Automatic updates in Debian
Regularly installing software updates is one of the most basic measures to keep a computer system safe. However, searching for and installing those updates is a tedious job that lends itself to some degree of automation. This article will show you how to configure automatic updates in Debian.
Automatic updates? On my server?
Lots of system administrators caution against automatic updates because any update might break some delicate component or configuration. So you are told to review each update before installing it. But is this really necessary? Well, it depends.
If you are running Debian Sid (aka unstable) you should not be too surprised when an update indeed gets some part of your system into trouble. (Then again, if you are running Debian Sid on an important production system you will probably face a bunch of other problems anyway.) Similarly, if you create some fragile, highly customized setup that depends on a specific version of some package then a “careless” software update might of course damage this setup.
However, if you are running Debian stable with only a handful of applications installed and a sane configuration then keeping your system up to date probably consists of nothing more than doing a manual aptitude update and aptitude full-upgrade every day just to accept every update anyway (hey, it’s Debian stable). Think about it: Have you ever rejected a regular update on a system like this? If not, why shouldn’t you let your system do more or less the same thing automatically? The biggest difference is that your system won’t forget to look for updates like your poor old brain does from time to time.
So after having justified our cause let’s move on to the technical details of configuring automatic updates in Debian.
Installation
Install and activate the unattended-upgrades package (it’s not activated by default after installation):
# aptitude install unattended-upgrades
# dpkg-reconfigure unattended-upgrades
Answer Yes when asked whether you want updates to be installed automatically.
Configuration
The file /etc/apt/apt.conf.d/50unattended-upgrades contains a section Unattended-Upgrade::Origins-Pattern where you configure which packages will be updated automatically. The default is to install security updates for the current release:
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
};
If you want all updates (not only security updates) to be installed automatically, you should first use the apt-cache policy command to find out which software sources are used on your system. Its output will look something like this (but may well be shorter if you have fewer sources activated in your sources.list file):
$ apt-cache policy | grep release
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=non-free
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=contrib
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=non-free
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=contrib
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=non-free
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=contrib
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=main
Then adapt the configuration file to reflect the information from the apt-cache policy command:
Unattended-Upgrade::Origins-Pattern {
        "o=Debian,n=jessie";
        "o=Debian,n=jessie-updates";
        "o=Debian Backports,n=jessie-backports";
};
Instead of a line like o=Debian,n=jessie you could as well use o=Debian,a=stable which means the same as long as Jessie remains the stable release. When Jessie becomes oldstable however, n=jessie will continue tracking Jessie while a=stable will automatically switch to Stretch (which then is the stable release). You have to decide what fits your situation, but I prefer n=jessie since it gives me more control over the upgrade.
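The following script is an added example (not part of the original article) that automates the step just described: it reads the release lines of apt-cache policy output and turns them into the o=...,n=... patterns the author prefers, folding the Debian-Security archive into the matching o=Debian,n=jessie entry. The embedded sample is the article's own apt-cache policy output, so the script runs offline; on a live system, pipe apt-cache policy into it instead.

```shell
#!/bin/sh
# Sample input: the "release" lines from the article's apt-cache policy
# output (Debian 8 "jessie"), embedded so the script runs without apt.
SAMPLE_POLICY='release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=non-free
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=contrib
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=non-free
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=contrib
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=non-free
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=contrib
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=main'

# origins_from_policy: read apt-cache policy "release" lines on stdin and
# print one unique "o=<origin>,n=<codename>" pattern per line. Components
# (c=) and labels (l=) are dropped on purpose: one o/n pair already matches
# main, contrib, non-free and the Debian-Security archive of that codename.
origins_from_policy() {
    sed -n 's/^ *release //p' |
    awk -F, '{
        o = ""; n = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "o") o = kv[2]
            else if (kv[1] == "n") n = kv[2]
        }
        if (o == "" || n == "") next
        key = "o=" o ",n=" n
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# origins_pattern_block: wrap the patterns in the apt.conf stanza syntax
# used by /etc/apt/apt.conf.d/50unattended-upgrades.
origins_pattern_block() {
    printf 'Unattended-Upgrade::Origins-Pattern {\n'
    origins_from_policy | sed 's/.*/        "&";/'
    printf '};\n'
}

# Demonstration run on the embedded sample; on a real host use:
#   apt-cache policy | origins_pattern_block
printf '%s\n' "$SAMPLE_POLICY" | origins_pattern_block
```

Review the generated stanza before copying it into 50unattended-upgrades; the script only reflects what is enabled in sources.list, it does not decide whether you actually want backports installed unattended.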
Wrap-Up
Start a test run and check the log file /var/log/unattended-upgrades/unattended-upgrades.log for entries that show everything is working correctly (Yes, it’s unattended-upgrade in this case, without a trailing ‘s’!):
# unattended-upgrade --debug --dry-run
Now your system will regularly run update and upgrade jobs without any manual interaction needed on your side. This works on server systems running 24/7 (using cron) as well as on desktop systems which are irregularly switched on and off (using anacron, which is installed with most desktops). To verify that everything is working as expected you should every now and then take a look at the abovementioned log file.
A note to laptop users: By default, anacron does not run while on battery power, so your laptop won’t get updates unless it is plugged in. You can change this by putting the following line into /etc/default/anacron:
ANACRON_RUN_ON_BATTERY_POWER=yes
Further reading
Documentation for the unattended-upgrades package can be found in /usr/share/doc/unattended-upgrades/README.