
Keeping your server up to date is very important. Linux and the software running on it are constantly being patched, both for security fixes and for ordinary bug fixes. Applying patches quickly shrinks the window in which a newly disclosed bug can be used against you.

Patch Management

Patch management refers to your practices for updating servers. Good patch management means all of your servers are updated quickly in response to security patches, both for the Linux kernel and base system and for the software you run on top of them.

Security starts with the sysadmin; you should be performing regular security and update audits, and keeping up to date on security info. Most Linux distributions will have security mailing lists you can subscribe to. These will send you notifications whenever new patches are available. Other software you use may have their own mailing lists or require you to manually keep track, so you can decide when an update is needed.

Uptime is important, but if your network is fault-tolerant (i.e., you have more than one server), restarting them one at a time should be no issue. Most patches to userland software won't require you to restart the whole system, though if a running service needs updating, it will usually have to be restarted. For something like nginx that may be fine, but certain services, like MySQL, take a long time to restart because they have to be shut down and rebooted gracefully. You should avoid restarting them as much as possible, especially if you don't have failover servers.

Regular, Manual Upgrading

For many people, a simple update & upgrade command will do the job of updating the server:

sudo apt-get update && sudo apt-get upgrade

The apt-get update command updates the package list, and fetches the latest information on the newest versions of the packages you have installed. The apt-get upgrade command will install new versions of software you already have installed.

apt-get upgrade never installs or removes packages, so any upgrade that needs a new dependency (or conflicts with something already installed) is held back, and some system updates such as new kernels are skipped. For those, you'll need to run:

sudo apt-get dist-upgrade

which will perform a much more thorough upgrade. Either command will install all new updates and print out a list of what's changed. Some services may require a restart of that service to apply changes, but you won't usually have to restart the whole system unless dist-upgrade requires it.
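To see what the upgrade commands above would do before running them, here is an added audit helper (example code, not from the original article). It assumes the `Inst …` line format that apt-get's simulation mode (`apt-get -s upgrade`) prints and the /var/run/reboot-required marker file that Ubuntu creates when an installed update needs a reboot; the sample output embedded below is constructed.

```shell
#!/bin/sh
# Audit helper (added example): classify the upgrades that "apt-get -s upgrade"
# (simulation mode, nothing is installed) would apply, separating packages from
# the -security pocket from everything else, and report a pending reboot.

# Reads apt-get simulation output on stdin. Lines look like:
#   Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
# Prints "<security-count> <other-count>".
classify_upgrades() {
    awk '
        /^Inst / {
            if ($0 ~ /-security \[/) sec++; else other++
        }
        END { printf "%d %d\n", sec + 0, other + 0 }
    '
}

# Ubuntu touches this file when an installed update needs a reboot.
# The path is a parameter so the check can be run against a test file.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# Constructed sample of simulation output for this example.
SAMPLE_SIM='Reading package lists...
Building dependency tree...
Inst openssl [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.11] (2:8.2.3995-1ubuntu2.15 Ubuntu:22.04/jammy-updates [amd64])
Conf openssl (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])'

main() {
    # On a real server replace the printf with: apt-get -s upgrade | classify_upgrades
    set -- $(printf '%s\n' "$SAMPLE_SIM" | classify_upgrades)
    echo "security upgrades pending: $1, other upgrades pending: $2"
    if reboot_required; then
        echo "a reboot is already pending from an earlier update"
    fi
}

main
```

Run it from cron or your monitoring agent and alert when the first number is non-zero for longer than your patch window allows.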

This process is easy to do if you only have a few servers, but manual patch management requires more time as you add more servers. Canonical's own Landscape service will allow you to manage and update your machines through a web interface but is only free for 10 machines, after which it requires an Ubuntu Advantage subscription. If your network is particularly complicated, you might want to look into an orchestration service like Puppet.

Automatic Security Patches with unattended-upgrades

The unattended-upgrades utility will automatically apply certain important security upgrades. It can reboot the server automatically, which can be configured to a certain time so it won't go down in the middle of the day.

Install unattended-upgrades from apt, though it may already be on your system.

sudo apt update

sudo apt install unattended-upgrades

This will create a configuration file in /etc/apt/apt.conf.d/50unattended-upgrades, which you'll want to open in your favorite text editor.

Make sure the configuration is as follows, with the "security" line uncommented:

Unattended-Upgrade::Allowed-Origins {
    // "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    // "${distro_id}ESM:${distro_codename}";
    // "${distro_id}:${distro_codename}-updates";
    // "${distro_id}:${distro_codename}-proposed";
    // "${distro_id}:${distro_codename}-backports";
};

This turns on automatic updates for the security pocket only. You can broaden it by uncommenting the other origin lines as well: the first line is the base release pocket, and -updates is where the regular, non-security bug fixes land.

To turn on automatic reboots, uncomment this line and change the value to "true":

Unattended-Upgrade::Automatic-Reboot "true";

To set a time to reboot, uncomment this line and change the value to whatever time you'd like.

Unattended-Upgrade::Automatic-Reboot-Time "02:00";

The default settings will make your server reboot at 2 AM if there are security patches requiring a reboot, though this will be an occasional thing, and you shouldn't see your server rebooting every day. Make sure your running applications are configured to automatically restart on boot.

Alternatively, unattended-upgrades can be configured to send you email notifications telling you to manually reboot the server when it's needed, which will prevent unexpected reboots.
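Putting the settings from this section together, here is an added example (not from the original article) of the two apt configuration files a server needs for hands-off security patching. The option names are the real unattended-upgrades keys; MailReport assumes unattended-upgrades 2.0 or later (Ubuntu 20.04+), the ESM origin names are an assumption about your release, and the package blacklist entry is a constructed illustration.

```conf
# /etc/apt/apt.conf.d/20auto-upgrades
# These enable the daily apt timers; without them unattended-upgrades is
# installed but never actually invoked.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // ESM pockets (assumed names); harmless if this release lacks them.
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Packages an automatic run must never touch, so a slow-to-restart service
// such as MySQL is only upgraded by hand during a maintenance window.
Unattended-Upgrade::Package-Blacklist {
    "mysql-server";
};

// Reboot only when an update has flagged that it needs one, and only at 02:00.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Alternative to automatic reboots: set Automatic-Reboot to "false" and have
// the run report to root instead, including any reboot it left pending.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "on-change";
```

After editing, `sudo unattended-upgrade --dry-run --debug` shows which packages the next run would pick up without changing anything.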

Canonical Livepatch

Canonical Livepatch is a service that automatically patches your kernel without requiring your server to reboot. It's free for up to three machines, after which you'll need an Ubuntu Advantage subscription for each machine.

Make sure your system is up to date and install Livepatch through snap:

sudo snap install canonical-livepatch

Next, you'll need to grab a Livepatch token from their website. Once you have it, you can run:

sudo canonical-livepatch enable TOKEN

Then, check that it is running properly with:

sudo canonical-livepatch status --verbose

Note that the default Ubuntu image on AWS does not currently support Livepatch, because AWS uses its own kernel build for extra performance. You would have to switch back to the generic Ubuntu kernel or install a different version of Ubuntu if you wanted to use Livepatch.