Unattended upgrades on Ubuntu 14.04 with email notifications

Getting Started

Do yourself a favor and log in as root to save yourself time and headaches. Everything below edits root-owned files, and the cron job that runs unattended-upgrades sends its mail as root, so the mail configuration later in this guide has to live in root's home directory:

$ sudo su -

Install unattended-upgrades:

$ apt-get update
$ apt-get install unattended-upgrades 

Frequency Configuration

$ dpkg-reconfigure unattended-upgrades

Select yes when prompted, and it will generate /etc/apt/apt.conf.d/20auto-upgrades:

$ nano /etc/apt/apt.conf.d/20auto-upgrades

I chose the following configuration. Each number is an interval in days; 0 disables that step:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "9";

Explanation:

  • APT::Periodic::Update-Package-Lists "1"
    • Update the package lists daily. This is really important: unattended-upgrades only sees the versions in the local package lists, so stale lists mean upgrades are missed or the download fails because the mirror has moved on. If the machine hasn't been updated in a long time, run an apt-get update by hand before you start.
  • APT::Periodic::Download-Upgradeable-Packages "1"
    • Download updates every day. Even though I didn't choose to install upgrades every day, I prefer not to download them all at once.
  • APT::Periodic::Unattended-Upgrade "3"
    • Install every 3 days. I'm using this in a production environment and didn't feel comfortable with daily installs. The trade-off is that a security fix can sit downloaded but uninstalled for up to 3 days, so weigh that against the exposure of the hosts involved. Might end up tweaking this some more.
  • APT::Periodic::AutocleanInterval "9"
    • Clean the package cache every 9 days, which covers three runs of unattended-upgrades at the interval above. I picked this arbitrarily; read about apt-get autoclean if you want to know exactly what it removes.

unattended-upgrades Configuration

Edit /etc/apt/apt.conf.d/50unattended-upgrades to change what happens when unattended-upgrades is run:

$ nano /etc/apt/apt.conf.d/50unattended-upgrades

Configure the packages you want to automatically upgrade. Security-only is a great way to start:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Add your email address. I would suggest a mailing list or a dedicated email account:

Unattended-Upgrade::Mail "me@example.com";

Configure automatic reboot (optional). With this set, the server reboots after a run in which an upgraded package created /var/run/reboot-required (a kernel or libc update, typically). That flag file is written by update-notifier-common, so it must be installed for this to work. Feel free to omit this step until you're comfortable with the rest of your configuration:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "19:00"; // Optional

Email Notification Configuration

You can send notifications via Gmail (or other SMTP providers) when upgrades are performed. You should do this.

Install mailx. The default bsd-mailx only hands mail to a local MTA; heirloom-mailx can speak SMTP itself, which is what lets you use Gmail without running a mail server:

$ apt-get install heirloom-mailx

Configure mailx defaults. Assuming you are still logged in as root:

$ cd ~
$ nano .mailrc

Add the following to .mailrc in root's home directory. Do not set ssl-verify=ignore: that turns off certificate checking entirely, so anyone who can intercept the connection can present their own certificate and read the SMTP password. Verify strictly against the system CA bundle instead (installed by the ca-certificates package):

set smtp-use-starttls
set ssl-verify=strict
set ssl-ca-file=/etc/ssl/certs/ca-certificates.crt
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
set from="changeme@gmail.com"

Replace the smtp, smtp-auth-user, smtp-auth-password and from settings with the values for your account or email provider. For Gmail, your normal account password no longer works here: turn on 2-step verification and generate an app password for this host. For example, to send mail via outlook.com, set smtp=smtp://smtp-mail.outlook.com:587, update smtp-auth-user and smtp-auth-password, and leave the other settings the same.

Change the permissions of .mailrc so that only root can read the stored password:

chmod 400 .mailrc

Send yourself a test email:

echo "Just testing mailx" | mail -s "Yooooo woot" test@example.com

Congratulations, you're finished! Now you should verify your configuration before you leave it running.

Testing Your Configuration

Perform a dry-run to make sure the correct packages are downloaded:

$ unattended-upgrade -v -d --dry-run

If that looks good, do the real thing:

$ unattended-upgrade -v -d

Make sure that the upgrade completed successfully and you received your notification; the run is also logged in /var/log/unattended-upgrades/unattended-upgrades.log. Now you can leave this to run automatically and wait for the next email notification.
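Before leaving the cron job to run on its own, it is worth checking the three files edited above for the mistakes that fail silently: a schedule that installs more often than it refreshes package lists, a security origin that is still commented out, a missing mail recipient, and a .mailrc that is world-readable or has certificate verification switched off. The script below is an added example for this page, not code from the original gist. It assumes GNU stat (Linux) and checks constructed sample files in a temporary directory rather than the live files under /etc and /root; point the functions at the real paths to audit a host.

```shell
#!/bin/sh
# Pre-flight audit for the configuration built in this guide. It parses the
# APT periodic schedule (20auto-upgrades), 50unattended-upgrades and a .mailrc
# and reports the settings that would silently weaken or break the setup.
# Example code added to this page, not from the original gist. Assumes GNU
# stat (Linux); the files it checks are constructed below, not read from /etc.

# Value of an APT option written as   KEY "value";   in FILE (empty if unset).
apt_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Value of   set KEY=value   in a .mailrc (empty if unset).
mailrc_opt() {
    sed -n "s/^[[:space:]]*set[[:space:]][[:space:]]*$2=\(.*\)$/\1/p" "$1" | tail -n 1
}

# Package lists must be refreshed at least daily and at least as often as
# upgrades are installed, or unattended-upgrade works from stale metadata.
check_schedule() {
    local f=$1 rc=0 lists upg
    lists=$(apt_opt "$f" APT::Periodic::Update-Package-Lists)
    upg=$(apt_opt "$f" APT::Periodic::Unattended-Upgrade)
    [ "${lists:-0}" -ge 1 ] || { echo "FAIL $f: Update-Package-Lists is '${lists:-unset}'"; rc=1; }
    [ "${upg:-0}" -ge 1 ]   || { echo "FAIL $f: Unattended-Upgrade is '${upg:-unset}', nothing installs"; rc=1; }
    [ "${lists:-0}" -le "${upg:-1}" ] || { echo "FAIL $f: lists refreshed less often than upgrades run"; rc=1; }
    return $rc
}

# The security origin must be active (a line starting with // is commented
# out and does not count) and a recipient must be set or nobody is told.
check_unattended() {
    local f=$1 rc=0 mail
    grep -Eq '^[[:space:]]*"[$][{]distro_id[}]:[$][{]distro_codename[}]-security";' "$f" \
        || { echo "FAIL $f: security origin missing from Allowed-Origins"; rc=1; }
    mail=$(apt_opt "$f" Unattended-Upgrade::Mail)
    [ -n "$mail" ] || { echo "FAIL $f: Unattended-Upgrade::Mail unset, no notifications"; rc=1; }
    return $rc
}

# .mailrc holds a password, so it must be owner-only, the session must use
# STARTTLS, and the certificate must be verified (ignore allows a MITM).
check_mailrc() {
    local f=$1 rc=0 mode verify smtp
    mode=$(stat -c '%a' "$f")
    case "$mode" in 400|600) ;; *) echo "FAIL $f: mode $mode, expected 400"; rc=1 ;; esac
    verify=$(mailrc_opt "$f" ssl-verify)
    [ "$verify" = strict ] || { echo "FAIL $f: ssl-verify='${verify:-unset}', expected strict"; rc=1; }
    grep -Eq '^[[:space:]]*set[[:space:]]+smtp-use-starttls([[:space:]]|$)' "$f" \
        || { echo "FAIL $f: smtp-use-starttls not set, login would go in cleartext"; rc=1; }
    smtp=$(mailrc_opt "$f" smtp)
    case "$smtp" in smtp://*:*) ;; *) echo "FAIL $f: smtp='${smtp:-unset}', expected smtp://host:port"; rc=1 ;; esac
    return $rc
}

# --- Constructed sample files (not taken from any real host) ---------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "9";
EOF
cat > "$SAMPLE_DIR/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Mail "ops-alerts@example.com";
EOF
# Weak: verification disabled and the file left world-readable.
cat > "$SAMPLE_DIR/mailrc.weak" <<'EOF'
set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
EOF
chmod 644 "$SAMPLE_DIR/mailrc.weak"
# Hardened: strict verification against the system CA bundle, owner-only.
cat > "$SAMPLE_DIR/mailrc.good" <<'EOF'
set smtp-use-starttls
set ssl-verify=strict
set ssl-ca-file=/etc/ssl/certs/ca-certificates.crt
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=app-specific-password
EOF
chmod 400 "$SAMPLE_DIR/mailrc.good"

# Full audit; non-zero means fix the flagged lines before trusting the cron job.
audit() {
    local rc=0
    check_schedule "$SAMPLE_DIR/20auto-upgrades" || rc=1
    check_unattended "$SAMPLE_DIR/50unattended-upgrades" || rc=1
    check_mailrc "$1" || rc=1
    return $rc
}
audit "$SAMPLE_DIR/mailrc.weak" && echo "weak .mailrc passed (unexpected)" || echo "weak .mailrc rejected, as intended"
audit "$SAMPLE_DIR/mailrc.good" && echo "hardened .mailrc passed" || echo "hardened .mailrc rejected (unexpected)"
```

On a real host, replace the sample paths with /etc/apt/apt.conf.d/20auto-upgrades, /etc/apt/apt.conf.d/50unattended-upgrades and /root/.mailrc. The checks deliberately read the files rather than apt-config dump, so they can run from a configuration-management pipeline before the files are deployed.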

@TR0X

TR0X commented Jul 16, 2017

Thanks for the manual, it worked very well. But Google blocked the first try because of "Less secure app"; you will be informed via e-mail and you have to allow it.

@Tobi823

Tobi823 commented Jul 21, 2017

Is there any alternative to set ssl-verify=ignore? I don't like to be vulnerable to a man-in-the-middle attack.
I tried to leave it out, but I got this message (with Debian 8):

root@vsrv83388:~# Error with certificate at depth: 1
 issuer = /C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
 subject = /C=US/O=GeoTrust Inc./CN=GeoTrust EV SSL CA - G4
 err 20: unable to get local issuer certificate
Continue (y/n)? could not initiate SSL/TLS connection: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"/root/dead.letter" 11/311
. . . message not sent.

@PanagiotisDrakatos

In some cases, Gmail might still block connections from what it calls "Less secure apps", and the notification configuration will not work. To enable access, enable "Less secure apps" access.

@stylemessiah

Great guide, working perfectly for me

I use 2 factor authentication everywhere, so my suggestion is to enable this on your google account and then create an app password and put that in place of your normal password in .mailrc

Absolutely works

I would never use Less Secure....

@Fennelly94

Hi guys,

Could anyone tell me why I'm getting the following error whilst doing this set up.

ValueError: not enough values to unpack (expected 2, got 1)

Thank you!

@Fennelly94

All fixed, sorry about the question! Thanks

@robjweiss

Nice guide, but when I change the permission of .mailrc to 400 I am no longer able to send mail, instead I get the error:
cannot start "/usr/sbin/sendmail": executable not found (adjust *sendmail* variable)

Any ideas on what the issue might be?


ghost commented Mar 23, 2019

heirloom-mailx has been removed from the Ubuntu 18.04 repo

@fractalic

fractalic commented May 7, 2019

As an alternative to heirloom-mailx you can use mailutils with ssmtp:

  1. apt install mailutils ssmtp
  2. Configure ssmtp in /etc/ssmtp/ssmtp.conf:

     root=<someone@somewhere.xyz>
     mailhub=<someUrl>:<probably587>

     AuthUser=<account>
     AuthPass=<password>
     UseTLS=YES
     UseSTARTTLS=YES

     hostname=<some-long-host-name>

  3. Configure mailutils to use ssmtp in /etc/mailutils.conf:

     mailer {
       url sendmail://ssmtp;
     }
