Auto updates
Here's how to set up your Debian system to update automatically.
Install
apt-get install -y unattended-upgrades apt-listchanges mailutils postfix
Config
vi /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    // Extended Security Maintenance; doesn't necessarily exist for
    // every release and this system may not have it installed, but if
    // available, the policy for updates is such that unattended-upgrades
    // should also install from here by default.
    //"${distro_id}ESMApps:${distro_codename}-apps-security";
    //"${distro_id}ESM:${distro_codename}-infra-security";
    "${distro_id}:${distro_codename}-updates";
    //"${distro_id}:${distro_codename}-proposed";
    //"${distro_id}:${distro_codename}-backports";
    // Docker repository; the "$" is required, otherwise the codename is never substituted
    "Docker:${distro_codename}";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "arnaud+XXXXXXXXX@fortier-family.com";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Automate:
dpkg-reconfigure -plow unattended-upgrades
Mails:
dpkg-reconfigure postfix
systemctl reload postfix
Test:
unattended-upgrade -d
Automatic reboot when needed
vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Daily package check & upgrade
vi /etc/apt/apt.conf.d/50unattended-upgrades
...
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
...
systemctl restart unattended-upgrades
Mail via msmtp
apt install msmtp msmtp-mta mailutils
vi /etc/msmtprc
defaults
auth on
tls on
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt

# SMTP server config
account default
host mail.fortier-family.com
port 465
from arnaud+SERV@fortier-family.com
user arnaud@fortier-family.com
password *********LOL***********
Test:
echo "Test mail from $(hostname)" | mail -s "Test subject" arnaud+srv1@fortier-family.com
Kali
Following https://bugs.kali.org/view.php?id=8587
Change in /etc/apt/apt.conf.d/50unattended-upgrades
// "origin=Debian,codename=${distro_codename},label=Debian-Security";
// "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
"origin=Kali,codename=${distro_codename}";
Ubuntu
A bug prevents SIGTERM from being sent properly to containers: https://bugs.launchpad.net/ubuntu/+source/docker.io-app/+bug/2079006
Let's make a service for that:
vi /etc/systemd/system/docker-graceful-stop.service
[Unit]
Description=Gracefully stop Docker containers before system shutdown or reboot
DefaultDependencies=no
Before=shutdown.target reboot.target halt.target
Requires=docker.service
After=network.target docker.service

[Service]
Type=oneshot
ExecStart=/bin/true
# systemd does not perform $(...) command substitution itself, so run the
# command through a shell; "$$" passes a literal "$" to that shell.
ExecStop=/bin/sh -c '/usr/bin/docker stop $$(/usr/bin/docker ps -q)'
RemainAfterExit=yes
TimeoutStopSec=300

[Install]
WantedBy=halt.target reboot.target shutdown.target
systemctl daemon-reload
systemctl enable docker-graceful-stop.service
As always it's not that simple…
apt-daily-upgrade.timer
systemctl list-timers apt-daily-upgrade.timer
systemctl edit apt-daily-upgrade.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 02:15
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily-upgrade.timer
systemctl list-timers apt-daily-upgrade.timer
apt-daily.timer
Of course… the upgrade is of little use if apt update hasn't run before it, so schedule apt-daily.timer earlier:
systemctl edit apt-daily.timer
[Timer]
OnCalendar=
OnCalendar=*-*-* 01:45
RandomizedDelaySec=0
Persistent=true
systemctl daemon-reload
systemctl restart apt-daily.timer
systemctl list-timers apt-daily.timer
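To confirm that the package lists are refreshed before the upgrade runs, here is an added example (not part of the original page) that reads the two [Timer] drop-ins written by systemctl edit. The function names are made up for this example, and it assumes one daily HH:MM schedule per timer, as configured above.

```shell
#!/bin/sh
# Added example: verify apt-daily.timer fires before apt-daily-upgrade.timer.
# Usage on a real host (paths are where `systemctl edit` stores drop-ins):
#   check_apt_timer_order \
#     /etc/systemd/system/apt-daily.timer.d/override.conf \
#     /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf

# Print the effective OnCalendar time (HH:MM) from a timer drop-in.
# An empty "OnCalendar=" resets earlier values, so only an assignment
# after the last reset counts. Exits 1 if none is left.
oncalendar_time() {
    awk -F= '
        $1 == "OnCalendar" {
            if ($2 == "") { t = ""; next }     # reset line
            n = split($2, parts, " ")
            t = parts[n]                       # last field: HH:MM[:SS]
        }
        END { if (t == "") exit 1; print substr(t, 1, 5) }
    ' "$1"
}

# Convert HH:MM to minutes since midnight (awk reads "02" as decimal 2).
to_minutes() {
    echo "$1" | awk -F: '{ print $1 * 60 + $2 }'
}

# Return 0 if the refresh timer ($1) fires strictly before the upgrade
# timer ($2) and neither adds a random delay that could blur the order.
# Return 1 on bad order, 2 on missing schedule, 3 on a random delay.
check_apt_timer_order() {
    refresh=$(oncalendar_time "$1") || { echo "no OnCalendar in $1"; return 2; }
    upgrade=$(oncalendar_time "$2") || { echo "no OnCalendar in $2"; return 2; }
    for f in "$1" "$2"; do
        grep -q '^RandomizedDelaySec=0$' "$f" ||
            { echo "$f: RandomizedDelaySec is not 0"; return 3; }
    done
    if [ "$(to_minutes "$refresh")" -lt "$(to_minutes "$upgrade")" ]; then
        echo "ok: apt update at $refresh, upgrade at $upgrade"
    else
        echo "bad order: apt update at $refresh, upgrade at $upgrade"
        return 1
    fi
}
```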
Reference
os/debian/unattendedupgrades.1761541733.txt.gz · Last modified: by warnaud
