When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates?
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak When I get around to it.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I do updates every Friday and, in the case of security updates, right after them becoming available.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak once a month I set aside a morning to run all my updates. It used to take me a whole day as my Proxmox host was a mess but now my system is much more streamlined I don't dread doing them like I used to! -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak a view (2-3) days delay. Many reasons
Supply chain attack
Bad Updates
... -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak Security patches installed immediately on everything. For non-security related updates on critical stuff (email, routers, etc.), I usually wait at least a couple of weeks before installing them manually. Most other things are on auto updates.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak Security -> ASAP
Minor -> I like to wait a few days so I don't deploy buggy/exploited releases, I take my time to properly review the changelog
Major -> I stay on LTS as long as possible so I have time to preare for major releases
Personally I value stability over features (unless I really them)
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak On NixOS and have a service that updates all my desktops/laptops/homeservers daily. Rarely do I have any breakage. If so, a quick search most often finds the solution (either a config change, or a bug that already has a PR merged into nixpkgs). After running Arch for 10+ years and NixOS for 3+, I've come to appreciate more frequently updating as it tends to overall reduce the cognitive load of having to fix multiple issues all at once. -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I've got a two-pronged approach. I'm subscribed to release feeds for most apps running in my Homelab. If something is a security update, it gets updated immediately.
Otherwise, I've got a regular task to update all apps running in my cluster. I then sit down, go through my list of apps, look at new releases' notes and do the update manually. I quite enjoy that as a Friday evening activity.
Infrastructure, like k8s itself or Ceph, get updated less regularly.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak@infosec.exchange everything* is devoted via gitops and I have a renovate CronJob that runs a few times a day so I get emails on updates. A few services auto-update (the automerge step only happens after a few days delay, and never for major versions)
The cluster OS is Talos and I update it when I update k8s, or in theory if they had a critical security update (less likely due to small attack surface)
The small handful of misc services get updated less frequently but I'm not really worried about dnsmasq tbh -
@zak I've got a two-pronged approach. I'm subscribed to release feeds for most apps running in my Homelab. If something is a security update, it gets updated immediately.
Otherwise, I've got a regular task to update all apps running in my cluster. I then sit down, go through my list of apps, look at new releases' notes and do the update manually. I quite enjoy that as a Friday evening activity.
Infrastructure, like k8s itself or Ceph, get updated less regularly.
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
@zak@infosec.exchange @mmeier@social.mei-home.net I am subscribed to a small number of repos when I am also interested in pre-release/beta versions, but normally I just depend on renovate
recently I've been thinking that I should figure out method to check the age of each deployed image so I cam double-check that renovate is tracking everything correctly. A handful of times the project refactored and changed an image/chart name and the applied version ended behind by a few versions.... -
@zak@infosec.exchange @mmeier@social.mei-home.net I am subscribed to a small number of repos when I am also interested in pre-release/beta versions, but normally I just depend on renovate
recently I've been thinking that I should figure out method to check the age of each deployed image so I cam double-check that renovate is tracking everything correctly. A handful of times the project refactored and changed an image/chart name and the applied version ended behind by a few versions.... -
-
@viq@social.hackerspace.pl @mmeier@social.mei-home.net @zak@infosec.exchange yeah but these are upstream images so I don't have that sort of control. Hmmmm,
podman manifest inspect ...doesn't get me a creation date
Ah, butpodman image history ...should do it! now to see how I can do that against every image in the cluster without needing to pull all of them
then any image over a certain age I'll doublecheck, ez ez -
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak When I ran Kubernetes I used to manage all updates via a Renovate bot. Now that I‘m back to using a package manager to install most things, I usually just go in and run an update every few weeks, unless I notice that there‘s a particular security vulnerability there, where I will update early or, depending on what it is, temporarily firewall the affected service, etc.
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
As mine are just for me and not internet visible, I don't do them right away. I tend to wait until either they *need* it, or I'm at a loose end.
-
@mmeier@social.mei-home.net @zak@infosec.exchange do you manually check each application? Or have a way to track release notes for all of them?
-
When it comes to your self-hosted services, what sort of attitude do you have when it comes to installing updates? Do you install them right away? Wait a week or two? Update only when absolutely necessary? And why?
(I'm typically the sort of person that likes to be using the latest release of everything, but I'm open to opinions)
@zak I am on the bleeding edge, basically always.
If something breaks and I can't instantly roll back, it's my fault.
