Debian and Ubuntu Automatic Security Updates

Security patches for libraries and tools come out quite frequently. Just subscribe to any Linux distribution security list, and you’ll find that security updates are released with astounding frequency, sometimes even daily. Even kernel security updates are fairly common, with two security patches being released for the kernel used by Ubuntu 12.04 LTS in June. To keep current with security fixes, I often find it useful to configure servers to perform automatic security updates. If properly configured, automatic updates can mitigate risk and keep any service interruptions to a minimum.

Are Automatic Upgrades a Good Choice?

Most servers I work with are good candidates for automatic security updates; they aren’t running applications sensitive to the minor changes introduced by security updates. Additionally, quick service interruptions at off-hours aren’t an issue. For example, a quick restart of Apache or MySQL at 2am will not be a problem. If a server is particularly sensitive, I only set up notification of security updates, so that I control what gets installed and when.

Installing the Unattended Upgrades Package

The easiest way to get started with automatic updates is with the unattended-upgrades package. It can be installed with apt-get install unattended-upgrades.

After installation, you’ll need to run dpkg-reconfigure unattended-upgrades and answer ‘yes’ (which writes the file shown below), or manually place a configuration file at /etc/apt/apt.conf.d/20auto-upgrades with the contents:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

This allows the system to run the unattended-upgrade utility regularly; the "1" values are intervals in days. The actual timing is determined by cron on older releases, via the daily apt maintenance script at /etc/cron.daily/apt. On systemd-based releases the same job is driven by the apt-daily.timer and apt-daily-upgrade.timer units, which run /usr/lib/apt/apt.systemd.daily; systemctl list-timers 'apt-daily*' shows when they will next fire.

Configuring the Unattended Upgrades Package

After installation, you get to configure what operations the unattended-upgrade utility will actually perform. By default, it installs only updates from the distribution’s security origin, and it will not reboot the system on its own even if an update (a new kernel, for instance) requires one.

The typical configuration file, located at /etc/apt/apt.conf.d/50unattended-upgrades, is well documented and can be edited to suit your needs.

Here are some configuration highlights:

Allowed-Origins / Origins-Pattern:

Depending on whether your distro is Debian or Ubuntu, the method of filtering origins may differ. On Debian, the section is Unattended-Upgrade::Origins-Pattern, and on Ubuntu, the section is Unattended-Upgrade::Allowed-Origins. These are two syntaxes for the same filter: Allowed-Origins takes "origin:archive" pairs such as "${distro_id}:${distro_codename}-security", while Origins-Pattern takes the more general "origin=...,archive=...,label=..." form; unattended-upgrades accepts either on both distributions, and the ${distro_id} and ${distro_codename} placeholders are expanded to the local values. This section determines which origins unattended-upgrades will consult when installing updates. By default, only security updates are allowed. If you’d like to add other updates, uncomment or add the appropriate origins.

Package-Blacklist

This filters specific packages from being considered when installing updates. For example, you may wish to avoid automatically installing any updates for MySQL server to prevent it from being automatically restarted. Add appropriate package names as desired.

Mail

This specifies the e-mail address that unattended-upgrades will send a message to when updates are being installed, or if problems are encountered. A working mail command must be present on the system for this to work; apt-get install bsd-mailx provides one and pulls in a mail transport agent if none is installed, but the MTA still has to be able to deliver mail off the box.

MailOnlyOnError

By default, unattended-upgrades will send an e-mail whenever updates are installed. If you only want to receive a message when there is a problem, set this to "true". Newer releases replace this option with Unattended-Upgrade::MailReport, which takes "always", "only-on-error" or "on-change"; the old name is still honored.

Automatic-Reboot

By default, unattended-upgrades will not automatically reboot the system if a reboot is required to complete the update (kernel updates, for instance). This could be potentially disruptive, but could be enabled if desired. If you do enable it, also set Unattended-Upgrade::Automatic-Reboot-Time (for example "02:00") so the reboot lands in a maintenance window rather than immediately after the upgrade run.
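The installation and configuration steps above, as one non-interactive script. This is an added example and not code from the original post. It writes the 20auto-upgrades file that dpkg-reconfigure would create, plus a local drop-in that restricts origins to security, blacklists mysql-server, mails only on error and leaves automatic reboots disabled. The drop-in name 52unattended-upgrades-local and the ADMIN_MAIL recipient are assumptions; apt reads /etc/apt/apt.conf.d/* in lexical order, so a higher-numbered file overrides scalar options in 50unattended-upgrades, but list options accumulate across files, which is why the script uses #clear before each list. APT_CONF_DIR can be pointed at a scratch directory to preview the result without root.

```shell
#!/bin/sh
# Added example, not from the original post: non-interactive setup of
# unattended-upgrades. APT_CONF_DIR defaults to the real apt.conf.d; set it
# to a scratch directory to preview the generated files without root.
set -eu

APT_CONF_DIR="${APT_CONF_DIR:-/etc/apt/apt.conf.d}"
ADMIN_MAIL="${ADMIN_MAIL:-root}"   # assumed recipient; override as needed

# Same file that "dpkg-reconfigure unattended-upgrades" writes when you answer
# yes; the values are intervals in days.
write_periodic_conf() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Local overrides in an assumed drop-in name. apt reads apt.conf.d/* in
# lexical order, so this file wins over 50unattended-upgrades for scalar
# options; list options accumulate across files, hence the #clear directives.
write_local_conf() {
    cat > "$1/52unattended-upgrades-local" <<EOF
// Ubuntu-style Allowed-Origins; Debian's stock file uses Origins-Pattern,
// but unattended-upgrades accepts either form on both distributions.
#clear Unattended-Upgrade::Allowed-Origins;
Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}-security";
};
// Never restart the database server behind our back.
#clear Unattended-Upgrade::Package-Blacklist;
Unattended-Upgrade::Package-Blacklist {
    "mysql-server";
};
Unattended-Upgrade::Mail "$ADMIN_MAIL";
Unattended-Upgrade::MailOnlyOnError "true";
// Kernel updates wait for a manual reboot. If you flip this to "true", also
// set Automatic-Reboot-Time (e.g. "02:00") to choose the maintenance window.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Read a scalar option back out of one file (a plain-text check; on a live
# host "apt-config dump | grep Automatic-Reboot" shows the merged result of
# every file in apt.conf.d, which is what unattended-upgrade actually sees).
conf_value() {
    sed -n "s/^$2 \"\(.*\)\";/\1/p" "$1"
}

# Write both files into the directory given as $1 and print the effective
# Automatic-Reboot value so the caller can confirm the policy.
configure() {
    mkdir -p "$1"
    write_periodic_conf "$1"
    write_local_conf "$1"
    conf_value "$1/52unattended-upgrades-local" Unattended-Upgrade::Automatic-Reboot
}

if [ "${1-}" = "--install" ]; then
    configure "$APT_CONF_DIR"
fi
```

Run it as root with --install to write the real files, then confirm the merged configuration with apt-config dump | grep Unattended-Upgrade and exercise the policy without changing anything via unattended-upgrade --dry-run --debug, which logs which packages would be installed and which are held back by the blacklist or origin filter.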

Only Notifications

If automatic security updates aren’t a good candidate for your system, you’ll still probably want to be notified when updates are available. apticron is a good package for this. After installing with apt-get install apticron, configure the mailing address in /etc/apticron/apticron.conf. Whenever updates are available for packages on your system, you will receive an e-mail with details.

Conclusion

Keeping servers patched with the latest security updates can be a bit of a hassle. However, in many cases, making use of automatic security updates can save time and mitigate the risk associated with having systems which aren’t patched on a regular basis. If nothing else, notifications of available updates should keep you apprised of any actions that you need to take in keeping your systems secure.

Conversation
  • Colin says:

    Very useful article. Thank you.

  • Marcos says:

    What will happen if I have configured it with no reboot option?

    As i see in your post “This could be potentially disruptive,”

    Am I screwed? Can it be undone? Is there any way to debug if the server will successfully reboot?

    • Justin Kulesza says:

      Hi Marcos,

      I say that the automatic reboot could be potentially disruptive because some systems need to be highly available. For these systems, having an unattended reboot could disrupt some ongoing operation. Or, for example, if a system is protected with full-disk encryption (FDE), a password may be required to decrypt the boot disk. If the system were to reboot automatically, no one may be present to enter the password, causing the system to remain offline.

      You can tweak the configuration options for this in the APT configuration file, /etc/apt/apt.conf.d/50unattended-upgrades by default, by setting the Unattended-Upgrade::Automatic-Reboot option to “false” (Unattended-Upgrade::Automatic-Reboot "false";).

      – Justin

  • dtooke says:

    My 12.04 system rebooted itself after installing automatic updates even though the default is not. I have now configured to false.

    • Justin Kulesza says:

      Hi dtooke,

      The default for 12.04 server installs should be for the automatic reboot to be disabled. Offhand, I don’t know if this is different for desktop/gui installs.

      If the unattended-upgrades package is installed interactively, it may prompt to ask whether the system should reboot automatically. This could alter the defaults.

      As I’m sure you found, you can check the configuration for this by looking at the Unattended-Upgrade::Automatic-Reboot section of the APT configuration file for unattended-upgrades, usually located at /etc/apt/apt.conf.d/50unattended-upgrades.

      – Justin

  • Tommy says:

    Do you know if it is possible to add some logic to unattended upgrades? For example: if there are security upgrades, before doing them run command ABC, proceed to do upgrades. If reboot is required, run command XYZ, then reboot. I was searching for something like that for a while today and didn’t come across anything.

    • Justin Kulesza says:

      Sadly, I’m not aware of any way to add logic to the unattended upgrades.

      If you figure it out, I’d be interested to hear what your solution is.

      – Justin

    • smoneck says:

      On systemd computers it is the file /usr/lib/apt/apt.systemd.daily.
      I think the code from line 421 on is what you are looking for.

  • Evgeny says:

    Hi Justin,

    I’m having both Ubuntu and Debian systems upgraded this way, and what I’ve mentioned is that Ubuntu installs a new kernel using this procedure, but so far I haven’t seen Debian do it as well. Do you have the same experience, and if yes, do you happen to know what the reason is?

    BR
    Evgeny
