How to keep Ubuntu 22.04 servers updated?

Overview

As with any operating system, keeping Ubuntu 22.04 servers updated is crucial to maintain their security, stability, and functionality. Regular updates are released to fix bugs, address vulnerabilities, and enhance features. Failure to keep servers updated can lead to system crashes, data breaches, and other security risks. It is also essential to keep in mind that outdated software can become incompatible with newer applications, leading to performance issues and other problems. Regular updates ensure that your Ubuntu servers are running the latest versions of software, providing optimal performance, reliability, and security. Therefore, it is essential to keep Ubuntu 22.04 servers updated to ensure they run efficiently and securely.

Here is a step-by-step tutorial on how to keep your Ubuntu 22.04 servers updated.

Prerequisites

There are certain prerequisites that need to be met before you begin.

• Ubuntu 20.04 LTS configured on your system.

• Non-root sudo user privileges.

Get Started

To ensure that your server is able to upgrade automatically, you must make sure that all applications on the server can restart correctly after an unplanned outage or reboot. In addition to ensuring that the services are managed by the init system provided by your operating system, you should consider writing scripts that can restart these services automatically after an outage.

Step 1: Configure Automatic Updates

Using 'apt update' and 'apt upgrade' commands to perform unattended upgrades on your Ubuntu packages is a convenient way to keep your servers up to date with the latest security patches, bug fixes and updates. This automated process will download newer versions of all packages on your server, install them and then begin the upgrade process automatically.

• Update the package index:

sudo apt update

• Install the Ubuntu 'unattended-upgrades' package to automatically configure the security patches and other critical updates for the server:

sudo apt install unattended-upgrades

• Verify the status of the service:

sudo systemctl status unattended-upgrades.service

• For the majority of the packages in the Ubuntu repositories, unattended-upgrades' standard configuration will automatically download security and bug repair updates. You can further customize the unattended-upgrades service to avoid upstream modifications in case there are older versions of packages, or the server operates with third-party package repositories. To do so, modify the configuration stored in its specific file mentioned in the command.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

You will notice in the '/etc/apt/apt.conf.d/50unattended-upgrades' file that are there are certain lines of code that start with (//).

The first configuration block specifies which packages will be updated automatically and follows a template for the names of Ubuntu package repositories. The files in the core and the -security repository are scheduled for default update. Whereas the lines containing the -updates, -backports, and -proposed repositories are disabled by default due to their higher likelihood of containing modifications that could damage your existing packages.

You can remove the (//) symbols from these lines to initiate manual unattended upgrades for them.

Also, there are several options with true/false setting toggles are located in the file. For instance, packages that require a reboot to take effect after installation, a toggle is set up to automatically reboot the system after that. You just need to activate this option by removing the (//) symbol and set the value to 'true' instead of 'false'. The drawback is that this change will make your server inaccessible at random times. Make sure your users or applications can withstand downtime before enabling this option.

Save the changes to the file and close it.

• If you have changed the configuration file as specified above, apply these changes to the service by restarting it using the following command:

sudo systemctl restart unattended-upgrades.service

Step 2: Update the Kernel and Enable Livepatch

The Linux kernel is the core of Linux distributions. It contains the low-level operating system and device drivers, along with support for many high-level system software components. It handles all software functions, including hardware drivers, memory management, and file I/O operations. Kernel updates are one of the most frequent packages you will need to install on a Linux server. If your installation has become outdated or in need of major improvement, it can be problematic. Multiple vulnerabilities have been discovered in the Linux kernel over the years, and these create constant pressure to patch these systems whenever new versions become available.

Most commercial and mission-critical Linux deployments require the ability to automate their kernel updates. There are no standard mechanisms in place, but you can configure your unattended apt systems to automatically install new kernels and reboot for you in a reliable manner.

• Get a Livepatch key by registering at Canonical Livepatch Service Center as an Ubuntu user. Once the registration is successful, fetch the key and begin the installation of canonical-livepatch package using Snap (an Ubuntu package manager).

sudo snap install canonical-livepatch

• Activate canonical-livepatch by running the 'enable' command followed by the key obtained from their website:

sudo canonical-livepatch enable <your-key>

The output will display the message 'Successfully enabled device'.

• You can verify the status of the service, which should now operate automatically in the background without any intrusion:

sudo canonical-livepatch status

Conclusion

By following this tutorial, you can keep your Ubuntu 22.04 servers up-to-date and secure. It is important to regularly check for updates and install them promptly to ensure the security and stability of your server.