Score:0

Patch management and cautious upgrades


My company runs a handful of Ubuntu servers which are considered mission critical. We can only take them offline for maintenance on very rare occasions. We have had problems in the past with the unattended upgrades system unexpectedly breaking things, so both this and fwupd have been disabled on all such systems.

These machines sit behind firewalls, only exposing essential services with very limited user access. All they do is run bespoke trading software and talk to a handful of partners.

We would like to update the software on these boxes extremely conservatively, and only when it's absolutely necessary, e.g. to fix a security issue relating to an exposed service.

Please would someone be able to advise me of the best way to review incoming Ubuntu patches and updates, only applying the occasional unavoidable security update and patches that are relevant to the specific configuration of these machines, while ignoring the rest?

Thanks,

Philip

Artur Meinild
If the servers are "mission critical", then I of course assume they are operating in a redundant environment, with load-balancing/failover properly configured, with a backup/snapshot system in place. If you stick to applying security upgrades, you should be good. In this case, disable the `updates` and `backports` repository pockets, and apply only `security` updates to 1 server in each cluster at a time, to make sure everything runs properly.
Philip P
Thank you for your answer. I appreciate that in an ideal scenario they'd be operating in a redundant configuration; however, that is not currently possible. Without wanting to get distracted from the question of managing the upgrades, please would you let me know how I could best achieve this within the constraints of our environment?
Artur Meinild
Suggestion is the same - only apply `security`. However, using the term "mission critical" about something in a non-redundant setup is something I'll never understand. All in all, managing such infrastructure on a shoestring budget is in my mind purely based on opinions about how to prioritize - there is no clear right or wrong way.
Philip P
Thank you, but I'm looking for something more granular than this. Unfortunately it's too much of a risk to simply apply `security`. Is there a way to review incoming Ubuntu patches and updates, only applying the occasional unavoidable security update and patches that are relevant to the specific configuration of these machines, while ignoring the rest?
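Added example (not from anyone in this thread): a POSIX shell script for the review step the question asks about, combined with the `security`-pocket-only approach suggested in the comments. It filters pending updates down to those served from a `-security` pocket that touch packages behind exposed services; the watchlist, the sample `apt list --upgradable` output and its version strings are assumptions constructed for the example.

```sh
#!/bin/sh
# Review pending Ubuntu updates and keep only those that (a) come from a
# *-security pocket and (b) touch packages behind the services this host exposes.
# Input is the output of `apt list --upgradable`, one line per package:
#   pkg/suite[,suite...] new_version arch [upgradable from: old_version]
# Caveat: apt warns that its CLI output is not a stable interface, so re-check
# the field layout after a release upgrade.

# Print "package old_version new_version" for candidates served from *-security.
security_candidates() {
  awk -F'[/ ]' '
    /^Listing/ { next }
    $2 ~ /-security/ {
      old = $NF; sub(/]$/, "", old)   # strip the trailing "]" from old_version
      print $1, old, $3
    }'
}

# Keep only packages named in the space-separated watchlist passed as $1.
filter_watchlist() {
  awk -v list="$1" '
    BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
    ($1 in want)'
}

# Full review: security pocket first, then the watchlist. What comes out is the
# short list a human reads the changelog for before deciding to apply it.
review_pending() {
  security_candidates | filter_watchlist "$1"
}

# Assumed watchlist: packages behind the exposed services (adjust per host).
WATCHLIST="openssh-server openssl"

# Constructed sample of `apt list --upgradable` output; version strings are made up.
SAMPLE_UPGRADABLE='Listing... Done
openssh-server/jammy-security 1:8.9p1-3ubuntu0.6 amd64 [upgradable from: 1:8.9p1-3ubuntu0.4]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.12 amd64 [upgradable from: 3.0.2-0ubuntu1.10]
libc6/jammy-updates 2.35-0ubuntu3.4 amd64 [upgradable from: 2.35-0ubuntu3.3]
cloud-init/jammy-security 23.4-0ubuntu1 all [upgradable from: 23.3-0ubuntu1]'

printf '%s\n' "$SAMPLE_UPGRADABLE" | review_pending "$WATCHLIST"
# On a live host:  apt list --upgradable 2>/dev/null | review_pending "$WATCHLIST"
# then, per hit:   apt changelog openssh-server      (read the CVE/bug references)
#                  sudo apt-get install --only-upgrade openssh-server
```

Applying one package at a time with `--only-upgrade` keeps everything outside the reviewed list untouched, which is what the question's "ignore the rest" requirement needs.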