The thought that a server updates itself (and maybe even executes a reboot) is not actually something that makes me feel so confident, but it is certainly better than not applying patches for serious security bugs that could expose services to large risks.
So today we'll see how to use the package unattended-upgrades. It's available in Debian and Ubuntu and can help you schedule what to update automatically on your machines, and when.
Installation
The package is available in the repository, so you can use your favorite package manager, such as:
sudo aptitude install unattended-upgrades
Configuration
The first thing to set up is your preferences for apt. Do this by creating the file /etc/apt/apt.conf.d/02periodic, which could contain these parameters:
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
Explanation of these parameters:
# APT::Periodic::Enable "1";
# - Enable the update/upgrade script (0=disable)
# APT::Periodic::Update-Package-Lists "1";
# - Do "apt-get update" automatically every n-days (0=disable)
# APT::Periodic::Download-Upgradeable-Packages "1";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)
# APT::Periodic::AutocleanInterval "0";
# - Do "apt-get autoclean" every n-days (0=disable)
# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
Preferences for unattended-upgrades
Now take a look at the file /etc/apt/apt.conf.d/50unattended-upgrades. This is the default, which should be fine for most installations:
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} stable";
    "${distro_id} ${distro_codename}-security";
//  "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//  "vim";
//  "libc6";
//  "libc6-dev";
//  "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
To start, this setup is good enough: you'll have security updates installed automatically.
Everything is done. Thanks to the cron script present in /etc/cron.daily/apt, your configuration will be read every day and your system will be updated.
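To confirm that the settings above are the ones APT actually uses (the files in /etc/apt/apt.conf.d are merged, and a later file can override an earlier one), the following added example, which is not part of the original post, audits text in `apt-config dump` format. The function names and the sample input are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit the effective APT settings.
# Input on stdin is text in `apt-config dump` format, one `Key "value";` per line.

# Print the value of scalar key $1 found in dump text $2 (last match wins).
cfg_get() {
    printf '%s\n' "$2" |
        awk -v k="$1" '$1 == k { v = $2 } END { gsub(/[";]/, "", v); print v }'
}

# Return 0 only if the periodic run, list refresh and unattended-upgrade step
# are explicitly set to a non-zero value and a -security origin is allowed.
# Requiring explicit values is a choice of this example.
audit_auto_updates() {
    dump=$(cat)
    rc=0
    for key in APT::Periodic::Enable APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(cfg_get "$key" "$dump")
        case "$val" in
            ''|0) echo "FAIL $key is '${val:-unset}'"; rc=1 ;;
            *)    echo "OK   $key = $val" ;;
        esac
    done
    if printf '%s\n' "$dump" |
        grep -Eq '^Unattended-Upgrade::Allowed-Origins:: ".*-security";'; then
        echo "OK   a -security origin is allowed"
    else
        echo "FAIL no -security origin in Unattended-Upgrade::Allowed-Origins"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: effective settings matching the two files shown above.
sample_good() { cat <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} stable";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
EOF
}

# Constructed sample: same settings after an override disabled the upgrade run.
sample_bad() { sample_good | sed 's/\(Unattended-Upgrade\) "1"/\1 "0"/'; }

sample_good | audit_auto_updates
```

On a real machine, feed it the merged configuration with `apt-config dump | audit_auto_updates`; a non-zero exit status means automatic security updates are not effectively enabled.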
Wouldn't setting up a cron job be easier?
Different for sure, easier I don't know.
With this setup you use the apt cron that any Debian and Ubuntu already have.
I suggest adding a new file with a higher lexicographical order instead, i.e. 89-my-apt-settings, and putting your modifications there. That way, you'll know future upgrades will have sane Debian-given defaults while still using your settings.
Also, see http://askubuntu.com/questions/254137/etc-apt-apt-conf-d-priority-overrule-configuration-file