How to make sure your Ubuntu servers are always patched


Keeping your server up to date is very important. Linux and the software that runs on it are constantly updated, both to receive security fixes and to fix bugs. Patching quickly helps you avoid becoming a victim of zero-day vulnerabilities.

Patch management

Patch management refers to your practices for updating servers. Good patch management means that all of your servers update quickly in response to security patches, both in the Linux kernel and system as well as in the software you are using.

Security starts with the system administrator, who must perform periodic security and update audits and stay up to date on security information. Most Linux distributions have security mailing lists that you can subscribe to; these will notify you whenever new patches are available. Other software you use may have its own mailing lists or require you to follow up manually, so that you can decide when an update is needed.

Uptime is essential, but if your network is fault tolerant (in other words, has more than one server), restarting servers one at a time shouldn't be a hindrance. Most patches for userspace software will not require a full system reboot, although if a running service is updated it will generally have to be restarted. For something like nginx that may be fine, but certain services, like MySQL, take a long time to restart because they have to shut down and start up cleanly. You should avoid restarting them as much as possible, especially if you don't have failover servers.

Manual and regular update

For many people, a simple update and upgrade command will do the job of updating the server:

sudo apt-get update && sudo apt-get upgrade

The apt-get update command refreshes the package lists and fetches information about the latest available versions of the packages you have installed. The apt-get upgrade command then installs new versions of the software you already have installed.

This will not install new dependencies and will not install some system updates. For those, you will need to run:

sudo apt-get dist-upgrade

which performs a much more complete upgrade. Either command installs all new updates and prints a list of changes. Some services may need to be restarted to apply the changes, but you usually won't have to reboot the whole system unless dist-upgrade requires it.
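As an added example (not from the original article), the script below wraps the manual update cycle just described in a non-interactive form and then answers the question the paragraph raises: does this machine now need a reboot, and which packages asked for it? It relies on the Ubuntu convention that a package requiring a reboot creates /var/run/reboot-required and appends its name to /var/run/reboot-required.pkgs. The optional root prefix argument is an assumption of this example so the checks can be exercised against a scratch directory rather than a live system.

```shell
#!/bin/sh
# Added example: run the manual patch cycle and report pending reboots.
# Not part of the original article. The "root" prefix is an assumption of
# this example; leave it empty on a real server.

set -u

# Return 0 when a reboot is pending under the given root prefix, 1 otherwise.
reboot_pending() {
    root="${1:-}"
    [ -f "${root}/var/run/reboot-required" ]
}

# Print the packages that requested the reboot, one per line, deduplicated.
reboot_pkgs() {
    root="${1:-}"
    f="${root}/var/run/reboot-required.pkgs"
    [ -f "$f" ] && sort -u "$f"
}

# The manual update cycle from the article. -y and a noninteractive frontend
# stop apt from prompting, so the same function can be driven by cron or an
# orchestration tool.
patch_system() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get update &&
    apt-get -y dist-upgrade
}

# Human-readable report. Returns 0 when nothing is pending and 2 when a
# reboot is required, so a caller can decide whether to schedule one.
report() {
    root="${1:-}"
    if reboot_pending "$root"; then
        echo "REBOOT REQUIRED by:"
        reboot_pkgs "$root" | sed 's/^/  /'
        return 2
    fi
    echo "No reboot pending."
    return 0
}

# Usage: ./patch.sh --apply   (as root: patch, then report)
#        ./patch.sh --report  (read-only check of the running system)
case "${1:-}" in
    --apply)  patch_system && report "" ;;
    --report) report "" ;;
esac
```

Run it with --report from a monitoring job to catch servers that were upgraded but never rebooted; the non-zero return code is what you would alert on.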

This procedure is easy if you only have a few servers, but manual patch management takes more time as you add more of them. Canonical's own Landscape service lets you manage and update your machines through a web interface, but it is free for only 10 machines, after which you need an Ubuntu Advantage subscription. If your network is particularly complicated, you might want to look at an orchestration tool like Puppet.

Automatic security patches with unattended updates

The unattended-upgrades utility automatically applies certain important security updates. It can also reboot the server automatically, and that can be scheduled for a set time so that it does not fall in the middle of the day.

Install unattended-upgrades from apt, although it may already be on your system.

sudo apt update
sudo apt install unattended-upgrades

This will create a configuration file at /etc/apt/apt.conf.d/50unattended-upgrades, which you will want to open in your favourite text editor.

Make sure the configuration looks like the following, with the “security” line uncommented:

Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
//      "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

This enables automatic installation of security updates only, although you can enable it for all updates by uncommenting the first line.

To enable automatic reboots, uncomment this line and change the value to “true”:

Unattended-Upgrade::Automatic-Reboot "true";

To choose the time at which to reboot, uncomment this line and change the value to whatever time you want.

Unattended-Upgrade::Automatic-Reboot-Time "02:00";

With these settings your server will reboot at 2 a.m. if security patches that require a reboot have been installed; this should be occasional, and you shouldn't see your server reboot every day. Make sure the applications you run are set to start automatically on boot.

Alternatively, unattended-upgrades can be configured to send you email notifications telling you when a manual reboot is needed, which avoids unexpected reboots.
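The settings above are easy to get subtly wrong (the security line left commented out, Automatic-Reboot set but never enabled, or nobody told about pending reboots), so here is an added audit script, not part of the original article, that reads the apt.conf.d fragments and reports what is actually in force. It checks three things: that the -security origin is uncommented, that either automatic reboots or mail notification (the real Unattended-Upgrade::Mail key) is configured, and that the periodic run itself is switched on. That last check covers a point the article does not mention: 50unattended-upgrades only says what to install, while the timer that runs unattended-upgrades is enabled by APT::Periodic::Unattended-Upgrade "1"; in /etc/apt/apt.conf.d/20auto-upgrades. The file paths are parameters so the script can be tested against copies.

```shell
#!/bin/sh
# Added example: audit the unattended-upgrades configuration.
# Not part of the original article. File paths default to the real
# apt.conf.d fragments but can be overridden for testing.

set -u

# Strip // comments and blank lines from an apt.conf fragment. (A "//" inside
# a quoted value, such as a URL, would also be cut; none of the keys checked
# here carry one.)
strip_comments() {
    [ -f "$1" ] || return 1
    sed -e 's|//.*$||' "$1" | grep -v '^[[:space:]]*$'
}

# Return 0 if an Allowed-Origins entry "${distro_id}:${distro_codename}SUFFIX"
# (e.g. SUFFIX="-security") is present and not commented out.
origin_enabled() {
    file="$1"; suffix="$2"
    strip_comments "$file" | grep -qF "\"\${distro_id}:\${distro_codename}${suffix}\";"
}

# Print the value of a key such as Unattended-Upgrade::Automatic-Reboot, or
# nothing if it is absent or commented out. The last assignment wins.
apt_value() {
    file="$1"; key="$2"
    strip_comments "$file" |
        sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" |
        tail -n 1
}

# Full audit. Prints one line per finding and returns the number of problems.
audit() {
    cfg="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"
    periodic="${2:-/etc/apt/apt.conf.d/20auto-upgrades}"
    problems=0

    if origin_enabled "$cfg" "-security"; then
        echo "OK   security origin enabled"
    else
        echo "FAIL security origin is commented out or missing in $cfg"
        problems=$((problems + 1))
    fi

    mail=$(apt_value "$cfg" 'Unattended-Upgrade::Mail')
    if [ "$(apt_value "$cfg" 'Unattended-Upgrade::Automatic-Reboot')" = "true" ]; then
        t=$(apt_value "$cfg" 'Unattended-Upgrade::Automatic-Reboot-Time')
        echo "OK   automatic reboot enabled${t:+ at $t}"
    elif [ -n "$mail" ]; then
        echo "OK   no automatic reboot, but reports are mailed to $mail"
    else
        echo "WARN neither automatic reboot nor mail is set: pending reboots will go unnoticed"
        problems=$((problems + 1))
    fi

    # 50unattended-upgrades only lists what to install; the periodic job that
    # runs unattended-upgrades is switched on in 20auto-upgrades.
    if [ "$(apt_value "$periodic" 'APT::Periodic::Unattended-Upgrade')" = "1" ]; then
        echo "OK   periodic unattended-upgrade run is enabled"
    else
        echo "FAIL APT::Periodic::Unattended-Upgrade is not \"1\" in $periodic"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Usage: ./audit-uu.sh            (audit the live configuration)
#        ./audit-uu.sh FILE50 FILE20
case "${1:-}" in
    --live) audit ;;
esac
```

Run it with --live after editing the file; a non-zero exit code lists exactly what still needs attention, and the same script can be pushed to every server by whatever orchestration you use.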

Canonical Livepatch

Canonical Livepatch is a service that automatically patches your kernel without requiring a reboot. It is free for up to three machines, after which you will need an Ubuntu Advantage subscription for each machine.

Make sure your system is up to date and install Livepatch via snap:

sudo snap install canonical-livepatch

Next, you will need to get a Livepatch token from Canonical's website. Once you have it, you can run:

sudo canonical-livepatch enable TOKEN

Then verify that it is working properly with:

sudo canonical-livepatch status --verbose

Note that the default Ubuntu image on AWS is not currently supported by Livepatch, because AWS uses its own kernel for extra performance. You would have to revert to the previous kernel or install a different version of Ubuntu if you wanted to use Livepatch.
