Tl;dr: Automatic updates on my home server caused 8 hours of downtime of all of renn.es’ docker services including email and public websites

  • ReversalHatchery@beehaw.org
    link
    fedilink
    arrow-up
    5
    ·
    edit-2
    1 year ago

    While we are here: what do you think about unattended updates on Debian and such? (as such being derivatives, including Proxmox VE)

    • tarneo@lemmy.mlOP
      link
      fedilink
      arrow-up
      6
      ·
      1 year ago

      Unattended updates are 10x better because those programs allow you to only do security updates. Plus they are much more stable, and something like this would never happen on a stable distro.

  • thisisawayoflife@lemmy.world
    link
    fedilink
    arrow-up
    2
    ·
    1 year ago

    What is the reason to shy away from Ubuntu? It is pretty solid in terms of automatic updating and rebooting. I used to be hardcore centos but I gave up after all of the hubbub around 8. I just need to server to update, reboot when necessary and keep running all my stuff so I don’t have to touch it. In my old age, I don’t care to tinker anymore - I just want my services running and I want reports given to me about health and status.

    Also, if you’re concerned about privilege escalation, running a MAC is probably a good idea. SELinux saved my hide one a dozen years ago with a php bug where I did not sandbox an app properly. Thankfully, SELinux caught this and prevented anything bad from happening.

    • tarneo@lemmy.mlOP
      link
      fedilink
      arrow-up
      1
      ·
      1 year ago

      what is the reason you shy away from ubuntu? Canonical. Snaps. Ubuntu is the first server OS I used, and while it was quite good I think I prefer using a base distrobox instead of a derivative. If I’m going to use Debian, I’ll use Debian. Not Debian with corporate stuff on top.

      As for SELinux: I’ve tried around a year ago. But as soon as I started doing stuff with users and tweaking docker permissions things went wrong and I just set it to permissive. Maybe I’ll try that again soon, because other parts of managing servers have become much easier over time as I learned. I agree that having a server without SELinux is quite dumb and not very professional.

      • thisisawayoflife@lemmy.world
        link
        fedilink
        arrow-up
        1
        ·
        1 year ago

        Permissive mode is definitely a life saver. My path was usually exercising the application in permissive mode for a few days then running the SELinux scanner on the log file to determine what roles needed to be setup. Same with the Debian/Ubuntu equivalent.

        Good luck!

  • Yote.zip@pawb.social
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Blind automatic upgrades are a bad idea even for casual home users. You could run into a Linus Tech Tips “do as I say” scenario where it uninstalls half your system due to a dependency issue. Or it could accidentally uninstall part of your system that you don’t notice.

    I’m not sure how stable Gentoo’s default branch is but I know that daily upgrades on Arch Linux is close to suicide - you have a higher chance of installing a buggy package before it’s fixed if you install every package version as it comes in.

    I’m surprised this strategy was approved for a public server - it’s playing with a loaded revolver and it looks like you were finally shot.