security updates with vestacp Topic is solved

[starase]

hi guys,
I'm running happily 2 servers with vestaCP (1.0.0) onboard
I was wondering if there is or if you've come up with any recommendations on how to handle security updates
I tend to update my servers by getting the security mainstream channel instead of upgrading them
this is how it looks like one of the main vestaCP servers:

Code: Select all

apt list --upgradable | grep "bionic-security"

busybox-initramfs/bionic-updates,bionic-security 1:1.27.2-2ubuntu3.4 amd64 [upgradable from: 1:1.27.2-2ubuntu3.3]
busybox-static/bionic-updates,bionic-security 1:1.27.2-2ubuntu3.4 amd64 [upgradable from: 1:1.27.2-2ubuntu3.3]
imagemagick/bionic-updates,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 amd64 [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
imagemagick-6-common/bionic-updates,bionic-updates,bionic-security,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 all [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
imagemagick-6.q16/bionic-updates,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 amd64 [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
libglib2.0-0/bionic-updates,bionic-security 2.56.4-0ubuntu0.18.04.9 amd64 [upgradable from: 2.56.4-0ubuntu0.18.04.8]
libglib2.0-data/bionic-updates,bionic-updates,bionic-security,bionic-security 2.56.4-0ubuntu0.18.04.9 all [upgradable from: 2.56.4-0ubuntu0.18.04.8]
libmagickcore-6.q16-3/bionic-updates,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 amd64 [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
libmagickcore-6.q16-3-extra/bionic-updates,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 amd64 [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
libmagickwand-6.q16-3/bionic-updates,bionic-security 8:6.9.7.4+dfsg-16ubuntu6.12 amd64 [upgradable from: 8:6.9.7.4+dfsg-16ubuntu6.11]
libpython3.6/bionic-updates,bionic-security 3.6.9-1~18.04ubuntu1.6 amd64 [upgradable from: 3.6.9-1~18.04ubuntu1.4]
libpython3.6-minimal/bionic-updates,bionic-security 3.6.9-1~18.04ubuntu1.6 amd64 [upgradable from: 3.6.9-1~18.04ubuntu1.4]
libpython3.6-stdlib/bionic-updates,bionic-security 3.6.9-1~18.04ubuntu1.6 amd64 [upgradable from: 3.6.9-1~18.04ubuntu1.4]
libseccomp2/bionic-updates,bionic-security 2.5.1-1ubuntu1~18.04.2 amd64 [upgradable from: 2.5.1-1ubuntu1~18.04.1]
linux-generic/bionic-updates,bionic-security 4.15.0.166.155 amd64 [upgradable from: 4.15.0.162.151]
linux-headers-generic/bionic-updates,bionic-security 4.15.0.166.155 amd64 [upgradable from: 4.15.0.162.151]
linux-image-generic/bionic-updates,bionic-security 4.15.0.166.155 amd64 [upgradable from: 4.15.0.162.151]
linux-libc-dev/bionic-updates,bionic-security 4.15.0-166.174 amd64 [upgradable from: 4.15.0-162.170]
python3.6/bionic-updates,bionic-security 3.6.9-1~18.04ubuntu1.6 amd64 [upgradable from: 3.6.9-1~18.04ubuntu1.4]
python3.6-minimal/bionic-updates,bionic-security 3.6.9-1~18.04ubuntu1.6 amd64 [upgradable from: 3.6.9-1~18.04ubuntu1.4]

I do not want to mess vesta packages up and that's why I'm asking if you have gotten the same experience
I was thinking of locking down vesta-* versions or something like that
any thought would be appreciated
thank you

[sandro]

I use CentOS, so OS updates I leave it to the yum-cron service to check and apply the new packages.

When the Kernel is updated, I reboot the server.

In the case of Vesta, I disable auto-update, because I prefer to do tests first - on a test server - before applying to production servers.

The last Vesta update (0.9.8 -> 1.0.0) was very problematic and I am now adopting this policy.

[starase]

hey sandro,
thanks for getting back to me

I will use a combination of our approach in terms of updates
I do like the idea to disable vestaCP updates and I will also make sure that the machine will get only security updates as long as they are going to be available

this balance should give me a good compromise in terms of security and stability
hope this thread will help anyone who is interested in creating efficient ways to handle our vestaCP servers