cross-posted from: https://lemmy.ml/post/46701277
I’ve been running my home lab since 2021 and honestly thought my update routine was solid: apt update && apt upgrade, reboot, job done.
Turns out I was wrong. I was checking CVE‑2026‑31431 (Copy Fail) this morning and realised that despite my “successful” updates, I was still running a vulnerable kernel from March.
I’ve had to rethink how I handle host updates. If you’re relying on a standard upgrade and a reboot to keep Proxmox or Debian hosts safe, you might want to check if yours is lying to you as well.
Is this just a Proxmox thing? I’m running Debian on my server, and as far as I know, the kernel has always upgraded properly when there’s a new one available.
You only need the reboot if a package update masks the retirement.
The system is not lying to you, it holds some critical updates back to be installed separately and manually.
The output shows you which packages have been held back. Just do apt-get install linux-image-amd64 for example, reboot and apt autoremove to remove the old kernel.
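A way to check for the situation discussed above, as an added example that is not part of the thread: it pulls the "kept back" package names out of `apt-get -s upgrade` output and compares the running kernel release with the newest one installed. The sample apt output and kernel list are constructed, and the `check_host` helper is hypothetical and assumes kernels are installed as `/boot/vmlinuz-*`.

```shell
#!/bin/sh
# Constructed sample of `apt-get -s upgrade` output with held-back packages.
SAMPLE_APT_OUTPUT='Reading package lists... Done
Building dependency tree... Done
Calculating upgrade... Done
The following packages have been kept back:
  linux-image-amd64 linux-headers-amd64
0 upgraded, 0 newly installed, 0 to remove and 2 not upgraded.'
# Constructed list of installed kernel releases.
SAMPLE_KERNELS='6.1.0-9-amd64
6.1.0-18-amd64
6.1.0-21-amd64'

# Print one package name per line from the "kept back" section (stdin).
kept_back_packages() {
    awk '
        /^The following packages have been kept back:/ { grab = 1; next }
        grab && /^[ \t]/ { for (i = 1; i <= NF; i++) print $i; next }
        { grab = 0 }
    '
}

# Print the highest release from a newline-separated list (stdin).
# sort -V is used because a plain sort would rank -9 above -21.
newest_kernel() {
    sort -V | tail -n 1
}

# Succeed (exit 0) when the running release differs from the newest installed.
kernel_is_stale() {
    [ "$1" != "$2" ]
}

# Report for a real Debian-style host; defined here but not called.
check_host() {
    held=$(LC_ALL=C apt-get -s upgrade | kept_back_packages)
    newest=$(ls /boot/vmlinuz-* | sed 's|.*/vmlinuz-||' | newest_kernel)
    [ -n "$held" ] && printf 'kept back: %s\n' $held
    kernel_is_stale "$(uname -r)" "$newest" &&
        echo "running $(uname -r), newest installed is $newest"
    return 0
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_APT_OUTPUT" | kept_back_packages
printf '%s\n' "$SAMPLE_KERNELS" | newest_kernel
```

Calling `check_host` on a real machine prints nothing when no package is held back and the newest installed kernel is the one running.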
from my own experience, apt dist-upgrade removes old kernels, apt upgrade still installed the new kernel, grub updated and booted into the new kernel. all dist-upgrade did (for me) was delete the old kernels. which is something I would prefer not to do because it removes any ability to rollback should I absolutely need to.
Hmm. Welp. Let’s try. See what happens.
I’ve seen that the patches are only available in the debian-security repository. It’s important to review your repo list in /etc/apt/sources.list.d.
Proxmox does not use the standard debian kernel.
Yes, I referred to the Debian part only.
I mean, you could just use the proxmox UI for updates. Single point for all servers, just click in and hit update. It explicitly runs dist-upgrade already.
The nice thing about zypper is the various patch options and reporting. Gives you a good picture of what CVEs, rating, and if installed, needed, not needed etc. Does Apt have something similar?
Ooof, scared me there for a second. Good thing I am using Dist-Upgrade in my ansible scripts.