Linux – Should I update the kernel on a Linux machine

aptdebiangnu-screenkernellinux

As I understand it, updating to a new kernel (with the normal linux-image... package, not by rolling my own) requires a server restart.

However, one of our servers (Ubuntu 10.04) is running several extensive screen sessions. Restarting kills those which is always a major hassle to their owners (mostly because of lost session histories).

What should I do? I see several possibilites:

Not doing anything, that is update only non-kernel packages (perhaps use apt-pinning?)
Update the kernel, but not restart. (Is that smart? I seem to remember there might be some problems with loading kernel modules.)
Updating the kernel and restarting.
- Is there perhaps some way to preserve the screen sessions?

I guess it ultimately boils down to this question:
How important is it to update the kernel?

_{I posted this question here instead of askubuntu.com as I think this is not an Ubuntu-specific issue though this server is running Ubuntu.}

Best Answer

You can avoid a reboot after a kernel update with ksplice. Beside that, there is no general rule to answer the question if a update is really necessary, as this depends on many factors:

The nature of the bugs fixed with the patch. Many updates are only specific for certain modules, hardware drivers or platforms or they concern a situation that can not occur in your system.
The kind of system you run: What services does it offer, how is it connected, are your users trustworthy (for the case of a possible user privilege elevation bug)?
What will be the effects of the bug when triggered? Will it destroy files or let everyone become root or will some unused subsystem stop working?

Ultimately, only you can decide if a certain update is important enough to warrant a reboot, but of course their is a rule of thumb: When in doubt, do the update.

Related Solutions

Linux – How Often Should I Update our Linux Server

I run apt-get update -qq; apt-get upgrade -duyq daily. This will check for updates, but not do them automatically.

Then I can run the upgrades manually while I am watching, and can correct anything that might go wrong.

Besides the security concerns of maintaining a patched system, I find that if I leave it too long between patches, I end up with a whole bunch of packages that want to be upgraded, and that scares me a-lot more than just upgrading one or two every week or so. Therefore I tend to run my upgrades weekly, or if they are high priority, daily. This has the added advantage of knowing which package broke your system (ie. if you're only upgrading a couple at a time)

I always upgrade less critical systems first. I also have a "rollback plan" in place in case I can't fix the system. (since most of our servers are virtual, this rollback plan usually consists of taking a snapshot before the upgrade that I can revert to if necessary)

That being said, I think an upgrade has broken something only once or twice in the past 4 years, and that was on a highly customized system - so you don't have to be TOO paranoid :)

Is it Important to Reboot Linux After a Kernel Update?

There is nothing really special about having a long uptime. It is generally better to have a secure system. All systems need updates at some point. You are probably already applying updates, do you schedule outages when you apply those updates? You probably should just in case something goes wrong. A reboot shouldn't that that much time really.

If your system is so sensitive to outages, you probably should be thinking about some kind of clustering setup so you update a single member of the cluster without bringing everything down.

If you are not sure about a particular update it is probably safer to schedule a reboot and apply it (preferably after testing it on another similar system).

If you are interested in learning about if the update is important take time to read the security notice, and follow the links back to the CVE or the posts/lists/blogs describing the issue. This should help you decide if the update directly applies in your case.

Even if you don't think it applies you should still consider updating your system eventually. Security is a layered approach. You should assume at some point in time those other layers may fail. Also, you might forget you have a vulnerable system because you skipped an update when you change the configuration at some later point in time.

Anyway if you want to ignore or wait for a while on update on Debian based systems you can put the package on hold. I personally like to put holds on all the kernel packages just in case.

CLI method to set a hold on a package on Debian-based systems.

dpkg --get-selections | grep 'linux-image' | sed -e 's/install/hold/' | sudo dpkg --set-selections

Best Answer

Related Solutions

Linux – How Often Should I Update our Linux Server

Is it Important to Reboot Linux After a Kernel Update?

Related Topic