Introduction
If you purchase a Debian server, then you should always have the latest security patches and updates, whether you're asleep or not. This is pretty easy to do. Here's how.
1. Install the unattended-upgrades Package
Run this command to install the "unattended-upgrades" package, along with a package to identify the changes:
apt -y install unattended-upgrades apt-listchanges
2. Configuration
After that is installed, then edit the unattended-upgrade configuration:
nano /etc/apt/apt.conf.d/50unattended-upgrades
Paste the following into this file after emptying it, then modify items with ** **. Remember to remove the asterisks.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Mail "**YOUR_EMAIL_HERE**";
// Automatically upgrade packages from these
Unattended-Upgrade::Origins-Pattern {
"o=Debian,a=stable";
"o=Debian,a=stable-updates";
"o=Debian,a=proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
// You can specify your own packages to NOT automatically upgrade here
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Automatic-Reboot "false";
NOTE: To remove the original lines from the file you can hold ( ctrl + k
)
NOTE: You can set Automatic-Reboot
to true
if you want your server to reboot when it's necessary.
Install "apticron" to manage automatic execution of APT updates:
apt -y install apticron
Open /etc/apticron/apticron.conf
and set the EMAIL variable to your email address, so you can receive the list of changes.
EMAIL="**me@example.com**"
DIFF_ONLY="1"
LISTCHANGES_PROFILE="apticron"
SYSTEM="**HOSTNAME.OF.SERVER**"
NOTIFY_HOLDS="0"
NOTIFY_NO_UPDATES="0"
Open /etc/apt/listchanges.conf
to configure APT to save the changes to a database:
[apt]
frontend=pager
email_address=**me@example**
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=news
3. Test
You can run unattended-upgrade
manually with debug mode to see if it works correctly:
unattended-upgrade -d