When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates?
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak a view (2-3) days delay. Many reasons
Supply chain attack
Bad Updates
... -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak Security patches installed immediately on everything. For non-security related updates on critical stuff (email, routers, etc.), I usually wait at least a couple of weeks before installing them manually. Most other things are on auto updates.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak Security -> ASAP
Minor -> I like to wait a few days so I don't deploy buggy/exploited releases, I take my time to properly review the changelog
Major -> I stay on LTS as long as possible so I have time to preare for major releases
Personally I value stability over features (unless I really them)
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak On NixOS and have a service that updates all my desktops/laptops/homeservers daily. Rarely do I have any breakage. If so, a quick search most often finds the solution (either a config change, or a bug that already has a PR merged into nixpkgs). After running Arch for 10+ years and NixOS for 3+, I've come to appreciate more frequently updating as it tends to overall reduce the cognitive load of having to fix multiple issues all at once. -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I've got a two-pronged approach. I'm subscribed to release feeds for most apps running in my Homelab. If something is a security update, it gets updated immediately.
Otherwise, I've got a regular task to update all apps running in my cluster. I then sit down, go through my list of apps, look at new releases' notes and do the update manually. I quite enjoy that as a Friday evening activity.
Infrastructure, like k8s itself or Ceph, get updated less regularly.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak@infosec.exchange everything* is devoted via gitops and I have a renovate CronJob that runs a few times a day so I get emails on updates. A few services auto-update (the automerge step only happens after a few days delay, and never for major versions)
The cluster OS is Talos and I update it when I update k8s, or in theory if they had a critical security update (less likely due to small attack surface)
The small handful of misc services get updated less frequently but I'm not really worried about dnsmasq tbh -
@zak I've got a two-pronged approach. I'm subscribed to release feeds for most apps running in my Homelab. If something is a security update, it gets updated immediately.
Otherwise, I've got a regular task to update all apps running in my cluster. I then sit down, go through my list of apps, look at new releases' notes and do the update manually. I quite enjoy that as a Friday evening activity.
Infrastructure, like k8s itself or Ceph, get updated less regularly.
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
@zak@infosec.exchange @mmeier@social.mei-home.net I am subscribed to a small number of repos when I am also interested in pre-release/beta versions, but normally I just depend on renovate
recently I've been thinking that I should figure out method to check the age of each deployed image so I cam double-check that renovate is tracking everything correctly. A handful of times the project refactored and changed an image/chart name and the applied version ended behind by a few versions.... -
@zak@infosec.exchange @mmeier@social.mei-home.net I am subscribed to a small number of repos when I am also interested in pre-release/beta versions, but normally I just depend on renovate
recently I've been thinking that I should figure out method to check the age of each deployed image so I cam double-check that renovate is tracking everything correctly. A handful of times the project refactored and changed an image/chart name and the applied version ended behind by a few versions.... -
-
@viq@social.hackerspace.pl @mmeier@social.mei-home.net @zak@infosec.exchange yeah but these are upstream images so I don't have that sort of control. Hmmmm,
podman manifest inspect ...doesn't get me a creation date
Ah, butpodman image history ...should do it! now to see how I can do that against every image in the cluster without needing to pull all of them
then any image over a certain age I'll doublecheck, ez ez -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak When I ran Kubernetes I used to manage all updates via a Renovate bot. Now that I‘m back to using a package manager to install most things, I usually just go in and run an update every few weeks, unless I notice that there‘s a particular security vulnerability there, where I will update early or, depending on what it is, temporarily firewall the affected service, etc.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
As mine are just for me and not internet visible, I don't do them right away. I tend to wait until either they *need* it, or I'm at a loose end.
-
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I am on the bleeding edge, basically always.
If something breaks and I can't instantly roll back, it's my fault.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I do it when I'm feeling up for potentially fixing things hah. So usually once or twice a month.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak mostly leave tags to latest and let it update itself regularly (once a week). For services that are crucial to my usage that can’t break I leave on a specific version and keep up-to-date on releases. If a new version appears with improvements I want or need, I update. Otherwise I leave them be. Case in point: my VPN container. I never update it, whereas my Seerr container I keep regularly updated for new changes.
-
@zak mostly leave tags to latest and let it update itself regularly (once a week). For services that are crucial to my usage that can’t break I leave on a specific version and keep up-to-date on releases. If a new version appears with improvements I want or need, I update. Otherwise I leave them be. Case in point: my VPN container. I never update it, whereas my Seerr container I keep regularly updated for new changes.
@rodrcastro What are you using for a VPN that's containerized? Or is this just something basic that you've got on a VPS and you're using that?
