Ubuntu Enable Automatic Updates Unattended Upgrades

From richud.com


Enable Automatic Updates

This is pretty much the same from at least 14.04 to 18.10 and beyond...

50unattended-upgrades

To stop the annoying update manager pestering you to install updates, which everyone ignores (meaning all updates, not just security updates, which are all you can change in the GUI), create /etc/apt/apt.conf.d/51unattended-upgrades_on containing the below, which supersedes the contents of 50unattended-upgrades.

  • Not modifying the original file stops the nags about overwriting the package maintainer's version when the unattended-upgrades package is upgraded.

Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
	"${distro_id}ESM:${distro_codename}";
	"${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";


One-liner

sed '/-updates\|-backports\|Remove-/s#^//##; /Remove-/s#false#true#; /\/\//d; /^$/d; /Black/,/};/d' "/etc/apt/apt.conf.d/50unattended-upgrades" | sudo tee "/etc/apt/apt.conf.d/51unattended-upgrades_on"

10periodic, 20auto-upgrades

Depending on the version, you may have one or both of /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades.

  • Not modifying the originals stops the nags about overwriting the package maintainer's version when the unattended-upgrades package is upgraded.

Create /etc/apt/apt.conf.d/21periodic-auto-upgrades_on, which will supersede either /etc/apt/apt.conf.d/10periodic or /etc/apt/apt.conf.d/20auto-upgrades.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

Other useful options:

Setting RandomSleep to 1 makes it start almost as soon as anacron launches it, rather than waiting around pointlessly.

APT::Periodic::RandomSleep "1";

For more logging, add:

APT::Periodic::Verbose "2";

One-liner

cat "/etc/apt/apt.conf.d/10periodic" "/etc/apt/apt.conf.d/20auto-upgrades" 2>/dev/null | sed "s/0/1/" | sort -u | sudo tee  "/etc/apt/apt.conf.d/21periodic-auto-upgrades_on"

Resetting 10periodic, 20auto-upgrades, 50unattended-upgrades

A remove with --purge deletes all three files; reinstalling should restore the defaults.

sudo apt-get remove --purge  update-notifier-common unattended-upgrades
sudo apt-get install --reinstall update-notifier-common unattended-upgrades update-manager

Deleting old kernels

With 16.04 and earlier there is/was a tendency for kernels not to get deleted automatically. This is because they get tagged as 'manual' (due to a bug or to being updated manually), and only ones tagged 'auto' get removed by unattended-upgrades.

These two commands show how they are currently tagged.

apt-mark showauto 'linux-.*'
apt-mark showmanual 'linux-.*'

To fix this, tag them all as auto (you will get a lot of errors from ones that are not installed, etc.):

sudo apt-mark auto '^linux-.*'

These will then get removed on the next update cycle, or can be removed immediately with 'sudo apt-get autoremove'.

Older and specialised info below for reference

Permissions

Check that the apt entry in /etc/cron.daily is executable; mine somehow became non-executable, and it must be executable (i.e. chmod 755 /etc/cron.daily/apt).

This has happened at least twice for unknown reasons.

$ ls -la /etc/cron.daily
total 108
drwxr-xr-x   2 root root  4096 Nov 19 21:40 .
drwxr-xr-x 199 root root 12288 Dec  1 13:43 ..
-rwxr-xr-x   1 root root   311 Mar  5  2010 0anacron
-rwxr-xr-x   1 root root   219 Apr 10  2012 apport
-rw-r--r--   1 root root 15466 Sep  6 23:14 apt
-rwxr-xr-x   1 root root   314 Apr  9  2010 aptitude

Should be

$ sudo chmod a+x /etc/cron.daily/apt
[sudo] password for xxxxx: 
$ ls -la /etc/cron.daily
total 108
drwxr-xr-x   2 root root  4096 Nov 19 21:40 .
drwxr-xr-x 199 root root 12288 Dec  1 13:43 ..
-rwxr-xr-x   1 root root   311 Mar  5  2010 0anacron
-rwxr-xr-x   1 root root   219 Apr 10  2012 apport
-rwxr-xr-x   1 root root 15466 Sep  6 23:14 apt
-rwxr-xr-x   1 root root   314 Apr  9  2010 aptitude

Adding other repositories

Look in /var/lib/apt/lists for files ending in 'Release'. You need to find the origin (o=) and archive (a=) pair of the repository you want.

Adding Virtualbox to unattended-upgrade

$ head /var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_oneiric_Release
Origin: Oracle Corporation
Label: Oracle Corporation
Codename: oneiric
Date: Tue, 03 Apr 2012 16:52:39 +0000
Architectures: i386 amd64
Components: non-free contrib

So origin=Oracle Corporation, but no archive is mentioned.

In the config file the two are separated by a space or a colon (see the info in the /etc/cron.daily/apt file).

$ head /etc/apt/apt.conf.d/50unattended-upgrades 
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id} ${distro_codename}-security";
	"${distro_id} ${distro_codename}-updates";
//	"${distro_id} ${distro_codename}-proposed";
	"${distro_id} ${distro_codename}-backports";
	"Oracle Corporation:";
};

It turns out the archive is an empty field, so this works. Without the colon it thinks 'Oracle' is the origin and 'Corporation' is the archive, as it falls back to using a space as the delimiter.

To test without causing problems, use --dry-run (note mine was up to date; usually you get a slew of output here).

$ sudo unattended-upgrade --debug --dry-run
Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=oneiric-security', 'o=Ubuntu,a=oneiric-updates', 'o=Oracle Corporation,a=']
pkgs that look like they should be upgraded: 
Fetched 0 B in 0s (0 B/s)                                                                                                                  
blacklist: []
Packages that are auto removed: ''
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended

  • Note: if you are running /var/log from /tmp you will get errors, as it assumes the /var/log/unattended-upgrades folder is there (it isn't); however, when it runs normally from cron this folder gets created. You can get around this by specifying an alternate log directory with this in 50unattended-upgrades:

Unattended-Upgrade::LogDir "/tmp/";

Adding xbmc to unattended-upgrade

Using same method as above...

$ head /var/lib/apt/lists/ppa.launchpad.net_team-xbmc_unstable_ubuntu_dists_oneiric_Release
Origin: LP-PPA-team-xbmc-unstable
Label: XBMC Unstable
Suite: oneiric
Version: 11.10
Codename: oneiric
Date: Fri, 23 Mar 2012 23:23:05 UTC
Architectures: amd64 armel i386 powerpc
Components: main
Description: Ubuntu Oneiric 11.10

Generally speaking, if it doesn't tell you the archive name, try just omitting it ("LP-PPA-team-xbmc-unstable:"); otherwise try appending the distro codename ("LP-PPA-team-xbmc-unstable:${distro_codename}"). (Perhaps if 'Suite:' is present, that is what needs setting as the archive name?)

Run "sudo unattended-upgrade --debug --dry-run"; from the output you should be able to see the archive value it is using. If you don't see this and it isn't working, the problem probably lies with using the wrong one.

2012-04-06 16:55:45,032 DEBUG Checking: xbmc (["<Origin component:'main' archive:'oneiric' origin:'LP-PPA-team-xbmc-unstable' label:'XBMC Unstable' site:'ppa.launchpad.net' isTrusted:True>"])


$ head /etc/apt/apt.conf.d/50unattended-upgrades 
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id} ${distro_codename}-security";
	"${distro_id} ${distro_codename}-updates";
//	"${distro_id} ${distro_codename}-proposed";
	"${distro_id} ${distro_codename}-backports";
	"LP-PPA-team-xbmc-unstable:${distro_codename}";
};
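
As an added example (not part of the original page), the shell functions below turn the headers of a Release file into the "origin:archive"; line for Allowed-Origins, including the empty-archive case seen with VirtualBox. apt takes the archive (a=) from the Suite: header; the function names and the two sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive Allowed-Origins entries from apt Release headers.

# release_field FILE NAME: print the value of the first "NAME: value" line.
release_field() {
    sed -n "s/^$2:[[:space:]]*//p" "$1" | head -n 1
}

# allowed_origin_entry FILE: print the "origin:archive"; line for FILE.
# The archive (a=) comes from the Suite: header (apt also accepts Archive:).
# If neither is present the archive is empty, and the entry must still end
# in a colon so an origin containing spaces is not split at the space.
allowed_origin_entry() {
    origin=$(release_field "$1" Origin)
    if [ -z "$origin" ]; then
        echo "no Origin: header in $1" >&2
        return 1
    fi
    archive=$(release_field "$1" Suite)
    [ -n "$archive" ] || archive=$(release_field "$1" Archive)
    printf '"%s:%s";\n' "$origin" "$archive"
}

# Constructed sample input, modelled on the two headers shown on this page.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/vbox_Release" <<'EOF'
Origin: Oracle Corporation
Label: Oracle Corporation
Codename: oneiric
Components: non-free contrib
EOF
cat > "$demo_dir/xbmc_Release" <<'EOF'
Origin: LP-PPA-team-xbmc-unstable
Label: XBMC Unstable
Suite: oneiric
Codename: oneiric
EOF

# Print one candidate entry per sample file.
for f in "$demo_dir"/*_Release; do
    allowed_origin_entry "$f"
done
```

On a real system, run allowed_origin_entry over the files matching /var/lib/apt/lists/*Release. A literal suite such as oneiric can be written as ${distro_codename} when it matches the running release.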

Forcing a rerun to test cron working

#stop
sudo service stop anacron
sudo service stop cron
sudo rm -rf /var/run/unattend* /var/run/cron* /var/run/anacron*
sudo rm -rf /var/lib/apt/periodic/*
#restart
sudo service start cron
sudo anacron -fn

12.10 onwards (checked to 13.10 at time of writing)

#stop
sudo service anacron stop
sudo service cron stop
sudo rm -rf /var/run/unattend* /var/run/cron* /var/run/anacron*
sudo rm -rf /var/lib/apt/periodic/*
#restart
sudo service cron start
sudo anacron -fn

How it works

Several things will trigger it to run.

a) It is fired off from the running of /etc/cron.daily by cron, specifically /etc/cron.daily/apt. Cron runs /etc/cron.daily at 6.25 am (see /etc/crontab)

b) Anacron runs from upstart? and it will fire off /etc/cron.daily after 5 minutes of uptime (see /etc/anacrontab)

  • Note APT::Periodic::RandomSleep can be set in /etc/apt/apt.conf.d/10periodic, but defaults to 1800s (30 mins) so no updates may happen till 30 mins after /etc/cron.daily/apt runs.

Log

If it works things should get logged in this folder, /var/log/unattended-upgrades

Fixing Key errors

W:GPG error: http://extras.ubuntu.com precise Release: The following signatures were invalid: BADSIG 16126D3A3E5C1192 Ubuntu Extras Archive Automatic Signing Key 

Run this to add the key, replacing the key ID with the one from your BADSIG error.

$ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192

You should then see all your keys (others snipped out here); as you can see, the last part of the 'Key fingerprint' is the same code.

$ sudo apt-key finger
/etc/apt/trusted.gpg
--------------------
<SNIP>
pub   1024D/3E5C1192 2010-09-20
      Key fingerprint = C474 15DF F48C 0964 5B78  6094 1612 6D3A 3E5C 1192
uid                  Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>

If it is still a problem, try:

$ sudo apt-key del 16126D3A3E5C1192
$ sudo apt-get clean            # Remove cached packages
$ sudo mv /var/lib/apt/lists /tmp/       # Move existing mirror info
$ sudo mkdir -p /var/lib/apt/lists/partial   # Recreate directory structure
$ sudo apt-get clean
$ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192
$ sudo apt-get update           # Fetch mirror info

Making your own apt sources.list

Use this great online maker!


Update: Ubuntu >= 12.04

  • To keep pre-release (beta) versions updated, also add just "${distro_id}:${distro_codename}", i.e. without -security or -updates.

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
	"${distro_id}:${distro_codename}-backports";
};


  • "Oracle Corporation:" does VirtualBox (assuming the "deb http://download.virtualbox.org/virtualbox/debian precise contrib" PPA is added to /etc/apt/sources.list).
  • "LP-PPA-app-review-board:${distro_codename}" does the Ubuntu extras, viz. "unsupported packages from this untrusted PPA"; see /var/lib/apt/lists/extras.ubuntu.com_ubuntu_dists_precise_Release
  • "LP-PPA-libreoffice:${distro_codename}" does LibreOffice; see /var/lib/apt/lists/ppa.launchpad.net_libreoffice_ppa_ubuntu_dists_precise_Release

Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	"${distro_id}:${distro_codename}-updates";
	"LP-PPA-app-review-board:${distro_codename}";
	"LP-PPA-libreoffice:${distro_codename}";
	"Oracle Corporation:";
//	"${distro_id}:${distro_codename}-proposed";
	"${distro_id}:${distro_codename}-backports";
};

Other useful Allowed-Origins

        "Google LLC:stable";
        "LP-PPA-linuxgndu-sqlitebrowser:focal";
        "TeamViewer GmbH:stable";

Troubleshooting

If running unattended-upgrade shows lines like the following in its output but doesn't do anything, raise an error or say anything else helpful, suspect the archive settings in the 'Allowed-Origins' section above.

e.g.

adjusting candidate version: '<Version: package:'libreoffice-calc' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-common' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-core' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-draw' version:'1:3.5.3-0ubuntu1'>'

If it doesn't update from a source you added yourself and the '_Release' file doesn't mention the archive name, try using ${distro_codename}. This fixed the LibreOffice updates above not working. Note the above log shows the current version; the version it could update to was 1:3.5.4~rc2.

Running this should show you the install candidate (1:3.5.4~rc2) and the current version (1:3.5.3-0)

apt-cache show libreoffice-common


You should then see something like the below. (I haven't got to the bottom of the "conffile prompt and needs to be upgraded manually" warning, because running the update manually doesn't trigger it. This was a bug fixed ages ago.)

$ cat unattended-upgrades.log 
2012-04-17 07:35:44,245 INFO Initial blacklisted packages: 
2012-04-17 07:35:44,245 INFO Starting unattended upgrades script
2012-04-17 07:35:44,245 INFO Allowed origins are: ['o=Ubuntu,a=precise', 'o=Ubuntu,a=precise-security', 'o=Ubuntu,a=precise-updates', 'o=LP-PPA-app-review-board,a=precise', 'o=Oracle Corporation,a=']
2012-04-17 07:37:23,228 WARNING Package 'libgtk-3-0' has conffile prompt and needs to be upgraded manually
2012-04-17 07:37:42,214 INFO package 'gir1.2-gtk-3.0' not upgraded
2012-04-17 07:37:56,185 INFO package 'gvfs' not upgraded
2012-04-17 07:37:58,019 INFO package 'gvfs-backends' not upgraded
2012-04-17 07:38:15,499 INFO package 'libgail-3-0' not upgraded
2012-04-17 07:38:30,845 INFO package 'libgtk-3-0' not upgraded
2012-04-17 07:38:33,210 INFO package 'libgtk-3-bin' not upgraded
2012-04-17 07:38:35,580 INFO package 'libgtk-3-common' not upgraded
2012-04-17 07:38:37,939 INFO package 'libgtk-3-dev' not upgraded
2012-04-17 07:39:08,353 INFO Packages that are upgraded: aisleriot apport apport-gtk apport-retrace cpp-4.6 empathy empathy-common example-content file-roller g++-4.6 gcc-4.6 gcc-4.6-base gcc-4.6-base:i386 gcc-4.6-multilib gedit gedit-common gir1.2-dbusmenu-glib-0.4 gir1.2-dbusmenu-gtk-0.4 gir1.2-gdesktopenums-3.0 gir1.2-gdkpixbuf-2.0 gir1.2-gnomedesktop-3.0 gir1.2-gtksource-3.0 gir1.2-panelapplet-4.0 gir1.2-pango-1.0 gnome-control-center gnome-control-center-data gnome-desktop3-data gnome-panel gnome-panel-data gnome-screenshot gnome-settings-daemon gnome-system-log gnome-system-monitor gnome-terminal gnome-terminal-data gsettings-desktop-schemas gsettings-desktop-schemas-dev gvfs-bin gvfs-common gvfs-daemons:i386 gvfs-fuse gvfs-libs gvfs-libs:i386 gvfs:i386 lib32gcc1 lib32gomp1 lib32quadmath0 libc-bin libc-dev-bin libc6 libc6-dev libc6-dev-i386 libc6-i386 libc6:i386 libdbusmenu-glib4 libdbusmenu-gtk3-4 libdbusmenu-gtk4 libgcc1 libgcc1:i386 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-0:i386 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgfortran3 libglib2.0-0 libglib2.0-0:i386 libglib2.0-bin libglib2.0-data libglib2.0-dev libgnome-control-center1 libgnome-desktop-3-2 libgnome-desktop-3-dev libgomp1 libgomp1:i386 libgtksourceview-3.0-0 libgtksourceview-3.0-common libmusicbrainz3-6 libnautilus-extension1a libobjc3 libpanel-applet-4-0 libpango1.0-0 libpango1.0-0:i386 libpango1.0-dev libquadmath0 librsvg2-2 librsvg2-2:i386 librsvg2-common librsvg2-common:i386 libstdc++6 libstdc++6-4.6-dev libstdc++6:i386 mousetweaks multiarch-support nautilus nautilus-data nautilus-sendto-empathy nscd python-apport python-problem-report python-qt4 python-qt4-dbus tomboy transmission-common transmission-gtk ttf-wqy-microhei upstart usb-creator-common usb-creator-gtk vinagre vino yelp-xsl
2012-04-17 07:39:08,353 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2012-04-17_07:39:08.353666.log'
2012-04-17 07:40:52,196 INFO All upgrades installed
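
As an added example (not part of the original page), the function below condenses an unattended-upgrades.log into the lines that matter for patch status: packages blocked by a conffile prompt, packages logged as not upgraded, and the outcome of the last run. The function name, the output labels and the sample log (shortened from the one above) are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise an unattended-upgrades.log so that skipped
# packages are not lost in the long "Packages that are upgraded" line.

# uu_log_summary FILE: one line per finding, in log order.
#   CONFFILE <pkg>          upgrade blocked by a conffile prompt
#   SKIPPED <pkg>           logged as "not upgraded"
#   RESULT ok|none|unknown  outcome of the last run in the file
uu_log_summary() {
    awk '
        / INFO Starting unattended upgrades script/ { result = "unknown" }
        / WARNING Package .* has conffile prompt/ {
            split($0, q, "\047"); print "CONFFILE " q[2]   # \047 is a quote
        }
        / INFO package .* not upgraded$/ {
            split($0, q, "\047"); print "SKIPPED " q[2]
        }
        / INFO All upgrades installed/ { result = "ok" }
        / INFO No packages found that can be upgraded unattended/ {
            result = "none"
        }
        END { print "RESULT " (result == "" ? "unknown" : result) }
    ' "$1"
}

# Constructed sample input, shortened from the log shown on this page.
sample_log=$(mktemp)
trap 'rm -f "$sample_log"' EXIT
cat > "$sample_log" <<'EOF'
2012-04-17 07:35:44,245 INFO Starting unattended upgrades script
2012-04-17 07:37:23,228 WARNING Package 'libgtk-3-0' has conffile prompt and needs to be upgraded manually
2012-04-17 07:37:56,185 INFO package 'gvfs' not upgraded
2012-04-17 07:38:30,845 INFO package 'libgtk-3-0' not upgraded
2012-04-17 07:40:52,196 INFO All upgrades installed
EOF

uu_log_summary "$sample_log"
```

The sample shows why the SKIPPED lines are worth collecting: the run ends with "All upgrades installed" even though two packages were left at their old versions.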
