"Have you updated lately?" is the second-most-asked diagnostic question on the SKYLINE bridge, right behind "is it plugged in?" This guide explains how to update Ubuntu 24.04 correctly — including the moving parts that the typical apt upgrade one-liner misses.
Prerequisites
- Ubuntu 24.04 LTS Server or Desktop.
- A user in the sudo group.
- An out-of-band console (IPMI, DRAC, or hypervisor console) for production hosts.
Step 1: Refresh package metadata
apt update only refreshes the cached lists. It does not install anything. Run it first; investigate any W: warning lines before moving on.
sudo apt update
Common warnings:
- Conflicting distribution — usually a stale third-party PPA. Run ls /etc/apt/sources.list.d/ and remove what you don't need.
- Could not resolve — DNS or IPv6 reachability. Test with dig +short archive.ubuntu.com and curl -fI https://archive.ubuntu.com.
Step 2: Standard upgrade
For the routine case — security and bug-fix updates within the running release:
sudo apt upgrade -y
apt upgrade will hold back any package that needs a new dependency it cannot install without removing something. For those, prefer full-upgrade:
sudo apt full-upgrade -y
Production rule of thumb: run apt upgrade weekly via unattended-upgrades. Reserve full-upgrade for planned maintenance windows.
Step 3: Snap and Flatpak refreshes
Many desktop and even some server packages now ship as snaps. Refresh them explicitly so a reboot is not required to pick up urgent fixes:
sudo snap refresh
For Flatpak packages on desktops:
flatpak update -y
Step 4: Configure unattended security upgrades
Auto-applying security updates is the single highest-leverage habit on a production host. Install once, configure once, and never wake at 3 AM for an unpatched CVE again.
sudo apt install -y unattended-upgrades apt-listchanges
sudo dpkg-reconfigure --priority=low unattended-upgrades
Edit /etc/apt/apt.conf.d/50unattended-upgrades to keep at least these origins enabled:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Reload and test:
sudo systemctl enable --now unattended-upgrades
sudo unattended-upgrade --dry-run --debug | tail -20
Step 5: Kernel updates and reboots
A new kernel will not be active until you reboot. Check whether you owe the system a reboot:
cat /var/run/reboot-required 2>/dev/null && echo "Reboot required" || echo "Clean"
The needrestart utility tells you which services are still running against an old copy of an upgraded library, so you can restart just those instead of rebooting. With -r l it only lists them; with -r a it restarts them automatically, so on a production host check the list first:
sudo apt install -y needrestart
sudo needrestart -r l
sudo needrestart -r a
Step 6: Release-to-release upgrades
To jump from one LTS release to the next (for example 22.04 → 24.04), let do-release-upgrade do the bookkeeping:
sudo apt update && sudo apt full-upgrade -y
sudo apt autoremove --purge -y
sudo do-release-upgrade
Always test the release upgrade on a staging clone first. PPAs are disabled mid-upgrade; budget time to re-enable and reinstall after the reboot.
Step 7: Audit what changed
After a non-trivial upgrade, ask the system what was touched:
zgrep -h "upgrade " /var/log/dpkg.log* | sort | tail -50
zgrep -h "remove " /var/log/dpkg.log* | sort | tail -50
Pin those to a tracking issue along with the host name and date.
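The reboot check from Step 5 and the dpkg.log audit from Step 7, combined into reusable shell functions. This is an added example, not part of the original guide; the sample dpkg.log lines, the reboot-required files and their package names are constructed stand-ins so the script runs offline against a temporary directory instead of the real /var/log and /var/run.

```shell
#!/usr/bin/env bash
# Post-upgrade audit helpers (added example, not from the guide).
# Paths are parameters so the functions can be run against sample files.

# Concatenate plain and rotated (.gz) dpkg logs in the order given.
cat_logs() {
  local f
  for f in "$@"; do
    case "$f" in
      *.gz) gzip -dc -- "$f" ;;
      *)    cat -- "$f" ;;
    esac
  done
}

# One line per event: "<action> <pkg> <old> -> <new>" ("<none>" for removals).
# dpkg.log fields: date time action package old-version new-version.
# Intermediate "status ..." lines are skipped so each package appears once.
dpkg_audit() {
  cat_logs "$@" \
    | awk '$3 == "upgrade" || $3 == "remove" { printf "%s %s %s -> %s\n", $3, $4, $5, $6 }' \
    | sort -u
}

# Return 0 and list the responsible packages when a reboot is owed, else return 1.
reboot_pending() {
  local dir="${1:-/var/run}"
  if [ -f "$dir/reboot-required" ]; then
    echo "Reboot required by:"
    [ -f "$dir/reboot-required.pkgs" ] && sort -u -- "$dir/reboot-required.pkgs"
    return 0
  fi
  echo "No reboot pending"
  return 1
}

# --- Constructed sample data standing in for /var/log/dpkg.log and /var/run ---
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/dpkg.log" <<'EOF'
2024-05-01 03:31:02 upgrade openssl:amd64 3.0.13-0ubuntu3 3.0.13-0ubuntu3.1
2024-05-01 03:31:02 status half-configured openssl:amd64 3.0.13-0ubuntu3.1
2024-05-01 03:31:02 upgrade libssl3t64:amd64 3.0.13-0ubuntu3 3.0.13-0ubuntu3.1
2024-05-01 03:31:05 remove linux-image-6.8.0-31-generic:amd64 6.8.0-31.31 <none>
EOF
printf '*** System restart required ***\n' > "$SAMPLE_DIR/reboot-required"
printf 'linux-image-6.8.0-35-generic\nlibssl3t64\n' > "$SAMPLE_DIR/reboot-required.pkgs"

dpkg_audit "$SAMPLE_DIR/dpkg.log"
reboot_pending "$SAMPLE_DIR" || true
```

On a real host call dpkg_audit /var/log/dpkg.log* and reboot_pending with no argument; the output is what you pin to the tracking issue.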
Conclusion
Updates are not a chore; they are how Linux earns its long-tail reliability. A weekly apt update && apt upgrade, a quarterly apt autoremove, and an annual planned do-release-upgrade are the cheapest insurance policy you will ever buy.
Next steps
- Layer on SSH hardening, UFW, and Fail2ban.
- Audit your stack with the LAMP install guide or the Docker guide.
- Re-run the post-install checklist after release upgrades.