7

There are some servers that have a task delegated to them. For instance, imagine a scenario where there are web servers, data servers etc. that together provide a service to a client.

Now how should I make sure the servers are up to date with new software package releases without blindly choosing an automatic update option? I may not be able to shut down a server for an update. How can I know which update will affect which running processes in the system, so that if the update affects a critical process pertaining to a service, I can deny that particular update or reschedule it for some other time?

--Edited part-- My main focus is that the running service should not be affected, while the admin PC connected on the LAN should be informed of the security updates for that service. Also, all those updates that do not affect the running service should be installed automatically.

3 Answers

4

As far as I understand your question: you want security updates automatically installed and other updates postponed until tested, and you want to know if this is called "good practice".

Well, yes. This is indeed good practice.

What you need on your ubuntu-server install is the package: unattended-upgrades

Running services will not be affected until restarted.

In the edited part of your question you changed the wishlist a bit: How to update everything except the critical running services.

This one is a bit less straightforward, but you could fix their current version so they will not be updated; read here about pinning.

thom
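The split described in the answer above (security updates installed automatically, other updates postponed, critical services held back and reported to the admin) can be sketched as a triage over the `Inst` lines printed by `apt-get -s upgrade`. This is an added example, not code from the answer; the `CRITICAL` package list and all sample lines and versions are constructed for illustration.

```shell
#!/bin/sh
# Added example. CRITICAL is a hypothetical list of packages behind the running service.
CRITICAL="nginx postgresql-12"

# Reads "Inst ..." lines (apt-get -s upgrade format) on stdin and prints
# "<class> <package> <new-version>" for each pending upgrade:
#   AUTO             security update, not critical: candidate for unattended-upgrades
#   NOTIFY           touches a critical package: report to the admin, keep it pinned
#   NOTIFY-SECURITY  same, and the update comes from a security pocket
#   DEFER            non-security update: postpone until tested
triage() {
    awk -v critical="$CRITICAL" '
        BEGIN { n = split(critical, c, " "); for (i = 1; i <= n; i++) crit[c[i]] = 1 }
        $1 == "Inst" {
            pkg = $2; ver = "?"; src = ""
            # The candidate version is the first token inside the parentheses;
            # the origin list follows it. Only the origin is checked for
            # "-security", so a package *named* ...-security... is not misread.
            if (match($0, /\([^ )]+/)) {
                ver = substr($0, RSTART + 1, RLENGTH - 1)
                src = substr($0, RSTART + RLENGTH)
            }
            security = (src ~ /-security/)
            if (pkg in crit) { cls = security ? "NOTIFY-SECURITY" : "NOTIFY" }
            else if (security) { cls = "AUTO" }
            else { cls = "DEFER" }
            print cls, pkg, ver
        }'
}

# Constructed sample of simulated apt output (not captured from a real host).
sample_output() {
cat <<'EOF'
Inst libssl1.1 [1.1.1f-1ubuntu2.19] (1.1.1f-1ubuntu2.20 Ubuntu:20.04/focal-security [amd64])
Inst nginx [1.18.0-0ubuntu1.3] (1.18.0-0ubuntu1.4 Ubuntu:20.04/focal-security [all])
Inst htop [2.2.0-2build1] (2.2.0-3 Ubuntu:20.04/focal-updates [amd64])
Inst libapache2-mod-security2 [2.9.3-1] (2.9.3-2 Ubuntu:20.04/focal-updates [amd64])
Conf libssl1.1 (1.1.1f-1ubuntu2.20 Ubuntu:20.04/focal-security [amd64])
EOF
}

sample_output | triage
```

On a real host the input would come from `apt-get -s upgrade | triage`, and the NOTIFY lines are what would be mailed to the admin machine.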
2

If your server is that critical and can never be shut down for a few seconds to reboot (for a VM) or something around 1-2 minutes for a normal server, it should be redundant (at least to avoid hardware or connection failures, for example) and you redirect services to other machines while you are rebooting. If this is not the case, you should modify this, because it is the result of bad planning and you are offering something you don't have (100% availability).

If delaying the reboot to when the service is not used is an option, you can easily do the update and schedule the reboot with cron, with sleep / reboot in a screen session, SSHing into the server at the defined time, or using the way you may prefer.

laurent
0

Vivek, if skipping updates is not an option, how about remotely accessing the server overnight and running the update? I work in a very busy environment and I schedule all my updates at 3 am. I SSH to the server and upgrade the package needed.

SPeedY