My current favorite is the "unattended-upgrades" package approach.
Although these tutorials are written for Ubuntu, they should apply to Debian pretty much without big changes.
In a nutshell, it should work like this:
1) Install the "unattended-upgrades" package:
Code: Select all
$ sudo apt-get install unattended-upgrades
2) Only security updates:
I want only security packages to be installed (no updates of other packages, even if considered "stable"):
In my setup (Ubuntu Server 12.04.1), that was already the default.Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
3) Mail notification:
Tell it where to send mails to:
This is very useful (=necessary) for you to keep aware of what's happening (or causing trouble) on your system.Unattended-Upgrade::Mail "your_address@example.org";
4) Enable automatic updates:
Code: Select all
$ sudo dpkg-reconfigure -plow unattended-upgrades
Some sources suggest putting this manually in "/etc/apt/apt.conf.d/10periodic", but I think it's cleaner to use the dpkg-reconfigure function.APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
5) Set update interval:
If will find short notes about the "APT::Periodic::Unattended-Upgrade" option (and others) in "/etc/cron.daily/apt".
There it says:
This means, by default unattended-upgrades are run once every day, but if you increase the value above to, for example "3", it will only run every 3 days.# APT::Periodic::Unattended-Upgrade "0";
# - Run the "unattended-upgrade" security upgrade script
# every n-days (0=disabled)
# Requires the package "unattended-upgrades" and will write
# a log in /var/log/unattended-upgrades
6) Verify your configuration:
You can manually execute unattended-upgrades with the argument "--dry-run", to see if everything "would" be the way you want it:
Code: Select all
$ sudo unattended-upgrade -d --dry-run
Output will be stored in "/var/log/unattended-upgrades/unattended-upgrades.log".
Enjoy your new, auto-security-updated system!