Best practices for updating and patching strategy (PVE + VMs, Ansible, snapshots)

birt-laguntza

Oct 21, 2022
Hi,

I’m interested in how others manage patching and updates in Proxmox (both PVE hosts and VMs) at scale.

We’re trying to avoid manual work and “forgotten updates”, and move towards a more automated and controlled approach.

Key questions:

  • Do you use unattended-upgrades on:
    • PVE hosts?
    • VMs as well?
  • Do you automate apt update / dist-upgrade (Ansible, scripts, etc.) or keep it manual?
  • How do you handle application updates (Nextcloud, Moodle, etc.) and Docker containers?
    • In-place updates vs redeploy?
    • Do you auto-update containers or keep it controlled?
  • What is your strategy for OS major upgrades (e.g. Debian 12 → 13)?
    • In-place or new VM + redeploy?
  • Reboot policy after updates:
    • automatic vs maintenance windows?
  • Do you take snapshots automatically before patching?
  • How do you get visibility after updates?
    • alerts, reports, monitoring, etc.

Goal

We are aiming for:
  • automatic security updates
  • scheduled patching
  • better visibility (alerts)
  • possibly moving towards a more “immutable” model over time
Would love to hear your setups and lessons learned.

Thanks!

"Do you use unattended-upgrades on:"

Unattended upgrades often lead to this type of post in a forum:

I had a power outage, all my hosts rebooted and now something is not working. I have not changed a thing!

Oh, there was a kernel and QEMU and "something" upgrade a month ago, and since my host and VMs only restarted now, those things came unexpectedly into effect...

Have a QA/Dev environment, even if it is completely virtual, deploy upgrades there with whatever mechanism you prefer, then push to production when ready. This would apply to everything - hypervisor, VM, containers, apps.
Blockbridge : Ultra low latency all-NVME shared storage for Proxmox - https://www.blockbridge.com/proxmox
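As an added example (not code from either poster above), the following Ansible playbook puts the QA-first advice into practice for Debian guests: it takes a Proxmox snapshot of each VM before touching packages, records what apt would change, applies the dist-upgrade, reboots only when the guest says it needs one, and stops the rollout at the first VM whose services do not come back. It is run against an inventory group `vms_qa` first and, once that looks good, re-run with `-e target=vms_prod`. Everything named here is an assumption: the inventory groups, the per-host variables `pve_vmid`, the `pve_api_*` variables (meant to live in Ansible Vault), and the optional `health_services` list. The snapshot task uses `community.general.proxmox_snap`, which needs `proxmoxer` and `requests` installed on the controller.

```yaml
# staged_patch.yml  (added example; assumed inventory groups vms_qa / vms_prod,
# a pve_vmid hostvar per VM and PVE API token variables supplied from Vault)
- name: Snapshot, patch and reboot Debian VMs one at a time
  # Run against QA first; re-run with -e target=vms_prod once QA is validated.
  hosts: "{{ target | default('vms_qa') }}"
  become: true
  serial: 1                  # one VM at a time so a bad update stops the rollout early
  any_errors_fatal: true     # abort the whole run on the first failed host
  vars:
    snap_name: "prepatch-{{ ansible_date_time.epoch }}"

  pre_tasks:
    - name: Take a PVE snapshot of this VM before touching packages
      community.general.proxmox_snap:
        api_host: "{{ pve_api_host }}"              # assumed variables
        api_user: "{{ pve_api_user }}"
        api_token_id: "{{ pve_api_token_id }}"
        api_token_secret: "{{ pve_api_token_secret }}"
        vmid: "{{ pve_vmid }}"
        snapname: "{{ snap_name }}"
        description: "Automatic snapshot before apt dist-upgrade"
        vmstate: false                              # disk-only snapshot, no RAM dump
        state: present
      delegate_to: localhost                        # talks to the PVE API, not the guest
      become: false

  tasks:
    - name: Refresh the package index
      ansible.builtin.apt:
        update_cache: true

    - name: Record what apt would change (dry run, kept for the post-run report)
      ansible.builtin.command: apt-get -s dist-upgrade
      environment:
        DEBIAN_FRONTEND: noninteractive
      register: apt_plan
      changed_when: false

    - name: Show the planned changes
      ansible.builtin.debug:
        var: apt_plan.stdout_lines

    - name: Apply the upgrade
      ansible.builtin.apt:
        upgrade: dist
        autoremove: true
      environment:
        DEBIAN_FRONTEND: noninteractive

    - name: Check whether the guest says a reboot is required (kernel, libc, ...)
      ansible.builtin.stat:
        path: /var/run/reboot-required
      register: reboot_flag

    - name: Reboot now, inside the maintenance window, instead of at the next power loss
      ansible.builtin.reboot:
        reboot_timeout: 600
      when: reboot_flag.stat.exists

    - name: Collect service state for the post-patch check
      ansible.builtin.service_facts:

    - name: Fail (and stop the rollout) if a required service is not running
      ansible.builtin.assert:
        that: "ansible_facts.services[item].state == 'running'"
        fail_msg: "{{ item }} is not running after patching {{ inventory_hostname }}"
      loop: "{{ health_services | default(['ssh.service']) }}"
```

Two caveats a practitioner would keep in mind. The snapshot only protects the guest; it does nothing for the PVE host itself, where the usual approach is to live-migrate VMs off a node, patch and reboot that node, then move on. And the playbook deliberately leaves the `prepatch-*` snapshots in place so there is something to roll back to if a problem surfaces later; once a batch is validated they should be removed (`state: absent` with the same module), since long-lived snapshots slow the VM and eat storage.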