Submitted by Steve Purkiss on Sat, 24/09/2016 - 17:27

Automating updates for Drupal has been a hotly debated topic for many years, with a number of strong views expressed from all sides and some recent encouraging progress, but as yet still no resolution.

Due to Drupal's complexity, automating updates is not a trivial task. However, the importance of such functionality came to a head a couple of years back in October 2014 with 'Drupageddon', when an exploit was discovered and users were told that if they did not patch their system within just a few hours, it was likely their sites were toast.

As Drupal adoption continues, the pressure to implement such functionality grows and a sprinkling of commercial offerings have appeared, most notably Drop Guard which grew from an internal tool built by German Drupal web & mobile app agency Bright Solutions. Bright created the ERPAL distribution of Drupal, an all-in-one e-business backroom platform, so they know their Drupal and I was eager to try out their service. It also looks like the Drop Guard site itself is built on top of ERPAL.

As usual with Drupal there are a million-and-one things on my try-out list with more exciting stuff appearing each day, so I was excited when I saw a tweet from Drop Guard offering a free ticket to DrupalCon Dublin in return for an impartial review of their service - I wasn't planning on going but this meant I could just about justify attending, and I would finally get round to setting up automated updates for my new purkiss.com which I'd just started to build in Drupal 8.

I replied within a few seconds and won the prize! Of course now I had to do the work, so for the past month and a half I've been road-testing their service and below is my report. I'm actually writing this in the extended sprints on the Saturday before DrupalCon - I had planned on writing it before but one thing led to another and I ended up having to do some client work, but as luck and Drupal small-world would have it, one of the first Drupalers I met this morning just happens to be working on building a new user interface for Drop Guard so not only did I manage to gain a little more info on the service and company, but also a sneak peek at what looks like a much more user-friendly interface to this important service offering.

I must admit, my review would have been quite different if I hadn't seen those mock-ups, so I'm very glad I did - everything happens for a reason, etc.!

What's the offering?

Billed as "The update management system for automation and quality assurance", Drop Guard provides continuous security for Drupal, targeted at hosting providers, Drupal agencies, freelancers and non-profits - the latter of which they have recently offered a free of cost tier for, which in my mind is a very Good Thing. For individual sites they currently have three pricing options - €9pcm plus tax for up to 30 contrib modules covered, €29 for up to 70, and €59 for up to 150, plus tailored offerings for agencies.

All packages offer the same functionality underneath - fully controllable workflow for updates, automated patch detection and application - provided you set up everything as needed, which can be done through their integration into Continuous Integration ('CI') tools and options for Secure Shell ('SSH') deployments. 

Seamless integration with the major Drupal-specific hosting providers is also part of the offering, so all-in-all a good offer for the price, considering how much time is spent on these tasks plus the knowledge that if there's an urgent update and you're not around, or asleep, or without a connection, your site(s) are safe. I do wonder what will happen as more companies launch similar services, whether it will be a race to the lowest price until core decides to provide it for free? More on that later...

A note on our value as a community

I'm going to be particularly picky with my review because I believe there is a space for this kind of value-added service in the market but I think over the next couple of years the landscape will be very different with a number of offerings, so hopefully by providing detailed feedback I can provide more value than just a review saying "it's great".

As an offering that has grown from the community I would very much like to see Drop Guard succeed and not be overtaken by something which comes along with bigger financial backing but perhaps no 'soul', and as a community I believe it's in our hands to support these kinds of community-grown offerings - if we just watch from the sidelines but don't join in their growth by helping out, recommending and of course using their service then we are not in a position to complain if they disappear.

I also really appreciate the opportunity they have given me to attend DrupalCon as it means I can be around kindred folk enjoying the many DrupalCon goings-on and get to run my BoF sessions (shameless plug: Co-op BoF Tuesday 5pm, Freelancers & Contractors BoF Wednesday 5pm, both Wicklow Room 3). I believe this kind of value sharing between companies and community is the way forward - "growing the pie for everyone" as I've heard time and again at various Drupal events. So hopefully my review will provide value to you too, please do feel free to comment using the form at the bottom of this article, it would be great to hear your experiences, thoughts and opinions on the subject - don't be shy!

Step 1: Creating an account

So, on to the system itself - I was particularly interested to see how this worked as many projects I've worked on utilise CI, however apart from playing around with Jenkins for a while some time ago, I'd not had a pressing reason to set anything up for myself - it had always been something someone else had done. I soon found out I was not going to be Drop Guard's 'usual' customer as for me when I read 'Automated patch detection and application' I naively had the impression I was just going to enter a few login details and Drop Guard was going to magically work everything out for me whilst I get on a plane to go lay on a beach somewhere. As usual though, there's a little more than that to do to set everything up, but once it is then yes, perhaps it's ok to go catch that plane!

The account creation screen to me has a few too many fields to fill out in this current day and age where we quickly lose interest - not that it has too many questions, but really all you need is an email address - the rest can be added later. For mission-critical required information, sure, but other questions seem more relevant to what Drop Guard want in order to profile you as a customer type, which don't seem to have any immediate effect on what I'm presented with after login, so I would say leave them out and let users choose once in the system. There's also a 'Promo Code' field, which to me just makes me feel like there's a promo code lying around somewhere I should be searching the net for. As I also found out later, it defaults to the account creation screen, so when you come back to the website you have to click the 'I have an account' in order to log in, I would say switch that - it's how most other sites work and if I want to create an account I have no problem in clicking a tab but it does get slightly annoying having to click every time I log back in.

There's also a link underneath the registration form to their slack channel which slightly worried me as I'm not a user of slack due to its proprietary nature - as a developer of Free/Libre Open Source Software many of my answers come from searching the web for similar situations, and unless you pay slack a lot of money, that history is not available for search so although it's a nice user-friendly interface I would much prefer to see people adopting more open solutions such as Mattermost. I presume here there are other options for support so I carry on my journey.

As previously mentioned I'm going to be picky, but it's what I felt, so it's what I'm going to type - also remember with a redesign on the cards things may have changed by the time you read this!

Step 2: Adding a project

Once you've registered and confirmed your email by clicking on the link that's sent to you, a screen is presented where you can set up your first project. There's only a few fields to fill out - a name for your project, the URL of your code repository (Git only, but I'm unsure of any value supporting other code versioning systems, if they still exist) and a field for tags. This tags field threw me a little as there was no description as to how the tags would be used, I'm presuming they're if you have a number of sites then tagging is useful but I wouldn't necessarily have the field here.

I was encouraged to see the link to the support chat, now I know I don't have to use slack to get in touch with Drop Guard if I need any help. Of course being me it's now a little annoying as I go from screen to screen as if these chat things auto-open I often think someone's there waiting for me to talk so I always end up clicking to minimise it!

I experienced problems with the system not accepting my Git URL which, after a few conversations with the Drop Guard team turned out to be browser caching issues which I believe perhaps came from the heavy in-development phase the system was at the time, and all worked well after clearing my cache so if you do by chance experience issues. Saying that though, I've just tried to add another project and it's come up with the same error - 'Git username can't contain ":" and "@" characters'. I cleared all my caches (which is a pain now I'm going to have to log in to everything again!), so no doubt I'll be approaching the Drop Guard at DrupalCon to see what the deal is - go see Drop Guard at booth #105 if you're attending!

Step 3: Site config

To enable access to your Drupal site, Drop Guard has its own module on drupal.org which you download and install on your site. This module provides you with a User ID and Access Token which you enter into this screen, along with the URL of your site. All very simple & has my specific details so no screen shot for this step.

Step 4: Update behaviours

You now get to choose what type of updates you want Drop Guard to do anything with and how to handle them. I found this a little overwhelming to begin with and although there is a 'Reload best practices', I believe there could be perhaps three options available in order to provide different levels of security based on best practices. You could then delve deeper into the individual settings. I was encouraged that you can apply changes to different branches, this system really does cover all potential update workflows.

Step 5: Events

Once you've selected your update behaviours you now get the opportunity to attach actions to these events - request a URL, send an email, execute an SSH command, merge a branch, and create a task in a project management system. You can add any number of these to each event depending on your particular workflow - for me at this moment I'm happy just being sent an email, but I can see how easy it's going to be to hook into my CI once I've set it up(!).

Step 6: Integrations

The last setup screen is if you want to connect to your project management system, which I don't have so can't really comment on the functionality other than to say I'm sure it's useful for those who do - the options at the moment are for Jira and Redmine.

Step 7: Sit back and relax!

And that's it, now it's time to sit back, relax, and let Drop Guard do the hard work for you! Although I'm only using it on a very small site it's still very useful as the Drop Guard system emails are far more descriptive than the out-of-the-box Drupal site ones so I can judge better as to whether I need to do something or not. I look forward to setting up continuous integration for my site and configuring Drop Guard to do a lot more for me. I guess I could start by just setting up a few SSH commands to run on specific events, we'll see if I have some time once I get back after DrupalCon...

Conclusion

I've really enjoyed testing the system out and communicating back and forth with the team and as mentioned look forward to integrating my own site more into the update system than it is right now and feel very confident Drop Guard will be able to deal with a number of different scenarios in any which way I want it to. That's if I manage to get to the bottom of my original issue of not being able to add a site - in this day where more of these types of services are appearing on what seems a daily basis, if I find one that works for me out-of-the-box first time, that's probably going to be the one I end up using. I do feel that you're kind of dropped in the deep end straight away and this could perhaps be split up a little more depending on the audience. In a way I felt that if you had all that knowledge already then perhaps you have your own system set-up so it's going to be a choice whether you pay for a system like this or continue down your own path.

Currently I don't see the value differential between the various services, but then as said I'm not their typical client. If the aim is for hosting companies and agencies then they also have the added issue of eventually it being more cost effective in the long term to develop their own systems, but I don't really know enough about what's involved in running this service so can't comment any more than I know a site builder who's built a system that suits their needs, on their own, which manages hundreds of sites. Obviously not everyone's capable of doing that, but it's a case of hunting out that niche where this system hits a sweet spot and then developing your market from there. Or if the idea is to simply build the 'best' system then sell to some large hosting provider then I guess that's a way forward too.

As well as creating a few simple options to ease people into the service I did wonder why they don't market the system on the code security side too - as they have access to your system it would be easy to see whether the code has been changed since they last checked - to me as a user knowing if my code has changed is kinda important and could be a good 'value add' service to market - hacked protection!

It will be interesting to see this market develop, momentum is certainly gathering as I see a seemingly similar offering launched recently, plus more Drupal-specific agencies offering this service as part of their packages. With Drupal core also potentially offering at least some of this then companies in or thinking of entering this space will seriously need to think about what their USP is as there's nothing here which is 'secret sauce', it's all Free/Libre Open Source Software. Let's hope it doesn't become a race to the bottom in terms of price-point, and if it does then let's do it all in core because you can't beat Free.

Once again I'd like to thank Drop Guard for this opportunity and encourage you to try out Drop Guard for yourself, and if you're lucky enough to be in Dublin for DrupalCon then go see them at their booth!

Comments

Submitted by David Snopek (not verified) on Mon, 26/09/2016 - 20:35

It will be interesting to see this market develop, momentum is certainly gathering as I see a seemingly similar offering launched recently

Just wondering what this service was? You alluded to there being a couple, I'm curious what they are, if you don't mind saying.

Thanks!

Apologies, I realised I half-set up my rule to email me comments when posted but didn't get it working!

I saw someone tweeting a lot @ people saying he's set up a new service offering this, did a quick search but can't find it now, will post if I do. It was the usual @ everybody with Drupal in their profile so immediately made it look like a low-quality offering IMO.

Also a number of Drupal shops are offering this as part of their hosting offering, I saw Annertech is doing this, amazee.io are I believe hooked up to Drop Guard.

I've seen a couple around, just did a quick google and found another - http://inet-design.com/fully-managed-drupal-hosting.html
