Roots Discourse

Is it safe to update remote server packages?

Hi there,

Simple question;
I’ve got an email from my VPS provider regarding the Intel bug and that they will update their servers and that I will have to do that myself too.

If I ssh into the remote server it says:

296 packages can be updated.
131 updates are security updates.

Is it safe to update those packages without breaking any of the packages installed when provisioning withTrellis?

Thanks!

Sorry, I just found this topic where @swalkinshaw states :

But I’m not sure if this will be handled when re-provisioning the remote server? Or only when you first update Trellis and then re-provision?

At this point I don’t have a staging server anymore of this particular project to test things first…

For Spectre and Meltdown bugs, I believe you only need to update the Linux kernel. Hopefully you can avoid all those package updates. That’s literally just updating every single installed package.

Try https://askubuntu.com/a/236458

Ok thanks, I ended up running this command:
sudo unattended-upgrades -d

Like suggested here: https://askubuntu.com/a/412
This took a few minutes, but it finished successfully.

After that the Ubuntu System information displayed the message:
*** System restart required ***
so I rebooted with sudo reboot and now it only shows 1 security update :grinning:

199 packages can be updated.
1 update is a security update.
2 Likes

Interesting. Never even knew about unattended-upgrades.

What does uname -r return for you now?

It returns: 4.4.0-21-generic

1 Like

So updating our many, many VPSes to mitigate for Meltdown and Spectre is on my plate today. We use Digital Ocean as our provider, and all of our VPS are provisioned with Trellis.

I’m not as good as I should be about keeping my VPSes updated, so the number of updates varied between servers, but the gist is the same.

DO has an article about Meltdown and Spectre here, which will be updated as more news and patches become available.


Following this article, here’s what I did:

  1. SSHed to my server
$ ssh web@example.com
  1. Switch to “admin” user (enter password from trellis/group_vars/production/vault.yml when prompted)
$ su admin
  1. Update apt cache and perform a dist-upgrade
$ sudo apt-get update
$ sudo apt-get dist-upgrade
  1. Wait a while for the updates to run. A few of my servers prompted when a local file (menu.lst) was modified. I chose the default to keep the modified version; I did NOT overwrite with the package maintainer’s version.

  2. Reboot

$ sudo reboot
  1. SSH back into the server (see step 1) and check the kernel version
$ uname -r

According to Digital Ocean, Ubuntu kernel version 4.4.0-109-generic is what you want to see here. If you see that, everything went great. Check that there are no errors on your site, and move on to the next server.


This has been my process and it’s worked so far. I have about 30 more droplets to update; wish me luck!

4 Likes

Why can’t you directly SSH to your server with:
ssh admin@mydomain.com?

1 Like

Habit?

No good reason, actually.

@MWDelaney prompted me to look into this more.

There’s nothing necessarily wrong with dist-upgrade , but I think it will apply more than just security updates. So the safest for now might still be unattended-upgrades -d as mentioned in Is it safe to update remote server packages?.

I figured out something even better though: unattended-upgrades wil automatically keep your server up to date with security upgrades.

Considering how bad we all are keeping up with server maintenance, this is probably a good thing to do. We should look into enabling it in Trellis by default. It can even email you about updates.

3 Likes

That’s what I read too yes! Not sure if you had to set a cron job for this though?

Apparently it manages itself so you shouldn’t need to do anything further with cron.

Enabling unattended-upgrades by default in trellis would be an excellent call I think.

4 Likes

Is anyone able to confirm if this was implemented in trellis?