DEV Community

Arseny Zinchenko
Posted on • Originally published at rtfm.co.ua on

Debian: unattended-upgrades – automatic upgrades installation with email notifications via AWS SES

The unattended-upgrades package installs upgrades automatically on Debian/Ubuntu systems.

It’s a Python script (1500 lines) located at /usr/bin/unattended-upgrade; /usr/bin/unattended-upgrades is a symlink to it.

The CentOS/RHEL analog is yum-cron.

Install it:

$ sudo apt -y install unattended-upgrades

The main config file is /etc/apt/apt.conf.d/50unattended-upgrades, where upgrade types, email settings, etc. can be configured.

Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or with dpkg-reconfigure unattended-upgrades:

20auto-upgrades

The /etc/apt/apt.conf.d/20auto-upgrades options:

  • APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
  • APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable it entirely
  • APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
  • APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
  • APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
  • APT::Periodic::Verbose: verbosity of the emailed reports:
    • 0 – disabled entirely
    • 1 – whole upgrade process
    • 2 – same as above + packages stdout
    • 3 – same as above + tracing
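
A check for the schedule options listed above, as an added example that is not part of the original post. The function names and the two sample files are constructed, and values are treated as plain day counts, as the list describes.

```shell
#!/bin/sh
# Added example: audit a 20auto-upgrades style file. Function names and
# sample files are constructed for illustration.

# periodic_value FILE KEY -> prints the value of APT::Periodic::KEY, or
# nothing if it is absent. Commented-out lines never match because their
# first field is "//". This parser keeps the last assignment in the file.
periodic_value() {
    awk -v key="APT::Periodic::$2" '
        $1 == key { v = $2; gsub(/[";]/, "", v); val = v }
        END { if (val != "") print val }
    ' "$1"
}

# audit_auto_upgrades FILE -> returns 0 when package lists are refreshed
# and upgrades are installed; prints a finding and returns 1 otherwise.
audit_auto_upgrades() {
    rc=0
    if [ "$(periodic_value "$1" Enable)" = "0" ]; then
        echo "APT::Periodic::Enable is 0: periodic jobs are disabled"
        rc=1
    fi
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case "$val" in
            ""|0) echo "APT::Periodic::$key is unset or 0: job never runs"
                  rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
EOF
cat > "$tmp/bad" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
// APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
audit_auto_upgrades "$tmp/good" && echo "good: ok"
audit_auto_upgrades "$tmp/bad" || echo "bad: needs attention"
```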

50unattended-upgrades

Unattended-Upgrade::Origins-Pattern

Unattended-Upgrade::Origins-Pattern describes repositories to be used for upgrades:

...
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...

${distro_codename} is replaced with the Debian release codename, which is stretch at the time of writing.

Unattended-Upgrade::Package-Blacklist

List of packages to skip during upgrades:

...
Unattended-Upgrade::Package-Blacklist {
   "openjdk-8-jdk";
};
...

Unattended-Upgrade::Remove-Unused-Dependencies

Delete unused packages with apt-get autoremove:

...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...

Unattended-Upgrade::Mail

The most useful option: send an email notification after upgrades. It uses mail from the mailutils package.

...
Unattended-Upgrade::Mail "user@example.com";
...

Or:

...
Unattended-Upgrade::Mail "root";
...

Unattended-Upgrade::MailOnlyOnError

Send such notifications only if problems were found during the upgrade:

...
Unattended-Upgrade::MailOnlyOnError "true";
...

Unattended-Upgrade::Automatic-Reboot

Reboot the server automatically if /var/run/reboot-required is found:

...
Unattended-Upgrade::Automatic-Reboot "true";
...

The reboot happens immediately after the upgrade if no Automatic-Reboot-Time is set.

Unattended-Upgrade::Automatic-Reboot-Time

If Unattended-Upgrade::Automatic-Reboot is set to true, Automatic-Reboot-Time can be used to set the time for reboots:

...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...

Running unattended-upgrade

After everything is configured, you can run it with --dry-run to test:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []

No packages found that can be upgraded unattended and no pending auto-removals

And if any upgrades are available, install them:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d

Email configuration

You can use the local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked the IP of this host, so I will use AWS SES here.

To send emails via AWS SES, install a local SMTP client, for example, ssmtp:

root@bitwarden-production:/home/admin# apt install mailutils ssmtp

Edit /etc/ssmtp/ssmtp.conf:

root=admin@example.com
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com

Configure the Mail From address for ssmtp: set a mailbox that is configured in our AWS SES, otherwise you will receive the “554 Message rejected: Email address is not verified” error.

Edit the /etc/ssmtp/revaliases file:

root: no-repy@example.com

Check email sending:

root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" admin@example.com
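
Pre-flight checks for the ssmtp setup above, as an added example that is not part of the original post: ssmtp.conf holds the SES SMTP password in clear text, so the check fails if the file is world-readable or if credentials are configured without UseTLS=YES. The function names, sample files and the sender address are constructed.

```shell
#!/bin/sh
# Added example: pre-flight checks for the ssmtp setup above.
# Function names and sample files are constructed for illustration.

# check_ssmtp_conf FILE -> returns 0 if FILE is fit to hold SMTP credentials.
check_ssmtp_conf() {
    rc=0
    # AuthPass is stored in clear text: the file must not be world-readable.
    if [ -n "$(find "$1" -prune -perm -004)" ]; then
        echo "$1: world-readable, any local user can read AuthPass"
        rc=1
    fi
    # With credentials present, require UseTLS=YES as in the config above.
    if grep -qi '^AuthPass=' "$1" && ! grep -qi '^UseTLS=YES' "$1"; then
        echo "$1: AuthPass is set but UseTLS=YES is missing"
        rc=1
    fi
    return "$rc"
}

# sender_for USER FILE -> prints the From address revaliases maps USER to.
sender_for() {
    awk -F: -v u="$1" '
        $1 == u { gsub(/[[:space:]]/, "", $2); print $2; exit }
    ' "$2"
}

# Constructed samples; the credentials are placeholders.
tmp=$(mktemp -d)
printf '%s\n' 'mailhub=email-smtp.us-east-1.amazonaws.com:587' \
    'AuthUser=PLACEHOLDER' 'AuthPass=PLACEHOLDER' \
    'UseTLS=YES' 'UseSTARTTLS=YES' > "$tmp/ssmtp.conf"
printf '%s\n' 'root: verified-sender@example.com' > "$tmp/revaliases"

chmod 644 "$tmp/ssmtp.conf"
check_ssmtp_conf "$tmp/ssmtp.conf" || echo "fix: remove world-read (chmod 640)"
chmod 640 "$tmp/ssmtp.conf"
check_ssmtp_conf "$tmp/ssmtp.conf" && echo "ssmtp.conf ok"
echo "root sends as: $(sender_for root "$tmp/revaliases")"
```

The address printed by sender_for is the one that must be verified in AWS SES to avoid the 554 rejection.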

Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.

Done.
