Tech/HowTo/Debian Unattended Upgrades

From lathama

About

Debian, via its APT packaging system, has a tool (unattended-upgrades) that can automatically refresh the package lists, install upgrades and reboot the machine when an upgraded package requires it. RedHat-based systems do not ship this tool; they have their own mechanism (dnf-automatic), which is out of scope here. I use this method on my cloud systems to automatically reboot. The downtime is often less than ten seconds.

Install

Installing is simple, and the package is part of the standard installation on current Debian releases, so it may already be present:

apt install unattended-upgrades

Configure

Unattended upgrades may not be set up correctly if the package was installed silently (for example by a preseed or an image build), so confirm the configuration with dpkg-reconfigure. It writes the two APT::Periodic switches that enable the daily package-list refresh and the upgrade run; both must be "1" or the timers never upgrade anything. Here is an example of enabling unattended updates.

# dpkg-reconfigure unattended-upgrades

Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version
# cat /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Example Configs

20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
51unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
  "o=*";
};
Unattended-Upgrade::Package-Blacklist {
  "tmux";
  "screen";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Update-Days {"Mon";"Tue";"Wed";"Thu"};
Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
Unattended-Upgrade::Verbose "false";
Origins

Allowed-Origins is the legacy setting (a list of "origin:archive" pairs) and Origins-Pattern is the current method. Be deliberate about what a pattern matches: the "o=*" pattern in the example above accepts upgrades from every repository configured on the host, so a compromised or careless third-party repository gets its packages installed automatically, with nobody watching. Prefer listing the origins you trust for automatic installation (the Debian security archive at minimum) and add third-party repositories as explicit entries.
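
The following is an added example, not code from the original page: a small audit that reads the effective configuration as printed by apt-config dump (which lists every member of a list setting on its own line as Name:: "value";) and reports the two ways a host silently ends up unprotected or over-trusting: the periodic switches are off or no origins are configured, so nothing is ever upgraded; or a wildcard origin is present, so everything from every repository is. The three DUMP_* strings are constructed sample output, not captured from a real host.

```sh
#!/bin/sh
# Added example, not part of the original page: audit the effective
# unattended-upgrades configuration as printed by `apt-config dump`.
# It reports three conditions:
#   1. either APT::Periodic switch is off, so the timers never upgrade anything;
#   2. no Origins-Pattern / Allowed-Origins entries, so every run is a no-op;
#   3. a wildcard origin ("o=*" / "origin=*"), which auto-installs whatever any
#      configured repository publishes, third-party ones included.
# The DUMP_* strings below are constructed sample output; on a real host run
#   apt-config dump | audit_unattended
# Exit status is 0 when the configuration passes and 1 otherwise.

audit_unattended() {
    dump=$(cat)
    rc=0

    # Both periodic switches have to be exactly "1" for the daily timers to act.
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        if ! printf '%s\n' "$dump" | grep -qxF "$key \"1\";"; then
            echo "FAIL: $key is not enabled" >&2
            rc=1
        fi
    done

    # apt-config dump prints each list member as:   Name:: "value";
    patterns=$(printf '%s\n' "$dump" \
        | grep -cE '^Unattended-Upgrade::(Origins-Pattern|Allowed-Origins):: ' || true)
    if [ "$patterns" -eq 0 ]; then
        echo "FAIL: no origins configured, nothing would ever be upgraded" >&2
        rc=1
    fi

    # Any pattern whose origin field is "*" accepts every repository on the host,
    # even when other fields (a=stable, ...) narrow it down.
    if printf '%s\n' "$dump" \
        | grep -qE '^Unattended-Upgrade::Origins-Pattern:: "([^"]*,)?(o|origin)=\*'; then
        echo "FAIL: Origins-Pattern contains a wildcard origin (o=*)" >&2
        rc=1
    fi

    return $rc
}

# Constructed: what a host using the "o=*" example above would print.
DUMP_WEAK='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "o=*";
Unattended-Upgrade::Automatic-Reboot "true";'

# Constructed: periodic switches off, as a silent install can leave them.
DUMP_DISABLED='APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";'

# Constructed: enabled and restricted to the Debian security and updates archives.
DUMP_OK='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-updates";'

report() {  # report NAME TEXT: print PASS/FAIL for one sample
    if printf '%s\n' "$2" | audit_unattended; then
        echo "$1: PASS"
    else
        echo "$1: FAIL"
    fi
}

report DUMP_WEAK "$DUMP_WEAK"
report DUMP_DISABLED "$DUMP_DISABLED"
report DUMP_OK "$DUMP_OK"
```

The wildcard check flags "o=*" even when another field narrows the pattern (for example "o=*,a=stable"), because the origin is still unrestricted; if that is intended on a host, list the origins explicitly instead so the audit stays meaningful.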

Options (defaults in parentheses)
  • Unattended-Upgrade::Package-Blacklist
  • Unattended-Upgrade::Package-Whitelist
  • Unattended-Upgrade::Package-Whitelist-Strict (false)
  • Unattended-Upgrade::MinimalSteps (true)
  • Unattended-Upgrade::InstallOnShutdown (false)
  • Unattended-Upgrade::Mail "user@example.com";
  • Unattended-Upgrade::Sender (root)
  • Unattended-Upgrade::MailReport (on-change)
  • Unattended-Upgrade::Remove-Unused-Dependencies (false)
  • Unattended-Upgrade::Remove-New-Unused-Dependencies (true)
  • Unattended-Upgrade::Automatic-Reboot (false)
  • Unattended-Upgrade::Automatic-Reboot-WithUsers (true)
  • Unattended-Upgrade::Keep-Debs-After-Install (false)
  • Acquire::http::Dl-Limit (0)
  • Dpkg::Options
  • Unattended-Upgrade::Update-Days
  • Unattended-Upgrade::SyslogEnable
  • Unattended-Upgrade::SyslogFacility
  • Unattended-Upgrade::Automatic-Reboot-Time (now)

Choose when it runs

unattended-upgrade is started by apt-daily-upgrade.timer (the package-list refresh is a separate unit, apt-daily.timer, which can be overridden the same way). Create /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf (or run systemctl edit apt-daily-upgrade.timer, which creates that file for you), reset the calendar with an empty OnCalendar= and then add your desired times. Set RandomizedDelaySec=0 to disable the randomizer (the packaged timer adds up to an hour of random delay) if you need exact times. systemd-analyze calendar "Tue..Thu 16:30 UTC" shows when an expression will next fire before you commit to it.

[Timer]
OnCalendar=
OnCalendar=Tue..Thu 16:30 UTC
RandomizedDelaySec=0

Reload the daemon and check. list-timers shows the next run in local time, which is why 16:30 UTC appears as 10:30 MDT below.

systemctl daemon-reload
systemctl list-timers --all apt-daily-upgrade
NEXT                        LEFT     LAST                        PASSED    UNIT                    ACTIVATES
Tue 2021-07-06 10:30:00 MDT 20h left Mon 2021-07-05 13:42:26 MDT 18min ago apt-daily-upgrade.timer apt-daily-upgrade.service

1 timers listed.

Limited Method

Setting up unattended-upgrades on Debian Jessie (possibly other releases too) so that it upgrades packages from all configured repositories, one repository at a time:

  1. apt install unattended-upgrades
  2. apt-cache policy | grep release
  3. vim /etc/apt/apt.conf.d/50unattended-upgrades
    • find the "// Archive or Suite based matching" section of the Origins-Pattern block
    • add one entry per release line reported by the apt-cache policy command above, matching its o= and a= fields
    • note: the \ is important for escaping a comma inside a field, for example "o=Google\, Inc.,a=stable";
  4. tail -F /var/log/unattended-upgrades/unattended-upgrades.log
  5. start a run by hand with unattended-upgrade if desired; unattended-upgrade --dry-run --debug first shows what would be installed without changing anything
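
The following is an added example, not part of the original page, that does steps 2 and 3 mechanically: it turns the release lines printed by apt-cache policy into Origins-Pattern entries. apt-cache joins the release fields with bare commas, so an origin such as "Google, Inc." contains a comma of its own; the awk only treats a comma as a field separator when it is followed by a single-letter key and "=", and re-emits an inner comma as "\," which is the escaping the note above calls for. SAMPLE_POLICY is constructed output, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original page: derive Origins-Pattern entries
# from the "release" lines that `apt-cache policy` prints, so that what goes
# into 50unattended-upgrades matches the repositories the host actually has.
# SAMPLE_POLICY is constructed; on a real host use
#   apt-cache policy | origins_from_policy
# and paste the output into the Origins-Pattern block.

origins_from_policy() {
    awk '
    /^ *release / {
        sub(/^ *release /, "")
        n = split($0, tok, ",")
        split("", val)                 # clear the per-line key/value table
        key = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] ~ /^[a-z]=/) {  # start of a new key=value field
                key = substr(tok[i], 1, 1)
                val[key] = substr(tok[i], 3)
            } else if (key != "") {    # a comma inside the previous value: keep it, escaped
                val[key] = val[key] "\\," tok[i]
            }
        }
        if (!("o" in val)) next        # no origin (e.g. the dpkg status file): nothing to match on
        line = "\"o=" val["o"]
        if ("a" in val) line = line ",a=" val["a"]
        line = line "\";"
        if (!seen[line]++) print line  # one entry per distinct origin/archive pair
    }'
}

# Constructed sample of `apt-cache policy` output: Debian main and contrib
# (same origin/archive, so they collapse to one entry), Debian security, and a
# third-party repository whose origin contains a comma.
SAMPLE_POLICY='Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://deb.debian.org/debian bullseye/main amd64 Packages
     release v=11,o=Debian,a=stable,n=bullseye,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 http://deb.debian.org/debian bullseye/contrib amd64 Packages
     release v=11,o=Debian,a=stable,n=bullseye,l=Debian,c=contrib,b=amd64
     origin deb.debian.org
 500 http://security.debian.org/debian-security bullseye-security/main amd64 Packages
     release v=11,o=Debian,a=stable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://dl.google.com/linux/chrome/deb stable/main amd64 Packages
     release v=1.0,o=Google, Inc.,a=stable,n=stable,l=Google,c=main,b=amd64
     origin dl.google.com'

printf '%s\n' "$SAMPLE_POLICY" | origins_from_policy
```

Review the output before pasting it: every line it emits is a repository the host will upgrade from automatically, so drop the third-party entries you do not want installed unattended.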

Fun Method

The matching for allowed repos can be simplified to allow everything from Debian: origin=Debian matches both the main archive and the security archive. The old method, while correct, is a lot of work to enable each repo. The sed below anchors on the line that opens the Origins-Pattern block, so it does not also fire on the comment lines that mention Origins-Pattern in newer versions of the file, and it uses the double-quoted string form the stock file uses.

sed -i '/^Unattended-Upgrade::Origins-Pattern {/a\  "origin=Debian";' /etc/apt/apt.conf.d/50unattended-upgrades
unattended-upgrade --dry-run --debug

or with Google Chrome and Docker installed maybe like

sed -i '/^Unattended-Upgrade::Origins-Pattern {/a\  "origin=Debian";\n  "origin=Google\\, Inc.";\n  "origin=Docker";' /etc/apt/apt.conf.d/50unattended-upgrades
unattended-upgrade --dry-run --debug

No service restart is needed: unattended-upgrade reads the configuration each time the timer starts it (unattended-upgrades.service is only the shutdown hook), and the dry run confirms that the new patterns parse and shows which packages they would pull in.

Other Settings

Don't try to install one package at a time; normal updates should be small, so keep the ball rolling. The default (true) splits the run into the smallest possible chunks so a shutdown can interrupt it cleanly between packages; false trades that for one dpkg run.

Unattended-Upgrade::MinimalSteps "false";

Install updates on shutdown. There could be reasons to do this or not; I would set it true for encrypted drives, as an automatic reboot would stop at the passphrase prompt and the machine would stay down until someone typed it.

Unattended-Upgrade::InstallOnShutdown "true";

Clean up any packaging changes. Rare, but clean is good: the default only removes dependencies that the current run made unused, while this also removes ones that were already orphaned (the equivalent of apt-get autoremove).

Unattended-Upgrade::Remove-Unused-Dependencies "true";

On un-encrypted drives, use this to move the reboot to a time of your choosing instead of the default "now" (rebooting as soon as the run finishes). It only takes effect together with Automatic-Reboot "true".

Unattended-Upgrade::Automatic-Reboot-Time "02:00";