Debian and Ubuntu are excellent operating systems with (very) long-term support and product updates, which makes them popular here for some of our internal and externally facing services.

As someone famous probably said: If you have to do something more than once - script it. To that end we are avid users of Debian and Ubuntu's automatic update feature.

To get going first install unattended-upgrades:

sudo apt install unattended-upgrades

Then reconfigure it so that upgrades are actually installed unattended:

sudo dpkg-reconfigure --priority=low unattended-upgrades

You'll be asked whether to automatically download and install stable updates; select Yes.

Next we'll configure how often the periodic apt jobs run. dpkg-reconfigure has already written the first and last of these lines to /etc/apt/apt.conf.d/20auto-upgrades; edit the file so it reads as follows (each value is an interval in days, 0 disables the job):

// Refresh the package lists daily
APT::Periodic::Update-Package-Lists "1";
// Download upgradable packages daily, ahead of the upgrade run
APT::Periodic::Download-Upgradeable-Packages "1";
// Run apt-get autoclean every 7 days
APT::Periodic::AutocleanInterval "7";
// Run the unattended-upgrade script daily
APT::Periodic::Unattended-Upgrade "1";

Edit /etc/apt/apt.conf.d/50unattended-upgrades

And set the following properties:

// Reboot automatically, but only when an upgraded package (kernel, libc,
// systemd, ...) has flagged it by creating /var/run/reboot-required
Unattended-Upgrade::Automatic-Reboot "true";
// Schedule that reboot for 02:00 instead of rebooting straight after the upgrade
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
// Remove old kernels and dependencies that nothing needs any more
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

With that configured, the apt-daily-upgrade timer runs unattended-upgrade once a day (around 06:00 plus a random delay of up to an hour on systemd hosts, as the timestamps in the sample mail at the end show), installs the pending security updates, cleans up unused packages and, if one of the upgraded packages requires it, reboots the host at the next 02:00.

By default only security updates are installed. To install the other Ubuntu updates and third-party packages as well, we've got a little more work to do.

Enabling updates of third-party and other system packages

The origins whose packages are upgraded automatically are listed in /etc/apt/apt.conf.d/50unattended-upgrades under Unattended-Upgrade::Allowed-Origins. The file ships with entries for:

  • Important security updates (distro-security)
  • Recommended updates (distro-updates)
  • Pre-released updates (distro-proposed)
  • Unsupported updates (distro-backports)

Only the -security entry is enabled by default. Uncomment the others you want installed automatically; -proposed and -backports are unsupported and are best left disabled on production hosts.

e.g. we use:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
    "${distro_id}:${distro_codename}-updates";
};

To add third-party repositories, first discover the origin and archive labels their release files carry, using:

apt-cache policy

Each source prints a "release" line. The one for MongoDB's repo is:

release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64

Another example, for Ubiquiti's repo, is:

release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64

Take the o= field (the origin) and the a= field (the archive); an Allowed-Origins entry is written as origin:archive, and an origin containing spaces or commas is fine as long as the whole entry is quoted. Back in 50unattended-upgrades add a second block; apt config lists accumulate, so this appends to the Ubuntu entries above rather than replacing them (Unattended-Upgrade::Origins-Pattern is the alternative if you need to match on more than origin and archive, such as the label or codename):

Unattended-Upgrade::Allowed-Origins {
    "mongodb:xenial";
    "Ubiquiti Networks, Inc.:stable";
};

To test your changes, perform a dry run with:

sudo unattended-upgrade --debug --dry-run

Nothing is installed, and the "Allowed origins are:" line in the debug output should now list the third-party entries alongside the Ubuntu ones.
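The origin discovery above can be done mechanically. The following POSIX shell script is an added example and is not code from the original post or from the unattended-upgrades project: it reads apt-cache policy output, keeps only the release lines, extracts the o= and a= fields and prints them in the form Allowed-Origins expects. The sample input is constructed for the example; it reuses the MongoDB and Ubiquiti release lines shown above and adds Ubuntu lines, whose v= field precedes o= as it does on real systems, and the function names policy_to_origins and allowed_origins_block are chosen here rather than taken from any tool.

```shell
#!/bin/sh
# Added example, not from the original post: build Allowed-Origins entries
# from `apt-cache policy` output. Function names are chosen for this example.

# Reads apt-cache policy output on stdin and prints one quoted
# "origin:archive"; entry per distinct source. Only the "release ..." lines
# are used; any fields before "o=" (Ubuntu prints "v=18.04," first) are
# skipped, and the archive is matched from the right so that an origin that
# itself contains commas, such as "Ubiquiti Networks, Inc.", stays intact.
policy_to_origins() {
    sed -En 's/^ *release ([^,]*,)*o=(.*),a=([^,]*),.*$/"\2:\3";/p' | LC_ALL=C sort -u
}

# Wraps the entries in a block that can be appended to
# /etc/apt/apt.conf.d/50unattended-upgrades. Entries that duplicate the
# ${distro_id} ones already in the file are harmless but can be dropped.
allowed_origins_block() {
    echo 'Unattended-Upgrade::Allowed-Origins {'
    policy_to_origins | sed 's/^/    /'
    echo '};'
}

# Constructed sample of `apt-cache policy` output. The MongoDB and Ubiquiti
# release lines are the ones quoted in the post; the Ubuntu lines, the
# "500 http" lines and the repository hosts are made up for this example.
SAMPLE_POLICY=' 500 http://archive.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     release v=18.04,o=Ubuntu,a=bionic-security,n=bionic,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
     release v=18.04,o=Ubuntu,a=bionic-security,n=bionic,l=Ubuntu,c=universe,b=amd64
     origin archive.ubuntu.com
 500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages
     release v=18.04,o=Ubuntu,a=bionic,n=bionic,l=Ubuntu,c=main,b=amd64
     origin archive.ubuntu.com
 500 http://repo.example.org/mongodb xenial/mongodb-org/4.0/multiverse amd64 Packages
     release o=mongodb,a=xenial,n=xenial/mongodb-org,l=mongodb,c=multiverse,b=amd64
     origin repo.example.org
 500 http://repo.example.org/unifi stable/ubiquiti amd64 Packages
     release o=Ubiquiti Networks, Inc.,a=stable,n=unifi-5.12,l=Ubiquiti Networks, Inc.,c=ubiquiti,b=amd64
     origin repo.example.org'

# On a real host:  apt-cache policy | allowed_origins_block
printf '%s\n' "$SAMPLE_POLICY" | allowed_origins_block
```

Run on the constructed sample this prints a block with four entries: the two Ubuntu archives (deduplicated across the main and universe components), "mongodb:xenial" and "Ubiquiti Networks, Inc.:stable". Splitting the release line on commas would have cut the Ubiquiti origin in half; anchoring on the last ",a=" avoids that.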

Enabling e-mail notifications

To enable email notifications, first add the recipient to /etc/apt/apt.conf.d/50unattended-upgrades, where the address is of course your own:

Unattended-Upgrade::Mail "user@boxpeg.com";

Next install a command-line mail client. On Ubuntu, bsd-mailx depends on the default MTA, which is Postfix, so that is pulled in automatically if no MTA is present:

sudo apt install bsd-mailx

On Debian the default MTA is Exim, so ask for Postfix explicitly:

sudo apt install bsd-mailx postfix

When the Postfix configuration prompt appears, choose "Satellite system" so that all outbound mail is handed to your SMTP relay rather than delivered directly.

In our case the answers to the system mail name and SMTP relay host prompts are:

  • boxpeg.com
  • mail.boxpeg.com

Open or create the /etc/postfix/sasl_passwd file and add your destination (SMTP relay host), port, username and password in the following format. The key at the start of the line must be identical, brackets and port included, to the relayhost value in /etc/postfix/main.cf (check with postconf relayhost); if the prompt left relayhost as plain mail.boxpeg.com, set relayhost = [mail.boxpeg.com]:587 so that submission over port 587 is used and the key matches:

[mail.boxpeg.com]:587 user@boxpeg.com:mysecretpassword

Create the lookup table for Postfix by running postmap:

postmap /etc/postfix/sasl_passwd

You should now have both /etc/postfix/sasl_passwd and the /etc/postfix/sasl_passwd.db lookup table:

ls -l /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Neither file is encrypted: the .db is a plain Berkeley DB table and contains the password in clear, exactly like the source file. Protect both by making them readable only by root, and keep the source file, since postmap needs it to rebuild the table whenever the password changes:

chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db

Add to /etc/postfix/main.cf:

# Require TLS to the relay instead of merely offering it, so the SASL
# credentials are never sent over a plaintext session
smtp_tls_security_level = encrypt
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous

The older smtp_use_tls = yes is obsolete and only enables opportunistic TLS, which would fall back to sending the password in clear if STARTTLS failed; with the encrypt level Postfix defers the mail instead. If your relay presents a certificate signed by a CA in the system store, smtp_tls_security_level = secure together with smtp_tls_CAfile additionally verifies the relay's identity.

On some systems we had to change the line below:

mydestination = boxpeg.com, $myhostname, myserver, localhost.localdomain, localhost

To:

mydestination = $myhostname, myserver.boxpeg.com, localhost.boxpeg.com, localhost

The reason is that a domain listed in mydestination is treated as local: with boxpeg.com in the list, Postfix delivered mail for user@boxpeg.com to a local mailbox and it never reached the relay.
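Before firing a test mail it is worth checking the three things that most often break this relay setup: the lookup key in sasl_passwd not matching relayhost exactly, the credential files being readable by other users, and the recipient's domain sitting in mydestination so that Postfix delivers locally instead of relaying. The following POSIX shell function is an added example, not part of the original post or of Postfix; the name check_relay_setup and the throwaway file built for the demo are constructed for this example. On a real host you would feed it the output of postconf -h relayhost and postconf -xh mydestination, the address from Unattended-Upgrade::Mail, and /etc/postfix/sasl_passwd.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the Postfix
# SASL relay configuration described above. The function name and the demo
# file at the bottom are constructed for this example.

# check_relay_setup RELAYHOST MYDESTINATION RECIPIENT SASL_PASSWD_FILE
# Returns 0 if every check passes, 1 otherwise, printing each failure to stderr.
check_relay_setup() {
    relayhost=$1
    mydestination=$2
    recipient=$3
    passwd_file=$4
    rc=0

    if [ ! -f "$passwd_file" ]; then
        echo "FAIL: $passwd_file does not exist" >&2
        return 1
    fi

    # 1. The lookup key must equal relayhost byte for byte, brackets and port
    #    included: "[mail.boxpeg.com]:587" and "mail.boxpeg.com:587" are
    #    different keys, and a key Postfix never looks up is a silent failure.
    found=0
    while IFS=' ' read -r key creds || [ -n "$key" ]; do
        [ "$key" = "$relayhost" ] || continue
        found=1
        case $creds in
            *:*) ;;
            *) echo "FAIL: credentials for $key are not in user:password form" >&2; rc=1 ;;
        esac
    done < "$passwd_file"
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no line in $passwd_file starts with relayhost '$relayhost'" >&2
        rc=1
    fi

    # 2. postmap copies the password into the .db in clear; neither file is
    #    encrypted, so both must be unreadable by anyone but the owner (0600).
    for f in "$passwd_file" "$passwd_file.db"; do
        [ -e "$f" ] || continue
        case $(ls -ld "$f" | cut -c1-10) in
            -rw-------|-r--------) ;;
            *) echo "FAIL: $f is readable by other users; chmod 600 it" >&2; rc=1 ;;
        esac
    done

    # 3. A domain listed in mydestination is local to Postfix: mail for it goes
    #    to a local mailbox and never reaches the relay.
    domain=${recipient##*@}
    for d in $(printf '%s\n' "$mydestination" | tr ',' ' '); do
        if [ "$d" = "$domain" ]; then
            echo "FAIL: $domain is in mydestination, so mail to $recipient is delivered locally, not relayed" >&2
            rc=1
        fi
    done

    return $rc
}

# Demo on a constructed file (not /etc/postfix): all three checks should pass.
demo_dir=$(mktemp -d)
printf '[mail.boxpeg.com]:587 user@boxpeg.com:mysecretpassword\n' > "$demo_dir/sasl_passwd"
chmod 600 "$demo_dir/sasl_passwd"
check_relay_setup '[mail.boxpeg.com]:587' '$myhostname, localhost' 'user@boxpeg.com' "$demo_dir/sasl_passwd" \
    && echo "relay setup looks sane"
rm -rf "$demo_dir"

# On a real host:
#   check_relay_setup "$(postconf -h relayhost)" "$(postconf -xh mydestination)" \
#       user@boxpeg.com /etc/postfix/sasl_passwd
```

Each failure is reported separately so that one run shows everything that needs fixing; the mydestination check is the one that explains the change to that line above.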

Testing e-mail

To fire a test email simply run from the command line:

echo "This is a test email body." | mail -s "Subject" -a "From: myhost@boxpeg.com" user@boxpeg.com

With all the above done you'll receive a handy email describing what's been updated and whether any issues occurred:

Unattended upgrade returned: True

Packages that were upgraded:
 base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd 
 systemd-sysv udev unifi 

Package installation log:
Log started: 2019-08-07  06:30:15
Preparing to unpack .../base-files_10.1ubuntu2.6_amd64.deb ...
...

Unattended-upgrades log:
Initial blacklisted packages: 
Initial whitelisted packages: 
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates, o=mongodb,a=xenial, o=Ubiquiti Networks, Inc.,a=stable
Packages that will be upgraded: base-files libnss-systemd libpam-systemd libsystemd0 libudev1 systemd systemd-sysv udev unifi
Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
All upgrades installed