Schedule Automatic Updates on Ubuntu

Keeping your system up to date is key to its security. Ubuntu also releases updates pretty often, and you probably don't want to miss out on added stability and features. You could run updates manually, but why not schedule them in the background so you are always running the latest stable versions without ever having to worry about it?

Update

This article was written before Ubuntu's unattended-upgrades existed. Consider using that instead.

Crontab

The crontab command, found in Unix and Unix-like operating systems, is used to schedule commands to be executed periodically. To see which jobs are currently scheduled in root's crontab, open a terminal and run:

$ sudo crontab -l

To edit the list of cronjobs you can run:

$ sudo crontab -e

This will open the default editor (it could be vi or nano; you can change the default editor if you want) so we can edit the crontab. When you save and exit the editor, all your cronjobs are saved into the crontab. Cronjobs are written in the following format:

* * * * * /bin/execute/this/script.sh

If you want to know more about crontab, I've written another article: Schedule tasks on Linux using crontab

Updating with aptitude

I always used apt-get to update systems, but I found out that aptitude has better dependency solving capabilities. So let's also use aptitude for this; it comes preinstalled. Normally I would run something like this from a terminal:

$ aptitude update # gets information on the latest packages
$ aptitude dist-upgrade # upgrades every package (kernel too)

Making it cron-ready

We need to make some adjustments to the aptitude command to make it suitable to run in the background:

  • It should not have to wait on user confirmation, because it isn't getting any ; )
  • It should not automatically update kernels (this is still something you should do manually)
  • It should log to a file so you can keep track of it
  • It should not proceed with an upgrade if the update failed
  • It should be prefixed with a full path, because cron often runs without the usual environment variables

The following command handles all of the above in just one line:

(/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) >> /var/log/auto_update.log 2>&1

Explained

  • -y answers yes to all questions so that takes care of the user confirmation
  • changing dist-upgrade to safe-upgrade will skip kernel updates
  • >> /var/log/auto_update.log 2>&1 appends all messages (standard (1) and errors (2)) to a logfile. The order matters: 2>&1 has to come after the file redirection, otherwise errors go to wherever standard output pointed before and never reach the logfile
  • && links two commands together, but will not execute the second if the first one failed.

Combined: an aptitude cronjob

We'll link everything together now. Open your crontab editor:

$ sudo crontab -e

And to execute our upgrade every night at 1 AM, type:

0 1 * * * (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) >> /var/log/auto_update.log 2>&1

Save and exit your editor, and you are all set! You could check the logfile /var/log/auto_update.log every once in a while to see if everything is still running smoothly.
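The cron one-liner above written as a script function, as an added example that is not part of the original article: it goes a little further by timestamping each run and recording the exit status, and it contrasts the two possible redirection orders. The names run_updates, run_updates_swapped, fake_apt, fake_apt_broken and demo are hypothetical, and the fake_apt functions are constructed stand-ins for /usr/bin/aptitude so the logic can be run without touching the package database.

```shell
#!/bin/sh
# Added example. In a real cron script the last line would instead be:
#   run_updates /var/log/auto_update.log /usr/bin/aptitude

# run_updates LOGFILE APTITUDE: update, then safe-upgrade only if update succeeded.
run_updates() {
    {
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') start"
        if "$2" -y update && "$2" -y safe-upgrade; then rc=0; else rc=$?; fi
        echo "=== $(date '+%Y-%m-%d %H:%M:%S') exit status $rc"
    } >> "$1" 2>&1    # file first, then 2>&1: stdout AND stderr reach the log
    return "$rc"
}

# Same job with the redirections swapped, for comparison: 2>&1 points stderr at
# the current stdout (under cron, the mail to the owner), and only afterwards
# is stdout moved to the file, so error messages never reach the log.
run_updates_swapped() {
    { "$2" -y update && "$2" -y safe-upgrade; } 2>&1 >> "$1"
}

# Constructed stand-ins for aptitude (hypothetical, for the demo only): each
# writes one line per stream; fake_apt_broken also fails on "update".
fake_apt()        { echo "out: $2"; echo "err: $2" >&2; }
fake_apt_broken() { fake_apt "$@"; [ "$2" != update ]; }

# Simulate a night where "update" fails and show what each variant logged.
demo() {
    d=$(mktemp -d) || return 1
    status=0; run_updates "$d/good.log" fake_apt_broken || status=$?
    echo "wrapper exit status: $status"
    mailed=$(run_updates_swapped "$d/bad.log" fake_apt_broken) || true
    echo "--- log, correct order:";    cat "$d/good.log"
    echo "--- log, swapped order:";    cat "$d/bad.log"
    echo "--- left for cron to mail:"; echo "$mailed"
    rm -rf "$d"
}
demo
```

With the swapped order the logfile looks clean on a night when the update failed, which is the case where the log is needed most.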