Debian and Ubuntu are excellent operating systems with (very) long term support and product updates - making them popular both at work and in my homelab.
As someone famous probably said: If you have to do something more than once - script it. To that end I am an avid user of Debian and Ubuntu’s automatic update feature.
To get going, first install unattended-upgrades:
sudo apt install unattended-upgrades
Then reconfigure it so the daily update and upgrade jobs are switched on:
sudo dpkg-reconfigure --priority=low unattended-upgrades
You’ll be asked whether to automatically download and install stable updates; select Yes. This writes the APT::Periodic settings into /etc/apt/apt.conf.d/20auto-upgrades.
Next, edit /etc/apt/apt.conf.d/20auto-upgrades and make sure it contains:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
// Run apt-get autoclean every 7 days
APT::Periodic::AutocleanInterval "7";
// Run unattended-upgrade daily
APT::Periodic::Unattended-Upgrade "1";
Edit /etc/apt/apt.conf.d/50unattended-upgrades
And set the following properties:
// Reboot automatically, but only when an upgraded package has created /var/run/reboot-required
Unattended-Upgrade::Automatic-Reboot "true";
// ... and then at 02:00 rather than immediately after the upgrade run
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Cleanup old packages
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
With that configured, unattended-upgrade runs once a day (on systemd releases the apt-daily-upgrade.timer fires it shortly after 06:00, which is why the log at the end of this post shows a 06:30 run), installs the available security updates, cleans up, and reboots the box at 02:00 if one of the upgraded packages asked for it.
By default only security updates are installed. To also install the other Ubuntu pockets and third-party updates we have a little more work to do.
Enabling updating of 3rd party and other system packages
In the same file, /etc/apt/apt.conf.d/50unattended-upgrades, the Unattended-Upgrade::Allowed-Origins list defines the archives packages may be auto-updated from. They are:
- Important security updates (distro-security)
- Recommended updates (distro-updates)
- Pre-released updates (distro-proposed)
- Unsupported updates (distro-backports)
By default only the security entry is active. Uncomment -updates as well to get the rest of the regular Ubuntu updates installed automatically; -proposed and -backports are best left commented out, since pre-release and unsupported packages are not what you want landing unattended on a server. E.g. we use:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
"${distro_id}:${distro_codename}-updates";
};
To add third-party repositories, first find each repository’s origin and archive labels with:
apt-cache policy
An example of MongoDB’s repo ID is:
release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64
An example of Ubiquiti’s repo ID is:
release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64
The two fields we need are the origin (o=) and the archive (a=); an Allowed-Origins entry is written as "origin:archive", and an origin that contains commas, like Ubiquiti’s, is used as-is. Each entry lets that vendor’s signing key decide what gets installed with nobody reviewing it, so only add repositories whose updates you are happy to take blind; Unattended-Upgrade::Package-Blacklist in the same file can hold back individual packages. Back in 50unattended-upgrades add:
Unattended-Upgrade::Allowed-Origins {
"mongodb:xenial";
"Ubiquiti Networks, Inc.:stable";
};
To test your changes perform a dry run with:
sudo unattended-upgrade --debug --dry-run
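As an added example, not code from the original post: the shell functions below turn the release lines that apt-cache policy prints into Allowed-Origins entries, drop the distro’s own origin, and render the rest as an APT configuration fragment. They assume that APT reads the files in /etc/apt/apt.conf.d/ in lexical order, so a second Allowed-Origins block in a later file (52unattended-upgrades-local is a name chosen for this example) appends to the list in 50unattended-upgrades rather than replacing it, which leaves the packaged file untouched. The sample policy output embedded in the script is constructed from the two release lines above plus one Ubuntu line.

```shell
#!/bin/sh
# Added example, not from the original post: derive Allowed-Origins entries
# from `apt-cache policy` output and render them as an APT drop-in fragment.
# Assumption: APT reads /etc/apt/apt.conf.d/* in lexical order, so a second
# Unattended-Upgrade::Allowed-Origins { ... } block in a later file appends
# to the list in 50unattended-upgrades instead of replacing it.
set -u

# Turn "release ...o=ORIGIN,a=ARCHIVE,..." lines on stdin into "ORIGIN:ARCHIVE".
# The origin may contain commas (o=Ubiquiti Networks, Inc.), so it is captured
# greedily up to the ",a=" that starts the archive field; a "v=" field may
# precede "o=" on Ubuntu's own lines. Duplicates (main/universe...) collapse.
policy_to_origins() {
    sed -nE 's/^[[:space:]]*release (.*,)?o=(.*),a=([^,]*).*$/\2:\3/p' | LC_ALL=C sort -u
}

# Drop entries whose origin is the distro itself ($1, e.g. Ubuntu); those are
# already covered by the ${distro_id} lines in 50unattended-upgrades.
# $1 is used as a regular expression, so pass a plain name.
third_party_only() {
    grep -v "^$1:"
}

# Render the "ORIGIN:ARCHIVE" entries on stdin as an APT config fragment.
render_allowed_origins() {
    echo '// Extra origins for unattended-upgrades, generated from apt-cache policy'
    echo 'Unattended-Upgrade::Allowed-Origins {'
    while IFS= read -r entry; do
        printf '    "%s";\n' "$entry"
    done
    echo '};'
}

# Constructed sample of apt-cache policy output (two lines from this post plus
# one Ubuntu line), used when the script is run without --live.
SAMPLE_POLICY='release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64
 release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64
 release v=18.04,o=Ubuntu,a=bionic-security,n=bionic,l=Ubuntu,c=main,b=amd64
 release v=18.04,o=Ubuntu,a=bionic-security,n=bionic,l=Ubuntu,c=universe,b=amd64'

if [ "${1:-}" = "--live" ]; then
    # Real run: pipe the result into the drop-in, then dry-run to confirm the
    # "Allowed origins are: ..." log line lists the new entries:
    #   sh thisscript.sh --live | sudo tee /etc/apt/apt.conf.d/52unattended-upgrades-local
    #   sudo unattended-upgrade --debug --dry-run
    apt-cache policy | policy_to_origins | third_party_only Ubuntu | render_allowed_origins
else
    printf '%s\n' "$SAMPLE_POLICY" | policy_to_origins | third_party_only Ubuntu | render_allowed_origins
fi
```

Without --live the script prints the fragment for the constructed sample, which is the quickest way to check that a repository’s release line parses the way you expect before you point it at a real apt-cache policy.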
Enabling e-mail notifications
To enable email notifications edit /etc/apt/apt.conf.d/50unattended-upgrades and add
Unattended-Upgrade::Mail "user@boxpeg.com";
below the line
Unattended-Upgrade::Remove-Unused-Dependencies "true";
The recipient is of course your own address. If you would rather only hear about failures, also set Unattended-Upgrade::MailOnlyOnError "true"; (on releases shipping unattended-upgrades 2.x the equivalent is Unattended-Upgrade::MailReport "only-on-error";).
Next install a mail client and an MTA. On Ubuntu:
sudo apt install bsd-mailx
(this pulls in postfix as the default MTA). On Debian, name postfix explicitly or you get exim4:
sudo apt install bsd-mailx postfix
When debconf asks for the general type of mail configuration choose Satellite system, which hands all outgoing mail to a relay host; the two variants below differ only in whether that relay wants a login. In our case we use:
- boxpeg.com as the system mail name
- mail.boxpeg.com as the SMTP relay host
Satellite - Authenticated
Open or create /etc/postfix/sasl_passwd and add your relay host, port, username and password in the following format:
[mail.boxpeg.com]:587 user@boxpeg.com:mysecretpassword
Create the lookup table for Postfix with postmap:
sudo postmap /etc/postfix/sasl_passwd
You should now see both /etc/postfix/sasl_passwd and the /etc/postfix/sasl_passwd.db lookup table:
ls -l /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
Neither file is encrypted: the .db is a Berkeley DB hash table that still holds the password in clear text, so make both owned by root with mode 0600 before going any further. If you prefer, delete the plain-text source once the .db exists (you will have to recreate it to change the password later):
sudo rm /etc/postfix/sasl_passwd
Add to /etc/postfix/main.cf (smtp_tls_security_level = encrypt replaces the older smtp_use_tls = yes, which only means "may": opportunistic TLS that silently falls back to clear text, and with it your SASL password, should the relay ever fail to offer STARTTLS). Also check the relayhost line debconf wrote: it must read [mail.boxpeg.com]:587, exactly matching the key in sasl_passwd, or the credentials are never looked up:
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
For relay - Unauthenticated
For the configuration in /etc/postfix/main.cf just add:
smtp_tls_security_level = may
Opportunistic TLS is acceptable here because no credentials are sent; the relay itself must then be restricted to trusted client addresses on its own side.
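As an added example, not part of the original post: a small POSIX sh audit of a main.cf used as an authenticated relay. It checks the two things that go wrong in practice, opportunistic TLS combined with SASL credentials, and a sasl_passwd(.db) that other users can read. The file path is passed as the first argument; with no argument it writes two constructed configs (weak and hardened) into a temporary directory and checks both, so it runs offline. The parameter names and defaults are Postfix’s own; the sample configs and the temporary file layout are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: audit a Postfix main.cf that
# relays through an authenticated smarthost. smtp_use_tls = yes is the same as
# smtp_tls_security_level = may, i.e. opportunistic TLS with plaintext
# fallback, so SASL credentials need "encrypt" or stricter; and sasl_passwd
# plus its .db hold the password unencrypted, so only root may read them.
set -u

# Value of Postfix parameter $2 in main.cf $1 (last assignment wins, as with
# postconf); prints nothing if unset. Commented lines never match.
cf_get() {
    sed -nE "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Fail if $1 exists and is readable by group or others (POSIX find -perm).
check_private() {
    [ -e "$1" ] || return 0
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $1 is readable by group or others; chown root:root and chmod 600 it"
        return 1
    fi
}

# Return 0 when the relay settings in main.cf $1 are safe, 1 otherwise.
check_relay_cf() {
    cf=$1
    rc=0
    if [ "$(cf_get "$cf" smtp_sasl_auth_enable)" != yes ]; then
        echo "OK: no SASL credentials configured, opportunistic TLS is acceptable"
        return 0
    fi
    level=$(cf_get "$cf" smtp_tls_security_level)
    case "$level" in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) echo "FAIL: smtp_sasl_auth_enable = yes but smtp_tls_security_level = '${level:-unset}' permits plaintext fallback; set it to encrypt"
           rc=1 ;;
    esac
    # Postfix's default is "noplaintext, noanonymous", so only an explicit
    # setting that dropped noanonymous is a finding.
    opts=$(cf_get "$cf" smtp_sasl_security_options)
    case "$opts" in
        ''|*noanonymous*) ;;
        *) echo "FAIL: smtp_sasl_security_options = '$opts' lacks noanonymous"; rc=1 ;;
    esac
    maps=$(cf_get "$cf" smtp_sasl_password_maps)
    case "$maps" in
        hash:*|btree:*)
            f=${maps#*:}
            check_private "$f" || rc=1
            check_private "$f.db" || rc=1 ;;
        '') echo "FAIL: smtp_sasl_auth_enable = yes but no smtp_sasl_password_maps"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: weak.cf uses opportunistic TLS with a password,
# hardened.cf enforces TLS. Both point at a root-only sasl_passwd in $1.
write_sample_configs() {
    dir=$1
    printf '[mail.boxpeg.com]:587 user@boxpeg.com:mysecretpassword\n' > "$dir/sasl_passwd"
    chmod 600 "$dir/sasl_passwd"
    printf 'smtp_use_tls = yes\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:%s/sasl_passwd\nsmtp_sasl_security_options = noanonymous\n' "$dir" > "$dir/weak.cf"
    printf 'relayhost = [mail.boxpeg.com]:587\nsmtp_tls_security_level = encrypt\nsmtp_sasl_auth_enable = yes\nsmtp_sasl_password_maps = hash:%s/sasl_passwd\nsmtp_sasl_security_options = noanonymous\n' "$dir" > "$dir/hardened.cf"
}

if [ -n "${1:-}" ]; then
    check_relay_cf "$1"          # real run: sh thisscript.sh /etc/postfix/main.cf
else
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    echo "== weak.cf";     check_relay_cf "$tmp/weak.cf" || true
    echo "== hardened.cf"; check_relay_cf "$tmp/hardened.cf" || true
    rm -r "$tmp"
fi
```

Run it against /etc/postfix/main.cf after the edits above; the exit status is 1 while any finding remains, so it slots into a configuration check without parsing the output.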
Final email configuration step
On some systems we had to change the line below:
mydestination = boxpeg.com, $myhostname, myserver, localhost.localdomain, localhost
To:
mydestination = $myhostname, myserver.boxpeg.com, localhost.boxpeg.com, localhost
Postfix delivers mail for any domain listed in mydestination locally, so with boxpeg.com in that list a message to user@boxpeg.com ends up in a mailbox on the server instead of being relayed to mail.boxpeg.com.
Testing e-mail
To fire a test email simply run from the command line (and watch /var/log/mail.log if nothing arrives):
echo "This is a test email body." | mail -s "Subject" -a "From: myhost@boxpeg.com" user@boxpeg.com
With all the above done you’ll receive a handy email like below describing what’s been updated and if any issues occurred:
Unattended upgrade returned: True
Packages that were upgraded:
base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd
systemd-sysv udev unifi
Package installation log:
Log started: 2019-08-07 06:30:15
Preparing to unpack .../base-files_10.1ubuntu2.6_amd64.deb ...
...
Unattended-upgrades log:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates, o=mongodb,a=xenial, o=Ubiquiti Networks\, Inc.,a=stable
Packages that will be upgraded: base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd systemd-sysv udev unifi
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
All upgrades installed