unattended-upgrades is a tool that automatically installs security updates (and others, if configured) on a Debian/Ubuntu system. apt's daily timer runs it, so a server stays patched without any manual intervention.
apt-listchanges hooks into apt and shows the NEWS.Debian entries or changelog of a package before it is installed, so you learn about important behaviour changes before they reach the system.
Why use them together?
Automating security updates is a fundamental best practice. However, some updates may introduce unwanted changes in behavior. Combining the two tools offers the best of both worlds:
- Your system receives security patches automatically.
- You are notified by email if one of these updates contains important changes, allowing you to verify that everything works as expected.
Prerequisites
- A Debian or Ubuntu system.
- Root access or sudo privileges.
- A working mail transport agent (MTA), such as msmtp or postfix, to receive notifications.
Installation
sudo apt-get update
sudo apt-get install unattended-upgrades apt-listchanges
Configuration
Step 1: Enable automatic updates
Run the debconf reconfiguration for unattended-upgrades. This is the simplest way to create the initial configuration file.
sudo dpkg-reconfigure -plow unattended-upgrades
An ncurses dialog opens. Answer "Yes" to the question "Automatically download and install stable updates?". This writes /etc/apt/apt.conf.d/20auto-upgrades, which turns on the two APT::Periodic switches (refresh the package lists, run unattended-upgrade) that apt's daily timers (apt-daily.timer and apt-daily-upgrade.timer) act on.
Step 2: Customize the behavior
The main configuration file is /etc/apt/apt.conf.d/50unattended-upgrades. Open it for editing.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Here are the most important sections:
// Keep only the origins you want installed automatically. The shipped file
// differs by distribution: Ubuntu lists Allowed-Origins as below, Debian
// expresses the same thing as Unattended-Upgrade::Origins-Pattern entries such as
// "origin=Debian,codename=${distro_codename}-security,label=Debian-Security".
// In both, the security origin is enabled and -updates, -proposed and -backports
// are commented out. Leave -proposed off: it holds packages still under test.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
//"${distro_id}:${distro_codename}-updates";
//"${distro_id}:${distro_codename}-proposed";
//"${distro_id}:${distro_codename}-backports";
};
// Exclude packages that must NEVER be updated automatically. Entries are Python
// regular expressions matched from the start of the package name, so "libc6"
// would also match libc6-dev; anchor with $ for an exact match. Use this
// sparingly: an excluded package also misses its security fixes.
Unattended-Upgrade::Package-Blacklist {
// "vim$";
// "libc6$";
};
// Address that receives a report after a run. Needs a working MTA on the host.
Unattended-Upgrade::Mail "admin@example.com";
// Uncomment to be mailed only when a run fails. Newer versions replace this
// with Unattended-Upgrade::MailReport, which takes "always", "only-on-error"
// or "on-change".
//Unattended-Upgrade::MailOnlyOnError "true";
// Remove dependencies that become unused after an upgrade (like apt-get autoremove).
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Uncomment and set to "true" to reboot automatically when an upgraded package
// requests it (dangerous on a production server!).
//Unattended-Upgrade::Automatic-Reboot "false";
Step 3: Configure apt-listchanges
Configure apt-listchanges so that it mails you the changes instead of pausing in a pager on the command line; the answers are stored in /etc/apt/listchanges.conf.
sudo dpkg-reconfigure apt-listchanges
- Which changes should be displayed? `news` (the NEWS.Debian entries maintainers write for exactly these behaviour changes) is a good choice; `both` adds the full changelog.
- Prompt for confirmation after displaying changes? `no`; nobody is at the terminal during an unattended run.
- Method used to display changes? `mail`.
- E-mail address that receives the changes: enter your address.
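The three steps above as one non-interactive script, added here as an example and not part of the original article. It writes the same files the dpkg-reconfigure dialogs produce, but places the local settings in a drop-in (52unattended-upgrades-local, a name chosen for this example) instead of editing the shipped 50unattended-upgrades, so a later package upgrade never prompts about a modified conffile. The recipient address, the ROOT parameter and the function names write_uu_config/verify_uu_config are this example's own:

```sh
#!/bin/sh
# Added example, not part of the original article: steps 1-3 as one
# non-interactive script, usable from cloud-init, Ansible or a golden image.
# write_uu_config and verify_uu_config are names chosen here; ROOT lets you
# write into a scratch directory first instead of the live /etc.
set -e

# write_uu_config ROOT EMAIL
write_uu_config() {
    uu_root=$1
    uu_mail=$2
    mkdir -p "$uu_root/etc/apt/apt.conf.d"

    # Step 1: what answering "Yes" to dpkg-reconfigure writes. Both switches
    # are read by apt's daily timers (apt-daily.timer refreshes the lists,
    # apt-daily-upgrade.timer runs unattended-upgrade).
    cat > "$uu_root/etc/apt/apt.conf.d/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

    # Step 2: local settings in a drop-in. Files in apt.conf.d are read in
    # lexical order and a later scalar overrides an earlier one, so this file
    # wins over 50unattended-upgrades without touching that conffile.
    # Origins are deliberately not set here: list values are appended across
    # files rather than replaced, and the shipped defaults (security origin
    # on, -proposed off) are what we want.
    cat > "$uu_root/etc/apt/apt.conf.d/52unattended-upgrades-local" <<EOF
// Local overrides for 50unattended-upgrades (written by write_uu_config).
Unattended-Upgrade::Mail "$uu_mail";
// Current versions honour MailReport; older ones ignore the unknown key and
// keep their default of mailing after every run that changed something.
Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Package-Blacklist {
    // Regular expressions matched from the start of the name; a trailing
    // \$ keeps "libc6" from also matching libc6-dev. Empty on purpose.
};
EOF

    # Step 3: the answers the apt-listchanges dialog would store.
    cat > "$uu_root/etc/apt/listchanges.conf" <<EOF
[apt]
frontend=mail
email_address=$uu_mail
which=news
confirm=false
save_seen=/var/lib/apt/listchanges.db
EOF
}

# verify_uu_config ROOT EMAIL: exit 0 only if all three files carry the
# settings above and name EMAIL as the recipient.
verify_uu_config() {
    uu_root=$1
    uu_mail=$2
    grep -q '^APT::Periodic::Unattended-Upgrade "1";$' \
        "$uu_root/etc/apt/apt.conf.d/20auto-upgrades" &&
    grep -q "^Unattended-Upgrade::Mail \"$uu_mail\";\$" \
        "$uu_root/etc/apt/apt.conf.d/52unattended-upgrades-local" &&
    grep -q '^Unattended-Upgrade::Automatic-Reboot "false";$' \
        "$uu_root/etc/apt/apt.conf.d/52unattended-upgrades-local" &&
    grep -q "^email_address=$uu_mail\$" "$uu_root/etc/apt/listchanges.conf"
}

# Dry run into a scratch directory and read the three files:
#   write_uu_config "$(mktemp -d)" admin@example.com
# On the host (as root), then check apt's merged view of the result:
#   write_uu_config / admin@example.com && apt-config dump | grep Unattended-Upgrade
```

Run it against a temporary directory first and read what it produced; on the host, `apt-config dump | grep Unattended-Upgrade` shows the merged result of the shipped file plus the drop-in, which is what unattended-upgrade will actually use. Keep in mind that list settings such as Allowed-Origins are additive across files: a later drop-in appends to the list and does not replace it, which is why the script leaves origins to the shipped file.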
Test and verify
Test the configuration
You can run a simulation to see what unattended-upgrades would do (the command is unattended-upgrade, singular, while the package is unattended-upgrades).
sudo unattended-upgrade --dry-run --debug
This command modifies nothing. With --debug it prints the allowed origins it resolved from the configuration and the packages that would be upgraded, which is the quickest way to spot a mistyped origin or an over-broad blacklist.
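A dry run shows one day's candidates; it does not tell you whether the daily timer is armed or whether a drop-in quietly disabled mail. The audit script below is an added example, not part of the original article: it reads the output of `apt-config dump`, apt's own merged view of every file in /etc/apt/apt.conf.d, and flags settings that would stop updates from being applied (FAIL) or that a server operator usually wants to review (WARN). The function names and messages are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original article: audit the settings
# unattended-upgrades will actually use. `apt-config dump` prints apt's merged
# view of every file in /etc/apt/apt.conf.d, one line per setting:
#   Key "value";        for a scalar
#   Key:: "value";      for each member of a list
# This script reads that text on stdin. Function names are this example's own.

# Value of a scalar key, without the quotes (empty if the key is unset).
uu_get() {
    sed -n "s/^$1 \"\(.*\)\";\$/\1/p"
}

# Members of a list key, one per line.
uu_list() {
    sed -n "s/^$1:: \"\(.*\)\";\$/\1/p"
}

# audit_uu: read dump text on stdin, print one finding per line.
# FAIL = security updates would not be applied at all (exit status 1).
# WARN = worth a second look on a server (exit status stays 0).
audit_uu() {
    uu_dump=$(cat)
    uu_rc=0
    if [ "$(printf '%s\n' "$uu_dump" | uu_get 'APT::Periodic::Unattended-Upgrade')" != 1 ]; then
        echo "FAIL: APT::Periodic::Unattended-Upgrade is not 1; the daily timer will not run unattended-upgrade"
        uu_rc=1
    fi
    if [ "$(printf '%s\n' "$uu_dump" | uu_get 'APT::Periodic::Update-Package-Lists')" != 1 ]; then
        echo "FAIL: APT::Periodic::Update-Package-Lists is not 1; package lists are never refreshed"
        uu_rc=1
    fi
    # Ubuntu's shipped file uses Allowed-Origins, Debian's uses Origins-Pattern.
    uu_origins=$(printf '%s\n' "$uu_dump" | uu_list 'Unattended-Upgrade::Allowed-Origins'
                 printf '%s\n' "$uu_dump" | uu_list 'Unattended-Upgrade::Origins-Pattern')
    if [ -z "$uu_origins" ]; then
        echo "FAIL: no Allowed-Origins or Origins-Pattern entries; nothing would ever be upgraded"
        uu_rc=1
    fi
    if printf '%s\n' "$uu_origins" | grep -q proposed; then
        echo "WARN: a -proposed origin is enabled; those packages are still under test"
    fi
    if [ -z "$(printf '%s\n' "$uu_dump" | uu_get 'Unattended-Upgrade::Mail')" ]; then
        echo "WARN: Unattended-Upgrade::Mail is unset; failed runs go unnoticed"
    fi
    if [ "$(printf '%s\n' "$uu_dump" | uu_get 'Unattended-Upgrade::Automatic-Reboot')" = true ]; then
        echo "WARN: Automatic-Reboot is true; the host reboots itself whenever a package sets /var/run/reboot-required"
    fi
    if ! printf '%s\n' "$uu_dump" | uu_list 'DPkg::Pre-Install-Pkgs' | grep -q apt-listchanges; then
        echo "WARN: apt-listchanges is not hooked into DPkg::Pre-Install-Pkgs; no NEWS will be mailed"
    fi
    return $uu_rc
}

# Usage on a host:  apt-config dump | sh audit-uu.sh --stdin
# Without --stdin the file only defines the functions, so it can be sourced.
[ "${1:-}" = "--stdin" ] && audit_uu
```

Pair it with `systemctl list-timers apt-daily-upgrade.timer`: a correct configuration is useless if the timer that runs unattended-upgrade is masked or was never enabled.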
Check the logs
Each run writes to /var/log/unattended-upgrades/: unattended-upgrades.log records what was considered and installed, and unattended-upgrades-dpkg.log keeps the dpkg output of the actual package operations. That is where to look first if you suspect a problem.
ls -l /var/log/unattended-upgrades/
The `Automatic-Reboot` option is handy for workstations, but on a server it can interrupt service: when it is enabled, unattended-upgrades reboots after a run as soon as an upgraded package (typically a kernel or libc) has created /var/run/reboot-required. Only enable it knowingly, and if you do, set `Automatic-Reboot-Time` (for example "02:00") so the reboot lands in a maintenance window rather than right after the update. It is often preferable to receive a notification and schedule the reboot manually; the `needrestart` tool reports whether a reboot is required and which running services still use old libraries.
Conclusion
Setting up unattended-upgrades is a fundamental security measure for any Debian or Ubuntu server. It ensures that critical security flaws are patched quickly, without you having to intervene manually every day. By combining it with apt-listchanges, you keep an eye on important changes, allowing you to step in only when necessary.