Keeping Ubuntu current is not complicated, but rushing it on a production host is how you learn about kernel upgrades the hard way. Use this as a calm, repeatable habit for Ubuntu Server or Desktop (22.04 / 24.04 and similar apt-based releases).
1. Know what you are about to change
Before you touch packages:
- Note the hostname and role (web, XCP-ng guest, desktop, etc.)
- Confirm you have console or out-of-band access if this is a remote server
- Check whether a reboot window is acceptable
hostnamectl
lsb_release -a
uptime
2. Refresh the package index
sudo apt update
Skim the output for repository errors. If a third-party repo is broken, fix that before you upgrade. Do not ignore “Failed to fetch” lines and hope for the best.
3. See what would change (optional but smart)
apt list --upgradable
On a critical host, glance for kernel, libc, nginx/apache, database, or panel packages so you know whether a reboot or service restart is likely.
4. Apply updates
For a normal maintenance window:
sudo apt upgrade
If you intentionally want package removals when the resolver needs them (use with care on servers):
sudo apt full-upgrade
Answer prompts thoughtfully. Autoremoving suggested packages is usually fine; deleting something you do not recognize is not.
5. Clean up leftover packages
sudo apt autoremove --purge
sudo apt autoclean
6. Reboot if the kernel or core libs require it
Ubuntu often tells you a reboot is needed. You can also check:
# Debian/Ubuntu reboot-required flag
test -f /var/run/reboot-required && cat /var/run/reboot-required
If a new kernel was installed, schedule the reboot. Do not leave “reboot pending” for weeks on a public host.
sudo reboot
7. Validate after the update
- Host comes back on the network
- Critical services are running (
systemctl status …) - Sites or apps respond
- Disk space still looks sane (
df -h)
Unattended upgrades (optional)
Many Ubuntu servers already have unattended-upgrades for security patches. That is good for security updates; it does not replace periodic manual review for app stacks you care about.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
Bottom line
apt update → review → apt upgrade → reboot if needed → verify services. Make it boring and scheduled, not something you only do after a CVE thread hits your timeline.

