Unattended Upgrades

From Foxwiki

Unattended Upgrades

The purpose of unattended-upgrades is to keep the computer current with the latest security (and other) updates automatically.

If you plan to use it, you should have some means to monitor your systems, such as installing the apt-listchanges package and configuring it to send you emails about updates. There is also /var/log/dpkg.log, and the per-run logs in /var/log/unattended-upgrades/ (unattended-upgrades.log for the script's own decisions, unattended-upgrades-dpkg.log for the dpkg output).
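As an added example (not part of the wiki page), here is a small shell script that summarises the most recent run recorded in unattended-upgrades.log, the kind of check you would hang off a cron mail or a monitoring agent. The log line layout (date, time, level, message) and the message texts it matches on are the real ones; the three sample runs written by write_sample_log are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the wiki page: summarise the outcome of the most
# recent run in /var/log/unattended-upgrades/unattended-upgrades.log.
# The log format (date time level message) is the real one; the sample runs
# written by write_sample_log are constructed for this example.

LOG_FILE="${UNATTENDED_LOG:-/var/log/unattended-upgrades/unattended-upgrades.log}"

# write_sample_log FILE: three constructed runs, in order: nothing to do,
# a failed dpkg run, and a successful run.
write_sample_log() {
    cat > "$1" <<'EOF'
2024-03-02 06:12:01,118 INFO Starting unattended upgrades script
2024-03-02 06:12:01,119 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-03-02 06:12:01,120 INFO Initial blacklist:
2024-03-02 06:12:01,120 INFO Initial whitelist (not strict):
2024-03-02 06:12:04,901 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-03-03 06:09:44,207 INFO Starting unattended upgrades script
2024-03-03 06:09:44,208 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-03-03 06:09:52,330 INFO Packages that will be upgraded: libc6 libc-bin
2024-03-03 06:09:52,331 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-03-03 06:10:12,004 ERROR Installing the upgrades failed!
2024-03-03 06:10:12,005 ERROR error message: E:Sub-process /usr/bin/dpkg returned an error code (1)
2024-03-04 06:15:30,512 INFO Starting unattended upgrades script
2024-03-04 06:15:30,513 INFO Allowed origins are: origin=Debian,codename=bookworm,label=Debian-Security
2024-03-04 06:15:39,870 INFO Packages that will be upgraded: libssl3 openssl
2024-03-04 06:15:39,871 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-03-04 06:16:02,448 INFO All upgrades installed
EOF
}

# last_run_status FILE: prints ok, nothing-to-do, error or unknown for the
# last run (everything after the last "Starting unattended upgrades script").
# Any ERROR line wins over a later success message; a log that ends in the
# middle of a run (killed at shutdown, still running) stays "unknown".
last_run_status() {
    awk '
        /Starting unattended upgrades script/ { started = 1; status = "unknown"; next }
        !started { next }
        $3 == "ERROR" { status = "error" }
        status != "error" && /All upgrades installed/ { status = "ok" }
        status != "error" && /No packages found that can be upgraded unattended/ { status = "nothing-to-do" }
        END { print (started ? status : "unknown") }
    ' "$1"
}

# last_run_packages FILE: the packages the last run decided to upgrade
# (empty when there were none).
last_run_packages() {
    awk '
        /Starting unattended upgrades script/ { pkgs = "" }
        /Packages that will be upgraded: / { sub(/.*Packages that will be upgraded: /, ""); pkgs = $0 }
        END { print pkgs }
    ' "$1"
}

# last_run_date FILE: date on which the last run started, for staleness checks.
last_run_date() {
    awk '/Starting unattended upgrades script/ { d = $1 } END { print d }' "$1"
}

# On a real host: one line suitable for a cron mail or a monitoring check.
if [ -r "$LOG_FILE" ]; then
    printf '%s: last run %s, status %s, packages: %s\n' \
        "$LOG_FILE" "$(last_run_date "$LOG_FILE")" \
        "$(last_run_status "$LOG_FILE")" "$(last_run_packages "$LOG_FILE")"
fi
```

Run it as-is on a host to get the summary line; set UNATTENDED_LOG to point it at a copied log. A status of "unknown" with a recent date usually means the run was interrupted, which is worth alerting on just as much as "error".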

As of Debian 9 (Stretch) both the unattended-upgrades and apt-listchanges packages are installed by default, and upgrades are enabled with the GNOME desktop. Rudimentary configuration is accessible via the "Software & Updates" application (software-properties-gtk).

To install these packages, run the following command as root:

apt-get install unattended-upgrades apt-listchanges

The default configuration file for the unattended-upgrades package is at /etc/apt/apt.conf.d/50unattended-upgrades. Any local customizations should be in /etc/apt/apt.conf.d/52unattended-upgrades-local (see the package README for details).

editor /etc/apt/apt.conf.d/52unattended-upgrades-local

This section controls which packages are upgraded. It is an apt.conf list, so entries in a later file add to the entries from 50unattended-upgrades rather than replacing them; to start from an empty list, put #clear Unattended-Upgrade::Origins-Pattern; before it:

Unattended-Upgrade::Origins-Pattern {
   // ..
};

You should at least uncomment the following line so that reports reach you. Mail is only delivered if the host has a working mail setup and a package providing mailx installed:

Unattended-Upgrade::Mail "root";
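The following is an added example, not code from the wiki page or from the unattended-upgrades package: a shell script that writes a 52unattended-upgrades-local with the settings a server usually wants (security archive only, mail on error, no automatic reboot) and then verifies what apt actually sees. All option names are real unattended-upgrades options; the policy choices are ours, and the path to write is an argument so the file can be produced in a scratch directory first.

```shell
#!/bin/sh
# Added example, not part of the wiki page or the unattended-upgrades package:
# write a local override file and show how to verify what apt actually sees.
# Runs against a scratch path by default; pass the real path as $1 on the host.

# write_local_config FILE: keys and values are real unattended-upgrades
# options; the policy choices (security-only, no automatic reboot) are ours.
write_local_config() {
    # Quoted heredoc: ${distro_codename} must reach apt unexpanded, it is
    # substituted by unattended-upgrade at run time.
    cat > "$1" <<'EOF'
// Local overrides, read after 50unattended-upgrades.

// Replace (not extend) the list from 50unattended-upgrades: apt.conf lists
// are additive, so without #clear the defaults would stay in effect.
#clear Unattended-Upgrade::Origins-Pattern;
Unattended-Upgrade::Origins-Pattern {
    // Security archive only; both suite layouts (before and after bullseye).
    "origin=Debian,codename=${distro_codename},label=Debian-Security";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};

// Report by mail; needs a working MTA and a package providing mailx.
// Earlier versions used Unattended-Upgrade::MailOnlyOnError "true" instead.
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailReport "only-on-error";

// Never reboot on its own; use needrestart or a maintenance window instead.
Unattended-Upgrade::Automatic-Reboot "false";

// Keep /boot and the dependency tree tidy after kernel updates.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
EOF
}

# show_effective_config: host only; prints the merged view after all of
# /etc/apt/apt.conf.d has been read, which is what the upgrade script uses.
show_effective_config() {
    command -v apt-config >/dev/null 2>&1 || { echo "apt-config not installed" >&2; return 1; }
    apt-config dump | grep -E '^(Unattended-Upgrade|APT::Periodic)'
}

if [ -n "${1:-}" ]; then
    write_local_config "$1"
    show_effective_config
    # Dry run with debug output: confirms the allowed origins and lists what
    # would be installed without touching the system.
    unattended-upgrade --dry-run -d
fi
```

Try it first with a scratch path (./52unattended-upgrades-local) and inspect the file; on the host, run it as root with /etc/apt/apt.conf.d/52unattended-upgrades-local and read the "Allowed origins are:" line of the dry run to confirm the #clear took effect.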

Automatic call via /etc/apt/apt.conf.d/20auto-upgrades

To activate unattended-upgrades, you need to ensure that the apt configuration stub /etc/apt/apt.conf.d/20auto-upgrades contains at least the following lines:

editor /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The file /etc/apt/apt.conf.d/20auto-upgrades can be created manually or by running the following command as root:

dpkg-reconfigure unattended-upgrades

Or non-interactively by running:

echo unattended-upgrades unattended-upgrades/enable_auto_updates boolean true | debconf-set-selections
dpkg-reconfigure -f noninteractive unattended-upgrades
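As an added example that is not part of the wiki page, the script below reads the merged configuration that apt-config dump prints and decides whether periodic upgrades are really on. This matters because /etc/apt/apt.conf.d is read in lexical order, so a value set in 20auto-upgrades wins over the same key in 02periodic, and because APT::Periodic::Enable "0" turns everything off while the two keys above still read "1". The dump snippets it is tested against are constructed.

```shell
#!/bin/sh
# Added example, not part of the wiki page: decide whether periodic
# unattended upgrades are actually switched on, from the merged view that
# `apt-config dump` prints. Files in /etc/apt/apt.conf.d are read in lexical
# order, so a key set in 20auto-upgrades overrides the same key in 02periodic;
# the dump shows the value that wins. The dumps below are constructed.

# periodic_value KEY FILE [DEFAULT]: value of APT::Periodic::KEY in a saved
# `apt-config dump` output, or DEFAULT (0 unless given) when the key is unset.
periodic_value() {
    awk -v key="APT::Periodic::$1" -v def="${3:-0}" '
        $1 == key { v = $2; gsub("[\";]", "", v); print v; found = 1; exit }
        END { if (!found) print def }
    ' "$2"
}

# auto_upgrades_enabled FILE: true when APT::Periodic::Enable is not "0"
# (apt.systemd.daily treats an unset Enable as 1) and both the list refresh
# and the upgrade step have a non-zero interval.
auto_upgrades_enabled() {
    [ "$(periodic_value Enable "$1" 1)" != "0" ] &&
    [ "$(periodic_value Update-Package-Lists "$1")" != "0" ] &&
    [ "$(periodic_value Unattended-Upgrade "$1")" != "0" ]
}

# Constructed dumps, restricted to the APT::Periodic subtree.
write_dump_enabled() {              # what 20auto-upgrades alone produces
    cat > "$1" <<'EOF'
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}
write_dump_disabled_by_enable() {   # an 02periodic carrying Enable "0"
    cat > "$1" <<'EOF'
APT::Periodic "";
APT::Periodic::Enable "0";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}
write_dump_lists_only() {           # lists refreshed, upgrade step off
    cat > "$1" <<'EOF'
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
}

# On a host: check the live configuration and the systemd timer.
if command -v apt-config >/dev/null 2>&1; then
    live=$(mktemp)
    apt-config dump > "$live"
    if auto_upgrades_enabled "$live"; then
        echo "periodic unattended upgrades: enabled"
    else
        echo "periodic unattended upgrades: DISABLED"
    fi
    rm -f "$live"
    # The schedule must exist too: on systemd hosts that is apt-daily-upgrade.timer.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-enabled apt-daily-upgrade.timer || true
    fi
fi
```

The APT::Periodic keys only say what the daily script may do; the timer (or the cron job on non-systemd hosts) decides whether it runs at all, which is why the host check looks at both.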

Automatic call via /etc/apt/apt.conf.d/02periodic

Alternatively, you can also create the apt configuration file /etc/apt/apt.conf.d/02periodic to activate unattended-upgrades.

editor /etc/apt/apt.conf.d/02periodic

Below is an example /etc/apt/apt.conf.d/02periodic:

// Control parameters for cron jobs by /etc/cron.daily/apt-compat
//
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "2";

Manual run (for debugging)

To aid debugging, you can run unattended-upgrades manually with debug output; add --dry-run to see its decisions (allowed origins, candidate packages) without installing anything:

sudo unattended-upgrade -d

See Also

  • /usr/share/doc/unattended-upgrades/README.md.gz
  • /usr/share/doc/apt/examples/configure-index
  • /etc/cron.daily/apt
  • man apt.conf(5)
  • man unattended-upgrade(8)
  • needrestart* packages, to identify additional running processes which must be restarted to apply (previously installed security) updates without rebooting

apt-listchanges

Below is an example configuration file for apt-listchanges, /etc/apt/listchanges.conf. email_address mails a copy of the changes in addition to whatever the frontend shows, which is what matters for unattended runs; which=both includes both NEWS and changelog entries:

$EDITOR /etc/apt/listchanges.conf
[apt]
frontend=pager
email_address=root
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=both

Modifying download and upgrade schedules (on systemd)

Debian uses systemd timers to run the periodic APT maintenance tasks; the timer units are provided by the apt package.

The relevant files are:

  • Used for downloads: /lib/systemd/system/apt-daily.timer
    • gets overridden by /etc/systemd/system/apt-daily.timer.d/override.conf
  • Used for upgrades: /lib/systemd/system/apt-daily-upgrade.timer
    • gets overridden by /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf

The canonical steps to create and edit these overrides are, for downloads:

sudo systemctl edit apt-daily.timer
sudo systemctl restart apt-daily.timer
sudo systemctl status apt-daily.timer    (optional; shows the next trigger time)

or for upgrades:

sudo systemctl edit apt-daily-upgrade.timer
sudo systemctl restart apt-daily-upgrade.timer
sudo systemctl status apt-daily-upgrade.timer    (optional; shows the next trigger time)

Here is an example of how to override the download time to 1AM by adding the following via sudo systemctl edit apt-daily.timer:

[Timer]
OnCalendar=
OnCalendar=01:00
RandomizedDelaySec=0

The empty OnCalendar= line is needed to clear the default value (the OnCalendar=*-*-* 6,18:00 line in the shipped unit shown below): systemd treats OnCalendar as a list, so without the reset the new time would be added to the default rather than replace it. RandomizedDelaySec=0 is needed to remove the random delay of up to 12 hours that the default adds.

The current default values for downloads in /lib/systemd/system/apt-daily.timer are (at the time of writing):

[Unit]
Description=Daily apt download activities

[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target
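As an added example, not part of the wiki page: a shell script that writes the same drop-in non-interactively and works out which OnCalendar entries remain in effect, using the systemd rule that an empty assignment clears the list and any other assignment appends to it. The stock unit it tests against is the apt-daily.timer shown above, copied into a temporary file; the two schedule values (01:00 for downloads, 02:00 for upgrades) are our choice.

```shell
#!/bin/sh
# Added example, not part of the wiki page: write the timer drop-ins without
# an interactive editor, and work out which OnCalendar entries are in effect.
# effective_oncalendar applies the systemd rule: an empty OnCalendar=
# assignment clears the list, any other assignment appends to it.
# write_stock_timer reproduces the shipped apt-daily.timer for offline tests.

# write_timer_override BASEDIR TIMER TIME: create BASEDIR/TIMER.d/override.conf,
# the file `systemctl edit TIMER` would create under /etc/systemd/system.
write_timer_override() {
    mkdir -p "$1/$2.d"
    cat > "$1/$2.d/override.conf" <<EOF
[Timer]
OnCalendar=
OnCalendar=$3
RandomizedDelaySec=0
EOF
}

# write_stock_timer FILE: copy of the shipped apt-daily.timer.
write_stock_timer() {
    cat > "$1" <<'EOF'
[Unit]
Description=Daily apt download activities

[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target
EOF
}

# effective_oncalendar UNIT [DROPIN...]: prints the OnCalendar entries that
# remain after reading the unit and its drop-ins in order, joined by " | ".
effective_oncalendar() {
    awk '
        /^OnCalendar=/ {
            sub(/^OnCalendar=/, "")
            if ($0 == "") { n = 0; next }       # empty assignment resets the list
            list[n++] = $0
        }
        END {
            for (i = 0; i < n; i++) printf "%s%s", (i ? " | " : ""), list[i]
            printf "\n"
        }
    ' "$@"
}

# apply_overrides: host only. systemctl edit reloads for you; a hand-written
# drop-in needs daemon-reload. Downloads at 01:00, upgrades an hour later so
# the upgrade run finds the packages already fetched.
apply_overrides() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemd-analyze calendar 01:00 02:00 >/dev/null || return 1   # rejects typos before they reach a unit
    write_timer_override /etc/systemd/system apt-daily.timer 01:00
    write_timer_override /etc/systemd/system apt-daily-upgrade.timer 02:00
    systemctl daemon-reload
    systemctl restart apt-daily.timer apt-daily-upgrade.timer
    systemctl list-timers 'apt-daily*'
}
```

Feed effective_oncalendar the unit and a drop-in that lacks the empty OnCalendar= line and it reports both schedules, which is exactly what systemd would fire on; with the reset line only the new time remains. On the host, systemctl cat apt-daily.timer shows the same merged view.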

Categories: PackageManagement, SystemAdministration