dark
2K
3K
2K
Hand-Picked Top-Read Stories
Trending Tags
2.5K views
4 minute read

How To Configure Automatic Updates On Debian

Ian Tobin
27 February 2023
Debian Logo Header
Total
1
Shares
0
0
1
0
0
0
0
0

Keeping your OS up to date is essential in the fight against attackers. Maintaining updates can be a mundane task, especially where there are a lot of servers to manage. For Debian, updating can be made very simple with the use of automatic updates. By default automatic updates are not enabled unless you are using Gnome, so in this tutorial you will learn how to configure automatic updates on Debian.

The journey of a thousand miles begins with one step.

Lao Tzu
Table of Contents
  1. Requirements
  2. Before You Begin
  3. Step 1: Install Automatic Updates
  4. Step 2: Removing Unused Dependencies
  5. Step 3: Blacklisting Packages
  6. Step 4: Enabling Automatic Updates on Debian
  7. Step 5: Testing Automatic Updates on Debian

Requirements

  • You will need root access to the Debian OS.
  • Your OS should be supported (at least Debian 10)

We always advise keeping to the latest operating system, currently Debian 11. If you miss upgrade paths, i.e from Debian 9 to 11, then sometimes the upgrade process is a lot harder. For purpose of this tutorial we will be using Debian 11.

If you want to try out Debian then you can simply spin up a Virtual Private Server with us, the server will be available within minutes.

For Debian distribution information you can visit the Debian website

Before You Begin

Lets get apt up to date, if we do not do this then the package may not be available when we try to install it. Login to SSH using root and running the following:

apt update && apt upgrade

Step 1: Install Automatic Updates

First of all, we need to download and install the unattended-upgrades package:

apt install unattended-upgrades

During the install process, apt will prompt to continue, if you are happy please enter ‘Y

Once the install has completed, we can now start the unattended-upgrades service by running the following

systemctl enable unattended-upgrades
systemctl start unattended-upgrades

This will make sure the service is running, and will also ensure the service is running after a reboot.

Now lets look at the configuration file /etc/apt/apt.conf.d/50unattended-upgrades

vi /etc/apt/apt.conf.d/50unattended-upgrades

The contents of the file should look like the following, with more available scrolling down within you editor. Anything with // in front of it means its commented out and wont be included in the configuration:

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Debian", "Debian-Security")
//   o,origin        (eg, "Debian", "Unofficial Multimedia Packages")
//   n,codename      (eg, "jessie", "jessie-updates")
//     site          (eg, "http.debian.net")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "buster")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
//      "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

...

Step 2: Removing Unused Dependencies

You can configure unattended-upgrades service to remove any unused dependencies by changing the settings in /etc/apt/apt.conf.d/50unattended-upgrades. We simply need to uncomment the lines removing // as follows:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Step 3: Blacklisting Packages

If you want to block updates for any packages, such as Apache2 then the Unattended-Upgrade::Package-Blacklist section of the configuration file allows you to block these from updating.

To block updates for specific pacakges, then add the pacakage names to the list. In this example we will use Exim4 and Apache2.

Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";
    "apache2";
    "exim4";
    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

...

We do not advise blocking any package updates as this could cause potential dependency problems later on.

Step 4: Enabling Automatic Updates on Debian

To enable automatic updates you need to ensure that the apt configuration file contains to the correct setting. Lets open the config file

vi /etc/apt/apt.conf.d/20auto-upgrades

This file lets you define how often the automatic updates will run:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
  • Update-Package-Lists1 enables auto-update, 0 disables.
  • Unattended-Upgrade1 enables auto-upgrade, 0 disables.

Lets add another line to enable autocleanup of updates:


APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "21";
  • AutocleanInterval: Enables auto cleanup of packages. The above configuration is set for 21 days

Step 5: Testing Automatic Updates on Debian

You can carry out a dry run test on the configuration. The test run an update, but no changes are made to the system.

unattended-upgrades --dry-run --debug

With everything now set, we have learned how to configure automatic updates on Debian. Remember to do this on all your servers, it only takes one server that is insecure to allow attackers into your network.

Total
1
Shares
Share 0
Tweet 0
Pin it 1
Share 0
Share 0
Share 0
Share 0
Share 0
Leave a Reply
Previous Post
CentOS Logo Header

How To Configure Automatic Updates On CentOS

byIan Tobin
27 February 2023
Next Post
Teams Logo Header

Modern Work Superheroes | Viva Learning Video + February News

byJames Dean
28 February 2023
Related Posts