HOWTO enable automatic security updates in Debian

In installs of the latest Ubuntu Linux you’ve given the option at the end to turn on automatic updates for security updates, which a great option for a server. I’ve always been a big purveyor of autonomous computing, after all, they know how to do their job, so give them enough rope to hang^K^K^K do it themselves. The old way of running cron-apt followed by apt-get upgrade is a big hammer for a small job and will break services, it’s a guarantee. So I knew there had to be a better way, and I’m sure Ubuntu had already formalized it, so it wasn’t that hard to figure out. It starts with the install of a package named unattended-upgrades. Ok, so this was likely available for some time, well as they say, it’s new to me!

apt-get install unattended-upgrades

Next up, we need to setup preferences for the apt package, do this creating a new file /etc/apt/apt.conf.d/02periodic and filling it in with the following:

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

Seems pretty self-explanatory, with some sane options to start with, the 1 tells it how many times to run (once a day) while autoclean will occur every 5. Note that any activity from the program will be logged to /var/log/unattended-upgrades which is helpful, but next we’ll see how to enable email alerts as well. Now we’ll setup the preferences for the unattended-upgrades program. The file that controls this is /etc/apt/apt.conf.d/50unattended-upgrades, and it will look something like this:

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

So there’s some cool options including what to allow to be upgraded, blacklisted apps, email notifications and even an auto-reboot option. So if there’s a security update in the kernel, it will install the new kernel and reboot the system automatically - how cool is that? This is the autonomy I was looking for! Now having said that, I think I’ll throw this in just because, Manchester, England band Buzzcocks doing Autonomy from 1978.

comments powered by Disqus