I have a Linux Debian Jessie host whose sole purpose is running 2 NT4 VMs. It's been extremely stable since going live several months ago. Uptime is currently 77days!
I haven't applied any updates to the server and starting to wonder whether I should be doing this. I'd hate the thought that an update could break something on the server or something in VMware. These are critical systems and can't afford any downtime.
I thought about applying security only updates, but there's still a risk that any update could cause a problem.
I don't have the luxury of a test server to test updates (but I may need to get one it if looks like updating is essential).
Seeing as the guests (and in-fact host) are only accessed from our internal network, should I be concerned about keeping the server updated?
Yes you should update the host. Your NT4 guests are already a security issue, but having them run on top of a vulnerable host as well, increases the risk quite a bit and also endangers your stabillity (if the host gets rooted a bad guy can do anything and you might have no way to recourse)
Note that updating the kernel might break your kernel modules and thus endanger your stability.
There are two ways to mitigate that:
- don't update the kernel
- if after updating a kernel module cannot be compiled properly, reboot the host with the older kernel (from the boot menu) and set the older kernel as default.
Been running VMware Workstation for many years on linux and kernel updates is where it breaks (the move with open-vmware-tools on this is promising, but not exactly there yet)
hope this helps,
But how would a bad guy even get access to the server when it isn't publicly accessible? This is my point. The server is on our local network with no external access. No one else in the organisation uses the server other than me. I would think that under these circumstances, the threat from external hacking is almost zero.
The risk would need to come from within, for example, by me accessing a bad website or running bad software. But otherwise, I can't see how hackers could get in.
My priority is keeping VMware stable. I do very little on this server other than VMware. The only others that I can think of are CrashPlan for backups, Webmin for system maintenance, CyberPower Power Panel Business Edition for the UPS and LibreOffice. That's about all I have installed on the server.
I am seriously thinking of buying an identical 2nd server to test updates and VMware stability prior to applying them to the production server. Is this overkill or necessary?
Is running unattended-updates with a regular cron job a bad idea?
If the LAN has a gateway to the internet, then there is a risk and you should try to protect that risk in layers.
If the host is not directly accessible then sure the risk is maybe not that big, but if one machine gets infected or if attackers get past the router somehow then they can analyze what else is in your LAN. It is not that weird really.
Running unattended-updates on debian (which sets a cron job itself) isn't bad, but beware that it by default also updates the kernel, so rebooting your host might give you an unexpected surprise.
In addition one other side effect on unattended upgrades is that it doesn't clean up kernels, so if you have a boot partition of normal size it might come full and you can end up with a broken apt-get database. Which would also stop the automatic upgrades. Unattended updates not deleting old kernels is also a good thing when running as vmware host as you can go back to the older kernel.
I think it is possible to exclude kernel updates on that, but you will have to look up why as I don't have the configuration changes for that handy.
edit: on your question, probably overkill if you stick with security updates and no automatic kernel updates. I've got unattended-updates configured on all my ubuntu and debian machines. Only breakage so far was due to what I mentioned.
Am I right in thinking that kernel updates are those prefixed with "linux"? So these pending security updates do indeed include some kernel ones:
Inst linux-compiler-gcc-4.8-x86 [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64])
Inst linux-headers-3.16.0-4-amd64 [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64]) 
Inst linux-headers-3.16.0-4-common [3.16.7-ckt11-1+deb8u6] (3.16.7-ckt20-1+deb8u3 Debian-Security:8/stable [amd64])
I used this command which I found somewhere to identify security only updates:
sudo apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
I think a second dev/test server is the easiest solution. I will update it regularly. If everything is stable, then do the same updates on the production server.
Not sure how else to deal with this problem.
I would hate to be in the situation where after an update reboot, Workstation Pro stopped working and I need some patch from VMware to be released to resolve it.