 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
When was the last time you ran an update for Ubuntu Server? Many admins tend to view Linux as a set-it-and-forget-it operating system. Once upon a time, that was a valid stance to take, especially during that period when people were boasting of insanely long uptimes.
But not updating a server simply so you could claim you haven’t rebooted it for three years is no longer an option. Over time, unpatched software becomes vulnerable to attacks. In fact, the longer you go without updating the packages on your server, the more vulnerable it can be. Imagine you have the SSH server installed and it hasn’t been updated for a year. There are probably several CVEs afflicting that software.
And that’s just SSH.
Imagine if just 25% of the software on your machine is out of date. Even if you let that go on for a month, that server is far more vulnerable than it should be.
That is precisely the argument in favor of enabling automatic updates. Yes, there will always be those who firmly believe this is a bad idea. After all, what happens if an update goes awry or a piece of software is upgraded that includes yet another vulnerability?
Even those caveats don’t counter keeping out-of-date software installed on a server.
So, unless you have the time (or the memory capacity) to run daily (or weekly) upgrades, what are you to do?
You can enable automatic updates.
With automatic updates enabled, you can rest assured that critical software on your server is always up-to-date and patched against the latest vulnerabilities (so long as the software maintainers have patched their products). The updated packages are automatically downloaded and applied, without requiring any intervention on your part. And, at no time, will your server automatically restart after an update (so you don’t have to worry about a server going offline after an update is applied).
Canonical (the company behind Ubuntu) is so certain about the unattended upgrades for the server, that they ship the operating system with the necessary package pre-installed.
The first thing you’ll want to do is verify the required software is installed. To be certain the software is installed, issue the command:
which unattended-upgrades
The output should be:
/usr/bin/unattended-upgrades
However, just because the software is installed doesn’t mean it’s configured and working.
Log into your Ubuntu Server. To configure unattended-upgrades, we’re going to use the dpkg-reconfigure tool, like so:
sudo dpkg-reconfigure -plow unattended-upgrades
After running the above command, you’ll be presented with an ncurses window asking you if you want to automatically download and install stable updates (Figure 1).
Figure 1: Selecting Yes will enable the automatic downloading and applying of stable updates.
Tab to Yes and hit Enter on your keyboard.
That’s all there is to enabling the automatic updates. Let’s see what this does.
If you want to see exactly what the unattended-upgrade configuration does, open the configuration file for viewing with:
less /etc/apt/apt.conf.d/20auto-upgrades
What you will see are the following two lines:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
There are no configurations necessary for this file. There is, however, a second file in the same location, that you can configure. Let’s take a look at it with the command:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Much of this file is commented out (each line that starts with //). If you comb through it, however, you’ll find certain lines and/or sections are enabled. For example, we have this section:
The above configuration enables automatic updates for security, which is defined by the line:
“${distro_id}:${distro_codename}-security”;
Take a look at the lines for -updates, -proposed, and -backports, which are all commented out. The reason those lines are disabled is because they could contain updates that cause problems with installed packages.
Let’s say, however, you have a reason to enable to the -updates option. To do that, remove the leading //, so the line reads:
“${distro_id}:${distro_codename}-updates”;
Keep scrolling and you’ll find a section with a number of options that end in either “true”; or “false’;. For example, there’s this line:
//Unattended-Upgrade::Remove-Unused-Dependencies “false”;
If you don’t want to keep unused dependencies on the system, uncomment out the line by removing the leading // and change false to true, so the line reads:
Unattended-Upgrade::Remove-Unused-Dependencies “true”;
Another line is:
//Unattended-Upgrade::Automatic-Reboot “false”
I would not recommend enabling this feature because you never know when the unattended upgrade will start and finish, leading to unpredictable downtimes.
If you do wind up making any changes to the 50unattended-upgrades, you’ll need to reload it with:
sudo systemctl restart unattended-upgrades
Congratulations, you’ve just enabled unattended-upgrades on Ubuntu Server and configured it to meet your needs.
