Unattended Upgrades
Aviatrix unattended upgrades automatically apply operating system security updates to Aviatrix Controllers and Gateways. This capability helps you maintain a strong security posture by ensuring that critical OS‑level vulnerabilities are patched without requiring manual intervention.
Unattended upgrades are designed to reduce exposure to known vulnerabilities while minimizing operational overhead.
What Unattended Upgrades Do
What Is Included
Unattended upgrades apply only to the underlying operating system packages. This includes, but is not limited to:
- Security updates for the Linux distribution
- Core OS components (for example, OpenSSL and shell utilities)
These updates are delivered using the standard Linux unattended-upgrades mechanism and focus on security‑related patches.
What Is Not Included
Unattended upgrades do NOT update Aviatrix software components, including but not limited to:
- Controller application services
- Gateway dataplane or control‑plane software
- Aviatrix features, functionality, or configuration
Aviatrix software upgrades must still be performed manually through the Controller UI or CoPilot UI, following standard upgrade procedures. See Upgrade your Controller and Gateways to the Latest Aviatrix Supported Images (AWS and Azure Only).
Supported Versions
Unattended upgrades are available starting with the following versions. Earlier versions do not include this capability.
| Component | Minimum Version | Status |
|---|---|---|
| Controller | 8.0 | Supported |
| Gateway | 8.1 | Supported |
| CoPilot | — | Not yet supported |
How Unattended Upgrades Are Applied After Initial Deployment
When a Controller or Gateway is first deployed, unattended upgrades do not take effect immediately. The upgrade process relies on two independent background processes, each running on its own 24‑hour schedule:
- Package Index Refresh: The periodic apt package index refresh downloads the latest list of available security updates from Debian repositories.
- Security Upgrade Process: The unattended security upgrade process installs any eligible patches identified during the most recent index refresh.
Because these two timers are not synchronized, they may run out of phase. After a Controller or Gateway is first launched, it can take up to 48 hours for all eligible operating system security updates to be fully applied. This behavior is expected and does not indicate a failure or misconfiguration. During this period, the system will progressively update itself as each scheduled process runs.
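The 48-hour bound follows from the two unsynchronized 24-hour schedules. The Python model below is an added illustration, not Aviatrix code: the function names, the minute granularity, and the assumption that an upgrade run firing at the same instant as a refresh still sees the new index are all hypothetical. The `published` parameter goes beyond the launch case in the text and models a patch released some time after launch.

```python
PERIOD = 24 * 60  # both timers run every 24 hours (expressed in minutes)


def next_run(phase, not_before):
    """First firing of a timer that fires at phase, phase + PERIOD, ...
    (minutes after launch) at or after the time not_before."""
    missed = max(0, -(-(not_before - phase) // PERIOD))  # ceiling division
    return phase + missed * PERIOD


def patched_at(refresh_phase, upgrade_phase, published=0):
    """Minutes after launch at which a patch is installed.

    refresh_phase / upgrade_phase: first firing of each timer after launch
    (1..PERIOD). published: when the patch reaches the repository, relative
    to launch; 0 means it was already available at launch.
    """
    # The patch becomes visible at the first index refresh after publication.
    seen = next_run(refresh_phase, max(published, 0))
    # It is installed at the first upgrade run at or after that refresh.
    return next_run(upgrade_phase, seen)


def worst_case_delay(step=15):
    """Largest launch-to-patched delay over a grid of timer phases."""
    phases = range(step, PERIOD + 1, step)
    return max(patched_at(r, u) for r in phases for u in phases)


if __name__ == "__main__":
    # Timers in a favourable order: refresh at 1 h, upgrade at 2 h.
    print("in phase:", patched_at(60, 120) / 60, "hours")
    # Upgrade fires just before the first refresh and has to wait a full cycle.
    print("out of phase:", patched_at(1440, 1425) / 60, "hours")
    print("worst case on 15-minute grid:", worst_case_delay() / 60, "hours")
```

When setting a patch-compliance window for newly launched Controllers or Gateways, a grace period of 48 hours covers every phase combination in this model.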
Network Requirements
For unattended upgrades to function, the Controller and Gateways must have outbound (egress) connectivity on TCP port 443 to the following Debian official package repositories:
- deb.debian.org
- security.debian.org
If outbound access is restricted (for example, by firewall rules or proxy configuration), unattended upgrades may not be able to retrieve security updates. Ensure your network policies allow egress traffic to the repositories listed above.
Reboot Behavior
Unattended upgrades do NOT automatically reboot Controllers or Gateways.
If an operating system security update includes a new kernel or otherwise requires a reboot, you are responsible for scheduling and performing the reboot in accordance with your maintenance and change‑management practices.
We recommend incorporating reboot checks into your regular maintenance windows to ensure kernel‑level patches take full effect.
Visibility and Status
There is currently no UI indicator or status view showing when Unattended Upgrades are running or what updates have been applied.
If you require confirmation of applied updates or need assistance, contact Aviatrix Support.