Re: Safety of upgrading packages while running KVM

[Gary Dale <garydale@torfree.net>]

On 17/06/15 09:42 PM, Ross Boylan wrote:
> My host system is running Debian wheezy and qemu-kvm; a number of VM's
> are running on it. I'm running kvm via libvirt.
>
> An update to qemu-kvm and related packages is available for my host
> system.  Is it safe to update the package on the host while the VM's
> are running?   Similarly, is it safe to update the kernel or other
> critical host components like libc while the VM's are running?
>
> On the one hand, I think Debian is designed so updating packages on a
> live system is safe.   On the other hand, doing so seems like asking
> for trouble in this case, and I have read that after a kernel update a
> reboot as soon as practical is advised.
>
> Thanks.
> Ross Boylan
It's generally safe to upgrade the packages. The new ones won't be 
brought into play until the VM is restarted.

The advice about reboots is good because until the kernel or service is 
restarted, you are using the old kernel while new packages might have 
been compiled for a newer kernel or service. Some services will be 
restarted by the package installation (e.g. cups) but unless they need a 
kernel service that has changed, it's still safe to carry on.

The bigger issue is if vulnerabilities were closed by the new kernel or 
service. Not restarting leaves your machine vulnerable.