Like any operating system manufacturer, Univention usually publishes weekly updates. As an administrator, you want to install them as soon as possible. However, in large UCS environments with many connected servers, manual updates can take a lot of time, which is not always available every week. The easiest way to reduce such a big workload is to automate the task by using policies.
In the following, I want to explain how you can set up an automated update of UCS systems by using the policy ‘maintenance settings’.
How you can sustainably reduce administrative expenditures with policies via LDAP
Policies are administrative settings that you can apply to containers, and thus to more than one object, via links in the LDAP directory. They are inherited by the subordinate objects, whereby the setting closest to the object is always adopted. Administration therefore becomes much easier because the same setting can be used for any number of objects, e.g. for passwords, the configuration of UCS server systems and software updates.
Set up a schedule for weekly updates
The policy maintenance settings specifies the point in time at which a system searches for available errata and release updates and installs them if necessary.
It can be customized in the module policies in the UMC.
Under the tab ‘general’ you can define whether updates should take place during system startup or shutdown or at any other specified time. For example, if you want package maintenance to take place on Fridays at 10 p.m., you can specify this with a cron setting. Set the time by entering month, weekday, day, hour and minute. Enter, for example, Friday as the weekday, 22 as the hour and 0 as the minute. Under the tab ‘referencing objects’ you can see all current links of the policy.
Linking policies to LDAP objects
Once the policy is created, it can be linked to an LDAP object. To do so, you select the tab ‘policy’ in the LDAP browser for the desired object. The maintenance settings are thus adopted. If necessary, you can also create a new policy here. If all computers of the UCS system are located in the container computers, the policy maintenance settings can be applied to all systems in the container by creating a corresponding link.
Note that in a domain, the DC Master should be updated first, followed by the DC backups. For example, if the maintenance takes place on Fridays at 10 p.m., a new policy could be linked to the DC Master, which sets the update to the previous day. In this example, the DC Master updates itself weekly on Thursdays at 10 p.m. The other computers in the environment follow 24 hours later.
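The inheritance rule and the update order described above can be checked before a schedule goes live. The following is an added example, not part of the original article and not UCS code: a simplified Python model in which the DNs, the policy names and the Monday-based week are assumptions.

```python
# Simplified model of policy inheritance and update ordering; not UCS code.
# All DNs and policy names are constructed for illustration.
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]

# Policy name -> (weekday, hour, minute), as entered in the cron setting.
POLICIES = {
    "maintenance-default": ("Friday", 22, 0),
    "maintenance-master": ("Thursday", 22, 0),
}

# LDAP object (container or host) -> linked maintenance policy.
LINKS = {
    "cn=computers,dc=example,dc=org": "maintenance-default",
    "cn=master,cn=dc,cn=computers,dc=example,dc=org": "maintenance-master",
}

def effective_policy(dn, links=LINKS):
    """Walk from the object up to the LDAP base; the closest link wins."""
    parts = dn.split(",")  # naive split, assumes no escaped commas in RDNs
    for i in range(len(parts)):
        candidate = ",".join(parts[i:])
        if candidate in links:
            return links[candidate]
    return None

def minute_of_week(policy_name):
    """Position of the scheduled run within a week that starts on Monday."""
    day, hour, minute = POLICIES[policy_name]
    return (WEEKDAYS.index(day) * 24 + hour) * 60 + minute

def lead_hours(master_dn, dn, links=LINKS):
    """Hours between the DC Master's run and the run of another host."""
    master = minute_of_week(effective_policy(master_dn, links))
    return (minute_of_week(effective_policy(dn, links)) - master) / 60

def check_order(master_dn, other_dns, links=LINKS):
    """Return hosts with no schedule or not scheduled after the DC Master."""
    master = effective_policy(master_dn, links)
    if master is None:
        return [master_dn]
    problems = []
    for dn in other_dns:
        policy = effective_policy(dn, links)
        if policy is None or minute_of_week(policy) <= minute_of_week(master):
            problems.append(dn)
    return problems
```

An empty list from `check_order` means every listed host inherits a schedule and runs after the DC Master within the same week; a host outside any linked container is reported because it would receive no automatic updates at all.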
System mails to root
As usual with cron jobs, output such as error messages is sent by e-mail to the local mailbox of the user in whose context the job is running – in our case “root”. So that you do not have to collect these e-mails from every system, you can set up a policy to ensure that the e-mails are sent to the correct addressee, such as the system administrator. To do this, you create a Univention Configuration Registry policy in the policy module, which configures the local receiver “root” for all UCS systems as an alias for another address.
For the variable mail/alias/root, enter the required e-mail address. By linking to the LDAP directory, e.g. directly at the LDAP base, this policy is applied to the selected objects and the e-mails of the system update are sent to the specified address. This and other policies are applied hourly by default.
Conclusion: With little effort a lot of gain in safety and simplicity
As shown in this example, policies offer the potential for automation and can be flexibly adapted to any UCS system. They are defined in just a few steps and offer high reliability and security for your IT systems. In addition, automation leads to enormous time savings compared to manual configuration of updates. Policies are therefore an important tool that significantly simplifies the work of UCS system administrators.