Schedule Automatic Updates on Ubuntu
Author: Kevin van Zonneveld (@kvz)
Keeping your system up to date is key to its security. Ubuntu also releases updates pretty often, and you probably don't want to miss out on added stability and features. You could run updates manually, but why not schedule them in the background so that you are always running the latest stable versions without ever having to worry about it?
Update
This article was written before Ubuntu's unattended-upgrades existed. Consider using that instead.
Crontab
The crontab command, found in Unix and Unix-like operating systems, is used to schedule commands to be executed periodically. To see which cronjobs are currently scheduled for root on your system, you can open a terminal and run:
$ sudo crontab -l
To edit the list of cronjobs you can run:
$ sudo crontab -e
This will open the default editor (could be vi or nano, if you want you can
change the default editor) to let us manipulate the crontab.
If you save and exit the editor, all your cronjobs are saved into crontab. Cronjobs are written in the following format:
* * * * * /bin/execute/this/script.sh
If you want to know more about crontab, I've written another article: Schedule tasks on Linux using crontab
Updating With Aptitude
I always used apt-get to update systems, but I found out that aptitude has
better dependency-solving capabilities. So let's use aptitude for this as well; it
comes preinstalled. Normally I would run something like this from a terminal:
$ aptitude update # gets information on the latest packages
$ aptitude dist-upgrade # upgrades every package (kernel too)
Making It Cron-Ready
We need to make some adjustments to the aptitude command to make it suitable to run in the background:
- It should not have to wait on user confirmation, because it isn't getting any ; )
- It should not automatically update kernels (this is still something you should do manually)
- It should log to a file so you can keep track of it
- It should not proceed with an upgrade if the update failed
- It should be prefixed with a full path, because cron often works without environment variables
The following command takes on all of the above challenges in just one line:
(/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) >> /var/log/auto_update.log 2>&1
Explained
- -y answers yes to all questions, so that takes care of the user confirmation
- changing dist-upgrade to safe-upgrade will skip kernel updates
- >> /var/log/auto_update.log 2>&1 forwards all messages (errors (2) and standard (1)) to a logfile. The order matters: the file redirect has to come first, because 2>&1 points stderr at wherever stdout points at that moment; written the other way round, errors would bypass the logfile
- && links two commands together, but will not execute the second if the first one failed
Combined: An Aptitude Cronjob
We'll link everything together now. Open your crontab editor:
$ sudo crontab -e
And to execute our upgrade every night at 1 AM, type:
0 1 * * * (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) >> /var/log/auto_update.log 2>&1
Save and exit your editor, and you are all set! You could check the logfile
/var/log/auto_update.log every once in a while to see if everything is still
running smoothly.
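The requirements listed under Making It Cron-Ready, written out as a script instead of a one-liner. This is an added example, not the author's code: the APTITUDE and LOG overrides, the --run switch and the /usr/local/sbin/auto_update.sh path are assumptions of the example, and DEBIAN_FRONTEND=noninteractive is added so that debconf dialogs take their defaults.

```shell
#!/bin/sh
# Added example, not the article's code: the cron one-liner as a script.
# APTITUDE and LOG are overridable (an assumption of this example) so the
# logic can be exercised with a stand-in command; defaults are the article's.

auto_update() {
    apt_bin="${APTITUDE:-/usr/bin/aptitude}"
    log="${LOG:-/var/log/auto_update.log}"
    (
        # cron starts jobs with a minimal environment; dpkg's maintainer
        # scripts need the sbin directories to find ldconfig and friends.
        PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
        # Nobody is there to answer debconf dialogs, so take the defaults.
        DEBIAN_FRONTEND=noninteractive
        export PATH DEBIAN_FRONTEND

        echo "== $(date '+%Y-%m-%d %H:%M:%S') auto_update start"
        # Only upgrade against package lists that were fetched successfully.
        if ! "$apt_bin" -y update; then
            echo "== update failed, safe-upgrade skipped"
            exit 1
        fi
        if ! "$apt_bin" -y safe-upgrade; then
            echo "== safe-upgrade failed"
            exit 2
        fi
        echo "== auto_update finished"
    # stdin from /dev/null: an unexpected prompt reads EOF instead of waiting.
    # File redirect first, then 2>&1, so stderr follows stdout into the log.
    ) </dev/null >> "$log" 2>&1
}

# Hypothetical invocation from root's crontab:
#   0 1 * * * /usr/local/sbin/auto_update.sh --run
if [ "${1:-}" = "--run" ]; then
    auto_update
fi
```

The function's exit status is 0 on success, 1 when the update step failed and 2 when the upgrade step failed, so a monitoring check can tell the two apart.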
Legacy Comments (25)
These comments were imported from the previous blog system (Disqus).
heya -
Sorry to abuse your comment form like this but I couldn't find an (obvious) 'contact me' link.. For your "Links" section (http://kevin.vanzonneveld.n... do you use a wordpress plugin for that? If so, which one? Cheers!
Hi Ross, no problem. I don't use wordpress, I wrote this blogging tool myself. Cheers!
If you only want security updates, it is easier to just install the unattended-upgrades package.
This may be a stupid question, but why do you use aptitude and not apt-get?
Hi Tim, because aptitude has better dependency resolving capabilities.
You may use "&>" to redirect both stdout and stderr.
P.S. I usually include "aptitude clean" as well as all the traffic goes through apt-cacher.
[code]sudo crontab -e[/code]
@ gasull: You have to specify what language. text or bash would do the trick. But your point is clear, I'll update the article! Thanks
Very useful article - thanks.
Note that the "upgrade" option has been deprecated in favor of "safe-upgrade" (which aptitude was kind enough to let me know when I ran your command).
@ Jonas: Thanks for letting me know. I've updated the article according to your notes.
Very helpful article for a n00b, thank you :)
I think I need to amend this to run a script instead as I get the following in my auto_update.log:
dpkg: `ldconfig' not found on PATH.
dpkg: `start-stop-daemon' not found on PATH.
dpkg: `install-info' not found on PATH.
dpkg: `update-rc.d' not found on PATH.
dpkg: 4 expected program(s) not found on PATH.
NB: root's PATH should usually contain /usr/local/sbin, /usr/sbin and /sbin.
Looking around on the net it looks like my solution is a script that begins like this:
#!/bin/bash
PATH="$PATH:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/bin:/sbin"
At least (I am hoping that this will work) ...
@ Mike: Yeah that's often true. Full paths to the binaries should work as well
Nice article, it helped me a lot. But shouldn't crontab require the user executing the scheduled command? Maybe the line should be like this....
0 1 * * * root (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) 2>&1 >> /var/log/auto_update.log
In my Ubuntu system I also had to " touch /var/log/auto_update.log"
Am I on the light side of the Force or maybe too much tired? ;)
Great article and just what I need BUT a problem:
System = Ubuntu 9.04
Log shows following:
************* clip *************
Untrusted packages could compromise your system's security.
You should only proceed with the installation if you are certain that
this is what you want to do.
wine-gecko
Do you want to ignore this warning and proceed anyway?
To continue, enter "Yes"; to abort, enter "No": Abort.
********** end clip **************
Problem is that the -y does not answer yes to the last prompt and the update just sits.
I confirmed this by running the commands manually in terminal ... it needs a " yes " and does not respond to a " y "
@ Enrico: Well I already setup my crontab as root, so for me there was no need, but yeah you could do it that way as well. The user is optional.
@ Ron: For untrusted packages something like this should work:
[CODE="BASH"]
aptitude -o Aptitude::Cmdline::ignore-trust-violations=true -y update
[/CODE]
on Ubuntu 9.04 (Jaunty) server, I executed
sudo (/usr/bin/aptitude -y update && /usr/bin/aptitude -y safe-upgrade) 2>&1 >> /var/log/auto_update.log
and getting the following error:
-bash: syntax error near unexpected token `/usr/bin/aptitude'
Is it because it's not meant to be executed like that?
@ Sid: sudo can't handle that syntax. leave out either sudo or those parentheses
Good article Kevin! I still find it amazing that Ubuntu (who is aiming for enterprise users) don't deliver a decent out-of-the-box auto-update mechanism.
But for that they have Kevin..:-)
@ Johan Barelds: They didn't at the time, but do now for security updates: https://help.ubuntu.com/com...
Which I think is great.
How do you like this solution?
~% cat /etc/cron.daily/automaticUpdates
#!/bin/sh
exec >> /var/log/auto_update.log 2>&1
if /usr/bin/aptitude update; then
    /usr/bin/aptitude -y safe-upgrade
fi
I have just tried running this manually with the addition to fire me an email once completed. This particular machine had NEVER been updated since I installed it (Due to laziness) so I figured the automatic approach would be good. However, I got a minor FAIL after updating Samba.
I copy/pasted the cron line (Excluding the times), executed, waited, and waited... Opened another shell the box and noticed that dpkg was still running with high (but varying) CPU use and new PIDs. Excellent. However, after all was done, load dropped, my prompt was not returning, so wondering WTH?
Pressed ENTER a few times in the shell running the script, waited a few seconds, then found in the email:
Package configuration Samba Server
A new version of configuration file /etc/samba/smb.conf is available, but the version installed currently has been locally modified. What would you like to do about smb.conf?
install the package maintainer's version
keep the local version currently installed
show the differences between the versions
show a side-by-side difference between the versions
show a 3-way difference between available versions
do a 3-way merge between available versions (experimental)
start a new shell to examine the situation
So really, I don't know which option I selected. There was a bunch of extra ANSI cursor control characters in the email as well, so I can only assume that the option was a highlight bar, and I don't know what option I selected. ;)
This presents two problems.
First, this will never complete as something in the install script is asking for user input, and from watching TOP, I couldn't exactly tell what specifically.
Second, updates won't continue because the system will see that there is a lock file and won't continue to update.
A number of people reported failed updates due to path issues and ldconfig and other programs not being found. Does this article need to be updated accordingly?
Since Jaunty, Ubuntu has out of the box solutions for this. You'll even get offered automatic security updates during installation nowadays. Please go and use that instead of this manual hack - Remember this article was written in 2007 :)