Comment on How do you keep up?
Fedegenerate@lemmynsfw.com 3 weeks ago
Release: stable
Keep the updates as hands off as possible. Docker compose, TTecks lxc updater.
I come through once a week or so to update the stacks, and once a month or so to update the machines. Total time updating is 3 hrs a month; I could drop that a lot when I get around to writing some scripts to update docker images.
Minimise attack surface and outsource security. I have nothing at all open to the internet, I use Tailscale to create tunnels. I’m trusting my security to Tailscale but they are much, much, better at it than I am.
sugar_in_your_tea@sh.itjust.works 3 weeks ago
Automatically upgrading docker images sounds like a recipe for disaster because:
That’s why I refuse to automate updates. I sometimes go weeks or months between using a given service, so I’d rather use vulnerable containers than have to go fix it when I need it.
I run OS updates every month or two, and honestly I’d be okay automating those. I run docker pulls every few months, and there’s no way I’d automate that.
Fedegenerate@lemmynsfw.com 3 weeks ago
I’ve encountered that before with Watchtower updating parts of a service and breaking the whole stack. But automating a stack update, as opposed to a service update, should mitigate all of that.
Most of my stacks are stable, so aside from breaking changes I should be fine. If I hit a breaking change, I keep backups; I’ll rebuild and update manually. I think that’ll be a net time saver overall.
I keep two docker lxcs, one for arrs and one for everything else. I might make a third lxc for things that currently require manual updates. Immich is my only one currently.
sugar_in_your_tea@sh.itjust.works 3 weeks ago
Glad it works for you.
Automatic updates of software with potential breaking changes scares me. I’m not familiar with watchtower, since I don’t use it or anything like it, but I have several services that I don’t use very often, but would suck if they silently stopped working properly.
When I think of a service, I think of something like Nextcloud, Immich, etc., even if they consist of multiple containers. For example, I have separate containers for LibreOffice Online and Nextcloud, but I upgrade them together. I don’t want automated upgrades of either because I never know if future builds will be compatible. So I go update things when I remember, but I make sure everything works after.
That said, it seems watchtower can be used to merely notify, so maybe I’ll use it for that. I certainly want to be around for any automatic updates though.
Fedegenerate@lemmynsfw.com 3 weeks ago
It’s Watchtower that I had problems with because of what you described. Watchtower will drop your microservice, say a database, to update it and then not restart the things that are dependent on it. It can be great, just not in the ham-fisted way I used it.
Uptime Kuma can alert you when a service goes down. I am constantly in my Homarr homepage that tells me if it can’t ping a service, then I go investigating.
I get that it’s scary, and after my Watchtower trauma I was hesitant to go automatic too. But I’m managing 5 machines now, and scaling by getting more, so I have to think about scale.
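The failure mode the thread keeps returning to (a per-container updater bounces a database and leaves its dependents pointing at a dead connection) is a dependency-graph problem. The following added example, not code from any of the commenters or from Watchtower, walks a constructed compose-style stack and works out which services must be restarted when one image changes and in what order, which is what a stack-level update does that a service-level one does not; the service names and `depends_on` edges are made up for illustration.

```python
from collections import defaultdict, deque
# Constructed example stack (not a real deployment). `depends_on` mirrors
# the key of the same name in a docker-compose.yml.
STACK = {
    "db": {"depends_on": []},
    "redis": {"depends_on": []},
    "app": {"depends_on": ["db", "redis"]},
    "worker": {"depends_on": ["db", "redis"]},
    "proxy": {"depends_on": ["app"]},
}

def dependents(services):
    """Reverse the depends_on graph: service -> services that need it."""
    rev = defaultdict(set)
    for name, spec in services.items():
        for dep in spec.get("depends_on", []):
            rev[dep].add(name)
    return rev

def restart_set(services, changed):
    """The service getting a new image plus everything transitively depending
    on it; an updater that only bounces `changed` misses the rest."""
    rev = dependents(services)
    seen, queue = {changed}, deque([changed])
    while queue:
        for dep in rev[queue.popleft()]:
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return seen

def restart_order(services, to_restart):
    """Start order for `to_restart`, dependencies first (Kahn's algorithm).
    Raises ValueError on a cycle; ties are broken alphabetically."""
    rev = dependents(services)
    indeg = {s: sum(d in to_restart for d in services[s].get("depends_on", []))
             for s in to_restart}
    ready = deque(sorted(s for s, n in indeg.items() if n == 0))
    order = []
    while ready:
        cur = ready.popleft()
        order.append(cur)
        for dep in sorted(rev[cur]):
            if dep in indeg:
                indeg[dep] -= 1
                if indeg[dep] == 0:
                    ready.append(dep)
    if len(order) != len(to_restart):
        raise ValueError("dependency cycle in stack")
    return order
```

Updating `db` alone restarts one container; `restart_order(STACK, restart_set(STACK, "db"))` shows the four that actually need to come back, database first.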