Step 1 - Install unattended-upgrades on Ubuntu 16.04
The first thing we must do is install the 'unattended-upgrades' package. It's available in the Ubuntu repository, so we can install it with the apt command.
Log in to your server over SSH.
ssh root@hakase-labs
Update the package lists and install 'unattended-upgrades' using the apt commands below.
sudo apt update
sudo apt install unattended-upgrades
After the installation, we need to edit the configuration in the '/etc/apt/apt.conf.d' configuration directory.
Step 2 - Configure unattended-upgrades
The unattended-upgrades configuration lives in the '/etc/apt/apt.conf.d' directory. We need to edit it to define which updates are installed automatically, to blacklist packages that must never be touched, and to set a few additional options.
Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '50unattended-upgrades' using the vim editor.
cd /etc/apt/apt.conf.d/
vim 50unattended-upgrades
Define upgrade type
We need to define which kind of updates the system installs on its own. unattended-upgrades can pull from several origins (pockets), from every package in the release down to security fixes only. For this guide we only want security updates on the Ubuntu 16.04 system.
In the first block, 'Allowed-Origins', comment out every line except the security line, as shown below. (The stock Ubuntu file ships with the base release line and the ESM line enabled as well.)
Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
// "${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
[Screenshot: Configure unattended-upgrades]
Blacklist Packages
The second block is the package blacklist. Here we define which packages must never be upgraded automatically, for example because a package is critical to the system and you want to upgrade it by hand during a maintenance window.
In this section we only want to give an example of a blacklist configuration. Suppose we do not want 'vim', 'mysql-server' and 'mysql-client' to be upgraded; in that case our blacklist should look like the one shown below. Note that each entry is a regular expression matched against the start of the package name, so "vim" also covers vim-common and vim-tiny; anchor the pattern (for example "vim$") if you mean exactly one package.
Unattended-Upgrade::Package-Blacklist {
"vim";
"mysql-server";
"mysql-client";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
Additional Configuration
Next, we want to enable some extra features provided by unattended-upgrades: an email report for every run, automatic removal of unused packages (the equivalent of 'apt autoremove'), and an automatic reboot when an upgrade requires one.
For the email report, uncomment the following line. If you would rather only be mailed when a run fails, set 'Unattended-Upgrade::MailOnlyOnError' to "true" as well.
Unattended-Upgrade::Mail "root";
Note:
The unattended-upgrades version in Ubuntu 16.04 sends the report through the 'mail' command (/usr/bin/mail), which an MTA alone does not provide. Make sure a mail client such as bsd-mailx and an MTA such as sendmail are both installed; the following command installs them.
sudo apt install -y sendmail bsd-mailx
To enable automatic removal of unused dependencies, uncomment the following line and change the value to 'true'.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
And for an automatic reboot after an upgrade (if needed), uncomment the 'Automatic-Reboot' line and change its value to 'true'.
Unattended-Upgrade::Automatic-Reboot "true";
With 'Automatic-Reboot' enabled, the server reboots without confirmation whenever an upgrade leaves the file /var/run/reboot-required behind (a kernel update, for example); runs that need no reboot leave the server up. By default the reboot happens immediately. We can instead schedule it by uncommenting the 'Automatic-Reboot-Time' line and setting a time. Here is my configuration, which reboots at midnight.
Unattended-Upgrade::Automatic-Reboot-Time "00:00";
Save and exit.
The unattended-upgrades package is installed, and all configuration has been completed.
Step 3 - Enable automatic updates
To enable automatic installation of updates, we need to edit the auto-upgrades configuration.
Go to the '/etc/apt/apt.conf.d' directory and edit the configuration file '20auto-upgrades' using vim.
cd /etc/apt/apt.conf.d/
vim 20auto-upgrades
Make the configuration as below.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";
Save and exit.
Note:
The values are intervals in days and are evaluated by APT's daily periodic job.
Update-Package-Lists: "1" refreshes the package lists (apt update) every day; "0" disables it.
Download-Upgradeable-Packages: "1" downloads upgradeable packages every day; "0" disables it.
AutocleanInterval: runs 'apt autoclean' every X days to drop obsolete .deb files from the cache; "3" here means every 3 days.
Unattended-Upgrade: "1" runs unattended-upgrades every day; "0" disables it.
At this stage, security updates will be downloaded and installed automatically every day.
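As an added example (not part of the original tutorial), the script below writes the 20auto-upgrades file from Step 3 and audits an edited 50unattended-upgrades file from Step 2, so you can confirm that only the -security origin is enabled and see which blacklist entries are active before trusting the nightly run. The directory argument, the function names and the embedded sample configuration are assumptions made for this example; on a real host you would point the audit at /etc/apt/apt.conf.d. After the audit, `sudo unattended-upgrade --dry-run --debug` shows what a real run would do with that configuration without installing anything.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: write the 20auto-upgrades
# file from Step 3 and audit an edited 50unattended-upgrades file from Step 2.
# The directory argument is an assumption for this example so the script can
# run against a scratch directory; on a real host pass /etc/apt/apt.conf.d.
set -u

# Print the active (uncommented) quoted entries of one apt.conf block,
# e.g. Unattended-Upgrade::Allowed-Origins, one per line.
active_entries() {
  local file=$1 block=$2
  awk -v block="$block" '
    $0 ~ ("^[[:space:]]*" block "[[:space:]]*[{]") { inblk = 1; next }
    inblk && /^[[:space:]]*}[[:space:]]*;/         { inblk = 0 }
    inblk && !/^[[:space:]]*\/\//                   {
      if (match($0, /"[^"]*"/)) print substr($0, RSTART + 1, RLENGTH - 2)
    }' "$file"
}

# Exit 0 only when the -security pocket is the sole enabled origin.
security_only() {
  local origins
  origins=$(active_entries "$1" 'Unattended-Upgrade::Allowed-Origins')
  [ "$origins" = '${distro_id}:${distro_codename}-security' ]
}

# Active blacklist entries. They are regular expressions matched at the
# start of the package name, so "vim" also covers vim-common and vim-tiny.
blacklist_entries() {
  active_entries "$1" 'Unattended-Upgrade::Package-Blacklist'
}

# Write the 20auto-upgrades file from Step 3 into DIR (values are days).
write_auto_upgrades() {
  cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Read one APT::Periodic value back from a 20auto-upgrades file.
periodic_value() {
  local file=$1 key=$2
  sed -n "s/^APT::Periodic::$key \"\([0-9]*\)\";.*/\1/p" "$file"
}

# Audit DIR and print a short report; exit status 1 if extra origins are on.
audit_dir() {
  local dir=$1 rc=0
  if security_only "$dir/50unattended-upgrades"; then
    echo "OK: only the -security origin is enabled"
  else
    echo "WARNING: origins other than -security are enabled:"
    active_entries "$dir/50unattended-upgrades" 'Unattended-Upgrade::Allowed-Origins'
    rc=1
  fi
  echo "Blacklist: $(blacklist_entries "$dir/50unattended-upgrades" | tr '\n' ' ')"
  echo "Unattended-Upgrade runs every $(periodic_value "$dir/20auto-upgrades" Unattended-Upgrade) day(s)"
  return "$rc"
}

# Constructed sample of 50unattended-upgrades edited as in Step 2 (not a copy
# of a real host's file), used so the audit can be exercised offline.
write_sample_config() {
  cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
//  "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}ESM:${distro_codename}";
//  "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Package-Blacklist {
    "vim";
    "mysql-server";
    "mysql-client";
//  "libc6";
};
Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Automatic-Reboot "true";
EOF
}

# Usage: ./audit-unattended.sh demo                 (scratch copy of the sample)
#        ./audit-unattended.sh /etc/apt/apt.conf.d  (live configuration)
case "${1:-}" in
  demo) tmp=$(mktemp -d); write_sample_config "$tmp"; write_auto_upgrades "$tmp"; audit_dir "$tmp"; rm -rf "$tmp" ;;
  "")   ;;
  *)    audit_dir "$1" ;;
esac
```

The audit reads the file the same way apt does for this purpose: a line is active only if it is not commented out with '//', so a stray uncommented '-updates' or base-release line is reported as a warning and makes the script exit non-zero, which is what you want from a fleet-wide check in configuration management.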
Step 4 - Check updated packages
Checking unattended-upgrades logs
To identify all updated packages, we need to check the unattended-upgrades logs located in the '/var/log/unattended-upgrades' directory.
Go to the '/var/log/unattended-upgrades' directory and check available logs.
cd /var/log/unattended-upgrades
ls -lah
[Screenshot: Check updated packages]
You will find three log files:
unattended-upgrades-dpkg.log - the dpkg output of every unattended-upgrades action: packages installed, upgraded or removed.
unattended-upgrades.log - the main log: the allowed origins, the blacklisted packages, the list of packages upgraded in each run, and any error messages.
unattended-upgrades-shutdown.log - written by the shutdown hook, which waits for a running unattended-upgrades job to finish before the system powers off.
Update Notification
Another way to identify updated packages is the update notification shown at SSH login (the message of the day).
The following screenshot shows server notification before security updates are applied.
[Screenshot: Update notification]
And when all security packages get updated, the following message is displayed.
[Screenshot: Security package update notification]
Email Notification
We configured the report to be mailed to the root user, so it lands in root's local mailbox.
Go to the '/var/mail' directory and read the root mailbox file.
cd /var/mail/
cat root
[Screenshot: Email notification]
We can identify things like blacklisted packages, updated packages, and removed packages.
Reboot check
To check whether the automatic reboot happened, use the following command.
last reboot
Following is the result before all security packages are upgraded.
[Screenshot: Pending security updates]
And here's the result after upgrades.
[Screenshot: Upgrade result]
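The checks above (log file, mail report, reboot) are done by hand; as an added example that is not part of the original tutorial, the script below pulls the same facts out of /var/log/unattended-upgrades/unattended-upgrades.log: which packages each run upgraded, which blacklist was in effect, whether a run triggered the automatic reboot, and any WARNING or ERROR lines. The sample log embedded in the script is constructed for this example in the line format the Ubuntu 16.04 version writes and is not taken from a real host; the function names are assumptions. One caveat the script comments on: 'Packages that will be upgraded' is logged before installation starts, so if a run also reported errors, confirm in unattended-upgrades-dpkg.log that the package really was installed.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: summarise what
# unattended-upgrades did from its main log file. The log path is given as the
# first argument; "demo" runs the checks on a constructed sample log instead.
set -u

# Packages named in "Packages that will be upgraded: ..." lines, one per line.
# This is logged before installation starts, so cross-check the dpkg log if
# the same run also reported errors.
upgraded_packages() {
  sed -n 's/.* INFO Packages that will be upgraded: //p' "$1" | tr ' ' '\n' | sed '/^$/d'
}

# Blacklist entries announced at the start of each run, de-duplicated.
blacklisted_packages() {
  sed -n 's/.* INFO Initial blacklisted packages: //p' "$1" | tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Number of runs that reached "All upgrades installed".
completed_runs() {
  grep -c 'All upgrades installed' "$1" || true
}

# Exit 0 if any run triggered the Automatic-Reboot action.
reboot_triggered() {
  grep -q 'Found /var/run/reboot-required, rebooting' "$1"
}

# WARNING and ERROR lines, so a broken run is not silently missed.
run_problems() {
  grep -E ' (WARNING|ERROR) ' "$1" || true
}

# Print a short report for one log file.
report() {
  local log=$1
  echo "Completed runs: $(completed_runs "$log")"
  echo "Upgraded:       $(upgraded_packages "$log" | tr '\n' ' ')"
  echo "Blacklist:      $(blacklisted_packages "$log" | tr '\n' ' ')"
  if reboot_triggered "$log"; then echo "Reboot:         triggered"; else echo "Reboot:         not needed"; fi
  echo "Problems:"
  run_problems "$log"
}

# Constructed sample (not from a real host) in the line format the 16.04
# unattended-upgrades writes: two nightly runs, the second needing a reboot.
write_sample_log() {
  cat > "$1" <<'EOF'
2017-06-14 00:08:11,201 INFO Initial blacklisted packages: vim mysql-server mysql-client
2017-06-14 00:08:11,202 INFO Starting unattended upgrades script
2017-06-14 00:08:11,202 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-06-14 00:08:14,873 INFO Packages that will be upgraded: libssl1.0.0 openssl
2017-06-14 00:08:14,874 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg.log'
2017-06-14 00:08:29,510 INFO All upgrades installed
2017-06-15 00:09:02,118 INFO Initial blacklisted packages: vim mysql-server mysql-client
2017-06-15 00:09:02,119 INFO Starting unattended upgrades script
2017-06-15 00:09:02,119 INFO Allowed origins are: ['o=Ubuntu,a=xenial-security']
2017-06-15 00:09:05,640 INFO Packages that will be upgraded: linux-image-generic
2017-06-15 00:09:41,977 INFO All upgrades installed
2017-06-15 00:09:42,003 WARNING Found /var/run/reboot-required, rebooting
EOF
}

# Usage: ./uu-report.sh /var/log/unattended-upgrades/unattended-upgrades.log
#        ./uu-report.sh demo
case "${1:-}" in
  demo) tmp=$(mktemp); write_sample_log "$tmp"; report "$tmp"; rm -f "$tmp" ;;
  "")   ;;
  *)    report "$1" ;;
esac
```

Run it against the live log (as root, since the directory is not world-readable) to get a one-screen summary instead of paging through the file; the reboot line is the one to look for when 'last reboot' shows a restart you did not schedule.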
The unattended-upgrades package has been installed and configured to apply security updates automatically, with the automatic reboot and the email report both enabled and verified.
https://www.howtoforge.com/tutorial/how-to-setup-automatic-security-updates-on-ubuntu-1604/
