The thought of a server updating itself (and maybe even rebooting) does not make me feel very confident, but it is certainly better than leaving serious security bugs unpatched, which could expose services to large risks.
So today we'll see how to use the package unattended-upgrades. It is available in Debian and Ubuntu and lets you schedule what is updated automatically on your machines, and when.
Installation
The package is available in the repository, so you can install it with your favorite package manager, for example:
sudo aptitude install unattended-upgrades
Configuration
The first thing to set up is your preferences for apt. Do this by creating the file /etc/apt/apt.conf.d/02periodic, which could contain these parameters:
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
Explanation of these parameters:
# APT::Periodic::Enable "1";
# - Enable the update/upgrade script (0=disable)
# APT::Periodic::Update-Package-Lists "1";
# - Do "apt-get update" automatically every n-days (0=disable)
# APT::Periodic::Download-Upgradeable-Packages "1";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)
# APT::Periodic::AutocleanInterval "0";
# - Do "apt-get autoclean" every n-days (0=disable)
# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
Preference for unattended-upgrades
Now take a look at the file /etc/apt/apt.conf.d/50unattended-upgrades. This is the default, which should be fine for most installations:
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} stable";
    "${distro_id} ${distro_codename}-security";
//  "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
To start, this setup is good enough: security updates will be installed automatically.
That's all. Thanks to the cron job in /etc/cron.daily/apt, your configuration is read every day and your system is updated.
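An added example, not part of the original post: a small Python check that reads the text of the two files above and lists the reasons security updates would not install or would behave unexpectedly. The sample text is constructed, the parser covers only the syntax shown on this page, and treating an unset interval as 0 is an assumption; on a live host, apt-config dump shows the merged settings.

```python
import re

# Constructed sample: the two files from this page with deliberate mistakes.
PERIODIC = '''
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
'''
UNATTENDED = '''
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} stable";
//  "${distro_id} ${distro_codename}-security";
};
//Unattended-Upgrade::Mail "root@localhost";
Unattended-Upgrade::Automatic-Reboot "true";
'''

def parse_apt_conf(text):
    """Return (scalars, lists) for the subset of apt.conf syntax used on this page."""
    # Drop // comments, but leave quoted strings untouched.
    text = re.sub(r'"[^"]*"|//[^\n]*',
                  lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)
    # A list ends at "};" so the "}" inside ${distro_id} does not close it.
    lists = {name: re.findall(r'"([^"]*)"', body) for name, body in
             re.findall(r'([\w:-]+)\s*\{(.*?)\}\s*;', text, flags=re.S)}
    scalars = dict(re.findall(r'([\w:-]+)\s+"([^"]*)"\s*;', text))
    return scalars, lists

def audit(periodic_text, unattended_text):
    """List reasons why security updates would not install, or would surprise you."""
    s, lists = parse_apt_conf(periodic_text + unattended_text)
    findings = []
    if s.get("APT::Periodic::Enable", "1") == "0":
        findings.append("periodic script disabled")
    for key in ("Update-Package-Lists", "Unattended-Upgrade"):
        if s.get("APT::Periodic::" + key, "0") == "0":  # assumption: unset means 0
            findings.append(key + " never runs")
    origins = lists.get("Unattended-Upgrade::Allowed-Origins", [])
    if not any(o.endswith("-security") for o in origins):
        findings.append("no -security origin allowed")
    if s.get("Unattended-Upgrade::Automatic-Reboot", "false") == "true":
        findings.append("reboots without confirmation")
    if not s.get("Unattended-Upgrade::Mail"):
        findings.append("no mail address for problem reports")
    return findings

if __name__ == "__main__":
    for finding in audit(PERIODIC, UNATTENDED):
        print("WARN:", finding)
```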

Wouldn’t setting up a cron job be easier?
Different for sure, easier I don’t know.
With this setup you use the apt cron that any Debian and Ubuntu have already.