There is a new version of this tutorial available for Debian 7 (Wheezy).

How To Configure Automatic Updates On Debian Squeeze

Version 1.0
Author: Falko Timme

This tutorial shows how to configure a Debian Squeeze system to have package updates installed automatically without user interaction. In addition to that I will show you what needs to be done to have the system email you about available updates on a daily basis.

I do not issue any guarantee that this will work for you!

 

1 Configure The System For Unattended Upgrades

To make the system install upgrades automatically, we need to install the package unattended-upgrades. It is also good to have the /usr/bin/mail command on the system in case you want to configure the unattended-upgrades package to send email notifications, therefore we install the package bsd-mailx as well:

apt-get install unattended-upgrades bsd-mailx

You can configure the unattended-upgrades package by modifying the file /etc/apt/apt.conf.d/50unattended-upgrades:

vi /etc/apt/apt.conf.d/50unattended-upgrades

Normally the default configuration should be OK; if you want to change anything, please read the comments in the file, which make the configuration self-explanatory. For example, you can specify the upgrade origins (default: stable and security), blacklist packages that should not be updated, have the system email you if there are problems, have the system remove unused dependencies after an update, or make the system reboot automatically if this is needed after an update. Please note: the double slashes // start a comment; anything that follows them on the same line will not be evaluated.

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";


// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Next create the file /etc/apt/apt.conf.d/02periodic to enable unattended upgrades (again, the comments make the file self-explanatory):

vi /etc/apt/apt.conf.d/02periodic

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "7";
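
Files in /etc/apt/apt.conf.d are merged in name order, and a later file can override a value set in 02periodic, so it is worth checking the values APT actually ends up with. The following added example (not part of the original tutorial) reads apt-config dump output and flags required APT::Periodic settings that are missing or 0; the function names and the sample dump are constructed, and values are assumed to be day counts as in the file above.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the effective APT::Periodic
# values. On a live system run:  apt-config dump | periodic_audit

# periodic_audit: reads "apt-config dump" output on stdin, prints KEY=STATE
# for each required key, returns non-zero if one is missing or 0 (disabled).
periodic_audit() {
    awk '
        BEGIN {
            n = split("Enable Update-Package-Lists Unattended-Upgrade", want, " ")
        }
        # Dump lines look like:  APT::Periodic::Enable "1";
        $1 ~ /^APT::Periodic::/ {
            key = $1; sub(/^APT::Periodic::/, "", key)
            val = $2; gsub(/[";]/, "", val)
            seen[key] = val
        }
        END {
            for (i = 1; i <= n; i++) {
                k = want[i]
                if (!(k in seen))         { state = "MISSING"; bad = 1 }
                else if (seen[k] + 0 < 1) { state = "DISABLED"; bad = 1 }
                else                      { state = "every " seen[k] " day(s)" }
                printf "%s=%s\n", k, state
            }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample dump: another conf.d file has switched the upgrade run off.
periodic_sample_dump() {
    cat <<'EOF'
APT "";
APT::Periodic "";
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "0";
APT::Periodic::AutocleanInterval "7";
EOF
}

# Demo on the constructed sample (reports Unattended-Upgrade=DISABLED).
periodic_sample_dump | periodic_audit || true
```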

That's it! Unattended upgrades will be run once per day from the cron job script /etc/cron.daily/apt. The script will log to the file /var/log/unattended-upgrades/unattended-upgrades.log. The log file could have entries similar to these after a successful upgrade:

2011-07-13 16:49:30,878 INFO Initial blacklisted packages:
2011-07-13 16:49:30,880 INFO Starting unattended upgrades script
2011-07-13 16:49:30,880 INFO Allowed origins are: ["('Debian', 'stable')", "('Debian', 'squeeze-security')"]
2011-07-13 16:50:05,222 INFO Packages that are upgraded: apt apt-listchanges apt-utils base-files bind9-host
console-setup dnsutils dpkg e2fslibs e2fsprogs host isc-dhcp-client isc-dhcp-common keyboard-configuration
klibc-utils libbind9-60 libcomerr2 libdns69 libgssapi-krb5-2 libgssrpc4 libisc62 libisccc60 libisccfg62
libk5crypto3 libkadm5clnt-mit7 libkadm5srv-mit7 libkdb5-4 libklibc libkrb5-3 libkrb5support0 libldap-2.4-2
liblwres60 libperl5.10 libruby1.8 libss2 libxml2 linux-base linux-image-2.6.32-5-amd64 login openssl passwd
perl perl-base perl-modules python python-apt python-apt-common python-minimal tzdata
2011-07-13 16:50:05,225 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2011-07-13_16:50:05.224836.log'
2011-07-13 16:51:51,290 INFO All upgrades installed
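
Because the job runs without anyone watching, it pays to check the log for a recent run rather than assume it happened. This added example (not part of the original tutorial) summarises the log using only the message strings shown above; the function names, the cutoff argument and the second run in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the tutorial): health check for the log written by
# /etc/cron.daily/apt. Relies only on message strings shown in the log above.

# uu_log_report LOGFILE CUTOFF   (CUTOFF is YYYY-MM-DD; LOGFILE "-" = stdin)
# Prints "status=... last_start=... last_installed=... problems=N" and
# returns non-zero unless status=ok. problems counts the latest run only.
uu_log_report() {
    awk -v cutoff="$2" '
        # Entries start with a date; wrapped package lists do not: skip them.
        $1 !~ /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]$/ { next }
        { msg = $0; sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", msg) }
        # A new run begins: remember its date, forget older problems.
        msg ~ /^Starting unattended upgrades script/ { start = $1; problems = 0 }
        msg ~ /^All upgrades installed/ { installed = $1 }
        $3 == "WARNING" || $3 == "ERROR" { problems++ }
        END {
            if (start == "") status = "never-ran"
            else if ((start "") < (cutoff "")) status = "stale"
            else if (problems > 0) status = "problems"
            else status = "ok"
            printf "status=%s last_start=%s last_installed=%s problems=%d\n",
                   status, (start == "" ? "none" : start),
                   (installed == "" ? "none" : installed), problems
            exit (status == "ok" ? 0 : 1)
        }
    ' "$1"
}

# Constructed sample: the run from the tutorial (shortened) plus an invented
# later run that logged an ERROR line.
uu_sample_log() {
    cat <<'EOF'
2011-07-13 16:49:30,878 INFO Initial blacklisted packages:
2011-07-13 16:49:30,880 INFO Starting unattended upgrades script
2011-07-13 16:50:05,222 INFO Packages that are upgraded: apt apt-utils
console-setup dnsutils dpkg
2011-07-13 16:51:51,290 INFO All upgrades installed
2011-07-14 06:25:02,101 INFO Starting unattended upgrades script
2011-07-14 06:25:40,517 ERROR constructed failure message
EOF
}

# Demo: first run only (ok), then both runs (problems in the latest run).
uu_sample_log | head -n 5 | uu_log_report - 2011-07-12
uu_sample_log | uu_log_report - 2011-07-12 || true
```

On a live system with GNU date, call it from cron as: uu_log_report /var/log/unattended-upgrades/unattended-upgrades.log "$(date -d '2 days ago' +%F)" and alert on a non-zero exit status.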

 

2 Make The System Send Notifications About Available Updates

There's another useful package called apticron which can email notifications about packages that have updates available, together with a list of changes in each update package.

To install apticron, simply run:

apt-get install apticron

To configure apticron, please edit /etc/apticron/apticron.conf:

vi /etc/apticron/apticron.conf

All that needs to be changed is the EMAIL directive - please specify one or more email addresses (separated by a space) to be notified about available updates:

[...]
# set EMAIL to a space separated list of addresses which will be notified of
# impending updates
#
EMAIL="root@localhost [email protected]"
[...]

Apart from that, the default configuration should suit most cases.

 
