Switch to “admin” user (enter password from trellis/group_vars/production/vault.yml when prompted)
$ su admin
Update apt cache and perform a dist-upgrade
$ sudo apt-get update
$ sudo apt-get dist-upgrade
Wait a while for the updates to run. A few of my servers prompted when a local file (menu.lst) was modified. I chose the default to keep the modified version; I did NOT overwrite with the package maintainer’s version.
$ sudo reboot
SSH back into the server (see step 1) and check the kernel version
$ uname -r
According to Digital Ocean, Ubuntu kernel version 4.4.0-109-generic is what you want to see here. If you see that, everything went great. Check that there are no errors on your site, and move on to the next server.
This has been my process and it’s worked so far. I have about 30 more droplets to update; wish me luck!
There’s nothing necessarily wrong with dist-upgrade , but I think it will apply more than just security updates. So the safest for now might still be unattended-upgrades -d as mentioned in Is it safe to update remote server packages?.
I figured out something even better though: unattended-upgrades wil automatically keep your server up to date with security upgrades.
Considering how bad we all are keeping up with server maintenance, this is probably a good thing to do. We should look into enabling it in Trellis by default. It can even email you about updates.