Keeping kernel and system packages up to date without rebooting
Prompted from a post in another discussion: is there some tool that can keep both the kernel and other system packages up to date without requiring a reboot at each update? Or is the kernel the only thing that can be updated this way? Also is Kernelcare the best option? How does the Canonical version compare if I use Ubuntu? I have used Kernelcare a few years ago but not the Ubuntu one. Any other options?
Thanks
Comments
I remember ksplice being mentioned quite a lot a couple years back but I am not sure where that product stands these days. I know that KernelCare has support for a lot more distributions.
Interestingly, it appears KernelCare has re-branded and is now known as TuxCare. It appears to cover more than just the kernel too. I see a new "libcare" section has been added: https://patches.kernelcare.com/?type=libcare&feed= which looks to cover the kernel, glibc and openssl.
Kernelcare+Libcare looks nice. ksplice seems to only support Oracle Linux.
Son, why you hate to reboot?
Just to reduce downtime
Why you get downtime? No load balancing?
This is just for apps for personal use. For serious stuff we use Google Cloud with all the redundancy we can of course.
Personal stuff is not "critical" but I like to minimize downtime anyway.
O. Nice to reboot personal stuff tho. Keep fresh. Howay the lads.
One nice thing about rebooting is showing that the system can reboot if, for example, there is a power outage.
My host boxes run Ubuntu so I rely on Canonical Livepatch and unattended-upgrade. Restarting processes for new libraries is based on suggestions and prompts from needrestart; sure, there'll be some small downtime when services restart, but it's no biggie compared to a full reboot.
I have found Livepatch and unattended-upgrade to be an efficient pair. The last few times I caught wind of a security vulnerability (some kernel, one in a package) it turned out that the system had taken care of it by itself. Livepatch inserts kernel patches whenever there is a security patch and unattended-upgrade will apply package security patches by itself.
You will still need some manual attention (restarting things with needrestart, applying non-security package upgrades), but generally this setup will keep you a whole bunch safer than without them and the majority of security threats are handled without intervention or reboot. Always stay vigilant however.
You should also pair this with service monitoring. In cases where a security patch causes a service to go down I would rather have it go down than be insecure, but I would also like to know it's down so I can bring it up ASAP. This is the pitfall of automating things; in the past 2 years I've been doing this it's happened once.
I reboot occasionally, but usually only when it's absolutely necessary and can't be done without a reboot. On a new server, or after making major configuration changes that might impact the ability to reboot, I may end up doing one reboot to validate the configuration doesn't break before leaving it up for a long time.
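The monitoring point in the post above (know whether the machine still needs a service restart or a real reboot after unattended-upgrades has run) can be scripted. The following is an added example for this thread, not any poster's script: it turns `needrestart -b` and `canonical-livepatch status` output into a single verdict that a cron mail or monitoring check can act on. The field names it relies on are assumptions about those tools' output formats (needrestart's batch-mode NEEDRESTART-KSTA / NEEDRESTART-SVC lines and Livepatch's "patch state:" / "patchState:" line), and the sample outputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Post-upgrade check for the Livepatch + unattended-upgrades + needrestart setup.
# Added example, not from any poster in this thread.
#
# Assumed formats (not confirmed by the thread):
#   - `needrestart -b` prints NEEDRESTART-KSTA: <n> with 1 = running kernel is
#     current, 2 = ABI-compatible kernel upgrade pending, 3 = kernel version
#     upgrade pending, and one NEEDRESTART-SVC: <unit> line per service that
#     should be restarted.
#   - `canonical-livepatch status` reports an applied patch as either
#     "patchState: applied" (older client) or a "patch state:" line that says
#     "all applicable livepatch modules inserted" (newer client).

# Services needrestart wants restarted, one unit per line.
services_to_restart() {
    printf '%s\n' "$1" | awk '/^NEEDRESTART-SVC:/ { print $2 }'
}

# Kernel state from needrestart; 0 when the line is missing (unknown).
kernel_state() {
    printf '%s\n' "$1" | awk 'BEGIN { k = 0 } /^NEEDRESTART-KSTA:/ { k = $2 } END { print k }'
}

# True (exit 0) when Livepatch reports a patch applied to the running kernel.
livepatch_active() {
    printf '%s\n' "$1" | grep -Eq 'patchState: applied|^patch state:.*all applicable'
}

# Verdict: ok | restart-services | reboot-deferred | reboot
#   reboot-deferred: a newer kernel is installed, but Livepatch is patching the
#   running one, so the reboot can wait for a maintenance window.
#   reboot: newer kernel installed and no live patching, so the running kernel
#   is the vulnerable one until you reboot.
post_upgrade_verdict() {
    nr_out=$1
    lp_out=$2
    k=$(kernel_state "$nr_out")
    nsvc=$(services_to_restart "$nr_out" | awk 'END { print NR }')
    if [ "$k" -ge 2 ]; then
        if livepatch_active "$lp_out"; then echo reboot-deferred; else echo reboot; fi
    elif [ "$nsvc" -gt 0 ]; then
        echo restart-services
    else
        echo ok
    fi
}

# Constructed sample outputs (not real captures) so this runs offline.
NR_PENDING='NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.15.0-60-generic
NEEDRESTART-KEXP: 5.15.0-67-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: cron.service
NEEDRESTART-SVC: ssh.service'

NR_SVC_ONLY='NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.15.0-67-generic
NEEDRESTART-KEXP: 5.15.0-67-generic
NEEDRESTART-KSTA: 1
NEEDRESTART-SVC: nginx.service'

NR_CLEAN='NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.15.0-67-generic
NEEDRESTART-KEXP: 5.15.0-67-generic
NEEDRESTART-KSTA: 1'

LP_APPLIED='kernel: 5.15.0-60.66-generic
patch state: all applicable livepatch modules inserted
tier: updates (Free usage; This machine beta tests new patches.)'

LP_NONE='Machine is not enabled. (constructed sample)'

# `sh check.sh --live` reads the real tools instead (needrestart needs root);
# with no argument it walks the constructed samples.
if [ "${1:-}" = "--live" ]; then
    nr=$(needrestart -b 2>/dev/null)
    lp=$(canonical-livepatch status 2>/dev/null)
    echo "verdict: $(post_upgrade_verdict "$nr" "$lp")"
    services_to_restart "$nr"
else
    echo "pending kernel + Livepatch: $(post_upgrade_verdict "$NR_PENDING" "$LP_APPLIED")"
    echo "pending kernel, no Livepatch: $(post_upgrade_verdict "$NR_PENDING" "$LP_NONE")"
    echo "services only: $(post_upgrade_verdict "$NR_SVC_ONLY" "$LP_NONE")"
    echo "nothing pending: $(post_upgrade_verdict "$NR_CLEAN" "$LP_APPLIED")"
fi
```

The verdict string is meant to be the only thing a monitoring check needs: anything other than "ok" is a ticket, "reboot" is the one that should not sit in the queue, and "restart-services" is the case the post describes where needrestart is the prompt and a short service blip is the price.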
On the Canonical website it says "Livepatch is included in Ubuntu Pro and Ubuntu Advantage." - so is it not available with regular Ubuntu?
Thanks for mentioning unattended-upgrades! I used to use it ages ago before I moved everything to Kubernetes stuff. Only recently I have started to use old fashioned server setups for my personal stuff and I had forgotten several things.
Ubuntu Advantage is free for personal use on up to 3 devices. You need to sign up on the website and use your token to activate it.
Awesome, thanks for mentioning it! I guess I can avoid buying Kernelcare then
A controlled reboot does not simulate a power failure at all and this is kind of false confidence.
If uptime becomes that important and you are calling a reboot a downtime, then you will most likely need some kind of high availability cluster or hot standby system as there are many other possible incidents that will impact your uptime much more than a quick reboot.
Depending on your use case, syncing data between two similar servers is not necessarily rocket science. MySQL/MariaDB comes with native multi-master capabilities and filesystems can be synchronized with tools like unison.
Then you can simply let your DNS records point to one or the other (or both) systems.
For scheduled maintenance like kernel upgrades and reboots you can start lowering the TTL of your DNS records upfront to ensure a predictable failover.
Don't know how difficult this might sound for you, but for me this is much easier than live kernel patching and especially reduces other risks as well.
The free version of Livepatch gets beta patches.
If you run canonical-livepatch status, under tier it says "Free usage; This machine beta tests new patches." Earlier this year they released a defective patch (edit: last year).
https://ubuntu.com/blog/livepatch-2021-03-24-incident-investigation-report.
I would rather take the 2 mins to reboot than deal with a potentially faulty patch.
Sure! But a controlled reboot is better than no testing at all, maybe! Come to think of it, are you aware of a well-known framework for testing rebooting? Thanks! 🙏
Ouch. That sucks
I know I probably shouldn't, but what I did is, I literally just apt-mark hold the kernel-related upgrades, since a reboot is only(?) required when the kernel gets updated.
Sounds legit 😂
I schedule updates to the weekend (when I have more spare time) and since I have a mirror server with all websites synced, if things go wrong there won't be any downtime (+-1 min to switch)