Automating Server Updates with Debian / Ubuntu

    In this article I will try to summarize the existing ways to automate updates on servers running Debian / Ubuntu.

    Do we need it?


    Of course, if you have only one “server”, which no one uses except you or your neighbor, then keeping track of updates is pretty simple. When it comes to tens to hundreds of servers, the problem of keeping them up to date becomes obvious.

    Debian / Ubuntu patch updates come out almost every day. Keeping track of all this is very difficult. Here the programs described below may come in handy.

    apticron


    apticron is a simple script that sends emails daily with information about available updates. All that is needed for its operation is to specify our e-mail in the settings file /etc/apticron/apticron.conf:
    EMAIL="mail@example.com"

    The e-mail from apticron is quite informative and looks something like this:
    apticron report [Thu, 06 Aug 2009 16:15:24 +0300]
    ========================================================================

    apticron has detected that some packages need upgrading on:

    example.com
    [ 127.0.1.1 192.168.0.1 ]

    The following packages are currently pending an upgrade:

    acpid 1.0.4-5etch1
    apache2-utils 2.2.3-4+etch10

    ========================================================================

    Package Details:

    Reading changelogs...
    --- Changes for acpid ---
    acpid (1.0.4-5etch1) oldstable-security; urgency=high

    * Added upstream's patch to fix CVE-2009-0798

    -- Michael Meskes Wed, 29 Apr 2009 12:26:56 +0200

    --- Changes for apache2 (apache2-utils) ---
    apache2 (2.2.3-4+etch10) oldstable-security; urgency=low

    * Fix regression: A segfault could happen in mod_deflate in conjunction with
    mod_php when a client aborts the connection.

    -- Stefan Fritsch Wed, 29 Jul 2009 11:39:06 +0200

    ========================================================================

    You can perform the upgrade by issuing the command:

    aptitude dist-upgrade

    as root on example.com

    It is recommended that you simulate the upgrade first to confirm that
    the actions that would be taken are reasonable. The upgrade may be
    simulated by issuing the command:

    aptitude -s -y dist-upgrade

    -- apticron

    From the e-mail it is clear that you need to update acpid and apache2-utils. In addition, the e-mail contains descriptions of the changes. This is very convenient when you do not receive this information from other sources (for example, from the debian-security-announce mailing list).

    cron-apt


    cron-apt is a more advanced utility that, in addition to informing you about available updates, can download and install them. By default, cron-apt only downloads updates but does not install them. To receive e-mails, specify your address in the /etc/cron-apt/config file and say under what conditions they should be sent:
    MAILTO="mail@example.com"
    MAILON="always"

    Here is an example e-mail from cron-apt:
    CRON-APT RUN [/etc/cron-apt/config]: Wed Jul 29 04:00:01 EEST 2009
    CRON-APT SLEEP: 1172, Wed Jul 29 04:19:33 EEST 2009
    CRON-APT ACTION: 0-update
    CRON-APT LINE: /usr/bin/apt-get update -o quiet=2
    CRON-APT ACTION: 3-download
    CRON-APT LINE: /usr/bin/apt-get autoclean -y
    Reading package lists...
    Building dependency tree...
    Reading state information...
    CRON-APT LINE: /usr/bin/apt-get dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
    Reading package lists...
    Building dependency tree...
    Reading state information...
    The following packages will be upgraded:
    dbus dbus-x11 dhcp3-client dhcp3-common libdbus-1-3
    5 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
    Need to get 0B/957kB of archives.
    After this operation, 8192B disk space will be freed.
    Download complete and in download only mode

    It can be seen that cron-apt downloaded, but did not install (!), the updates for dbus and dhcp.

    unattended-upgrades


    unattended-upgrade is a supplementary script developed by Canonical to work together with apt. Unlike the two utilities described above, unattended-upgrade can only install updates. To enable automatic system updates, first specify in the settings file /etc/apt/apt.conf.d/50unattended-upgrades what exactly we want to update:
    // allowed (origin, archive) pairs
    Unattended-Upgrade::Allowed-Origins {
    "Debian stable Debian-Security";
    };

    // never update the packages in this list
    Unattended-Upgrade::Package-Blacklist {
    // "vim";
    };

    Additionally, in the Unattended-Upgrade::Package-Blacklist section you can list packages that must not be updated. In this example, vim is listed but commented out.

    After that, you need to tell apt that we want to use unattended-upgrade. To do this, create the file /etc/apt/apt.conf.d/10periodic and add the following lines there:
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "1";
    APT::Periodic::Unattended-Upgrade "1";

    As a result, we get a daily update of the package lists, downloading of available updates, removal of deb files for already installed packages from the cache, and most importantly - automatic installation of packages.

    Unattended-upgrade has one small drawback - the utility does not tell anyone (except the log file) what it actually did. To find out what it updated, you can use logrotate to send the log file by mail. To do this, put the following lines in the /etc/logrotate.d/unattended-upgrades file:
    /var/log/unattended-upgrades/unattended-upgrades.log {
    rotate 7
    daily
    mailfirst
    mail mail@example.com
    compress
    missingok
    notifempty
    }

    As a result, we will receive an e-mail copy of the log file with information about updates:
    2009-08-01 17:50:57,596 INFO Initial blacklisted packages:
    2009-08-01 17:50:57,596 INFO Starting unattended upgrades script
    2009-08-01 17:50:57,596 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]
    2009-08-01 17:51:08,294 INFO Packages that are upgraded: libbind9-40 libisc45 libisccfg40 dnsutils libtiff4 liblwres40 bind9-host libisccc40 libdns45
    2009-08-01 17:51:08,294 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2009-08-01_17:51:08.294492.log'
    2009-08-01 17:51:11,169 INFO All upgrades installed

    As you can see from the log, the details (dpkg output) are recorded in a separate file: unattended-upgrades-dpkg_2009-08-09_17:51:08.294492.log.
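    Since unattended-upgrades only reports through its log, it helps to condense that log before it lands in the mailbox. The following POSIX shell script is an added example, not part of the article or of unattended-upgrades itself: it summarizes each run (start time, package count, package list) and flags runs that never logged "All upgrades installed". The log lines it runs over are constructed in the format shown above; the second run and its ERROR line are invented to show an incomplete run.

```shell
#!/bin/sh
# Added example: summarize /var/log/unattended-upgrades/unattended-upgrades.log
# into one line per run and flag runs that did not finish.

# Constructed sample log in the format shown in the article. The second run
# (2009-08-02) and its ERROR line are invented to demonstrate failure detection.
sample_log() {
cat <<'EOF'
2009-08-01 17:50:57,596 INFO Initial blacklisted packages:
2009-08-01 17:50:57,596 INFO Starting unattended upgrades script
2009-08-01 17:50:57,596 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]
2009-08-01 17:51:08,294 INFO Packages that are upgraded: libbind9-40 libisc45 dnsutils
2009-08-01 17:51:08,294 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2009-08-01_17:51:08.294492.log'
2009-08-01 17:51:11,169 INFO All upgrades installed
2009-08-02 17:50:12,001 INFO Starting unattended upgrades script
2009-08-02 17:50:12,001 INFO Allowed origins are: ["['Debian', 'stable', 'Debian-Security']"]
2009-08-02 17:50:40,777 INFO Packages that are upgraded: openssl libssl0.9.8
2009-08-02 17:50:40,777 ERROR Installing the upgrades failed (constructed line)
EOF
}

# Read the log on stdin; print "<date> <time> <OK|INCOMPLETE> <count> <packages>"
# for every run that started. A run is OK only if "All upgrades installed" follows.
summarise_ua_log() {
    awk '
    /INFO Starting unattended upgrades script/ { emit(); start = $1 " " $2; pkgs = ""; ok = 0 }
    /INFO Packages that are upgraded:/ { sub(/.*Packages that are upgraded: */, ""); pkgs = $0 }
    /INFO All upgrades installed/ { ok = 1 }
    END { emit() }
    function emit() {
        if (start == "") return
        n = (pkgs == "") ? 0 : split(pkgs, parts, " ")
        printf "%s %s %d %s\n", start, (ok ? "OK" : "INCOMPLETE"), n, pkgs
    }'
}

# Number of runs that did not finish; useful as a mail subject or alert trigger.
incomplete_runs() {
    summarise_ua_log | grep -c ' INCOMPLETE '
}

# Stand-alone demonstration on the constructed sample. On a real host, replace
# sample_log with: cat /var/log/unattended-upgrades/unattended-upgrades.log
sample_log | summarise_ua_log
```

For the sample above the script prints an OK line for 2009-08-01 with 3 packages and an INCOMPLETE line for 2009-08-02 with 2 packages.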

    Conclusion


    The utilities described above let you keep the administrator informed about updates available for the system. In addition, cron-apt and unattended-upgrades can even install updates automatically. However, there is no single choice for everyone, because only the administrator can decide whether a particular server may be updated automatically.

    P.S. For myself, I opted for cron-apt.