this post was submitted on 20 Aug 2023

Tl;dr: Automatic updates on my home server caused 8 hours of downtime of all of renn.es' docker services including email and public websites

[–] yote_zip@pawb.social 2 points 1 year ago (2 children)

Blind automatic upgrades are a bad idea even for casual home users. You could run into a Linus Tech Tips "do as I say" scenario where it uninstalls half your system due to a dependency issue. Or it could accidentally uninstall part of your system that you don't notice.

I'm not sure how stable Gentoo's default branch is but I know that daily upgrades on Arch Linux are close to suicide - you have a higher chance of installing a buggy package before it's fixed if you install every package version as it comes in.

I'm surprised this strategy was approved for a public server - it's playing with a loaded revolver and it looks like you were finally shot.

[–] skullgiver@popplesburger.hilciferous.nl 1 points 1 year ago* (last edited 11 months ago) (1 children)

[This comment has been deleted by an automated system]

[–] yote_zip@pawb.social 0 points 1 year ago (1 children)

Right, it was clearly LTT's fault for not reading, but automatic upgrades are the same thing as not reading. I've been using Linux for a very long time now, and I've seen Apt try to do some very stupid things before. Maybe it's better nowadays but I don't know if I'll ever shake the gut instinct to not allow Apt to do whatever it thinks is right.

[–] skullgiver@popplesburger.hilciferous.nl 1 points 1 year ago* (last edited 11 months ago)

[This comment has been deleted by an automated system]

[–] tarneo@lemmy.ml 0 points 1 year ago (1 children)

> I'm surprised this strategy was approved for a public server

The goal was to avoid getting hacked on a server that could have many vulnerable services (there are more than 20 services on there). When I set this up I was basically freaked out by the fact I hadn't updated Mastodon more than a week after the last critical vulnerability in it was found (arbitrary code execution on the server). The quantity of affected users, compared to the impact it would have if hacked, made me choose the option of auto-updates back then, even if I now agree it wasn't clever (and I ended up shooting myself in the foot). These days I just do updates semi-regularly and I am subscribed to mailing lists like oss-security to know there's a vulnerability as early as possible. Plus I am not the only person in charge anymore.

[–] yote_zip@pawb.social 1 points 1 year ago

I'm not a real sysadmin so take it with a grain of salt, but in all reality this is probably why you would choose something like Debian for a server instead of a bleeding-edge distro. Debian quickly backports security updates and fixes but otherwise keeps everything else stable and extremely well-tested, which pretty much 100% prevents serious bugs from reaching its Stable branch. You may still need to figure out an appropriate strategy for keeping your Mastodon container updated, but at least the rest of your system isn't at risk of causing catastrophic errors like this. Also, Debian Stable does allow you to auto-upgrade security patches only, if you still want that functionality.

[–] Moonrise2473@feddit.it 1 points 1 year ago

I don't want to seem rude, but in my opinion automated unattended updates on Gentoo are a bad idea.

[–] ReversalHatchery@beehaw.org 0 points 1 year ago* (last edited 1 year ago) (1 children)

While we are here: what do you think about unattended updates on Debian and such? (as such being derivatives, including Proxmox VE)

[–] yote_zip@pawb.social 1 points 1 year ago* (last edited 1 year ago)

I think auto-upgrading Debian Stable is probably the one exception I'd make to "no blind upgrades", though I still don't feel comfortable recommending it due to potential dependency/apt problems that could somehow happen. In the case of Debian Stable it barely ever has package upgrades anyway so I'd just do it manually once a week and it would take like 30 seconds to grab 4 packages. If you're public-facing you might want a tighter system for notifying about security upgrades, or just auto-upgrade security patches.
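
The thread's two concerns (upgrades that silently remove packages, and applying security patches only) can be turned into a pre-upgrade gate. The following is an added example, not code from any commenter: it parses the text printed by `apt-get -s dist-upgrade` and decides whether a run is safe to apply unattended. The sample output and the names `plan` and `decision` are constructed for illustration, and it assumes the security archive's origin string contains "security", as Debian's does.

```python
import re

# Constructed sample of `apt-get -s dist-upgrade` output (not from the thread).
SAMPLE = """\
Inst libssl3 [3.0.9-1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst openssl [3.0.9-1] (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
Inst tzdata [2023c-5] (2023c-5+deb12u1 Debian:12.2/stable [all])
Remv example-desktop [1.0-1]
Conf libssl3 (3.0.11-1~deb12u2 Debian-Security:12/stable-security [amd64])
"""

# "Inst <pkg> [<old>] (<new> <origins> [<arch>])"; [<old>] is absent for new installs.
INST = re.compile(r"^Inst (\S+) (?:\[(\S+)\] )?\((\S+) ([^\[\)]+?)(?: \[[^\]]+\])?\)")
REMV = re.compile(r"^Remv (\S+)")


def plan(sim_output):
    """Sort a simulated upgrade into security installs, other installs, removals."""
    result = {"security": [], "other": [], "removed": []}
    for line in sim_output.splitlines():
        m = INST.match(line)
        if m:
            name, origins = m.group(1), m.group(4)
            # Assumption: security origins are named like "Debian-Security:...".
            key = "security" if "security" in origins.lower() else "other"
            result[key].append(name)
            continue
        m = REMV.match(line)
        if m:
            result["removed"].append(m.group(1))
    return result


def decision(p):
    """Policy: never auto-apply a run that removes anything or is not security-only."""
    if p["removed"]:
        return "hold: upgrade would remove " + ", ".join(p["removed"])
    if p["other"]:
        return "notify: non-security upgrades pending"
    if p["security"]:
        return "auto-apply"
    return "nothing to do"


if __name__ == "__main__":
    print(decision(plan(SAMPLE)))
```
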