112349058-1
Comparing the two, basically what I see is that ZImbra is populating the repositories a few packages at a time, instead of waiting until right before the Patch is released publicly. And what my apt list --upgradable command shows is that not all of the Patch 10 packages are yet in the repos. Are there inter-package dependencies in all/some of the packages to be distributed as part of the patch? I don't know.
But I do know that if I just ran "apt-get update; apt-get upgrade" today, I'd have a partially installed Zimbra Patch 10, and I don't how that would impact the functioning of my Zimbra system.
So, best to exclude all Zimbra packages from unattended-upgrades.
To exclude all Zimbra packages from unattended-upgrades: as root run:
Code: Select all
Then, add the "zimbra-"; line to this section:
Code: Select all
// List of packages to not update (regexp are supported)
Restart the unattended-upgrades service, then run as root (to be sure):
Code: Select all
root@zimbra:/etc# unattended-upgrades --dry-run --debug
Initial blacklisted packages: zimbra-
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial', 'o=Ubuntu,a=xenial-updates']
Checking: zimbra-common-core-jar ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-common-core-jar'
Checking: zimbra-network-modules-ng ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-network-modules-ng'
Checking: zimbra-nginx ([<Origin component:'zimbra' archive:'' origin:'Zimbra Collaboration Suite 8.7 Ubuntu16' label:'Zimbra Collaboration Suite 8.7 Ubuntu16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-nginx'
Checking: zimbra-patch ([<Origin component:'zimbra' archive:'' origin:'Repository for UBUNTU16' label:'Repository for UBUNTU16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-patch'
Checking: zimbra-proxy-components ([<Origin component:'zimbra' archive:'' origin:'Zimbra Collaboration Suite 8.7 Ubuntu16' label:'Zimbra Collaboration Suite 8.7 Ubuntu16' site:'repo.zimbra.com' isTrusted:True>])
skipping blacklisted package 'zimbra-proxy-components'
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
No packages found that can be upgraded unattended and no pending auto-removals
The above shows the partial inventory of Patch 10 packages already copied to the repos, but that none of them would be installed during an unattended-upgrade run on account of the exclusion.
I've asked Zimbra not to populate the repositories at all, until right before a Patch is formally released, but in the grand scheme of things this is not a big deal -- if you are not upgrading Zimbra packages automatically.
If someone wants to post the same steps to do this on RHEL/CentOS, that would be helpful as well.
Hope that helps,