Automatic updates for linux servers

If you're one of Anchor's customers with an unmanaged dedicated server (or VPS), we enable automatic updates by default. This is a newer (albeit poorly documented) feature on Debian and Ubuntu systems, and a primitive task we've scripted up for Redhat/Fedora systems.

Read on if you'd like to know how this is set up, or if you need to modify the behaviour. It's assumed you're comfortable with regular package management and maintenance operations on your system.

Debian-type / Ubuntu

Recent Debian releases ship a packaged solution for this, though it is barely documented.

  1. Install the package

    aptitude update
    aptitude install unattended-upgrades
  2. Installing the package doesn't enable anything by itself, contrary to what you might've guessed: the daily apt cron job only calls unattended-upgrade when the option below is set. So we add a conf fragment in /etc/apt/apt.conf.d/98local (newer Ubuntu installs may already have done this for you in 20auto-upgrades)

    APT::Periodic::Unattended-Upgrade "1";
  3. Set some periodic options to have downloads and cleaning done automatically
    • If you have the update-notifier-common package installed (more likely on Ubuntu), you can modify /etc/apt/apt.conf.d/10periodic like so:

      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "1";
    • If not, drop those three lines into /etc/apt/apt.conf.d/98local

  4. Activity is logged to /var/log/unattended-upgrades/
  5. You may wish to edit /etc/apt/apt.conf.d/50unattended-upgrades to configure which origins upgrades may be taken from (the shipped default only allows the distribution's security archive) and which packages should never be upgraded automatically

  6. Depending on your version of the unattended-upgrades package, you can also set a mail recipient for notification about upgrade actions, once again in /etc/apt/apt.conf.d/50unattended-upgrades

    // Send email to this address for problems or packages upgrades
    // If empty or unset then no email is sent, make sure that you
    // have a working mail setup on your system. The package 'mailx'
    // must be installed or anything that provides /usr/bin/mail.
    //Unattended-Upgrade::Mail "root@localhost";
  7. You should be good to go. APT ships its own cron job, /etc/cron.daily/apt, which actually runs the maintenance tasks according to the APT::Periodic settings above
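The steps above as one script, written here as an added example rather than Anchor's own tooling: it writes the 98local fragment with all four periodic directives (optionally a mail recipient too), verifies that each one reads "1", and on a real Debian/Ubuntu host shows what apt sees after merging every fragment plus a dry run of unattended-upgrade. The function names, the APT_CONF_D override and the mail address are this example's own assumptions; it relies on apt reading apt.conf.d in lexical order so a value in 98local overrides 50unattended-upgrades.

```shell
#!/bin/sh
# Added example, not Anchor's script. Assumes apt.conf.d is at /etc/apt/apt.conf.d
# (override with APT_CONF_D) and uses the fragment name 98local from the text.

APT_CONF_D="${APT_CONF_D:-/etc/apt/apt.conf.d}"

# The four directives that must all be "1" for daily unattended upgrades.
PERIODIC_KEYS="APT::Periodic::Update-Package-Lists
APT::Periodic::Download-Upgradeable-Packages
APT::Periodic::AutocleanInterval
APT::Periodic::Unattended-Upgrade"

# write_apt_periodic_fragment DIR [MAILTO]
# Writes DIR/98local and prints its path. A later fragment overrides earlier
# ones, so a Mail setting here takes precedence over 50unattended-upgrades.
write_apt_periodic_fragment() {
    dir="$1"; mailto="${2:-}"
    f="$dir/98local"
    {
        printf '// Local fragment: enable daily unattended upgrades\n'
        for key in $PERIODIC_KEYS; do
            printf '%s "1";\n' "$key"
        done
        if [ -n "$mailto" ]; then
            printf 'Unattended-Upgrade::Mail "%s";\n' "$mailto"
        fi
    } > "$f"
    printf '%s\n' "$f"
}

# check_apt_periodic_fragment FILE
# Returns 0 when every periodic directive is present and set to "1";
# otherwise names each missing or disabled key on stderr and returns 1.
check_apt_periodic_fragment() {
    f="$1"; rc=0
    for key in $PERIODIC_KEYS; do
        if ! grep -q "^$key \"1\";" "$f" 2>/dev/null; then
            printf 'missing or disabled: %s\n' "$key" >&2
            rc=1
        fi
    done
    return $rc
}

# show_effective_periodic
# On a live box, print the merged APT::Periodic settings as apt sees them,
# then (as root) preview what unattended-upgrade would do without doing it.
show_effective_periodic() {
    command -v apt-config >/dev/null 2>&1 || { echo "apt-config not found" >&2; return 1; }
    apt-config dump | grep '^APT::Periodic'
    if [ "$(id -u)" -eq 0 ] && command -v unattended-upgrade >/dev/null 2>&1; then
        unattended-upgrade --dry-run --debug
    fi
}

# Usage: sh apt-auto.sh apply [mailto]   (as root)  |  sh apt-auto.sh check
case "${1:-}" in
    apply) write_apt_periodic_fragment "$APT_CONF_D" "${2:-}" >/dev/null \
           && check_apt_periodic_fragment "$APT_CONF_D/98local" ;;
    check) check_apt_periodic_fragment "$APT_CONF_D/98local" && show_effective_periodic ;;
esac
```

Run `check` after any edit to the fragments: a directive that has been commented out or set to "0" in a later fragment is reported by name, and the dry run shows which packages the next cron.daily run would actually upgrade.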

Redhat-type / Fedora

Things are a little less advanced for Redhat. Drop this shell script into /etc/cron.daily/yumupdate and make it executable

#!/bin/sh

YUM=/usr/bin/yum

# -y   == assume yes to every prompt (this runs unattended from cron)
# -d 0 == debug verbosity 0, so cron mail only shows real output
# -e 0 == error-reporting level 0
# -R n == wait a random 0..n minutes before running, to spread load on the mirrors

# clear all cached packages, dependency headers, metadata and metadata cache
# so the run starts from fresh repository data
${YUM} -y -d 0 -e 0 clean all

# update the yum package itself first, so the rest of the run uses the new yum
${YUM} -y -d 0 -e 0 update yum

# update everything else
${YUM} -y -R 10 -e 0 -d 0 update