We've just released a new feature that should make a big difference to most of our users by saving you a lot of work and worry: Automated OS Security Updates. Even better, we're providing it in a modern, safe and secure, 'best practice' way that takes advantage of the unique benefits of AWS.

We all know that it's important to apply security updates regularly to keep our systems secure. This is particularly important for servers, and especially for ones running open source software stacks like the PHP stack we're all familiar with. Until now you still had to do this manually (for instance by redeploying your stack regularly, or logging into your EC2 instances and running 'yum update').

Now, when there's a new security update to the operating system that runs on your EC2 instances in Idealstack, or to the hosting containers that Idealstack provides to actually run your sites, your stack can be automatically redeployed to use the updated versions.

Due to the magic of how Idealstack handles these updates, this can happen without downtime and will safely roll back if there's a major failure.

Important Note: this will apply updates to the OS and platform components like Apache, PHP etc. - it doesn't update your sites (for instance with new versions of WordPress or Drupal) - that's still your responsibility.

Another Important Note: if you make local changes to the EC2 instances that Idealstack runs, these updates, like any stack deploy, will blow away all your changes. You shouldn't make these sorts of changes to the images - containers and instances in Idealstack are "cattle not pets" - so if you need to tweak something on the instances, let us know and we can suggest some better options.

Here's how it works

  1. When you edit or create a stack you can specify a maintenance period. It defaults to happen nightly.
  2. Each night at the chosen time, Idealstack will scan your stack to see what versions of the key components (i.e. the EC2 AMI and the hosting containers) you are running, and whether there is an update to apply.
  3. If there is an update, Idealstack will automatically redeploy your stack. It redeploys the currently deployed version, so if you have undeployed changes these will not accidentally be deployed as part of this process.
  4. During this deploy, new versions of the EC2 instances and hosting containers are booted.
  5. Once your sites are healthy according to the healthchecks (.healthcheck.php), the old containers will be shut down and the old instances removed.
  6. If any of these steps fail, the stack should roll back to its previous state. That tends to raise a flag with our engineering team to investigate, but at least your sites should still be safe.

What will be updated?

  • The ECS optimised AMI provided by AWS will be updated to its latest version.
  • On the hosting containers, which define the actual platform for your sites:
    • OS-level security updates will be applied.
    • The "minor version" of PHP may be upgraded, for instance if you are running PHP 7.1, the version may change from 7.1.29 to 7.1.30. This theoretically should never introduce breaking changes unless the PHP core team have messed something up.

 

Why this is pretty great

Many of the other ways of running PHP out there, such as VPSs or running your own servers, require you to spend a lot of time applying OS updates. Even if they do have a system for applying updates automatically, it's unlikely it happens in such a 'cautious' way as Idealstack does it. Each time this runs it:

  • Completely removes the old instance or container and replaces it with a standardised, tested, secure new version. Since containers and instances in Idealstack are 'cattle not pets', anything 'quirky' or 'weird' that's happened on that machine (e.g. local changes, even hacking or malware) is blown away completely.
  • If your site doesn't run on the new environment, the update gets rolled back automatically. 
    • This is done by running the file .healthcheck.php on your site. By default this only checks that PHP is running. You can update that file yourself, though, to check anything else you need (just be aware that if the healthcheck fails the hosting container will be destroyed and recreated - if this ends up happening to all your hosting containers for a site, the site will be offline).
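
A custom healthcheck along the lines described above, as an added example that is not Idealstack's shipped .healthcheck.php. Faults local to one container fail the check, while faults in a shared dependency are only logged, so a database outage does not cause every container to be destroyed and recreated at once. It assumes the platform treats a non-2xx HTTP status as a failed check; the extension names, directory and database address are constructed placeholders.

```php
<?php
// .healthcheck.php - added example, not the file Idealstack ships.
// Assumption: a non-2xx HTTP status is treated as a failed healthcheck.

// Checks local to this container. A failure here means this container is
// broken, so having it destroyed and recreated is the right outcome.
function local_checks(array $requiredExtensions, string $writableDir): array
{
    $failures = [];
    foreach ($requiredExtensions as $ext) {
        if (!extension_loaded($ext)) {
            $failures[] = "missing PHP extension: $ext";
        }
    }
    if (!is_dir($writableDir) || !is_writable($writableDir)) {
        $failures[] = "directory not writable: $writableDir";
    }
    return $failures;
}

// Shared dependencies fail for every container at the same time. Failing the
// healthcheck on them would recycle all containers and take the site offline,
// so they are reported as warnings only.
function shared_warnings(string $dbHost, int $dbPort): array
{
    $errno = 0;
    $errstr = '';
    $sock = @fsockopen($dbHost, $dbPort, $errno, $errstr, 1.0);
    if ($sock === false) {
        return ["database unreachable at $dbHost:$dbPort ($errstr)"];
    }
    fclose($sock);
    return [];
}

// Constructed sample values; replace with what your site actually needs.
$failures = local_checks(['json', 'mbstring'], sys_get_temp_dir());
$warnings = shared_warnings('127.0.0.1', 3306);

foreach ($failures as $f) {
    error_log("healthcheck failure: $f");
}
foreach ($warnings as $w) {
    error_log("healthcheck warning: $w");
}

// Details go to the error log only, so the response does not disclose internals.
http_response_code($failures ? 503 : 200);
header('Content-Type: text/plain');
header('Cache-Control: no-store');
echo $failures ? "FAIL\n" : "OK\n";
```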

At Idealstack one of our design principles is 'Best practice by default'. We're trying to give PHP developers practical ways to do things "the right way". This approach of treating servers as cattle not pets, and automating things like updates but in a "safe" way, is what the big players in IT all do (Google, Facebook etc.). But it hasn't really been practical for regular web hosting until now, so we're pretty excited about this feature.

 

 
