os:debian:unattendedupgrades

Differences

This shows you the differences between two versions of the page.

os:debian:unattendedupgrades [2025/10/26 09:13] warnaud
os:debian:unattendedupgrades [2026/06/07 11:13] (current) – [7. Minimal checklist] warnaud
Line 1: Line 1:
 ====== Auto updates ====== ====== Auto updates ======
 Here's how to setup your debian to update automatically Here's how to setup your debian to update automatically
 +
 +This page describes how to set up automatic security updates with ''unattended-upgrades'' and email notifications via ''msmtp'' on Debian Linux systems. [std](https://std.rocks/gnulinux_debian_auto_update.html)
 +
 +===== 1. Install unattended-upgrades and msmtp =====
 +
 +<code bash>
 +apt update
 +apt install -y unattended-upgrades msmtp msmtp-mta mailutils
 +dpkg-reconfigure -plow unattended-upgrades
 +</code>
 +
 +Notes: [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
 +
 +  * ''msmtp-mta'' provides ''/usr/sbin/sendmail'' so system mail (cron, unattended-upgrades, etc.) goes through msmtp.
 +  * ''mailutils'' provides the ''mail'' CLI for quick tests.
 +
 +Check that ''sendmail'' points to msmtp:
 +
 +<code bash>
 +readlink -f /usr/sbin/sendmail
 +# should be /usr/bin/msmtp or a msmtp-mta symlink
 +</code>
 +
 +===== 2. Configure msmtp =====
 +
 +Create ''/etc/msmtprc'':
 +
 +<code bash>
 +cat >/etc/msmtprc <<'EOF'
 +# Global msmtp config
 +
 +defaults
 +auth           on
 +tls            on
 +tls_trust_file /etc/ssl/certs/ca-certificates.crt
 +logfile        /var/log/msmtp.log
 +
 +account        default
 +host           smtp.yourdomain.tld
 +port           587
 +from           unattended@yourdomain.tld
 +user           user@yourdomain.tld
 +password       CHANGE_ME
 +EOF
 +
 +chmod 600 /etc/msmtprc
 +touch /var/log/msmtp.log
 +chmod 640 /var/log/msmtp.log
 +</code>
 +
 +Adjust: ''host'', ''port'', ''from'', ''user'', and ''password'' for your SMTP provider. [gist.github](https://gist.github.com/movd/7a9e3db63d076f85d16c7dcde62fe401)
 +
 +For providers using SMTPS (465/SSL) instead of STARTTLS on 587, change:
 +
 +  * ''port 465''
 +  * keep ''tls on''
 +  * add ''tls_starttls off''
 +
 +==== Optional: aliases for local users ====
 +
 +Create ''/etc/msmtp-aliases'':
 +
 +<code bash>
 +cat >/etc/msmtp-aliases <<'EOF'
 +root:    user@yourdomain.tld
 +default: user@yourdomain.tld
 +EOF
 +
 +chmod 600 /etc/msmtp-aliases
 +</code>
 +
 +Add the aliases line inside ''/etc/msmtprc'' (in the ''account default'' block): [freundschafter](https://freundschafter.com/how-to-set-up-msmtp-on-debian-to-use-a-mailhoster-with-smtp/)
 +
 +<code>
 +aliases /etc/msmtp-aliases
 +</code>
 +
 +==== (optional) Make the mail(1) command use msmtp ====
 +
 +Create ''/etc/mail.rc'':
 +
 +<code bash>
 +cat >/etc/mail.rc <<'EOF'
 +set sendmail="/usr/bin/msmtp -t"
 +set from=unattended@fortier.it
 +EOF
 +</code>
 +
 +===== 3. Test msmtp and CLI mail =====
 +
 +==== Direct msmtp test ====
 +
 +<code bash>
 +echo "Hello from $(hostname)" | msmtp -d user@yourdomain.tld
 +</code>
 +
 +If there is a problem, inspect:
 +
 +<code bash>
 +tail -n 50 /var/log/msmtp.log
 +</code>
 +
 +for SMTP / TLS / auth errors. [manpages.debian](https://manpages.debian.org/testing/msmtp/msmtp.1.en.html)
 +
 +==== Test via mail(1) (what unattended-upgrades uses) ====
 +
 +<code bash>
 +echo "Test via mail from $(hostname)" | mail -s "msmtp mail test $(hostname)" arnaud@fortier.it
 +</code>
 +
 +If this arrives, the system-wide mail path is working.
 +
 +===== 4. Configure unattended-upgrades mail and origins =====
 +
 +Edit ''/etc/apt/apt.conf.d/50unattended-upgrades'' and make sure the following lines are present and not commented: [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
 +
 +<code>
 +Unattended-Upgrade::Mail "user@yourdomain.tld";
 +Unattended-Upgrade::MailReport "always";
 +</code>
 +
 +Typical ''Origins-Pattern'' for Debian 13 (adjust for Raspbian or other origins):
 +
 +<code>
 +Unattended-Upgrade::Origins-Pattern {
 +        "origin=Debian,codename=${distro_codename},label=Debian";
 +        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
 +        "origin=Debian,codename=${distro_codename}-updates,label=Debian";
 +};
 +</code>
 +
 +===== 5. Enable and check apt systemd timers =====
 +
 +Enable the standard apt timers: [exampleconfig](https://exampleconfig.com/default/apt/etc-systemd-apt-daily-upgrade-timer)
 +
 +<code bash>
 +systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
 +</code>
 +
 +List timers:
 +
 +<code bash>
 +systemctl list-timers 'apt-daily*'
 +</code>
 +
 +You should see:
 +
 +  * ''apt-daily.timer''
 +  * ''apt-daily-upgrade.timer''
 +
 +with ''NEXT'' showing future times.
 +
 +===== 6. Live tests for unattended-upgrades =====
 +
 +==== A. Manual debug run (immediate mail) ====
 +
 +<code bash>
 +unattended-upgrades --dry-run --debug
 +</code>
 +
 +At the end you should see lines similar to: [prezu](https://prezu.ca/post/unattended-upgrades-debian/)
 +
 +  * ''Sending mail to ...''
 +  * ''mail returned: 0''
 +
 +A notification email should arrive even if there are:
 +
 +  * ''No packages found that can be upgraded unattended and no pending auto-removals''
 +
 +==== B. Simulate a real timer run ====
 +
 +Trigger the same service that the timer calls:
 +
 +<code bash>
 +systemctl start apt-daily-upgrade.service
 +journalctl -u apt-daily-upgrade.service -n 50
 +</code>
 +
 +Then check the unattended-upgrades log:
 +
 +<code bash>
 +tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log
 +</code>
 +
 +You should see either:
 +
 +  * ''Packages that will be upgraded: ... All upgrades installed''
 +  * or
 +  * ''No packages found that can be upgraded unattended and no pending auto-removals''
 +
 +In both cases a mail report should have been sent. [std](https://std.rocks/gnulinux_debian_auto_update.html)
 +
 +If something fails:
 +
 +  * Mail errors:  
 +    <code bash>
 +    tail -n 50 /var/log/msmtp.log
 +    </code>
 +  * Apt / unattended-upgrades errors:  
 +    <code bash>
 +    journalctl -u apt-daily-upgrade.service -n 50
 +    </code>
 +
 +===== 7. Minimal checklist =====
 +
 +  - Install:
 +    - ''apt install unattended-upgrades msmtp msmtp-mta mailutils''
 +  - Configure ''/etc/msmtprc'' (and optional ''/etc/msmtp-aliases'', ''/etc/mail.rc''); test with:
 +    - ''echo test | msmtp -d you@example.com''
 +    - ''echo test | mail -s "test" you@example.com''
 +  - Set in ''/etc/apt/apt.conf.d/50unattended-upgrades'':
 +    - ''Unattended-Upgrade::Mail "you@example.com";''
 +    - ''Unattended-Upgrade::MailReport "always";''
 +  - Enable timers:
 +    - ''systemctl enable --now apt-daily.timer apt-daily-upgrade.timer''
 +  - Test unattended-upgrades:
 +    - ''unattended-upgrades --dry-run --debug''
 +    - ''systemctl start apt-daily-upgrade.service''
 +
 + [techlabs](https://techlabs.blog/categories/debian-linux/automatically-install-updates-using-unattended-upgrades-on-debian-11)
 +
 +
 +===== 8. auto-reboot =====
 +In this example, timer for upgrade is at 2:00 AM then reboot if needed is at 4:00AM
 +<code bash>
 +sudo apt install update-notifier-common -y
 +sudo vim /etc/apt/apt.conf.d/51unattended-upgrades-local</code>
 +add:
 +<code perl>
 +Unattended-Upgrade::Automatic-Reboot "true";
 +Unattended-Upgrade::Automatic-Reboot-Time "04:00";
 +# to avoid reboot while people logged in:
 +#Unattended-Upgrade::Automatic-Reboot-WithUsers "false";</code>
 +
 +<code bash>
 +sudo systemctl enable --now unattended-upgrades</code>
 +Set time for upgrades ( before?):
 +<code bash>
 +sudo systemctl edit apt-daily-upgrade.timer</code>
 +<code perl>
 +### Editing /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
 +### Anything between here and the comment below will become the contents of the drop-in file
 +
 +[Timer]
 +OnCalendar=
 +OnCalendar=*-*-* 02:00:00
 +RandomizedDelaySec=0
 +Persistent=true
 +</code>
 +Relaunch/check:
 +<code bash> sudo systemctl restart apt-daily-upgrade.timer
 +sudo systemctl status apt-daily-upgrade.timer</code>
 +
 +
 +
 +
 +
 +
 +
 +
 +
 +====== :!: OLD :!: Below ======
  
 ====== Install ====== ====== Install ======
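Review bot: The ''/etc/mail.rc'' block in section 2 and the mail(1) test in section 3 hard-code what look like real addresses (''set from=unattended@fortier.it'', ''arnaud@fortier.it'') while every other example uses ''user@yourdomain.tld''; switch both to the placeholder so the sender in ''mail.rc'' also matches the ''from'' line in ''/etc/msmtprc''. Separately, the intro promises "automatic security updates", but the section 4 ''Origins-Pattern'' also matches the main ''${distro_codename}'' archive and ''${distro_codename}-updates''; either state that all stable updates are installed unattended or keep only the ''-security'' line. Section 8 still carries the open question "Set time for upgrades ( before?)", which should be resolved before this text replaces the old instructions.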
Line 104: Line 366:
 </code> </code>
  
-===== Ubuntu ===== +====== Ubuntu ====== 
-A bug prevent SIGTERM to be sent properly to containers, let's make a service for that:+A bug prevent SIGTERM to be sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006 
 +Let's make a service for that:
 <code bash> vi /etc/systemd/system/docker-graceful-stop.service</code> <code bash> vi /etc/systemd/system/docker-graceful-stop.service</code>
 <code perl>[Unit] <code perl>[Unit]
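Review bot: Promoting the heading to ''====== Ubuntu ======'' makes it a top-level sibling of the '':!: OLD :!: Below'' marker instead of a subsection, so it is no longer clear whether this SIGTERM workaround is current or obsolete; keep the original level, or move the section above the marker if it is still needed. The added sentence should read "A bug prevents SIGTERM from being sent properly to containers", and the Launchpad reference would be easier to follow as a labelled link than as a bare URL run into the sentence.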
Line 126: Line 389:
 <code bash>systemctl daemon-reload <code bash>systemctl daemon-reload
 systemctl enable docker-graceful-stop.service</code> systemctl enable docker-graceful-stop.service</code>
 +
 +As always it's not that simple...
 +====== apt-daily-upgrade.timer ======
 +<code bash>systemctl list-timers apt-daily-upgrade.timer</code>
 +<code bash>systemctl edit apt-daily-upgrade.timer</code>
 +<code perl>
 +[Timer]
 +OnCalendar=
 +OnCalendar=*-*-* 02:15
 +RandomizedDelaySec=0
 +Persistent=true
 +</code>
 +<code bash>systemctl daemon-reload
 +systemctl restart apt-daily-upgrade.timer
 +systemctl list-timers apt-daily-upgrade.timer</code>
 +====== apt-daily.timer ======
 +Of course... if you haven't apt-update before...
 +<code bash>systemctl edit apt-daily.timer</code>
 +<code perl>
 +[Timer]
 +OnCalendar=
 +OnCalendar=*-*-* 01:45
 +RandomizedDelaySec=0
 +Persistent=true
 +</code>
 +<code bash>systemctl daemon-reload
 +systemctl restart apt-daily.timer
 +systemctl list-timers apt-daily.timer
 +</code>
  
  
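Review bot: The two timer overrides added here (''OnCalendar=*-*-* 02:15'' for ''apt-daily-upgrade.timer'' and ''01:45'' for ''apt-daily.timer'') sit below the ''OLD'' marker and disagree with section 8 in the first hunk, which sets ''apt-daily-upgrade.timer'' to ''02:00:00'' and never pins ''apt-daily.timer''; a reader following both gets two conflicting schedules for the same unit. Fold the ''apt-daily.timer'' override into section 8 with one set of times that keeps the order refresh, upgrade, reboot (04:00), and drop the duplicate here. "As always it's not that simple..." and "Of course... if you haven't apt-update before..." should state the actual problem being solved, which from the times chosen appears to be that the package-list refresh has to be scheduled before the upgrade run.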
os/debian/unattendedupgrades.1761466434.txt.gz · Last modified: by warnaud