Differences

This shows you the differences between two versions of the page.

--- os:debian:unattendedupgrades [2025/10/03 14:23] – warnaud
+++ os:debian:unattendedupgrades [2026/06/07 11:13] (current) – [7. Minimal checklist] warnaud
@@ Line 1: / Line 1: @@
 ====== Auto updates ======
 Here's how to setup your debian to update automatically
+This page describes how to set up automatic security updates with ''unattended-upgrades'' and email notifications via ''msmtp'' on Debian Linux systems. [std](https://std.rocks/gnulinux_debian_auto_update.html)
+===== 1. Install unattended-upgrades and msmtp =====
+<code bash>
+apt update
+apt install -y unattended-upgrades msmtp msmtp-mta mailutils
+dpkg-reconfigure -plow unattended-upgrades
+</code>
+Notes: [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
+  * ''msmtp-mta'' provides ''/usr/sbin/sendmail'' so system mail (cron, unattended-upgrades, etc.) goes through msmtp.
+  * ''mailutils'' provides the ''mail'' CLI for quick tests.
+Check that ''sendmail'' points to msmtp:
+<code bash>
+readlink -f /usr/sbin/sendmail
+# should be /usr/bin/msmtp or a msmtp-mta symlink
+</code>
+===== 2. Configure msmtp =====
+Create ''/etc/msmtprc'':
+<code bash>
+cat >/etc/msmtprc <<'EOF'
+# Global msmtp config
+defaults
+auth           on
+tls            on
+tls_trust_file /etc/ssl/certs/ca-certificates.crt
+logfile        /var/log/msmtp.log
+account        default
+host           smtp.yourdomain.tld
+port           587
+from           unattended@yourdomain.tld
+user           user@yourdomain.tld
+password       CHANGE_ME
+EOF
+chmod 600 /etc/msmtprc
+touch /var/log/msmtp.log
+chmod 640 /var/log/msmtp.log
+</code>
+Adjust: ''host'', ''port'', ''from'', ''user'', and ''password'' for your SMTP provider. [gist.github](https://gist.github.com/movd/7a9e3db63d076f85d16c7dcde62fe401)
+For providers using SMTPS (465/SSL) instead of STARTTLS on 587, change:
+  * ''port 465''
+  * keep ''tls on''
+  * add ''tls_starttls off''
+==== Optional: aliases for local users ====
+Create ''/etc/msmtp-aliases'':
+<code bash>
+cat >/etc/msmtp-aliases <<'EOF'
+root:    user@yourdomain.tld
+default: user@yourdomain.tld
+EOF
+chmod 600 /etc/msmtp-aliases
+</code>
+Add the aliases line inside ''/etc/msmtprc'' (in the ''account default'' block): [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
+<code>
+aliases /etc/msmtp-aliases
+</code>
+==== (optional) Make the mail(1) command use msmtp ====
+Create ''/etc/mail.rc'':
+<code bash>
+cat >/etc/mail.rc <<'EOF'
+set sendmail="/usr/bin/msmtp -t"
+set from=unattended@fortier.it
+EOF
+</code>
+===== 3. Test msmtp and CLI mail =====
+==== Direct msmtp test ====
+<code bash>
+echo "Hello from $(hostname)" | msmtp -d user@yourdomain.tld
+</code>
+If there is a problem, inspect:
+<code bash>
+tail -n 50 /var/log/msmtp.log
+</code>
+for SMTP / TLS / auth errors. [manpages.debian](https://manpages.debian.org/testing/msmtp/msmtp.1.en.html)
+==== Test via mail(1) (what unattended-upgrades uses) ====
+<code bash>
+echo "Test via mail from $(hostname)" | mail -s "msmtp mail test $(hostname)" arnaud@fortier.it
+</code>
+If this arrives, the system-wide mail path is working.
+===== 4. Configure unattended-upgrades mail and origins =====
+Edit ''/etc/apt/apt.conf.d/50unattended-upgrades'' and make sure the following lines are present and not commented: [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
+<code>
+Unattended-Upgrade::Mail "user@yourdomain.tld";
+Unattended-Upgrade::MailReport "always";
+</code>
+Typical ''Origins-Pattern'' for Debian 13 (adjust for Raspbian or other origins):
+<code>
+Unattended-Upgrade::Origins-Pattern {
+        "origin=Debian,codename=${distro_codename},label=Debian";
+        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
+        "origin=Debian,codename=${distro_codename}-updates,label=Debian";
+};
+</code>
+===== 5. Enable and check apt systemd timers =====
+Enable the standard apt timers: [exampleconfig](https://exampleconfig.com/default/apt/etc-systemd-apt-daily-upgrade-timer)
+<code bash>
+systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
+</code>
+List timers:
+<code bash>
+systemctl list-timers 'apt-daily*'
+</code>
+You should see:
+  * ''apt-daily.timer''
+  * ''apt-daily-upgrade.timer''
+with ''NEXT'' showing future times.
+===== 6. Live tests for unattended-upgrades =====
+==== A. Manual debug run (immediate mail) ====
+<code bash>
+unattended-upgrades --dry-run --debug
+</code>
+At the end you should see lines similar to: [prezu](https://prezu.ca/post/unattended-upgrades-debian/)
+  * ''Sending mail to ...''
+  * ''mail returned: 0''
+A notification email should arrive even if there are:
+  * ''No packages found that can be upgraded unattended and no pending auto-removals''
+==== B. Simulate a real timer run ====
+Trigger the same service that the timer calls:
+<code bash>
+systemctl start apt-daily-upgrade.service
+journalctl -u apt-daily-upgrade.service -n 50
+</code>
+Then check the unattended-upgrades log:
+<code bash>
+tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
+</code>
+You should see either:
+  * ''Packages that will be upgraded: ... All upgrades installed''
+  * or
+  * ''No packages found that can be upgraded unattended and no pending auto-removals''
+In both cases a mail report should have been sent. [std](https://std.rocks/gnulinux_debian_auto_update.html)
+If something fails:
+  * Mail errors:
+    <code bash>
+    tail -n 50 /var/log/msmtp.log
+    </code>
+  * Apt / unattended-upgrades errors:
+    <code bash>
+    journalctl -u apt-daily-upgrade.service -n 50
+    </code>
+===== 7. Minimal checklist =====
+  - Install:
+    - ''apt install unattended-upgrades msmtp msmtp-mta mailutils''
+  - Configure ''/etc/msmtprc'' (and optional ''/etc/msmtp-aliases'', ''/etc/mail.rc''); test with:
+    - ''echo test | msmtp -d you@example.com''
+    - ''echo test | mail -s "test" you@example.com''
+  - Set in ''/etc/apt/apt.conf.d/50unattended-upgrades'':
+    - ''Unattended-Upgrade::Mail "you@example.com";''
+    - ''Unattended-Upgrade::MailReport "always";''
+  - Enable timers:
+    - ''systemctl enable --now apt-daily.timer apt-daily-upgrade.timer''
+  - Test unattended-upgrades:
+    - ''unattended-upgrades --dry-run --debug''
+    - ''systemctl start apt-daily-upgrade.service''
+ [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
+===== 8. auto-reboot =====
+In this example, timer for upgrade is at 2:00 AM then reboot if needed is at 4:00AM
+<code bash>
+sudo apt install update-notifier-common -y
+sudo vim /etc/apt/apt.conf.d/51unattended-upgrades-local</code>
+add:
+<code perl>
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "04:00";
+# to avoid reboot while people logged in:
+#Unattended-Upgrade::Automatic-Reboot-WithUsers "false";</code>
+<code bash>
+sudo systemctl enable --now unattended-upgrades</code>
+Set time for upgrades ( before?):
+<code bash>
+sudo systemctl edit apt-daily-upgrade.timer</code>
+<code perl>
+### Editing /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
+### Anything between here and the comment below will become the contents of the drop-in file
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* 02:00:00
+RandomizedDelaySec=0
+Persistent=true
+</code>
+Relaunch/check:
+<code bash> sudo systemctl restart apt-daily-upgrade.timer
+sudo systemctl status apt-daily-upgrade.timer</code>
+====== :!: OLD :!: Below ======
 ====== Install ======
@@ Line 54: / Line 316: @@
 Test:
 <code bash>unattended-upgrade -d</code>
+====== Reboot automatic when needed ======
+<code bash>vi /etc/apt/apt.conf.d/20auto-upgrades</code>
+<code perl>
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
+</code>
+Daily check packages & upgrade
+<code bash>vi /etc/apt/apt.conf.d/50unattended-upgrades</code>
+<code perl>
+...
+Unattended-Upgrade::Automatic-Reboot "true";
+Unattended-Upgrade::Automatic-Reboot-Time "02:00";
+...
+</code>
+<code bash>systemctl restart unattended-upgrades</code>
 ====== Mail via msmtp ======
 <code bash> apt install msmtp msmtp-mta mailutils
@@ Line 87: / Line 365: @@
         "origin=Kali,codename=${distro_codename}";
 </code>
+====== Ubuntu ======
+A bug prevent SIGTERM to be sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006
+Let's make a service for that:
+<code bash> vi /etc/systemd/system/docker-graceful-stop.service</code>
+<code perl>[Unit]
+Description=Gracefully stop Docker containers before system shutdown or reboot
+DefaultDependencies=no
+Before=shutdown.target reboot.target halt.target
+Requires=docker.service
+After=network.target docker.service
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecStop=/usr/bin/docker stop $(/usr/bin/docker ps -q)
+RemainAfterExit=yes
+TimeoutStopSec=300
+[Install]
+WantedBy=halt.target reboot.target shutdown.target
+</code>
+<code bash>systemctl daemon-reload
+systemctl enable docker-graceful-stop.service</code>
+As always it's not that simple...
+====== apt-daily-upgrade.timer ======
+<code bash>systemctl list-timers apt-daily-upgrade.timer</code>
+<code bash>systemctl edit apt-daily-upgrade.timer</code>
+<code perl>
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* 02:15
+RandomizedDelaySec=0
+Persistent=true
+</code>
+<code bash>systemctl daemon-reload
+systemctl restart apt-daily-upgrade.timer
+systemctl list-timers apt-daily-upgrade.timer</code>
+====== apt-daily.timer ======
+Of course... if you haven't apt-update before...
+<code bash>systemctl edit apt-daily.timer</code>
+<code perl>
+[Timer]
+OnCalendar=
+OnCalendar=*-*-* 01:45
+RandomizedDelaySec=0
+Persistent=true
+</code>
+<code bash>systemctl daemon-reload
+systemctl restart apt-daily.timer
+systemctl list-timers apt-daily.timer
+</code>
 ====== Reference ======
   * https://wiki.debian.org/UnattendedUpgrades