this post was submitted on 27 Oct 2024
54 points (96.6% liked)

technology

23330 readers
14 users here now

On the road to fully automated luxury gay space communism.

Spreading Linux propaganda since 2020

Rules:

founded 4 years ago
MODERATORS
 

Specifically, a dedicated server running Debian 12.

After a monthly sudo apt upgrade? (Is a monthly upgrade even necessary?)

Never? (unless there is a security update?)

Edit: I may be missing kernel upgrades. Those are probably good... I can't remember if I installed a LTS kernel. I imagine it would be unsecure to post an exact kernel version, however.

all 50 comments
sorted by: hot top controversial new old
[–] [email protected] 16 points 1 month ago (1 children)

When the web app stops responding

[–] [email protected] 14 points 1 month ago* (last edited 1 month ago)

I usually just restart it with systemd.

Edit: Initial D should be a nickname for the systemd init system.

[–] [email protected] 13 points 1 month ago (1 children)

I just go to the lil power strip and flick the the lil removed power button when I go to bed, then flick it back on when I wake up. It keeps the kids off the Wifis when we're supposed to be sleeping.

I was the "tech guy manager" for my regional office, for a major telecommunications company, for a non-trivial amount of time. Meritocracy in action, folks. kris-dance

[–] [email protected] 8 points 1 month ago

I like your style.

[–] [email protected] 13 points 1 month ago (1 children)

when htop shows an exclamation point

[–] [email protected] 11 points 1 month ago (1 children)

(that's after around 100 days IIRC)

[–] [email protected] 6 points 1 month ago

It's exactly around 100 days.

[–] [email protected] 13 points 1 month ago* (last edited 1 month ago) (1 children)

A lot of times I'll run apt-get update / apt-get upgrade on my server and there will be no updates to install. I only reboot if there is a new kernel or something. Otherwise, I can just restart whichever services are directly impacted by the updates.

Debian Stable is a rock. Nothing ever changes. I do recommend subscribing to the debian-announce and debian-security-announce mailing lists though.

[–] [email protected] 6 points 1 month ago

Nothing ever happens (in Debian).

[–] [email protected] 10 points 1 month ago (1 children)
[–] [email protected] 8 points 1 month ago (1 children)

It depends on what you're hosting.

If this is a big site that experiences a lot of traffic, You should already have more than a single Web server anyway. If this is a website for a school or an organization, You really should have a load balancer and a couple web notes. In that situation upgrading and rebooting, draining traffic and bringing it back in, is fairly trivial.

If this is a home server, where you're the only real user, just reboot it.

Some distros like Ubuntu are better about fixing the security issues without requiring rebooting, but if it's a home web server the uptime is really not important.

[–] [email protected] 8 points 1 month ago* (last edited 1 month ago) (2 children)

Video. About 450 registered users. Maybe a couple dozen daily active; I haven't yet setup the monitoring tools to know exactly.

What's a web note?

[–] [email protected] 2 points 1 month ago (1 children)
[–] [email protected] 1 points 1 month ago

Might have meant “nodes”?

[–] [email protected] 8 points 1 month ago (1 children)

If there's a serious security bug, like Heartbleed, you should totally update and reboot the service. That is basically the only "must" for staying atop things. The rest is mostly personal preference.

In my job I maintain publically exposed Linux servers, and many of them don't get rebooted for years. I think our record is about five years.

Yes, if you want your server to be theoretically the rootinest tootinest securest setup ever, you should update about every 6 hours, but even then you're just more vulnerable to repo attacks (which have happened a few times lately). Apt upgrade every month or three is probably good practice to keep on top of bugs.

So really, how frequently do you need to reboot? Eh. So long as it works, there are no critical kernel vulnerabilities, and updates are available, I really would argue you should never "have" to.

Servers are horses for courses, if you're being heavily targeted by hackers, obviously stay on top of updates, but if your server is pootling along without harassment and doesn't contain life-altering stuff if it got leaked, then don't worry too much. A standard, barely-changing, 'stable' build is usually a very secure one.

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago)

Thanks! Very informative.

[–] [email protected] 8 points 1 month ago (1 children)

are you able to move production traffic onto a different webserver?

[–] [email protected] 8 points 1 month ago (1 children)

Like a load balanced situation? Unfortunately, no. The app supports only a single server setup.

[–] [email protected] 5 points 1 month ago (1 children)

Not necessarily load balanced I suppose but say spinning up a new server and switching over using dns or something could work too. Then you keep both running while the first one drains. If thats not possible idk probably put up a notice on your site and do it at like 2am on a weekday

[–] [email protected] 5 points 1 month ago (2 children)

I could do that, but the server reboots faster than DNS records can update.

[–] [email protected] 5 points 1 month ago

The high availability dilemma. Hardly ever need that hot spare. If 0 downtime isn't a requirement w/e

[–] [email protected] 5 points 1 month ago (1 children)

Sure but its less disruptive

[–] [email protected] 4 points 1 month ago* (last edited 1 month ago)

Less dread that it won't come back online. meow-knit

[–] [email protected] 6 points 1 month ago* (last edited 1 month ago) (1 children)

I only really restart if there's a kernel update because I'm too lazy to do all the setup for live patching. If there's an update for something like Nginx, I restart the service after updating it. I try to stay on top of updates, especially security ones for obvious reasons.

server: nginx/1.22.1

I also personally disable this, it's not really too important, but it's a little security by obscurity thing. Makes people scanning the internet for a specific (possibly vulnerable) version of Nginx a little bit harder.

[–] [email protected] 3 points 1 month ago
[–] [email protected] 5 points 1 month ago

On every kernel upgrade

[–] [email protected] 5 points 1 month ago (1 children)

bring back old forums that had a weekly scheduled reboot that was always the same but you would always forget about and panic for 10 seconds and be about to email the webmaster before remembering

[–] [email protected] 4 points 1 month ago (1 children)

(ok it was more about reindexing sql databases than updating the actual server kernel)

[–] [email protected] 4 points 1 month ago

Maintenance is maintenance.

[–] [email protected] 5 points 1 month ago

It really depends. I've seen servers that reboot every 24 hours as well as servers that are constantly up. I would say to reboot every kernel or systemd upgrade

[–] [email protected] 5 points 1 month ago

I just do it whenever my package manager says to do it after the monthly sudo apt upgrade. Which is most months, but sometimes it doesn't, so I don't.

Ten minutes of downtime a month isn't a big deal.

[–] [email protected] 3 points 1 month ago

I restart mine (at least) when I upgrade to a new release, so when Debian 13 comes out I'll give them a reboot there.

[–] [email protected] 3 points 1 month ago (1 children)

You should upgrade for security updates every six hours and reboot on every kernel upgrade

[–] [email protected] 3 points 1 month ago (2 children)

So you have cron handle your reboots?

[–] [email protected] 3 points 1 month ago (1 children)

I use unattended-upgrades on Debian to upgrade and reboot when necessary.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago) (1 children)

is that safe? ever had issues with updating production automatically?

[–] [email protected] 2 points 1 month ago

I never had any issues with that

[–] [email protected] 3 points 1 month ago

whenever theres a kernel update

[–] [email protected] 2 points 1 month ago (6 children)

Some packages managers, including Debian APT, create a /var/run/reboot-requiredfile when an upgrade requires a reboot (like a kernel upgrade). If you have other reasons to reboot, it's up to you to find the best interval between reboots.

load more comments (6 replies)
[–] [email protected] 1 points 1 month ago

are you able to move production traffic onto a different webserver?