The unattended-upgrades package installs upgrades automatically on Debian/Ubuntu systems.
It’s a Python script (1500 lines) located at /usr/bin/unattended-upgrade (/usr/bin/unattended-upgrades is a symlink to it).
The CentOS/RHEL analog is yum-cron.
Install it:
[simterm]
$ sudo apt -y install unattended-upgrades
[/simterm]
The main config file is /etc/apt/apt.conf.d/50unattended-upgrades where upgrade types, email settings etc can be configured.
Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or with dpkg-reconfigure unattended-upgrades.
20auto-upgrades
The /etc/apt/apt.conf.d/20auto-upgrades options:
- APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
- APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable it completely
- APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
- APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
- APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
- APT::Periodic::Verbose: email verbosity settings:
  - 0 – disabled completely
  - 1 – whole upgrade process
  - 2 – same as above + packages stdout
  - 3 – same as above + tracing
50unattended-upgrades
Unattended-Upgrade::Origins-Pattern
Unattended-Upgrade::Origins-Pattern describes repositories to be used for upgrades:
...
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...
${distro_codename} is replaced with the Debian codename, which is stretch at the time of writing.
Unattended-Upgrade::Package-Blacklist
List of packages to be ignored during upgrades:
...
Unattended-Upgrade::Package-Blacklist {
"openjdk-8-jdk";
};
...
Unattended-Upgrade::Remove-Unused-Dependencies
Delete unused packages with apt-get autoremove:
... Unattended-Upgrade::Remove-Unused-Dependencies "true"; ...
Unattended-Upgrade::Mail
The most useful option: send an email notification after upgrades. It uses mail from the mailutils package.
... Unattended-Upgrade::Mail "[email protected]"; ...
Or:
... Unattended-Upgrade::Mail "root"; ...
Unattended-Upgrade::MailOnlyOnError
Send such notifications only if problems were found during the upgrade:
... Unattended-Upgrade::MailOnlyOnError "true"; ...
Unattended-Upgrade::Automatic-Reboot
Reboot the server automatically if /var/run/reboot-required is found:
... Unattended-Upgrade::Automatic-Reboot "true"; ...
The reboot is done immediately after the upgrade if no Automatic-Reboot-Time is set.
Unattended-Upgrade::Automatic-Reboot-Time
If Unattended-Upgrade::Automatic-Reboot is set to true, Automatic-Reboot-Time can be used to set the time for reboots:
... Unattended-Upgrade::Automatic-Reboot-Time "02:00"; ...
Running unattended-upgrade
After everything is configured – you can execute it with dry-run to test:
[simterm]
root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
[/simterm]
And if any upgrades are available – install them:
[simterm]
root@bitwarden-production:/home/admin# unattended-upgrade -v -d
[/simterm]
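To confirm that the settings described above are actually in effect, the function below audits configuration in `apt-config dump` format. It is an added example, not part of the original post or of the unattended-upgrades package; the function names, the constructed sample data and the choice of checks are assumptions made for illustration.

```shell
# Added example: audit settings in `apt-config dump` format read from stdin.
# Prints one WARN line per finding; the return code is the number of findings.
audit_apt_conf() {
    awk '
    function warn(msg) { print "WARN: " msg; n++ }
    function off(k) { return conf[k] == "" || conf[k] == "0" }
    match($0, /^[^ ]+ "/) {              # dump lines look like:  Key "value";
        key = substr($0, 1, RLENGTH - 2)
        val = substr($0, RLENGTH + 1)
        sub(/";[ \t]*$/, "", val)
        # List entries are dumped with a trailing "::" on the key.
        if (key == "Unattended-Upgrade::Origins-Pattern::") {
            if (val ~ /label=Debian-Security/) sec = 1
        } else conf[key] = val
    }
    END {
        p = "APT::Periodic::"; u = "Unattended-Upgrade::"
        if (conf[p "Enable"] == "0") warn(p "Enable is 0: upgrades are disabled")
        if (off(p "Update-Package-Lists")) warn("package lists are never refreshed")
        if (off(p "Unattended-Upgrade")) warn("unattended-upgrade is never scheduled")
        if (!sec) warn("no Origins-Pattern entry with label=Debian-Security")
        if (conf[u "Automatic-Reboot"] == "true" && conf[u "Automatic-Reboot-Time"] == "")
            warn("Automatic-Reboot without Automatic-Reboot-Time: reboot right after upgrade")
        exit n + 0
    }'
}

# Constructed sample: the values configured on this page.
sample_good() { cat <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}
# Constructed sample: upgrades not scheduled, no security origin, untimed reboot.
sample_weak() { cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Automatic-Reboot "true";
EOF
}
# On a real host: apt-config dump | audit_apt_conf
sample_weak | audit_apt_conf || echo "findings: $?"
```
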
Email configuration
You can use a local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so AWS SES is used here.
To send emails via AWS SES, install a local SMTP client, for example ssmtp:
[simterm]
root@bitwarden-production:/home/admin# apt install mailutils ssmtp
[/simterm]
Edit /etc/ssmtp/ssmtp.conf:
[email protected]
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com
Configure Mail From for SSMTP: set a mailbox that is configured in our AWS SES, otherwise you will receive the “554 Message rejected: Email address is not verified” error.
Edit /etc/ssmtp/revaliases file:
root: [email protected]
Check email sending:
[simterm]
root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" [email protected]
[/simterm]
Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.
Done.
