Unattended upgrades on Ubuntu 14.04 with email notifications

Getting Started

Do yourself a favor and log in as root to save yourself some time and headaches:

$ sudo su -

Install unattended-upgrades:

$ apt-get update
$ apt-get install unattended-upgrades 

Frequency Configuration

$ dpkg-reconfigure unattended-upgrades

Select yes when prompted, and it will generate /etc/apt/apt.conf.d/20auto-upgrades:

$ nano /etc/apt/apt.conf.d/20auto-upgrades

I chose the following configuration. The number is the frequency in days:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "3";
APT::Periodic::AutocleanInterval "9";

Explanation:

  • APT::Periodic::Update-Package-Lists "1"
    • Update the package lists daily. This is really important. If you don't update them often enough, unattended-upgrades can fail because it may have outdated sources. If you haven't updated in a long time before running unattended-upgrades, be sure to run an apt-get update before you start.
  • APT::Periodic::Download-Upgradeable-Packages "1"
    • Download updates every day. Even though I didn't choose to install my upgrades every day, I prefer to not download them all at once.
  • APT::Periodic::Unattended-Upgrade "3"
    • Perform installation every 3 days. I'm using this in a production env and didn't feel comfortable with daily installs. Might end up tweaking this some more.
  • APT::Periodic::AutocleanInterval "9"
    • Clean the package cache every 9 days. This overlaps with 3 runs of unattended-upgrades. I just picked this arbitrarily. Read about apt-get autoclean if you want more information on what this does.

unattended-upgrades Configuration

Edit /etc/apt/apt.conf.d/50unattended-upgrades to change what happens when unattended-upgrades is run:

$ nano /etc/apt/apt.conf.d/50unattended-upgrades

Configure the packages you want to automatically upgrade. Security-only is a great way to start:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
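
A check for the two files edited so far, added here as an example and not part of the original gist: it reads the APT::Periodic intervals and the uncommented Allowed-Origins entries, then flags a list refresh that is slower than the upgrade interval or a missing -security origin. Function names, finding labels and the sample files are constructed for illustration; it assumes the flat `Key "value";` syntax and numeric day intervals shown above.

```shell
# periodic FILE KEY: print the value of APT::Periodic::KEY ("0" if absent).
periodic() {
    awk -v key="APT::Periodic::$2" '
        /^[ \t]*\/\// { next }                      # skip // comment lines
        $1 == key { gsub(/[";]/, "", $2); v = $2 }  # a later assignment overrides
        END { print (v == "" ? 0 : v) }' "$1"
}

# active_origins FILE: print the uncommented Allowed-Origins entries.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
        inblk && /^[ \t]*[}]/ { inblk = 0 }
        inblk && !/^[ \t]*\/\// && match($0, /"[^"]+"/) {
            print substr($0, RSTART + 1, RLENGTH - 2) }' "$1"
}

# audit_apt AUTO_UPGRADES_FILE UNATTENDED_FILE: one finding per line, silent if clean.
audit_apt() {
    lists=$(periodic "$1" Update-Package-Lists)
    upg=$(periodic "$1" Unattended-Upgrade)
    if [ "$upg" -eq 0 ]; then
        echo "OFF: Unattended-Upgrade is 0 or unset, so nothing gets installed"
    elif [ "$lists" -eq 0 ] || [ "$lists" -gt "$upg" ]; then
        echo "STALE: lists refresh interval is $lists, upgrade interval is $upg"
    fi
    active_origins "$2" | grep -q -- '-security$' ||
        echo "ORIGINS: the -security origin is not active"
    active_origins "$2" | grep -v -- '-security$' | sed 's/^/EXTRA: /'
    return 0
}

# Constructed copies of the two files as configured above.
d=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "3";' > "$d/20auto-upgrades"
cat > "$d/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
EOF
audit_apt "$d/20auto-upgrades" "$d/50unattended-upgrades"   # no findings for this input
active_origins "$d/50unattended-upgrades"
rm -rf "$d"
```

On a live system, `apt-config dump` prints the configuration APT actually merged from every file in apt.conf.d, which is the authoritative view.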

Add your email address. I would suggest a mailing list or a dedicated email account:

Unattended-Upgrade::Mail "me@example.com";

Configure automatic reboot (optional). This will allow the server to reboot if required. You must have update-notifier-common installed for this to work. More info here. Feel free to omit this step until you're comfortable with the rest of your configuration:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "19:00"; // Optional

Email Notification Configuration

You can send notifications via Gmail (or other SMTP providers) when upgrades are performed. You should do this.

Install mailx. You need heirloom-mailx to use SMTP:

$ apt-get install heirloom-mailx

Configure mailx defaults. Assuming you are still logged in as root:

$ cd ~
$ nano .mailrc

Add the following to .mailrc in root's home directory:

set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
set from="changeme@gmail.com"

Replace smtp, smtp-auth-user, smtp-auth-password, and from settings with settings appropriate to your account or email provider. For example, to send mail via outlook.com, set smtp=smtp-mail.outlook.com, update smtp-auth-user and smtp-auth-password, and leave the other settings the same.

Change the permissions of .mailrc:

$ chmod 400 .mailrc
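
The .mailrc above stores the SMTP password in clear text and sets ssl-verify=ignore, which makes mailx accept any server certificate, so the login is only as safe as the network path to the SMTP server. The audit below is an added example (not from the original gist) that flags those settings and the file mode; function names and finding labels are illustrative, and the sample file is constructed from the placeholder values above.

```shell
# audit_mailrc FILE: print one finding per line for a mailx rc file; silent if clean.
audit_mailrc() {
    rc=$1
    [ -r "$rc" ] || { echo "ERROR: cannot read $rc"; return 0; }

    # Characters 5-10 of the ls mode string are the group and other bits.
    # The file holds the SMTP password, so all six should be '-'.
    perms=$(ls -ld "$rc" | cut -c5-10)
    [ "$perms" = "------" ] ||
        echo "PERMS: group/other bits are '$perms'; chmod 400 the file"

    # Look only at active lines (mailx treats lines starting with # as comments).
    active=$(grep -v '^[[:space:]]*#' "$rc" || true)
    has() { printf '%s\n' "$active" | grep -Eq "^[[:space:]]*set[[:space:]]+$1"; }

    if has 'ssl-verify=ignore'; then
        echo "TLS: ssl-verify=ignore accepts any server certificate"
    fi
    if has 'smtp=' && ! has 'smtp-use-starttls' && ! has 'smtp=smtps://'; then
        echo "TLS: no smtp-use-starttls or smtps:// URL; the SMTP session is not encrypted"
    fi
    if has 'smtp-auth-password='; then
        echo "SECRET: password is stored in clear text; file mode is its only protection"
    fi
    return 0
}

# Constructed sample mirroring the settings shown above (placeholder credentials).
write_sample_mailrc() {
    cat > "$1" <<'EOF'
set smtp-use-starttls
set ssl-verify=ignore
set smtp=smtp://smtp.gmail.com:587
set smtp-auth=login
set smtp-auth-user=changeme@gmail.com
set smtp-auth-password=mypassword
set from="changeme@gmail.com"
EOF
}

demo=$(mktemp)
write_sample_mailrc "$demo"
chmod 644 "$demo"          # deliberately too open, to show the PERMS finding
audit_mailrc "$demo"
rm -f "$demo"
```

The heirloom mailx manual lists `strict` as a value for `ssl-verify`, with `ssl-ca-dir` or `ssl-ca-file` naming the trusted CAs on OpenSSL builds.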

Send yourself a test email:

$ echo "Just testing mailx" | mail -s "Yooooo woot" test@example.com

Congratulations, you're finished! Now you should verify your configuration before you leave it running.

Testing Your Configuration

Perform a dry-run to make sure the correct packages are downloaded:

$ unattended-upgrade -v -d --dry-run

If that looks good, do the real thing:

$ unattended-upgrade -v -d

Make sure that the upgrade completed successfully and you received your notification. Now you can leave this to run automatically and wait patiently for the next email notification.


fractalic commented May 7, 2019

As an alternative to heirloom-mailx you can use mailutils with ssmtp:

  1. apt install mailutils ssmtp
  2. Configure ssmtp in /etc/ssmtp/ssmtp.conf
root=<someone@somewhere.xyz>
mailhub=<someUrl>:<probably587>

AuthUser=<account>
AuthPass=<password>
UseTLS=YES
UseSTARTTLS=YES

hostname=<some-long-host-name>
  3. Configure mailutils to use ssmtp in /etc/mailutils.conf
mailer {
  url sendmail://ssmtp;
}
