
How to ensure that your Ubuntu servers are always patched – CloudSavvy IT



Keeping your server updated is very important. Linux and Linux software are constantly being updated, both with security fixes and with bug fixes. By applying patches quickly you can avoid falling victim to zero-day bugs.

Patch Management

Patch management refers to your process for updating servers. Good patch management means that all of your servers are updated quickly in response to security updates, both to the Linux kernel and base system and to the software you run on top of it.

Security starts with the sysadmin: you should perform regular security and update audits and keep up to date on security announcements. Most Linux distributions have security mailing lists that you can subscribe to; these send a message whenever new patches are available. Other software you use may have its own mailing list, or may require you to keep track of releases manually so you can decide when an update is needed.

Uptime is important, but if your network is fault-tolerant (i.e., you have more than one server), rebooting them one at a time should not be a problem. Most userland patches do not require you to reboot the entire system, but if a running service is updated, it usually needs to be restarted. For something like nginx that may be fine, but some services, such as MySQL, take a long time to restart because they have to shut down and start back up gracefully. You should avoid restarting them as much as possible, especially if you do not have failover servers.

Regular, manual upgrades

For many people, a simple update and upgrade command does the job of updating the server:

  sudo apt-get update && sudo apt-get upgrade

The command apt-get update refreshes the package lists, retrieving information about the newest versions of the packages you have installed. The command apt-get upgrade then installs the new versions of software you already have installed.

This will not install new dependencies, and it will not install any system updates that require them. For that you need to run:

  sudo apt-get dist-upgrade 

which performs a more thorough upgrade. Both commands install all available updates and print a list of what has changed. Some services may require a restart of that service to apply the changes, but you generally do not need to reboot the entire system unless dist-upgrade requires it.

This process is easy to do if you only have a few servers, but manual patch management takes more and more time as you add servers. Canonical's own Landscape service allows you to manage and update your machines via a web interface, but it is only free for 10 machines, after which it requires an Ubuntu Advantage subscription. If your network is particularly complicated, you may want to look into an orchestration tool like Puppet.

Automatic security updates with unattended-upgrades

unattended-upgrades automatically installs important security updates. It can also reboot the server automatically, and the reboot can be scheduled for a set time so that the server does not go down in the middle of the day.

Install unattended-upgrades from apt, although it may already be on your system:

  sudo apt update
  sudo apt install unattended-upgrades

This creates a configuration file at /etc/apt/apt.conf.d/50unattended-upgrades, which you should open in your favorite text editor.

Make sure the line ending in "-security" in the following block is uncommented:

  Unattended-Upgrade::Allowed-Origins {
  //      "${distro_id}:${distro_codename}";
          "${distro_id}:${distro_codename}-security";
          // Extended Security Maintenance; doesn't necessarily exist for
          // every release and this system may not have it installed, but if
          // available, the policy for updates is such that unattended-upgrades
          // should also install from here by default.
  //      "${distro_id}ESM:${distro_codename}";
  //      "${distro_id}:${distro_codename}-updates";
  //      "${distro_id}:${distro_codename}-proposed";
  //      "${distro_id}:${distro_codename}-backports";
  };

This enables automatic security updates only, but you can enable automatic installation of all updates by uncommenting the first line as well.

To enable automatic reboots, uncomment this line and change the value to "true":

  Unattended-Upgrade::Automatic-Reboot "true";

To set the time of the reboot, uncomment this line and change the value to whatever time you want:

  Unattended-Upgrade::Automatic-Reboot-Time "02:00";

With this setting, your server will reboot at 2 am if there are security updates that require a reboot. Such updates are few and far between, so you should not see your server reboot every day. Make sure your running applications are configured to start automatically at boot.

Alternatively, unattended-upgrades can be configured to send you an e-mail telling you to reboot the server manually when needed, which prevents unexpected reboots.
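As an added example that is not part of the original article, a POSIX shell script that audits a 50unattended-upgrades file for the settings covered in this section (the -security origin, Automatic-Reboot and Automatic-Reboot-Time); the function names and the sample config it writes are constructed for illustration:

```shell
#!/bin/sh
# Added example, not from the article: audit an unattended-upgrades config
# (e.g. /etc/apt/apt.conf.d/50unattended-upgrades) for the settings above.
# Function names and the sample config are constructed for illustration.

# Drop "//" comment lines so a commented-out entry is never counted as enabled.
active_lines() { grep -v '^[[:space:]]*//' "$1"; }

# origin_enabled FILE SUFFIX: true if "${distro_id}:${distro_codename}SUFFIX" is active.
origin_enabled() {
  active_lines "$1" | grep -Fq "\"\${distro_id}:\${distro_codename}$2\";"
}
# setting_value FILE KEY: print the quoted value of an active Unattended-Upgrade::KEY line.
setting_value() {
  active_lines "$1" |
    sed -n 's/^[[:space:]]*Unattended-Upgrade::'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' | head -n 1
}
# audit_config FILE: returns 0 only when the -security origin is enabled; reports reboot policy.
audit_config() {
  status=0
  if origin_enabled "$1" -security; then
    echo "OK: -security origin enabled"
  else
    echo "FAIL: -security origin commented out, no automatic security updates"; status=1
  fi
  reboot=$(setting_value "$1" Automatic-Reboot)
  rtime=$(setting_value "$1" Automatic-Reboot-Time)
  if [ "$reboot" = "true" ]; then
    echo "OK: automatic reboot at ${rtime:-now (no Automatic-Reboot-Time set)}"
  else
    echo "WARN: Automatic-Reboot is off; kernel updates wait for a manual reboot"
  fi
  return $status
}

# Constructed sample mirroring the layout of 50unattended-upgrades.
write_sample_config() {
  cat > "$1" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
};
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}
write_sample_config /tmp/50unattended-upgrades.sample
audit_config /tmp/50unattended-upgrades.sample
```

Point audit_config at /etc/apt/apt.conf.d/50unattended-upgrades to check a real server; a non-zero exit status means security updates are not being applied automatically.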

Canonical Livepatch

Canonical Livepatch is a service that automatically patches your kernel without your server having to restart. It's free for up to three machines, after which you'll need an Ubuntu Advantage subscription for each machine.

Make sure your system is up to date, then install Livepatch through snap:

  sudo snap install canonical-livepatch 

Then you need to obtain a Livepatch token from their site. Once you have it, you can run:

  sudo canonical-livepatch enable TOKEN 

Then check that it works correctly with:

  sudo canonical-livepatch status --verbose 

Note that the standard Ubuntu image on AWS does not currently support Livepatch, as AWS uses its own kernel for extra performance. You would need to revert to the old kernel or install another version of Ubuntu if you want to use Livepatch.

