Automatic security update process with unattended-upgrades

If you use/administer a Debian/Ubuntu system, you can automate the security update process by using the program unattended-upgrades. This tool provides a simple way to manage this task.
To install it:

apt-get install unattended-upgrades
dpkg-reconfigure unattended-upgrades

After selecting “Yes”, a configuration file (/etc/apt/apt.conf.d/20auto-upgrades) is created with this content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The first line of this file runs the equivalent of an “apt-get update” command. The “1” at the end of the line enables it (the value is an interval in days; 0 disables it).
The second line runs the “unattended-upgrade” security upgrade script.

The schedule is managed by:

  • the location of the apt script file. The default is /etc/cron.daily/apt

  • the time configured in the file /etc/crontab. For the daily setting, the line is:
    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )

You can edit the configuration file /etc/apt/apt.conf.d/50unattended-upgrades to:

  • allow other update types (updates, proposed, backports)
    Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
          "${distro_id}:${distro_codename}-updates";
          "${distro_id}:${distro_codename}-proposed";
          "${distro_id}:${distro_codename}-backports";
    };
  • exclude some packages (regular expressions are supported)
    Unattended-Upgrade::Package-Blacklist {
          "vim";
          "libc6";
          "libc6-dev";
          "libc6-i686";
    };
    
  • configure an automatic reboot
    Unattended-Upgrade::Automatic-Reboot "false";
    
  • schedule a reboot
    Unattended-Upgrade::Automatic-Reboot-Time "02:00";
    
  • receive an email
    Unattended-Upgrade::Mail "youremail@local.domain";
    
  • limit the download bandwidth
    Acquire::http::Dl-Limit "70";
    

More options can be configured. It is well-documented.


