How Often Should I Update our Linux Server?How do you handle updates on a server?Mirror two production servers onto two dev serversHow to update a live webserver?How often to upgrade PHP & MySQLHow can I test apt-get updates on a test box before deploying to production?Automating enabling and disabling specific services for brief maintenance windowsDebian // synchronize packages/version between multiple serversHow quickly should I action the update announcements on the CentOS mailing lists?Enforcing apt-get version continuity on UbuntuWhat is correct for security updates on Ubuntu apt-get upgrade -s | grep security or unattended upgrades?
Why was this character made Grand Maester?
Is keeping the forking link on a true fork necessary (Github/GPL)?
Did this character show any indication of wanting to rule before S8E6?
Does an eye for an eye mean monetary compensation?
Finding all files with a given extension whose base name is the name of the parent directory
Is there a simple example that empirical evidence is misleading?
Variable declaraton with extra in C
Why is the Eisenstein ideal paper so great?
Can we assume that a hash function with high collision resistance also means highly uniform distribution?
Why A=2 and B=1 in the call signs for Spirit and Opportunity?
What is the recommended procedure to land a taildragger in a crosswind?
Are cells guaranteed to get at least one mitochondrion when they divide?
Low voltage shutdown with regulator using microcontroller
Which European Languages are not Indo-European?
Why did Jon Snow admit his fault in S08E06?
What are nvme namespaces? How do they work?
What were the Ethiopians doing in Xerxes' army?
Cardio work for Muay Thai fighters
Heat lost in ideal capacitor charging
How to determine if a hyphen (-) exists inside a column
Would Buddhists help non-Buddhists continuing their attachments?
Can a ring of spell storing and access to Find spells produce an endless menagerie?
Why isn't Tyrion mentioned in the in-universe book "A Song of Ice and Fire"?
USPS Back Room - Trespassing?
How Often Should I Update our Linux Server?
How do you handle updates on a server?Mirror two production servers onto two dev serversHow to update a live webserver?How often to upgrade PHP & MySQLHow can I test apt-get updates on a test box before deploying to production?Automating enabling and disabling specific services for brief maintenance windowsDebian // synchronize packages/version between multiple serversHow quickly should I action the update announcements on the CentOS mailing lists?Enforcing apt-get version continuity on UbuntuWhat is correct for security updates on Ubuntu apt-get upgrade -s | grep security or unattended upgrades?
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;
I am responsible for managing both our production server (mail, web, database are all on one server) and our test server. Both are built on Debian. However as I am very new to system administration, I have only been installing updates as I come across things that have to be updated so that I can have newer features and get bug fixes. Its a pretty ad hoc process right now, and I'd like to make it less so.
So I am wondering how people who know what they're doing handle this? How often do you perform upgrades on your servers? Is the upgrade process different between test and production? Do you always upgrade any test servers first? And do you do a full update of all software, or do you just install selected updates?
linux debian update apt
add a comment |
I am responsible for managing both our production server (mail, web, database are all on one server) and our test server. Both are built on Debian. However as I am very new to system administration, I have only been installing updates as I come across things that have to be updated so that I can have newer features and get bug fixes. Its a pretty ad hoc process right now, and I'd like to make it less so.
So I am wondering how people who know what they're doing handle this? How often do you perform upgrades on your servers? Is the upgrade process different between test and production? Do you always upgrade any test servers first? And do you do a full update of all software, or do you just install selected updates?
linux debian update apt
add a comment |
I am responsible for managing both our production server (mail, web, database are all on one server) and our test server. Both are built on Debian. However as I am very new to system administration, I have only been installing updates as I come across things that have to be updated so that I can have newer features and get bug fixes. Its a pretty ad hoc process right now, and I'd like to make it less so.
So I am wondering how people who know what they're doing handle this? How often do you perform upgrades on your servers? Is the upgrade process different between test and production? Do you always upgrade any test servers first? And do you do a full update of all software, or do you just install selected updates?
linux debian update apt
I am responsible for managing both our production server (mail, web, database are all on one server) and our test server. Both are built on Debian. However as I am very new to system administration, I have only been installing updates as I come across things that have to be updated so that I can have newer features and get bug fixes. Its a pretty ad hoc process right now, and I'd like to make it less so.
So I am wondering how people who know what they're doing handle this? How often do you perform upgrades on your servers? Is the upgrade process different between test and production? Do you always upgrade any test servers first? And do you do a full update of all software, or do you just install selected updates?
linux debian update apt
linux debian update apt
asked May 18 '09 at 15:33
Noah GoodrichNoah Goodrich
7,04462016
7,04462016
add a comment |
add a comment |
11 Answers
11
active
oldest
votes
I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
add a comment |
On top of previous answers - a couple more specifically Debian things: you should Subscribe to debian-security-announce and debian-announce and / or check out the Debian Security page.
add a comment |
Assuming you are running the stable release of Debian, most patches will be security or bug related which should mean that there won't be too many major changes between versions of any given package. According to the debian patch policy patches should also have been in testing for some time before being moved to the stable branch by the maintainer. Obviously This won't stop breakages when patching but should prevent them in most cases.
It would be prudent to ensure that your testing sever is kept upto date and any packages that have bugs affecting you and your servers should be kept up to date. All packages that have security advisories against them should be updated as soon as you know the patch is stable.
Debian is usually a very stable OS and not one you should be overly concerned with breakages on however always read what is going to be updated before it get updated and keep an eye out for anything that seems strange. I use VCS on my /etc/ dir as well to ensure that any config file changes can be seen with a 'git diff' command.
add a comment |
I do a dry run (first) to see what is going to be updated. Sometimes, libraries (lets call it libfoo for this example) change their API, which breaks programs that we wrote / installed ourselves. If some critical library is updated, I grab the source and try rebuilding our stuff against it prior to updating.
I also check to see that we're not jumping to an intermediate version of some public service, ie apache, etc. I'd rather stay a year behind and not encounter random breakage, unless the update is critical.
If you are a system administrator, you should be pulling RSS feeds from sites like Secunia, which should let you know way ahead of time if your distro is going to be pushing some patches.
Do not ever, ever just blindly upgrade / update. Unfortunately, the task of knowing what is broken falls on you, not your distro package manager, especially if your systems support programmers.
add a comment |
Where I work we have a pretty extensive process that involves using software called PatchLink to notify us of the most important security related updates, and we apply them after testing, on a package by package basis. We have thousands of servers though.
If you only have two servers the process should be much simpler. Although I do not think doing an "apt-get update/upgrade" is your best bet.
I would monitor patches for the software you are running, and make decisions based on the fixes in those releases on when to upgrade.
Since you have a test server, obviously, always test the update before applying them.
add a comment |
Manual updates are best as mentioned here in the sense that you can see what's happening. However, for very large numbers of servers that might become impractical. Dry run is a standard practice, in fact, most package managers will ask you before proceeding.
Updating regularly tends to be best though it can be a bit of a balancing act. Frequent updates means less in one go and less to go wrong at once. If things do go wrong there are fewer candidates to inspect. Packages are also slightly better at updating in smaller steps, as generally when the programmer updates they're looking at going from the last version to the next, whether they'll give any attention beyond the last version can vary, though this tends to matter mostly for software that's rapidly evolving.
Not all updates are non-disruptive. You'll want to watch out for this. Some will restart services leading to down time.
In an ideal setup you might have the following:
- A means of seemlesly switching servers (A/B or tick tock). This means you update one while it's on the bench, then simply swap the traffic from the current one to the new one. This may be more complicated for services such as databases.
- The ability to test updates. You should have test servers that are practically clones of production (but without connecting to any production services). These would allow you to test updates first.
- A good backup strategy, incremental is ideal. You never know. It's always better to be safe than sorry.
- Be aware of which times have the most activity and what level of downtime is tolerable.
- Know how to rollback an update or a specific package.
- Have your own package mirrors so updates are consistent and predictable across servers. This is the first step towards a decent unattended system that you can trust. It means you can update the mirror, run update on one or more test machine then if that's good let it go out automatically. I had an excellent time with aptly managing around 800 EPOS machines.
- A good level of consistency so that you can know that if something will work here, it'll work there.
Some of these can be overkill to varying degrees for small setups but should be kept in mind.
Generally speaking, updates are usually relatively painless for server distros. This is because they nearly always only stick to bug fixes and security updates. You may however have problems if people have done odd things to the system or you add additional package sources.
Although it's moderately rare, they do occasionally make mistakes and break compatibility between minor package versions.
add a comment |
I like cron-apt to automate this process, but as @dinomite pointed out on another question regarding updates, configuring it specifically to automate security-related updates is a very smart idea -- you can then manually update what you need. I had been using cron-apt for all updates but actually changed this based on his answer. If you like it, you should probably vote his answer up rather than this one.
add a comment |
On debian i install cron-apt and edit its configuration file to mail me if ther are any changes. this way i get notified if there are updates for my systems and do the updates by hand
add a comment |
Along the same lines as cron-apt you should take a look at the unattended-upgrades package http://packages.debian.org/lenny/unattended-upgrades.
Its very easy to configure and will enable you to have security updates downloaded and applied automatically but leave other updates for manual upgrading (or at your discretion upgrade everything!).
The Official Ubuntu Server Guide, has a reasonably detailed section covering the use of the unattended-upgrades package https://help.ubuntu.com/9.04/serverguide/C/automatic-updates.html
Note: depending on your level of caution/paranoia you can do a rolling upgrade on a group of test servers first, then if there are not issues, allow your production boxes to update, although I personally have not come across any trouble with security updates wrecking havoc so far (knock on wood)...
There is also a config option to mail you the results of each security update as well, once its applied. Also, if there were any dialog or interactive prompts that were presented during the update, ones that will need manual tweaking by a sysadmin, it will mention these as well.
add a comment |
I personally turn off automatic updates and do not regularly perform any sort of updating of packages on servers in my environments, unless: (a) there is an important CERT advisory for one of packages on my system; (b) I need to upgrade individual packages for specific reasons; (c) OS or packages are reaching end-of-cycle, they won't be supported any more and we need to continue having support. My reasoning is that upgrading without knowing what's being changed or why leaves too much room for something breaking. I've been doing things like this for going on 14 years and it works well.
add a comment |
Besides the stuff that is mentioned you should use some kind of monitoring tool (Nagios or whatever floats your boat) to alert you of updates.
As far as how often goes: As soon as there's an update available!
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f9490%2fhow-often-should-i-update-our-linux-server%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
11 Answers
11
active
oldest
votes
11 Answers
11
active
oldest
votes
active
oldest
votes
active
oldest
votes
I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
add a comment |
I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
add a comment |
I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.
Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.
Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)
I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)
That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)
answered May 18 '09 at 16:01
Brent Brent
14.6k166195
14.6k166195
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
add a comment |
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
4
4
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
I work very hard to touch each server every 30 days. I have 80+ servers at this point. I do them in batches by functional group or by operating system.
– Thomas Denton
May 18 '09 at 17:13
2
2
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
We have a cron script that runs the equivalent for our SLES/OpenSuSE boxes nightly; when it finds that it needs packages, it submits a ticket to the system administration queue in our trouble ticket system. (It keeps track of which ones it's submitted before in a file in /tmp so that it doesn't spam the queue.)
– Karl Katzke
Jun 6 '09 at 22:23
4
4
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
Debian has two packages, apticron and cron-apt, which do a similar thing and email you if there are any updates available. IME, apticron has the edge by emailing you the changelog so you can see what has changed.
– David Pashley
Jun 6 '09 at 22:28
add a comment |
On top of previous answers - a couple more specifically Debian things: you should Subscribe to debian-security-announce and debian-announce and / or check out the Debian Security page.
add a comment |
On top of previous answers - a couple more specifically Debian things: you should Subscribe to debian-security-announce and debian-announce and / or check out the Debian Security page.
add a comment |
On top of previous answers - a couple more specifically Debian things: you should Subscribe to debian-security-announce and debian-announce and / or check out the Debian Security page.
On top of previous answers - a couple more specifically Debian things: you should Subscribe to debian-security-announce and debian-announce and / or check out the Debian Security page.
answered May 18 '09 at 16:12
x3jax3ja
27328
27328
add a comment |
add a comment |
Assuming you are running the stable release of Debian, most patches will be security or bug related which should mean that there won't be too many major changes between versions of any given package. According to the debian patch policy patches should also have been in testing for some time before being moved to the stable branch by the maintainer. Obviously This won't stop breakages when patching but should prevent them in most cases.
It would be prudent to ensure that your testing sever is kept upto date and any packages that have bugs affecting you and your servers should be kept up to date. All packages that have security advisories against them should be updated as soon as you know the patch is stable.
Debian is usually a very stable OS and not one you should be overly concerned with breakages on however always read what is going to be updated before it get updated and keep an eye out for anything that seems strange. I use VCS on my /etc/ dir as well to ensure that any config file changes can be seen with a 'git diff' command.
add a comment |
Assuming you are running the stable release of Debian, most patches will be security or bug related which should mean that there won't be too many major changes between versions of any given package. According to the debian patch policy patches should also have been in testing for some time before being moved to the stable branch by the maintainer. Obviously This won't stop breakages when patching but should prevent them in most cases.
It would be prudent to ensure that your testing sever is kept upto date and any packages that have bugs affecting you and your servers should be kept up to date. All packages that have security advisories against them should be updated as soon as you know the patch is stable.
Debian is usually a very stable OS and not one you should be overly concerned with breakages on however always read what is going to be updated before it get updated and keep an eye out for anything that seems strange. I use VCS on my /etc/ dir as well to ensure that any config file changes can be seen with a 'git diff' command.
add a comment |
Assuming you are running the stable release of Debian, most patches will be security or bug related which should mean that there won't be too many major changes between versions of any given package. According to the debian patch policy patches should also have been in testing for some time before being moved to the stable branch by the maintainer. Obviously This won't stop breakages when patching but should prevent them in most cases.
It would be prudent to ensure that your testing sever is kept upto date and any packages that have bugs affecting you and your servers should be kept up to date. All packages that have security advisories against them should be updated as soon as you know the patch is stable.
Debian is usually a very stable OS and not one you should be overly concerned with breakages on however always read what is going to be updated before it get updated and keep an eye out for anything that seems strange. I use VCS on my /etc/ dir as well to ensure that any config file changes can be seen with a 'git diff' command.
Assuming you are running the stable release of Debian, most patches will be security or bug related which should mean that there won't be too many major changes between versions of any given package. According to the debian patch policy patches should also have been in testing for some time before being moved to the stable branch by the maintainer. Obviously This won't stop breakages when patching but should prevent them in most cases.
It would be prudent to ensure that your testing sever is kept upto date and any packages that have bugs affecting you and your servers should be kept up to date. All packages that have security advisories against them should be updated as soon as you know the patch is stable.
Debian is usually a very stable OS and not one you should be overly concerned with breakages on however always read what is going to be updated before it get updated and keep an eye out for anything that seems strange. I use VCS on my /etc/ dir as well to ensure that any config file changes can be seen with a 'git diff' command.
answered May 18 '09 at 16:11
PixelSmackPixelSmack
48548
48548
add a comment |
add a comment |
I do a dry run (first) to see what is going to be updated. Sometimes, libraries (lets call it libfoo for this example) change their API, which breaks programs that we wrote / installed ourselves. If some critical library is updated, I grab the source and try rebuilding our stuff against it prior to updating.
I also check to see that we're not jumping to an intermediate version of some public service, ie apache, etc. I'd rather stay a year behind and not encounter random breakage, unless the update is critical.
If you are a system administrator, you should be pulling RSS feeds from sites like Secunia, which should let you know way ahead of time if your distro is going to be pushing some patches.
Do not ever, ever just blindly upgrade / update. Unfortunately, the task of knowing what is broken falls on you, not your distro package manager, especially if your systems support programmers.
add a comment |
I do a dry run (first) to see what is going to be updated. Sometimes, libraries (lets call it libfoo for this example) change their API, which breaks programs that we wrote / installed ourselves. If some critical library is updated, I grab the source and try rebuilding our stuff against it prior to updating.
I also check to see that we're not jumping to an intermediate version of some public service, ie apache, etc. I'd rather stay a year behind and not encounter random breakage, unless the update is critical.
If you are a system administrator, you should be pulling RSS feeds from sites like Secunia, which should let you know way ahead of time if your distro is going to be pushing some patches.
Do not ever, ever just blindly upgrade / update. Unfortunately, the task of knowing what is broken falls on you, not your distro package manager, especially if your systems support programmers.
add a comment |
I do a dry run (first) to see what is going to be updated. Sometimes, libraries (lets call it libfoo for this example) change their API, which breaks programs that we wrote / installed ourselves. If some critical library is updated, I grab the source and try rebuilding our stuff against it prior to updating.
I also check to see that we're not jumping to an intermediate version of some public service, ie apache, etc. I'd rather stay a year behind and not encounter random breakage, unless the update is critical.
If you are a system administrator, you should be pulling RSS feeds from sites like Secunia, which should let you know way ahead of time if your distro is going to be pushing some patches.
Do not ever, ever just blindly upgrade / update. Unfortunately, the task of knowing what is broken falls on you, not your distro package manager, especially if your systems support programmers.
I do a dry run (first) to see what is going to be updated. Sometimes, libraries (lets call it libfoo for this example) change their API, which breaks programs that we wrote / installed ourselves. If some critical library is updated, I grab the source and try rebuilding our stuff against it prior to updating.
I also check to see that we're not jumping to an intermediate version of some public service, ie apache, etc. I'd rather stay a year behind and not encounter random breakage, unless the update is critical.
If you are a system administrator, you should be pulling RSS feeds from sites like Secunia, which should let you know way ahead of time if your distro is going to be pushing some patches.
Do not ever, ever just blindly upgrade / update. Unfortunately, the task of knowing what is broken falls on you, not your distro package manager, especially if your systems support programmers.
answered May 18 '09 at 15:46
Tim Post♦Tim Post
1,4051224
1,4051224
add a comment |
add a comment |
Where I work we have a pretty extensive process that involves using software called PatchLink to notify us of the most important security related updates, and we apply them after testing, on a package by package basis. We have thousands of servers though.
If you only have two servers the process should be much simpler. Although I do not think doing an "apt-get update/upgrade" is your best bet.
I would monitor patches for the software you are running, and make decisions based on the fixes in those releases on when to upgrade.
Since you have a test server, obviously, always test the update before applying them.
add a comment |
Where I work we have a pretty extensive process that involves using software called PatchLink to notify us of the most important security related updates, and we apply them after testing, on a package by package basis. We have thousands of servers though.
If you only have two servers the process should be much simpler. Although I do not think doing an "apt-get update/upgrade" is your best bet.
I would monitor patches for the software you are running, and make decisions based on the fixes in those releases on when to upgrade.
Since you have a test server, obviously, always test the update before applying them.
add a comment |
Where I work we have a pretty extensive process that involves using software called PatchLink to notify us of the most important security related updates, and we apply them after testing, on a package by package basis. We have thousands of servers though.
If you only have two servers the process should be much simpler. Although I do not think doing an "apt-get update/upgrade" is your best bet.
I would monitor patches for the software you are running, and make decisions based on the fixes in those releases on when to upgrade.
Since you have a test server, obviously, always test the update before applying them.
Where I work we have a pretty extensive process that involves using software called PatchLink to notify us of the most important security related updates, and we apply them after testing, on a package by package basis. We have thousands of servers though.
If you only have two servers the process should be much simpler. Although I do not think doing an "apt-get update/upgrade" is your best bet.
I would monitor patches for the software you are running, and make decisions based on the fixes in those releases on when to upgrade.
Since you have a test server, obviously, always test the update before applying them.
answered May 18 '09 at 15:40
WerkkreWWerkkreW
5,18631931
5,18631931
add a comment |
add a comment |
Manual updates are best as mentioned here in the sense that you can see what's happening. However, for very large numbers of servers that might become impractical. Dry run is a standard practice, in fact, most package managers will ask you before proceeding.
Updating regularly tends to be best though it can be a bit of a balancing act. Frequent updates means less in one go and less to go wrong at once. If things do go wrong there are fewer candidates to inspect. Packages are also slightly better at updating in smaller steps, as generally when the programmer updates they're looking at going from the last version to the next, whether they'll give any attention beyond the last version can vary, though this tends to matter mostly for software that's rapidly evolving.
Not all updates are non-disruptive. You'll want to watch out for this. Some will restart services leading to down time.
In an ideal setup you might have the following:
- A means of seemlesly switching servers (A/B or tick tock). This means you update one while it's on the bench, then simply swap the traffic from the current one to the new one. This may be more complicated for services such as databases.
- The ability to test updates. You should have test servers that are practically clones of production (but without connecting to any production services). These would allow you to test updates first.
- A good backup strategy, incremental is ideal. You never know. It's always better to be safe than sorry.
- Be aware of which times have the most activity and what level of downtime is tolerable.
- Know how to rollback an update or a specific package.
- Have your own package mirrors so updates are consistent and predictable across servers. This is the first step towards a decent unattended system that you can trust. It means you can update the mirror, run update on one or more test machine then if that's good let it go out automatically. I had an excellent time with aptly managing around 800 EPOS machines.
- A good level of consistency so that you can know that if something will work here, it'll work there.
Some of these can be overkill to varying degrees for small setups but should be kept in mind.
Generally speaking, updates are usually relatively painless for server distros. This is because they nearly always only stick to bug fixes and security updates. You may however have problems if people have done odd things to the system or you add additional package sources.
Although it's moderately rare, they do occasionally make mistakes and break compatibility between minor package versions.
add a comment |
Manual updates are best as mentioned here in the sense that you can see what's happening. However, for very large numbers of servers that might become impractical. Dry run is a standard practice, in fact, most package managers will ask you before proceeding.
Updating regularly tends to be best though it can be a bit of a balancing act. Frequent updates means less in one go and less to go wrong at once. If things do go wrong there are fewer candidates to inspect. Packages are also slightly better at updating in smaller steps, as generally when the programmer updates they're looking at going from the last version to the next, whether they'll give any attention beyond the last version can vary, though this tends to matter mostly for software that's rapidly evolving.
Not all updates are non-disruptive. You'll want to watch out for this. Some will restart services leading to down time.
In an ideal setup you might have the following:
- A means of seemlesly switching servers (A/B or tick tock). This means you update one while it's on the bench, then simply swap the traffic from the current one to the new one. This may be more complicated for services such as databases.
- The ability to test updates. You should have test servers that are practically clones of production (but without connecting to any production services). These would allow you to test updates first.
- A good backup strategy, incremental is ideal. You never know. It's always better to be safe than sorry.
- Be aware of which times have the most activity and what level of downtime is tolerable.
- Know how to rollback an update or a specific package.
- Have your own package mirrors so updates are consistent and predictable across servers. This is the first step towards a decent unattended system that you can trust. It means you can update the mirror, run update on one or more test machine then if that's good let it go out automatically. I had an excellent time with aptly managing around 800 EPOS machines.
- A good level of consistency so that you can know that if something will work here, it'll work there.
Some of these can be overkill to varying degrees for small setups but should be kept in mind.
Generally speaking, updates are usually relatively painless for server distros. This is because they nearly always only stick to bug fixes and security updates. You may however have problems if people have done odd things to the system or you add additional package sources.
Although it's moderately rare, they do occasionally make mistakes and break compatibility between minor package versions.
add a comment |
Manual updates are best as mentioned here in the sense that you can see what's happening. However, for very large numbers of servers that might become impractical. Dry run is a standard practice, in fact, most package managers will ask you before proceeding.
Updating regularly tends to be best though it can be a bit of a balancing act. Frequent updates means less in one go and less to go wrong at once. If things do go wrong there are fewer candidates to inspect. Packages are also slightly better at updating in smaller steps, as generally when the programmer updates they're looking at going from the last version to the next, whether they'll give any attention beyond the last version can vary, though this tends to matter mostly for software that's rapidly evolving.
Not all updates are non-disruptive. You'll want to watch out for this. Some will restart services leading to down time.
In an ideal setup you might have the following:
- A means of seemlesly switching servers (A/B or tick tock). This means you update one while it's on the bench, then simply swap the traffic from the current one to the new one. This may be more complicated for services such as databases.
- The ability to test updates. You should have test servers that are practically clones of production (but without connecting to any production services). These would allow you to test updates first.
- A good backup strategy, incremental is ideal. You never know. It's always better to be safe than sorry.
- Be aware of which times have the most activity and what level of downtime is tolerable.
- Know how to rollback an update or a specific package.
- Have your own package mirrors so updates are consistent and predictable across servers. This is the first step towards a decent unattended system that you can trust. It means you can update the mirror, run update on one or more test machine then if that's good let it go out automatically. I had an excellent time with aptly managing around 800 EPOS machines.
- A good level of consistency so that you can know that if something will work here, it'll work there.
Some of these can be overkill to varying degrees for small setups but should be kept in mind.
Generally speaking, updates are usually relatively painless for server distros. This is because they nearly always only stick to bug fixes and security updates. You may however have problems if people have done odd things to the system or you add additional package sources.
Although it's moderately rare, they do occasionally make mistakes and break compatibility between minor package versions.
Manual updates are best as mentioned here in the sense that you can see what's happening. However, for very large numbers of servers that might become impractical. Dry run is a standard practice, in fact, most package managers will ask you before proceeding.
Updating regularly tends to be best though it can be a bit of a balancing act. Frequent updates means less in one go and less to go wrong at once. If things do go wrong there are fewer candidates to inspect. Packages are also slightly better at updating in smaller steps, as generally when the programmer updates they're looking at going from the last version to the next, whether they'll give any attention beyond the last version can vary, though this tends to matter mostly for software that's rapidly evolving.
Not all updates are non-disruptive. You'll want to watch out for this. Some will restart services leading to down time.
In an ideal setup you might have the following:
- A means of seemlesly switching servers (A/B or tick tock). This means you update one while it's on the bench, then simply swap the traffic from the current one to the new one. This may be more complicated for services such as databases.
- The ability to test updates. You should have test servers that are practically clones of production (but without connecting to any production services). These would allow you to test updates first.
- A good backup strategy, incremental is ideal. You never know. It's always better to be safe than sorry.
- Be aware of which times have the most activity and what level of downtime is tolerable.
- Know how to rollback an update or a specific package.
- Have your own package mirrors so updates are consistent and predictable across servers. This is the first step towards a decent unattended system that you can trust. It means you can update the mirror, run update on one or more test machine then if that's good let it go out automatically. I had an excellent time with aptly managing around 800 EPOS machines.
- A good level of consistency so that you can know that if something will work here, it'll work there.
Some of these can be overkill to varying degrees for small setups but should be kept in mind.
Generally speaking, updates are usually relatively painless for server distros. This is because they nearly always only stick to bug fixes and security updates. You may however have problems if people have done odd things to the system or you add additional package sources.
Although it's moderately rare, they do occasionally make mistakes and break compatibility between minor package versions.
answered May 10 at 1:59
jgmjgmjgmjgm
1313
1313
add a comment |
add a comment |
I like cron-apt to automate this process, but as @dinomite pointed out on another question regarding updates, configuring it specifically to automate security-related updates is a very smart idea -- you can then manually update what you need. I had been using cron-apt for all updates but actually changed this based on his answer. If you like it, you should probably vote his answer up rather than this one.
add a comment |
I like cron-apt to automate this process, but as @dinomite pointed out on another question regarding updates, configuring it specifically to automate security-related updates is a very smart idea -- you can then manually update what you need. I had been using cron-apt for all updates but actually changed this based on his answer. If you like it, you should probably vote his answer up rather than this one.
add a comment |
I like cron-apt to automate this process, but as @dinomite pointed out on another question regarding updates, configuring it specifically to automate security-related updates is a very smart idea -- you can then manually update what you need. I had been using cron-apt for all updates but actually changed this based on his answer. If you like it, you should probably vote his answer up rather than this one.
I like cron-apt to automate this process, but as @dinomite pointed out on another question regarding updates, configuring it specifically to automate security-related updates is a very smart idea -- you can then manually update what you need. I had been using cron-apt for all updates but actually changed this based on his answer. If you like it, you should probably vote his answer up rather than this one.
edited Apr 13 '17 at 12:14
Community♦
1
1
answered May 18 '09 at 16:21
nedmnedm
4,95052648
4,95052648
add a comment |
add a comment |
On debian i install cron-apt and edit its configuration file to mail me if ther are any changes. this way i get notified if there are updates for my systems and do the updates by hand
add a comment |
On debian i install cron-apt and edit its configuration file to mail me if ther are any changes. this way i get notified if there are updates for my systems and do the updates by hand
add a comment |
On debian i install cron-apt and edit its configuration file to mail me if ther are any changes. this way i get notified if there are updates for my systems and do the updates by hand
On debian i install cron-apt and edit its configuration file to mail me if ther are any changes. this way i get notified if there are updates for my systems and do the updates by hand
answered May 30 '09 at 19:50
lepolelepole
1,64311017
1,64311017
add a comment |
add a comment |
Along the same lines as cron-apt you should take a look at the unattended-upgrades package http://packages.debian.org/lenny/unattended-upgrades.
Its very easy to configure and will enable you to have security updates downloaded and applied automatically but leave other updates for manual upgrading (or at your discretion upgrade everything!).
The Official Ubuntu Server Guide, has a reasonably detailed section covering the use of the unattended-upgrades package https://help.ubuntu.com/9.04/serverguide/C/automatic-updates.html
Note: depending on your level of caution/paranoia you can do a rolling upgrade on a group of test servers first, then if there are not issues, allow your production boxes to update, although I personally have not come across any trouble with security updates wrecking havoc so far (knock on wood)...
There is also a config option to mail you the results of each security update as well, once its applied. Also, if there were any dialog or interactive prompts that were presented during the update, ones that will need manual tweaking by a sysadmin, it will mention these as well.
add a comment |
Along the same lines as cron-apt you should take a look at the unattended-upgrades package http://packages.debian.org/lenny/unattended-upgrades.
Its very easy to configure and will enable you to have security updates downloaded and applied automatically but leave other updates for manual upgrading (or at your discretion upgrade everything!).
The Official Ubuntu Server Guide, has a reasonably detailed section covering the use of the unattended-upgrades package https://help.ubuntu.com/9.04/serverguide/C/automatic-updates.html
Note: depending on your level of caution/paranoia you can do a rolling upgrade on a group of test servers first, then if there are not issues, allow your production boxes to update, although I personally have not come across any trouble with security updates wrecking havoc so far (knock on wood)...
There is also a config option to mail you the results of each security update as well, once its applied. Also, if there were any dialog or interactive prompts that were presented during the update, ones that will need manual tweaking by a sysadmin, it will mention these as well.
add a comment |
Along the same lines as cron-apt you should take a look at the unattended-upgrades package http://packages.debian.org/lenny/unattended-upgrades.
Its very easy to configure and will enable you to have security updates downloaded and applied automatically but leave other updates for manual upgrading (or at your discretion upgrade everything!).
The Official Ubuntu Server Guide, has a reasonably detailed section covering the use of the unattended-upgrades package https://help.ubuntu.com/9.04/serverguide/C/automatic-updates.html
Note: depending on your level of caution/paranoia you can do a rolling upgrade on a group of test servers first, then if there are not issues, allow your production boxes to update, although I personally have not come across any trouble with security updates wrecking havoc so far (knock on wood)...
There is also a config option to mail you the results of each security update as well, once its applied. Also, if there were any dialog or interactive prompts that were presented during the update, ones that will need manual tweaking by a sysadmin, it will mention these as well.
Along the same lines as cron-apt you should take a look at the unattended-upgrades package http://packages.debian.org/lenny/unattended-upgrades.
Its very easy to configure and will enable you to have security updates downloaded and applied automatically but leave other updates for manual upgrading (or at your discretion upgrade everything!).
The Official Ubuntu Server Guide, has a reasonably detailed section covering the use of the unattended-upgrades package https://help.ubuntu.com/9.04/serverguide/C/automatic-updates.html
Note: depending on your level of caution/paranoia you can do a rolling upgrade on a group of test servers first, then if there are not issues, allow your production boxes to update, although I personally have not come across any trouble with security updates wrecking havoc so far (knock on wood)...
There is also a config option to mail you the results of each security update as well, once its applied. Also, if there were any dialog or interactive prompts that were presented during the update, ones that will need manual tweaking by a sysadmin, it will mention these as well.
edited Jun 6 '09 at 22:21
answered Jun 6 '09 at 22:15
faultyserverfaultyserver
1,62911520
1,62911520
add a comment |
add a comment |
I personally turn off automatic updates and do not regularly perform any sort of updating of packages on servers in my environments, unless: (a) there is an important CERT advisory for one of packages on my system; (b) I need to upgrade individual packages for specific reasons; (c) OS or packages are reaching end-of-cycle, they won't be supported any more and we need to continue having support. My reasoning is that upgrading without knowing what's being changed or why leaves too much room for something breaking. I've been doing things like this for going on 14 years and it works well.
add a comment |
I personally turn off automatic updates and do not regularly perform any sort of updating of packages on servers in my environments, unless: (a) there is an important CERT advisory for one of packages on my system; (b) I need to upgrade individual packages for specific reasons; (c) OS or packages are reaching end-of-cycle, they won't be supported any more and we need to continue having support. My reasoning is that upgrading without knowing what's being changed or why leaves too much room for something breaking. I've been doing things like this for going on 14 years and it works well.
add a comment |
I personally turn off automatic updates and do not regularly perform any sort of updating of packages on servers in my environments, unless: (a) there is an important CERT advisory for one of packages on my system; (b) I need to upgrade individual packages for specific reasons; (c) OS or packages are reaching end-of-cycle, they won't be supported any more and we need to continue having support. My reasoning is that upgrading without knowing what's being changed or why leaves too much room for something breaking. I've been doing things like this for going on 14 years and it works well.
I personally turn off automatic updates and do not regularly perform any sort of updating of packages on servers in my environments, unless: (a) there is an important CERT advisory for one of packages on my system; (b) I need to upgrade individual packages for specific reasons; (c) OS or packages are reaching end-of-cycle, they won't be supported any more and we need to continue having support. My reasoning is that upgrading without knowing what's being changed or why leaves too much room for something breaking. I've been doing things like this for going on 14 years and it works well.
answered Jan 29 '15 at 0:08
Michael MartinezMichael Martinez
1,70511025
1,70511025
add a comment |
add a comment |
Besides the stuff that is mentioned you should use some kind of monitoring tool (Nagios or whatever floats your boat) to alert you of updates.
As far as how often goes: As soon as there's an update available!
add a comment |
Besides the stuff that is mentioned you should use some kind of monitoring tool (Nagios or whatever floats your boat) to alert you of updates.
As far as how often goes: As soon as there's an update available!
add a comment |
Besides the stuff that is mentioned you should use some kind of monitoring tool (Nagios or whatever floats your boat) to alert you of updates.
As far as how often goes: As soon as there's an update available!
Besides the stuff that is mentioned you should use some kind of monitoring tool (Nagios or whatever floats your boat) to alert you of updates.
As far as how often goes: As soon as there's an update available!
answered Jun 3 '09 at 20:14
serverhorrorserverhorror
5,88821840
5,88821840
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f9490%2fhow-often-should-i-update-our-linux-server%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown