
Automating server updates on Debian / Ubuntu

In this article I will try to summarise the existing ways of automating updates on servers running Debian or Ubuntu.



Do we need it?



Of course, if you have only one "server" that nobody but you or your neighbour uses, keeping up with updates is simple enough. When it comes to dozens or hundreds of servers, keeping them all up to date becomes an obvious problem.



Updates with patches for Debian / Ubuntu come out almost every day, and keeping track of all of them is not easy. This is where the programs described below come in handy.



apticron



apticron is a simple script that sends a daily e-mail with information about available updates. All it needs in order to work is our e-mail address in its settings file, /etc/apticron/apticron.conf:

EMAIL="mail@example.com"



A message from apticron is quite informative and looks like this:

apticron report [Thu, 06 Aug 2009 16:15:24 +0300]

========================================================================



apticron has detected that some packages need upgrading on:



example.com

[ 127.0.1.1 192.168.0.1 ]



The following packages are currently pending an upgrade:



acpid 1.0.4-5etch1

apache2-utils 2.2.3-4+etch10



========================================================================



Package Details:



Reading changelogs...

--- Changes for acpid ---

acpid (1.0.4-5etch1) oldstable-security; urgency=high



* Added upstream's patch to fix CVE-2009-0798



-- Michael Meskes <meskes@debian.org> Wed, 29 Apr 2009 12:26:56 +0200



--- Changes for apache2 (apache2-utils) ---

apache2 (2.2.3-4+etch10) oldstable-security; urgency=low



* Fix regression: A segfault could happen in mod_deflate in conjunction with

mod_php when a client aborts the connection.



-- Stefan Fritsch <sf@debian.org> Wed, 29 Jul 2009 11:39:06 +0200



========================================================================



You can perform the upgrade by issuing the command:



aptitude dist-upgrade



as root on example.com



It is recommended that you simulate the upgrade first to confirm that

the actions that would be taken are reasonable. The upgrade may be

simulated by issuing the command:



aptitude -s -y dist-upgrade



-- apticron



From the message it is clear that acpid and apache2-utils need to be updated. In addition, the message includes the changelog entries for the pending versions, which is very convenient when you do not get this information from other sources (for example, the debian-security-announce mailing list). Note that apticron only reports: nothing is installed until an administrator runs the suggested aptitude dist-upgrade on the host, ideally after the simulated run with -s that the message recommends.
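With dozens of hosts, reading each apticron message by hand stops scaling, and the report is plain text, so it can be parsed. The following Python script is an added example (it is not part of the original article, nor code from apticron): it takes one apticron report, extracts the host name and the pending packages with their versions, attaches the suite, urgency and any CVE identifiers found in the changelog section to each package, and orders the result so that CVE fixes and urgency=high entries come first. The report text is a constructed sample shaped like the message quoted above; the field names and the triage order are my own choices.

```python
import re
from dataclasses import dataclass, field

# Constructed sample shaped like the apticron report quoted above
# (apticron indents host and package lines with a tab).
SAMPLE_REPORT = """\
apticron report [Thu, 06 Aug 2009 16:15:24 +0300]
========================================================================

apticron has detected that some packages need upgrading on:

\texample.com
\t[ 127.0.1.1 192.168.0.1 ]

The following packages are currently pending an upgrade:

\tacpid 1.0.4-5etch1
\tapache2-utils 2.2.3-4+etch10

========================================================================

Package Details:

Reading changelogs...
--- Changes for acpid ---
acpid (1.0.4-5etch1) oldstable-security; urgency=high

  * Added upstream's patch to fix CVE-2009-0798

 -- Michael Meskes <meskes@debian.org>  Wed, 29 Apr 2009 12:26:56 +0200

--- Changes for apache2 (apache2-utils) ---
apache2 (2.2.3-4+etch10) oldstable-security; urgency=low

  * Fix regression: A segfault could happen in mod_deflate in conjunction with
    mod_php when a client aborts the connection.

 -- Stefan Fritsch <sf@debian.org>  Wed, 29 Jul 2009 11:39:06 +0200

========================================================================
"""

CHANGES_HDR = re.compile(r"^--- Changes for (\S+)(?: \(([^)]+)\))? ---$", re.M)
ENTRY_HDR = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=(\w+)", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
URGENCY_RANK = {"emergency": 0, "critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class PendingUpgrade:
    name: str
    version: str
    suite: str = ""
    urgency: str = ""
    cves: list = field(default_factory=list)


def parse_apticron_report(text):
    """Return (hostname, {binary package: PendingUpgrade}) for one report."""
    lines = text.splitlines()
    host, pending = "", {}
    for idx, line in enumerate(lines):
        if line.endswith("need upgrading on:"):
            host = next((ln.strip() for ln in lines[idx + 1:] if ln.strip()), "")
        elif line.endswith("pending an upgrade:"):
            for entry in lines[idx + 1:]:
                entry = entry.strip()
                if entry.startswith("===="):
                    break
                if entry:
                    name, _, version = entry.partition(" ")
                    pending[name] = PendingUpgrade(name, version.strip())
    # Changelog headers name the source package and, in parentheses, the
    # pending binary package(s) built from it; attach suite/urgency/CVEs.
    headers = list(CHANGES_HDR.finditer(text))
    for k, hdr in enumerate(headers):
        end = headers[k + 1].start() if k + 1 < len(headers) else len(text)
        block = text[hdr.start():end]
        entry = ENTRY_HDR.search(block)
        cves = sorted(set(CVE_RE.findall(block)))
        for binary in re.split(r"[\s,]+", hdr.group(2) or hdr.group(1)):
            pkg = pending.get(binary)
            if pkg is None:
                continue
            if entry:
                pkg.suite, pkg.urgency = entry.group(3), entry.group(4)
            pkg.cves = cves
    return host, pending


def prioritize(pending):
    """Triage order across hosts: CVE fixes first, then by urgency, then by name."""
    return sorted(pending.values(),
                  key=lambda p: (0 if p.cves else 1, URGENCY_RANK.get(p.urgency, 9), p.name))


if __name__ == "__main__":
    host, pending = parse_apticron_report(SAMPLE_REPORT)
    for p in prioritize(pending):
        print(f"{host}: {p.name} {p.version} ({p.suite}, urgency={p.urgency}) {' '.join(p.cves)}")
```

Feeding every report from your mailbox through parse_apticron_report and concatenating the results gives one fleet-wide list where an entry such as acpid (urgency=high, CVE-2009-0798) sorts ahead of a low-urgency regression fix, which is the order in which you would want to schedule the manual dist-upgrade runs.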


cron-apt



cron-apt is a more advanced utility that, besides reporting available updates, can also download and install them. By default cron-apt only downloads updates and does not install them; installation has to be enabled explicitly by adding an action under /etc/cron-apt/action.d/. To receive messages, specify our e-mail address in /etc/cron-apt/config and say under which conditions messages should be sent:

MAILTO="mail@example.com"

MAILON="always"



Here is an example of a letter from cron-apt:

CRON-APT RUN [/etc/cron-apt/config]: Wed Jul 29 04:00:01 EEST 2009

CRON-APT SLEEP: 1172, Wed Jul 29 04:19:33 EEST 2009

CRON-APT ACTION: 0-update

CRON-APT LINE: /usr/bin/apt-get update -o quiet=2

CRON-APT ACTION: 3-download

CRON-APT LINE: /usr/bin/apt-get autoclean -y

Reading package lists...

Building dependency tree...

Reading state information...

CRON-APT LINE: /usr/bin/apt-get dist-upgrade -d -y -o APT::Get::Show-Upgraded=true

Reading package lists...

Building dependency tree...

Reading state information...

The following packages will be upgraded:

dbus dbus-x11 dhcp3-client dhcp3-common libdbus-1-3

5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Need to get 0B/957kB of archives.

After this operation, 8192B disk space will be freed.

Download complete and in download only mode


We can see that cron-apt downloaded, but did not install (!), the updates for dbus and dhcp.



unattended-upgrades



unattended-upgrades is a further script for working with apt, developed by Canonical. In contrast to the two utilities described above, unattended-upgrades only installs updates; it does not report them (more on that below). To enable automatic updating of the system, first specify in the settings file /etc/apt/apt.conf.d/50unattended-upgrades exactly what we want to update:

// allowed (origin, archive) pairs

Unattended-Upgrade::Allowed-Origins {

"Debian stable Debian-Security";

};



// never update the packages in this list

Unattended-Upgrade::Package-Blacklist {

// "vim";

};



Additionally, in the Unattended-Upgrade::Package-Blacklist section you can list packages that must never be upgraded automatically; in this example vim is listed but commented out. The Allowed-Origins entries are what keep automatic installation limited to the security archive and stable point updates. If you widen them to include backports or third-party repositories, you are also letting those repositories change your servers without review. Newer releases of unattended-upgrades express the same selection with Unattended-Upgrade::Origins-Pattern entries, but the principle is the same.



After that, you need to tell apt that we want to run unattended-upgrades periodically. To do this, create the file /etc/apt/apt.conf.d/10periodic and add the following lines:

APT::Periodic::Update-Package-Lists "1";

APT::Periodic::Download-Upgradeable-Packages "1";

APT::Periodic::AutocleanInterval "1";

APT::Periodic::Unattended-Upgrade "1";



The values are intervals in days ("0" disables an action). As a result we get a daily update of the package lists, a download of available updates, removal from the cache of .deb files that can no longer be downloaded (apt-get autoclean) and, most importantly, automatic installation of the packages.



unattended-upgrades has one small drawback: it tells no one (apart from the log file) what it actually did. To learn what it updated, you can use logrotate's ability to mail log files. (Newer versions add an Unattended-Upgrade::Mail setting that sends a report directly, which makes this workaround unnecessary.) To do this, put the following lines in the /etc/logrotate.d/unattended-upgrades file:

/var/log/unattended-upgrades/unattended-upgrades.log {

rotate 7

daily

mailfirst

mail mail@example.com

compress

missingok

notifempty

}



As a result, we receive by e-mail a copy of the log file with information about the updates:

2009-08-01 17:50:57,596 INFO Initial blacklisted packages:

2009-08-01 17:50:57,596 INFO Starting unattended upgrades script

2009-08-01 17:50:57,596 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]

2009-08-01 17:51:08,294 INFO Packages that are upgraded: libbind9-40 libisc45 libisccfg40 dnsutils libtiff4 liblwres40 bind9-host libisccc40 libdns45

2009-08-01 17:51:08,294 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2009-08-01_17:51:08.294492.log'

2009-08-01 17:51:11,169 INFO All upgrades installed



As the log shows, the details (the dpkg output) are written to a separate file: unattended-upgrades-dpkg_2009-08-01_17:51:08.294492.log.
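Because unattended-upgrades reports nothing itself, the log is the only record of what each run did, and a mailed copy is only useful if someone actually checks that every run finished. The following Python script is an added example (not part of the original article, nor code from unattended-upgrades): it splits the run log into one record per run, collects the upgraded packages and the dpkg log path, and flags runs that did not end with "All upgrades installed" or that logged warnings, such as a package held back by a conffile prompt. The log text is a constructed sample: the run quoted above followed by an invented incomplete run; the WARNING line and the Run fields are my assumptions about the log, not something the article shows.

```python
import re
from dataclasses import dataclass, field

LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ (\w+) (.*)$")
CONFFILE_RE = re.compile(r"package '([^']+)' has conffile prompt")

# Constructed sample: the run quoted above, then an invented second run that
# never reaches "All upgrades installed" because one package needs manual attention.
SAMPLE_LOG = """\
2009-08-01 17:50:57,596 INFO Initial blacklisted packages:
2009-08-01 17:50:57,596 INFO Starting unattended upgrades script
2009-08-01 17:50:57,596 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]
2009-08-01 17:51:08,294 INFO Packages that are upgraded: libbind9-40 libisc45 libisccfg40 dnsutils libtiff4 liblwres40 bind9-host libisccc40 libdns45
2009-08-01 17:51:08,294 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2009-08-01_17:51:08.294492.log'
2009-08-01 17:51:11,169 INFO All upgrades installed
2009-08-02 17:50:12,001 INFO Initial blacklisted packages: vim
2009-08-02 17:50:12,001 INFO Starting unattended upgrades script
2009-08-02 17:50:12,002 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]
2009-08-02 17:50:20,500 WARNING package 'openssl' has conffile prompt and needs to be upgraded manually
2009-08-02 17:50:20,501 INFO Packages that are upgraded: libssl0.9.8
2009-08-02 17:50:20,501 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2009-08-02_17:50:20.501000.log'
"""


@dataclass
class Run:
    started: str
    blacklist: list = field(default_factory=list)
    upgraded: list = field(default_factory=list)
    held_back: list = field(default_factory=list)
    warnings: list = field(default_factory=list)
    dpkg_log: str = ""
    completed: bool = False


def parse_runs(text):
    """Split the log into runs; each run opens with its 'Initial blacklisted packages' line."""
    runs = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # continuation lines (tracebacks etc.) carry no timestamp
        ts, level, msg = m.groups()
        if msg.startswith("Initial blacklisted packages:"):
            runs.append(Run(started=ts, blacklist=msg.split(":", 1)[1].split()))
            continue
        if not runs:
            continue  # a truncated log may start mid-run
        run = runs[-1]
        if msg.startswith("Packages that are upgraded:"):
            run.upgraded = msg.split(":", 1)[1].split()
        elif msg.startswith("Writing dpkg log to '"):
            run.dpkg_log = msg.split("'")[1]
        elif msg == "All upgrades installed":
            run.completed = True
        if level in ("WARNING", "ERROR"):
            run.warnings.append(msg)
            held = CONFFILE_RE.search(msg)
            if held:
                run.held_back.append(held.group(1))
    return runs


def runs_needing_attention(runs):
    """Runs an administrator should look at: incomplete, or completed with warnings."""
    return [r for r in runs if not r.completed or r.warnings]


if __name__ == "__main__":
    for r in runs_needing_attention(parse_runs(SAMPLE_LOG)):
        print(f"{r.started}: completed={r.completed} upgraded={len(r.upgraded)} "
              f"held_back={r.held_back} warnings={len(r.warnings)}")
```

Run this over the mailed log copies (or directly over /var/log/unattended-upgrades/unattended-upgrades.log on each host) and only the runs it returns need a human: in the sample, the first run is clean and is dropped, while the second is reported because it never reached "All upgrades installed" and openssl was left unupgraded, which is exactly the kind of silently missing security update that automatic installation is supposed to prevent.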



Conclusion



The utilities described above let you arrange for the administrator to be informed about updates available for the system. In addition, cron-apt and unattended-upgrades can even install updates automatically. However, there is no single choice for everyone: only the administrator can decide whether a given server should be updated automatically.



P.S. For myself, I chose cron-apt.

Source: https://habr.com/ru/post/65819/


