TL;DR: My homelab monitor flagged my Plex/Pi-hole box 47 packages and a kernel behind — and I'd forgotten the machine existed. Here's the 5-minute non-interactive fix, and the one upgrade I deliberately didn't run.
This is the dev.to short version of the Medium write-up. Same dashboard that caught a service hoarding 16GB of VRAM last week — different, more boring villain.
The signal
The overview wore one small badge: ⚠ 1 host behind. Not my GPU box that I touch daily — cloudy, the Plex / Pi-hole / Samba box that just works and therefore never gets looked at.

The monitor also flags a release upgrade as available — I'm deferring that one regardless of which version it lands on (more below).
UPDATES column: 47 pending · ⬆ 26.04 available.
The diagnosis
$ ssh anakin@cloudy
$ lsb_release -ds && uname -r
Ubuntu 22.04.5 LTS
5.15.0-179-generic # running — but 5.15.0-181 was already installed, waiting on a reboot
$ apt list --upgradable 2>/dev/null | grep -c upgradable
47
$ cat /var/run/reboot-required
*** System restart required ***
Nothing was broken — Plex streamed, Pi-hole resolved, shares mounted. That's the trap: a box that's 47 behind doesn't tell you. Among the 47: systemd, snapd, apparmor, nftables, cloud-init, linux-firmware, openldap. Plenty of it security-relevant.
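The three signals checked by hand above (pending count, running vs. newest installed kernel, reboot-required flag) folded into one script that returns non-zero on drift, so a cron job or monitor can alert on it. This is an added example, not code from HomeLab Monitor or the original write-up; the function names are illustrative, and it assumes Ubuntu-style suite names ending in -security and a single kernel flavour under /boot.

```shell
#!/bin/sh
# Added example: patch-drift check for an apt-based host. The parsers read
# text on stdin so they can be tested offline; drift_check runs the real
# commands. Function names are illustrative.

# Count pending packages in `apt list --upgradable` output.
count_upgradable() { grep -c '\[upgradable from: ' || true; }

# Count pending packages offered from a suite ending in -security (assumption:
# Ubuntu-style suite names such as jammy-security).
count_security() {
    grep '\[upgradable from: ' | grep -c '^[^/ ]*/[^ ]*-security' || true
}

# Newest installed kernel, given /boot/vmlinuz-* paths on stdin. Assumes one
# kernel flavour; the bare vmlinuz and vmlinuz.old symlinks are ignored.
newest_kernel() { sed -n 's/^.*vmlinuz-//p' | sort -V | tail -n 1; }

# Print a one-line summary and return 1 if anything is outstanding.
# Args: pending security running_kernel newest_kernel reboot_flag(0|1)
summarize() {
    status=OK
    [ "$1" -eq 0 ] && [ "$3" = "$4" ] && [ "$5" -eq 0 ] || status=BEHIND
    echo "$status pending=$1 security=$2 running=$3 newest=$4 reboot_required=$5"
    [ "$status" = OK ]
}

# Gather the same three signals the manual diagnosis looked at.
drift_check() {
    list=$(apt list --upgradable 2>/dev/null)
    reboot=0
    if [ -f /var/run/reboot-required ]; then reboot=1; fi
    summarize "$(printf '%s\n' "$list" | count_upgradable)" \
              "$(printf '%s\n' "$list" | count_security)" \
              "$(uname -r)" \
              "$(printf '%s\n' /boot/vmlinuz-* | newest_kernel)" "$reboot"
}

# Run only when asked, e.g. from cron: `sh drift.sh --run` (hypothetical name).
if [ "${1:-}" = "--run" ]; then drift_check; fi
```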
The fix (non-interactive, config-preserving)
sudo -i
export DEBIAN_FRONTEND=noninteractive NEEDRESTART_MODE=a
apt-get update
apt-get -o Dpkg::Options::="--force-confold" \
-o Dpkg::Options::="--force-confdef" \
-y full-upgrade
apt-get -y autoremove --purge
- --force-confold → keep my existing config files, don't stop to ask.
- NEEDRESTART_MODE=a → let needrestart restart affected services itself instead of showing the blue full-screen menu that hangs an unattended run.
- Result: 45 upgraded, 2 newly installed, 0 removed. Clean.
Then activate the kernel/systemd the box had been holding:
$ reboot # ~90s of no DNS for the LAN — an on-purpose action, not a background one
$ uname -r
5.15.0-181-generic # back on the tailnet, now on the staged kernel
Before / after
47 → 0. The package badge cleared.
What I deliberately did NOT run
The monitor also flags a full Ubuntu release upgrade waiting. do-release-upgrade on a remote, headless, house-critical box is a scheduled-window job — with a backup and a console in reach — not an unattended one. The dashboard surfacing it is the win; choosing to defer it is the right call. So I left it flagged, on purpose.
The point
I'm not disciplined about my boring boxes — nobody is. The only reason this got caught is one badge in one dashboard I already look at. The tool is HomeLab Monitor — one container, MIT, no Prometheus/Grafana to stand up:
docker compose up -d --build
# github.com/SikamikanikoBG/homelab-monitor
When did you last log into your most reliable box, and how would you find out it was a month behind? Mine used a badge. What's watching yours — a cron apt list --upgradable, unattended-upgrades mail you actually read, or nothing? Genuinely curious which holds up for people.
