[Poll] VPS/Dedicated Server Maintenance and Upkeep

Here’s a poll to discuss what steps we go to in order to keep our servers up-to-date and well-maintained. It seems a new major vulnerability or threat is discovered every couple weeks. Even with idle machines, it’s important to stay on top of things, updating packages when necessary, applying kernel updates, disabling some obscure service that sends all your data to the Russians, etc.

My maintenance routine is pretty minimal. I stay on top of security announcements (like the recent PHP FPM one) and apply updates to any servers that may be affected. I typically log in to all my machines once or twice a month to apply patches, updates, etc. I will only reboot to apply kernel updates if something major pops up. I did try out Ubuntu’s livepatch for a bit, but honestly I prefer to do things manually.

What do you guys do to address server security and maintenance? [Select all that apply]

  • Automatic package updates (at some predefined interval)
  • Regular manual package updates (every x weeks)
  • Update only when absolutely necessary (major security patch, etc.)
  • Install and reboot to apply every kernel update
  • Install and reboot to apply only MAJOR kernel updates
  • Regular reboots (every x weeks/months)
  • Livepatch (or similar)
  • Run active scans and vulnerability testing on servers
  • Not my problem, that’s my provider’s problem
  • Who needs updates? #YOLO
  • Reboot, you say? I can’t hurt my precious uptime
  • Something else (Write-in)

Newbie question, but why regular reboots?

I understand rebooting after kernel/packages updates or patches but why would you reboot regularly?

I tend to log in to all my servers at least once a month and run kernel/packages updates and reboot only after a kernel update.

1 Like

That's because unless you use KernelCare or similar products you have to reboot to apply kernel updates manually.

Thankfully with KernelCare and similar products you no longer have to make choices for business/mission critical applications.

A while ago? Yeah, you had to make choices to literally either mitigate the downtime (fail over, doing it in the non-peak hour(s) and/or etc.) OR secure your machine(s) in a manner where it doesn’t have to undergo rebooting. Just like how some mission critical systems are still on EOL Windows systems.

5 Likes

I run ChkrootKit and Sophos (CLI) on demand.

Snort and some custom stuff in the background.

Daily reboots.

1 Like

Yes, but in my understanding that is this option:

Install and reboot to apply every kernel update

I’m asking why you would do this:

Regular reboots (every x weeks/months)

I only apply and reboot for security patches (and major versions) of the kernel (and libc etc).
Also logwatch helps picking up stuff that happens.

Ahh I see now, I don’t get it either. I know older applications would hog RAM for example but why reboot the whole system instead of that application is beyond me as well…

For me, I do regular reboots because I don’t reboot every kernel change, but I still want to be running a semi-recent (< 3 months old) kernel if there were any updates. So usually every 2-3 months, I’ll reboot the machine completely. Also helps with clearing out those old processes and cached memory that are no longer being used that I have completely forgotten about.

Also, maybe it’s just a mental thing, but to me it feels like everything simply runs more smoothly after being rebooted. It’s typically only my dedicated servers that I really care about rebooting regularly. My VPSes usually go neglected in that aspect aside from regular package updates.

4 Likes
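An added example, not written by anyone in this thread: the check behind "reboot only after a kernel update" and the kernel/libc patching mentioned above, as shell functions that separate "reboot pending" from "only services need restarting". The function names and the sample kernel list and maps lines are constructed; on a live host the inputs would come from `uname -r`, `ls /lib/modules` and `/proc/<pid>/maps`, and GNU `sort -V` is assumed.

```shell
#!/usr/bin/env bash
# Added example: does this host need a reboot, a service restart, or nothing?
# Function names and sample data are constructed for illustration.

# Print the highest kernel release read from stdin (one per line).
# sort -V compares version numbers, so -100 ranks above -42 and -9.
newest_kernel() { sort -V | tail -n 1; }

# kernel_is_stale RUNNING  (installed releases on stdin)
# Succeeds only if an installed kernel is newer than the running one.
kernel_is_stale() {
  local running=$1 newest
  newest=$(newest_kernel)
  [ -n "$newest" ] && [ "$newest" != "$running" ] &&
    [ "$(printf '%s\n%s\n' "$running" "$newest" | newest_kernel)" = "$newest" ]
}

# Read /proc/<pid>/maps text on stdin; print shared objects that are still
# mapped executable but were replaced on disk (the process runs old code).
# The .so filter skips shared-memory segments, which also show "(deleted)".
deleted_libs() {
  awk '$NF == "(deleted)" && $2 ~ /x/ && $6 ~ /\.so/ { print $6 }' | sort -u
}

# report RUNNING INSTALLED MAPS -> reboot | restart-services | ok
report() {
  if printf '%s\n' "$2" | kernel_is_stale "$1"; then echo reboot
  elif [ -n "$(printf '%s\n' "$3" | deleted_libs)" ]; then echo restart-services
  else echo ok; fi
}

# Constructed sample input (live: `ls /lib/modules`, `cat /proc/<pid>/maps`).
SAMPLE_KERNELS='5.4.0-42-generic
5.4.0-100-generic
5.4.0-9-generic'
SAMPLE_MAPS='7f1c2a000000-7f1c2a1b0000 r-xp 00000000 08:01 131 /lib/x86_64-linux-gnu/libc-2.31.so (deleted)
7f1c2a400000-7f1c2a420000 r-xp 00000000 08:01 140 /lib/x86_64-linux-gnu/libz.so.1.2.11
7f1c2a600000-7f1c2a601000 rw-s 00000000 00:05 99 /SYSV00000000 (deleted)'

report 5.4.0-42-generic  "$SAMPLE_KERNELS" "$SAMPLE_MAPS"   # older kernel running
report 5.4.0-100-generic "$SAMPLE_KERNELS" "$SAMPLE_MAPS"   # current kernel, old libc mapped
report 5.4.0-100-generic "$SAMPLE_KERNELS" ""               # nothing pending
```

A process that still maps a replaced libc keeps running the unpatched code until it is restarted, which is why a package update alone does not close the hole.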

I optimize my boot to the extreme, so rebooting is just a few seconds on a SSD/NVME system.

Crontab is your friend, just pick the time of day traffic is at its lowest point.

1 Like

https://id.sophos.com/web/register/

Power cycles put wear and tear on the hardware. I only reboot for hardware changes. There wasn’t a single kernel update that made me reboot my homeserver. For virtual servers I don’t mind much, but I rarely reboot those either as I simply don’t feel the need.

2 Likes

good stuff

1 Like

I’m typically perpetually logged into all of my boxes, idling or not, and I typically check manually every day. Some people play Candy Crush, I play apt/apt-get/yum.
If I’m hit by a bus and/or I’m on holiday, only security advisories are applied autonomously on Sunday at 01:00 CET, restarting services as needed. Boxes don’t ever undergo unattended reboots.
Most setups are built with redundancy in mind and some boxes are behind an IDS or a reverse proxy, so that it’s generally possible to at least take offline one box at a time if really needed. All boxes have a well-tested “plan B” (and a “plan C” if some maintenance is needed).

You may ksplice/kernelcare/livepatch but sometimes you may not feel comfortable relying on systemctl daemon-reexec to fix a systemd bug feature and/or to apply some major updates
Other than that, some people may feel more comfortable in a periodic complete reboot “just in case”
Those people obviously don’t care about vanity uptime and therefore are the scum of the planet (I confess I sometimes reboot my idlers too, for the sake of it)

3 Likes

Using a SaaS control panel for my VPSes, it auto-updates things, even on machines that I forgot I have.

RunCloud?

Currently using serverpilot and moss.sh

1 Like