The unattended-upgrades package installs upgrades automatically on Debian/Ubuntu systems.
It’s a Python script (1500 lines) located at /usr/bin/unattended-upgrade (/usr/bin/unattended-upgrades is a symlink to /usr/bin/unattended-upgrade).
The CentOS/RHEL analog is yum-cron.
Install it:
$ sudo apt -y install unattended-upgrades
The main config file is /etc/apt/apt.conf.d/50unattended-upgrades, where upgrade types, email settings, etc. can be configured.
Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or with dpkg-reconfigure unattended-upgrades.
20auto-upgrades
The /etc/apt/apt.conf.d/20auto-upgrades options:
- APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
- APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable it entirely
- APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
- APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
- APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
- APT::Periodic::Verbose: email verbosity settings:
  - 0 – disabled
  - 1 – whole upgrade process
  - 2 – same as above + packages stdout
  - 3 – same as above + tracing
50unattended-upgrades
Unattended-Upgrade::Origins-Pattern
Unattended-Upgrade::Origins-Pattern describes the repositories to be used for upgrades:
...
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...
The ${distro_codename} will be replaced with the Debian codename, which is stretch at this time.
Unattended-Upgrade::Package-Blacklist
List of packages to be ignored during upgrades:
...
Unattended-Upgrade::Package-Blacklist {
"openjdk-8-jdk";
};
...
Unattended-Upgrade::Remove-Unused-Dependencies
Delete unused packages with apt-get autoremove:
...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...
Unattended-Upgrade::Mail
The most useful option – send an email notification after upgrades. It uses mail from the mailutils package.
...
Unattended-Upgrade::Mail "user@example.com";
...
Or:
...
Unattended-Upgrade::Mail "root";
...
Unattended-Upgrade::MailOnlyOnError
Send such notifications only if problems were found during the upgrade:
...
Unattended-Upgrade::MailOnlyOnError "true";
...
Unattended-Upgrade::Automatic-Reboot
Reboot the server automatically if /var/run/reboot-required is found:
...
Unattended-Upgrade::Automatic-Reboot "true";
...
The reboot will be done immediately after the upgrade if no Automatic-Reboot-Time is set.
Unattended-Upgrade::Automatic-Reboot-Time
If Unattended-Upgrade::Automatic-Reboot is set to true, then Automatic-Reboot-Time can be used to set the time for reboots:
...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
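The options above interact, and a few combinations quietly leave a host unpatched or reboot it at an unexpected time. The following is an added example, not part of the original post or of the unattended-upgrades package: a small checker that parses the two config files and reports such combinations. The function names parse and audit and the sample config are constructed for illustration.

```python
import re

# Constructed sample: 20auto-upgrades + 50unattended-upgrades contents (not from a real host).
SAMPLE = r'''
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "1";
// Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::MailOnlyOnError "true";
'''

LIST_RE = re.compile(r'([\w:-]+)\s*\{(.*?)\}\s*;', re.S)
SCALAR_RE = re.compile(r'([\w:-]+)\s+"([^"]*)"\s*;')

def parse(text):
    """Parse scalar options into strings and { } blocks into lists of strings."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # only whole-line // comments are handled
    conf = {name: re.findall(r'"([^"]*)"', body) for name, body in LIST_RE.findall(text)}
    conf.update(SCALAR_RE.findall(LIST_RE.sub('', text)))
    return conf

def audit(conf):
    """Return findings for settings that silently weaken automatic patching."""
    def on(opt):   # periodic interval is set and is not "0"
        return conf.get(opt, '0') not in ('0', '')
    def yes(opt):  # boolean option is switched on
        return conf.get(opt, 'false').lower() in ('true', '1', 'yes')
    findings = []
    if conf.get('APT::Periodic::Enable') == '0':
        findings.append('APT::Periodic::Enable is 0: periodic jobs are disabled')
    if not on('APT::Periodic::Unattended-Upgrade'):
        findings.append('APT::Periodic::Unattended-Upgrade is 0 or unset: upgrades never run')
    elif not on('APT::Periodic::Update-Package-Lists'):
        findings.append('Update-Package-Lists is 0 or unset: upgrades use stale package lists')
    if not conf.get('Unattended-Upgrade::Origins-Pattern'):
        findings.append('Origins-Pattern is empty: no repository is allowed for upgrades')
    if yes('Unattended-Upgrade::Automatic-Reboot') and 'Unattended-Upgrade::Automatic-Reboot-Time' not in conf:
        findings.append('Automatic-Reboot without Automatic-Reboot-Time: reboot right after the upgrade')
    if yes('Unattended-Upgrade::MailOnlyOnError') and not conf.get('Unattended-Upgrade::Mail'):
        findings.append('MailOnlyOnError is set but Mail is not: failures are reported to nobody')
    return findings

if __name__ == '__main__':
    for finding in audit(parse(SAMPLE)):
        print('WARN', finding)
```

To check a real host, pass the concatenated contents of the two files under /etc/apt/apt.conf.d/ to parse instead of SAMPLE.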
Running unattended-upgrade
After everything is configured, you can run it with --dry-run to test:
root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
And if any upgrades are available – install them:
root@bitwarden-production:/home/admin# unattended-upgrade -v -d
Email configuration
You can use a local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so we will use AWS SES here.
To send emails via AWS SES, install a local SMTP client, for example ssmtp:
root@bitwarden-production:/home/admin# apt install mailutils ssmtp
Edit /etc/ssmtp/ssmtp.conf:
root=admin@example.com
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com
Configure Mail From for SSMTP – set a mailbox that is configured in our AWS SES; otherwise you will receive a “554 Message rejected: Email address is not verified” error.
Edit the /etc/ssmtp/revaliases file:
root: no-repy@example.com
Check email sending:
root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" admin@example.com
Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.
Done.