Linux is a fast-paced operating system that changes every now and then. Depending on how active the involved developers are, there are more or less changes. In addition, software tends to contain errors. Not only malfunctions but also critical security vulnerabilities. As a rule, these errors are eliminated over time. Regular updates are provided for this purpose, which can be downloaded and installed automatically or manually.
However, there is no reason to constantly install any security updates or bug fixes. Especially if you do not know in detail which changes an update brings, then you should be careful.
Availability vs. safety
In general, the motto is: “Never touch a running system.” That is, if you have a system installed, set up and found, it works as it should, then you do not touch it anymore. Unless, functionally, something else is required. Then just change that, test it, and then leave the system alone.
But there is a second guiding principle: “Keep your system up to date and secure.” This contradicts the first principle in principle, and that’s right. Because whoever runs IT systems is always in the area of tension between availability and security. If 100% availability is required, then safety will be lost over time. Who demands 100% security, must give up a piece of availability. Because every update, which is carried out for security reasons, makes a change to the system and can therefore have a negative influence on the availability. In case of doubt, until total failure.
There is a simple resolution of this difficult equation. Both together does not work. Neither 100% availability nor 100% security. Neither together, nor individually. A system designed for availability will jeopardize its availability because it may have vulnerabilities that have not been closed by updates. Then, an attacker can cause a system to fail at some point due to security vulnerabilities, thereby sacrificing availability.
And 100% security is not possible, because every system, somehow always has to be accessible. Otherwise, it works only for itself.
When is an update necessary?
In the context of “update” the security is often preceded. Many computer users learned this from Windows. There updates are installed at least once a month to eliminate errors and security vulnerabilities. In principle, this is also valid for Linux. However, you have to differentiate a bit for what you use for your Windows machine and for what its Raspberry Pi.
That is, in practice you have to find a balance between availability and security. The only question that arises is how often and when to perform the software update and how much time is taken to test the system afterwards.
If availability is important, then you do updates less often and sometimes skip one or the other new version.
A Raspberry Pi that just has to do a job and is not directly connected to the Internet (behind a router) basically does not need an update. In such a case, an update would even be counterproductive, because a malfunction is more likely due to an ill-considered update.
The situation is different with a Raspberry Pi, which serves as a router or gateway. For security reasons, an update is advised promptly. However, Raspberry Pi should then not have more tasks, because otherwise, the probability of failure increases with each application and task.
If you use a Raspberry Pi as a typical client, the risk of an update is rather low, which is why there is nothing against an update, in order to have a secure system.
Update the installed packages, libraries, and programs
Simply put, Linux is a kernel and packages. Packages include programs, libraries, and drivers. Packages can build on each other and often depend on other packages. These dependencies are managed in the package sources. So if you want to update a Linux and installed programs, then you have to include the update of the package sources.
Package management on Raspbian and other Debian-based Linux distributions is typically apt-get. Other distributions have different package administrations.
Each update requires updating the package lists:
sudo apt-get update
“apt-get update” updates the package lists, which indicate which programs are available in which version and which package depends on which.
Then you run the upgrade process, which first determines from the package lists for which packages new versions are available. As a rule, all new versions will be confirmed together. Afterwards, the upgrade process will continue automatically.
sudo apt-get upgrade
“apt-get upgrade” first downloads all new packages. But this will only succeed if the package lists have been updated with “apt-get update”. A successful upgrade depends on current package lists. Therefore, always before an “apt-get update” is required.
As a rule, both commands are executed together or one after the other.
sudo apt-get update
sudo apt-get upgrade
Occasionally it happens that packages are held back. The following message then appears: “The following packages have been retained: (package name)”
sudo apt-get dist-upgrade
Only a “dist-upgrade” is a complete upgrade and should therefore be preferred if you want to upgrade. On a productive system, you should keep your fingers off “dist-upgrade” and at most run “upgrade”. If you want to be sure, you can leave upgrades (“Never touch an running system”).
Difference: “apt-get upgrade” and “apt-get dist-upgrade”
An “upgrade” updates only already installed packages. A “dist-upgrade” also updates already installed packages, but also those for which dependencies on other packages have changed. In detail, this means that “dist-upgrade” installs new packages that depend on updated packages. Conversely, dist-upgrade removes old packages that no longer have dependencies.
In the “apt-get upgrade” man page, the following is stated: Under “no” circumstances, currently installed packages are removed or uninstalled packages are downloaded and installed.
For “apt-get dist-upgrade” then: Under certain circumstances, currently installed packages are removed or uninstalled packages are downloaded and installed.
Updating with “apt-get dist-upgrade” is thus more complete and usually the way to go. You can give yourself an “apt-get upgrade” because “apt-get dist-upgrade” already includes this.
Why does it even need “upgrade” if “dist-upgrade” does the same? Is there a good reason not to use “dist-upgrade”?
A “dist-upgrade” installs packages that depend on other packages and removes packages that are no longer dependent on others. This is decided by the package manager “apt-get” based on the package sources. There are not only new versions, but also the dependencies recorded.
If you now download and / or compile software outside of “apt-get install”, for example from Github, then “apt-get” of course knows nothing about it. Now, if this one software depends on installed packages and removes or replaces a “dist-upgrade”, then your software may not work anymore. In order to avoid this, you should in this case do without “dist-upgrade” and at most perform an “upgrade”.
Another reason to do without dist-upgrade is critical systems where availability is important. Here you really want to avoid changes to the dependencies. With an “upgrade” you still get all the important fixes. Except for packages affected by changed dependencies.
This means that a simple “upgrade” may not bring a system up-to-date because no packages are being installed or removed. A system is only then updated, as error-free and safe, if you have a “dist-upgrade” was performed.
Is there a reason why you should not do an “upgrade”?
The question is, if you should basically do without updates? The answer comes from what you do with the system.
The experience of a typical computer user is that updates, upgrades, and software updates are generally a good and often a compelling thing. Finally, security vulnerabilities have to be eliminated regularly. And now and then a bug fix and new features would not be bad either.
For a typical desktop PC this is correct. Who works with and on his system should keep it up to date. Especially when you’re on the internet with him.
What about systems that do just one job, work in the background or even work independently?
If these systems can not make direct connections “out of the Internet” because they only provide service within a network or have no network connection at all, then you will be able to do without software updates. As a rule, the stability, functionality and availability of these systems will be in the foreground here. Especially in terms of availability, you will avoid updating the software, because a change in the system always brings the availability in danger. Any responsible system administrator will know how to avoid this and update it only if there is an important and urgent reason for doing so. Even vulnerabilities for which a patch is available do not necessarily require an update.
The situation is different with systems that are directly accessible “from” the Internet. These include, for example, web servers, VPN servers and control systems with remote maintenance function. Again, availability plays an important role. But here availability can be jeopardized by security holes. Only because the system is accessible to attackers directly from the Internet. The Internet is generally regarded as hostile. That’s why systems that connect to the internet are updated regularly.
If you operate a web server with PHP then you should regularly inform yourself about security vulnerabilities and patches and then import them in order not to endanger the availability by exploiting security vulnerabilities. The same applies to mail servers and VPN servers.
After updating: Reboot is must
If you have Windows as the operating system on one of your computers, you will surely remember what happens after the automatic update mechanism has brought the Windows up-to-date. Right, a reboot is required. And that’s right. An update will only do something if the updated version of a package, library or program is used. Windows enforces this decision downright. The user can not avoid this.
However, under a Linux operating system that is updated on the command line, it looks different. Here the user guidance assumes that the user knows what he is doing. But that’s not always the case.
There are actually people who are diligently using “apt-get update” and “apt-get upgrade”, but forget that a reboot is required. If Raspberry Pi serves as a gateway or server and runs permanently, the running services will not be aware of the update.
And that’s why Reboot is must
sudo reboot
Refresh without restart
Now it is the case that with a gateway or server a restart of Raspberry Pi is not always desired. During the restart, the services are not available, which you really want to avoid.
An alternative to restarting the system is to restart each service affected by the upgrade one at a time. Only, which are they?
Under Debian (also Raspbian) there is the package “debian-goodies” with the command “checkrestart”. This command determines which processes are still using libraries that have been replaced during an update.
sudo apt-get install debian-goodies
The following command displays the processes that work with stale but updated packages.
sudo checkrestart
What is security-relevant, should be restarted. As a rule, the necessary restart commands are displayed.
sudo service {PACKET} restart
If the last upgrade included packages that use many running services, then the list may be very long. In such a case, then recommends a reboot, because a restart of many individual services may be more complex and takes longer.
Note: Restarting the SSH daemon does NOT terminate a current SSH connection.
Sometimes there are processes that use libraries for which there are no restart commands: “These processes do not seem to have an associated init script to restart them”. Here only helps a restart. You may be able to postpone the restart in the future if it is not a security-related service.
An alternative to “checkrestart” is “needrestart”. The latter starts updated services automatically after “apt-get upgrade”.
sudo apt-get install needrestart
The following command displays the processes that work with stale but updated packages.
sudo needrestart
Remove packages (uninstall programs)
The following commands remove packages that are no longer needed:
sudo apt-get remove {PACKAGE NAME}
or
sudo apt-get autoremove {PACKAGE NAME}
or
sudo apt-get purge {PACKAGE NAME}
Difference: “apt-get remove” and “apt-get purge”
The difference between “apt-get remove” and “apt-get purge” is that the latter also deletes the configuration files associated with the packages. “remove” leaves them for a possible reinstallation. If you want to remove packages completely, then you do that with “purge”.
A general “apt-get remove” is advised, because in such a case, at least the configuration files persist. With an “apt-get install” you could reinstall the accidentally deleted packages. Then everything would be as before.
Only when you are sure that you do not need anything left over from the remnants, you can “clean up and clean up”.
Difference: “apt-get remove” and “apt-get autoremove”
Most users know “autoremove” as a command to remove unused packages. However, you can also use “autoremove” for regular removal of packages instead of “remove”.
An “apt-get autoremove {PACKETNAME}” not only removes the respective package, but also the packages, to which there are then no more dependencies. An “apt-get autoremove” is more thorough when removing packages.
Note: Be careful when using “remove” and “purge” and especially “autoremove”. One must always make sure that when removing packages, not packages are removed, which you really wanted to keep. Therefore, before confirming the removal of packages, look closely at the displayed list. There have been quite a few users who have removed the graphical user interface with “apt-get autremove”. And that completely.
Remove unnecessary packages
After removing packages and repeatedly updating, packages may become obsolete. For example, because they are no longer needed by other packages. This means that, over time, packet corpses remain, unnecessarily taking up memory space.
When you perform updates and install packages from time to time and also remove them with “apt-get remove” or “apt-get purge”, packages that are no longer needed occasionally remain. These parcel corrals can be removed.
sudo apt-get autoremove
“apt-get autoremove” can be used in two ways. Once without and once with the specification of a package name. If you use “apt-get autoremove” like “remove” or “purge”, then it also automatically uninstalls all packages on which the package to be removed depends. To do this, “autoremove” displays a list of packages that it wants to remove. The package manager does not continue until confirmed.
“apt-get autoremove” is helpful when it comes to uninstalling a package that has many dependencies depending only on the one you want to uninstall. If you are not sure, then just use “apt-get remove”.
Clean / empty package cache
“apt-get” saves all downloaded packages in a cache. As a result, packages do not have to be downloaded again and can be installed directly. After several installations and updates, the content of this cache grows quickly.
Every now and then it makes sense to empty the cache.
sudo apt-get clean
sudo apt-get autoclean
“autoclean” only deletes packages that are outdated. “clean” deletes all packets in the cache.
Thereafter, still drive around configuration files in the system whose packages are already uninstalled. You can delete these files as follows:
sudo dpkg -P `dpkg -l | grep "^ rc" | awk -F "" '{print $ 2}' `
Rules for updating Raspberry Pi
- As needed: update and upgrade / dist-upgrade
- Needless: autoremove and autoclean
- Never: rpi-update
Do not forget to restart Raspberry Pi or the services affected by the upgrade.
Kernel update / firmware update with rpi-update
“rpi-update” is an update function that applies only to the Raspberry Pi, and has nothing to do with the mechanisms of “apt-get”. “rpi-update” is a stand-alone script that downloads and imports the current “unstable” kernel that is currently being developed by Github. Generally, there is no reason to use “rpi-update”.
Check and change package sources
Simply put, Linux is a kernel and packages. Packages include programs, libraries, and drivers. Package sources have lists that list the versions and dependencies of the packages. Each Linux distribution may have different and multiple repositories.
It’s not necessarily about changing anything in the repositories, but looking at what’s there and from which sources the packages are being sourced and checking that those sources are trustworthy enough for the purpose and application.
Raspbian Wheezy upgrade to Jessie
If a release change takes place, it will cause a system to become obsolete over time because it will no longer receive updates for the old release. So if you want to continue to enjoy new and updated software, then you have to switch to the new release.
Automatically install security updates
Upgrading a system is an important measure to maintain the security of the system. By default, updates must be done manually. Alternatively, there is the possibility that a system automatically downloads and installs the security updates.
Update / Upgrade from Raspberry Pi (1) to Raspberry Pi 2 and 3
Since Raspberry Pi models 1, 2 and 3 are each based on a different ARM CPU, the old images can not be used on a newer model. If you want to use an older image in a newer Raspberry Pi, you have to boot it in an older Raspberry Pi from a MicroSD card and perform an update. It automatically updates the firmware and kernel to recognize the new model. Then you can use the image in a new Raspberry Pi.
Leave a Reply