Or asked the other way around: How long do you keep your servers running without installing any software updates?
update means something like
sudo dnf update
or something …
apt-get upgrade
apt-get update
Submitted 5 months ago by PlanterTree@discuss.tchncs.de to selfhosted@lemmy.world
Automatic updates for system packages. Automatic container updates with docker. I normally have things pinned to a reasonable major or minor release, so I do manual upgrades for new OS release branches and usually pin to a major version for Docker containers but depends on the container.
Only mostly when I want to. Which tends to be on Mondays and Saturdays.
I’m running Sid on servers, so automatic updates are actually a risk. Used to be Debian Stable, but maaan the docker and podman improvements… make me drool.
When something doesn’t work. I.e. when an app update causes incompatibility with a service. I think I have one server that’s a few years without an update (distro version may actually be EOL for all I know).
Why? Probably so many unpatched issues.
Ain’t broke and I can’t be bothered to update. Not accessible publicly either. It also runs some software with very specific and brittle dependencies and I don’t care to risk breaking it. If distro is EOL (probably is) then it’d be pretty time-consuming getting everything set up again.
my nixos containers and the podman containers inside them update nightly around 03:00
Monthly unless I learn about a vulnerability that would require it sooner.
Apt update and upgrade happen automatically.
If I have something serious, I will set up automatic upgrades. If short downtimes are ok, also with automatic reboots when the kernel updates.
If it’s not anything serious, whenever I remember to.
Yum-cron. Daily. Rolling bounce on a schedule.
It has been rock-solid for 20 years, but lennart’s cancer and the growing amount of shite they’re shoveling into EL has caused a few issues here and there with 7, 9 and 10. (Skipped 8 because f that)
But, today, it works. So that’s year 23 and 8 months.
Daily on my Gentoo server, through a Cronjob every morning. It’s a custom script though, so there’s more than just doing an emerge update. It’ll send me ntfy notifications for the update results, if there are new news items, and if there are any time config merge updates to make. A few other things as well but that’s the main stuff.
Other servers, typically weekly or only manually when I ssh into them (for the ones I don’t really feel the need to update frequently).
Whenever I ssh into it.
podman quadlets with auto updates running on opensuse microos
I’m not yet self hosting a ton of services tho
Anything exposed to the internet gets a daily / weekly update, depending on how exposed it is, how stable the updates are and how critical a breach would be. For example nginx would be a daily update.
Anything behind a vpn gets a more random update schedule mostly based on when I feel like it (probably around once a month or every other month)
I run Ubuntu Server 24.04 LTS with k3s. I update my container versions every few months, though not everything I’m running all at once. I update the actual system packages via apt maybe once a year and end up nuking and re-installing everything every couple years on average. I deliberately block all inbound WAN traffic in my firewall and use k8s network policies to aggressively limit egress WAN connections because I’m aware that I’m bad about keeping things up to date.
Weekly. Cronjob.
Usually every 3/4 months roughly. I try to remember to update the base server. And Docker-based things/web services I update sparingly, every few new versions. As I am the only user of my server, I don’t have a high need to update. So I update only if a new feature is added or a major bug/security patch.
Maybe like once in 3 months. I usually update when I need to set up something new on the server that needs to install new packages.
First Friday of the month. Easy to remember.
On Windows, almost never since it was a disruptive shitshow. Now that I’ve got everything running Linux it’s weekly. Often sooner if I happen to be remoting in and manually update.
Every couple of days. I don’t auto-update, but I’ve streamlined the process to the point that I can just open a single web page and see the number of pending updates for every system on my network, docker containers included, each one with a button. Clicking the button applies the update and reboots if necessary. So it takes about 15 seconds of effort to update everything, which is why I don’t mind doing it so often.
Every day to once a month, depending how often I use the server
IME usually waiting longer to update causes more issues than updating frequently
Depends, on how critical something is…since we deal with servers / customers at work that often are purposely not adjusted for years…because introducing a different behaviour (even if better) would grind production to a halt, I take a not careful approach.
I was using OpenSUSE Leap, and with zypper you can review which patches are available, whether they are critical or run recommended or not needed. You can then apply which specific patch you want by CVE if necessary.
But with Leap’s path seeming messy at the moment, I moved to Tumbleweed, since you have snapshotting built in. If an update did mess something up you just rollback to the previous snapshot and in less than a minute it is fixed.
Got apticron set up on my servers or similar solutions to get notified when updates are available. Then usually, from time of notification +1 or 2 days.
And for containers auto updates once every day.
On Alpine Linux I update my two Pi servers at 2 in the morning daily. It’s simpler compared to Debian which needs unattended-updates. Just add apk update && apk upgrade to a cron job and you’re good to go.
I only have three docker services which is simple enough to update manually.
I like to keep things as simple as possible for my already chaotic brain.
To make it even simpler, apk -U upgrade
apk seems to have some tricks in there that aren’t as well known.
I managed to catch in the IRC channel that apk add doc will automatically download any related man pages for packages with any future downloads through apk. That made life a bit more convenient instead of downloading all those packages separately.
Be careful with unattended upgrades, even on alpine. A recent breaking change in python3 broke my alpine 23 ansible instance. Thankfully I have backups, but if you’re going to automate the upgrade, you should automate tests as well.
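The point in the comment above about automating tests alongside automated upgrades, as an added example that is not part of the thread: a POSIX sh wrapper that runs the upgrade, then smoke-tests the things that must keep working, and only notifies when something fails. The upgrade command, log path, notifier and the two sample checks are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example: run the upgrade, then smoke-test what must keep working.
# All defaults below are assumptions; override them via the environment.
: "${UPGRADE_CMD:=apk -U upgrade}"
: "${UPGRADE_LOG:=/var/log/auto-upgrade.log}"
: "${NOTIFY_CMD:=logger -t auto-upgrade}"
# One check per line, "name|command" (constructed samples).
[ -n "${SMOKE_CHECKS:-}" ] || SMOKE_CHECKS='python3 stdlib|python3 -c "import ssl, json"
ansible starts|ansible --version'

# Runs every check; leaves the names of the failing ones in $failed.
run_smoke_checks() {
    failed=""
    while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        # </dev/null keeps a check from swallowing the remaining check lines.
        sh -c "$cmd" </dev/null >/dev/null 2>&1 ||
            failed="${failed}${failed:+, }${name}"
    done <<EOF
$SMOKE_CHECKS
EOF
    [ -z "$failed" ]
}

# Prints a one-line verdict; returns 0 ok, 1 upgrade failed, 2 checks failed.
upgrade_and_verify() {
    if ! sh -c "$UPGRADE_CMD" >"$UPGRADE_LOG" 2>&1; then
        echo "upgrade-failed"
        return 1
    fi
    if ! run_smoke_checks; then
        echo "smoke-failed: $failed"
        return 2
    fi
    echo "ok"
}

# Cron entry point: stay silent on success, notify on any failure.
if [ "${1:-}" = "--run" ]; then
    result=$(upgrade_and_verify) && exit 0
    $NOTIFY_CMD "$(hostname): $result (log: $UPGRADE_LOG)"
    exit 1
fi
```

Invoked from cron with the `--run` argument; without it the file only defines the functions, so the checks can be exercised by hand before trusting the schedule.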
My web facing server has just enough packages installed to (kinda securely) host a Caddy and Kiwix docker container to work with my domain name and make a comfortable work environment through SSH. My Pi for my HomeAssistant docker container has less because it’s locked down to just my local network.
I also wrote my own install scripts so reinstalling everything and getting it back to a running state would take about 15 minutes for each device.
And I also wrote my own backup/restore scripts that evolved over 3/4 of a year. I use them often so I have confidence in those scripts.
I personally don’t really care too much. I have multiple ways of dealing with issues for something that’s a hobby to me. Which is why I stick to simplicity.
I’m sure this is a thing for people to worry about when dealing with more complex setups. I just wanna vibe out in my tiny corner of the internet.
When I remember. About once a month.
Same here. No auto updates, nothing without my manual intervention. 😅
Last thing I need in my life is a broken system at home when I don’t have time for it!
Almost everything I have runs Debian or NixOS, so……… once a month? Except for VMs I’m playing around with, which usually get updated every time I log into them, or install stuff.
All services are dockerized, updated nightly.
Server OS runs a kernel-patch service for real time exploit patching.
All other updates as soon as they appear.
Yeah, sometimes I'll need to go in and repair - but that's way better than having to clean up after having been exploited due to not keeping up on security patches.
On my ubuntu I use unattended updates but that doesn’t work reliably. I have to update it manually most of the time. Once every other month.
On my fedora server it auto updates every day at 4 reliably.
The next server is going to be atomic such that the server restart is even shorter (not that I would care about it at 4).
Automatic upgrades handle the security patches. Everything else maybe once a month. My big services like Nextcloud auto update as well.
I do it every 3 to 5 days. I usually do it when I have time to fix things if it goes south.
Auli@lemmy.ca 5 months ago
Every day or at least once a week. Should automate it.
PlanterTree@discuss.tchncs.de 5 months ago
Should; Could; How high of a priority is this update automation for you? This is also how I run my server. Configuration possibilities are infinite.