Keeping kernel and system packages up to date without rebooting

Prompted from a post in another discussion: is there some tool that can keep both the kernel and other system packages up to date without requiring a reboot at each update? Or is the kernel the only thing that can be updated this way? Also is Kernelcare the best option? How does the Canonical version compare if I use Ubuntu? I have used Kernelcare a few years ago but not the Ubuntu one. Any other options?

Thanks

Thanked by: sonic

Comments

  • EthernetServers Member, Patron Provider

    I remember ksplice being mentioned quite a lot a couple years back but I am not sure where that product stands these days. I know that KernelCare has support for a lot more distributions.

    Interestingly, it appears KernelCare has re-branded and is now known as TuxCare. It appears to cover more than just the kernel too. I see a new "libcare" section has been added: https://patches.kernelcare.com/?type=libcare&feed= which looks to cover the kernel, glibc and openssl.

  • @EthernetServers said:
    I remember ksplice being mentioned quite a lot a couple years back but I am not sure where that product stands these days. I know that KernelCare has support for a lot more distributions.

    Interestingly, it appears KernelCare has re-branded and is now known as TuxCare. It appears to cover more than just the kernel too. I see a new "libcare" section has been added: https://patches.kernelcare.com/?type=libcare&feed= which looks to cover the kernel, glibc and openssl.

    Kernelcare+Libcare looks nice. ksplice seems to only support Oracle Linux.

  • Nekki Veteran

    Son, why you hate to reboot?

  • @Nekki said:
    Son, why you hate to reboot?

    Just to reduce downtime :)

  • Nekki Veteran

    @vitobotta said:

    @Nekki said:
    Son, why you hate to reboot?

    Just to reduce downtime :)

    Why you get downtime? No load balancing?

  • @Nekki said:

    @vitobotta said:

    @Nekki said:
    Son, why you hate to reboot?

    Just to reduce downtime :)

    Why you get downtime? No load balancing?

    This is just for apps for personal use. For serious stuff we use Google Cloud with all the redundancy we can of course.

    Personal stuff is not "critical" but I like to minimize downtime anyway.

  • Nekki Veteran

    @vitobotta said: This is just for apps for personal use. For serious stuff we use Google Cloud with all the redundancy we can of course.

    Personal stuff is not "critical" but I like to minimize downtime anyway.

    O. Nice to reboot personal stuff tho. Keep fresh. Howay the lads.

  • Not_Oles Moderator, Patron Provider

    One nice thing about rebooting is showing that the system can reboot if, for example, there is a power outage.

    Thanked by: Plioser, hostdare
  • Erisa Member
    edited March 2022

    My host boxes run Ubuntu so I rely on Canonical Livepatch and unattended-upgrade.

    Restarting processes for new libraries is based on suggestions and prompts from needrestart; sure, there'll be some small downtime when services restart, but it's no biggie compared to a full reboot.

    I have found Livepatch and unattended-upgrade to be an efficient pair. The last few times I caught wind of a security vulnerability (Some kernel, one in a package) it turned out that the system had taken care of it by itself. Livepatch inserts kernel patches whenever there is a security patch and unattended-upgrade will apply package security patches by itself.

    You will still need some manual attention (Restarting things with needrestart, applying non-security package upgrades), but generally this setup will keep you a whole bunch safer than without them and the majority of security threats are handled without intervention or reboot. Always stay vigilant however.

    You should also pair this with service monitoring. In cases where a security patch causes a service to go down I would rather have it go down than be insecure but I would also like to know its down so I can bring it up ASAP. This is the pitfall of automating things, in the past 2 years I've been doing this it's happened once.

    I reboot occasionally, but usually only when it's absolutely necessary and can't be done without a reboot. On a new server or after making major configuration changes that might impact the ability to reboot then I may end up doing one reboot to validate the configuration doesn't break before leaving it up for a long time.
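
The setup described in this post (Livepatch for the kernel, unattended-upgrades for packages, needrestart to find what to restart, plus service monitoring) still needs a manual check afterwards. The script below is an added example, not code from the thread or from the needrestart or Livepatch projects. It parses needrestart's batch output (the NEEDRESTART-KSTA and NEEDRESTART-SVC lines that `needrestart -b` prints), checks the /var/run/reboot-required flag, and lists any units that are not active after the restarts. The sample needrestart output, the service names and the --run flag are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): post-upgrade check for an
# unattended-upgrades + needrestart + Livepatch host. All parsing is done
# by functions that take their input as a string, so the helpers can be
# exercised offline; the live run (--run) is the only part that calls
# needrestart and systemctl.

# Constructed sample of `needrestart -b` output, used for the demo.
SAMPLE_NEEDRESTART='NEEDRESTART-VER: 3.5
NEEDRESTART-KCUR: 5.4.0-100-generic
NEEDRESTART-KEXP: 5.4.0-104-generic
NEEDRESTART-KSTA: 3
NEEDRESTART-SVC: nginx.service
NEEDRESTART-SVC: postfix.service
NEEDRESTART-SESS: root @ session #1'

# Translate NEEDRESTART-KSTA into a readable kernel state.
# 0 = unknown, 1 = no pending upgrade, 2 = ABI-compatible upgrade,
# 3 = newer kernel version installed (a reboot is needed to actually run it;
# Livepatch only patches the running kernel, it does not switch to the new one).
kernel_state() {
    ksta=$(printf '%s\n' "$1" | sed -n 's/^NEEDRESTART-KSTA: *//p')
    case "$ksta" in
        1) echo "kernel: current" ;;
        2) echo "kernel: ABI-compatible upgrade pending" ;;
        3) echo "kernel: newer version installed, reboot pending" ;;
        *) echo "kernel: unknown" ;;
    esac
}

# Print the units needrestart wants restarted, one per line.
services_to_restart() {
    printf '%s\n' "$1" | sed -n 's/^NEEDRESTART-SVC: *//p'
}

# Given newline-separated "unit state" pairs (state as reported by
# `systemctl is-active`), print the units that are not active.
inactive_services() {
    printf '%s\n' "$1" | awk 'NF >= 2 && $2 != "active" { print $1 }'
}

# Live run: gather real data and print a report. Arguments are the units
# you want monitored after the restarts (hypothetical list, your choice).
report() {
    out=$(needrestart -b 2>/dev/null) || out=""
    if [ -f /var/run/reboot-required ]; then
        echo "reboot-required flag is set"
    fi
    kernel_state "$out"
    for svc in $(services_to_restart "$out"); do
        echo "needs restart: $svc"
    done
    states=$(for u in "$@"; do
        printf '%s %s\n' "$u" "$(systemctl is-active "$u" 2>/dev/null)"
    done)
    inactive_services "$states" | sed 's/^/NOT RUNNING: /'
}

# Only perform the live run when explicitly asked, so the file can be
# sourced for its helpers without side effects.
if [ "${1:-}" = "--run" ]; then
    shift
    report "$@"
fi
```

Run it as `sh check-after-upgrade.sh --run nginx.service postfix.service` (the file name is arbitrary) from a cron job or your monitoring agent; a non-empty "NOT RUNNING" line is the case the post mentions, a security patch that took a service down, and is what you want alerted on rather than discovered later.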

  • @Erisa said:
    My host boxes run Ubuntu so I rely on Canonical Livepatch and unattended-upgrade.

    Restarting processes for new libraries is based on suggestions and prompts from needrestart; sure, there'll be some small downtime when services restart, but it's no biggie compared to a full reboot.

    I have found Livepatch and unattended-upgrade to be an efficient pair. The last few times I caught wind of a security vulnerability (Some kernel, one in a package) it turned out that the system had taken care of it by itself. Livepatch inserts kernel patches whenever there is a security patch and unattended-upgrade will apply package security patches by itself.

    You will still need some manual attention (Restarting things with needrestart, applying non-security package upgrades), but generally this setup will keep you a whole bunch safer than without them and the majority of security threats are handled without intervention or reboot. Always stay vigilant however.

    I reboot occasionally, but usually only when it's absolutely necessary and can't be done without a reboot. On a new server or after making major configuration changes that might impact the ability to reboot then I may end up doing one reboot to validate the configuration doesn't break before leaving it up for a long time.

    On the Canonical website it says "Livepatch is included in Ubuntu Pro and Ubuntu Advantage." - so is it not available with regular Ubuntu?

    Thanks for mentioning unattended-upgrades! I used to use it ages ago before I moved everything to Kubernetes stuff. Only recently I have started to use old fashioned server setups for my personal stuff and I had forgotten several things.

  • Erisa Member

    @vitobotta said: On the Canonical website it says "Livepatch is included in Ubuntu Pro and Ubuntu Advantage." - so is it not available with regular Ubuntu?

    Ubuntu Advantage is free for personal use on up to 3 devices. You need to sign up on the website and use your token to activate it.

    Thanked by: bulbasaur
  • @Erisa said:

    @vitobotta said: On the Canonical website it says "Livepatch is included in Ubuntu Pro and Ubuntu Advantage." - so is it not available with regular Ubuntu?

    Ubuntu Advantage is free for personal use on up to 3 devices. You need to sign up on the website and use your token to activate it.

    Awesome, thanks for mentioning it! I guess I can avoid buying Kernelcare then :p

    Thanked by: Erisa, bulbasaur
  • @Not_Oles said:
    One nice thing about rebooting is showing that the system can reboot if, for example, there is a power outage.

    A controlled reboot does not simulate a power failure at all and this is kind of false confidence.

    Thanked by: Not_Oles, webcraft
  • dfroe Member, Host Rep

    If uptime becomes that important and you are calling a reboot a downtime, then you will most likely need some kind of high availability cluster or hot standby system as there are many other possible incidents that will impact your uptime much more than a quick reboot.

    Depending on your use case, syncing data between two similar servers is not necessarily rocket science. Mysql/mariadb comes with native multi master capabilities and filesystems can be synchronized with tools like unison.

    Then you can simply let your DNS records point to one or the other (or both) systems.
    For scheduled maintenance like kernel upgrades and reboots you can start lowering the TTL of your DNS records upfront to ensure a predictable failover.

    Don't know how difficult this might sound to you. But for me this is much easier than live kernel patching and especially reduces other risks as well.

  • Razza Member
    edited March 2022

    The free version of Livepatch gets beta patches.

    If you run canonical-livepatch status, under tier it says "Free usage; This machine beta tests new patches." Earlier this year (edit: last year) they released a defective patch.

    https://ubuntu.com/blog/livepatch-2021-03-24-incident-investigation-report.

    I would rather take the 2 mins to reboot than deal with a potential fault patch.

  • Not_Oles Moderator, Patron Provider

    @TimboJones said:

    @Not_Oles said:
    One nice thing about rebooting is showing that the system can reboot if, for example, there is a power outage.

    A controlled reboot does not simulate a power failure at all and this is kind of false confidence.

    Sure! But a controlled reboot is better than no testing at all, maybe! Come to think of it, are you aware of a well-known framework for testing rebooting? Thanks! 🙏

  • @Razza said:
    The free version of Livepatch gets beta patches.

    If you run canonical-livepatch status, under tier it says "Free usage; This machine beta tests new patches." Earlier this year (edit: last year) they released a defective patch.

    https://ubuntu.com/blog/livepatch-2021-03-24-incident-investigation-report.

    I would rather take the 2 mins to reboot than deal with a potential fault patch.

    Ouch. That sucks

  • jason5545 Member
    edited March 2022

    I know I probably shouldn't, but what I did was literally just apt-mark hold the kernel-related upgrade, since a reboot is only(?) required when the kernel gets updated.

  • @jason5545 said:
    I know I shouldn't, but what I did was literally just apt-mark the kernel-related upgrade, since a reboot is required when the kernel gets updated.

    Sounds legit 😂

    Thanked by: jason5545
  • nfn Veteran

    I schedule updates to the weekend (when I have more spare time) and since I have a mirror server with all websites synced, if things go wrong there won't be any downtime (+-1 min to switch)
