Automatic Updates

Submitted by admin on
Body

Updating a Drupal site is sometimes difficult, time-consuming, and expensive. It may appear easy its face, but ensuring secure and reliable updates that give assurance to site owners and availability to site visitors is a tricky problem.

The Automatic Updates service for Drupal aims to simplify this process and provide confidence that an update will apply cleanly.

Please note that Automatic Updates is a Strategic Initiative for the Drupal Project. The Initiative is still in progress, so there are some important elements to take note of:

  • The Automatic Updates module is not yet in core. An initial prototype is available as a contributed module at: https://drupal.org/project/automatic_updates; however, the core solution will be different from this module (building on parts of it, but not reusing the whole thing).
    • In this first phase, the Automatic Updates module included the Public Service Announcement but this functionality has been by added to Drupal core see Responding to critical security update advisories
    • The module only supports Composer based installations.

Key Features of the Automatic Updates Module

Update readiness checks

Not all sites are able to always update. The readiness checks are an automated method to determine if a site is ready for automatically updating once a new release is provided to the community. For example, sites that have un-run database updates, are mounted on read-only file systems or do not have sufficient disk space to update in-place can't receive automatic updates. If your site is failing readiness checks and a PSA is released, it is important to resolve the underlying readiness issues so the site can quickly be updated.

In-place updates

Once the PSA service has notified a Drupal site owner of an available update, and the readiness checks have confirmed that the site is ready to be updated, the site administrator can update via the Update form.

Installation

At the moment, the Drupal Automatic Updates module is available as a contributed module from Drupal.org. In a later iteration, and after significant community testing, it will be included in Drupal core. At that time, all you will need to do is upgrade to the version of Drupal that includes the feature.

To install the contrib version of the Automatic Updates module, you will follow the same instructions that you would use for many other modules on Drupal.org:

composer require drupal/automatic_updates:^2

Requirements

Automatic Updates requires Composer 2.3.5 or later.

For this module to work, Drupal must be able to change its own code base. Not all hosting environments allow this; for example, at this time, Automatic Updates is likely incompatible with most offerings from Acquia, Pantheon, or similar providers. If your Drupal site is hosted in such a set-up, we recommend using Automatic Updates in a local development environment, then pushing the changes to the hosting environment.

Additionally, the 8.x-2.x version of Automatic Updates requires that your Drupal site be managed by Composer. Most sites created with Drupal 8.8 or later are Composer-managed by default.

Attended Use

The Readiness check feature will run regularly to ensure that there are no problems that would prevent an update from applying. Drupal Core's Update module, which is required by this module, will notify site administrators when security updates are available.

On the module configuration page, a user can choose to manually trigger the in-place update.

Unattended Use

Unattended updates are currently disabled. The Drupal Association is currently implementing The Update Framework on drupal.org. Upon completion of this project unattended updates will be enabled by integrating the PHP-TUF library into this module which will provide a client-side implementation of The Update Framework.

Extending Automatic Updates

Automatic Updates provides an event-based API that allows developers to hook into nearly every part of the update process. The API can be used to check for errors and stop the update from proceeding, or even starting in the first place, all without affecting your live Drupal site. It can also be used to implement custom triggers at each successful stage of the update process.

The architecture of the Automatic Updates System

Core Features

Readiness Checks

The readiness checks are a pluggable system allowing a variety of different types of checks to be run, and warnings or errors to be displayed in the Drupal admin interface.

Drupal.org Infrastructure

Automatic Updates for Drupal are supported by the infrastructure of Drupal.org and funded by the activities of the Drupal Association.

Deliberate limitations

  • Fully automatic, completely unattended updates (i.e., done during cron runs) are not yet supported. This will come when drupal.org's packaging system supports The Update Framework.
  • This module does not support updating across major versions of Drupal core (for example, Drupal 9 to Drupal 10), because major version updates are disruptive. See the Upgrade Status module for help with that.
  • It is not possible to update a development snapshot of Drupal core to any other version.
  • It is not possible to downgrade to an older version of Drupal, or undo an update once it's complete.
  • Multisites are not supported because it's not possible to automatically keep all the sites in a multisite synchronized with changes in the underlying code base.

Providing Feedback

To provide your feedback on this first generation of the Automatic Updates module, please create an issue in the Automatic Updates issue queue.

Knowledge Category
Updating Drupal