
Automate Ubuntu system updates

Sep 19, 2019 | DevOps

Overview

Security is such an important thing these days, and one of the best ways to protect yourself is to ensure that your system is always up to date.  A large part of the updates that you apply to your system are security patches.  This post is a “quick tip” for those who might be new to Linux, particularly those on Debian-based distros like Ubuntu, where we will demonstrate an easy way to set up automatic system updates so you never have to wonder if your system is up to date again.

Command Line

APT is the software that you use on Debian based systems to install software on your computer.  There are a few commands that you can use to ensure your system is up to date and they are as follows.  Note that because you are using sudo you will likely be prompted for the root password on your system so be sure to have that handy.

update – the command below downloads the package lists from the repositories and updates them to get information on the newest versions of packages and their dependencies.  It’s important to realize that only the package lists are updated; this command does not install or upgrade any packages.  You need to execute the next command that we talk about in order for your system to actually update.

sudo apt update

upgrade - This command actually upgrades the packages installed on your system.  But, it's important to realize that you should always run the update command before running this upgrade command, otherwise you will likely not be upgrading the packages installed on your system to their latest versions.

sudo apt upgrade

autoremove - This third command is optional, but I recommend running it after you've run update and upgrade.  The autoremove command essentially cleans up after your update.  Sometimes packages are left on your system that are no longer used; autoremove ensures that these are cleaned up so that they're not sitting there unnecessarily.

sudo apt autoremove

Automation

Now I'd like to briefly explain how this can be automated so that you don't have to keep typing in three commands every time you want to ensure your system is updated.  The first thing I'd like to mention is that when you run the latter two commands above you are typically prompted, if there are updates to be made, to confirm that you want to apply them.  This can get kind of annoying.  The great thing is that apt has a parameter you can use to always say yes: just add "-y" to your command and it will update without confirming.

Second, you can also chain these commands together using "&&" on the command line so that you only have to execute one command and all three will run in sequence; each command runs only if the one before it succeeded.  Here is an example of that:

sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
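
A variant of the chained command as a script, added here as an illustration and not code from the original post: it records each step's result so a failed step is visible afterwards. It calls apt-get (which accepts the same three subcommands) rather than apt, and the APT_CMD and LOG_FILE names and the log path are assumptions of this example.

```bash
#!/bin/bash
# Added example: run the three apt steps in order and record each outcome.
# APT_CMD and LOG_FILE are assumed names; override them for a dry run.
APT_CMD="${APT_CMD:-apt-get}"
LOG_FILE="${LOG_FILE:-/var/log/apt-auto-update.log}"

# Append a timestamped line to the log file.
log() { printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >> "$LOG_FILE"; }

run_updates() {
    # No terminal is attached when this runs unattended, so tell debconf
    # not to ask questions.
    export DEBIAN_FRONTEND=noninteractive
    local step rc
    for step in update "upgrade -y" "autoremove -y"; do
        rc=0
        # $step is unquoted on purpose so "upgrade -y" splits into two words.
        $APT_CMD $step >> "$LOG_FILE" 2>&1 || rc=$?
        if [ "$rc" -ne 0 ]; then
            # Same short-circuit as "&&": stop at the first failing step.
            log "FAILED: $APT_CMD $step (exit $rc); later steps skipped"
            return "$rc"
        fi
        log "OK: $APT_CMD $step"
    done
    return 0
}

# Run the updates only when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then run_updates; fi
```

Run it as root with the --run argument; the log file then shows which step, if any, stopped the chain.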

Finally, in order to fully automate your system updates, you can add a command similar to the one above as a Cron job that runs however frequently you'd like, to ensure that your system is always up to date.  You can follow the steps listed here to set up such a Cron job:

1 - open up the crontab editor

sudo crontab -e

2 - add the job to the crontab configuration as shown in the following example.  This job is set up to run at midnight every day.  If you want to run your job at another time or frequency, then you can use a great website called crontab.guru to see what configuration you need to run at the time and frequency that you desire.

Something to note: "sudo" has been removed from the command because this is root's crontab (it was opened with sudo), so everything in it already runs as root.  Secondly, if you've never opened the crontab editor before, you may be given the option as to which editor you'd like to use going forward to edit your cron jobs.  I like the vi editor so that is what I've used; feel free to choose whatever option you'd like.  Once you've updated and saved the configuration, it should take immediate effect.


# Edit this file to introduce tasks to be run by cron.
#
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
#
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').#
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
#
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
#
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
#
# For more information see the manual pages of crontab(5) and cron(8)
#
# m h  dom mon dow   command

0 0 * * * apt update && apt upgrade -y && apt autoremove -y

3 - Confirm that the job has run.  After you set up your configuration and you think that the job has run, it is a good idea to check the logs to make sure that it actually has done so.  As long as you have not changed the default configuration for logging cron jobs, all you should have to do is run the following command against the syslog file for the time that you expected the job to run.  If it ran today, you can simply run this command against the syslog file; if it ran yesterday, the log may be in the syslog.1 file.  In either case, the command produces output like the following.  Note the last item: this is what the log shows for the example cron job configuration that we just went through, and it confirms that the job ran at one second after midnight:

grep CRON /var/log/syslog

Sep 18 19:39:01 ris CRON[23952]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 20:09:01 ris CRON[25294]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 20:17:01 ris CRON[25763]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 18 20:39:01 ris CRON[26773]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 21:09:01 ris CRON[28093]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 21:17:01 ris CRON[28521]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 18 21:39:01 ris CRON[29383]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 22:09:01 ris CRON[30677]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 22:17:01 ris CRON[31101]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 18 22:39:02 ris CRON[31960]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 23:09:01 ris CRON[798]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 18 23:17:01 ris CRON[1254]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 18 23:39:01 ris CRON[2229]: (root) CMD (  [ -x /usr/lib/php/sessionclean ] && if [ ! -d /run/systemd/system ]; then /usr/lib/php/sessionclean; fi)
Sep 19 00:00:01 ris CRON[3719]: (root) CMD (apt update && apt upgrade -y && apt autoremove -y)
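
The cron entry in syslog shows that cron started the command, not that it finished successfully. The check below, an added example and not part of the original post, prints when a given command was last launched; the function names and the sample log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: find the most recent time cron launched a given command.

# Print "Mon DD HH:MM:SS" of the last CRON entry whose CMD (...) text equals
# $1 exactly. Remaining arguments are log files, oldest first; with none,
# the log is read from standard input. Returns 1 when nothing matches.
last_cron_run() {
    local want="$1"; shift
    WANT="$want" awk '
        # syslog layout: month day time host CRON[pid]: (user) CMD (command)
        $5 ~ /^CRON\[[0-9]+\]:$/ && $7 == "CMD" {
            start = index($0, "CMD (") + 5
            body = substr($0, start, length($0) - start)  # drops trailing ")"
            gsub(/^ +| +$/, "", body)                     # cron pads some entries
            if (body == ENVIRON["WANT"]) last = $1 " " $2 " " $3
        }
        END { if (last == "") exit 1; print last }
    ' "$@"
}

# Constructed sample in the same layout as the output shown above.
sample_log() {
cat <<'EOF'
Sep 18 00:00:01 ris CRON[1111]: (root) CMD (apt update && apt upgrade -y && apt autoremove -y)
Sep 18 23:17:01 ris CRON[1254]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Sep 19 00:00:01 ris CRON[3719]: (root) CMD (apt update && apt upgrade -y && apt autoremove -y)
Sep 19 00:17:01 ris CRON[4242]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
EOF
}
```

On a real system, pass /var/log/syslog.1 and then /var/log/syslog as the file arguments so that a run from either day is found.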

 

Conclusion

As you can see, it is not very difficult to set up your Debian-based system to automatically update at a time and frequency that you would like.  Since it is very important, particularly when talking about security, that your system is running the most current versions of each software package that you have installed, I would encourage you, if you have not already done so, to implement some sort of automatic updates on your Linux system.

 
