Originally published at: How to Enable Unattended Upgrades on Ubuntu/Debian
Linux server security is of critical importance to sysadmins. One central part of keeping Linux servers secure is by installing security updates promptly. Too often, there are compromised servers on the internet due to pending security updates waiting for a manual update. On both Ubuntu and Debian, the unattended-upgrades package can be configured to perform…
I have been in the process of looking into Linux servers so knowing this right out the gate is extremely useful. I am always looking for ways to run a more secure system both on and offline.
So using a bulk auto update system is still a better option? I am asking from a beginner’s level.
There’s a couple of things Hayden missed. One is apticron, it sends an email advising you of updates and runs nightly as a Cron job. apt-listdiffences will tell you the changes made in those packages, apt-listchanges tells the changes made from one version to the next.There’s also a program that’s called needsrestart which will advise you of any services or processes that needs restarting after an upgrade. There’s also line in unattended-upgrades to auto restart the listed services if needsrestart shows a restart of those is needed. It’s also important to note that upgrade and dist-upgrade (or full-upgrade) do different things. From the man page for apt upgrade:
upgrade (apt-get(8))
upgrade is used to install available upgrades of all packages
currently installed on the system from the sources configured via
sources.list(5). New packages will be installed if required to
satisfy dependencies, but existing packages will never be removed.
If an upgrade for a package requires the removal of an installed
package the upgrade for this package isn’t performed.
From the man page of full-upgrade (apt-get(8))
full-upgrade performs the function of upgrade but will remove
currently installed packages if this is needed to upgrade the
system as a whole.
From the man page of dist-upgrade (apt-get(8)
dist-upgrade in addition to performing the function of upgrade,
also intelligently handles changing dependencies with new versions
of packages; apt-get has a “smart” conflict resolution system, and
it will attempt to upgrade the most important packages at the
expense of less important ones if necessary. The dist-upgrade
command may therefore remove some packages. The
/etc/apt/sources.list file contains a list of locations from which
to retrieve desired package files. See also apt_preferences(5) for
a mechanism for overriding the general settings for individual
packages.
So unattended upgrades is a handy tool but don’t expect it to completely upgrade your system, you will still need to do a full or dist-upgrade occasionally.
Thanks for this @tmick
I usually don’t like automatic updates because I like to review what the updates are first - But when it comes to security patches, it just seems like a good idea.
I’ll test this on my Ubuntu server this weekend.
I am the same way. I prefer to see what is being changed right in front of me. Auto-updates seem to gloss over things or not mention everything. It is still convenient to have things running on their own for security reasons as well as time management. Not that Linux updates are every a major issues.
You can get a report from a program called apticron. It’s a daily email that looks like this
apticron report [Thu, 10 Nov 2022 00:26:14 -0600]
========================================================================
apticron has detected that some packages need upgrading on:
DebianTim.midcoip.net
[ 10.162.132.125 192.168.0.91 fd7d:76ee:e68f:a993:6c33:1401:f02c:98a8 ]
The following packages are currently pending an upgrade:
brave-browser 1.45.123
libdbusmenu-glib4 18.10.20180917~bzr492+repack1-3
libdbusmenu-gtk3-4 18.10.20180917~bzr492+repack1-3
libdbusmenu-gtk4 18.10.20180917~bzr492+repack1-3
libspiro1 1:20221101-1
pristine-tar 1.50
python3-multidict 6.0.2-1
========================================================================
Package Details:
apt-listchanges: Reading changelogs...
apt-listchanges: Changelogs
---------------------------
--- Changes for libdbusmenu (libdbusmenu-glib4 libdbusmenu-gtk3-4 libdbusmenu-gtk4) ---
libdbusmenu (18.10.20180917~bzr492+repack1-3) unstable; urgency=medium
* debian/control:
+ Switch to B-D valgrind-if-vailable.
+ Bump Standards-Version: to 4.6.1. No changes needed.
* debian/patches:
+ Add 0004_prevent-test-json-from-failing.patch. Prevent test-json from
failing due to 'Using cross-namespace EXTERNAL authentication' warning.
(Closes: #1020076).
-- Mike Gabriel <[[email protected]](mailto:[email protected])> Sat, 05 Nov 2022 11:04:11 +0100
--- Changes for libspiro (libspiro1) ---
libspiro (1:20221101-1) unstable; urgency=medium
* New upstream version 20221101
-- Hideki Yamane <[[email protected]](mailto:[email protected])> Sat, 05 Nov 2022 19:52:12 +0900
--- Changes for pristine-tar ---
pristine-tar (1.50) unstable; urgency=medium
[ Kevin Locke ]
* Handle octal escapes in quoted paths
* Use a single substitution to correctly unquote paths
[ Matthew Vernon ]
* Quote manifests and use tar --null (Closes: #1010024, #784635,
#736201, #719078 )
* Add a couple more test cases
-- Matthew Vernon <[[email protected]](mailto:[email protected])> Fri, 04 Nov 2022 11:23:44 +0000
--- Changes for python-multidict (python3-multidict) ---
python-multidict (6.0.2-1) unstable; urgency=medium
* New upstream release
-- Piotr Ożarowski <[[email protected]](mailto:[email protected])> Fri, 04 Nov 2022 16:09:31 +0100
--- Changes for brave-browser ---
brave-browser (1.45.123) stable; urgency=low
* Build spec: https://github.com/brave/brave-browser/releases/tag/v1.45.123
* Release Notes: https://brave.com/latest/
-- Brave Software <[[email protected]](mailto:[email protected])> Wed, 09 Nov 2022 05:56:25 +0000
========================================================================
You can perform the upgrade by issuing the command:
apt-get dist-upgrade
as root on DebianTim.midcoip.net
--
apticron
I did not know that was a thing. That is a really nice feature and a handy one to have. Going to get this set up asap, thanks!
Apticron does the set up for you, all you need to do is install it. debhelper configures everything, just don’t forget to exit any program that uses apt or apt-get or it will throw an error email at you.