Simple question;
I’ve got an email from my VPS provider regarding the Intel bug and that they will update their servers and that I will have to do that myself too.
If I ssh into the remote server it says:
296 packages can be updated.
131 updates are security updates.
Is it safe to update those packages without breaking any of the packages installed when provisioning with Trellis?
For Spectre and Meltdown bugs, I believe you only need to update the Linux kernel. Hopefully you can avoid all those package updates. That’s literally just updating every single installed package.
After that the Ubuntu System information displayed the message: *** System restart required ***
So I rebooted with sudo reboot, and now it only shows 1 security update:
199 packages can be updated.
1 update is a security update.
So updating our many, many VPSes to mitigate for Meltdown and Spectre is on my plate today. We use Digital Ocean as our provider, and all of our VPS are provisioned with Trellis.
I’m not as good as I should be about keeping my VPSes updated, so the number of updates varied between servers, but the gist is the same.
Switch to “admin” user (enter password from trellis/group_vars/production/vault.yml when prompted)
$ su admin
Update apt cache and perform a dist-upgrade
$ sudo apt-get update
$ sudo apt-get dist-upgrade
Wait a while for the updates to run. A few of my servers prompted when a local file (menu.lst) was modified. I chose the default to keep the modified version; I did NOT overwrite with the package maintainer’s version.
Reboot
$ sudo reboot
SSH back into the server (see step 1) and check the kernel version
$ uname -r
According to Digital Ocean, Ubuntu kernel version 4.4.0-109-generic is what you want to see here. If you see that, everything went great. Check that there are no errors on your site, and move on to the next server.
This has been my process and it’s worked so far. I have about 30 more droplets to update; wish me luck!
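A per-droplet verification script for the last step above, added here as an example and not code from any post in the thread. It assumes the 4.4.0-109-generic kernel quoted from Digital Ocean as the minimum and Ubuntu's /var/run/reboot-required marker for a pending restart; run it on each server after the dist-upgrade and reboot.

```shell
#!/bin/sh
# Post-update check for one Trellis-provisioned Ubuntu droplet.
# Added example, not from the thread. Assumptions: the expected kernel
# 4.4.0-109-generic is the value quoted from Digital Ocean above, and
# /var/run/reboot-required is Ubuntu's "restart required" marker file.
set -u

EXPECTED_KERNEL="${EXPECTED_KERNEL:-4.4.0-109-generic}"
REBOOT_MARKER="${REBOOT_MARKER:-/var/run/reboot-required}"

# "4.4.0-109-generic" -> "4 4 0 109": flavour suffix dropped, separators
# turned into spaces so the fields can be compared numerically.
kernel_fields() {
  printf '%s' "$1" | sed 's/-[a-z]*$//; s/[.-]/ /g'
}

# Exit 0 when kernel release $1 is at least as new as release $2.
# Plain POSIX sh so it runs anywhere; on the host itself
# `dpkg --compare-versions` is the canonical tool for this.
kernel_at_least() {
  _have=$(kernel_fields "$1"); _want=$(kernel_fields "$2")
  set -- $_have; h1=${1:-0}; h2=${2:-0}; h3=${3:-0}; h4=${4:-0}
  set -- $_want; w1=${1:-0}; w2=${2:-0}; w3=${3:-0}; w4=${4:-0}
  for pair in "$h1 $w1" "$h2 $w2" "$h3 $w3" "$h4 $w4"; do
    set -- $pair
    [ "$1" -gt "$2" ] && return 0   # newer in this field: good enough
    [ "$1" -lt "$2" ] && return 1   # older in this field: not patched
  done
  return 0                          # identical release
}

# True when a package upgrade (typically the kernel) still needs a reboot.
needs_reboot() { [ -f "$REBOOT_MARKER" ]; }

# Verdict for this host: 0 = patched kernel running and no reboot pending.
check_host() {
  running=$(uname -r)
  if ! kernel_at_least "$running" "$EXPECTED_KERNEL"; then
    echo "FAIL: running $running, expected at least $EXPECTED_KERNEL" >&2
    return 1
  fi
  if needs_reboot; then
    echo "FAIL: $REBOOT_MARKER exists, reboot and re-run" >&2
    return 2
  fi
  echo "OK: running $running, no reboot pending"
}

# Run the check only when invoked as "sh check-kernel.sh run";
# sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then check_host; fi
```

A non-zero exit means the server is not done: either the old kernel is still running or the reboot step was skipped.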
There’s nothing necessarily wrong with dist-upgrade, but I think it will apply more than just security updates. So the safest for now might still be unattended-upgrades -d as mentioned in Is it safe to update remote server packages?.
I figured out something even better though: unattended-upgrades will automatically keep your server up to date with security upgrades.
Considering how bad we all are keeping up with server maintenance, this is probably a good thing to do. We should look into enabling it in Trellis by default. It can even email you about updates.