first version of the knowledge base :)

2026-03-14 11:41:54 +01:00
commit 27965301ad
47 changed files with 4356 additions and 0 deletions
--- a/Guides/self-hosting/update-management.md
+++ b/Guides/self-hosting/update-management.md
@@ -0,0 +1,124 @@
+---
+title: Update Management
+description: Practical update management for Linux hosts, containers, and self-hosted services
+tags:
+  - updates
+  - patching
+  - self-hosting
+category: self-hosting
+created: 2026-03-14
+updated: 2026-03-14
+---
+
+# Update Management
+
+## Introduction
+
+Update management keeps systems secure and supportable without turning every patch cycle into an outage. In self-hosted environments, the challenge is balancing security, uptime, and limited operator time.
+
+## Purpose
+
+This guide focuses on:
+
+- Operating system updates
+- Container and dependency updates
+- Scheduling, staging, and rollback planning
+
+## Architecture Overview
+
+A practical update process has four layers:
+
+- Inventory: know what you run
+- Detection: know when updates are available
+- Deployment: apply updates in a controlled order
+- Validation: confirm services still work
+
+## Step-by-Step Guide
+
+### 1. Separate systems by risk
+
+Create update rings such as:
+
+- Ring 1: non-critical test systems
+- Ring 2: internal services
+- Ring 3: critical stateful services and edge entry points
+
+### 2. Automate security updates where safe
+
+For Linux hosts, automated security updates can reduce patch delay for low-risk packages. Review distribution guidance and keep reboots controlled.
+
+### 3. Automate update discovery
+
+Use tools that open reviewable pull requests or dashboards for:
+
+- Container image updates
+- Dependency updates
+- Operating system patch reporting
+
+### 4. Validate after rollout
+
+Confirm:
+
+- Service health
+- Reverse proxy reachability
+- Backup jobs
+- Monitoring and alerting
+
+## Configuration Example
+
+Ubuntu unattended upgrades example:
+
+```text
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+```
+
+Dependency update automation example:
+
+```json
+{
+  "extends": ["config:recommended"],
+  "schedule": ["before 5am on monday"],
+  "packageRules": [
+    {
+      "matchUpdateTypes": ["major"],
+      "automerge": false
+    }
+  ]
+}
+```
+
+## Troubleshooting Tips
+
+### Updates are applied but regressions go unnoticed
+
+- Add post-update health checks
+- Review dashboards and key alerts after patch windows
+- Keep rollback or restore steps documented for stateful services
+
+### Too many update notifications create fatigue
+
+- Group low-risk updates into maintenance windows
+- Separate critical security issues from routine version bumps
+- Use labels or dashboards to prioritize by service importance
+
+### Containers stay outdated even though automation exists
+
+- Verify image digests and registry visibility
+- Confirm the deployment process actually recreates containers after image updates
+- Prefer reviewed rebuild and redeploy workflows over blind runtime mutation for important services
+
+## Best Practices
+
+- Patch internet-exposed and admin-facing services first
+- Stage risky or major updates through lower-risk environments
+- Prefer reviewable dependency automation over silent uncontrolled updates
+- Keep maintenance windows small and predictable
+- Document rollback expectations before making large version jumps
+
+## References
+
+- [Ubuntu Community Help Wiki: Automatic Security Updates](https://help.ubuntu.com/community/AutomaticSecurityUpdates)
+- [Debian Wiki: UnattendedUpgrades](https://wiki.debian.org/UnattendedUpgrades)
+- [Renovate documentation](https://docs.renovatebot.com/)
+- [GitHub Docs: Configuring Dependabot version updates](https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates)