Ubuntu 14.04 doesn't install security updates automatically by default, so to keep our servers patched we need to install security updates manually from time to time.
Step 2- Configure unattended upgrade
Append these two lines if they don't already exist.
Make sure that the upgrade completed successfully. Now you can leave this to run automatically.
In this blog series, I am going to demonstrate how to configure unattended security updates for Ubuntu 14.04.
Prerequisites-
- One Ubuntu 14.04 VM
- A user with sudo access.
Step 1- Install the unattended-upgrades package
Run the following commands to install the package.
$ sudo apt-get update
$ sudo apt-get install unattended-upgrades
$ sudo dpkg-reconfigure unattended-upgrades
It will generate two configuration files:
1- 20auto-upgrades
2- 50unattended-upgrades
Step 3- Modify the 20auto-upgrades file.
Open the 20auto-upgrades file and append the following lines.
$ sudo vi /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Save and exit from the file.
Where:
APT::Periodic::Update-Package-Lists "1";
Update the package lists daily. This is really important to keep the repository information up to date.
APT::Periodic::Unattended-Upgrade "1";
Download updates daily. You can modify it as per your requirement.
Step 4- Modify the 50unattended-upgrades file to download and install security updates only.
Open the file in the vi editor and modify it as follows.
$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
Make your file match this:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
// dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";
// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";
// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";
// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";
// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
// Automatically reboot *WITHOUT CONFIRMATION*
// if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
Save and exit from the file.
Your Ubuntu 14.04 is ready to install security updates automatically.
Step 5- Test your configuration
Perform a dry run to make sure the correct packages are downloaded:
$ sudo unattended-upgrade -v -d --dry-run
If it looks good and shows the correct packages:
$ sudo unattended-upgrade -v -d
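One way to confirm the result of Steps 3 and 4 before leaving the server alone, as an added example that is not part of the original post: the script checks that both APT::Periodic settings are enabled and that only security (or ESM) origins are active in Allowed-Origins. The function names and the temporary sample files are assumptions made for this illustration; on a real server, pass the two paths under /etc/apt/apt.conf.d/ to audit_unattended instead.

```shell
#!/bin/sh
# Added example: audit the two files edited in Steps 3 and 4.

# Print the active (uncommented) Allowed-Origins entries, one per line.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { blk = 1; next }
        blk && /^[ \t]*[}];/ { blk = 0 }
        blk && !/^[ \t]*\/\// && match($0, /"[^"]+"/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }' "$1"
}

# Print the numeric value of APT::Periodic::<key> in file $1 (empty if unset).
periodic_value() {
    sed -n "s|^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*|\1|p" "$1" | tail -n 1
}

# Return 0 only if both periodic jobs are enabled and every active origin
# is a -security or ESM pocket; otherwise print each finding and return 1.
audit_unattended() {
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        case $(periodic_value "$1" "$key") in
            ''|0) echo "FAIL: APT::Periodic::$key unset or disabled"; rc=1 ;;
        esac
    done
    origins=$(active_origins "$2")
    [ -n "$origins" ] || { echo "FAIL: no active Allowed-Origins entry"; rc=1; }
    for o in $origins; do   # entries contain no whitespace
        case $o in
            *-security|*ESM:*) ;;
            *) echo "FAIL: non-security origin enabled: $o"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: -updates left uncommented, upgrade job never enabled.
tmp=$(mktemp -d)
echo 'APT::Periodic::Update-Package-Lists "1";' > "$tmp/20auto-upgrades"
cat > "$tmp/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
};
EOF
audit_unattended "$tmp/20auto-upgrades" "$tmp/50unattended-upgrades" || echo "audit: not security-only"
rm -rf "$tmp"
```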