What is the best practice to keep a linux ubuntu server up to date (build packages, dist-upgrade, alt repos...)

Solution 1:

Maintaining your own distribution is a lot of work. Even if you maintain the backports, you will soon be overwhelmed by security issues to fix, and have to pull low-level libraries to keep updating your software, which might break other things (I maintain servers running 6-year-old distros, it's not fun).

Upgrading is generally a good solution. do-release-upgrade is well made, and you should be able to upgrade without issues (especially if you only used official packages).

My favourite solution though might be the reinstall path. More specifically, your servers should be managed using a configuration management system such as Puppet, Cfengine or Chef. If all your configuration/package needs are specified using such a tool and your data are safe on a separate partition, it's much easier to reinstall quickly. You just install a new distribution without erasing the data partitions, and then run the configuration management tool to reset your packages/configurations. I believe this is the cleanest way to do it, especially if you have several servers to manage.

If you are using non-official packages, you might want to identify them before you upgrade/reinstall. maintenance-check can help you identify the packages that are not officially maintained by Ubuntu:

$ bzr branch lp:ubuntu-maintenance-check
$ cd ubuntu-maintenance-check
$ ./maintenance-check -f n

If you want to reinstall, you can also export the list of installed packages:

$ dpkg --get-selections > myinstall.txt

and your debconf database:

$ debconf-get-selections > debconf.txt # from the debconf-utils package

As a note, since you're currently using Karmic, it might not be too violent to upgrade to Lucid, which is an LTS release, still supported until 2015 for the main server packages. This should leave you enough time to set up a viable automated installation for the future.

When you ask about Launchpad packages, I suppose you mean PPAs. There are tons of different PPAs. Some are experimental, some are stable. Some are maintained by official Ubuntu developers, some are maintained by people who hardly know how to do a package properly. It's hard to say in general if packages you find on PPAs are good, there's no general rule. The best hint in this case might be to look at the owner of the PPAs to get an idea of the possible quality of their packages.
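One way to do the "identify non-official packages" step from above without maintenance-check, as an added example that is not part of this answer: a Python script that parses apt-cache policy output (the sample below is constructed) and reports, for each installed package, whether its installed version is available from the Ubuntu archive, a PPA, some other repository, or only from the local dpkg database (a hand-installed .deb that a reinstall would silently drop). The host names treated as official and the collection command in the first comment are my assumptions.

```python
# Added example (not from the answer): parse `apt-cache policy` output and flag packages
# whose installed version did not come from the Ubuntu archive. Real input (assumption):
#   apt-cache policy $(dpkg-query -W -f '${Package}\n') > policy.txt
UBUNTU_HOSTS = ("archive.ubuntu.com", "security.ubuntu.com")

def origin_kind(source):  # classify one repository URL from a "Version table" entry
    host = source.split("//", 1)[-1].split("/", 1)[0]
    if host in UBUNTU_HOSTS or host.endswith(".archive.ubuntu.com"):
        return "ubuntu"  # official archive or a country mirror
    return "ppa" if host == "ppa.launchpad.net" else "third-party"

def parse_policy(text):  # -> {package: [repo URLs that offer the installed version]}
    result, pkg, in_installed = {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace() and line.endswith(":"):
            pkg, in_installed, result[line[:-1]] = line[:-1], False, []
        elif line.startswith("  Installed: (none)"):
            result.pop(pkg, None)  # not installed (removed, config left behind): skip
        elif line.startswith(" *** "):
            in_installed = True  # entries that follow belong to the installed version
        elif line.startswith("        ") and in_installed and pkg in result:
            source = line.split()[1]
            if source != "/var/lib/dpkg/status":  # dpkg's own database is not a repo
                result[pkg].append(source)
        elif line.startswith("     "):
            in_installed = False  # a different version's block starts here
    return result

def classify_packages(policy_text):  # -> {package: ubuntu|ppa|third-party|local-only}
    verdict = {}
    for pkg, sources in parse_policy(policy_text).items():
        kinds = {origin_kind(s) for s in sources}
        if not kinds:
            verdict[pkg] = "local-only"  # only in dpkg status: a hand-installed .deb
        elif "ubuntu" in kinds:
            verdict[pkg] = "ubuntu"
        else:
            verdict[pkg] = "ppa" if "ppa" in kinds else "third-party"
    return verdict

SAMPLE_POLICY = """\
php5:
  Installed: 5.3.10-1ppa1
  Version table:
 *** 5.3.10-1ppa1 0
        500 http://ppa.launchpad.net/example/php/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
inhouse-agent:
  Installed: 1.2-1
  Version table:
 *** 1.2-1 0
        100 /var/lib/dpkg/status
"""  # constructed sample in apt-cache policy layout, not real server output
```

Everything classify_packages does not mark as "ubuntu" is the list to review (and to re-source or rebuild) before the upgrade or reinstall.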

Solution 2:

If the server is not exposed to the world, and you trust your users absolutely (generally that's not a good idea), then if it's working, you could just leave it be.

If it is in any way exposed to the outside world, and/or you entertain the idea of a legitimate user playing with it in an illegitimate way, then you absolutely need fixes and patches to your installed software.

In this case, you have two options:

  1. Run a supported distribution, and get updates to your software, or

  2. Backport all fixes to your unsupported distribution, which, frankly speaking, doesn't seem feasible.

I'm not an Ubuntu user, so I cannot comment on the completeness of patches you'd get through your option 3, but if you have any doubt, I'd assume you won't have complete coverage.

The best solution is to move to an LTS version of Ubuntu, which will give you support for the given package versions for some time to come. In time, some of the packages will be outdated, but your environment will have security patches and will be stable (no package version bumps). From my experience, stability of a known working environment is usually more valuable than new features.

It seems that your current position is not maintainable, and you have to move. The only safe way is to get a second machine (or a virtual machine) and to test migrations until you have a repeatable successful procedure, then apply it to the production machine. If you use your backups to do test migrations you'll have a good opportunity to test your backup procedures too.


Solution 3:

The only real way forward is a distribution upgrade. I can understand you being nervous about that, since by now you will be jumping several releases ahead (11.04 has just been released).

I would recommend making a clone of the drives in this machine and then using a separate computer to run with the clones, and using that to do a series of test upgrades. Make notes of all the issues encountered and repeat until you have a clear procedure for all of them. Then apply this to your live server.

If you cannot afford any downtime, then migration is your only way out. Forget about the pinning and backports, that will only keep you alive for a limited period of time. And the "roll your own" option is not even worth considering. Just my 2 pennies' worth.