Debian: unattended-upgrades – automatic upgrades installation with email notifications via AWS SES

By | 05/23/2019

The unattended-upgrades package performs automated installation of upgrades on Debian/Ubuntu systems.

It is a Python script (1500 lines) located at /usr/bin/unattended-upgrade (/usr/bin/unattended-upgrades is a symlink to /usr/bin/unattended-upgrade).

The CentOS/RHEL analog is yum-cron.

Install it:

sudo apt -y install unattended-upgrades

The main config file is /etc/apt/apt.conf.d/50unattended-upgrades, where upgrade types, email settings, etc. can be configured.

Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or with dpkg-reconfigure unattended-upgrades:

20auto-upgrades

The /etc/apt/apt.conf.d/20auto-upgrades options:

  • APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
  • APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable
  • APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
  • APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
  • APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
  • APT::Periodic::Verbose: email verbosity level:
    • 0 – disabled
    • 1 – the whole upgrade process
    • 2 – as above, plus package stdout
    • 3 – as above, plus tracing

50unattended-upgrades

Unattended-Upgrade::Origins-Pattern

Unattended-Upgrade::Origins-Pattern describes repositories to be used for upgrades:

...
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...

${distro_codename} is replaced with the Debian codename, which is stretch at the time of writing.

Unattended-Upgrade::Package-Blacklist

List of packages to be ignored during upgrades:

...
Unattended-Upgrade::Package-Blacklist {
   "openjdk-8-jdk";
};
...

Unattended-Upgrade::Remove-Unused-Dependencies

Delete unused packages with apt-get autoremove:

...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...

Unattended-Upgrade::Mail

The most useful option – send an email notification after upgrades. It uses the mail command from the mailutils package.

...
Unattended-Upgrade::Mail "user@example.com";
...

Or:

...
Unattended-Upgrade::Mail "root";
...

Unattended-Upgrade::MailOnlyOnError

Send such notifications only if problems were found during the upgrade:

...
Unattended-Upgrade::MailOnlyOnError "true";
...

Unattended-Upgrade::Automatic-Reboot

Reboot the server automatically if /var/run/reboot-required is found:

...
Unattended-Upgrade::Automatic-Reboot "true";
...

The reboot is done immediately after the upgrade if no Automatic-Reboot-Time is set.

Unattended-Upgrade::Automatic-Reboot-Time

If Unattended-Upgrade::Automatic-Reboot is set to true, then Automatic-Reboot-Time can be used to set the time for reboots:

...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
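Before running the script for real, the settings above can be sanity-checked. The following is an added example, not from the original post: a POSIX shell script that reads the APT configuration fragments and flags the settings discussed above that are easy to get wrong (no schedule, no security origin, no mail address, Automatic-Reboot without a reboot time). It assumes the configuration lives in /etc/apt/apt.conf.d or in a directory passed as its first argument; apt_opt, has_security_origin and check_config are the script's own names.

```shell
#!/bin/sh
# Sanity-check an unattended-upgrades setup of the kind described
# above. Added example, not from the original post.
# Usage: sh uu-check.sh [conf-dir]  (default: /etc/apt/apt.conf.d)
set -u

# Print the last value of a plain quoted option; later files win,
# matching APT's lexical load order. $1 = directory, $2 = option.
apt_opt() {
    cat "$1"/* 2>/dev/null |
        sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" | tail -n 1
}

# Succeed if an Origins-Pattern list block (comments excluded)
# allows the Debian-Security label.
has_security_origin() {
    cat "$1"/* 2>/dev/null |
        sed -n '/Unattended-Upgrade::Origins-Pattern/,/};/p' |
        grep -v '^[[:space:]]*//' | grep -q 'label=Debian-Security'
}

# Run all checks on one directory; prints FAIL lines, returns 1 on any failure.
check_config() {
    dir=$1; rc=0
    # An explicit 0 switches the whole APT::Periodic machinery off.
    [ "$(apt_opt "$dir" 'APT::Periodic::Enable')" != "0" ] ||
        { echo "FAIL: APT::Periodic::Enable is 0"; rc=1; }
    # 0 or unset means unattended-upgrade is never scheduled.
    case "$(apt_opt "$dir" 'APT::Periodic::Unattended-Upgrade')" in
        ""|0) echo "FAIL: APT::Periodic::Unattended-Upgrade is 0/unset"; rc=1 ;;
    esac
    has_security_origin "$dir" ||
        { echo "FAIL: Origins-Pattern lacks label=Debian-Security"; rc=1; }
    [ -n "$(apt_opt "$dir" 'Unattended-Upgrade::Mail')" ] ||
        { echo "FAIL: Unattended-Upgrade::Mail unset, nobody is notified"; rc=1; }
    # Automatic-Reboot without a time reboots right after the upgrade.
    if [ "$(apt_opt "$dir" 'Unattended-Upgrade::Automatic-Reboot')" = "true" ] &&
       [ -z "$(apt_opt "$dir" 'Unattended-Upgrade::Automatic-Reboot-Time')" ]; then
        echo "FAIL: Automatic-Reboot set but Automatic-Reboot-Time unset"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

check_config "${1:-/etc/apt/apt.conf.d}"
```

Point it at a copy of /etc/apt/apt.conf.d to try it without touching the live system.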

Running unattended-upgrade

After everything is configured, you can execute it with --dry-run to test:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals

And if any upgrades are available, install them:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d

Email configuration

You can use a local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so AWS SES will be used here.

To send emails via AWS SES, install a local SMTP client, for example ssmtp:

root@bitwarden-production:/home/admin# apt install mailutils ssmtp

Edit /etc/ssmtp/ssmtp.conf:

root=admin@example.com
mailhub=email-smtp.us-east-1.amazonaws.com:587

AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES

hostname=accounts.example.com

Configure the Mail From address for ssmtp: set a mailbox that is verified in your AWS SES account, otherwise you will receive the “554 Message rejected: Email address is not verified” error.

Edit the /etc/ssmtp/revaliases file:

root: no-repy@example.com

Check email sending:

root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" admin@example.com

Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.

Done.