Keeping your system up to date is key to its security. Furthermore, Ubuntu releases updates pretty often, and you probably don't want to miss out on added stability and features. You could run updates manually, but why not schedule them in the background to make sure you are always running the latest stable versions, without ever having to worry about it?
Crontab
The crontab command, found in Unix and Unix-like operating systems, is used to schedule commands to be executed periodically. To see what crontabs are currently running on your system, you can open a terminal and run:
To edit the list of cronjobs you can run:
This will open the default editor (which could be vi or pico; you can change the default editor if you want) so we can edit the crontab. When you save and exit the editor, all your cronjobs are saved into the crontab. Cronjobs are written in the following format:
If you want to know more about crontab, I’ve written another article: Schedule tasks on Linux using crontab
Updating with aptitude
I always used apt-get to update systems, but I found out that aptitude has better dependency solving capabilities. So let's use aptitude for this as well; it comes preinstalled. Normally I would run something like this from a terminal:
Making it cron-ready
We need to make some adjustments to the aptitude command to make it suitable to run in the background:
- It should not have to wait on user confirmation, because it isn’t getting any ; )
- It should not automatically update kernels (this is still something you should do manually)
- It should log to a file so you can keep track of it
- It should not proceed with an upgrade if the update failed
- It should be prefixed with a full path, because cron often works without environment variables
The following command addresses all of the above challenges, in just one line:
Explained
- -y answers yes to all questions so that takes care of the user confirmation
- changing dist-upgrade to safe-upgrade will skip kernel updates
- 2>&1 >> /var/log/auto_update.log forwards all messages (errors (2), and standard (1)) to a logfile
- && links two commands together, but will not execute the second if the first one failed.
Combined: an aptitude cronjob
We’ll link everything together now. Open your crontab editor:
And to execute our upgrade every night at 1 AM, type:
Save and exit your editor, and you are all set! You could check the logfile: /var/log/auto_update.log every once in a while to see if everything is still running smoothly.
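An added example, not the article's own code: a cron-ready wrapper for the update-then-upgrade sequence described above. It shows that the order of the two redirections decides whether error output reaches the logfile, and it sets a root-style PATH and DEBIAN_FRONTEND=noninteractive (which tells debconf-based prompts to take their defaults) for the dpkg PATH errors and the hung configuration prompt reported in the comments on this page. The function names and the fake_aptitude stand-in are hypothetical.

```shell
#!/bin/sh
# Added example (not the article's code). Function names are hypothetical.

# The article's order: stderr is duplicated onto the current stdout first,
# then stdout alone is moved to the log, so error text never reaches the file.
log_article_order() {            # $1 = log file, remaining args = command
    log=$1; shift
    "$@" 2>&1 >> "$log"
}

# Redirect stdout to the log first, then point stderr at it: both are logged.
log_fixed_order() {
    log=$1; shift
    "$@" >> "$log" 2>&1
}

# Cron-ready update. $1 = log file, $2 = aptitude binary; both default to the
# values used in the article and are parameters only so the logic can be tested.
auto_update() {
    (   # subshell: the environment changes below do not leak to the caller
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        DEBIAN_FRONTEND=noninteractive   # ask debconf not to prompt
        export PATH DEBIAN_FRONTEND
        log=${1:-/var/log/auto_update.log}
        apt=${2:-/usr/bin/aptitude}
        log_fixed_order "$log" "$apt" -y update &&
            log_fixed_order "$log" "$apt" -y safe-upgrade
    )
}

# Constructed stand-in for aptitude: prints one line on each stream and fails
# "update" when FAIL_UPDATE=1, to exercise the && short-circuit.
fake_aptitude() {
    for verb in "$@"; do :; done     # keep the last argument
    echo "stdout: $verb"
    echo "stderr: $verb" >&2
    [ "$verb" != update ] || [ "${FAIL_UPDATE:-0}" != 1 ]
}

# "sh auto_update.sh run" performs the real update (as root, e.g. from cron).
case "${1:-}" in run) auto_update ;; esac
```

With the article's order, error output under cron goes to cron's own output (normally mailed to the crontab owner) rather than to the logfile.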
Imported comments
These were imported from my old blog. Please use disqus below for new comments
Kevin
on 2010-02-21 16:17:28
Since Jaunty, Ubuntu has out-of-the-box solutions for this. You'll even get offered automatic security updates during installation nowadays. Please go and use that instead of this manual hack - Remember this article was written in 2007 :)
Ed Weber
on 2010-02-04 21:24:50
A number of people reported failed updates due to path issues and ldconfig and other programs not being found. Does this article need to be updated accordingly?
Stephen
on 2010-01-17 17:43:44
I have just tried running this manually with the addition to fire me an email once completed. This particular machine had NEVER been updated since I installed it (Due to laziness) so I figured the automatic approach would be good. However, I got a minor FAIL after updating Samba.
I copy/pasted the cron line (Excluding the times), executed, waited, and waited… Opened another shell the box and noticed that dpkg was still running with high (but varying) CPU use and new PIDs. Excellent. However, after all was done, load dropped, my prompt was not returning, so wondering WTH?
Pressed ENTER a few times in the shell running the script, waited a few seconds, then found in the email:
Package configuration Samba Server
A new version of configuration file /etc/samba/smb.conf is available, but the version installed currently has been locally modified. What would you like to do about smb.conf?
install the package maintainer's version
keep the local version currently installed
show the differences between the versions
show a side-by-side difference between the versions
show a 3-way difference between available versions
do a 3-way merge between available versions (experimental)
start a new shell to examine the situation
So really, I don't know which option I selected. There was a bunch of extra ANSI cursor control characters in the email as well, so I can only assume that the option was a highlight bar, and I don't know what option I selected. ;)
This presents two problems.
First, this will never complete as something in the install script is asking for user input, and from watching TOP, I couldn't exactly tell what specifically.
Second, updates won't continue because the system will see that there is a lock file and won't continue to update.
Han
on 2010-01-17 13:03:37
How do you like this solution?
~% cat /etc/cron.daily/automaticUpdates
#!/bin/sh
exec >> /var/log/auto_update.log 2>&1
if /usr/bin/aptitude update; then
/usr/bin/aptitude -y safe-upgrade
fi
Kevin
on 2009-12-13 17:41:39
@ Johan Barelds: They didn't at the time, but do now for security updates: https://help.ubuntu.com/community/AutomaticSecurityUpdates
Which I think is great.
Johan Barelds
on 2009-12-09 10:40:22
Good article Kevin! I still find it amazing that Ubuntu (who is aiming for enterprise users) don't deliver a decent out-of-the-box auto-update mechanism.
But for that they have Kevin..:-)
Kevin
on 2009-11-08 14:47:56
@ Sid: sudo can't handle that syntax. Leave out either sudo or those parentheses
Sid
on 2009-11-04 10:30:58
On Ubuntu 9.04 (Jaunty) server, I executed
sudo (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) 2>&1 >> /var/log/auto_update.log
and getting the following error:
-bash: syntax error near unexpected token `/usr/bin/aptitude'
Is it because it's not meant to be executed like that?
Kevin
on 2009-09-17 12:13:39
@ Enrico: Well, I already set up my crontab as root, so for me there was no need, but yeah, you could do it that way as well. The user is optional.
@ Ron: For untrusted packages something like this should work:
aptitude -o Aptitude::Cmdline::ignore-trust-violations=true -y update
Ron
on 2009-09-10 16:10:58
Great article and just what I need BUT a problem:
System = Ubuntu 9.04
Log shows following:
************* clip *************
Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.
wine-gecko
Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": Abort.
********** end clip **************
Problem is that the -y does not answer yes to the last prompt and the update just sits.
I confirmed this by running the commands manually in terminal … it needs a "yes" and does not respond to a "y"
Enrico
on 2009-09-09 12:53:30
Nice article, it helped me a lot. But shouldn't crontab require the user executing the scheduled command? maybe the line should be like this….
0 1 * * * root (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) 2>&1 >> /var/log/auto_update.log
In my Ubuntu system I also had to "touch /var/log/auto_update.log"
Am I on the light side of the Force or maybe too much tired? ;)
Kevin
on 2009-02-25 16:33:51
@ Mike: Yeah that's often true. Full paths to the binaries should work as well
Mike
on 2009-02-22 08:50:24
I think I need to amend this to run a script instead as I get the following in my auto_update.log:
dpkg: `ldconfig' not found on PATH.
dpkg: `start-stop-daemon' not found on PATH.
dpkg: `install-info' not found on PATH.
dpkg: `update-rc.d' not found on PATH.
dpkg: 4 expected program(s) not found on PATH.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
Looking around on the net it looks like my solution is a script that begins like this:
#!/bin/bash
PATH="$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
At least (I am hoping that this will work) …
Tichy
on 2009-02-15 12:46:44
Very helpful article for a n00b, thank you :)
Kevin
on 2008-07-18 08:20:28
@ Jonas: Thanks for letting me know. I've updated the article according to your notes.
Jonas
on 2008-07-01 16:51:40
Very useful article - thanks.
Note that the "upgrade" option has been deprecated in favor of "safe-upgrade" (which aptitude was kind enough to let me know when I ran your command).
Kevin
on 2008-05-17 15:18:22
@ gasull: You have to specify what language. text or bash would do the trick. But your point is clear, I'll update the article! Thanks
gasull
on 2008-05-17 01:57:01
sudo crontab -e
alex
on 2007-08-17 20:59:43
P.S. I usually include "aptitude clean" as well as all the traffic goes through apt-cacher.
alex
on 2007-08-17 20:56:51
You may use "&>" to redirect both stdout and stderr.
Kevin
on 2007-08-08 18:27:45
Hi Tim, because aptitude has better dependency resolving capabilities.
Tim
on 2007-08-08 17:54:59
This may be a stupid question, but why do you use aptitude and not apt-get?
Ubuwu
on 2007-07-31 00:36:04
If you only want security updates, it is easier to just install the unattended-upgrades package.
Kevin
on 2007-07-30 15:57:36
Hi Ross, no problem. I don't use wordpress, I wrote this blogging tool myself. Cheers!
Ross
on 2007-07-30 13:12:15
heya -
Sorry to abuse your comment form like this but I couldn't find an (obvious) 'contact me' link.. For your "Links" section (http://kevin.vanzonneveld.net/links/) do you use a wordpress plugin for that? If so, which one? Cheers!