Clarification on upgrading LAMP stack

joelnatid 2017-07-14 20:51:07 UTC #1

IMPORTANT, please fill the questions

We assume you are using Bitnami to deploy your application.

Which version of the application are you using?:
Installed version was 4.7-0 though it now has WP 4.8
WP_Multisite image
Please choose how you got the application: Installer (Windows, Linux, macOS), cloud image (AWS, GCE, Azure, ...) or VM (VMDK, VBOX):
AWS cloud image
Have you installed any plugin or modified any configuration file?:
I have upgraded WP to 4.8 and made some htaccess modifications
Describe here your question/suggestion/issue (expected and actual results):

Can someone please detail and clarify the steps needed to upgrade PHP and Apache for security reasons? I am using 4 WP Multisite VMs in AWS, created through Bitnami images, in a production environment on sites receiving thousands of hits per day, because at the time of signing up it wasn't clear that they were not easily updatable and so apparently more suited for testing environments...

Do I need to create all new AWS VMs or is there a way to upgrade the LAMP stack within my existing VMs? From reading documentation and other posts, it seems that I am going to need to launch all-new VMs from updated images, take them online, actually migrate the WordPress installations from the old to new VMs, then update the IP addresses or disassociate my existing elastic IPs and reassociate them with the new VMs... if all this is true, it makes me wonder why I bothered to use Bitnami images at all when it would have been much easier to just create an Amazon Linux VM through their system and be able to just update/upgrade everything from the command line in ways more familiar to me (as I know my way around Linux). I originally went with Bitnami setting these up due to relatively limited AWS knowledge at the time.

Or is there a better way? Can I just install a new version of the stack within the existing VMs without having to spin up all-new VMs? Then do something like sudo mv... to migrate the WordPress installations over to the new version on the same server?

Any help will be appreciated. I do have to say, if I am going to have to actually spin up new VMs from updated images each time it is "necessary" to update, I'll probably abandon Bitnami and go my own way.

silvio 2017-07-17 09:33:27 UTC #2

Hi,

I suppose you are using a Bitnami WordPress stack. In order to upgrade components like PHP, Apache. etc, you need to create a backup of your data (https://docs.bitnami.com/aws/apps/wordpress/#how-to-create-a-full-backup-of-wordpress), stop all the servicer /opt/bitnami/ctlscript stop. Reinstall the new WordPress stack in the same location (/opt/bitnami) and restore your backup. Then you may have to reconfigure some minor details.

Best regards,
Silvio Fernández

tjanson 2017-11-10 12:11:58 UTC #3

To be honest, I find this surprising. That's a pretty involved procedure, meaning that many people simply won't bother, leading to a ton of unpatched VMs.

Don't get me wrong, I don't blame you, especially since I'm using your products entirely for free. So I'm definitely not entitled to anything, and regardless of this issue I really enjoy working with Bitnami as a development platform.

I'm just honestly curious how you think this works in practice for VMs that are used in a production context where security is essential (assuming you condone such use at all). I had hoped that deploying security updates was precisely the thing that a Bitnami stack abstracts away.

Is this better when using a Docker-based stack rather than a VM?

jsalmeron 2017-11-13 09:34:01 UTC #4

We decided long time ago to go for the approach where we provide almost every component an app needs to work properly. This way our installers and images have several advantages as be predictability, easy to audit for security, or reproducible testing environments: https://engineering.bitnami.com/articles/four-simple-steps-to-application-immutability.html

This comes with a price for when those components needs to be upgraded. It is a trade-off between upgradeability and predictability/audit-ability. In the container landscape, we also support Apache, PHP, MySQL and several applications. The upgrade process is similar, as a new container with the upgraded components is deployed. You can check more here: https://bitnami.com/containers

Best regards,

Javier J. Salmerón

Was my answer helpful? Click on

dexelaza 2018-01-28 22:21:24 UTC #5

tjanson > To be honest, I find this surprising. That's a pretty involved procedure, meaning that many people simply won't bother, leading to a ton of unpatched VMs.

jsalmeron > It is a trade-off between upgradeability and predictability/audit-ability.

I have to agree with @tjanson, creating barriers to applying security patches is going to lead to more systems in the wild that are vulnerable to exploits.

The clincher here is that this was a conscious decision by bitnami to sacrifice security and call it a "trade-off". This is simply unacceptable for modern web applications. And there is no way I am going to deploy a brand new stack every single time something needs to be patched.

Thank you for providing a fantastic experience on everything prior to this issue, but this is a deal breaker. Good luck and goodbye.

jloramas 2018-01-29 18:25:26 UTC #6

@dexelaza, thanks for your feedback. I'm sorry to hear our approach for packaging apps does not fit your needs.

Any case, you are misinterpreting @jsalmeron words. We are not sacrificing security in favour of other capabilities but upgradeability, which is a pretty different thing.

I would like to explain you more in-depth our approach to security, because we take it seriously.

We believe patching or upgrading directly a production system is not a good practice, and, while it can work for just a few machines it does not scale properly. So our approach to security is based on immutability, image-based deployments and continuos delivery best practices, where the idea is to manage services and software deployments in a way that components are replaced rather than changed. You can get a more complete picture of this industry trend in this article: https://msdn.microsoft.com/en-us/magazine/mt826329.aspx

So in addition to trying to provide a good experience in our solutions, we keep track of all the components and applications we ship in every installer or cloud images, ensuring they are always updated, tested and secured for you to use, so you can easily implement those best practices in a simpler way than if you have to do them completely from scratch on your own.

Integrating our installers and images in your own deployment pipeline in an automated way is something you have to balance if it deserve or not based on your particular needs, as it will depend on the amount of servers you are managing and the service level you want to provide to your users.

I hope this explanation helps.

Best regards,
José L. Oramas

Bitnami provides free all-in-one installers, virtual machines and cloud images for popular open source applications. Get them now!