7

There are some servers that have a task delegated to them. For instance, imagine a scenario where there are web servers, data servers etc. that together provide a service to a client.

Now how should I make sure the servers are up to date with new software package releases without blindly choosing an automatic update option? I may not be able to shut down a server for an update. How can I know which update will affect which running processes in the system, so that if the update affects a critical process pertaining to a service, I can deny that particular update or re-schedule it for some other time?

--Edited part-- My main focus is that the running service should not be affected, while the security updates for that service should be reported to the admin PC connected to the LAN. Also, all those updates that do not affect the running service should be installed automatically.

  • See also : http://askubuntu.com/questions/9/how-do-i-enable-automatic-updates – Panther Feb 19 '13 at 19:06
  • The only thing you need to reboot for is a kernel update, to upgrade to a new kernel. So you can update without rebooting. With that said, server side, updates are few and far between, especially with an LTS release, and I personally review the information before updating. – Panther Feb 19 '13 at 19:08
  • What about updates to already installed packages? Actually I am concerned about stopping processes/daemons that are providing service to the client. I really can't restart the process or stop it for updating. How to go about it? – Vivek Sethi Feb 19 '13 at 19:16
  • Depends on the service, it will briefly stop and restart while updating. If that is unacceptable either schedule down time to upgrade (my advice, probably industry standard) or skip updates. – Panther Feb 19 '13 at 19:18
  • Skipping updates is not an option, and neither is stopping the process. I may re-schedule it to some convenient time provided I know that such an update would affect a running process which is involved in providing the service to the client. – Vivek Sethi Feb 19 '13 at 19:23
  • "Skipping updates is not an option, and neither is stopping the process." sounds unrealistic to me, I would never enter into such a contract. Good luck. – Panther Feb 19 '13 at 19:39
  • So, is there no way of getting to know which running processes will be affected on upgrading a particular package? – Vivek Sethi Feb 19 '13 at 19:44
  • Review the update and see what services are due to be updated. – Panther Feb 19 '13 at 19:50
  • Can I automate it somehow? – Vivek Sethi Feb 21 '13 at 09:39
  • See the links I gave you (the second one). – Panther Feb 21 '13 at 13:24
  • I haven't used it myself, but have heard Ksplice mentioned on a podcast and it seems interesting for your use case - see http://www.ksplice.com/ – Clive van Hilten Feb 26 '13 at 20:34
  • @ClivevanHilten: Thank you for your response. I read about Ksplice. It's for dynamic software update. That's a more tricky business. I am more sort of looking for postponing the updates for the running applications. – Vivek Sethi Mar 05 '13 at 16:08
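The question the comment thread keeps returning to is "which running processes would a given package upgrade touch?", and the same data answers the follow-up "which processes are still running old code after an upgrade?". The script below is an added example, not code from anyone in this thread. It intersects a package's file list (what `dpkg -L` prints) with the executable and file-backed mappings of every process in `/proc`, and reports processes whose mapped files show as `(deleted)`, which is how a replaced library or binary appears until the process restarts. It assumes an Ubuntu host with `dpkg`, `apt-get` and `/proc`, and root so that every `/proc/PID/maps` is readable; the function names (`live_procmap`, `affected_pids`, `stale_pids`, `check_upgrade`, `demo`) and the demo data are my own.

```shell
#!/bin/sh
# Added example: map an apt upgrade onto the processes it would affect.
# Assumes Ubuntu with dpkg/apt-get and a readable /proc (run as root).
# Nothing here changes the system; apt is only asked to simulate (-s).

# Emit "PID<TAB>PATH" for the executable and every file-backed mapping
# of each process. Column 6 of /proc/PID/maps is the backing file.
live_procmap() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        printf '%s\t%s\n' "$pid" "${exe% (deleted)}"
        awk -v pid="$pid" 'NF >= 6 && $6 ~ /^\// { print pid "\t" $6 }' "$p/maps" 2>/dev/null
    done | sort -u
}

# affected_pids PKGFILES PROCMAP: PIDs (sorted, unique) that use at least one
# path listed in PKGFILES (one path per line, the format dpkg -L prints).
affected_pids() {
    awk -F'\t' 'NR == FNR { owned[$0] = 1; next } ($2 in owned) { print $1 }' "$1" "$2" | sort -un
}

# stale_pids: PIDs still running code from a file that has been replaced on
# disk since they started (the mapping is marked "(deleted)"). These need a
# restart to pick up an update. memfd/tmpfs mappings also show "(deleted)",
# so treat the list as candidates to review, not as proof.
stale_pids() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        if awk 'NF >= 7 && $6 ~ /^\// && $7 == "(deleted)" { found = 1 } END { exit !found }' \
            "$p/maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# check_upgrade PROCMAP: for every package apt would upgrade right now,
# report the running PIDs that use one of its files.
check_upgrade() {
    procmap=$1
    tmp=$(mktemp)
    apt-get -s upgrade 2>/dev/null | awk '/^Inst / { print $2 }' | while read -r pkg; do
        dpkg -L "$pkg" > "$tmp" 2>/dev/null || continue
        pids=$(affected_pids "$tmp" "$procmap" | tr '\n' ' ')
        if [ -n "$pids" ]; then
            printf '%s affects running PIDs: %s\n' "$pkg" "$pids"
        fi
    done
    rm -f "$tmp"
}

# demo: constructed data standing in for `dpkg -L libssl1.1` and live_procmap,
# so the matching logic can be exercised on any machine. Prints 1234.
demo() {
    pkg=$(mktemp); proc=$(mktemp)
    printf '%s\n' /usr/lib/x86_64-linux-gnu/libssl.so.1.1 \
                  /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1 > "$pkg"
    printf '%s\t%s\n' 1234 /usr/sbin/nginx \
                      1234 /usr/lib/x86_64-linux-gnu/libssl.so.1.1 \
                      4321 /usr/bin/python3 \
                      4321 /usr/lib/x86_64-linux-gnu/libc.so.6 > "$proc"
    affected_pids "$pkg" "$proc"
    rm -f "$pkg" "$proc"
}

case "${1:-}" in
    --live) procmap=$(mktemp); live_procmap > "$procmap"; check_upgrade "$procmap"; rm -f "$procmap" ;;
    --demo) demo ;;
esac
```

Run it with `--live` before an upgrade window to see which daemons a pending upgrade would reach, and run `stale_pids` afterwards to see which ones are still on old code; that second check is the same idea the `checkrestart` and `needrestart` tools automate. A process that maps a package's library but is not restarted keeps running the old, possibly vulnerable code, so "the service was not interrupted" and "the service is patched" are two different statements.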

3 Answers

4

As far as I understand your question: you want security updates automatically installed and other updates postponed until tested, and you want to know if this is called "good practice".

Well, yes. This is indeed good practice.

What you need on your ubuntu-server install is the package: unattended-upgrades

Running services will not be affected until restarted.

In the edited part of your question you changed the wishlist a bit: How to update everything except the critical running services.

This one is a bit less straightforward, but you could fix their current version so they will not be updated; read here about pinning.

thom
  • 7,542
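The policy this answer describes (security updates applied automatically, the admin notified, the packages behind the critical service frozen at their installed version) is a handful of apt configuration files. The script below is an added example and not thom's own code; it renders those files with `unattended-upgrades` directives that exist in the package (`Allowed-Origins`, `Package-Blacklist`, `Mail`, `Automatic-Reboot`) and an apt preferences pin at priority 1001, which keeps the installed version in place. It assumes the `unattended-upgrades` package is installed, uses the current `${distro_id}:${distro_codename}-security` origin syntax, and the function names plus the `52unattended-upgrades-local` and `hold-critical` file names are my choices. `ROOT` lets you render the files into a scratch directory for review before touching `/etc`.

```shell
#!/bin/sh
# Added example: render the apt/unattended-upgrades policy from the answer.
# Usage: ROOT=/tmp/review sh policy.sh nginx postgresql   (review)
#        sh policy.sh nginx postgresql                     (as root, applies to /)

# render_unattended CRITICAL_PKGS...: apt.conf snippet for unattended-upgrades.
# Only the security pocket is allowed; critical packages are blacklisted so the
# daily run never touches them; root gets a mail for every run that changes
# something; the host is never rebooted automatically.
render_unattended() {
    printf 'Unattended-Upgrade::Allowed-Origins {\n'
    printf '    "${distro_id}:${distro_codename}-security";\n'
    printf '};\n'
    printf 'Unattended-Upgrade::Package-Blacklist {\n'
    for pkg in "$@"; do printf '    "%s";\n' "$pkg"; done
    printf '};\n'
    printf 'Unattended-Upgrade::Mail "root";\n'
    printf 'Unattended-Upgrade::Automatic-Reboot "false";\n'
}

# render_pin PKG VERSION: apt preferences stanza. A priority above 1000 makes
# apt keep exactly VERSION, so neither apt-get upgrade nor unattended-upgrades
# will move the package until the pin is removed.
render_pin() {
    printf 'Package: %s\nPin: version %s\nPin-Priority: 1001\n\n' "$1" "$2"
}

# installed_version PKG: the version dpkg has installed (empty if none).
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# apply ROOT CRITICAL_PKGS...: write the three policy files under ROOT/etc/apt.
apply() {
    root=$1; shift
    mkdir -p "$root/etc/apt/apt.conf.d" "$root/etc/apt/preferences.d"
    # Daily periodic run: refresh package lists, then run unattended-upgrade.
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' \
        > "$root/etc/apt/apt.conf.d/20auto-upgrades"
    render_unattended "$@" > "$root/etc/apt/apt.conf.d/52unattended-upgrades-local"
    : > "$root/etc/apt/preferences.d/hold-critical"
    for pkg in "$@"; do
        ver=$(installed_version "$pkg")
        if [ -n "$ver" ]; then
            render_pin "$pkg" "$ver" >> "$root/etc/apt/preferences.d/hold-critical"
        fi
    done
}

if [ $# -gt 0 ]; then
    apply "${ROOT:-/}" "$@"
fi
```

After applying, `apt-cache policy nginx` should show the pinned version with priority 1001, and `unattended-upgrades --dry-run --debug` lists what the next run would install without installing it. The pin is deliberately a hard stop: the security mail from `unattended-upgrades` is how the admin learns that a held package has a pending security fix, and the pin is what keeps that fix from being applied until a maintenance window is scheduled. `apt-mark hold PKG` is the simpler one-command alternative to the preferences file and is honoured by `unattended-upgrades` as well.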
2

If your server is that critical and can never be shut down for a few seconds to reboot (for a VM) or something around 1-2 minutes for a normal server, it should be redundant (at least to avoid hardware or connection failures, for example) and you redirect services to other machines while you are rebooting. If this is not the case, you should change this, because it is the result of bad planning and you are offering something you don't have (100% availability).

If delaying the reboot to when the service is not used is an option, you can easily do the update and schedule the reboot with cron, with sleep / reboot in a screen session, by SSHing into the server at the defined time, or using whichever way you prefer.

laurent
  • 6,779
0

Vivek, if skipping updates is not an option, how about remotely accessing the server overnight and running the update? I work in a very busy environment and I schedule all my updates at 3 am. I SSH to the server and upgrade the package needed.

SPeedY
  • 41
  • Actually I am more sort of looking for automating the entire thing. Plus, at certain peak times the server can't be stopped for even a single second for weeks. – Vivek Sethi Mar 05 '13 at 16:10
  • If it needs to be instantaneous, create a second VM based on the first, do the upgrades on the second, then swap the load balancer network IP from the first one to the new one. Finally, decommission the first. – Tom Anderson Aug 10 '22 at 06:17