Keeping on top of your systems security updates is one important step in a defense in depth strategy for your solution. Security best practices indicate security updates should be applied within 30 days of being released.
While I prefer to test any and all updates in a test environment before deploying to production just in case the updates break existing functionality, some system administrators prefer to have the updates applied automatically nightly or weekly. The school of thought behind this is automatic updates are applied quickly, more often, and generally more consistently than they would be if done manually.
Also, its important to ensure that you are excluding any packages that may be critical to your system, such as the kernel or perhaps MySQL. Configuring the package exclusion list is shown below.
Please keep in mind, in rare cases, system updates have been known to cause problems. So you should be cautious with any type of automatic updates, especially on production systems, and fully understand the risks involved before proceeding.
To enable automatic updates, first install the unattended-upgrades package:
[root@web01 ~]# apt-get install unattended-upgrades
Now run the interactive dialog to configure /etc/apt/apt.conf.d/20auto-upgrades. Be sure to answer ‘Yes’ to automatically download and install stable updates.
[root@web01 ~]# dpkg-reconfigure --priority=low unattended-upgrades
The main configuration files resides in /etc/apt/apt.conf.d/50unattended-upgrades. You have a choice of what types of updates you want. The default are ‘security’ updates only. But your choices are:
security - just security related updates (default) updates - other updates, for example bug fixes that don't affect security proposed - "beta" channel for updates before they are considered final (not recommended) backports - selected feature updates from later Ubuntu releases (not recommended)
So to enable both security updates, and bug fixes, enable them by:
[root@web01 ~]# vim /etc/apt/apt.conf.d/50unattended-upgrades
...
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
...
If you wish to exclude packages from automatic updates, you can add the following to the configuration:
[root@web01 ~]# vim /etc/apt/apt.conf.d/50unattended-upgrades
...
Unattended-Upgrade::Package-Blacklist {
"mysql55*";
"kernel";
};
...
More information on the options available can be found within:
[root@web01 ~]# cat /etc/apt/apt.conf.d/20auto-upgrades [root@web01 ~]# cat /etc/cron.daily/apt