Zachary Loeber

The personal website of Zachary Loeber.

Ubuntu Server 8.04 Post Install Tip #1: Auto Updating

2008-07-03 3 min read Linux Networking Ubuntu Zachary Loeber

On a headless server that you have at home or for testing I like to make sure that all security updates and trivial updates are done automatically. A good sys admin will shy away from this practice for a good reason, updates can mess things up. In a production environment or where the server setup is very complex I can understand the need to manually run updates. For me, well I’m lazy when it comes to my home machines and generally don’t have too complex of setups. Also, in my experience, I’ve hardly ever seen an apt security or trivial update cause any harm (desktop linux I have seen issues though). That being said, I like to force security and trivial updates to happen daily.

You have a few ways to do this, you can setup a custom script to run the upgrades or you can use apt-cron. I’ve done both and am now using apt-cron for my needs as it supports syslog logging which is good for logwatch daily updates. The default setup of apt-cron doesn’t do much so I’ll cover a more complex setup in a bit. But if you just want to setup your own script here it is:

sudo nano /usr/local/sbin/

Paste all of this:

#(modified from:

simple script which does automatic security updates!


function warning () {
echo | mail -s “uname -n:$0: error [$1].” [email protected]
apt-get update > /dev/null 2>&1 || warning update
apt-get upgrade -y -t lsb_release -cs-security >> /var/log/apt/security.log 2>&1 || warning
apt-get upgrade -y –trivial-only >> /var/log/apt/trivial.log 2>&1 || warning updade.trivial
apt-get autoclean -y > /dev/null 2>&1

sudo chmod +x /usr/local/sbin/

Test your script:

sudo /usr/local/sbin/<br /> less /var/log/apt/security.log<br />

Now make it run daily

sudo ln -s /usr/local/sbin/ /etc/cron.daily/auto-update<br />

The cron-apt way

Install cron-apt, remove the default cron-apt schedule and set it to run daily instead. Also remove the default download-only action file as we don’t need it, we are going to install stuff instead.

sudo apt-get install cron-apt<br /> ln -s /usr/sbin/cron-apt /etc/cron.daily/cron-apt<br /> sudo mv /etc/cron.d/cron-apt ~/oldffiles/cron-apt<br /> sudo mv /etc/cron-apt/action.d ~/oldfiles/

create your install action file. Note that I have hardy-security in here as I was not able to get lsb_release -cs to work in the config file properly, you may have a different distro and will have to change accordingly. In /etc/apt/sources.list you can see the different types that you can use by looking at the following part of the source line.

deb hardy-security main restricted

sudo nano /etc/cron-apt/action.d/2-install

Insert the following:

upgrade -y -t hardy-security<br /> upgrade -y --trivial-only<br /> autoclean -y<br />

Change the default configuration to do no mailing or debugging. Also error out on errors and always dump all actions to syslog.

nano /etc/cron-apt/config<br />

You will have to uncomment and change the lines noted.

ERROR="/var/log/cron-apt/error"<br /> DEBUG=""<br /> MAILON=""<br /> SYSLOGON="always"

Test by running cron-apt

sudo cron-apt

Then take a look in syslog

less /var/log/syslog

comments powered by Disqus