Performing Acquia Automation security updates using CloudAPI and Drush

Acquia Automation provides security updates using a combination of Acquia CloudAPI and Drush. This document lists all relevant commands, in order, for each step.

Requirements

To replicate these steps, you will need the following items:

Initial checks

Before starting, Acquia Automation examines the following items:

  • RA preferences for Do Not Inform
  • If the update status is currently paused
  • If a WELCOME tag is deployed on the Production environment.

If none of these conditions is found, Acquia Automation proceeds. At several points in the process the RA preferences are checked again to ensure that the correct steps are taken.

Step One

  1. Check for updates:
    1. Check the Production environment for security-only updates (run against each multisite separately):

      drush pm-updatestatus --security-only --fields='name,existing_version,candidate_version' --update-backend=drush --uri=default
    2. Check the Production environment for Acquia-recommended updates:

      drush pm-updatestatus acquia_connector apachesolr mollom memcache acquia_lift personalize visitor_actions --security-only --fields='name,existing_version,candidate_version' --update-backend=drush --uri=default
    3. Check RA for an already fully updated branch (using the same drush commands as in the previous step).
    4. If there are no updates or RA is secure, stop. Otherwise, complete the following steps:
  2. RA preference check:
    1. Inform Only: A ticket is created and the process is complete.
    2. Update and Deploy: the process continues.
  3. Prepare the RA Environment:
    1. Production tag is deployed to the RA Environment (using drush/cloudapi):

      drush @sitename.ra ac-code-path-deploy $originating_tag
    2. Databases are copied from the Production environment to RA (using drush/cloudapi):

      drush @sitename.prod ac-database-copy db_name ra
    3. Download and install Registry Rebuild and run to clean up changed paths:

      drush pm-download registry_rebuild-7.x --yes=TRUE
      drush rr --uri=default
    4. Disable CSS/JS aggregation to fix Stage File Proxy issues:

      drush vset preprocess_js 0 --uri=default
      drush vset preprocess_css 0 --uri=default
    5. Enable LiveDev on RA (using drush/cloudapi):

      drush @sitename.ra ac-environment-livedev action enable
  4. Create and apply updates to the update branch while RA is in LiveDev:
    1. Create the branch:

      git fetch --all --tags && git checkout -b $branch_name $originating_tag
    2. Update core:

      drush pm-updatecode drupal --check-updatedb=0 --yes=TRUE --no-backup=TRUE --version-control=backup --security-only --uri=default
    3. Commit the core update:

      git add . -A && git reset acquia-files; cd docroot && git reset sites/*/files files;
      git commit -m $commit_message
    4. Update insecure and proactively maintained modules individually:

      drush pm-updatecode $module --check-updatedb=0 --yes=TRUE --no-backup=TRUE --version-control=backup --uri=default --check-disabled
    5. Commit the module updates:

      git add . -A && git reset acquia-files; cd docroot && git reset sites/*/files files;
    6. Repeat the previous step until all modules are secure.
    7. Look for and attempt to apply patches using Drush Patch File.
    8. Add Stage File Proxy:

      drush pm-enable stage_file_proxy --yes=TRUE --uri=default
      drush php-eval 'print conf_path();'
      drush vget file_public_path --uri=default
      drush variable-set stage_file_proxy_origin http://$site_url --uri=default
      drush variable-set stage_file_proxy_origin_dir sites/default/files --uri=default
      drush variable-set stage_file_proxy_use_imagecache_root 1 --format=boolean --uri=default
    9. Check for and disable Secure Pages:

      drush pm-info securepages --yes=TRUE --uri=default
      drush pm-disable securepages --yes=TRUE --uri=default
    10. Run DB updates (run against each multisite separately):

      drush updatedb-status --uri=default
    11. Push the updated branch to the repository:

      git push -u origin $branch_name
    12. The new branch is deployed to the RA environment (using drush/cloudapi):

      drush @sitename.ra ac-code-path-deploy $branch_name
    13. LiveDev is disabled (using drush/cloudapi):

      drush @sitename.ra ac-environment-livedev action disable
  5. At this point in the process, Acquia RA generates a ticket listing what updates were performed and what the next steps in the process are.
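The two commit steps above stage everything and then reset the file directories out of the index, so an update commit never carries uploaded or generated files. The following is an added example, not Acquia's own script: it wraps that staging rule in a function and exercises it against a throwaway Git repository that imitates an Acquia Cloud checkout after `drush pm-updatecode` has run. The repository layout, file names and the `RA demo` identity are constructed for the demonstration.

```shell
# Stage every change under the repository root, then drop the runtime file
# directories (acquia-files, docroot/files, docroot/sites/*/files) from the
# index so the commit contains code only. The shell expands the glob, exactly
# as in the procedure's `cd docroot && git reset sites/*/files files`.
stage_code_only() {
  ( cd "$1" || exit 1
    git add -A .
    for d in acquia-files docroot/files docroot/sites/*/files; do
      [ -d "$d" ] && git reset -q -- "$d"
    done
    true )
}

# Sorted, space-separated list of the paths currently staged for commit.
staged_paths() {
  echo $(git -C "$1" diff --cached --name-only | sort)
}

# Constructed demo: a checkout with one "production" commit, then an update
# run that changes core, changes a settings file and leaves files behind in
# the two mutable directories. Only the code changes must end up staged.
demo_stage_code_only() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email ra@example.com
  git -C "$repo" config user.name "RA demo"
  mkdir -p "$repo/docroot/sites/default/files" "$repo/acquia-files"
  echo '<?php // core 7.x' > "$repo/docroot/index.php"
  git -C "$repo" add -A . && git -C "$repo" commit -q -m "prod tag"
  echo '<?php // core 7.x, security release' > "$repo/docroot/index.php"
  echo '<?php $conf = array();' > "$repo/docroot/sites/default/settings.php"
  echo 'binary' > "$repo/docroot/sites/default/files/logo.png"
  echo 'scratch' > "$repo/acquia-files/tmp.log"
  stage_code_only "$repo"
  staged_paths "$repo"
  rm -rf "$repo"
}
```

Running `demo_stage_code_only` prints `docroot/index.php docroot/sites/default/settings.php`; `logo.png` and `tmp.log` are back to untracked, which is the property the procedure relies on before `git commit -m $commit_message`.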

Step Two

  1. If necessary, redeploy the RA update branch to the RA environment (using drush/cloudapi):

    drush @sitename.ra ac-code-path-deploy $branch_name
  2. Check whether RA is up to date with the Production environment using Git. The script compares the Production environment's commit log against the commits on the update branch ($branch_name).
    1. If the inverse grep leaves any commits, the Production environment is ahead of the update branch: merge the current Production tag into the update branch ($branch_name), redeploy it to the RA environment, retest, and then restart Step Two.
    2. If the inverse grep returns nothing, continue.
  3. Enable LiveDev on RA (using drush/cloudapi):

    drush @sitename.ra ac-environment-livedev action enable
  4. Back up the testing environment databases (using drush/cloudapi):

    drush @sitename.test ac-database-instance-backup db_name
  5. Copy production databases to the testing environment (using drush/cloudapi):

    drush @sitename.prod ac-database-copy db_name test
  6. Tag the update branch and deploy to the testing environment (using drush/cloudapi):

    git tag -a -m '' -m 'Tag $update_tag generated automatically from $branch_name' $update_tag $branch_name
    drush @sitename.test ac-code-path-deploy $update_tag
  7. If you have not already done so in Step One, download and install Registry Rebuild for drush rr:

    drush pm-download registry_rebuild-7.x --yes=TRUE --root=~/.drush
  8. If necessary, determine the website aliases and run drush rr against them:

    drush sa @sites --format=json -y
    drush rr --uri=default
  9. Set preprocess_js and preprocess_css to 0 for all websites:

    drush vset preprocess_js 0 --uri=default
    drush vset preprocess_css 0 --uri=default
  10. Check the testing environment database(s) for updates:

    drush updatedb-status --uri=default
  11. Update the testing environment database(s):

    drush updatedb --uri=default
  12. Disable live development on the RA environment (using drush/cloudapi):

    drush @sitename.ra ac-environment-livedev action disable
  13. At this point, Acquia RA updates the ticket with the newly created tag name and lists the next steps required to proceed to Step Three.
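Item 2 of Step Two (and item 3 of Step Three, which repeats it against $update_tag) describes the check but not the commands. The following is an added example, not Acquia's script: it expresses the check as a Git set difference, since the commits reachable from the production tag but not from the update branch are exactly what an inverse grep of the two logs leaves behind, and walks it through the three states the procedure cares about in a throwaway repository. The branch name `ra-update`, the tags `prod-tag-1` and `prod-tag-2`, and the file names are constructed for the demonstration.

```shell
# One line per commit that the production tag has and the update branch lacks.
# Empty output means production has not moved since the branch was cut (or
# every production commit has since been merged in).
prod_commits_missing_from_branch() {
  git -C "$1" log --oneline "$3..$2"   # $1 repo, $2 prod tag, $3 update branch
}

# Succeed only when that list is empty, i.e. the branch is safe to deploy.
branch_is_current() {
  [ -z "$(prod_commits_missing_from_branch "$@")" ]
}

# Constructed demo: cut an update branch from the production tag, then let a
# hotfix land on production, then merge production back into the branch.
demo_divergence_check() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email ra@example.com
  git -C "$repo" config user.name "RA demo"
  git -C "$repo" checkout -q -b prod
  echo 'core 7.0' > "$repo/core.txt"
  git -C "$repo" add core.txt && git -C "$repo" commit -q -m "site launch"
  git -C "$repo" tag prod-tag-1                          # plays $originating_tag
  git -C "$repo" checkout -q -b ra-update prod-tag-1     # plays $branch_name
  echo 'core 7.1 (security)' > "$repo/core.txt"
  git -C "$repo" commit -q -am "core security update"
  # State 1: production unchanged since the branch was cut -> current.
  if branch_is_current "$repo" prod-tag-1 ra-update; then r1=current; else r1=stale; fi
  # State 2: a hotfix is committed and tagged on production -> stale.
  git -C "$repo" checkout -q prod
  echo 'hotfix' > "$repo/hotfix.txt"
  git -C "$repo" add hotfix.txt && git -C "$repo" commit -q -m "prod hotfix"
  git -C "$repo" tag prod-tag-2
  if branch_is_current "$repo" prod-tag-2 ra-update; then r2=current; else r2=stale; fi
  # State 3: merge the current production tag into the branch -> current again.
  git -C "$repo" checkout -q ra-update
  git -C "$repo" merge -q --no-edit prod-tag-2
  if branch_is_current "$repo" prod-tag-2 ra-update; then r3=current; else r3=stale; fi
  rm -rf "$repo"
  echo "$r1 $r2 $r3"
}
```

`demo_divergence_check` prints `current stale current`. In the real procedure the same call is made with the deployed Production tag and either $branch_name (Step Two) or $update_tag (Step Three); any output from `prod_commits_missing_from_branch` is the list of production commits that must be merged before the RA branch is redeployed and retested.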

Step Three

  1. Redeploy the RA Step Two tag to the RA environment (using drush/cloudapi):

    drush @sitename.ra ac-code-path-deploy $update_tag
  2. Grab the variables from the Step Two tag git log:

    cd /var/www/html/sitegroup.ra/docroot/.. && cd /var/www/repo/sitegroup; git log tags/$update_tag
  3. Check if RA is up to date compared to the Production environment with the following Git commands. The script commands check the Production environment’s commit log against what is on the update tag ($update_tag). This is the same process as used in Step Two.
  4. Production databases are backed up (using drush/cloudapi):

    drush @sitename.prod ac-database-instance-backup db_name
  5. Deploy $update_tag to the Production environment (using drush/cloudapi):

    drush @sitename.prod ac-code-path-deploy $update_tag
  6. Determine the website aliases:

    drush sa @sites --format=json -y
  7. Check the Production environment database(s) for updates:

    drush updatedb-status --uri=default
  8. Update the Production environment database(s):

    drush updatedb --uri=default
  9. Enable Live Development on the RA environment (using drush/cloudapi):

    drush @sitename.ra ac-environment-livedev action enable
  10. Merge the update branch (whose tip is $update_tag) into the customer-selected repository branch, using Git in the RA environment while LiveDev is enabled:

    git merge origin/$branch_name -m "initials: Some commit message"
  11. Disable live development on RA environment (using drush/cloudapi):

    drush @sitename.ra ac-environment-livedev action disable
  12. At this point, Acquia RA updates the ticket to inform that the process was completed successfully and, if applicable, that the branch has been merged back into the specified development branch (typically master).
