os:debian:unattendedupgrades (revision 2026/06/07 11:13, current, by warnaud; previous revision 2024/01/09 07:25)
====== Auto updates ======
Here's how to set up your Debian to update automatically.

This page describes how to set up automatic security updates with ''unattended-upgrades'' and email notifications via ''msmtp'' on Debian Linux systems. [[https://std.rocks/gnulinux_debian_auto_update.html|std]]

===== 1. Install unattended-upgrades and msmtp =====

<code bash>
apt update
apt install -y unattended-upgrades msmtp msmtp-mta mailutils
dpkg-reconfigure -plow unattended-upgrades
</code>

Notes: [[https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/|freundschafter]]

  * ''msmtp-mta'' provides ''/usr/sbin/sendmail'' so system mail (cron, unattended-upgrades, etc.) goes through msmtp.
  * ''mailutils'' provides the ''mail'' CLI for quick tests.

Check that ''sendmail'' points to msmtp:

<code bash>
readlink -f /usr/sbin/sendmail
# should be /usr/bin/msmtp or an msmtp-mta symlink
</code>

===== 2. Configure msmtp =====

Create ''/etc/msmtprc'':

<code bash>
cat >/etc/msmtprc <<'EOF'
# Global msmtp config

defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
logfile        /var/log/msmtp.log

account        default
host           smtp.yourdomain.tld
port           587
from           unattended@yourdomain.tld
user           user@yourdomain.tld
password       CHANGE_ME
EOF

chmod 600 /etc/msmtprc
touch /var/log/msmtp.log
chmod 640 /var/log/msmtp.log
</code>

Adjust ''host'', ''port'', ''from'', ''user'' and ''password'' for your SMTP provider. [[https://gist.github.com/movd/7a9e3db63d076f85d16c7dcde62fe401|gist.github]]

For providers using SMTPS (465/SSL) instead of STARTTLS on 587, change:

  * ''port 465''
  * keep ''tls on''
  * add ''tls_starttls off''
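The file above holds an SMTP password in clear text, which is why it must stay mode 600 (msmtp's ''passwordeval'' option can fetch the password from a command instead). The following script is an added example, not part of this page or of msmtp: it audits an msmtprc for the points that matter before root's mail is trusted to it. The mode-600 rule, the port/STARTTLS pairing from the list above, the ''CHANGE_ME'' placeholder check and the clear-text-password warning are this script's own policy; the sample config it creates is constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit an msmtprc before relying on
# it for root's mail. Exits 0 when every check passes, 1 otherwise, printing
# one line per finding. Policy choices (mode 600, clear-text warning) are ours.

# msmtprc_value FILE KEY -> first token after KEY on a non-comment line;
# the last occurrence wins, as it does for msmtp itself.
msmtprc_value() {
    grep -v '^[[:space:]]*#' "$1" | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# check_msmtprc FILE -> 0 if every check passes, 1 otherwise.
check_msmtprc() {
    file="$1"
    rc=0

    # Credentials live in this file, so nobody but root may read it.
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $file is mode $mode, expected 600"
        rc=1
    fi

    tls=$(msmtprc_value "$file" tls)
    port=$(msmtprc_value "$file" port)
    starttls=$(msmtprc_value "$file" tls_starttls)
    trust=$(msmtprc_value "$file" tls_trust_file)
    certcheck=$(msmtprc_value "$file" tls_certcheck)
    password=$(msmtprc_value "$file" password)
    passwordeval=$(msmtprc_value "$file" passwordeval)

    # Never submit credentials without TLS.
    if [ "$tls" != "on" ]; then
        echo "FAIL: tls is '$tls', expected on"
        rc=1
    fi

    # 465 is implicit TLS (SMTPS): STARTTLS must be off. 587 is STARTTLS:
    # leaving tls_starttls at its default (on) is right, turning it off is not.
    case "$port" in
        465) [ "$starttls" = "off" ] || { echo "FAIL: port 465 needs 'tls_starttls off'"; rc=1; } ;;
        587) [ "$starttls" != "off" ] || { echo "FAIL: port 587 uses STARTTLS, remove 'tls_starttls off'"; rc=1; } ;;
        "")  echo "FAIL: no port set"; rc=1 ;;
    esac

    # Without a trust file (or with certificate checks off) the server is not verified.
    if [ -z "$trust" ] || [ "$certcheck" = "off" ]; then
        echo "FAIL: set tls_trust_file and keep tls_certcheck on"
        rc=1
    fi

    # The placeholder from the template must have been replaced.
    if [ "$password" = "CHANGE_ME" ]; then
        echo "FAIL: password is still the CHANGE_ME placeholder"
        rc=1
    fi
    if [ -n "$password" ] && [ -z "$passwordeval" ]; then
        echo "WARN: password stored in clear text; consider passwordeval reading a mode-600 secret file"
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file passes all checks"
    return "$rc"
}

# Demo on a constructed config: SMTPS port without 'tls_starttls off' and the
# untouched placeholder, so three findings are expected.
demo_dir=$(mktemp -d)
cat >"$demo_dir/msmtprc" <<'EOF'
defaults
auth           on
tls            on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
account        default
host           smtp.yourdomain.tld
port           465
from           unattended@yourdomain.tld
user           user@yourdomain.tld
password       CHANGE_ME
EOF
chmod 600 "$demo_dir/msmtprc"
check_msmtprc "$demo_dir/msmtprc" || echo "(findings above are expected for the sample)"
rm -rf "$demo_dir"
```

Run it as ''sh check-msmtprc.sh'' and point ''check_msmtprc'' at ''/etc/msmtprc'' from a cron job or a configuration-management check; a non-zero exit means the mail path that unattended-upgrades depends on is misconfigured.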

==== Optional: aliases for local users ====

Create ''/etc/msmtp-aliases'':

<code bash>
cat >/etc/msmtp-aliases <<'EOF'
root:    user@yourdomain.tld
default: user@yourdomain.tld
EOF

chmod 600 /etc/msmtp-aliases
</code>

Add the ''aliases'' line to ''/etc/msmtprc'' (in the ''account default'' block): [[https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/|freundschafter]]

<code>
aliases /etc/msmtp-aliases
</code>

==== (optional) Make the mail(1) command use msmtp ====

Create ''/etc/mail.rc'':

<code bash>
cat >/etc/mail.rc <<'EOF'
set sendmail="/usr/bin/msmtp -t"
set from=unattended@fortier.it
EOF
</code>

===== 3. Test msmtp and CLI mail =====

==== Direct msmtp test ====

<code bash>
echo "Hello from $(hostname)" | msmtp -d user@yourdomain.tld
</code>

If there is a problem, inspect the log for SMTP, TLS or authentication errors: [[https://manpages.debian.org/testing/msmtp/msmtp.1.en.html|manpages.debian]]

<code bash>
tail -n 50 /var/log/msmtp.log
</code>

==== Test via mail(1) (what unattended-upgrades uses) ====

<code bash>
echo "Test via mail from $(hostname)" | mail -s "msmtp mail test $(hostname)" arnaud@fortier.it
</code>

If this arrives, the system-wide mail path is working.

===== 4. Configure unattended-upgrades mail and origins =====

Edit ''/etc/apt/apt.conf.d/50unattended-upgrades'' and make sure the following lines are present and not commented out: [[https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11|techlabs]]

<code>
Unattended-Upgrade::Mail "user@yourdomain.tld";
Unattended-Upgrade::MailReport "always";
</code>

Typical ''Origins-Pattern'' for Debian 13 (adjust for Raspbian or other origins):

<code>
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-updates,label=Debian";
};
</code>
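"Present and not commented out" is easy to get wrong by hand, since the stock file ships both lines commented with ''%%//%%''. The script below is an added example (not from this page or from the unattended-upgrades project) that parses such a fragment and fails if mail is unset, ''MailReport'' is not one of the documented values, or no uncommented security origin is listed. The parser is a small sed/awk affair that understands only the ''Key "value";'' and brace-block forms shown above; the file it builds for the demo is constructed. On a live host, ''apt-config dump | grep Unattended-Upgrade'' shows what apt actually merged from all of ''apt.conf.d''.

```shell
#!/bin/sh
# Added example (not from the wiki page): check an apt.conf.d fragment for the
# mail settings and the security origin this section asks for.

# uu_value FILE KEY -> quoted value of  Unattended-Upgrade::KEY "value";
# Lines commented out with // are ignored, so a commented line does not count.
uu_value() {
    grep -v '^[[:space:]]*//' "$1" |
        sed -n "s/^[[:space:]]*Unattended-Upgrade::$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" |
        tail -n 1
}

# uu_origins FILE -> one active (uncommented) Origins-Pattern entry per line.
uu_origins() {
    awk '/Unattended-Upgrade::Origins-Pattern/ { inblk = 1; next }
         inblk && /^[[:space:]]*}/            { inblk = 0 }
         inblk && !/^[[:space:]]*\/\//       { if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2) }' "$1"
}

# check_uu_conf FILE -> 0 when mail is configured and a security origin is active.
check_uu_conf() {
    file="$1"
    rc=0
    mail=$(uu_value "$file" Mail)
    report=$(uu_value "$file" MailReport)

    case "$mail" in
        "")  echo "FAIL: Unattended-Upgrade::Mail is unset or commented out; no reports will be sent"; rc=1 ;;
        *@*) ;;
        *)   echo "FAIL: Unattended-Upgrade::Mail '$mail' is not an address"; rc=1 ;;
    esac

    # Only these three values are documented in the stock 50unattended-upgrades.
    case "$report" in
        always|only-on-error|on-change) ;;
        "") echo "WARN: MailReport unset; the legacy MailOnlyOnError value decides" ;;
        *)  echo "FAIL: MailReport '$report' is not always/only-on-error/on-change"; rc=1 ;;
    esac

    if ! uu_origins "$file" | grep -q -- '-security'; then
        echo "FAIL: no active Origins-Pattern entry for the security suite"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $file mails $mail ($report) and tracks security updates"
    return "$rc"
}

# Demo on a constructed fragment whose security origin is still commented out.
demo_dir=$(mktemp -d)
cat >"$demo_dir/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian";
//        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-updates,label=Debian";
};
//Unattended-Upgrade::Mail "";
Unattended-Upgrade::Mail "user@yourdomain.tld";
Unattended-Upgrade::MailReport "always";
EOF
echo "active origins:"; uu_origins "$demo_dir/50unattended-upgrades"
check_uu_conf "$demo_dir/50unattended-upgrades" || echo "(the security finding is expected for the sample)"
rm -rf "$demo_dir"
```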

===== 5. Enable and check apt systemd timers =====

Enable the standard apt timers: [[https://exampleconfig.com/default/apt/etc-systemd-apt-daily-upgrade-timer|exampleconfig]]

<code bash>
systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
</code>

List timers:

<code bash>
systemctl list-timers 'apt-daily*'
</code>

You should see:

  * ''apt-daily.timer''
  * ''apt-daily-upgrade.timer''

with ''NEXT'' showing future times.

===== 6. Live tests for unattended-upgrades =====

==== A. Manual debug run (immediate mail) ====

<code bash>
unattended-upgrades --dry-run --debug
</code>

At the end you should see lines similar to: [[https://prezu.ca/post/unattended-upgrades-debian/|prezu]]

  * ''Sending mail to ...''
  * ''mail returned: 0''

A notification email should arrive even if there are:

  * ''No packages found that can be upgraded unattended and no pending auto-removals''

==== B. Simulate a real timer run ====

Trigger the same service that the timer calls:

<code bash>
systemctl start apt-daily-upgrade.service
journalctl -u apt-daily-upgrade.service -n 50
</code>

Then check the unattended-upgrades log:

<code bash>
tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
</code>

You should see either:

  * ''Packages that will be upgraded: ... All upgrades installed''
  * or
  * ''No packages found that can be upgraded unattended and no pending auto-removals''

In both cases a mail report should have been sent. [[https://std.rocks/gnulinux_debian_auto_update.html|std]]

If something fails:

  * Mail errors: ''tail -n 50 /var/log/msmtp.log''
  * Apt / unattended-upgrades errors: ''journalctl -u apt-daily-upgrade.service -n 50''
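Eyeballing ''tail'' works for one host; for a fleet you want the same three outcomes turned into an exit code. The script below is an added example, not from this page or the unattended-upgrades project: it isolates the most recent run in ''unattended-upgrades.log'' and classifies it as ''upgraded'', ''nothing-to-do'', ''error'' or ''unknown'' using the log lines quoted above. It assumes the ''Starting unattended upgrades script'' line separates runs (that is what the log shows on Debian, but treat the separator as an assumption) and the log lines it feeds itself are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki page): classify the last run recorded in
# /var/log/unattended-upgrades/unattended-upgrades.log for monitoring.

# uu_last_run [FILE] -> only the lines of the most recent run (stdin if no FILE).
# Assumption: every run starts with "Starting unattended upgrades script".
uu_last_run() {
    awk '/Starting unattended upgrades script/ { buf = "" }
         { buf = buf $0 "\n" }
         END { printf "%s", buf }' "${1:--}"
}

# uu_outcome [FILE] -> prints upgraded | nothing-to-do | error | unknown.
# Returns 0 for the two healthy outcomes, 1 otherwise, so it can drive an alert.
uu_outcome() {
    run=$(uu_last_run "$@")
    if printf '%s\n' "$run" | grep -q ' ERROR '; then
        echo error; return 1
    elif printf '%s\n' "$run" | grep -q 'All upgrades installed'; then
        echo upgraded; return 0
    elif printf '%s\n' "$run" | grep -q 'No packages found that can be upgraded unattended'; then
        echo nothing-to-do; return 0
    fi
    echo unknown; return 1
}

# uu_upgraded_packages [FILE] -> package names from the last run's
# "Packages that will be upgraded:" line, one per line (empty when none).
uu_upgraded_packages() {
    uu_last_run "$@" | sed -n 's/.*Packages that will be upgraded: //p' | tr ' ' '\n' | grep -v '^$' || true
}

# Demo on constructed log lines (two runs, the second one installed packages).
demo_log=$(mktemp)
cat >"$demo_log" <<'EOF'
2026-06-06 02:00:02,001 INFO Starting unattended upgrades script
2026-06-06 02:00:05,002 INFO No packages found that can be upgraded unattended and no pending auto-removals
2026-06-07 02:00:03,117 INFO Starting unattended upgrades script
2026-06-07 02:00:03,118 INFO Allowed origins are: origin=Debian,codename=trixie,label=Debian, origin=Debian,codename=trixie-security,label=Debian-Security
2026-06-07 02:00:09,442 INFO Packages that will be upgraded: libssl3t64 openssl
2026-06-07 02:00:31,900 INFO All upgrades installed
EOF
echo "last run: $(uu_outcome "$demo_log")"
echo "packages:"; uu_upgraded_packages "$demo_log"
rm -f "$demo_log"
```

Wire ''uu_outcome /var/log/unattended-upgrades/unattended-upgrades.log'' into whatever runs your host checks; ''error'' or ''unknown'' is the case where you go and read ''journalctl -u apt-daily-upgrade.service'' and ''/var/log/msmtp.log'' as described above.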

===== 7. Minimal checklist =====

  - Install:
    - ''apt install unattended-upgrades msmtp msmtp-mta mailutils''
  - Configure ''/etc/msmtprc'' (and optional ''/etc/msmtp-aliases'', ''/etc/mail.rc''); test with:
    - ''echo test | msmtp -d you@example.com''
    - ''echo test | mail -s "test" you@example.com''
  - Set in ''/etc/apt/apt.conf.d/50unattended-upgrades'':
    - ''Unattended-Upgrade::Mail "you@example.com";''
    - ''Unattended-Upgrade::MailReport "always";''
  - Enable timers:
    - ''systemctl enable --now apt-daily.timer apt-daily-upgrade.timer''
  - Test unattended-upgrades:
    - ''unattended-upgrades --dry-run --debug''
    - ''systemctl start apt-daily-upgrade.service''

Source: [[https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11|techlabs]]

===== 8. auto-reboot =====

In this example the upgrade timer runs at 2:00 AM and the reboot, if one is needed, happens at 4:00 AM.

<code bash>
sudo apt install update-notifier-common -y
sudo vim /etc/apt/apt.conf.d/51unattended-upgrades-local
</code>

add:

<code>
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
# to avoid rebooting while people are logged in:
#Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
</code>

<code bash>
sudo systemctl enable --now unattended-upgrades
</code>

Set the time for upgrades (it must come before the reboot time):

<code bash>
sudo systemctl edit apt-daily-upgrade.timer
</code>

<code ini>
### Editing /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
### Anything between here and the comment below will become the contents of the drop-in file

[Timer]
OnCalendar=
OnCalendar=*-*-* 02:00:00
RandomizedDelaySec=0
Persistent=true
</code>

Relaunch/check:

<code bash>
sudo systemctl restart apt-daily-upgrade.timer
sudo systemctl status apt-daily-upgrade.timer
</code>
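The relation between the two times is the point of this section: unattended-upgrades schedules the reboot with ''shutdown -r HH:MM'' at the end of its run, so the reboot lands at the next occurrence of that clock time, and what matters is the gap between the timer (plus its ''RandomizedDelaySec'') and ''Automatic-Reboot-Time''. The script below is an added example, not from this page or from the unattended-upgrades project: it reads the timer drop-in and the apt fragment above and fails when the gap is shorter than a minimum. The 30-minute minimum, the argument order and the sample files are this script's own assumptions; it accepts the ''*-*-* HH:MM:SS'' form from the drop-in as well as plain ''HH:MM''.

```shell
#!/bin/sh
# Added example (not from the wiki page): check that Automatic-Reboot-Time
# leaves enough room after the apt-daily-upgrade timer. MIN_GAP is our choice.

# to_minutes "HH:MM[:SS]" -> minutes since midnight; "*-*-* 02:00:00" works too.
to_minutes() {
    t=${1##* }                       # drop a leading "*-*-* " date part, if any
    h=${t%%:*}; rest=${t#*:}; m=${rest%%:*}
    h=${h#0}; h=${h:-0}; m=${m#0}; m=${m:-0}   # avoid octal/empty arithmetic in sh
    echo $(( h * 60 + m ))
}

# gap_minutes UPGRADE_TIME REBOOT_TIME -> minutes from the upgrade timer to the
# next occurrence of the reboot time (wraps past midnight; same time = next day).
gap_minutes() {
    u=$(to_minutes "$1"); r=$(to_minutes "$2")
    g=$(( (r - u + 1440) % 1440 ))
    [ "$g" -eq 0 ] && g=1440
    echo "$g"
}

# check_reboot_window DROPIN APTCONF [MIN_GAP] -> 0 when the reboot is at least
# MIN_GAP minutes (default 30) after the timer plus its randomized delay.
check_reboot_window() {
    dropin="$1"; conf="$2"; min_gap=${3:-30}
    upgrade=$(sed -n 's/^OnCalendar=\(..*\)/\1/p' "$dropin" | tail -n 1)
    delay=$(sed -n 's/^RandomizedDelaySec=//p' "$dropin" | tail -n 1)
    reboot_at=$(sed -n 's/^Unattended-Upgrade::Automatic-Reboot-Time "\([^"]*\)";.*/\1/p' "$conf" | tail -n 1)
    enabled=$(sed -n 's/^Unattended-Upgrade::Automatic-Reboot "\([^"]*\)";.*/\1/p' "$conf" | tail -n 1)

    if [ "$enabled" != "true" ]; then
        echo "INFO: Automatic-Reboot is not enabled in $conf; nothing to check"; return 0
    fi
    if [ -z "$upgrade" ] || [ -z "$reboot_at" ]; then
        echo "FAIL: need OnCalendar in $dropin and Automatic-Reboot-Time in $conf"; return 1
    fi

    # RandomizedDelaySec may be plain seconds or carry a systemd unit suffix.
    case "$delay" in
        ""|0|0s) delay_min=0 ;;
        *h)      delay_min=$(( ${delay%h} * 60 )) ;;
        *min)    delay_min=${delay%min} ;;
        *m)      delay_min=${delay%m} ;;
        *s)      delay_min=$(( ${delay%s} / 60 )) ;;
        *)       delay_min=$(( delay / 60 )) ;;
    esac

    gap=$(gap_minutes "$upgrade" "$reboot_at")
    if [ "$gap" -lt $(( min_gap + delay_min )) ]; then
        echo "FAIL: reboot at $reboot_at is only $gap min after the timer ($upgrade, delay up to $delay_min min)"
        return 1
    fi
    echo "OK: upgrade at $upgrade, reboot at $reboot_at, gap $gap min"
}

# Demo on constructed copies of the two files from this section.
demo_dir=$(mktemp -d)
printf '[Timer]\nOnCalendar=\nOnCalendar=*-*-* 02:00:00\nRandomizedDelaySec=0\nPersistent=true\n' >"$demo_dir/override.conf"
printf 'Unattended-Upgrade::Automatic-Reboot "true";\nUnattended-Upgrade::Automatic-Reboot-Time "04:00";\n' >"$demo_dir/51unattended-upgrades-local"
check_reboot_window "$demo_dir/override.conf" "$demo_dir/51unattended-upgrades-local"
rm -rf "$demo_dir"
```

On a real host the two paths are ''/etc/systemd/system/apt-daily-upgrade.timer.d/override.conf'' and ''/etc/apt/apt.conf.d/51unattended-upgrades-local''; note that the stock ''apt-daily-upgrade.timer'' carries a large ''RandomizedDelaySec'', which is why the drop-in above sets it to 0.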
====== :!: OLD :!: Below ======

====== Install ======
<code bash>
apt-get install -y unattended-upgrades apt-listchanges mailutils postfix
</code>

====== Config ======
<code bash>
vi /etc/apt/apt.conf.d/50unattended-upgrades
</code>
<code>
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        //"${distro_id}ESMApps:${distro_codename}-apps-security";
        //"${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
        //"${distro_id}:${distro_codename}-proposed";
        //"${distro_id}:${distro_codename}-backports";
        // Docker's apt repository uses origin "Docker" and the release codename
        // as archive; the variable needs its "$" to expand.
        "Docker:${distro_codename}";
};
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "arnaud+XXXXXXXXX@fortier-family.com";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
</code>
Automate:
<code bash>
dpkg-reconfigure -plow unattended-upgrades
</code>
Mails:
<code bash>
dpkg-reconfigure postfix
systemctl reload postfix
</code>
Test:
<code bash>
unattended-upgrade -d
</code>
====== Automatic reboot when needed ======
<code bash>
vi /etc/apt/apt.conf.d/20auto-upgrades
</code>
<code>
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
</code>
Check and upgrade packages daily:
<code bash>
vi /etc/apt/apt.conf.d/50unattended-upgrades
</code>
<code>
...
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
</code>
<code bash>
systemctl restart unattended-upgrades
</code>

====== Mail via msmtp ======
<code bash>
apt install msmtp msmtp-mta mailutils
vi /etc/msmtprc
</code>
<code>
defaults
auth           on
tls            on
tls_starttls   off
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# SMTP server config
account        default
host           mail.fortier-family.com
port           465
from           arnaud+SERV@fortier-family.com
user           arnaud@fortier-family.com
password       *********LOL***********
</code>
Test:
<code bash>
echo "Test mail from $(hostname)" | mail -s "Test subject" arnaud+srv1@fortier-family.com
</code>

====== Kali ======
Following https://bugs.kali.org/view.php?id=8587\\
Change in ''/etc/apt/apt.conf.d/50unattended-upgrades'':
<code>
//        "origin=Debian,codename=${distro_codename},label=Debian-Security";
//        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        "origin=Kali,codename=${distro_codename}";
</code>

====== Ubuntu ======
A bug prevents SIGTERM from being sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006\\
Let's make a service for that:
<code bash>
vi /etc/systemd/system/docker-graceful-stop.service
</code>
<code ini>
[Unit]
Description=Gracefully stop Docker containers before system shutdown or reboot
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
Requires=docker.service
After=network.target docker.service

[Service]
Type=oneshot
ExecStart=/bin/true
# systemd does not run ExecStop through a shell, so a bare $(...) is never
# expanded: wrap the command in sh -c ("$$" is systemd's escape for a literal
# "$") and skip "docker stop" when no container is running.
ExecStop=/bin/sh -c 'ids=$$(/usr/bin/docker ps -q); [ -z "$$ids" ] || /usr/bin/docker stop $$ids'
RemainAfterExit=yes
TimeoutStopSec=300

[Install]
WantedBy=halt.target reboot.target shutdown.target
</code>
<code bash>
systemctl daemon-reload
systemctl enable docker-graceful-stop.service
</code>

As always it's not that simple...
====== apt-daily-upgrade.timer ======
<code bash>
systemctl list-timers apt-daily-upgrade.timer
</code>
<code bash>
systemctl edit apt-daily-upgrade.timer
</code>
<code ini>
[Timer]
OnCalendar=
OnCalendar=*-*-* 02:15
RandomizedDelaySec=0
Persistent=true
</code>
<code bash>
systemctl daemon-reload
systemctl restart apt-daily-upgrade.timer
systemctl list-timers apt-daily-upgrade.timer
</code>
====== apt-daily.timer ======
Of course... the upgrade run finds nothing if ''apt update'' has not run before it, so move this timer earlier as well...
<code bash>
systemctl edit apt-daily.timer
</code>
<code ini>
[Timer]
OnCalendar=
OnCalendar=*-*-* 01:45
RandomizedDelaySec=0
Persistent=true
</code>
<code bash>
systemctl daemon-reload
systemctl restart apt-daily.timer
systemctl list-timers apt-daily.timer
</code>

====== Reference ======
  * https://wiki.debian.org/UnattendedUpgrades