Debian and Ubuntu are excellent operating systems with (very) long term support and product updates - making them popular here for some of our internal and externally facing services.
As someone famous probably said: If you have to do something more than once - script it. To that end we are avid users of Debian and Ubuntu's automatic update feature.
To get going, first install unattended-upgrades:
sudo apt install unattended-upgrades
Then reconfigure it for installing unattended upgrades:
dpkg-reconfigure --priority=low unattended-upgrades
You'll be asked if you want to enable automatic updates, select Yes.
Next we'll need to configure auto-upgrades:
Edit /etc/apt/apt.conf.d/20auto-upgrades
And add:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
// Runs weekly
APT::Periodic::AutocleanInterval "7";
// Runs "Unattended-Upgrade" daily
APT::Periodic::Unattended-Upgrade "1";
Edit /etc/apt/apt.conf.d/50unattended-upgrades
And set the following properties:
// Reboot your server automatically
Unattended-Upgrade::Automatic-Reboot "true";
// At 2am
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Cleanup old packages
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
With that configured your Ubuntu install will automatically install security updates to system packages, clean up, and then reboot at 2am (when an upgrade requires a reboot) - every day.
By default only security updates are installed. To install other updates, including 3rd party updates, we've got a little more work to do.
Enabling updating of 3rd party and other system packages
In /etc/apt/apt.conf.d/50unattended-upgrades, under Unattended-Upgrade::Allowed-Origins, the types of packages which are auto updated are defined. They are:
- Important security updates (distro-security)
- Recommended updates (distro-updates)
- Pre-released updates (distro-proposed)
- Unsupported updates (distro-backports)
By default only security packages are updated. You'll need to uncomment a few more lines to get all the other Ubuntu updates auto installed.
e.g. we use:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
    "${distro_id}:${distro_codename}-updates";
};
To add 3rd party repositories first discover their unique release name using:
apt-cache policy
An example of MongoDB's repo ID is:
release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64
Another example of Ubiquiti's repo ID is:
release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64
Find the key origin (the o= field) and the archive (the a= field). We will use these in Allowed-Origins back in 50unattended-upgrades and add:
Unattended-Upgrade::Allowed-Origins {
    "mongodb:xenial";
    "Ubiquiti Networks, Inc.:stable";
};
To test your changes perform a dry run with:
sudo unattended-upgrade --debug --dry-run
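Deriving the Allowed-Origins entries by hand from apt-cache policy is error prone, not least because an origin such as "Ubiquiti Networks, Inc." contains a comma of its own. The script below is an added example, not part of the original post or of the unattended-upgrades project: it reads apt-cache policy output and prints the corresponding Allowed-Origins block. The sample policy output embedded in it is constructed for the example (repository URLs are placeholders); on a real host pipe the live output in instead.

```shell
#!/bin/sh
# Added example (not from the original post): turn the "release" lines of
# `apt-cache policy` into Allowed-Origins entries. The sample output below is
# constructed for this example; the repository URLs are placeholders.
SAMPLE_POLICY='Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://repo.example.invalid/mongodb xenial/mongodb-org/4.0/multiverse amd64 Packages
     release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64
     origin repo.example.invalid
 500 https://repo.example.invalid/unifi stable/ubiquiti amd64 Packages
     release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64
     origin repo.example.invalid
 500 http://archive.example.invalid/ubuntu bionic-security/main amd64 Packages
     release v=18.04,o=Ubuntu,a=bionic-security,n=bionic,l=Ubuntu,c=main,b=amd64
     origin archive.example.invalid'

# Read apt-cache policy output on stdin; print one "origin<TAB>archive" line
# per release line that carries an origin. The fields are comma separated,
# but an origin like "Ubiquiti Networks, Inc." contains a comma itself, so
# the split happens only at a comma directly followed by "key=".
release_pairs() {
    awk '
        /^ *release / {
            sub(/^ *release /, "")
            gsub(/,[a-z]=/, "\001&")        # mark the real field boundaries
            n = split($0, f, "\001")
            o = ""; a = ""
            for (i = 1; i <= n; i++) {
                sub(/^,/, "", f[i])
                key = substr(f[i], 1, 1)
                val = substr(f[i], 3)
                if (key == "o") o = val
                if (key == "a") a = val
            }
            if (o != "") printf "%s\t%s\n", o, a
        }'
}

# Render an Allowed-Origins block from the pairs, skipping the distribution
# itself (already covered by the ${distro_id} entries) and any duplicates.
allowed_origins_block() {
    distro="${1:-Ubuntu}"
    printf 'Unattended-Upgrade::Allowed-Origins {\n'
    release_pairs | awk -F '\t' -v skip="$distro" '
        $1 == skip { next }
        !seen[$0]++ { printf "    \"%s:%s\";\n", $1, $2 }'
    printf '};\n'
}

# On a real host:  apt-cache policy | allowed_origins_block Ubuntu
printf '%s\n' "$SAMPLE_POLICY" | allowed_origins_block Ubuntu
```

Review the generated block before pasting it into 50unattended-upgrades: every origin listed there is trusted to ship packages unattended, so only add repositories you would also upgrade from by hand.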
Enabling e-mail notifications
To enable email notifications first add to /etc/apt/apt.conf.d/50unattended-upgrades, where the recipient is of course your email:
Unattended-Upgrade::Mail "user@boxpeg.com";
Next install the necessary mail packages:
sudo apt install bsd-mailx
For Debian:
sudo apt install bsd-mailx postfix
When prompted, configure Postfix as a Satellite system so that it acts purely as a relay.
In our case we use:
- boxpeg.com
- mail.boxpeg.com
Open or create the /etc/postfix/sasl_passwd file and add your destination (SMTP relay host), port, username, and password in the following format:
[mail.boxpeg.com]:587 user@boxpeg.com:mysecretpassword
Create the hash db file for Postfix by running the postmap command:
postmap /etc/postfix/sasl_passwd
You should now see that /etc/postfix/sasl_passwd and the /etc/postfix/sasl_passwd.db hash file were created.
ls -l /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
You can now delete the plain text file /etc/postfix/sasl_passwd so that your username/password is not visible to others. The /etc/postfix/sasl_passwd.db file is the hash database read by postfix; it still holds the credentials in readable form, so keep it owned by root with mode 600.
rm /etc/postfix/sasl_passwd
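The relay credentials survive in sasl_passwd.db, so it is worth confirming that file ends up root-owned and private and that the plaintext source really is gone. The audit script below is an added example, not from the original post or from Postfix; it assumes GNU stat as shipped with Debian and Ubuntu coreutils, and defaults to the paths used above.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the Postfix SASL
# credential map created with postmap. Assumes GNU stat (Debian/Ubuntu
# coreutils). Paths default to /etc/postfix/sasl_passwd and its .db.

# Mode of a file as octal digits, e.g. 600.
file_mode() { stat -c '%a' "$1"; }

# Owner uid of a file.
file_uid() { stat -c '%u' "$1"; }

# Returns 0 if only the owner can read the file (mode 600 or 400).
mode_is_private() {
    case "$(file_mode "$1")" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one map: the .db must exist, be root-owned and private, and the
# plaintext source should no longer be present. Prints one finding per
# line and returns the number of problems found (0 means all good).
audit_sasl_map() {
    src="${1:-/etc/postfix/sasl_passwd}"
    db="${2:-${src}.db}"
    problems=0
    if [ ! -f "$db" ]; then
        echo "FAIL $db does not exist (run postmap first)"
        problems=$((problems + 1))
    else
        mode_is_private "$db" || {
            echo "FAIL $db has mode $(file_mode "$db"), expected 600"
            problems=$((problems + 1))
        }
        [ "$(file_uid "$db")" = 0 ] || {
            echo "FAIL $db is owned by uid $(file_uid "$db"), expected root"
            problems=$((problems + 1))
        }
    fi
    if [ -f "$src" ]; then
        echo "WARN $src still present; remove the plaintext copy once $db exists"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ] && echo "OK $db"
    return "$problems"
}

# Usage: sh audit_sasl.sh [/path/to/sasl_passwd [/path/to/sasl_passwd.db]]
if [ "$#" -gt 0 ]; then
    audit_sasl_map "$@"
fi
```

Run it as root after the postmap and rm steps; a non-zero exit status means at least one finding was printed.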
Add to /etc/postfix/main.cf:
smtp_use_tls = yes
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
On some systems we had to change the line below:
mydestination = boxpeg.com, $myhostname, myserver, localhost.localdomain, localhost
To:
mydestination = $myhostname, myserver.boxpeg.com, localhost.boxpeg.com, localhost
Testing e-mail
To fire a test email simply run from the command line:
echo "This is a test email body." | mail -s "Subject" -a "From: myhost@boxpeg.com" user@boxpeg.com
With all the above done you'll receive a handy email describing what's been updated and whether any issues occurred:
Unattended upgrade returned: True

Packages that were upgraded:
 base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd systemd-sysv udev unifi

Package installation log:
Log started: 2019-08-07 06:30:15
Preparing to unpack .../base-files_10.1ubuntu2.6_amd64.deb ...
...

Unattended-upgrades log:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates, o=mongodb,a=xenial, o=Ubiquiti Networks, Inc.,a=stable
Packages that will be upgraded: base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd systemd-sysv udev unifi
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
All upgrades installed