Or asked the other way around: How long do you keep your servers running without installing any software updates?

update means something like

sudo dnf update

or something …

apt-get upgrade
apt-get update
  • mjr@infosec.pub · 57 upvotes · 1 month ago

    Those apt commands are in a less-good order. It’s usually better to update apt, then upgrade the system.

    I upgrade as soon as reasonably possible after the notification appears, if the system isn’t on auto-upgrade.

    • njordomir@lemmy.world · 3 upvotes · 1 month ago

      I do sudo apt update && sudo apt upgrade

      Is there any reason to not combine the commands since the output always prompts prior to changes anyway?

      • cyberwolfie@lemmy.ml · 5 upvotes · 1 month ago

        I think their point was to make sure they are done in order, i.e. update before upgrade, not the other way around as in OP's example.

  • dust_accelerator@discuss.tchncs.de · 39 upvotes · 1 month ago

    Every night at ~ 12-1am

    unattended updates / transactional-update are awesome.

    Stuff has been running for years, and it’s still up to date.

    • DasFaultier@sh.itjust.works · 5 upvotes · 1 month ago

      This is the way! At least install security upgrades nightly using unattended-upgrades and reboot from time to time to get the latest Kernel version.

    • gopher@programming.dev · 2 upvotes · 1 month ago

      Once per week for me. Works really great on openSUSE MicroOS. Had to roll back maybe a couple of times the last few years.

      That said, I run basically everything in containers so the OS installed things are lean.

    • JustEnoughDucks@feddit.nl · 1 upvote · 1 month ago

      I wish I could use unattended-upgrade.

      It literally restarts my server even when I disable the option, leaving it hung if the USB boot key isn’t in there.

      I had to stop using it, so now I just manually upgrade because that doesn’t auto-restart without my permission…

      • vegetaaaaaaa@lemmy.world · 2 upvotes · 1 month ago (edited)

        unattended-upgrades doesn’t do that unless you explicitly specify Unattended-Upgrade::Automatic-Reboot "true"; in the config. Check /usr/share/doc/unattended-upgrades/README.md.gz

        The main configuration file is /etc/apt/apt.conf.d/50unattended-upgrades, maybe you put your config in the wrong place?

        here is mine
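
Added example, not part of vegetaaaaaaa's comment and not their configuration: a small shell check for the "config in the wrong place" case, reporting which file under an apt.conf.d directory supplies the effective `Unattended-Upgrade::Automatic-Reboot` value (apt reads those files in ascending name order, so a later file overrides an earlier one). The function names and the sample directory are constructed for illustration, and only the one-line `Key "value";` form is parsed.

```shell
#!/bin/sh
# Added example: find which file under an apt.conf.d directory supplies the
# effective Unattended-Upgrade::Automatic-Reboot value.
# Assumptions: only the one-line form  Key "value";  is recognised (no nested
# { } blocks, no /* */ comments), and /etc/apt/apt.conf itself is not read.

# Prints "VALUE FILE" for the last file that sets the key, or "unset -".
effective_auto_reboot() (
    LC_ALL=C; export LC_ALL          # stable, byte-wise glob ordering
    value=unset; src=-
    for f in "$1"/*; do              # apt reads the parts in ascending name order
        [ -f "$f" ] || continue
        # Anchoring at line start skips "//" comment lines; requiring
        # whitespace after the key skips Automatic-Reboot-Time and -WithUsers.
        v=$(sed -n 's/^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$f" | tail -n 1)
        if [ -n "$v" ]; then value=$v; src=${f##*/}; fi
    done
    printf '%s %s\n' "$value" "$src"
)

# Constructed sample directory (not taken from the thread).
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '//Unattended-Upgrade::Automatic-Reboot "false";' \
        'Unattended-Upgrade::Automatic-Reboot-Time "02:00";' > "$d/50unattended-upgrades"
    printf '%s\n' 'Unattended-Upgrade::Automatic-Reboot "true";' > "$d/99local"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
effective_auto_reboot "$sample"      # the later file wins
rm -rf "$sample"
```

On a Debian or Ubuntu host, call it as `effective_auto_reboot /etc/apt/apt.conf.d`; `apt-config dump` shows the merged configuration that apt itself computes.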

  • Dran@lemmy.world · 23 upvotes · 1 month ago

    Unattended-upgrade does security-only patching once every 4 hours (in rough sync with my local mirror)

    Full upgrades are done weekly, accompanied by a reboot

    I find that the split between security patching and feature/bug patching maintains a healthy balance knowing when something is likely to break but never being behind on the latest CVE.

    • cenzorrll@piefed.ca · 3 upvotes · 1 month ago

      For me, unattended-upgrade does its thing. Updating other packages happens whenever I think about it. Very few things are not containerized and there’s very little added beyond the base Debian install, so when I do update it’s maybe a dozen packages.

      I would previously reboot during thunderstorms if we lost power, but now that I’ve got a UPS I probably ought to come up with a different plan.

  • Sneezycat@sopuli.xyz · 17 upvotes · 1 month ago (edited)

    Well, one of the reasons I’m using debian on my server is so I can kinda forget about it…

    I’ll update maybe once a month, or every couple months. I don’t always restart though, so my kernel is probably a bit behind :'D

  • slazer2au@lemmy.world · 8 upvotes · 1 month ago

    Once a week. I have a bash script that does an apt update upgrade and pulls new docker images.

  • Sir_Kevin@lemmy.dbzer0.com · 5 upvotes · 1 month ago

    On Windows, almost never since it was a disruptive shitshow. Now that I’ve got everything running Linux it’s weekly. Often sooner if I happen to be remoting in and manually update.

  • hexagonwin@lemmy.sdf.org · 5 upvotes · 1 month ago

    maybe like once in 3 months. i usually update when i need to set up something new on the server that needs to install new packages.

  • deleted@lemmy.world · 4 upvotes · 1 month ago

    I do it every 3 to 5 days. I usually do it when I have time to fix things if it goes south.

  • Shimitar@downonthestreet.eu · 4 upvotes · 1 month ago (edited)

    Gentooer here. Emerge sync & world daily at night.

    Weekly a manual check for stuff that doesn’t autoupdate for reasons.

    Monthly / biweekly podman compose pull for containers. Manual, because i don’t trust that kind of autoupdate.

    Edit: OPNsense updates are manual only when I remember because if it breaks, I must be at home to fix it or i lose remote access and that’s bad.

  • lambalicious@lemmy.sdf.org · 4 upvotes · 1 month ago

    Only mostly when I want to. Which tends to be on Mondays and Saturdays.

    I’m running Sid on servers, so automatic updates are actually a risk. Used to be Debian Stable, but maaan the docker and podman improvements… make me drool.

  • melfie@lemy.lol · 3 upvotes · 1 month ago

    I run Ubuntu Server 24.04 LTS with k3s. I update my container versions every few months, though not everything I’m running all at once. I update the actual system packages via apt maybe once a year and end up nuking and re-installing everything every couple years on average. I deliberately block all inbound WAN traffic in my firewall and use k8s network policies to aggressively limit egress WAN connections because I’m aware that I’m bad about keeping things up to date.

  • lemming741@lemmy.world · 3 upvotes · 1 month ago

    Probably every 2 months. When I have a day off work with nothing to do. I have a few VMs that are more fragile than I want to admit and if something breaks I want to have time to tinker instead of just restoring a backup.