
Regularly updating your Virtual Machine (VM) is essential to ensure security, stability, and performance. Operating system vendors release updates to fix vulnerabilities, improve reliability, and provide new features. Keeping your VM current reduces the risk of security incidents and ensures compatibility with EWC services and tools.

This page outlines the general practices for maintaining an up‑to‑date VM, regardless of the operating system or workload running on it.

Why Updates Matter

  • Security: Patches fix vulnerabilities that could be exploited by attackers.

  • Stability: Updates improve system reliability and fix known bugs.

  • Performance: New kernels, drivers, and libraries often bring optimizations.

  • Supportability: Outdated systems may fall outside support.


Before You Start: Understand Your Risk Profile

Not every VM needs the same update strategy. The right strategy depends on how exposed the VM is and who can access it.

High‑risk environments

Examples:

  • Publicly exposed services (SSH, web servers, APIs)

  • Internet‑facing workloads

  • Multi‑tenant or externally accessible systems

Recommendation: Enable automatic security updates and patch quickly. Attackers scan continuously for known vulnerabilities.

Medium‑risk environments

Examples:

  • Internal VMs used by several users or teams

  • Shared internal services

Recommendation: Enable automatic security updates; apply full updates regularly.

Low‑risk environments

Examples:

  • Internal VMs used only by a trusted team

  • Stable workloads where uptime is more important than new features

Recommendation: Update regularly, but you may choose to schedule updates during maintenance windows.


Balancing Security and Stability

Updates improve security, but they can occasionally break applications or dependencies. A practical approach is:

  • Security updates → apply automatically

  • Feature updates → apply when you have time to test or roll back

  • Major upgrades → snapshot first

This balance keeps your VM secure without risking unexpected downtime.


General Good Practices

1. Enable Automatic Security Updates (Recommended)

This is the single most effective way to reduce exposure to known vulnerabilities.

  • Rocky Linux: use dnf-automatic or vendor‑specific tooling

  • Ubuntu: use unattended-upgrades

Automatic security updates ensure critical patches are applied even if you forget or are unavailable.


2. Apply OS Updates Regularly

Even with automatic security updates enabled, you should still apply full system updates periodically.

  • Rocky Linux: 

    sudo dnf update -y

  • Ubuntu: 

    sudo apt update && sudo apt upgrade -y


3. Reboot When Required

Kernel, driver, and low‑level library updates often require a reboot. Plan maintenance windows to reboot safely.


4. Keep System Packages and Libraries Updated

Applications depend on system libraries. Updating them ensures compatibility and reduces vulnerabilities.


5. Avoid Installing Software Outside the Package Manager

Installing software manually (curl | bash scripts, custom installers, random binaries) makes updates harder and increases security risk.

Prefer:

  • apt / dnf packages

  • Vendor repositories

  • Containerized tools

  • Well‑maintained package managers (pip, conda, uv) inside virtual environments

This keeps your system maintainable and reduces breakage during upgrades.


6. Remove Unsupported or End‑of‑Life OS Versions

End‑of‑life operating systems no longer receive security updates. Plan migrations before the vendor support window ends.


7. Monitor Available Updates

Use built‑in tools or configuration management systems to track pending updates. This is especially important for environments where automatic updates are disabled.
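One way to check these points from the shell, as an added example that is not part of the original page or of EWC tooling. The ROOT variable, the function names and the script name in the final comment are assumptions of this example; the file paths and exit codes are the standard ones for unattended-upgrades, dnf-automatic, apt and dnf.

```shell
#!/bin/sh
# Added example, not from the original page: update-posture checks for Ubuntu
# and Rocky Linux. ROOT and the function names are assumptions of this example;
# ROOT is a path prefix (mounted image or test tree), empty = the live system.
ROOT="${ROOT:-}"

# Ubuntu: apt reads apt.conf.d in lexical order and the last setting wins,
# so a later file with "0" silently turns unattended-upgrades off.
ubuntu_auto_updates_enabled() {
    grep -Ehs '^[[:space:]]*APT::Periodic::Unattended-Upgrade[[:space:]]' \
        "$ROOT"/etc/apt/apt.conf.d/* | tail -n 1 | grep -Eq '"[1-9][0-9]*"'
}

# Rocky: dnf-automatic only downloads unless apply_updates is enabled.
# Its systemd timer must be enabled too; that is not checked here.
rocky_auto_updates_enabled() {
    grep -Eiqs '^[[:space:]]*apply_updates[[:space:]]*=[[:space:]]*(yes|true|1|on)[[:space:]]*$' \
        "$ROOT/etc/dnf/automatic.conf"
}

# Ubuntu creates this flag file when an installed update needs a reboot.
ubuntu_reboot_required() { [ -e "$ROOT/var/run/reboot-required" ]; }

# Count security-pocket entries in `apt list --upgradable` output on stdin
# (lines look like "pkg/suite-updates,suite-security version arch [...]").
count_apt_security() { grep -Ec '^[^/[:space:]]+/[^[:space:]]*-security' || true; }

report() {
    if [ -d "$ROOT/etc/apt/apt.conf.d" ]; then
        ubuntu_auto_updates_enabled && echo "auto-updates: on" || echo "auto-updates: OFF"
        ubuntu_reboot_required && echo "reboot: required" || echo "reboot: not required"
        if command -v apt >/dev/null 2>&1; then
            echo "pending security updates: $(apt list --upgradable 2>/dev/null | count_apt_security)"
        fi
    elif [ -f "$ROOT/etc/dnf/dnf.conf" ]; then
        rocky_auto_updates_enabled && echo "auto-updates: on" || echo "auto-updates: OFF"
        if command -v dnf >/dev/null 2>&1; then
            # dnf check-update exits 100 when updates are pending, 0 when none.
            rc=0; dnf -q check-update --security >/dev/null 2>&1 || rc=$?
            case "$rc" in 100) echo "security updates: pending";; 0) echo "security updates: none";;
                *) echo "security updates: check failed";; esac
        fi
    fi
}

# Print the report only when invoked as: sh update-posture.sh report
if [ "${1:-}" = "report" ]; then report; fi
```

The package counts depend on the package lists being fresh, so run it after the periodic metadata refresh or after `sudo apt update`.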


8. Snapshot Before Major Upgrades

Before kernel upgrades, distribution upgrades, or large package updates, take a VM snapshot. This allows quick rollback if something breaks.


Application‑Level Updates

In addition to the operating system, certain applications and tools installed on your VM must also be kept up to date to ensure security and compatibility.

Common components in EWC environments requiring regular updates:

  • Docker / container runtime

  • Kubernetes CLI tools (kubectl, helm, kustomize)

  • Python environments (pip, uv, pipenv, conda)

  • OpenBao CLI (bao / vault)

  • Ansible and automation tooling

  • Monitoring agents or exporters

You can find specific update guides below: 
