Debian: Configuring Automatic Updates

When you have to manage a bunch of Debian servers (as I do 💪), keeping them all up to date can be a challenge: it means logging into each server individually, running a few commands, and occasionally rebooting, depending on the updates applied. To automate this, we can use the unattended-upgrades tool. In this article, I’ll show you how to use it to keep a Debian system up to date, and how to configure it to send an email notification at the end of an update run.

Prerequisites

  • First, make sure the unattended-upgrades package is installed:
root@host:~# apt update && apt install unattended-upgrades

Configuration

Depending on how sensitive our servers are, we can configure them to reboot automatically, install only security updates, and so on. Personally, I choose to install all updates and reboot the system when necessary.

  • Edit the /etc/apt/apt.conf.d/50unattended-upgrades file:
Unattended-Upgrade::Origins-Pattern {
        // The Recommended Updates are software changes, but not updates that will affect the security of your system. They tend to fix bugs and annoying problems.
        "origin=Debian,codename=${distro_codename}-updates";
        // The proposed updates are updates which are waiting to be moved into the recommended updates queue after some testing. They may never reach recommended or they may be replaced with a more recent update.
        //"origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
[…]
// Allow the system to restart automatically if necessary
Unattended-Upgrade::Automatic-Reboot "true";
[…]
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
  • Create or edit the /etc/apt/apt.conf.d/20auto-upgrades file to enable unattended-upgrades:
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
  • Run a debug check to make sure everything is working properly:
root@host:~# unattended-upgrade -d --dry-run
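Beyond the dry run, the simplest way to confirm across a fleet that the timer really fired and that the last run finished is to read the tool's own log. The shell function below is an added example, not code from this article or from unattended-upgrades: it reports the start time, the upgraded packages and the outcome of the most recent run in /var/log/unattended-upgrades/unattended-upgrades.log, exiting 1 when that run logged an ERROR or never reached its completion line. The function names (last_run_status, write_sample_log) are mine, and the sample log lines are constructed to mirror the tool's timestamp/level/message format, not copied from a real host.

```shell
#!/bin/sh
# Added example, not part of unattended-upgrades: summarise the most recent run
# recorded in the unattended-upgrades log.
# Usage: last_run_status LOGFILE
# Exit status: 0 = last run completed, 1 = last run failed or no run found.
# Assumes the default log layout: "YYYY-MM-DD HH:MM:SS,mmm LEVEL message".

last_run_status() {
    log="$1"
    awk '
        # Every run opens with this line: reset the per-run state so that only
        # the most recent run is reported at the end.
        /INFO Starting unattended upgrades script/ {
            start = $1 " " $2; pkgs = ""; finished = 0; err = 0
        }
        /INFO Packages that will be upgraded:/ {
            sub(/.*Packages that will be upgraded: */, ""); pkgs = $0
        }
        /INFO All upgrades installed/ { finished = 1 }
        /INFO No packages found that can be upgraded unattended/ { finished = 1 }
        / ERROR / { err = 1 }
        END {
            if (start == "") { print "no run found"; exit 1 }
            printf "last run: %s\n", start
            printf "upgraded: %s\n", (pkgs == "" ? "(none)" : pkgs)
            if (err || !finished) { print "status: FAILED"; exit 1 }
            print "status: OK"
        }
    ' "$log"
}

# Constructed sample (not a real log): one failed run followed by one clean run.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-01-14 06:30:02,101 INFO Starting unattended upgrades script
2024-01-14 06:30:02,102 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-01-14 06:30:05,900 INFO Packages that will be upgraded: nginx
2024-01-14 06:30:09,300 ERROR Package nginx has conffile prompt and needs to be upgraded manually
2024-01-15 06:31:02,483 INFO Starting unattended upgrades script
2024-01-15 06:31:02,484 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-01-15 06:31:05,132 INFO Packages that will be upgraded: libssl3 openssl
2024-01-15 06:31:05,140 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-01-15 06:31:20,800 INFO All upgrades installed
EOF
}

# Stand-alone use: ./check-uu.sh LOGFILE, or ./check-uu.sh --demo for the sample.
case "${1:-}" in
    "") ;;
    --demo) tmp=$(mktemp); write_sample_log "$tmp"; last_run_status "$tmp"; rm -f "$tmp" ;;
    *) last_run_status "$1" ;;
esac
```

Run it from a monitoring job after the upgrade timer's window; a non-zero exit is the signal to look at the host, and the "upgraded:" line gives the package list without having to open the mail report.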

Modifying Download and Upgrade Schedules

By default, the download timer (apt-daily.timer) fires twice daily, at 6 AM and 6 PM, and the upgrade timer (apt-daily-upgrade.timer) at 6 AM; each adds a random delay (RandomizedDelaySec) so that many machines do not hit the mirrors at the same instant. We can change these settings by editing two systemd timer files.

Modifying the Download Scheduler

  • Edit the /etc/systemd/system/timers.target.wants/apt-daily.timer file and replace the existing time value with the one you prefer (this path is a symlink to the unit shipped by the apt package in /lib/systemd/system, so a later apt upgrade can overwrite the edit; systemctl edit apt-daily.timer writes an override drop-in that survives):
[Unit]
Description=Daily apt download activities

[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target

Modifying the Upgrade Scheduler

  • Edit the /etc/systemd/system/timers.target.wants/apt-daily-upgrade.timer file and replace the existing time value with the one you prefer (the same remark applies: this is a symlink to the packaged unit, and systemctl edit apt-daily-upgrade.timer keeps the change across upgrades):
[Unit]
Description=Daily apt upgrade and clean activities
After=apt-daily.timer

[Timer]
OnCalendar=*-*-* 6:00
RandomizedDelaySec=60m
Persistent=true

[Install]
WantedBy=timers.target

Apply the Changes

  • Run the following commands to apply the changes:
root@host:~# systemctl daemon-reload && systemctl restart apt-daily-upgrade.timer && systemctl restart apt-daily.timer

Set Up Mail Alerts

It can be useful to receive email reports to ensure that updates are applied correctly and to know when a server has rebooted after installing the latest patches. To do this, we need an SMTP client on each server; in this article, I’ll show how to set up msmtp.

  • Install the msmtp package and set restrictive permissions on the /etc/msmtprc file:
root@host:~# apt update && apt install msmtp
root@host:~# chmod 600 /etc/msmtprc
  • Edit the /etc/msmtprc file and adapt it to your mail server. For example, here’s my configuration:
    • Mail server: mail.std.rocks
    • Protocol: smtps / TCP 465
    • Login: srv1@std.rocks
    • Password: MyWeakPassword
account STD
# Mail server
host mail.std.rocks
port 465
from srv1@std.rocks
# Login / password
user srv1@std.rocks
password MyWeakPassword

auth on
tls on
# Port 465 is implicit TLS (smtps): the session is encrypted from the first
# byte, so STARTTLS must be off here (STARTTLS belongs with port 587)
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
# Disables verification of the server certificate against tls_trust_file;
# set it to on as soon as the mail server presents a valid certificate
tls_certcheck off
logfile /var/log/msmtp

account default : STD
  • Make msmtp the default program for sendmail:
root@host:~# ln -fs /usr/bin/msmtp /usr/sbin/sendmail
  • Edit the /etc/apt/apt.conf.d/50unattended-upgrades file to configure email notifications:
// Send email to this address for problems or package upgrades
Unattended-Upgrade::Mail "srv1-unattended@std.rocks";
[…]
// Replace on-change with always and run unattended-upgrade -d to test whether mail reports work
Unattended-Upgrade::MailReport "on-change";
// Optional: set the From field of the report
Unattended-Upgrade::Sender "srv1@std.rocks";
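Because /etc/msmtprc carries the account password in clear, its file mode and its TLS settings deserve a check before the file is pushed to every server. The shell function below is an added example, not code from this article or from msmtp: it audits an msmtprc for the weak spots a reviewer would look for (a readable mode, tls_certcheck off, tls off, port 465 without tls_starttls off, and a literal password line where passwordeval would keep the secret out of the file). The function name lint_msmtprc and the host mail.example.invalid used in the demo are mine; the checks assume a single-account file like the one above and a GNU/busybox stat.

```shell
#!/bin/sh
# Added example, not part of msmtp: audit an msmtprc for settings that expose
# the stored SMTP password or weaken TLS.
# Usage: lint_msmtprc FILE
# Exit status 0 = no finding, 1 = at least one FAIL line was printed.

lint_msmtprc() {
    cfg="$1"
    findings=0

    # 1. The file contains a cleartext password: only root may read it (600/400).
    mode=$(stat -c '%a' "$cfg")
    case "$mode" in
        600|400) ;;
        *)
            echo "FAIL: $cfg has mode $mode, expected 600 (it contains a password)"
            findings=$((findings + 1))
            ;;
    esac

    # 2. tls_certcheck off accepts any certificate, so the login could be handed
    #    to whoever answers on the SMTP port.
    if grep -Eq '^[[:space:]]*tls_certcheck[[:space:]]+off' "$cfg"; then
        echo "FAIL: tls_certcheck off disables server certificate verification"
        findings=$((findings + 1))
    fi

    # 3. tls off sends the login and the mail in cleartext.
    if grep -Eq '^[[:space:]]*tls[[:space:]]+off' "$cfg"; then
        echo "FAIL: tls off sends the login in cleartext"
        findings=$((findings + 1))
    fi

    # 4. Port 465 is implicit TLS (smtps). msmtp defaults to STARTTLS
    #    (tls_starttls on), which never completes against an smtps port, so the
    #    option must be explicitly off whenever port 465 is used.
    if grep -Eq '^[[:space:]]*port[[:space:]]+465([[:space:]]|$)' "$cfg" &&
       ! grep -Eq '^[[:space:]]*tls_starttls[[:space:]]+off' "$cfg"; then
        echo "FAIL: port 465 requires tls_starttls off (implicit TLS)"
        findings=$((findings + 1))
    fi

    # 5. Advisory only: passwordeval (for example reading a root-only file) keeps
    #    the secret out of the configuration file itself.
    if grep -Eq '^[[:space:]]*password[[:space:]]+' "$cfg"; then
        echo "WARN: literal password line; consider passwordeval instead"
    fi

    [ "$findings" -eq 0 ]
}

# Stand-alone use: ./lint-msmtprc.sh /etc/msmtprc
if [ $# -gt 0 ]; then
    lint_msmtprc "$1"
fi
```

Wire it into whatever deploys the file (a configuration-management handler or a pre-commit hook on the repository holding the template); a non-zero exit blocks the rollout, and the FAIL lines name the exact option to fix.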