nihilist - 15 / 02 / 2023

unattendedupgrades Setup

In this tutorial we're going to setup debian unattended upgrades so that packages are automatically updated on the system without needing any external help.

Initial Setup

[ 10.8.0.2/24 ] [ home ] [~]
→ apt install unattended-upgrades apt-listchanges -y

[ 10.8.0.2/24 ] [ home ] [~]
→ dpkg-reconfigure -plow unattended-upgrades

	

Then you can run the following command to run the unattended upgrade manually:

[ 10.8.0.2/24 ] [ home ] [~]
→ unattended-upgrade -d
Starting unattended upgrades script
Allowed origins are: origin=Debian,codename=bullseye,label=Debian, origin=Debian,codename=bullseye,label=Debian-Security, origin=Debian,codename=bullseye-security,label=Debian-Security
Initial blacklist:
Initial whitelist (not strict):
Marking not allowed  with -32768 pin
Marking not allowed  with -32768 pin
Marking not allowed  with -32768 pin
Applying pinning: PkgFilePin(id=6, priority=-32768)
Applying pin -32768 to package_file: 
Applying pinning: PkgFilePin(id=5, priority=-32768)
Applying pin -32768 to package_file: 
Applying pinning: PkgFilePin(id=4, priority=-32768)
Applying pin -32768 to package_file: 
Using (^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^linux-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^kfreebsd-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^gnumach-.*-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-modules-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$|^.*-kernel-[1-9][0-9]*\.[0-9]+\.[0-9]+-[0-9]+(-.+)?$) regexp to find kernel packages
Using (^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$|^linux-.*-5\.10\.0\-20\-amd64$|^linux-.*-5\.10\.0\-20$|^kfreebsd-.*-5\.10\.0\-20\-amd64$|^kfreebsd-.*-5\.10\.0\-20$|^gnumach-.*-5\.10\.0\-20\-amd64$|^gnumach-.*-5\.10\.0\-20$|^.*-modules-5\.10\.0\-20\-amd64$|^.*-modules-5\.10\.0\-20$|^.*-kernel-5\.10\.0\-20\-amd64$|^.*-kernel-5\.10\.0\-20$) regexp to find running kernel packages
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
Packages blacklist due to conffile prompts: []
No packages found that can be upgraded unattended and no pending auto-removals
Extracting content from /var/log/unattended-upgrades/unattended-upgrades-dpkg.log since 2023-02-15 21:00:54
	

Then you can check if it works with apt:

[ 10.8.0.2/24 ] [ home ] [~]
→ apt upgrade -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
	

no packages to be changed, which means the packages are up to date.

OPTIONAL: To make sure your server reboots every day to refresh the services (because the service stays the same even when packages are upgraded, until its restarted) do so with cron:

crontab -e

0 0 * * * reboot												#restart the server everyday at midnight
#0 0 * * * systemctl isolate rescue; systemctl isolate default	#forcefully restart all systemd services (careful it may break services)