The unattended-upgrades package performs automated installation of upgrades on Debian/Ubuntu systems.
It's a Python script (1500 lines) located at /usr/bin/unattended-upgrade (and /usr/bin/unattended-upgrades is a symlink to /usr/bin/unattended-upgrade).
The CentOS/RHEL analog is yum-cron.
Install it:
[simterm]
$ sudo apt -y install unattended-upgrades
[/simterm]
The main config file is /etc/apt/apt.conf.d/50unattended-upgrades, where upgrade types, email settings, etc. can be configured.
Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or by running dpkg-reconfigure unattended-upgrades.
20auto-upgrades
The /etc/apt/apt.conf.d/20auto-upgrades options:
- APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
- APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable it entirely
- APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
- APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
- APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
- APT::Periodic::Verbose: email verbosity settings:
  - 0 – disabled entirely
  - 1 – whole upgrade process
  - 2 – same as above + packages stdout
  - 3 – same as above + tracing
50unattended-upgrades
Unattended-Upgrade::Origins-Pattern
Unattended-Upgrade::Origins-Pattern describes repositories to be used for upgrades:
...
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...
The ${distro_codename} will be replaced with the Debian codename, which is stretch at this time.
Unattended-Upgrade::Package-Blacklist
List of packages to be ignored during upgrades:
...
Unattended-Upgrade::Package-Blacklist {
        "openjdk-8-jdk";
};
...
Unattended-Upgrade::Remove-Unused-Dependencies
Delete unused packages with apt-get autoremove:
...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...
Unattended-Upgrade::Mail
The most useful option: send an email notification after upgrades. It uses mail from the mailutils package.
...
Unattended-Upgrade::Mail "[email protected]";
...
Or:
...
Unattended-Upgrade::Mail "root";
...
Unattended-Upgrade::MailOnlyOnError
Send such notifications only if problems were found during the upgrade:
...
Unattended-Upgrade::MailOnlyOnError "true";
...
Unattended-Upgrade::Automatic-Reboot
Reboot the server automatically if /var/run/reboot-required is found:
...
Unattended-Upgrade::Automatic-Reboot "true";
...
The reboot will be done immediately after the upgrade if no Automatic-Reboot-Time is set.
Unattended-Upgrade::Automatic-Reboot-Time
If Unattended-Upgrade::Automatic-Reboot is set to true, then Automatic-Reboot-Time can be used to set the time for reboots:
...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
Running unattended-upgrade
After everything is configured – you can execute it with dry-run to test:
[simterm]
root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
[/simterm]
And if any upgrades are available – install them:
[simterm]
root@bitwarden-production:/home/admin# unattended-upgrade -v -d
[/simterm]
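A dry run started by hand exercises 50unattended-upgrades but not the APT::Periodic schedule, so a host can pass it and still never patch itself. The following audit is an added example, not code from this post or from the unattended-upgrades project: it checks the options described above in text shaped like `apt-config dump` output. The function names, finding codes and sample dump are constructed for illustration, and it assumes a missing or "0" interval means the step never runs.

```python
import re

# Constructed sample in the format printed by `apt-config dump` (not from a real host).
SAMPLE_DUMP = """\
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Automatic-Reboot "true";
"""

def parse_dump(text):
    """Split dump lines into scalar options and list options ('Key:: "item";')."""
    scalars, lists = {}, {}
    for line in text.splitlines():
        m = re.match(r'^(\S+)\s+"(.*)";$', line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key.endswith("::"):  # a trailing "::" marks one entry of a list option
            lists.setdefault(key[:-2], []).append(value)
        else:
            scalars[key] = value
    return scalars, lists

def audit(text):
    """Return finding codes for settings that leave a host unpatched or surprise its operator."""
    scalars, lists = parse_dump(text)
    uu = "Unattended-Upgrade::"
    findings = []
    # Assumption: an interval that is missing or "0" means the step never runs.
    def off(option):
        return scalars.get("APT::Periodic::" + option, "0") == "0"
    if scalars.get("APT::Periodic::Enable") == "0":
        findings.append("periodic-disabled")
    if off("Update-Package-Lists"):
        findings.append("lists-never-updated")
    if off("Unattended-Upgrade"):
        findings.append("upgrade-never-runs")
    if not lists.get(uu + "Origins-Pattern") and not lists.get(uu + "Allowed-Origins"):
        findings.append("no-origins")
    if not scalars.get(uu + "Mail"):
        findings.append("no-mail")
    # Per the text above: without Automatic-Reboot-Time the reboot is immediate.
    if scalars.get(uu + "Automatic-Reboot") == "true" and not scalars.get(uu + "Automatic-Reboot-Time"):
        findings.append("immediate-reboot")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

On a real host, feed `audit()` the output of `apt-config dump` instead of the sample.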
Email configuration
You can use a local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so we will use AWS SES here.
To send emails via AWS SES, install a local SMTP client, for example ssmtp:
[simterm]
root@bitwarden-production:/home/admin# apt install mailutils ssmtp
[/simterm]
Edit /etc/ssmtp/ssmtp.conf:
[email protected]
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com
Configure Mail From for SSMTP: set a mailbox that is configured in our AWS SES, otherwise you will receive the “554 Message rejected: Email address is not verified” error.
Edit the /etc/ssmtp/revaliases file:
root: [email protected]
Check email sending:
[simterm]
root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" [email protected]
[/simterm]
Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.
Done.