cron-apt is a tool that automates package update routines on Debian-based systems (such as Ubuntu). It uses cron to run apt at regular intervals. Its default configuration is very safe: it downloads new package lists and new packages, but neither installs nor upgrades anything without explicit configuration.
Why use cron-apt?
Rather than using a simple cron script that runs apt upgrade -y, cron-apt offers more control and safety:
- Fine-grained configuration: You can define precisely which actions are performed (updating lists, downloading, installing).
- Safe by default: By default, it does nothing dangerous. You have to explicitly enable updates.
- Notifications: It can email you the result of its actions, including the list of packages ready to be upgraded.
Prerequisites
- A Debian or Ubuntu system.
- Root access or sudo privileges.
- (Optional) A mail transport agent (MTA) such as msmtp or postfix to receive notifications.
Installation
sudo apt-get update
sudo apt-get install -y cron-apt
The installation places a cron job in /etc/cron.d/cron-apt, which generally runs once a night.
Configuration
The configuration is located in /etc/cron-apt/. The two main files are config and the scripts in action.d.
The /etc/cron-apt/config file
This file controls the general options.
# To receive reports by email
MAILON="always"
# Your email address
MAILTO="root" # or your own email address
By default, cron-apt only runs an apt-get update. To change this behavior, you use the action files.
Action files in /etc/cron-apt/action.d/
The files in this directory define the actions to run, in alphanumeric order.
- 0-update: Runs `apt-get update`. This is the default action.
- 1-download: Runs `apt-get --download-only upgrade`. Downloads packages without installing them.
By default, only 0-update exists. To download packages, rename 1-download.disabled to 1-download.
Enabling automatic downloading (but not installation)
This is a very safe and recommended configuration. You are notified of updates, they are ready to be installed, but you keep final control.
# The 0-update file already exists. We enable the download.
sudo mv /etc/cron-apt/action.d/1-download.disabled /etc/cron-apt/action.d/1-download
Now, every night, cron-apt will update the lists and download the packages. You will receive an email with the list of packages. To install them, you simply need to run sudo apt-get upgrade.
Enabling automatic installation (Caution!)
WARNING: Automatic installation can sometimes break a system if an update has a bug or an incompatibility. Only do this if you understand the risks.
Create a new action file:
sudo nano /etc/cron-apt/action.d/2-upgrade
Add this line:
upgrade -y
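This configuration runs apt-get upgrade -y after updating the lists and downloading. To be more cautious, you can use dist-upgrade to handle dependencies more intelligently; be aware that dist-upgrade may also install new packages or remove existing ones to resolve those dependencies.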
The most popular configuration is to enable only the download and to receive notifications by email. This lets you quickly review the pending updates and install them manually when you are ready.
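To confirm which of the configurations above a host is actually running, the following added example (not part of cron-apt or of the original page) lists the active action lines in order and flags any that would install without review. It assumes, as the page describes, that files ending in .disabled are not run and that each line holds apt-get arguments; the function names classify_line and audit_actions are hypothetical.

```shell
#!/bin/sh
# Added example, not part of cron-apt. Assumptions taken from the page: files
# ending in .disabled are not run; each other line holds apt-get arguments.

# classify_line ARGS... prints: update | download-only | INSTALLS | other
classify_line() {
    cmd="" dl=no skip=no
    for arg in "$@"; do
        if [ "$skip" = yes ]; then skip=no; continue; fi
        case "$arg" in
            -o|-c|-t) skip=yes ;;           # option whose value is the next word
            -o*|-c*|-t*) ;;                 # same options with the value attached
            --download-only) dl=yes ;;
            --*) ;;                         # other long options
            -*d*) dl=yes ;;                 # -d, or a cluster such as -dy
            -*) ;;                          # other short options
            *) [ -n "$cmd" ] || cmd=$arg ;; # first plain word = apt-get command
        esac
    done
    case "$cmd" in
        update) echo update ;;
        upgrade|dist-upgrade|full-upgrade|install|remove|purge|autoremove)
            if [ "$dl" = yes ]; then echo download-only; else echo INSTALLS; fi ;;
        *) echo other ;;
    esac
}

# audit_actions DIR prints "file: class: line" for each active action line, in
# the alphanumeric order the page describes. Returns 1 if any line installs.
audit_actions() {
    dir=$1 rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.disabled) continue ;; esac
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|'#'*) continue ;; esac
            class=$(set -f; classify_line $line)   # split on words, no globbing
            if [ "$class" = INSTALLS ]; then rc=1; fi
            printf '%s: %s: %s\n' "${f##*/}" "$class" "$line"
        done < "$f"
    done
    return "$rc"
}

# Run against a directory given on the command line, e.g. /etc/cron-apt/action.d
if [ -n "${1:-}" ]; then audit_actions "$1"; fi
```

A non-zero exit status means at least one active action installs packages unattended, which makes the script usable as a check in configuration management.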
Filtering updates
You can restrict updates to certain sources, for example only security updates.
sudo nano /etc/cron-apt/action.d/1-download
Modify the line to use the -o option:
# Only download from the security repositories
dist-upgrade -d -o APT::Get::Only-Source-Lists="security"
unattended-upgrades
For even finer-grained management of automatic updates (in particular, to apply only security patches), the unattended-upgrades tool is now often preferred over cron-apt. It offers more configuration options for package selection.
Conclusion
cron-apt is a reliable, battle-tested tool for automating update management on Debian/Ubuntu systems. Its security-focused default configuration and its notification capabilities make it an excellent choice for administrators who want to stay informed and keep control while automating the repetitive tasks of updating.