The VisibleThread VM is built on top of Ubuntu Linux, and from time to time critical patches are made available to the operating system and its components.
The VisibleThread security team monitor the security patches and update advisory notices if required.
Customers can choose to run their own patching program with some restrictions. Essentially we require that some critical parts of the VisibleThread architecture are 'pinned' to required supported versions. This is necessary to ensure the VisibleThread Application remains compatible with any patches or updates that may be applied to the server by your patching team.
Note: You should always ensure you have backed up/snapshotted your VisibleThread VM before applying updates as there may be unintended consequences. It is also good policy to test the updates on a test environment first.
Setting up for customer managed updates
Note: These instructions apply only to customers who are running the Ubuntu 16.04 operating system.
You can check which version of the operating system you are running by typing 'lsb_release -a' at the command line.
Before you begin updating or patching the VisbileThread VM, first create a file on VM called 'preferences' at '/etc/apt'. This file should be owned by root.
The file should have the following contents:
Package: postgresql* Pin: version 10* Pin-Priority: 550 Package: openssl* Pin: version 1.0.2* Pin-Priority: 550 Package: apache2 Pin: version 2.4.18* Pin-Priority: 550 Package: supervisor Pin: version 3.2* Pin-Priority: 550
Once this file is in place you can apply any updates using the Ubuntu package manager without overwriting services the VisibleThread application relies upon.
How to apply critical security updates on the Ubuntu OS
You can apply any available critical security updates to the VM from the command line using the 'unattended-upgrades' package.
First ensure the aptitude cache's are up to date:
sudo apt-get update
Now installed the unattended-upgrades package
sudo apt-get install unattended-upgrades
Now apply any critical updates
sudo unattended-upgrade -v
It's good practice to run these updates on a Monthly basis.