Based on this guide by Andew Bolster, 2015-02-06;
reposted for posterity and to address a minor awk
field separator oddity.
Install unattended-upgrades
:
$ sudo apt-get install unattended-upgrades -y
unattended-upgrades
writes to the log file
/var/log/unattended-upgrades/unattended-upgrades.log
.
Edit the file /etc/apt/apt.conf.d/20auto-upgrades
to include
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "21";
Edit the file /etc/apt/apt.conf.d/50unattended-upgrades
to include,
in the Unattended-Upgrade::Allowed-Origins
section,
the following uncommented lines:
"${distro_id} stable";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"Ubuntu stable";
"Ubuntu trusty-security";
"Ubuntu trusty-updates";
On a critical production system, do not proceed after this point; mistakes do happen.
This may not cover all sources but apt-list can be queried to find the correct (not the missing) entries:
$ sudo unattended-upgrade --dry-run --debug | \
awk --field-separator="'" '/Origin component/{print $11,$9}' | \
sort -u
This command differs from the one in the guide in two ways:
- it collapses
sort | uniq
tosort -u
; and - it uses the longer
--field-separator="'"
instead of-F "\'"
because the latter consistently trips up Bash and/orawk
when I use it.
The --debug
flag dumps all output to stdout
and allows piping.
It is possible to execute only sudo unattended-upgrade --dry-run
and run the remainder of the command on the log file afterwards.
The output of the command is very rough. Taken straight from the guide:
For instance, I got a few really long lines that are useless, followed by this list;
Canonical trusty Google, Inc. stable Heroku, Inc. stable isTrusted:True>]) site: linuxmint qiana LP-PPA-fkrull-deadsnakes trusty LP-PPA-stebbins-handbrake-snapshots trusty LP-PPA-webupd8team-java trusty now ROS trusty
We can realistically discard the “isTrusted” and “now” lines, but the rest look relatively accurate. With a little bit of escaping to deal with spaces and special characters in names (looking at you Google and Heroku…), the relevant
Allowed Origins
entries looks like this:"linuxmint qiana"; "Canonical trusty"; "jenkins-ci.org binary"; "Google\, Inc.:stable"; "Heroku\, Inc.:stable"; "ROS trusty"; "LP-PPA-fkrull-deadsnakes trusty"; "LP-PPA-stebbins-handbrake-snapshots trusty"; "LP-PPA-webupd8team-java trusty";