When you have to manage a bunch of Debian servers, as I do, keeping them all up to date can be challenging. It involves logging in to each server individually, running a few commands and occasionally rebooting the system depending on the updates applied. To automate this process, we can use the unattended-upgrades tool. In this article, I will describe how to use it to keep a Debian system up to date and how to configure it to send an email notification at the end of an update.
root@host:~# apt update && apt install unattended-upgrades
Depending on the sensitivity of our servers, we can configure them to reboot automatically, to install only security updates, and so on. Personally, I choose to install all updates and reboot the system when necessary.
Unattended-Upgrade::Origins-Pattern {
// The Recommended Updates are software changes, but not updates that will affect the security of your system. They tend to fix bugs and annoying problems.
"origin=Debian,codename=${distro_codename}-updates";
// The proposed updates are updates which are waiting to be moved into the recommended updates queue after some testing. They may never reach recommended or they may be replaced with a more recent update.
//"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
[…]
// Allow the system to restart automatically if necessary
Unattended-Upgrade::Automatic-Reboot "true";
[…]
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
root@host:~# unattended-upgrade -d --dry-run
By default, apt-daily.timer downloads package lists and updates twice daily at 6 AM and 6 PM (with a randomized delay of up to 12 hours), and apt-daily-upgrade.timer runs the upgrade at 6 AM. We can modify these settings by editing the two systemd timer files.
[Unit]
Description=Daily apt download activities
[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true
[Install]
WantedBy=timers.target
[Unit]
Description=Daily apt upgrade and clean activities
After=apt-daily.timer
[Timer]
OnCalendar=*-*-* 6:00
RandomizedDelaySec=60m
Persistent=true
[Install]
WantedBy=timers.target
root@host:~# systemctl daemon-reload && systemctl restart apt-daily-upgrade.timer && systemctl restart apt-daily.timer
It can be useful to receive email reports to ensure that updates are correctly applied and to know when a server has been restarted to apply the latest updates. To achieve this, we must configure at least an SMTP client. In this article, I will show how to configure msmtp.
root@host:~# apt update && apt install msmtp
root@host:~# chmod 600 /etc/msmtprc
account STD
# Mail server
host mail.std.rocks
port 465
from srv1@std.rocks
# Login / password
user srv1@std.rocks
password MyWeakPassword
auth on
tls on
# Port 465 is implicit TLS (SMTPS): the session is encrypted from the first
# byte, so msmtp must not attempt STARTTLS. Use "tls_starttls on" only with
# the submission port 587.
tls_starttls off
tls_trust_file /etc/ssl/certs/ca-certificates.crt
# Verify the server certificate against the trust file above. With "off",
# anyone on the path to mail.std.rocks can impersonate the mail server and
# capture the password.
tls_certcheck on
logfile /var/log/msmtp
account default : STD
root@host:~# ln -fs /usr/bin/msmtp /usr/sbin/sendmail
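As an added example (not part of the original article), this small linter parses an msmtprc and flags the two settings most worth double-checking in a configuration like the one above: tls_starttls left on with port 465, and tls_certcheck off. The sample configuration embedded in it is constructed from the values used in this article.

```python
"""Lint an msmtprc for settings that weaken the mail transport."""
import re
from typing import Dict, List

# Constructed sample: the article's values with the two weak settings present.
SAMPLE_MSMTPRC = """\
account STD
host mail.std.rocks
port 465
from srv1@std.rocks
user srv1@std.rocks
password MyWeakPassword
auth on
tls on
tls_starttls on
tls_trust_file /etc/ssl/certs/ca-certificates.crt
tls_certcheck off
account default : STD
"""

def parse_msmtprc(text: str) -> Dict[str, Dict[str, str]]:
    """Return {account_name: {key: value}}; 'account default : X' aliases X."""
    accounts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "account":
            alias = re.match(r"(\S+)\s*:\s*(\S+)$", value)
            if alias:  # "account default : STD" points at an existing account
                accounts[alias.group(1)] = accounts.setdefault(alias.group(2), {})
            else:
                current = value
                accounts.setdefault(current, {})
            continue
        if current is not None:
            accounts[current][key] = value
    return accounts

def audit(acct: Dict[str, str]) -> List[str]:
    """Findings for one account; msmtp defaults: tls off, tls_starttls on, tls_certcheck on."""
    findings = []
    tls = acct.get("tls", "off") == "on"
    if acct.get("auth", "off") == "on" and not tls:
        findings.append("auth on without tls: password sent in cleartext")
    if tls and acct.get("port") == "465" and acct.get("tls_starttls", "on") == "on":
        findings.append("port 465 is implicit TLS: set tls_starttls off")
    if tls and acct.get("tls_certcheck", "on") == "off":
        findings.append("tls_certcheck off: server identity not verified")
    return findings
```

Run it against /etc/msmtprc with `audit(parse_msmtprc(open("/etc/msmtprc").read())["default"])`; an empty list means none of the three weak patterns is present.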
// Send email to this address for problems or packages upgrades
Unattended-Upgrade::Mail "srv1-unattended@std.rocks";
[…]
// Replace "on-change" with "always" and run unattended-upgrade -d to test whether mail reports work
Unattended-Upgrade::MailReport "on-change";
// Optional: set the From field of the report
Unattended-Upgrade::Sender "srv1@std.rocks";