Those apt commands are in a less-good order. It's usually better to update apt, then upgrade the system.
I upgrade as soon as reasonably possible after the notification appears, if the system isn't on auto-upgrade.
this post was submitted on 29 Oct 2025
103 points (99.0% liked)
Selfhosted
52888 readers
910 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
I do sudo apt update && sudo apt upgrade
Is there any reason to not combine the commands since the output always prompts prior to changes anyway?
I think their point was to make sure they are done in order, i.e. update before upgrade, not the other way around as in OPs example.
Every night at ~ 12-1am
unattended updates / transactional-update are awesome.
Stuff has been running for years, and it's still up to date.
This guy scares me
This is the way! At least install security upgrades nightly using unattended-upgrades and reboot from time to time to get the latest Kernel version.
Once per week for me. Works really great on openSUSE MicroOS. Had to roll back maybe a couple of times the last few years.
That said, I run basically everything in containers so the OS installed things are lean.
load more comments
(3 replies)
Unattended-upgrade does security-only patching once every 4 hours (in rough sync with my local mirror)
Full upgrades are done weekly, accompanied by a reboot
I find that the split between security patching and feature/bug patching maintains a healthy balance knowing when something is likely to break but never being behind on the latest cve.
For me, unattended-upgrade does it's thing. Updating other packages happens whenever I think about it. Very few things are not containerized and there's very little added beyond the base Debian install, so when I do update its maybe a dozen packages.
I would previously reboot during thunderstorms if we lost power, but now that I've got a UPS I probably ought to come up with a different plan.
Well, one of the reasons I'm using debian on my server is so I can kinda forget about it...
I'll update maybe once a month, or every couple months. I don't always restart though, so my kernel is probably a bit behind :'D
I use Debian stable and subscribe to the debian-security-announce mailing list, so I update each time I get an email from it.
load more comments
(1 replies)
lol. Same issue for me. I run it for months, and surprisingly (for me) nothing breaks at all.
But fucking ssh shows warnings regarding some "post quantum crypto" stuff; recommending software update, that was not there before lol.
That's... Not how it works.. Debian is "stable" not "secure". You use Debian so that is easier to run updates frequently since they'll be unlikely to break things.
load more comments
(7 replies)
When I remember. About once a month.
Same here. No auto updates, no touching of a stable system without my manual intervention. 😅
Last thing I need in my life is a broken system at home when I don’t have time for it!
Whenever I ssh into it.
Once a week. I have a bash script that does an apt update upgrade and pulls new docker images.
Monthly unless I learn about a vulnerability that would require it sooner.
On Windows, almost never since it was a disruptive shitshow. Now that I've got everything running Linux it's weekly. Often sooner if I happen to be remoting in and manually update.
maybe like once in 3 months. i usually update when i need to setup something new on the server that needs to install new packages.
Weekly. Cronjob.
I do it every 3 to 5 days. I usually do it when I have time to fix things if it goes south.
Only mostly when I want to. Which tends to be on Mondays and Saturdays.
I'm running Sid on servers, so automatic updates are actually a risk. Used to be Debian Stable, but maaan the docker and podman improvements.... make me drool.
I run Ubuntu Server 24.04 LTS with k3s. I update my container versions every few months, though not everything I’m running all at once. I update the actual system packages via apt maybe once a year and end up nuking and re-installing everything every couple years on average. I deliberately block all inbound WAN traffic in my firewall and use k8s network policies to aggressively limit egress WAN connections because I’m aware that I’m bad about keeping things up to date.
I SSH in and run an update manually, once a week.
I'm not knowledgable and comfortable enough to let updates happen automatically and feel like I could trust it to keep running. Not yet, anyway.
Edit: But at some point I might do what another commenter said and make sure security updates run automatically and check other updates weekly.
Automatic daily updates for system packages. Automatic daily container updates with watchtower. I normally have things pinned to a reasonable major or minor release, so I do manual upgrades for new OS release branches and usually pin to a major version for Docker containers but depends on the container.
@PlanterTree Systems facing public internet, security updates are applied daily automatically.
up to now I install all my updates manually, maybe I should look into this: how to auto-update.
Can I ask how you do that? I have some debian and fedora boxes I should configure for that
Probably every 2 months. When I have a day off work with nothing to do. I have a few VMs that are more fragile than I want to admit and if something breaks I want to have time to tinker instead of just restoring a backup.
Gentooer here. Emerge sync &; world daily at night.
Weekly a manual check for stuff that doesn't autoupdate for reasons.
Monthly / biweekly podman compose pull for containers. Manual, because i don't trust that kind of autoupdate.
Edit: opnSense updates are manual only when I remember because if it breaks, I must be at home to fix it or i lose remote access and that's bad.
On Alpine Linux I update my two Pi servers at 2 in the morning daily. It's simpler compared to Debian which needs unattended-updates. Just add apk update && apk upgrade to a cron job and you're good to go.
I only have three docker services which is simple enough to update manually.
I like to keep things as simple as possible for my already chaotic brain.
Be careful with unattended upgrades, even on alpine. A recent breaking change in python3 broke my alpine 23 ansible instance. Thankfully I have backups, but if you're going to automate the upgrade, you should automate tests as well.
My web facing server has just enough packages installed to (kinda securely) host a Caddy and Kiwix docker container to work with my domain name and make a comfortable work environment through SSH. My Pi for my HomeAssistant docker container has less because it's locked down to just my local network.
I also wrote my own install scripts so reinstalling everything and getting it back to a running state would take about 15 minutes for each device.
And I also wrote my own backup/restore scripts that evolved over 3/4 of a year. I use them often so I have confidence in those scripts.
I personally don't really care too much. I have multiple ways of dealing with issues for something that's a hobby to me. Which is why I stick to simplicity.
I'm sure this is a thing for people to worry about when dealing with more complex setups. I just wanna vibe out in my tiny corner of the internet.
Using nix :P
I update the flake every now and then via nix flake updated and then do a rebuild
Mine is set to update all the stuff I use, and the OS, automatically whenever an update is available. 🤷♂️
All services are dockerized, updated nightly.
Server OS runs a kernel-patch service for real time exploit patching.
All other updates as soon as they appear.
Yeah, sometimes I'll need to go in a repair - but that's way better than having to clean up after having been exploited due to not keeping up on security patches.
On my ubuntu I use unattended updates but that doesn't work reliably. I have to update it manually most of the time. Once every other month.
On my fedora server it auto updates every day at 4 reliably.
The next server is going to be atomic such that the server restart is even shorter (not that I would care about it at 4).
Automatic upgrades handle the security patches. Everything else maybe once a month. My big services like Nextcloud auto update as well.
Almost everything I have runs Debian or NixOS, so…….. once a month? Except for VMs I’m playing around with, which usually get updated every time I log into them, or instal stuff.
everyday to once a month, depending how often I use the server
IME usually waiting longer to apply larger updates causes more issues than smaller and more frequent ones
Every couple of days. I don't auto-update, but I've streamlined the process to the point that I can just open a single web page and see the number of pending updates for every system on my network, docker containers included, each one with a button. Clicking the button applies the update and reboots if necessary. So it takes about 15 seconds of effort to update everything, which is why I don't mind doing it so often.
podman quadlets with auto updates running on opensuse microos
im not yet self hosting a ton of services tho
view more: next ›