
ubuntu automatic package updates

2012/08/12, updated 2013/10/12

tags: ubuntu

For many situations (desktops, laptops) automatic package upgrades can be a security improvement.

Required packages:

Automatic package updates can then be enabled by running:

root@ubuntu:~# dpkg-reconfigure -plow unattended-upgrades

Programmatically (more suitable for automated use, for example with Puppet), we can use debconf-get-selections(1) and debconf-set-selections(1). To check the current value:

alice@ubuntu:~$ debconf-get-selections | grep '^unattended-upgrades'

This should be set to true to enable this functionality:

root@ubuntu:~# echo 'unattended-upgrades unattended-upgrades/enable_auto_updates boolean true' \
    | debconf-set-selections

The action is performed once per day by /etc/cron.daily/apt, which calls unattended-upgrade(8). If you run the apt cron job by hand, note that there is a randomized delay of up to 30 minutes before it does anything (to avoid overloading repository servers at the top of every hour). You can change this delay by editing the apt variable APT::Periodic::RandomSleep; see the next section for how to do that.

Configuration

Configuration variables for the periodic Advanced Package Tool services are set in the file /etc/apt/apt.conf.d/10periodic. By default only the package lists are updated. At the very least, to enable unattended upgrades you will need to set APT::Periodic::Unattended-Upgrade to 1.

My preferred configuration is as follows:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

"Update package lists but only download packages when required. Perform unattended upgrades. Automatically remove downloaded packages from the cache once per week." Download-Upgradeable-Packages is useful for packages that must be manually upgraded: this way the .deb should already be waiting for you in the cache when the time comes to upgrade.

Tuning

The unattended-upgrade(8) script can in turn be tuned by editing /etc/apt/apt.conf.d/50unattended-upgrades. By default only security packages are automatically upgraded. For laptops and desktops it may make sense to add the -updates pocket to Unattended-Upgrade::Allowed-Origins:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};

My other favorite (non-default) configuration settings are:

Unattended-Upgrade::Mail "root@localhost";
Unattended-Upgrade::MailOnlyOnError "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Acquire::http::Dl-Limit "255";

"Email root only if there's an error, remove (new) unused dependencies after automatic upgrades and limit package downloads to 255kb/s". The configuration file is well-commented.

Logging

General logging is written to /var/log/unattended-upgrades/unattended-upgrades.log. Updates are performed by dpkg(1) and output from that command is written to /var/log/unattended-upgrades/unattended-upgrades-dpkg_*.log.
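A failed run only shows up in that log if somebody reads it. The following functions, added here as an example and not part of the original post, pull the ERROR and WARNING lines and the upgraded package names out of the unattended-upgrades log so they can be mailed to root like the other cron scripts on this page. It assumes the usual log line shape "YYYY-MM-DD HH:MM:SS,mmm LEVEL message" written by unattended-upgrade(8); the sample log is constructed, and the INFO message text matched may differ between versions.

```shell
#!/bin/bash -eu
# Added example, not part of the original post: surface failures from
# /var/log/unattended-upgrades/unattended-upgrades.log.
# Assumes lines look like "YYYY-MM-DD HH:MM:SS,mmm LEVEL message".

# Count ERROR lines, WARNING lines and upgrade runs in a log file.
# Prints one line: errors=<n> warnings=<n> upgrade_runs=<n>
summarize_upgrade_log() {
  errors=$(grep -c ' ERROR ' "$1" || true)
  warnings=$(grep -c ' WARNING ' "$1" || true)
  runs=$(grep -c 'Packages that will be upgraded:' "$1" || true)
  echo "errors=$errors warnings=$warnings upgrade_runs=$runs"
}

# Print only the ERROR/WARNING lines (the part worth mailing to root).
problem_lines() {
  grep -E ' (ERROR|WARNING) ' "$1" || true
}

# Print the packages named on "Packages that will be upgraded:" lines,
# one per line, so the mail can say what actually changed.
upgraded_packages() {
  sed -n 's/.*Packages that will be upgraded: //p' "$1" \
    | tr ' ' '\n' | grep -v '^$' || true
}

# Constructed sample log (not a real capture) for a stand-alone run.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2013-10-12 06:34:12,345 INFO Initial blacklisted packages:
2013-10-12 06:34:12,346 INFO Starting unattended upgrades script
2013-10-12 06:34:12,347 INFO Allowed origins are: ['o=Ubuntu,a=precise-security']
2013-10-12 06:34:20,001 INFO Packages that will be upgraded: libssl1.0.0 openssl
2013-10-12 06:34:55,122 WARNING Package libssl1.0.0 has conffile prompt and needs to be upgraded manually
2013-10-12 06:34:58,900 ERROR Installing the upgrades failed!
EOF

summarize_upgrade_log "$sample_log"   # errors=1 warnings=1 upgrade_runs=1
problem_lines "$sample_log"
upgraded_packages "$sample_log"
rm -f "$sample_log"
```

In a /etc/cron.daily script, point the functions at the real log and pipe the output of problem_lines to mailx as the scripts below do, so that only runs with problems generate mail.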

No package left behind

It's useful for the admin to know about packages that could be upgraded outside of those archives configured for automatic upgrades. Ubuntu ships with a package called apticron that does most of the work for you and provides a useful changelog listing in its report but it has a few small problems:

Manual upgrades such as the one in the last bullet above can be handled by first forcibly removing the existing package and then installing the exact version required:

root@ubuntu:~# dpkg -r --force-depends pkg
root@ubuntu:~# apt-get install pkg=version

You can find all packages that may be updated, including manual updates like the one above, by running:

alice@ubuntu:~$ apt-show-versions -u

So if you want to know about all upgradeable packages, then instead of apticron you can put the following script in /etc/cron.daily/upgradeable-versions; it sends email to root whenever there are packages that may be upgraded. It runs after the cache updates and automatic upgrades have been performed, courtesy of the filename sorting done by run-parts(8).

#!/bin/bash -e
# The cache is refreshed by /etc/cron.daily/apt-show-versions.
# Query for upgradeable versions of packages:
upgradeable_versions=$(apt-show-versions -u)
# Send mail only if possible upgrades were found:
if [[ -n $upgradeable_versions ]] ; then
  echo "$upgradeable_versions" | \
    mailx -s "Upgradeable packages on $(hostname)" root
fi
exit 0

Required reboots

Some updates (such as kernel upgrades) may require a system reboot at the earliest opportunity. Typically Ubuntu indicates this either by a desktop notification or via Landscape. Unless you are regularly logging in to all of your machines this is not very helpful.

These alerts are triggered by the presence of the file /var/run/reboot-required, and a list of the packages for which the reboot is required is recorded in /var/run/reboot-required.pkgs. Using this information we can drop another short script into /etc/cron.daily to notify us by email:

#!/bin/bash -eu
# Mail root the reboot notice and, if present, the list of packages
# that triggered it. A grouped command replaces the eval'd string.
if [[ -e /var/run/reboot-required ]] ; then
  {
    cat /var/run/reboot-required
    if [[ -e /var/run/reboot-required.pkgs ]] ; then
      echo 'The following packages were upgraded:'
      cat /var/run/reboot-required.pkgs
    fi
  } | mailx -s "$(hostname): reboot required" root
fi
exit 0

Summary: recommended steps