Arseny Zinchenko

Posted on • Originally published at rtfm.co.ua on

Debian: unattended-upgrades – automatic upgrades installation with email notifications via AWS SES

The unattended-upgrades package performs automated installation of upgrades on Debian/Ubuntu systems.

It’s a Python script (about 1500 lines) located at /usr/bin/unattended-upgrade (and /usr/bin/unattended-upgrades is a symlink to /usr/bin/unattended-upgrade).

The CentOS/RHEL analog is yum-cron.

Install it:

$ sudo apt -y install unattended-upgrades

The main config file is /etc/apt/apt.conf.d/50unattended-upgrades, where upgrade types, email settings etc. can be configured.

Upgrade schedules are set in the /etc/apt/apt.conf.d/20auto-upgrades file, which can be created manually or with dpkg-reconfigure unattended-upgrades:

20auto-upgrades

The /etc/apt/apt.conf.d/20auto-upgrades options:

  • APT::Periodic::Enable: enable/disable upgrades, 1 to enable, 0 to disable
  • APT::Periodic::Update-Package-Lists: in days – how often to run apt update, 0 to disable at all
  • APT::Periodic::Download-Upgradeable-Packages: in days – how often to run apt-get upgrade --download-only
  • APT::Periodic::Unattended-Upgrade: in days – how often to run apt upgrade
  • APT::Periodic::AutocleanInterval: in days – how often to run apt-get autoclean
  • APT::Periodic::Verbose: emails verbose settings:
    • 0 – disable at all
    • 1 – whole upgrade process
    • 2 – same as above + packages stdout
    • 3 – same as above + tracing

50unattended-upgrades

Unattended-Upgrade::Origins-Pattern

Unattended-Upgrade::Origins-Pattern describes the repositories to be used for upgrades:

...
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
...

${distro_codename} will be replaced with the Debian codename, which is stretch at the time of writing.

Unattended-Upgrade::Package-Blacklist

Packages to be ignored during upgrades:

...
Unattended-Upgrade::Package-Blacklist {
   "openjdk-8-jdk";
};
...

Unattended-Upgrade::Remove-Unused-Dependencies

Remove unused packages with apt-get autoremove:

...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...

Unattended-Upgrade::Mail

The most useful option: send an email notification after upgrades. It uses mail from the mailutils package.

...
Unattended-Upgrade::Mail "user@example.com";
...

Or:

...
Unattended-Upgrade::Mail "root";
...

Unattended-Upgrade::MailOnlyOnError

Send such notifications only if problems were found during the upgrade:

...
Unattended-Upgrade::MailOnlyOnError "true";
...

Unattended-Upgrade::Automatic-Reboot

Reboot the server automatically if /var/run/reboot-required is found:

...
Unattended-Upgrade::Automatic-Reboot "true";
...

The reboot will happen immediately after the upgrade if no Automatic-Reboot-Time is set.

Unattended-Upgrade::Automatic-Reboot-Time

If Unattended-Upgrade::Automatic-Reboot is set to true, then Automatic-Reboot-Time can be used to set the time for reboots:

...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
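To check what the two files above actually configure before enabling the timer, here is a small added helper (my own example, not part of the original post or the unattended-upgrades project). It parses the apt.conf subset used in 20auto-upgrades and 50unattended-upgrades, expands ${distro_codename} the way the dry-run output shows, and flags a few settings that silently weaken the setup; the sample fragments are constructed to mirror the values in this post.

```python
import re

# Constructed sample fragments mirroring the values shown in this post.
AUTO_UPGRADES = '''
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
'''
UNATTENDED = '''
// Debian security updates only
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist { "openjdk-8-jdk"; };
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Automatic-Reboot "true";
'''

SCALAR = re.compile(r'^\s*([\w:.-]+)\s+"([^"]*)"\s*;', re.M)
LIST = re.compile(r'^\s*([\w:.-]+)\s*\{(.*?)\};', re.M | re.S)

def parse_apt_conf(text):
    """Parse the apt.conf subset used here: Key "v"; and Key { "a"; "b"; };"""
    text = re.sub(r'//.*', '', text)        # drop // comments
    conf = dict(SCALAR.findall(text))       # scalar options
    for key, body in LIST.findall(text):    # list options
        conf[key] = re.findall(r'"([^"]*)"', body)
    return conf

def expand_origins(conf, codename):
    """Substitute ${distro_codename} as unattended-upgrade does at run time."""
    return [o.replace('${distro_codename}', codename)
            for o in conf.get('Unattended-Upgrade::Origins-Pattern', [])]

def audit(auto, ua):
    """Return findings about the effective posture (defaults are assumptions)."""
    f = []
    if auto.get('APT::Periodic::Enable', '1') == '0':
        f.append('periodic jobs disabled')
    if auto.get('APT::Periodic::Unattended-Upgrade', '0') == '0':
        f.append('unattended-upgrade never runs')
    if not any('Security' in o for o in expand_origins(ua, '')):
        f.append('no security origin')
    if not ua.get('Unattended-Upgrade::Mail'):
        f.append('no Mail address')
    if (ua.get('Unattended-Upgrade::Automatic-Reboot') == 'true'
            and not ua.get('Unattended-Upgrade::Automatic-Reboot-Time')):
        f.append('reboot immediately after upgrade')
    return f
```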

Running unattended-upgrade

After everything is configured, you can execute it with --dry-run to test:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['origin=Debian,codename=stretch,label=Debian-Security']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []

No packages found that can be upgraded unattended and no pending auto-removals

And if any upgrades are available, install them:

root@bitwarden-production:/home/admin# unattended-upgrade -v -d

Email configuration

You can use local Exim (see Exim: Mailing to remote domains not supported), but Gmail blocked this host’s IP, so AWS SES will be used here.

To send emails via AWS SES, install a local SMTP client, for example ssmtp:

root@bitwarden-production:/home/admin# apt install mailutils ssmtp

Edit /etc/ssmtp/ssmtp.conf:

root=admin@example.com
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com

Configure Mail From for SSMTP: set a mailbox that is verified in your AWS SES, otherwise you will receive a “554 Message rejected: Email address is not verified” error.

Edit /etc/ssmtp/revaliases file:

root: no-repy@example.com

Check email sending:

root@bitwarden-production:/home/admin# echo "Test" | mail -s "Test" admin@example.com
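The 554 error above comes from the effective From address, so it is worth resolving that address before sending a test. The following added helper (my own example, not from the post or from ssmtp) parses ssmtp.conf and revaliases, works out which sender ssmtp will use for a given local user, and flags a non-verified sender or an unencrypted mailhub; the sample files are constructed with placeholder credentials, and the ssmtp behaviour it assumes is that an unaliased user sends as user@hostname.

```python
# Constructed samples mirroring the post's setup; credentials are placeholders.
SSMTP_CONF = """root=admin@example.com
mailhub=email-smtp.us-east-1.amazonaws.com:587
AuthUser=AKI***OAQ
AuthPass=BH3***gpM
UseTLS=YES
UseSTARTTLS=YES
hostname=accounts.example.com
"""
REVALIASES = "root: no-reply@example.com\n"

def parse_ssmtp_conf(text):
    """Parse ssmtp.conf: key=value lines, '#' comments, blank lines ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if '=' in line:
            key, value = line.split('=', 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_revaliases(text):
    """Map local account -> outgoing address (format: account:address[:mailhub])."""
    aliases = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(':')]
        if len(parts) >= 2 and parts[0]:
            aliases[parts[0]] = parts[1]
    return aliases

def sender_for(user, conf, aliases):
    """Address ssmtp puts in From: the revalias, else user@hostname (assumption)."""
    return aliases.get(user) or f"{user}@{conf.get('hostname', 'localhost')}"

def audit_ssmtp(user, conf, aliases, verified):
    """Findings for one sending user; 'verified' is the set of SES-verified addresses."""
    findings = []
    host, _, port = conf.get('mailhub', '').partition(':')
    if conf.get('UseTLS', 'NO').upper() != 'YES':
        findings.append('credentials would be sent without TLS')
    elif port == '587' and conf.get('UseSTARTTLS', 'NO').upper() != 'YES':
        findings.append('port 587 needs UseSTARTTLS=YES')
    if not conf.get('AuthUser') or not conf.get('AuthPass'):
        findings.append('AuthUser/AuthPass missing: SES requires SMTP auth')
    sender = sender_for(user, conf, aliases)
    if sender not in verified:
        findings.append(f'sender {sender} not verified in SES (554)')
    return findings
```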

Logs, if any, can be found in the /var/log/unattended-upgrades/ directory.

Done.
