Regularly updating your Virtual Machine (VM) is essential to ensure security, stability, and performance. Operating system vendors release updates to fix vulnerabilities, improve reliability, and provide new features. Keeping your VM current reduces the risk of security incidents and ensures compatibility with EWC services and tools.
This page outlines the general practices for maintaining an up‑to‑date VM, regardless of the operating system or workload running on it.
Security: Patches fix vulnerabilities that could be exploited by attackers.
Stability: Updates improve system reliability and fix known bugs.
Performance: New kernels, drivers, and libraries often bring optimizations.
Supportability: Outdated releases fall outside the vendor's support window, after which they receive no further fixes.
Not every VM needs the same update strategy. It depends on how exposed it is and who can access it.
Highly exposed VMs. Examples:
Publicly exposed services (SSH, web servers, APIs)
Internet‑facing workloads
Multi‑tenant or externally accessible systems
Recommendation: Enable automatic security updates and patch quickly. Attackers scan continuously for known vulnerabilities.
Shared internal VMs. Examples:
Internal VMs used by several users or teams
Shared internal services
Recommendation: Enable automatic security updates; apply full updates regularly.
Low-exposure VMs. Examples:
Internal VMs used only by a trusted team
Stable workloads where uptime is more important than new features
Recommendation: Update regularly, but you may choose to schedule updates during maintenance windows.
Updates improve security, but they can occasionally break applications or dependencies. A practical approach is:
Security updates → apply automatically
Feature updates → apply when you have time to test or roll back
Major upgrades → snapshot first
This balance keeps your VM secure without risking unexpected downtime.
Enabling automatic security updates is the single most effective way to reduce exposure to known vulnerabilities.
Rocky Linux: use dnf-automatic or vendor‑specific tooling
Ubuntu: use unattended-upgrades
Automatic security updates ensure critical patches are applied even if you forget or are unavailable.
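The following script is an added example, not part of the EWC documentation, showing how to turn on security-only automatic updates on either distribution. It assumes the stock dnf-automatic and unattended-upgrades packages and their default config file locations; the helper functions take file paths as parameters so they can be tried on a copy before the script is run as root.

```shell
#!/bin/sh
# Added example: enable automatic security updates on Rocky Linux or Ubuntu.
# Run as root to apply:  sudo sh enable-security-updates.sh --apply
# Without --apply the file only defines the functions.
set -eu

# Print the distribution ID (rocky, ubuntu, ...) from an os-release file.
detect_distro() {
  file="${1:-/etc/os-release}"
  # Source in a subshell so the file's variables do not leak into this shell.
  ( . "$file" && printf '%s\n' "${ID:-unknown}" )
}

# Rocky Linux: restrict dnf-automatic to security errata and let it apply
# them. dnf-automatic.timer then runs with these settings once a day.
configure_dnf_automatic() {
  conf="${1:-/etc/dnf/automatic.conf}"
  sed -i \
    -e 's/^upgrade_type *=.*/upgrade_type = security/' \
    -e 's/^apply_updates *=.*/apply_updates = yes/' \
    "$conf"
}

# Ubuntu: apt.conf snippet that makes the daily apt timers refresh package
# lists and run unattended-upgrades. The package's default
# 50unattended-upgrades file already limits it to the -security pocket.
apt_periodic_conf() {
  cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Install, configure and start the right tooling for this VM (needs root).
enable_auto_security_updates() {
  case "$(detect_distro)" in
    rocky|rhel|almalinux)
      dnf install -y dnf-automatic
      configure_dnf_automatic /etc/dnf/automatic.conf
      systemctl enable --now dnf-automatic.timer
      ;;
    ubuntu|debian)
      apt-get update
      DEBIAN_FRONTEND=noninteractive apt-get install -y unattended-upgrades
      apt_periodic_conf > /etc/apt/apt.conf.d/20auto-upgrades
      systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
      ;;
    *)
      echo "unsupported distribution: $(detect_distro)" >&2
      return 1
      ;;
  esac
}

if [ "${1:-}" = "--apply" ]; then
  enable_auto_security_updates
fi
```

After applying, confirm the timer is active with `systemctl list-timers dnf-automatic.timer` (Rocky) or `systemctl list-timers 'apt-daily*'` (Ubuntu), and check the next run's log before relying on it.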
Even with automatic security updates enabled, you should still apply full system updates periodically.
Rocky Linux:
sudo dnf update -y
Ubuntu:
sudo apt update && sudo apt upgrade -y
Kernel, driver, and low‑level library updates often require a reboot before they take effect: the old kernel and already-loaded libraries stay in use until then. Check for a pending reboot with needs-restarting -r (Rocky Linux, from the dnf-utils package) or the presence of /var/run/reboot-required (Ubuntu), and plan maintenance windows to reboot safely.
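As an added example (not from the EWC documentation), the script below runs the full update and then reports whether the VM still needs a reboot, using the Ubuntu marker file, needs-restarting on Rocky Linux, and a package-manager-independent comparison of the running kernel against the newest installed one. The marker path and the kernel list are parameters so the checks can be exercised without touching the system.

```shell
#!/bin/sh
# Added example: apply a full system update and report whether a reboot is
# pending. Run as root to apply:  sudo sh full-update.sh --apply
set -eu

distro_id() {
  ( . "${1:-/etc/os-release}" && printf '%s\n' "${ID:-unknown}" )
}

# Apply all pending updates with the distribution's package manager.
full_update() {
  case "$(distro_id)" in
    rocky|rhel|almalinux) dnf upgrade -y ;;
    ubuntu|debian)
      apt-get update
      # full-upgrade, unlike upgrade, may remove packages to satisfy new
      # dependencies, which new kernel metapackages occasionally require.
      DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -y ;;
    *) echo "unsupported distribution" >&2; return 1 ;;
  esac
}

# Ubuntu drops a marker file when an update needs a reboot.
# Returns 0 if a reboot is pending, 1 otherwise.
reboot_required_ubuntu() {
  marker="${1:-/var/run/reboot-required}"
  [ -f "$marker" ]
}

# Rocky: needs-restarting -r (package dnf-utils) exits 1 when the running
# kernel or core services are older than what is installed.
reboot_required_rocky() {
  if ! command -v needs-restarting >/dev/null 2>&1; then
    echo "install dnf-utils to get needs-restarting" >&2
    return 2
  fi
  ! needs-restarting -r >/dev/null
}

# Fallback usable anywhere: is the running kernel the newest one installed?
# Argument: running version (uname -r); stdin: installed versions, one per line.
running_kernel_is_latest() {
  running="$1"
  newest="$(sort -V | tail -n 1)"
  [ "$running" = "$newest" ]
}

if [ "${1:-}" = "--apply" ]; then
  full_update
  case "$(distro_id)" in
    ubuntu|debian) pending=reboot_required_ubuntu ;;
    *)             pending=reboot_required_rocky ;;
  esac
  if "$pending"; then echo "reboot required"; else echo "no reboot required"; fi
  # Kernel comparison, shown for Rocky; on Ubuntu list /boot/vmlinuz-* instead.
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel-core \
      | running_kernel_is_latest "$(uname -r)" || echo "newer kernel installed, reboot to use it"
  fi
fi
```

On Ubuntu the equivalent kernel list is `ls /boot/vmlinuz-* | sed 's#.*/vmlinuz-##'`, which produces the same version strings as uname -r.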
Applications depend on system libraries. Updating them ensures compatibility and reduces vulnerabilities.
Installing software manually (curl | bash scripts, custom installers, random binaries) makes updates harder and increases security risk.
Prefer:
apt / dnf packages
Vendor repositories
Containerized tools
Well‑maintained package managers (pip, conda, uv) inside virtual environments
This keeps your system maintainable and reduces breakage during upgrades.
End‑of‑life operating systems no longer receive security updates. Plan migrations before the vendor support window ends.
Use built‑in tools or configuration management systems to track pending updates. This is especially important for environments where automatic updates are disabled.
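An added example, not from the EWC documentation, of the built-in check in script form: it counts pending updates (and, on Ubuntu, how many come from the security pocket) so the figure can be exported to monitoring or run from cron. The parsers read package-manager output from stdin and are exercised here on constructed samples; the live function shells out to dnf or apt on the VM itself.

```shell
#!/bin/sh
# Added example: count pending updates for monitoring. The parsers take
# package-manager output on stdin so they can be tested on captured samples.
set -eu

# Constructed sample of `apt list --upgradable` output (Ubuntu).
SAMPLE_APT='Listing...
openssl/jammy-security 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.14]
vim/jammy-updates 2:8.2.3995-1ubuntu2.16 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.15]'

# Constructed sample of `dnf -q check-update` output (Rocky Linux).
SAMPLE_DNF='openssl.x86_64                 1:3.0.7-27.el9_3            baseos
kernel-core.x86_64             5.14.0-427.13.1.el9_4       baseos
Obsoleting Packages
grub2-tools.x86_64             1:2.06-77.el9_4             baseos
    grub2-tools.x86_64         1:2.06-70.el9_3             @baseos'

# All upgradable packages in apt output. The "Listing..." header is skipped
# because it carries no "[upgradable from:" marker.
count_apt_upgradable() {
  grep -c '\[upgradable from:' || true
}

# Only those served from a -security pocket (e.g. jammy-security).
count_apt_security() {
  grep '\[upgradable from:' | grep -c '^[^ ]*/[^ ]*-security ' || true
}

# Package lines in dnf check-update output look like "name.arch version repo".
# Stop at "Obsoleting Packages": those lines describe replacements already
# counted above, not additional updates.
count_dnf_updates() {
  awk '/^Obsoleting Packages/ { exit }
       NF == 3 && $1 ~ /\./ { n++ }
       END { print n + 0 }'
}

# Live check for this VM. dnf check-update exits 100 when updates exist and
# 1 on error, so the exit code is inspected rather than silenced.
pending_updates() {
  case "$( . /etc/os-release && printf '%s' "${ID:-}")" in
    rocky|rhel|almalinux)
      if out=$(dnf -q check-update); then rc=0; else rc=$?; fi
      [ "$rc" -ne 1 ] || { echo "dnf check-update failed" >&2; return 1; }
      printf '%s\n' "$out" | count_dnf_updates
      ;;
    ubuntu|debian)
      # apt-get update needs root; without it the count is from a stale list.
      apt-get update -qq >/dev/null 2>&1 || echo "apt-get update failed, list may be stale" >&2
      apt list --upgradable 2>/dev/null | count_apt_upgradable
      ;;
    *) echo "unsupported distribution" >&2; return 1 ;;
  esac
}

if [ "${1:-}" = "--live" ]; then
  printf 'pending updates: %s\n' "$(pending_updates)"
fi
```

Run it as `sudo sh pending-updates.sh --live`; a non-zero count on a VM with automatic updates disabled is the signal to schedule a maintenance window.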
Before kernel upgrades, distribution upgrades, or large package updates, take a VM snapshot. This allows quick rollback if something breaks.
In addition to the operating system, certain applications and tools installed on your VM must also be kept up to date to ensure security and compatibility.
Common components in EWC environments requiring regular updates:
Docker / container runtime
Kubernetes CLI tools (kubectl, helm, kustomize)
Python environments (pip, uv, pipenv, conda)
OpenBao CLI (bao / vault)
Ansible and automation tooling
Monitoring agents or exporters