Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. To keep current with security fixes, I often find it useful to configure servers to perform automatic security updates. If properly configured, automatic updates can mitigate risk and keep any service interruptions to a minimum.
Are Automatic Upgrades a Good Choice?
Most servers I work with are good candidates for automatic security updates; they aren’t running applications sensitive to the minor changes introduced by security updates. Additionally, quick service interruptions at off-hours aren’t an issue. For example, a quick restart of Apache or MySQL at 2am will not be a problem. If a server is particularly sensitive, I will only set up notification of security updates, so that I can control the what and when of any update installation.
Installing the Unattended Upgrades Package
The easiest way to get started with automatic updates is with the unattended-upgrades package. It can be installed with apt-get install unattended-upgrades.
After installation, you’ll need to run dpkg-reconfigure unattended-upgrades and select ‘yes’, or manually place a configuration file at /etc/apt/apt.conf.d/20auto-upgrades with the contents:
This allows the system to run the unattended-upgrades utility regularly. The actual timing is normally determined by cron, which has a daily cron file for doing apt maintenance located at
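As an added example (not code from the original post), the following shell functions write the 20auto-upgrades file that enables the daily run and then verify that both settings are actually present. It assumes the two APT::Periodic keys that dpkg-reconfigure unattended-upgrades writes; the target directory is a parameter so the functions can be tried against a scratch directory before touching a real /etc/apt, and the optional --dry-run branch only runs where the unattended-upgrade command is installed.

```shell
#!/bin/sh
# Added example, not the blog's own code: enable periodic runs of
# unattended-upgrade by writing the APT::Periodic settings into
# 20auto-upgrades. "1" means run daily; "0" disables the step.

# write_auto_upgrades DIR
# Writes DIR/20auto-upgrades (DIR defaults to /etc/apt/apt.conf.d).
write_auto_upgrades() {
    dir="${1:-/etc/apt/apt.conf.d}"
    mkdir -p "$dir"
    cat > "$dir/20auto-upgrades" <<'EOF'
// Refresh the package lists daily (same cadence as the apt cron job)
APT::Periodic::Update-Package-Lists "1";
// Run unattended-upgrade daily, after the lists have been refreshed
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# auto_upgrades_enabled DIR
# Returns 0 only if both periodic settings exist and are set to "1",
# i.e. the host will really run unattended-upgrade on its own.
auto_upgrades_enabled() {
    f="${1:-/etc/apt/apt.conf.d}/20auto-upgrades"
    [ -f "$f" ] || return 1
    grep -q '^APT::Periodic::Update-Package-Lists "1";' "$f" || return 1
    grep -q '^APT::Periodic::Unattended-Upgrade "1";' "$f" || return 1
    return 0
}

# On a real Debian/Ubuntu host, preview what the next run would install
# without changing anything. The command only exists once the package
# is installed, so the branch is skipped elsewhere.
if [ "${1:-}" = "--dry-run" ] && command -v unattended-upgrade >/dev/null 2>&1; then
    unattended-upgrade --dry-run --debug
fi
```

Running the script with --dry-run on a host where the package is installed shows which packages the next scheduled run would pick up, which is a useful check before leaving a server to update itself.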
Configuring the Unattended Upgrades Package
After installation, you get to configure what operations the unattended-upgrade utility will actually perform. By default, it will simply install updates tagged as ‘security’, but will not automatically reboot the system if any updates require a reboot.
The typical configuration file, located at /etc/apt/apt.conf.d/50unattended-upgrades, is well documented and can be edited to suit your needs.
Here are some configuration highlights:
Allowed-Origins / Origins-Pattern:
Depending on whether your distro is Debian or Ubuntu, the method of filtering origins may differ. On Debian, the section is Unattended-Upgrade::Origins-Pattern, and on Ubuntu, the section is Unattended-Upgrade::Allowed-Origins. This section allows you to determine which origins unattended-upgrades will consult when installing updates. By default, only security updates are allowed. If you’d like to add other updates, uncomment or add the appropriate origins.
This filters specific packages from being considered when installing updates. For example, you may wish to avoid automatically installing any updates for MySQL server to prevent it from being automatically restarted. Add appropriate package names as desired.
This specifies the e-mail address that unattended-upgrades will send a message to when updates are being installed, or if problems are encountered. A valid
apt-get install bsd-mailx will provide this).
unattended-upgrades will send an e-mail when any updates are installed. If you only want to receive a message if there is a problem, you can set this to true.
unattended-upgrades will not automatically reboot the system if a reboot is required to complete the update (kernel updates, for instance). This could be potentially disruptive, but could be enabled if desired.
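The configuration highlights above, pulled together as an added example (not the post's own code): a shell function writes a complete policy file with the Ubuntu-style Allowed-Origins restricted to security, MySQL server kept out of automatic updates, mail only on errors, and automatic reboots left off, plus two helpers that read the resulting settings back. The option names (Unattended-Upgrade::Allowed-Origins, Package-Blacklist, Mail, MailOnlyOnError, Automatic-Reboot) are the package's own; the mail address is a placeholder. In practice you would edit the well-documented file the package ships rather than overwrite it, so write to a scratch directory first.

```shell
#!/bin/sh
# Added example, not the blog's own code: write a 50unattended-upgrades
# policy that installs only security updates, never touches mysql-server
# (so it is never restarted unattended), mails only on failure and does
# not reboot by itself. The quoted heredoc keeps APT's ${distro_id}
# variables from being expanded by the shell.

# write_policy_file DIR
# Writes DIR/50unattended-upgrades (DIR defaults to /etc/apt/apt.conf.d).
write_policy_file() {
    dir="${1:-/etc/apt/apt.conf.d}"
    mkdir -p "$dir"
    cat > "$dir/50unattended-upgrades" <<'EOF'
// Only the security origin is enabled; uncomment -updates to widen it
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
};
// Packages here are never upgraded automatically
Unattended-Upgrade::Package-Blacklist {
    "mysql-server";
};
// Placeholder address; change to a mailbox that is actually read
Unattended-Upgrade::Mail "admin@example.com";
// Mail only when something went wrong, not on every successful run
Unattended-Upgrade::MailOnlyOnError "true";
// Kernel updates still need a reboot, but it stays a manual decision
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# package_blacklisted FILE PKG
# Returns 0 if PKG is listed inside the Package-Blacklist block.
package_blacklisted() {
    awk -v pkg="$2" '
        /^Unattended-Upgrade::Package-Blacklist/ { inblock = 1; next }
        inblock && /^};/                         { inblock = 0 }
        inblock && $0 ~ "\"" pkg "\""            { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# setting_value FILE KEY
# Prints the quoted value of a scalar key such as Automatic-Reboot.
setting_value() {
    sed -n "s/^Unattended-Upgrade::$2 \"\(.*\)\";.*/\1/p" "$1"
}
```

The two read-back helpers are the kind of check worth keeping in a configuration audit: a host that is expected to skip MySQL or never reboot on its own can be verified from the file rather than from memory.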
If automatic security updates aren’t a good candidate for your system, you’ll still probably want to be notified when updates are available.
apticron is a good package for this. After installing with apt-get install apticron, configure the mailing address in /etc/apticron/apticron.conf. Whenever updates are available for packages on your system, you will receive an e-mail with details.
Keeping servers patched with the latest security updates can be a bit of a hassle. However, in many cases, making use of automatic security updates can save time and mitigate the risk associated with having systems which aren’t patched on a regular basis. If nothing else, notifications of available updates should keep you apprised of any actions that you need to take in keeping your systems secure.