Skip to content

Instantly share code, notes, and snippets.

@commonquail

commonquail/unattended-upgrades.md

Last active August 29, 2015 14:16
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save commonquail/454a9512ca50040e891f to your computer and use it in GitHub Desktop.
Save commonquail/454a9512ca50040e891f to your computer and use it in GitHub Desktop.
Download ZIP
Unattended upgrades for Linux Mint 17.1
Raw
unattended-upgrades.md

Based on this guide by Andew Bolster, 2015-02-06; reposted for posterity and to address a minor awk field separator oddity.

Install unattended-upgrades:

$ sudo apt-get install unattended-upgrades -y

unattended-upgrades writes to the log file /var/log/unattended-upgrades/unattended-upgrades.log.

Edit the file /etc/apt/apt.conf.d/20auto-upgrades to include

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "21";

Edit the file /etc/apt/apt.conf.d/50unattended-upgrades to include, in the Unattended-Upgrade::Allowed-Origins section, the following uncommented lines:

"${distro_id} stable";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"Ubuntu stable";
"Ubuntu trusty-security";
"Ubuntu trusty-updates";

On a critical production system, do not proceed after this point; mistakes do happen.

This may not cover all sources but apt-list can be queried to find the correct (not the missing) entries:

$ sudo unattended-upgrade --dry-run --debug | \
        awk --field-separator="'" '/Origin component/{print $11,$9}' | \
        sort -u

This command differs from the one in the guide in two ways:

  • it collapses sort | uniq to sort -u; and
  • it uses the longer --field-separator="'" instead of -F "\'" because the latter consistently trips up Bash and/or awk when I use it.

The --debug flag dumps all output to stdout and allows piping. It is possible to execute only sudo unattended-upgrade --dry-run and run the remainder of the command on the log file afterwards.

The output of the command is very rough. Taken straight from the guide:

For instance, I got a few really long lines that are useless, followed by this list;

Canonical trusty
Google, Inc. stable
Heroku, Inc. stable
isTrusted:True>])  site:
linuxmint qiana
LP-PPA-fkrull-deadsnakes trusty
LP-PPA-stebbins-handbrake-snapshots trusty
LP-PPA-webupd8team-java trusty
now
ROS trusty

We can realistically discard the “isTrusted” and “now” lines, but the rest look relatively accurate. With a little bit of escaping to deal with spaces and special characters in names (looking at you Google and Heroku…), the relevant Allowed Origins entries looks like this:

"linuxmint qiana";
"Canonical trusty";
"jenkins-ci.org binary";
"Google\, Inc.:stable";
"Heroku\, Inc.:stable";
"ROS trusty";
"LP-PPA-fkrull-deadsnakes trusty";
"LP-PPA-stebbins-handbrake-snapshots trusty";
"LP-PPA-webupd8team-java trusty";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment