Updating Ubuntu Properly

Running sudo apt update && sudo apt upgrade and calling it done leaves your server in a predictable but incomplete state. Security updates require reboots for kernel patches, some packages get held back, and running updates without checking the output can result in unexpected service restarts. This article covers the full picture of what happens when you update Ubuntu and how to do it safely on production servers.

The difference between update and upgrade

These two commands are often confused because they sound similar:

| Command | What it does | Downloads packages? |
| --- | --- | --- |
| sudo apt update | Refreshes the local package index from repositories | No (only metadata) |
| sudo apt upgrade | Installs available updates for all installed packages | Yes |
| sudo apt full-upgrade | Same as upgrade, but may also remove packages to resolve conflicts | Yes |

# Step 1: Always update the package index first
# Without this, apt does not know about new package versions
sudo apt update

# Step 2: Check what will be upgraded BEFORE applying updates
apt list --upgradable

# Step 3: Apply updates
sudo apt upgrade

💡 TIP: On production servers, always run apt list --upgradable before apt upgrade. If nginx, MySQL, or PHP-FPM are being upgraded, you may need to test the new version first or schedule a maintenance window. Surprises during business hours are avoidable.

Running updates safely

# The safe production update sequence
sudo apt update                    # Refresh index
apt list --upgradable              # Review what will change
sudo apt upgrade --dry-run         # Simulate without applying

# Apply updates
sudo apt upgrade

# After upgrade, check if a reboot is needed
cat /var/run/reboot-required 2>/dev/null && echo "REBOOT REQUIRED"

# See which packages required the reboot
cat /var/run/reboot-required.pkgs 2>/dev/null

Example: a kernel update that requires a reboot

$ cat /var/run/reboot-required.pkgs
linux-image-6.8.0-57-generic
linux-headers-6.8.0-57-generic

Understanding the upgrade output

sudo apt upgrade

Example output with explanations

Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic     ← See next section
The following packages will be upgraded:
  libssl3 nginx openssl                                        ← Security updates
3 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.

Lines to pay attention to:

  • kept back: Packages not upgraded because upgrading would require installing or removing additional packages. Use apt full-upgrade or apt install <package> to force these.
  • to remove: Packages that will be uninstalled as part of the upgrade. Investigate these before proceeding.
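  • not upgraded: The number of packages that have an update available but stay at their current version in this run. In the example above, these are the three kept-back packages.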
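The review step can be scripted. The following is an added example, not part of the original article: it reads simulated upgrade output and refuses to proceed when packages would be removed or a watched service package would change. The function names and the watch list (nginx, mysql-server, php-fpm) are assumptions, and the sample output is constructed from the example above.

```sh
#!/bin/sh
# Added example: gate an upgrade on what the simulated run says it will do.
# Function names and the watch list are assumptions, not from the article.

# list_section HEADER_REGEX: print one package per line from the indented
# block that follows the matching "The following ..." header on stdin.
list_section() {
    awk -v hdr="$1" '
        /^The following / { in_sec = ($0 ~ hdr); next }
        /^  / && in_sec   { for (i = 1; i <= NF; i++) print $i; next }
                          { in_sec = 0 }'
}

# review_upgrade "WATCHED PKGS": read simulated upgrade output on stdin.
# Returns 0 when nothing needs attention, 1 when a human should decide.
review_upgrade() {
    watch="$1"; out=$(cat); rc=0
    removed=$(printf '%s\n' "$out" | list_section 'will be REMOVED')
    kept=$(printf '%s\n' "$out" | list_section 'kept back')
    upgraded=$(printf '%s\n' "$out" | list_section 'will be upgraded')
    if [ -n "$removed" ]; then
        echo "BLOCK:  upgrade would remove:" $removed; rc=1
    fi
    for pkg in $upgraded; do
        for w in $watch; do
            if [ "$pkg" = "$w" ]; then
                echo "REVIEW: watched service package: $pkg"; rc=1
            fi
        done
    done
    if [ -n "$kept" ]; then echo "INFO:   kept back:" $kept; fi
    return "$rc"
}

# Constructed sample, modelled on the article's example output.
SAMPLE_OUTPUT='Reading package lists... Done
Building dependency tree... Done
The following packages have been kept back:
  linux-generic linux-headers-generic linux-image-generic
The following packages will be upgraded:
  libssl3 nginx openssl
3 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.'

printf '%s\n' "$SAMPLE_OUTPUT" | review_upgrade "nginx mysql-server php-fpm" ||
    echo "=> schedule a maintenance window before applying"
```

On a real host, pipe in `LC_ALL=C apt-get -s upgrade`: apt-get is the interface intended for scripts, and the C locale keeps the section headers in English.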

Held packages and why updates are skipped

Sometimes apt refuses to upgrade a package. This happens when:

  • The package has been manually held with apt-mark hold
  • Upgrading would require removing other packages (use apt full-upgrade)
  • A dependency conflict exists between repositories

# See which packages are held
apt-mark showhold

# Hold a package (prevent it from being upgraded)
# Useful when a new version breaks your application
sudo apt-mark hold nginx

# Release a hold (allow upgrading again)
sudo apt-mark unhold nginx

# Force upgrade of a kept-back package
sudo apt install nginx    # Installs the latest version even if "kept back"

Automatic security updates

Manually running updates on 50 servers is not practical. Ubuntu includes the unattended-upgrades package, which automatically applies security updates in the background.

# Install unattended-upgrades if not present
sudo apt install -y unattended-upgrades

# Enable automatic updates
sudo dpkg-reconfigure --priority=low unattended-upgrades

# Check the configuration
cat /etc/apt/apt.conf.d/50unattended-upgrades

# Check the unattended-upgrades log
tail -f /var/log/unattended-upgrades/unattended-upgrades.log

# Perform a dry run to see what it would update
sudo unattended-upgrades --dry-run --debug

The default configuration applies only security updates from the -security pocket. Full upgrades (including new feature versions) are not applied automatically by default, which is the safe behaviour for production.
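To confirm a server is really configured this way, the merged APT configuration can be audited. This is an added example, not part of the original article: the function names are assumptions and the sample dump is constructed to show a host where the periodic job is switched off.

```sh
#!/bin/sh
# Added example: audit the merged APT configuration for automatic updates.
# Function names are assumptions; SAMPLE_DUMP is constructed test input.

# conf_value KEY: print the value of scalar KEY from `apt-config dump`
# text on stdin (empty output when the key is not set).
conf_value() {
    awk -v key="$1" '
        $1 == key { v = $2; sub(/^"/, "", v); sub(/";$/, "", v); val = v }
        END       { print val }'
}

# audit_auto_updates: read `apt-config dump` text on stdin.
# Returns 0 when security updates will be applied automatically, else 1.
audit_auto_updates() {
    dump=$(cat); rc=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        v=$(printf '%s\n' "$dump" | conf_value "$key")
        case "$v" in
            ''|0) echo "FAIL: $key is '${v:-unset}'"; rc=1 ;;
            *)    echo "ok:   $key = $v" ;;
        esac
    done
    if ! printf '%s\n' "$dump" |
         grep -q '^Unattended-Upgrade::Allowed-Origins:: .*-security'; then
        echo "FAIL: no -security pocket in Allowed-Origins"; rc=1
    fi
    reboot=$(printf '%s\n' "$dump" |
             conf_value Unattended-Upgrade::Automatic-Reboot)
    if [ "$reboot" != "true" ]; then
        echo "NOTE: no automatic reboot; kernel fixes wait for a manual one"
    fi
    return "$rc"
}

# Constructed sample: index refresh is on, but the upgrade job is disabled.
SAMPLE_DUMP='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'

# Real use: apt-config dump | audit_auto_updates
printf '%s\n' "$SAMPLE_DUMP" | audit_auto_updates ||
    echo "=> automatic security updates are not fully enabled"
```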

Kernel updates and reboots

Every kernel update requires a reboot to take effect. Running uname -r shows the currently running kernel, not the newest installed one. Check the running and installed kernels before the reboot, then confirm the new kernel afterwards:

# Before reboot: check what kernel is running vs installed
uname -r                           # Currently running
dpkg -l | grep linux-image         # All installed kernel versions

# After reboot: confirm the new kernel is active
uname -r

# Clean up old kernel packages (keeps the last 2 by default)
sudo apt autoremove

⚠️ WARNING: Before applying a kernel update on a production server, verify that any third-party kernel modules (DKMS packages like VirtualBox drivers, NVIDIA, or WireGuard on older kernels) will be rebuilt for the new kernel version. A module that fails to load after a kernel update can leave the system partially non-functional until you boot back into the old kernel.
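The running-versus-installed comparison can be automated so that a host booted back into an old kernel does not go unnoticed. This is an added example, not part of the original article: the function names are assumptions, and the package list is constructed (only 6.8.0-57 appears in the article).

```sh
#!/bin/sh
# Added example: detect a pending kernel reboot from package state.
# Function names are assumptions; SAMPLE_DPKG is constructed test input.

# newest_installed_kernel: read `dpkg -l` lines on stdin and print the
# highest fully installed (state "ii") versioned kernel in `uname -r` form.
# Metapackages (linux-image-generic) and removed-but-configured ("rc")
# entries are skipped.
newest_installed_kernel() {
    awk '$1 == "ii" && $2 ~ /^linux-image-[0-9]/ {
             sub(/^linux-image-/, "", $2); print $2 }' |
        sort -V | tail -n 1
}

# reboot_pending RUNNING [FLAG_FILE]: `dpkg -l` lines on stdin.
# Returns 0 when a reboot is needed: the flag file exists, or the newest
# installed kernel is not the running one.
reboot_pending() {
    running="$1"
    flag="${2:-/var/run/reboot-required}"
    newest=$(newest_installed_kernel)
    if [ -f "$flag" ]; then
        echo "reboot flag present: $flag"
        return 0
    fi
    if [ -n "$newest" ] && [ "$newest" != "$running" ]; then
        echo "running $running, newest installed $newest"
        return 0
    fi
    return 1
}

# Constructed sample of `dpkg -l` lines.
SAMPLE_DPKG='ii  linux-image-6.8.0-55-generic  6.8.0-55.57  amd64  Signed kernel image generic
ii  linux-image-6.8.0-57-generic  6.8.0-57.59  amd64  Signed kernel image generic
rc  linux-image-6.8.0-60-generic  6.8.0-60.63  amd64  Signed kernel image generic
ii  linux-image-generic           6.8.0-57.59  amd64  Generic Linux kernel image'

# Real use: dpkg -l 'linux-image-*' | reboot_pending "$(uname -r)"
printf '%s\n' "$SAMPLE_DPKG" |
    reboot_pending "6.8.0-55-generic" /nonexistent/reboot-required ||
    echo "kernel is current"
```

The version comparison covers the case where the flag file is absent but the host is still on an older kernel, for example after booting the previous kernel because a module failed to load.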

Conclusion

The safe update habit is: apt update to refresh, apt list --upgradable to review, apt upgrade to apply, and then check /var/run/reboot-required. Enable unattended-upgrades for automatic security patches on servers you cannot update manually every day. Always reboot after a kernel update, and always clean up old kernels with apt autoremove.

FAQ

Is Updating Ubuntu Properly important for Ubuntu administrators?

Yes. It supports practical Ubuntu administration because it connects directly to server reliability, security, troubleshooting, or daily operations.

Should I practice this on a live server?

Use a lab VM first. After you understand the command output and rollback path, apply the workflow carefully on real systems.

What should I do after reading this article?

Run the practice commands, write down what each one shows, and continue to the next article in the Ubuntu roadmap.
