Unattended upgrades on Ubuntu 14.04 with email notifications

Getting Started

Install unattended-upgrades:

$ sudo apt-get update && sudo apt-get install -y unattended-upgrades 

Frequency Configuration

$ sudo dpkg-reconfigure unattended-upgrades

Select yes when prompted, and it will generate /etc/apt/apt.conf.d/20auto-upgrades:

$ sudo nano /etc/apt/apt.conf.d/20auto-upgrades

I chose the following configuration. Each number is an interval in days:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "9";

Explanation:

  • APT::Periodic::Update-Package-Lists "1"
    • Update the package lists daily. This is really important. If you don't update them often enough, unattended-upgrades can fail because it may have outdated sources. If you haven't updated in a long time before running unattended-upgrades, be sure to run an apt-get update before you start.
  • APT::Periodic::Download-Upgradeable-Packages "1"
    • Download updates every day. Even though I didn't choose to install my upgrades every day, I prefer to not download them all at once.
  • APT::Periodic::Unattended-Upgrade "3"
    • Perform installation every 3 days. I'm using this in a production env and didn't feel comfortable with daily installs. Might end up tweaking this some more.
  • APT::Periodic::AutocleanInterval "9"
    • Clean the package cache every 9 days. This overlaps with 3 runs of unattended-upgrades. I just picked this arbitrarily. Read about apt-get autoclean if you want more information on what this does.
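
The relationship between these intervals can be checked mechanically. The script below is an added example, not part of the original gist: it reads one apt.conf.d-style file and reports when automatic installs are disabled or when package lists are refreshed less often than upgrades run. The function names and sample files are constructed for illustration, and it only reads the single file it is given, whereas `apt-config dump` on a real host shows the values merged from every file.

```shell
#!/bin/sh
# Added example (not from the original gist): sanity-check APT::Periodic intervals.

# periodic_value FILE KEY: print the day count set for APT::Periodic::KEY.
# Absent settings count as 0 (disabled); this example only understands
# plain day counts and ignores lines commented out with //.
periodic_value() {
    v=$(grep -E "^[[:space:]]*APT::Periodic::$2[[:space:]]" "$1" | tail -n 1 |
        sed 's/[^"]*"\([^"]*\)".*/\1/')
    case $v in
        ''|*[!0-9]*) v=0 ;;
    esac
    echo "$v"
}

# check_periodic FILE: print one line per finding, nothing when consistent.
check_periodic() {
    lists=$(periodic_value "$1" Update-Package-Lists)
    upgrade=$(periodic_value "$1" Unattended-Upgrade)
    if [ "$upgrade" -eq 0 ]; then
        echo "Unattended-Upgrade is 0 or unset: nothing is installed automatically"
    elif [ "$lists" -eq 0 ]; then
        echo "Update-Package-Lists is 0 or unset: upgrades run against stale lists"
    elif [ "$lists" -gt "$upgrade" ]; then
        echo "list refresh interval ($lists) is longer than upgrade interval ($upgrade)"
    fi
    return 0
}

# Constructed sample files: the gist's settings and a stale-list variant.
conf_dir=$(mktemp -d)
trap 'rm -rf "$conf_dir"' EXIT
cat > "$conf_dir/gist.conf" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "9";
EOF
cat > "$conf_dir/stale.conf" <<'EOF'
APT::Periodic::Update-Package-Lists "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

echo "gist:  $(check_periodic "$conf_dir/gist.conf")"
echo "stale: $(check_periodic "$conf_dir/stale.conf")"
```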

unattended-upgrades Configuration

Edit /etc/apt/apt.conf.d/50unattended-upgrades to change what happens when unattended-upgrades is run:

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Configure the packages you want to automatically upgrade. Security-only is a great way to start:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Add your email address. I would suggest a mailing list or a dedicated email account:

Unattended-Upgrade::Mail "me@example.com";

Configure automatic reboot (optional). This will allow the server to reboot if required. You must have update-notifier-common installed for this to work. Feel free to omit this step until you're comfortable with the rest of your configuration:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "19:00"; // Optional

Email Notification Configuration

You can send notifications via Gmail (or other SMTP providers) when upgrades are performed. You should do this.

Install mailx. You need heirloom-mailx to use SMTP:

$ sudo apt-get install -y heirloom-mailx

Configure mailx defaults. Log in as root:

$ sudo su -

# cd ~
# nano .mailrc

Add the following to .mailrc in root's home directory:

set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
set from="changeme@gmail.com"

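Replace smtp, smtp-auth-user, smtp-auth-password, and from settings with settings appropriate to your account or email provider. For example, to send mail via outlook.com, set smtp=smtp-mail.outlook.com, update smtp-auth-user and smtp-auth-password, and leave the other settings the same. Note that ssl-verify=ignore tells mailx not to validate the server's TLS certificate, so the session is encrypted but the server is not authenticated; heirloom-mailx also accepts ssl-verify=strict, which aborts the connection when validation fails.

Restrict the permissions of .mailrc so that only root can read it, since it contains the SMTP password: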

# chmod 400 .mailrc

Send yourself a test email:

# echo "Just testing mailx" | mail -s "Yooooo woot" test@example.com

Congratulations, you're finished! Now you should verify your configuration before you leave it running.
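
A quick audit of the .mailrc written above, as an added example that is not part of the original gist: it flags `ssl-verify=ignore` (no server certificate validation), a missing `smtp-use-starttls`, and group/other permission bits on a file that stores `smtp-auth-password`. The function name `audit_mailrc` and both sample files are constructed for illustration; the second file uses `ssl-verify=strict`, the heirloom-mailx value that fails the connection on a validation error.

```shell
#!/bin/sh
# Added example (not from the original gist): audit a heirloom-mailx rc file.
# audit_mailrc FILE prints one line per finding and prints nothing when clean.
audit_mailrc() {
    rc=$1
    # ssl-verify=ignore skips server certificate validation, so the STARTTLS
    # session carrying the SMTP password can be intercepted unnoticed.
    if grep -Eq '^[[:space:]]*set[[:space:]]+ssl-verify=ignore' "$rc"; then
        echo "ssl-verify=ignore: server certificate is not validated"
    fi
    # Without smtp-use-starttls the submission session is never upgraded to TLS.
    if ! grep -Eq '^[[:space:]]*set[[:space:]]+smtp-use-starttls' "$rc"; then
        echo "smtp-use-starttls is not set: session is not upgraded to TLS"
    fi
    # A file holding smtp-auth-password must carry no group/other permission bits.
    if grep -Eq '^[[:space:]]*set[[:space:]]+smtp-auth-password=' "$rc"; then
        perms=$(ls -ld "$rc" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "permissions: group/other bits set ($perms), expected chmod 400"
        fi
    fi
    return 0
}

# Constructed sample files (placeholder credentials, as in the gist).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
weak=$sample_dir/mailrc.weak
strict=$sample_dir/mailrc.strict

cat > "$weak" <<'EOF'
set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
EOF
chmod 644 "$weak"

# Same file with validation enforced and the mode the gist recommends.
sed 's/^set ssl-verify=ignore$/set ssl-verify=strict/' "$weak" > "$strict"
chmod 400 "$strict"

echo "== weak ==";   audit_mailrc "$weak"
echo "== strict =="; audit_mailrc "$strict"
```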

Testing Your Configuration

Perform a dry-run to make sure the correct packages are downloaded:

$ sudo unattended-upgrade -v -d --dry-run

If that looks good, do the real thing:

$ sudo unattended-upgrade -v -d

Make sure that the upgrade completed successfully and you received your notification. Now you can leave this to run automatically and wait patiently for the next email notification.

cesc1989 commented Mar 8, 2017

When I issue sudo unattended-upgrade -v -d I get this:

All upgrades installed
InstCount=24 DelCount=0 BrokenCount=0
Sending mail with '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2017-03-08_19:18:12.827507.log' to 'francisco.quintero@bucket.io'
/usr/lib/sendmail: No such file or directory
mail returned: 0
"/home/ubuntu/dead.letter" 1803/281831
. . . message not sent.
