Or asked the other way around: How long do you keep your servers running without installing any software updates?
update means something like
sudo dnf update
or something …
apt-get upgrade
apt-get update
Every couple of days. I don’t auto-update, but I’ve streamlined the process to the point that I can just open a single web page and see the number of pending updates for every system on my network, docker containers included, each one with a button. Clicking the button applies the update and reboots if necessary. So it takes about 15 seconds of effort to update everything, which is why I don’t mind doing it so often.
Whenever I ssh into it.
Probably every 2 months. When I have a day off work with nothing to do. I have a few VMs that are more fragile than I want to admit and if something breaks I want to have time to tinker instead of just restoring a backup.
Unattended-upgrade does security-only patching once every 4 hours (in rough sync with my local mirror)
Full upgrades are done weekly, accompanied by a reboot
I find that the split between security patching and feature/bug patching maintains a healthy balance knowing when something is likely to break but never being behind on the latest cve.
For me, unattended-upgrade does it’s thing. Updating other packages happens whenever I think about it. Very few things are not containerized and there’s very little added beyond the base Debian install, so when I do update its maybe a dozen packages.
I would previously reboot during thunderstorms if we lost power, but now that I’ve got a UPS I probably ought to come up with a different plan.
I do it every 3 to 5 days. I usually do it when I have time to fix things if it goes south.
All services are dockerized, updated nightly.
Server OS runs a kernel-patch service for real time exploit patching.
All other updates as soon as they appear.
Yeah, sometimes I’ll need to go in a repair - but that’s way better than having to clean up after having been exploited due to not keeping up on security patches.
On Alpine Linux I update my two Pi servers at 2 in the morning daily. It’s simpler compared to Debian which needs unattended-updates. Just add
apk update && apk upgradeto a cron job and you’re good to go.I only have three docker services which is simple enough to update manually.
I like to keep things as simple as possible for my already chaotic brain.
Be careful with unattended upgrades, even on alpine. A recent breaking change in python3 broke my alpine 23 ansible instance. Thankfully I have backups, but if you’re going to automate the upgrade, you should automate tests as well.
My web facing server has just enough packages installed to (kinda securely) host a Caddy and Kiwix docker container to work with my domain name and make a comfortable work environment through SSH. My Pi for my HomeAssistant docker container has less because it’s locked down to just my local network.
I also wrote my own install scripts so reinstalling everything and getting it back to a running state would take about 15 minutes for each device.
And I also wrote my own backup/restore scripts that evolved over 3/4 of a year. I use them often so I have confidence in those scripts.
I personally don’t really care too much. I have multiple ways of dealing with issues for something that’s a hobby to me. Which is why I stick to simplicity.
I’m sure this is a thing for people to worry about when dealing with more complex setups. I just wanna vibe out in my tiny corner of the internet.
To make it even simpler,
apk -U upgradeapkseems to have some tricks in there that aren’t as well known.I managed to catch in the IRC channel that
apk add docwill automatically download any related man pages for packages with any future downloads throughapk. That made life a bit more convenient instead of downloading all those packages separately.
Apt update and upgrade happen automatically.
my nixos containers and the podman containers inside them update nightly around 03:00
First Friday of the month. Easy to remember.
podman quadlets with auto updates running on opensuse microos
im not yet self hosting a ton of services tho
On my ubuntu I use unattended updates but that doesn’t work reliably. I have to update it manually most of the time. Once every other month.
On my fedora server it auto updates every day at 4 reliably.
The next server is going to be atomic such that the server restart is even shorter (not that I would care about it at 4).
Every night at ~ 12-1am
unattended updates / transactional-update are awesome.
Stuff has been running for years, and it’s still up to date.
Tell me you’re using nightly builds as well.
This guy scares me
Once per week for me. Works really great on openSUSE MicroOS. Had to roll back maybe a couple of times the last few years.
That said, I run basically everything in containers so the OS installed things are lean.
This is the way! At least install security upgrades nightly using
unattended-upgradesand reboot from time to time to get the latest Kernel version.I wish I could use unattended-upgrade.
It literally restarts my server even when I disable the option, leaving it hung if the USB boot key isn’t in there.
I had to stop using it, so now I just manually upgrade because that doesn’t auto-restart without my permission…
unattended-upgrades doesn’t do that unless you explicitly specify
Unattended-Upgrade::Automatic-Reboot "true";in the config. Check/usr/share/doc/unattended-upgrades/README.md.gzThe main configuration file is
/etc/apt/apt.conf.d/50unattended-upgrades, maybe you put your config in the wrong place?here is mine
Every day or at least once a week. Should automate it.
I run Ubuntu Server 24.04 LTS with k3s. I update my container versions every few months, though not everything I’m running all at once. I update the actual system packages via apt maybe once a year and end up nuking and re-installing everything every couple years on average. I deliberately block all inbound WAN traffic in my firewall and use k8s network policies to aggressively limit egress WAN connections because I’m aware that I’m bad about keeping things up to date.
