this post was submitted on 14 Sep 2023
11 points (100.0% liked)

Debian

847 readers
4 users here now

❤️ Debian

Rules

founded 1 year ago
MODERATORS
 

Hi,

I do believe from time to time there are important updates that need you to reboot your server, but how often? I'm thinking about kernel updates, let's say every month... What are you practices and recommendations?

top 10 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

I have a script that runs nightly via cron, it checks if a reboot is required through needrestart, logs the action and reboots the host if required (kernel update or glibc update): https://github.com/nodiscc/xsrv/blob/master/roles/monitoring_netdata/files/usr_local_bin_needrestart-autorestart

Nightly is a baseline, if requirements dictate that the host should not reboot without warning at 5am, I adjust the cron expression.

[–] [email protected] 1 points 1 year ago

Wow, great... Didn't know about needrestart

[–] [email protected] 3 points 1 year ago

Once a month on patch Tuesday. May as well reboot everything.

[–] [email protected] 2 points 1 year ago

Whenever I update the kernel or low level libraries practically everything uses like glibc.

[–] [email protected] 1 points 1 year ago (1 children)

Depends on the situation - if it's my own server, I'm happy rebooting them (almost) whenever.

If it's a customer's server, then it may be anything from monthly to annually ....

[–] [email protected] 1 points 1 year ago

Own server but with very few things running on it...

[–] [email protected] 1 points 1 year ago (1 children)

I am running a laptop server. Currently reboot once every few weeks, but looking to potentially set up a nightly shutdown/reboot when I'm sleeping since it's just for me.

[–] [email protected] 1 points 1 year ago

Yep, update at night is good

[–] [email protected] 1 points 11 months ago

Only when necessary and my monitoring system detects a need for it (kernel updates e.g.)

[–] [email protected] 1 points 1 year ago* (last edited 1 year ago)

Periodic reboots are useful for a hands-off approach to security patching.

For most use cases, all software should be restarted after it receives a security patch.

If your threat model allows a latency of, say, 14 days between patch release and patch applied, then the simplest solution is to just enable unattended updates to install patches as soon as they are released, and then impose a 14 day uptime limit to periodically restart the patched software.

You could always take a more hands-on approach and pay attention to which software is updated and only restart the specific services that are patched. But that's expensive, and humans are fallible. Almost everyone, from hobbyists to enterprises, is better off with a dumb uptime limit instead.

Of course, if you're just a hobbyists, then your threat model may be so lax that you don't need to bother with any of this. Just reboot when you install kernel updates.