apt-get update and apt-get upgrade in Chef

The Opscode "apt" cookbook's default recipe will run apt-get update to ensure that the package cache is updated. We recommend putting that early in your node's run list so later on packages can be installed with the correct versions.

We generally don't recommend that users use "apt-get upgrade" in a recipe, for a couple reasons.

  1. apt-get may upgrade a package that has conflicting configuration or other issues that cannot be resolved without running the command again, or running other apt/dpkg commands manually.
  2. Automated upgrades of all packages on the system can have unintended side effects on the running system (the edge cases are many and possibly thorny, so I can't cover them all).

Instead, use the "upgrade" action for packages that should always update to the latest version.

  package "nginx" do
    action :upgrade
  end

If you're reusing a cookbook that defines the cookbook, you can write a recipe that modifies the action of the existing resource, like this:

  resources("package[nginx]").action(:upgrade)

The #resources method in a recipe will look up in the Resource Collection the specified resource (package nginx). Then sending the #action method with the argument :upgrade will tell Chef that the action should be to upgrade.

Update: Do be careful when choosing packages that would be upgraded automatically in this way. An upstream change in a package can cause detrimental effects on the system. This is especially true if such a package does a restart of services it manages during the post installation scripts. Know your infrastructure, and if in doubt run your own package repository that has the critical packages you need for the application stack.


The apt Chef recipe will not update with every Chef run. The attribute which controls this is called periodic_update_min_delay and is set to 86400 (the attribute should be called sec_delay). If the following file exists and is older than 24 hours, apt will update the cache.

  /var/lib/apt/periodic/update-success-stamp

It also appears that the apt recipe (default.rb) includes a directive to force an update which your recipe could call.

  # For other recipes to call to force an update
  execute 'apt-get update' do
    command 'apt-get update'
    ignore_failure true
    action :nothing   # runs only when another resource notifies it
  end

If you're doing that though, you'll want a not_if to avoid running it too often at which point you might as well call it manually yourself. I got sick of messing with this and ended up just calling apt-get update in a stanza before my install.

  execute "apt-get-update" do
    command "apt-get update"
  end

I suspect the long-term solution for security updates is to set update delay to a few hours.
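As an added example, not code from either answer or from the apt cookbook, here is the stamp-age check described above written in plain Ruby so it can serve as the guard for an execute resource instead of running apt-get update unconditionally on every run. The stamp path and the 86400-second delay come from the answer above; the function names, the second helper, and the only_if usage shown in the comment are my own assumptions.

```ruby
# Added example (not from the apt cookbook or the answers above): a guard that
# reproduces the stamp-age check in plain Ruby, usable as an only_if block on
# an execute resource or run outside Chef.
require 'time'
require 'tempfile'

# Path touched after a successful update (the file named in the answer above)
# and the delay that mirrors the cookbook's periodic_update_min_delay.
DEFAULT_STAMP = '/var/lib/apt/periodic/update-success-stamp'
DEFAULT_DELAY = 86_400 # seconds

# True when the cache must be refreshed: the stamp is missing, or its
# modification time is more than max_age seconds before `now`.
def apt_cache_stale?(stamp = DEFAULT_STAMP, max_age = DEFAULT_DELAY, now = Time.now)
  return true unless File.file?(stamp)
  (now - File.mtime(stamp)) > max_age
end

# Returns the command to run, or nil when the cache is fresh enough
# (hypothetical helper, handy for logging the decision in a converge).
def apt_update_command(stamp = DEFAULT_STAMP, max_age = DEFAULT_DELAY, now = Time.now)
  apt_cache_stale?(stamp, max_age, now) ? 'apt-get update' : nil
end

# Assumed Chef usage (not part of this runnable block):
#   execute 'apt-get update' do
#     only_if { apt_cache_stale? }
#   end

if $PROGRAM_NAME == __FILE__
  # Self-check against a constructed stamp file instead of the real one.
  Tempfile.create('update-success-stamp') do |f|
    two_days_ago = Time.now - 2 * 86_400
    File.utime(two_days_ago, two_days_ago, f.path)
    puts "stale stamp -> #{apt_update_command(f.path).inspect}"
    File.utime(Time.now, Time.now, f.path)
    puts "fresh stamp -> #{apt_update_command(f.path).inspect}"
  end
end
```

Passing `now` explicitly keeps the check deterministic in tests; in a recipe the default of Time.now is what you want, and a lower max_age gives the "few hours" delay the answer suggests for security updates.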