
Enabling Ubuntu automatic security updates


Linux, Security

My estate of servers consisting of VMs, LXC containers and of course Raspberry Pis has grown over the years, but has now grown to a point (especially over the COVID-19 lockdowns) where it takes a significant amount of time to go around and perform manual security and recommended updates to them all. This has prompted me to start running automatic security updates.

Install the unattended-upgrades package with APT on each server, then edit the file below.

vi /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
};

If you want security and recommended updates to be installed automatically, this additional line will need to be inserted into the Unattended-Upgrade::Allowed-Origins block in the above file.

"${distro_id}:${distro_codename}-updates";

The above file can also include the following to blacklist certain packages from being automatically upgraded.

Unattended-Upgrade::Package-Blacklist {

        "vim";
        "git";
};

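Allow automatic reboots, if required by upgraded packages. The setting goes in the same 50unattended-upgrades file; /var/run/reboot-required is the flag file that upgraded packages create to signal that a reboot is needed, not a file to edit.

vi /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Automatic-Reboot "true";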

The below log files contain info about upgraded packages.

tail -f /var/log/unattended-upgrades/unattended-upgrades.log
tail -f /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
grep linux-image /var/log/unattended-upgrades/unattended-upgrades.log

I also found it useful to perform a dry run to ensure my settings were configured and the correct packages were installed or ignored.

unattended-upgrades --dry-run --debug
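
A complementary check to the dry run, added here as an example and not part of the original post: a shell function that audits the effective settings across a fleet by reading `apt-config dump` output. It assumes the dump prints list entries as `Name:: "value";`, and it also checks APT::Periodic::Unattended-Upgrade (normally set in /etc/apt/apt.conf.d/20auto-upgrades, a file this post does not cover), because without it the rules in 50unattended-upgrades are never run on a schedule. The function name audit_uu and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit unattended-upgrades settings from `apt-config dump` output.
# Usage on a server:  apt-config dump | audit_uu
# Prints one finding per line; returns 0 if there are no FAIL lines, 1 otherwise.
audit_uu() {
    local dump fails=0 pkgs
    dump=$(cat)

    # The -security origin must be allowed, or security fixes are never picked up.
    if printf '%s\n' "$dump" | grep -Eq '^Unattended-Upgrade::Allowed-Origins:: ".*-security";'; then
        echo "OK   security origin allowed"
    else
        echo "FAIL no -security origin in Allowed-Origins"; fails=1
    fi

    # The periodic job must be switched on; 50unattended-upgrades only says
    # what may be upgraded, not whether the job runs.
    if printf '%s\n' "$dump" | grep -Eq '^APT::Periodic::Unattended-Upgrade "([1-9][0-9]*|always)";'; then
        echo "OK   periodic unattended-upgrade enabled"
    else
        echo "FAIL APT::Periodic::Unattended-Upgrade is not enabled"; fails=1
    fi

    # Blacklisted packages never receive automatic fixes: list them for review.
    pkgs=$(printf '%s\n' "$dump" |
        sed -n 's/^Unattended-Upgrade::Package-Blacklist:: "\(.*\)";$/\1/p' | paste -sd, -)
    if [ -n "$pkgs" ]; then
        echo "WARN held back from auto-upgrade: $pkgs"
    fi

    # Without automatic reboot, kernel fixes stay inactive until a manual reboot.
    if printf '%s\n' "$dump" | grep -Eq '^Unattended-Upgrade::Automatic-Reboot "true";'; then
        echo "OK   automatic reboot enabled"
    else
        echo "WARN automatic reboot disabled; watch /var/run/reboot-required"
    fi
    return "$fails"
}

# Constructed sample in `apt-config dump` format (not taken from a real host).
sample='APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Package-Blacklist:: "vim";
Unattended-Upgrade::Package-Blacklist:: "git";'
printf '%s\n' "$sample" | audit_uu
```

A non-zero exit status makes the function easy to call from a loop over hosts or from a monitoring check.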

I have read further articles on the internet which describe that it is also possible to send emails with upgrade details.

https://www.cyberciti.biz/faq/ubuntu-enable-setup-automatic-unattended-security-updates/


