Just wondering what tools and techniques people are using to keep on top of updates, particularly security-related updates, for their self-hosting fleet.
I’m not talking about docker containers - that’s relatively easy. I have Watchtower pull (not update) latest images once per week. My Saturday mornings are usually spent combing through Portainer and hitting the recreate button for those containers with updated images. After checking the service is good, I manually delete the old images.
But, I don’t have a centralised, automated solution for all my Linux hosts. I have a few RasPis and a bunch of LXCs on a pair of Proxmox nodes, all running their respective variation of Debian.
Not a lot of this stuff is exposed direct to the internet - less than a handful of services, with the rest only accessible over Wireguard. I’m also running OPNsense with IPS enabled, so this problem isn’t exactly keeping me up at night right now. But, as we all know, security is about layers.
Some time ago, on one of my RasPis, I did setup Unattended Upgrades and it works OK, but there was a little bit of work involved in getting it setup just right. I don’t relish the idea of doing that another 40 or so times for the rest of my fleet.
I also don’t want all of those hosts grabbing updates at around the same time, smashing my internet link (yes, I could randomise the cron job within a time range, but I’d rather not have to).
I have a fledgling Ansible setup that I’m just starting to wrap my head around. Is that the answer? Is there something better?
Would love to hear how others are dealing with this.
Cheers!
automate it! I run unattended-upgrades on dozens of servers without any problems: [1] [2]. Configuration is actually really simple.
I use other methods for things that are not distribution packages [3], but for APT upgrades unattended-upgrades is the only correct™ solution.
Yep, I’m working on a test Ansible playbook now. Thanks for those repo links - very useful stuff in there.