Aug 23, 2011
 

The thought of a server updating itself (and maybe even rebooting on its own) does not make me feel particularly confident, but it is certainly better than not applying patches for serious security bugs that could expose services to large risks.

So today we'll see how to use the package unattended-upgrades; it's available in Debian and Ubuntu and can help you schedule what to update, and when, automatically on your machines.



Installation

The package is available in the repository, so you can install it with your favorite package manager, for example:

sudo aptitude install unattended-upgrades

Configuration

The first thing to set up is your preferences for apt. Do this by creating the file /etc/apt/apt.conf.d/02periodic, which could contain these parameters:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

Explanation of these parameters:

# APT::Periodic::Enable "1";
# - Enable the update/upgrade script (0=disable)

# APT::Periodic::Update-Package-Lists "1";
# - Do "apt-get update" automatically every n-days (0=disable)

# APT::Periodic::Download-Upgradeable-Packages "1";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)

# APT::Periodic::AutocleanInterval "0";
# - Do "apt-get autoclean" every n-days (0=disable)

# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades

Preference for unattended-upgrades

Now take a look at the file /etc/apt/apt.conf.d/50unattended-upgrades. This is the default, which should be fine for most installations:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};
 
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};
 
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
 
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
 
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
 
 
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

This setup is good enough to start with: you'll have security updates installed automatically.
Everything is handled by the cron job in /etc/cron.daily/apt: every day your configuration is read and your system is updated accordingly.


References:

Ubuntu Wiki


  4 Responses to “Enable automatic security update in Debian/Ubuntu”

  1. wouldn’t setting up a cron job be easier?

  2. I suggest adding a new file with a higher lexicographical order instead, i.e. 89-my-apt-settings, and put your modifications there. That way, you know future upgrades will have sane Debian-given defaults while still using your settings.

    Also, see http://askubuntu.com/questions/254137/etc-apt-apt-conf-d-priority-overrule-configuration-file
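Apt reads the fragments in /etc/apt/apt.conf.d in lexicographical order, so a later file overrides an earlier one; that is what makes the override-file approach suggested in the comment above work, and it is also the reason a wrongly named file can silently cancel the settings from the Configuration section. The script below is an added example, not code from the original post or from the unattended-upgrades package: it builds a constructed apt.conf.d directory (the post's 02periodic, the commented-out defaults from 50unattended-upgrades, and a hypothetical 89-my-apt-settings override), resolves the effective value of scalar `Key "value";` entries the way apt's ordering implies, and audits the result for the settings a defender wants to review before trusting a server to patch itself. It assumes a POSIX sh with grep, sed and mktemp, and it deliberately handles only scalar keys, not block lists such as Allowed-Origins.

```shell
#!/bin/sh
# Added example (not from the original post or the unattended-upgrades package).
# Resolves the effective value of scalar apt.conf keys across apt.conf.d
# fragments, honouring the lexicographic file order apt uses, then audits the
# result. The directory and fragment contents are constructed for this demo.

APT_CONF_DIR="${APT_CONF_DIR:-$(mktemp -d)}"

# Write constructed fragments: the post's 02periodic, the defaults from
# 50unattended-upgrades (still commented out), and a hypothetical later
# override file of the kind recommended in the comments.
setup_demo() {
    cat > "$APT_CONF_DIR/02periodic" <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$APT_CONF_DIR/50unattended-upgrades" <<'EOF'
// Automatically reboot *WITHOUT CONFIRMATION* if required
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Mail "root@localhost";
EOF
    cat > "$APT_CONF_DIR/89-my-apt-settings" <<'EOF'
# hypothetical local override: later file name, so it wins
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Automatic-Reboot "true";
EOF
}

# effective_value KEY: print the last uncommented `KEY "value";` assignment
# found when the fragments are visited in sorted order (the shell glob is
# sorted, matching apt's lexicographic order). Prints nothing if unset; an
# empty-string assignment is treated the same as unset.
effective_value() {
    key="$1"
    val=""
    for f in "$APT_CONF_DIR"/*; do
        [ -f "$f" ] || continue
        # strip // and # comments, keep only well-formed scalar assignments
        v=$(sed -e 's://.*$::' -e 's:#.*$::' "$f" \
            | grep -E "^[[:space:]]*$key[[:space:]]+\"[^\"]*\"[[:space:]]*;" \
            | tail -n 1 \
            | sed -E 's/^[^"]*"([^"]*)".*$/\1/')
        [ -n "$v" ] && val="$v"
    done
    printf '%s' "$val"
}

# audit_unattended: return 0 when the post's periodic settings are in effect
# (non-zero values), printing a warning for anything that would stop security
# upgrades or make an unattended reboot go unnoticed. This checks the files
# against the post's recommended values, not apt's built-in defaults.
audit_unattended() {
    rc=0
    for k in APT::Periodic::Enable \
             APT::Periodic::Update-Package-Lists \
             APT::Periodic::Unattended-Upgrade; do
        v=$(effective_value "$k")
        if [ -z "$v" ] || [ "$v" = "0" ]; then
            echo "WARN: $k is unset or 0; unattended security upgrades will not run"
            rc=1
        fi
    done
    if [ "$(effective_value Unattended-Upgrade::Automatic-Reboot)" = "true" ] \
       && [ -z "$(effective_value Unattended-Upgrade::Mail)" ]; then
        echo "WARN: Automatic-Reboot is true but Mail is unset; reboots will go unnoticed"
    fi
    return $rc
}

# Demo when run directly: build the fragments, resolve two keys, audit.
setup_demo
printf 'AutocleanInterval=%s\n' "$(effective_value APT::Periodic::AutocleanInterval)"
printf 'Automatic-Reboot=%s\n' "$(effective_value Unattended-Upgrade::Automatic-Reboot)"
audit_unattended
```

On a real system the authoritative view is `apt-config dump`, which prints the merged configuration apt will actually use (for example `apt-config dump | grep Periodic`); the script above is useful for reviewing fragments you are about to ship, before they land in /etc/apt/apt.conf.d, and for seeing which file a surprising value came from.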
