How do I keep Linux servers and desktops up to date?
This guide shows you how to do it the smart way!
Let’s get started!
Choice of distribution
Linux Server – No half measures in the company
Open source does not mean that running the software is free. If you are serious about using Linux in a company, you need an external vendor or an internal specialist who supports an enterprise version of Linux.

These experts are then available to answer questions and provide the expertise you need to run Linux seriously. There are a few providers on the market; choose among them according to the services you need.
You should not simply install your favourite distro on a server and then declare it production-ready.
Ouch!
Linux Desktop – Known is Top
The Linux desktop lives from the community.

The larger the community, the more likely it is that there will be patches and answers to every question. The best-known representatives are Debian and Arch. Instead of choosing a perfectly customised distribution, adapt Debian or Arch to your needs in just a few steps.
Stable version instead of Edge
Everyone loves features – except the security nerd.
New features are new code with new holes. Before you send a new feature to production, you should test it well.
No end user needs a product that only works halfway; no one needs security holes.
Be boring. Don’t be hip. Just stick to the stable branch. Test the new bleeding edge stuff in a virtual machine if it interests you.
Computers and software are not an end in themselves, but should do their job robustly and reliably for the real world. This applies to all operating systems!
Steffen Lippke
With a desktop Linux, only one person is affected, but you still don’t want to suffer data loss or experience other bad things.
Software – But where from?
Where to get software? Can’t see the wood for the package formats?
Software sources and possibilities
Debian comes with a variety of software that you can install with apt.
Keep the software installation as simple as possible. If possible, use only one package manager and do not mix software from AppImage, Flatpak, nix and apt.

I know that you can’t always do without mixing. Choose your package manager wisely: you need to know your package manager in order to patch effectively.
Auto security patching from the manufacturer
Hardly anyone wants to get up in the night just because an engineer in America has found a 10.0 CVE in PHP :-). That’s why you should enable the auto-patching that comes with your operating system. The system then eliminates security bugs during operation, even at inhuman hours.
With Debian it looks like this.
sudo apt update
sudo apt install unattended-upgrades
More about the setup: https://linuxiac.com/how-to-set-up-automatic-updates-on-debian/
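As an added example (not from the original article): a shell function that writes a security-only unattended-upgrades configuration for Debian, so that only the stable security suite is patched automatically and the machine never reboots on its own. The target directory is a parameter so you can preview the files in a scratch directory before writing them to /etc/apt/apt.conf.d; the function names are assumptions, the file names and origin patterns are the standard Debian ones.

```shell
#!/bin/bash
# Added example, not from the original article: generate an unattended-upgrades
# configuration that applies Debian security fixes only (stable branch, no
# feature updates) and never reboots on its own. DIR defaults to the real
# apt.conf.d; pass a scratch directory to preview the result first.
set -eu

# write_unattended_config [DIR]
write_unattended_config() {
    local dir=${1:-/etc/apt/apt.conf.d}

    # Periodic timers: refresh lists daily, download and apply, autoclean weekly.
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF

    # Replaces the packaged default. Only the Debian security suite is an
    # allowed origin; ${distro_codename} is expanded by unattended-upgrades
    # itself, which is why the heredoc delimiter is quoted.
    cat > "$dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "root";
EOF
}

# allows_only_security FILE: returns 0 if every origin entry in FILE carries
# the Debian-Security label, 1 if a feature-update origin (e.g. -updates)
# has slipped into the allow list. Useful on an existing 50unattended-upgrades.
allows_only_security() {
    ! grep -E '^[[:space:]]*"origin=' "$1" | grep -vq 'label=Debian-Security'
}
```

After writing the files, `unattended-upgrade --dry-run --debug` shows which packages the configuration would install without changing anything.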

The (nightmare) dream of patching
Patch much more efficiently and quickly
Patching is a very time-consuming task that multiplies per server. The work steps can quickly drive you mad if too few staff are responsible for too many servers:
- Do I even need to patch? Is the server affected at all? Is another version affected?
- Am I allowed to patch at all? Are there service level agreements for customers? What are the maintenance windows? How urgent is the patch anyway?
- Can I switch off the part of the software that is affected so that it is not patched immediately?
- How high is the availability of the system? What happens if the update goes wrong? What are the consequences?
Red Hat, Ubuntu and openSUSE are aware of the problem and offer a control centre for patching. Many servers have similar configurations and perform similar tasks, so you can save time here. These programmes are often exclusive to companies or chargeable from X or more (virtual) devices.
The fear of patching – rollback strategies
Nobody likes patching, especially when it disrupts production. A downgrade is either not planned for or causes even more damage. Bare-metal backups or snapshots are worth their weight in gold when you have to restore them.
With virtual machines, you can simply take a snapshot and save it in your data lake. Autopatching only starts when the backup job is complete and error-free.
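The rule that autopatching only starts after an error-free backup, as an added example that is not from the original article: a gate script that checks a marker file written by the backup job before it launches the update command. The marker path, its format (exit code and epoch timestamp on one line) and the function names are assumptions.

```shell
#!/bin/bash
# Added example, not from the original article: only start patching when the
# last backup/snapshot job finished successfully and recently.
# Assumption: the backup job writes "<exit-code> <epoch-seconds>" into a marker
# file when it ends (the path and this format are hypothetical).
set -u

# backup_ok MARKER MAX_AGE_SECONDS
# Returns 0 only if the marker exists, the job exited 0 and it is not older
# than MAX_AGE_SECONDS; otherwise prints the reason to stderr and returns 1.
backup_ok() {
    local marker=$1 max_age=$2 status='' stamp='' now
    if [ ! -r "$marker" ]; then
        echo "no backup marker at $marker" >&2; return 1
    fi
    read -r status stamp < "$marker" || :
    case "$status" in ''|*[!0-9]*) echo "malformed marker: $marker" >&2; return 1;; esac
    case "$stamp"  in ''|*[!0-9]*) echo "malformed marker: $marker" >&2; return 1;; esac
    if [ "$status" -ne 0 ]; then
        echo "last backup failed with exit code $status" >&2; return 1
    fi
    now=$(date +%s)
    if [ $((now - stamp)) -gt "$max_age" ]; then
        echo "last backup is older than ${max_age}s" >&2; return 1
    fi
    return 0
}

# patch_if_backed_up MARKER MAX_AGE_SECONDS CMD [ARGS...]
# Runs CMD only when backup_ok agrees; otherwise leaves the system untouched
# and returns 1 so the skipped run shows up in the cron mail.
patch_if_backed_up() {
    local marker=$1 max_age=$2
    shift 2
    if backup_ok "$marker" "$max_age"; then
        "$@"
    else
        echo "skipping patch run: backup precondition not met" >&2
        return 1
    fi
}

# Example call from root's crontab instead of running the update script
# directly (marker path hypothetical, 86400 s = backup must be < 24 h old):
#   patch_if_backed_up /var/lib/backup/last-run 86400 /usr/local/bin/update
```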
Linux Desktop – Maximum convenience
Cron jobs are commands that are executed at a specific time or at a specific time interval. The following update script updates a Debian / Ubuntu system with Flatpaks easily and automatically.

At the same time, the script frees the system from cache and ballast that nobody needs any more.
Caution! Unlike the manufacturer’s security-only auto-updates, this script updates features too (in fact, everything).
#!/bin/bash
# Update the Debian packages, run the distro upgrade and delete everything unnecessary
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get dist-upgrade -y
# Remove packages nobody depends on any more (apt-get, not apt: apt warns that its CLI is not stable for scripts)
sudo apt-get autoremove -y
# Free the downloaded package cache
sudo apt-get clean
# Update the system-wide flatpaks, delete the leftovers
sudo flatpak update -y
sudo flatpak uninstall --unused -y
# Update the per-user (non-root) flatpaks (replace user with your user name)
sudo -u user flatpak update -y
sudo -u user flatpak uninstall --unused -y
echo "#### Update finished"
You can always run the script at the same time each day or after a reboot. In contrast to Windows, you will hardly have to deal with updates once you have set up the script, because they update themselves “magically” in the background.
su
crontab -e
Save the script as /usr/local/bin/update, make it executable, and insert in the last line:
@reboot sleep 30m && /usr/local/bin/update
Such scripts are ok in the desktop area because the damage is often limited. Scaled over several servers, the script is not recommended. Flatpaks are also more important for the Linux desktop.
Keep AppImages up to date
AppImages work very similarly to .exe files: they contain everything they need to run. Most apt packages depend on other apt packages, which apt installs as required. AppImages bundle everything themselves and are not managed through a command-line tool the way Flatpaks are.
The AppImage Pool software helps you manage and update your AppImages. AppImages have the same problem as .exe files from the Internet: the programmes do not update themselves. Once downloaded, the version stays the same forever.