Still using Docker so you can upgrade most of it on every deployment. As far as the host, modern Linux distros handle security updates automatically and unattended. I do recommend having a backup replica server in standby. If you need to upgrade the kernel on the host you just change the DNS to point to your backup, wait for some time for connections to finish on your primary, then restart the primary, ensure it is stable, and change DNS back. It’s standard A/B deployment. Nothing special about it.
Technically no different from what you’d do in the cloud - have multiple of each resource so you can update them one by one while the others keep serving traffic.
Additionally, not every update needs to be applied; you need to understand your threat model and only apply updates when they actually patch something that would affect you - this cuts down on the actual number of updates that you need.
If you can't simply upgrade while your program is running, you would fire up a redundant server containing the latest version and take the one you are upgrading offline.
elwebmaster|1 year ago
Nextgrid|1 year ago
nurettin|1 year ago
sevagh|1 year ago
Same security industry convinces you to upgrade every 15 seconds and then sells you solutions for when those upgrades fuck you over.
metaltyphoon|1 year ago
lakomen|1 year ago