2

As I understand it, updating to a new kernel (with the normal linux-image... package, not by rolling my own) requires a server restart.

However, one of our servers (Ubuntu 10.04) is running several extensive screen sessions. Restarting kills those which is always a major hassle to their owners (mostly because of lost session histories).

What should I do? I see several possibilities:

  • Not doing anything, that is update only non-kernel packages (perhaps use apt-pinning?)
  • Update the kernel, but not restart. (Is that smart? I seem to remember there might be some problems with loading kernel modules.)
  • Updating the kernel and restarting.
    • Is there perhaps some way to preserve the screen sessions?

I guess it ultimately boils down to this question: How important is it to update the kernel?

I posted this question here instead of askubuntu.com as I think this is not an Ubuntu-specific issue though this server is running Ubuntu.

Christoph Wurm

4 Answers

5

You can avoid a reboot after a kernel update with ksplice. Besides that, there is no general rule to answer the question if an update is really necessary, as this depends on many factors:

  • The nature of the bugs fixed with the patch. Many updates are only specific for certain modules, hardware drivers or platforms or they concern a situation that can not occur in your system.
  • The kind of system you run: What services does it offer, how is it connected, are your users trustworthy (for the case of a possible user privilege elevation bug)?
  • What will be the effects of the bug when triggered? Will it destroy files or let everyone become root or will some unused subsystem stop working?

Ultimately, only you can decide if a certain update is important enough to warrant a reboot, but of course there is a rule of thumb: When in doubt, do the update.

Sven
  • Not so sure about last sentence but otherwise it's good advice. – Sirex Mar 21 '11 at 14:01
  • 1
    Why aren't you sure about that? I think that when someone doesn't know/understand the implications of a certain bug, he is better off having a short downtime for a maybe unnecessary update than a big one after getting rooted. If he can't afford the downtime and is not capable of this decision, he is in the wrong place anyway. – Sven Mar 21 '11 at 16:14
  • I guess it depends if someone doesn't understand the implications of the bug, or those of the fix (and the possible back-out plan). Some of my worst experiences have started by someone running an update blindly just because it was available which fixed a bug that it transpired didn't even apply. My 2 cents would be until you know the scope of the bug and of the fallout from a botched fix, don't update. Maybe I misunderstand the environment / scope, but I wouldn't advise doing anything when in doubt, esp. as a "rule of thumb". Mileage may vary. – Sirex Mar 30 '11 at 13:11
3

I think it is worthwhile to keep a system updated to fix vulnerabilities, but I wouldn't just update a kernel to update it. If you do update the kernel though, I would certainly reboot. When you run the update, it will update the boot loader so the next time it reboots it is going to load the kernel anyway (unless you modify it beforehand). It would not be a good day to have your server reboot due to a power event or someone's misuse of sudo only to find a critical application doesn't run because you needed to recompile something for the new kernel.

I do think that systems need to be run in a way that allows for updates and reboots to happen though. If you have a bunch of applications that require a user to start a service within screen, you do not have a very robust system. I would work on figuring out why those screen sessions exist, and if they really are something that needs to be started from init, or if they are because someone is being lazy.

Alex
  • This is especially fun when certain enterprise class database vendors do not ship init scripts and they have to be custom built on site. Quite a PITA to make sure everything works right, but worth it in the end. – Scott Pack Mar 20 '11 at 17:03
3

When a kernel update comes from a major vendor, one can generally assume that it will include security patches. Sometimes those patches apply to you, sometimes they don't. When deciding whether to install that update, or putting it off, you really need to look at the release notes from your vendor to determine exactly what has changed. Only then can you begin to decide what does or what does not apply to you.

In the general case, I always recommend automatic updates run at regular intervals. To that end, you should take the following measures.

  • Designate a standing maintenance window, such as every Saturday at 0000-0200 hours.
  • Perform all your updates during this time.
  • Reboot system if required by updates.

Granted, how you go through the process of getting a schedule like this set up/approved/whatever will depend on your organization. In any event, make sure to publish your schedule so that all the users will know what to expect, and stick to it. Publishing a schedule and then not following it is even worse than not having one at all.

How you go about installing and rebooting the systems is up to you, however I recommend that it be as automated as possible. That way you won't have to worry about forgetting to do an update, and if a user complains you can always point back and tell them, "No, I did not see you working on the system. This is a standing window that you know reboots may happen automatically."

Just be wary how you present the need, and how you react to the users when that happens. The last thing you want is to appear BOFH-esque.

Scott Pack
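One way to automate the "reboot system if required by updates" step from the answer above, as an added example that is not part of the original answer: it compares the running kernel with the newest image in `/boot` and only reports `reboot` inside the Saturday 0000-0200 window. It assumes a Debian/Ubuntu layout (`/boot/vmlinuz-<release>` and the `/var/run/reboot-required` flag file) and GNU `sort -V`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a pending kernel update warrants a reboot now.
# Assumptions: Debian/Ubuntu layout (/boot/vmlinuz-<release>, flag file
# /var/run/reboot-required), GNU sort -V, window = Saturday 00:00-02:00.

# Print the highest kernel release that has an image in directory $1.
# Version sort matters: plain sort would rank 2.6.32-9 above 2.6.32-30.
newest_kernel() {
    for img in "$1"/vmlinuz-*; do
        [ -e "$img" ] || continue          # glob matched nothing
        printf '%s\n' "${img##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Succeed if day-of-week $1 (1=Mon..7=Sun, as in `date +%u`) and hour $2
# (00-23, as in `date +%H`) fall inside the standing maintenance window.
in_window() {
    h=${2#0}                               # "01" -> "1", "00" -> "0"
    [ "$1" -eq 6 ] && [ "${h:-0}" -lt 2 ]
}

# Print one of: none (nothing pending), defer (pending, outside window),
# reboot (pending, inside window).
# $1 running release, $2 boot dir, $3 flag file, $4 day-of-week, $5 hour
reboot_decision() {
    newest=$(newest_kernel "$2")
    if [ -z "$newest" ] || [ "$newest" = "$1" ]; then
        # Running kernel is current; only the distro flag can still
        # request a reboot (e.g. after a libc or same-version update).
        [ -e "$3" ] || { echo none; return; }
    fi
    if in_window "$4" "$5"; then echo reboot; else echo defer; fi
}

# Report for this host; a cron job in the window could act on "reboot".
reboot_decision "$(uname -r)" /boot /var/run/reboot-required \
    "$(date +%u)" "$(date +%H)"
```

A `defer` result is the state the question asks about: the new kernel is installed and will be used at the next boot, planned or not.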
-4

I think you should / Imagine you just continue to upgrade the kernel. Later on you'll see how many users with screen sessions really complain. I mean are you root or not? Show them who is in control.

hakre
  • 1
    I am lucky that you are not my system administrator... – Lekensteyn Mar 20 '11 at 16:03
  • 1
    [BOFH](http://www.theregister.co.uk/odds/bofh/) – hakre Mar 20 '11 at 16:18
  • 1
    Please read the FAQ. Especially the part about this site being for professionals. Your attitude is about as unprofessional as it is possible to be. Kind of explains why you're not an admin. – John Gardeniers Mar 21 '11 at 11:31
  • BOFH was ironic. **When in doubt, do the update.** I don't think that such a response is unprofessional. I read the asker's question that he does not know what to do, and I wanted to push on the social side so he can better decide on it. If other users are related to this on his machine, he needs to make such a decision sooner or later anyway. If you don't like the outcome, you must take precautions, and that's all that has been quickly said with my answer. – hakre Mar 21 '11 at 13:56