How to set up automatic updates in Debian/Ubuntu

The thought of a server updating itself (and maybe even rebooting) does not make me feel very confident, but it is certainly better than leaving serious security bugs unpatched, which could expose services to large risks.

So today we'll see how to use the unattended-upgrades package. It is available in Debian and Ubuntu and lets you schedule what is updated automatically on your machines, and when.

Installation

The package is available in the repository, so you can use your favorite package manager, such as:
sudo aptitude install unattended-upgrades

Configuration

The first thing to set up is your preferences for apt. Do this by creating the file /etc/apt/apt.conf.d/02periodic, which could contain these parameters:
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

Explanation of these parameters:

# APT::Periodic::Enable "1";
# - Enable the update/upgrade script (0=disable)

# APT::Periodic::Update-Package-Lists "1";
# - Do "apt-get update" automatically every n-days (0=disable)

# APT::Periodic::Download-Upgradeable-Packages "1";
# - Do "apt-get upgrade --download-only" every n-days (0=disable)

# APT::Periodic::AutocleanInterval "0";
# - Do "apt-get autoclean" every n-days (0=disable)

# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades

Preferences for unattended-upgrades

Now take a look at the file /etc/apt/apt.conf.d/50unattended-upgrades. This is the default, which should be fine for most installations:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};
 
// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};
 
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";
 
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
 
// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
 
 
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

This setup is good enough to start with: security updates will be installed automatically. Everything is done; thanks to the cron job in /etc/cron.daily/apt, your configuration is read every day and your system is updated.
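
To confirm that the two files above really produce working automatic security updates, the following added example (not part of the original page) audits the merged settings as `apt-config dump` prints them. The function names, finding labels and sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): audit the effective APT settings.
# Input: `apt-config dump` style lines (Key "value";) on stdin.
# Output: one line per finding; exit status 0 = OK, 1 = updates not effective.
audit_auto_updates() {
    awk '
    match($0, /"[^"]*"/) {
        val = substr($0, RSTART + 1, RLENGTH - 2)
        # apt-config dump prints list members with a trailing "::" on the key
        if ($1 == "Unattended-Upgrade::Allowed-Origins::") {
            if (val ~ /-security$/) security = 1
        } else conf[$1] = val
    }
    END {
        p = "APT::Periodic::"
        # Enable counts as on unless explicitly 0; the other two must be set
        k = p "Enable"
        if (k in conf && conf[k] ~ /^0*$/) { print "DISABLED " k; bad = 1 }
        n = split("Update-Package-Lists Unattended-Upgrade", need, " ")
        for (i = 1; i <= n; i++) {
            k = p need[i]
            if (!(k in conf) || conf[k] ~ /^0*$/) { print "DISABLED " k; bad = 1 }
        }
        if (!security) { print "NO-SECURITY-ORIGIN"; bad = 1 }
        if (conf["Unattended-Upgrade::Automatic-Reboot"] == "true")
            print "NOTE automatic reboot is on"
        exit bad + 0
    }'
}

# Constructed sample: the configuration from this page as apt-config dump prints it
sample_page_config() {
    cat <<'EOF'
APT::Periodic "";
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} stable";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
EOF
}

# On a real host: apt-config dump | audit_auto_updates
sample_page_config | audit_auto_updates && echo "automatic security updates are effective"
```

After the audit passes, `sudo unattended-upgrade --dry-run --debug` shows which packages the next run would upgrade, without installing anything.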

-- VitalyDruzhinin - 2011-08-25
Topic revision: r1 - 2013-08-29, VitalyDruzhinin
 
