====== Auto updates ======
Here's how to set up your Debian system to update automatically.
This page describes how to set up automatic security updates with ''unattended-upgrades'' and email notifications via ''msmtp'' on Debian Linux systems. [std](https://std.rocks/gnulinux_debian_auto_update.html)
===== 1. Install unattended-upgrades and msmtp =====
apt update
apt install -y unattended-upgrades msmtp msmtp-mta mailutils
dpkg-reconfigure -plow unattended-upgrades
Notes: [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
* ''msmtp-mta'' provides ''/usr/sbin/sendmail'' so system mail (cron, unattended-upgrades, etc.) goes through msmtp.
* ''mailutils'' provides the ''mail'' CLI for quick tests.
Check that ''sendmail'' points to msmtp:
readlink -f /usr/sbin/sendmail
# should be /usr/bin/msmtp or an msmtp-mta symlink
===== 2. Configure msmtp =====
Create ''/etc/msmtprc'':
cat >/etc/msmtprc <<'EOF'
# Global msmtp config
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile /var/log/msmtp.log
account default
host smtp.yourdomain.tld
port 587
from unattended@yourdomain.tld
user user@yourdomain.tld
password CHANGE_ME
EOF
chmod 600 /etc/msmtprc
touch /var/log/msmtp.log
chmod 640 /var/log/msmtp.log
Adjust: ''host'', ''port'', ''from'', ''user'', and ''password'' for your SMTP provider. [gist.github](https://gist.github.com/movd/7a9e3db63d076f85d16c7dcde62fe401)
For providers using SMTPS (465/SSL) instead of STARTTLS on 587, change:
* ''port 465''
* keep ''tls on''
* add ''tls_starttls off''
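Before handing this file to unattended mail it is worth checking the two things that go wrong most often: the file holds the SMTP password, so it must not be group- or world-readable, and the port must match the TLS mode (587 with STARTTLS, 465 with ''tls_starttls off''). The script below is an added example, not part of this page or of msmtp; the two ''msmtprc'' samples it writes are constructed for the demo, and ''stat -c'' assumes GNU coreutils as shipped on Debian.

```shell
#!/bin/sh
# Added example (not from the page): sanity-check an msmtprc before trusting it
# for unattended mail. Checks owner-only permissions, leftover placeholder
# password, tls on, and the port / tls_starttls pairing described above.

# write_sample_configs DIR: constructed configs used by the demo and test.
write_sample_configs() {
    cat >"$1/msmtprc.bad" <<'EOF'
defaults
auth on
tls on
account default
host smtp.yourdomain.tld
port 465
user user@yourdomain.tld
password CHANGE_ME
EOF
    chmod 644 "$1/msmtprc.bad"   # group/world readable: the password leaks
    cat >"$1/msmtprc.good" <<'EOF'
defaults
auth on
tls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account default
host smtp.yourdomain.tld
port 465
tls_starttls off
user user@yourdomain.tld
password constructed-secret
EOF
    chmod 600 "$1/msmtprc.good"
}

# check_msmtprc FILE: prints each problem found, returns 0 only if none.
check_msmtprc() {
    f="$1"; rc=0
    mode=$(stat -c '%a' "$f")          # GNU stat (Debian coreutils)
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $f mode $mode, expected 600 (file contains the SMTP password)"; rc=1 ;;
    esac
    if grep -Eq '^[[:space:]]*password[[:space:]]+CHANGE_ME' "$f"; then
        echo "FAIL: placeholder password CHANGE_ME still present"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*tls[[:space:]]+on' "$f"; then
        echo "FAIL: tls is not on; credentials would travel in clear text"; rc=1
    fi
    # last value wins, as in msmtp itself
    port=$(awk '$1 == "port" { p = $2 } END { print p }' "$f")
    starttls=$(awk '$1 == "tls_starttls" { s = $2 } END { print s }' "$f")
    case "$port" in
        465) [ "$starttls" = "off" ] || { echo "FAIL: port 465 is SMTPS; add tls_starttls off"; rc=1; } ;;
        587) [ "$starttls" != "off" ] || { echo "FAIL: port 587 uses STARTTLS; remove tls_starttls off"; rc=1; } ;;
        "")  echo "FAIL: no port configured"; rc=1 ;;
    esac
    return $rc
}

# Demo on the constructed files.
d=$(mktemp -d)
write_sample_configs "$d"
for f in "$d/msmtprc.bad" "$d/msmtprc.good"; do
    if check_msmtprc "$f"; then echo "OK: $f"; fi
done
```

Run ''check_msmtprc /etc/msmtprc'' on a real host; the bad sample above fails three checks (permissions, placeholder password, port 465 without ''tls_starttls off'') and the good one passes.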
==== Optional: aliases for local users ====
Create ''/etc/msmtp-aliases'':
cat >/etc/msmtp-aliases <<'EOF'
root: user@yourdomain.tld
default: user@yourdomain.tld
EOF
chmod 600 /etc/msmtp-aliases
Add the aliases line inside ''/etc/msmtprc'' (in the ''account default'' block): [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
aliases /etc/msmtp-aliases
==== Optional: make the mail(1) command use msmtp ====
Create ''/etc/mail.rc'':
cat >/etc/mail.rc <<'EOF'
set sendmail="/usr/bin/msmtp -t"
set from=unattended@fortier.it
EOF
===== 3. Test msmtp and CLI mail =====
==== Direct msmtp test ====
echo "Hello from $(hostname)" | msmtp -d user@yourdomain.tld
If there is a problem, inspect:
tail -n 50 /var/log/msmtp.log
for SMTP / TLS / auth errors. [manpages.debian](https://manpages.debian.org/testing/msmtp/msmtp.1.en.html)
==== Test via mail(1) (what unattended-upgrades uses) ====
echo "Test via mail from $(hostname)" | mail -s "msmtp mail test $(hostname)" arnaud@fortier.it
If this arrives, the system-wide mail path is working.
===== 4. Configure unattended-upgrades mail and origins =====
Edit ''/etc/apt/apt.conf.d/50unattended-upgrades'' and make sure the following lines are present and not commented: [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
Unattended-Upgrade::Mail "user@yourdomain.tld";
Unattended-Upgrade::MailReport "always";
Typical ''Origins-Pattern'' for Debian 13 (adjust for Raspbian or other origins):
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Debian,codename=${distro_codename}-updates,label=Debian";
};
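The origin, codename and label that each pattern must match are exactly the ''o='', ''n='' and ''l='' fields that ''apt-cache policy'' prints for every repository, so the safest way to write the block for a Raspbian, Docker or other repository is to read them from there. The script below is an added example, not from this page or from unattended-upgrades; its input is a constructed excerpt of ''apt-cache policy'' output on a Debian 13 host with Docker's repository added (the ''o=Docker'' / ''l=Docker CE'' values are an assumption), and it substitutes ''${distro_codename}'' for the running codename so the result survives a release upgrade.

```shell
#!/bin/sh
# Added example (not from the page): derive Origins-Pattern entries for
# 50unattended-upgrades from `apt-cache policy` output. Sample input is a
# constructed excerpt; the Docker repository's o=/l= values are assumed.

SAMPLE_POLICY=$(cat <<'EOF'
 500 http://deb.debian.org/debian trixie/main amd64 Packages
     release v=13.0,o=Debian,a=stable,n=trixie,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 http://security.debian.org/debian-security trixie-security/main amd64 Packages
     release v=13,o=Debian,a=trixie-security,n=trixie-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://deb.debian.org/debian trixie-updates/main amd64 Packages
     release v=13-updates,o=Debian,a=trixie-updates,n=trixie-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 https://download.docker.com/linux/debian trixie/stable amd64 Packages
     release o=Docker,a=trixie,n=trixie,l=Docker CE,c=stable,b=amd64
     origin download.docker.com
EOF
)

# origins_from_policy CODENAME: read `apt-cache policy` on stdin and print one
# Origins-Pattern line per distinct (origin, codename, label). CODENAME is
# replaced by ${distro_codename}; each line is quoted and ends with ';'.
origins_from_policy() {
    awk -v cn="$1" '
        $1 == "release" {
            line = $0
            sub(/^[[:space:]]*release[[:space:]]+/, "", line)
            n = split(line, kv, ",")          # labels may contain spaces, so split on commas only
            o = ""; nm = ""; l = ""
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
                if (k == "o") o = v
                else if (k == "n") nm = v
                else if (k == "l") l = v
            }
            if (o == "" || nm == "") next
            if (cn != "" && index(nm, cn) == 1)
                nm = "${distro_codename}" substr(nm, length(cn) + 1)
            pat = "\"origin=" o ",codename=" nm ",label=" l "\";"
            if (!(pat in seen)) { seen[pat] = 1; print pat }
        }'
}

# Demo: print a ready-to-paste block for the constructed sample.
echo 'Unattended-Upgrade::Origins-Pattern {'
printf '%s\n' "$SAMPLE_POLICY" | origins_from_policy trixie | sed 's/^/    /'
echo '};'
```

On a real host, feed it ''apt-cache policy | origins_from_policy "$(lsb_release -sc)"'' and delete the repositories you do not want upgraded unattended; because the match is on the exact origin and label, a repository that is not listed is never upgraded.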
===== 5. Enable and check apt systemd timers =====
Enable the standard apt timers: [exampleconfig](https://exampleconfig.com/default/apt/etc-systemd-apt-daily-upgrade-timer)
systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
List timers:
systemctl list-timers 'apt-daily*'
You should see:
* ''apt-daily.timer''
* ''apt-daily-upgrade.timer''
with ''NEXT'' showing future times.
===== 6. Live tests for unattended-upgrades =====
==== A. Manual debug run (immediate mail) ====
unattended-upgrades --dry-run --debug
At the end you should see lines similar to: [prezu](https://prezu.ca/post/unattended-upgrades-debian/)
* ''Sending mail to ...''
* ''mail returned: 0''
A notification email should arrive even if there are:
* ''No packages found that can be upgraded unattended and no pending auto-removals''
==== B. Simulate a real timer run ====
Trigger the same service that the timer calls:
systemctl start apt-daily-upgrade.service
journalctl -u apt-daily-upgrade.service -n 50
Then check the unattended-upgrades log:
tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
You should see one of:
* ''Packages that will be upgraded: ... All upgrades installed''
* ''No packages found that can be upgraded unattended and no pending auto-removals''
In both cases a mail report should have been sent. [std](https://std.rocks/gnulinux_debian_auto_update.html)
If something fails, check:
* Mail errors: ''tail -n 50 /var/log/msmtp.log''
* Apt / unattended-upgrades errors: ''journalctl -u apt-daily-upgrade.service -n 50''
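The mail report tells you what happened, but a monitoring check should not depend on mail delivery working: the same outcome can be read from ''unattended-upgrades.log''. The script below is an added example, not from this page or from unattended-upgrades; it summarises the last run (everything after the last "Starting unattended upgrades script" line) as status, package list and whether a reboot was flagged. The three sample logs are constructed; the wording of the "Packages that will be upgraded", "All upgrades installed" and "No packages found" lines follows the messages quoted above, while the ERROR and reboot-required lines are assumed.

```shell
#!/bin/sh
# Added example (not from the page): summarise the last unattended-upgrades
# run from /var/log/unattended-upgrades/unattended-upgrades.log. The sample
# logs are constructed; ERROR and reboot-required wording is assumed.

# write_sample_logs DIR: three constructed logs, each ending in a different outcome.
write_sample_logs() {
    cat >"$1/upgraded.log" <<'EOF'
2025-01-09 02:15:02,004 INFO Starting unattended upgrades script
2025-01-09 02:15:04,118 INFO No packages found that can be upgraded unattended and no pending auto-removals
2025-01-10 02:15:03,118 INFO Starting unattended upgrades script
2025-01-10 02:15:03,119 INFO Allowed origins are: origin=Debian,codename=trixie,label=Debian, origin=Debian,codename=trixie-security,label=Debian-Security
2025-01-10 02:15:05,401 INFO Packages that will be upgraded: libssl3t64 openssl
2025-01-10 02:15:05,402 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2025-01-10 02:15:12,877 INFO All upgrades installed
2025-01-10 02:15:12,900 WARNING Found /var/run/reboot-required, rebooting
EOF
    cat >"$1/nothing.log" <<'EOF'
2025-01-10 02:15:03,118 INFO Starting unattended upgrades script
2025-01-10 02:15:04,200 INFO No packages found that can be upgraded unattended and no pending auto-removals
EOF
    cat >"$1/failed.log" <<'EOF'
2025-01-10 02:15:03,118 INFO Starting unattended upgrades script
2025-01-10 02:15:05,401 INFO Packages that will be upgraded: libssl3t64
2025-01-10 02:15:09,015 ERROR Installing the upgrades failed!
2025-01-10 02:15:09,016 ERROR error message: E:Sub-process /usr/bin/dpkg returned an error code (1)
EOF
}

# last_run_status FILE: one line "status=... packages=... reboot=..." for the
# last run. status is UPGRADED, NOTHING, ERROR, or UNKNOWN (a run started but
# logged no outcome, e.g. still running or killed). Each "Starting" line
# resets the state, so only the most recent run is reported.
last_run_status() {
    awk '
        / INFO Starting unattended upgrades script/ { status = "UNKNOWN"; pkgs = ""; reboot = 0; next }
        / ERROR / { status = "ERROR" }
        / INFO Packages that will be upgraded: / { sub(/.*Packages that will be upgraded: /, ""); pkgs = $0 }
        status != "ERROR" && / INFO All upgrades installed/ { status = "UPGRADED" }
        status != "ERROR" && / INFO No packages found that can be upgraded unattended/ { status = "NOTHING" }
        /reboot-required/ { reboot = 1 }
        END {
            if (status == "") status = "UNKNOWN"
            gsub(/ /, ",", pkgs)
            printf "status=%s packages=%s reboot=%s\n", status, (pkgs == "" ? "-" : pkgs), (reboot ? "yes" : "no")
        }' "$1"
}

# Demo on the constructed logs.
d=$(mktemp -d)
write_sample_logs "$d"
for f in "$d"/*.log; do
    printf '%s: %s\n' "$(basename "$f")" "$(last_run_status "$f")"
done
```

''last_run_status /var/log/unattended-upgrades/unattended-upgrades.log'' gives a single line that a cron job or monitoring agent can alert on; anything other than ''status=UPGRADED'' or ''status=NOTHING'' after the scheduled time means the run needs a look, and ''reboot=yes'' on a host without ''Automatic-Reboot'' means a pending kernel or libc fix is not yet in effect.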
===== 7. Minimal checklist =====
  - Install:
    - ''apt install unattended-upgrades msmtp msmtp-mta mailutils''
  - Configure ''/etc/msmtprc'' (and optional ''/etc/msmtp-aliases'', ''/etc/mail.rc''); test with:
    - ''echo test | msmtp -d you@example.com''
    - ''echo test | mail -s "test" you@example.com''
  - Set in ''/etc/apt/apt.conf.d/50unattended-upgrades'':
    - ''Unattended-Upgrade::Mail "you@example.com";''
    - ''Unattended-Upgrade::MailReport "always";''
  - Enable timers:
    - ''systemctl enable --now apt-daily.timer apt-daily-upgrade.timer''
  - Test unattended-upgrades:
    - ''unattended-upgrades --dry-run --debug''
    - ''systemctl start apt-daily-upgrade.service''
[techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
====== :!: OLD :!: Below ======
====== Install ======
apt-get install -y unattended-upgrades apt-listchanges mailutils postfix
====== Config ======
vi /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
//"${distro_id}ESMApps:${distro_codename}-apps-security";
//"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
//"${distro_id}:${distro_codename}-proposed";
//"${distro_id}:${distro_codename}-backports";
"Docker:${distro_codename}";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "arnaud+XXXXXXXXX@fortier-family.com";
// Set this value to one of:
// "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "on-change";
// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Automate:
dpkg-reconfigure -plow unattended-upgrades
Mails:
dpkg-reconfigure postfix
systemctl reload postfix
Test:
unattended-upgrade -d
====== Reboot automatic when needed ======
vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
This refreshes the package lists and runs unattended-upgrade once a day.
vi /etc/apt/apt.conf.d/50unattended-upgrades
...
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
systemctl restart unattended-upgrades
====== Mail via msmtp ======
apt install msmtp msmtp-mta mailutils
vi /etc/msmtprc
defaults
auth on
tls on
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
# SMTP server config
account default
host mail.fortier-family.com
port 465
from arnaud+SERV@fortier-family.com
user arnaud@fortier-family.com
password *********LOL***********
Test:
echo "Test mail from $(hostname)" | mail -s "Test subject" arnaud+srv1@fortier-family.com
====== Kali ======
Following https://bugs.kali.org/view.php?id=8587\\
Change in /etc/apt/apt.conf.d/50unattended-upgrades
// "origin=Debian,codename=${distro_codename},label=Debian-Security";
// "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Kali,codename=${distro_codename}";
====== Ubuntu ======
A bug prevents SIGTERM from being sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006
Let's make a service for that:
vi /etc/systemd/system/docker-graceful-stop.service
[Unit]
Description=Gracefully stop Docker containers before system shutdown or reboot
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
Requires=docker.service
After=network.target docker.service
[Service]
Type=oneshot
ExecStart=/bin/true
# systemd does not run a shell, so $(...) on an Exec line is passed literally;
# run the command through sh -c and write $ as $$ so systemd leaves it alone.
ExecStop=/bin/sh -c 'ids=$$(/usr/bin/docker ps -q); [ -z "$$ids" ] || /usr/bin/docker stop $$ids'
RemainAfterExit=yes
TimeoutStopSec=300
[Install]
WantedBy=halt.target reboot.target shutdown.target
systemctl daemon-reload
systemctl enable docker-graceful-stop.service
As always it's not that simple...
====== apt-daily-upgrade.timer ======
systemctl list-timers apt-daily-upgrade.timer
systemctl edit apt-daily-upgrade.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 02:15
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily-upgrade.timer
systemctl list-timers apt-daily-upgrade.timer
====== apt-daily.timer ======
Of course, apt-daily-upgrade only has something to install if apt-daily (the package-list refresh) has already run, so schedule that one earlier:
systemctl edit apt-daily.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 01:45
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily.timer
systemctl list-timers apt-daily.timer
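Two things decide whether this pair of overrides actually does what you expect: the empty ''OnCalendar='' line must come first (systemd adds ''OnCalendar='' values rather than replacing them, so without the reset the stock schedule and its randomized delay stay active alongside yours), and the apt-daily time must be earlier than the apt-daily-upgrade time. The script below is an added example, not from this page or from systemd; it parses drop-ins of the form written by ''systemctl edit'' (only the ''*-*-* HH:MM'' form shown above) and checks both conditions. The drop-ins it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the page): check a pair of systemd timer drop-ins
# so that apt-daily fires before apt-daily-upgrade and each drop-in clears
# the stock OnCalendar= before setting its own. Sample drop-ins are constructed.

# write_sample_dropins DIR: a good pair, an upgrade timer that fires too early,
# and an upgrade timer that forgot the reset line.
write_sample_dropins() {
    printf '[Timer]\nOnCalendar=\nOnCalendar=*-*-* 01:45\nRandomizedDelaySec=0\nPersistent=true\n' >"$1/update.ok"
    printf '[Timer]\nOnCalendar=\nOnCalendar=*-*-* 02:15\nRandomizedDelaySec=0\nPersistent=true\n' >"$1/upgrade.ok"
    printf '[Timer]\nOnCalendar=\nOnCalendar=*-*-* 01:00\nRandomizedDelaySec=0\n' >"$1/upgrade.early"
    printf '[Timer]\nOnCalendar=*-*-* 02:15\nRandomizedDelaySec=0\n' >"$1/upgrade.noreset"
}

# timer_minutes FILE: minutes after midnight of the last "OnCalendar=*-*-* HH:MM"
# line, or -1 if there is none (other calendar expressions are not parsed here).
timer_minutes() {
    awk -F'=' '
        /^OnCalendar=\*-\*-\* [0-9][0-9]:[0-9][0-9]/ {
            split($2, a, " "); split(a[2], t, ":"); m = t[1] * 60 + t[2]
        }
        END { if (m == "") m = -1; print m }' "$1"
}

# check_timer_order UPDATE_DROPIN UPGRADE_DROPIN: returns 0 when the schedule is sane.
check_timer_order() {
    rc=0
    for f in "$1" "$2"; do
        # Without an empty OnCalendar= the drop-in adds a second schedule and
        # the default one (with its own randomized delay) keeps firing too.
        grep -qx 'OnCalendar=' "$f" || { echo "WARN: $f lacks the OnCalendar= reset line"; rc=1; }
    done
    u=$(timer_minutes "$1"); g=$(timer_minutes "$2")
    if [ "$u" -lt 0 ] || [ "$g" -lt 0 ]; then
        echo "FAIL: could not read a daily HH:MM from both drop-ins"; return 1
    fi
    if [ "$u" -ge "$g" ]; then
        echo "FAIL: apt-daily at $u min is not before apt-daily-upgrade at $g min"; rc=1
    fi
    return $rc
}

# Demo on the constructed drop-ins.
d=$(mktemp -d)
write_sample_dropins "$d"
for pair in "update.ok upgrade.ok" "update.ok upgrade.early" "update.ok upgrade.noreset"; do
    set -- $pair
    if check_timer_order "$d/$1" "$d/$2"; then echo "OK: $1 -> $2"; fi
done
```

On a real host the two drop-ins live at ''/etc/systemd/system/apt-daily.timer.d/override.conf'' and ''/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf''; ''systemctl list-timers 'apt-daily*''' after ''daemon-reload'' is the final confirmation that ''NEXT'' shows the times you set.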
====== Reference ======
* https://wiki.debian.org/UnattendedUpgrades