Ubuntu Server: Automatic Updates

By default, Ubuntu 16.04 / 18.04 automatically installs security updates every day, but it does not install any other updates. This article reviews the auto-update mechanism of Ubuntu 16.04 / 18.04 and describes how to configure the system so that updates for all packages are installed automatically. Note: for simplicity, "Ubuntu" below refers to Ubuntu 16.04 / 18.04.

Pending updates at login

When we log in to the system remotely, the login banner reports pending updates, as in the screenshot in the original post:

The first highlighted line says that 149 packages can be updated; the second line says that 0 of them are security updates. The reason is that the default Ubuntu configuration installs security updates automatically every day and ignores all other updates. The rest of this article walks through the auto-update mechanism behind that behaviour.

Periodic update tasks

Ubuntu defines four systemd units by default to perform the update tasks:

/lib/systemd/system/apt-daily-upgrade.service
/lib/systemd/system/apt-daily-upgrade.timer
/lib/systemd/system/apt-daily.service
/lib/systemd/system/apt-daily.timer

apt-daily.timer and apt-daily-upgrade.timer are the two triggers; each starts its corresponding service, apt-daily.service and apt-daily-upgrade.service, at a fixed time every day. Both services are of type oneshot, meaning the unit counts as finished once its process exits. Both services actually run the same script, /usr/lib/apt/apt.systemd.daily: apt-daily.service passes it the argument "update", which checks for available updates and downloads the corresponding packages, while apt-daily-upgrade.service passes "install", which installs the updates and removes the locally cached packages.

apt-daily.timer fires twice a day by default, at 6:00 and 18:00, with a randomized delay of up to 12 hours added so that not every machine hits the mirrors at the same moment. You can set trigger times that suit your own workload; use systemctl edit apt-daily.timer so the change lands in an override file instead of the unit under /lib, where a package upgrade would overwrite it.
apt-daily-upgrade.timer fires once a day, at 6:00 by default (again with a randomized delay, up to one hour), and can likewise be moved to another time, such as midnight.

The apt.systemd.daily script

/usr/lib/apt/apt.systemd.daily performs the whole sequence of update-related work, which falls into two parts:

  • Check for updates and download the update packages
  • Install the updates and clean up the downloaded packages

The script reads its settings with the apt-config command, which returns the values configured in /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades, and uses those values to decide what to do. The most important configuration items are described below.

Interval, in days, between runs of apt-get update; the default is 1, and 0 means the step is never performed:

APT::Periodic::Update-Package-Lists "1";

Interval, in days, between runs of apt-get upgrade --download-only, which downloads the upgradeable packages without installing them; 0 means the step is never performed:

APT::Periodic::Download-Upgradeable-Packages "0";

Downloaded packages are cached in /var/cache/apt/archives/, and the later upgrade step reads them from that directory instead of fetching them from the network again.

Interval, in days, between runs of apt-get autoclean, which removes cached packages that are no longer needed; 0 means the step is never performed:

APT::Periodic::AutocleanInterval "0";

Interval, in days, between runs of unattended-upgrade, which installs the security updates (and, depending on its own configuration, other updates as well); 0 means the step is never performed:

APT::Periodic::Unattended-Upgrade "1";

These settings control how often each step runs and therefore the automatic update behaviour as a whole. Note that they only decide whether unattended-upgrade runs at all: with the default unattended-upgrades configuration it installs security updates only. Installing updates for all packages needs the additional configuration described in the following sections.

Before going further, let us look at the apt-config command used by the apt.systemd.daily script and at the configuration files the script depends on.

The apt-config command
apt-config is an internal command of the APT suite; scripts can use it to extract settings from /etc/apt/apt.conf and the fragments under /etc/apt/apt.conf.d.
For example, to read the value of APT::Periodic::Update-Package-Lists in a script:

#!/bin/bash
# Default used if the key is not set in any apt.conf.d fragment.
ABC=0
# "apt-config shell VAR KEY" prints VAR='value' for the key (nothing if
# the key is unset); eval turns that into a shell assignment.
eval $(apt-config shell ABC APT::Periodic::Update-Package-Lists)
echo ${ABC}

Afterwards the shell variable ABC holds the value of APT::Periodic::Update-Package-Lists (or the default 0 if the key is not set anywhere).

10periodic and 20auto-upgrades
/etc/apt/apt.conf.d/10periodic belongs to the update-notifier-common package:

$ dpkg-query -S /etc/apt/apt.conf.d/10periodic
update-notifier-common: /etc/apt/apt.conf.d/10periodic

In Ubuntu 16.04 and 18.04 the relevant settings in the two files are the same by default. The comments in apt.systemd.daily say the variables can be customized in /etc/apt/apt.conf.d/10periodic, and the script obtains them through apt-config. In practice, however, a variable set in /etc/apt/apt.conf.d/20auto-upgrades overrides the same variable in /etc/apt/apt.conf.d/10periodic: apt reads the fragments in /etc/apt/apt.conf.d in lexical filename order, and for the same key a later file wins over an earlier one.
On the desktop edition the GUI tool changes both files and keeps them consistent, so on the server edition it is best to edit both files and keep their contents identical as well.
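The precedence rule above can be checked without touching a live host. The following script is an added example, not code from the original post or from APT: it reproduces in plain sh how apt merges the apt.conf.d fragments (lexical filename order, last assignment wins) and runs it against two constructed files, 10periodic and 20auto-upgrades, that disagree on APT::Periodic::Unattended-Upgrade.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce how APT merges the
# fragments in /etc/apt/apt.conf.d. apt-config reads them in lexical
# filename order, so a key set in 20auto-upgrades overrides the same key
# in 10periodic. Only POSIX sh, grep, sed and mktemp are used, so it runs
# against constructed files in a temp dir without apt installed.

# Print the effective value of an APT::Periodic key. $1 = directory of
# apt.conf.d-style fragments, $2 = key name; prints nothing if unset.
effective_apt_periodic() {
    dir=$1; key=$2; value=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Lines beginning with // are comments; the last assignment in a
        # file wins, and a later file wins over an earlier one.
        v=$(grep -v '^[[:space:]]*//' "$f" |
            sed -n "s|^[[:space:]]*$key[[:space:]]*\"\([^\"]*\)\";.*|\1|p" |
            tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
}

# Constructed (not real) 10periodic and 20auto-upgrades that disagree on
# Unattended-Upgrade; prints the value apt would actually use.
demo_periodic_precedence() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "0";' > "$d/10periodic"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    effective_apt_periodic "$d" APT::Periodic::Unattended-Upgrade
    rm -rf "$d"
}
```

Pointing effective_apt_periodic at the real /etc/apt/apt.conf.d and comparing its output with eval $(apt-config shell V APT::Periodic::Unattended-Upgrade); echo $V is a quick way to confirm which file is actually in control on a given host.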

unattended-upgrades

Ubuntu actually installs updates automatically through the unattended-upgrade command, provided by the unattended-upgrades package. Ubuntu 16.04/18.04 install the package by default; if it is missing, install it with:

$ sudo apt install unattended-upgrades

The configuration file of unattended-upgrades is /etc/apt/apt.conf.d/50unattended-upgrades.
Note that unattended-upgrades can install not only security updates but updates for all packages. The default configuration installs security updates only; the configuration items described below decide which of the two you get.

unattended-upgrade was designed to be run periodically from cron, but on Ubuntu 16.04/18.04 it is triggered by a systemd timer unit that starts the corresponding service unit.
Its log files are kept under /var/log/unattended-upgrades.

One common use of the unattended-upgrade command is to check what it would install without changing anything:

$ sudo unattended-upgrade --dry-run

The other is to actually install the updates:

$ sudo unattended-upgrade

When apt.systemd.daily runs unattended-upgrade, the update packages have already been downloaded to the cache directory (/var/cache/apt/archives), so they are installed straight from the cache.

The 50unattended-upgrades configuration file
The default configuration in 50unattended-upgrades installs security updates only:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

To install updates for all packages automatically, uncomment the following line (the -updates pocket). Leave -proposed and -backports commented out: -proposed is the pre-release testing pocket and -backports carries newer upstream versions, neither of which belongs in an unattended run on a server.
"${distro_id}:${distro_codename}-updates";
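Because a single leading // decides whether a pocket is active, it is worth being able to read the effective origin list back from the file. The script below is an added example, not code from the original post or from the unattended-upgrades project: it parses the Unattended-Upgrade::Allowed-Origins block of a 50unattended-upgrades-style file, skips commented lines, expands ${distro_id} and ${distro_codename} from arguments you pass (the tool itself fills them from lsb_release), and reports whether the -updates pocket is active. The two files it builds in demo_allowed_origins are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): list the origins that are
# active in a 50unattended-upgrades-style file, i.e. the pockets that
# unattended-upgrade would actually install from. Lines in the
# Unattended-Upgrade::Allowed-Origins block that start with // are
# comments and are skipped; ${distro_id} and ${distro_codename} are
# expanded from the arguments the way the tool fills them from lsb_release.
# Only POSIX sh, awk, sed and grep are used, so it runs without apt.

# $1 = config file, $2 = distro id (e.g. Ubuntu), $3 = codename (e.g. bionic)
active_origins() {
    awk -v id="$2" -v code="$3" '
        /Unattended-Upgrade::Allowed-Origins/ { inblock = 1; next }
        inblock && /^[[:space:]]*};/          { inblock = 0; next }
        inblock && /^[[:space:]]*\/\//        { next }
        inblock && match($0, /"[^"]*"/) {
            o = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/[$][{]distro_id[}]/, id, o)
            gsub(/[$][{]distro_codename[}]/, code, o)
            print o
        }' "$1"
}

# Exit 0 if the -updates pocket is active (all updates get installed),
# 1 if only the security/ESM pockets are (the Ubuntu default).
updates_pocket_enabled() {
    active_origins "$1" "$2" "$3" | grep -qx "$2:$3-updates"
}

# Constructed copy of the stock block, then the same file with the
# -updates line uncommented, written to a temp dir for the demo.
demo_allowed_origins() {
    d=$(mktemp -d)
    cat > "$d/default" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
EOF
    sed 's|^//\(.*-updates.*\)|  \1|' "$d/default" > "$d/all"
    for f in default all; do
        if updates_pocket_enabled "$d/$f" Ubuntu bionic; then
            echo "$f: all updates"
        else
            echo "$f: security only"
        fi
    done
    rm -rf "$d"
}
```

On a real host, active_origins /etc/apt/apt.conf.d/50unattended-upgrades Ubuntu "$(lsb_release -cs)" should agree with the "Allowed origins are:" line that unattended-upgrade writes to its log; a mismatch usually means a later apt.conf.d fragment redefines the block.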

We can also keep a blacklist of packages that must never be updated automatically:

Unattended-Upgrade::Package-Blacklist {
      "vim";
      "libc6";
      "libc6-dev";
      "libc6-i686";
};

The following options remove packages that are no longer needed once an update has been installed:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Some updates require a reboot, and by default the system is not rebooted. The following setting allows it (if a reboot is needed, the system reboots immediately after the update finishes):

Unattended-Upgrade::Automatic-Reboot "true";

In most cases, though, we would rather choose the time of the reboot ourselves (if a reboot is needed, it happens at the time given below):

Unattended-Upgrade::Automatic-Reboot-Time "02:38";

What if an error occurs during the update? Notify the administrator, of course. The following settings send mail to the administrator, and only when something goes wrong:

Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailOnlyOnError "true";

Note: to send mail, the host needs a mail command such as mailx and a working mail transfer agent; without them no notification goes out.

Disabling automatic updates

If the host runs in an isolated environment with no reachable update source, you may choose to turn automatic updates off. Keep in mind that this also stops the daily security updates, so some other patching route (a local mirror, or scheduled maintenance windows) is needed. The preferred method is to stop and disable the related units; afterwards, systemctl list-timers --all 'apt-daily*' should show no next run time for either timer:

$ sudo systemctl stop apt-daily.service
$ sudo systemctl stop apt-daily.timer
$ sudo systemctl stop apt-daily-upgrade.service
$ sudo systemctl stop apt-daily-upgrade.timer
$ sudo systemctl disable apt-daily.service
$ sudo systemctl disable apt-daily.timer
$ sudo systemctl disable apt-daily-upgrade.service
$ sudo systemctl disable apt-daily-upgrade.timer

Alternatively, change the configuration of the periodic task, editing /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades together, from

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

to

APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";

Troubleshooting

Because apt.systemd.daily calls both apt-get and unattended-upgrade, the relevant logs are spread over several places. apt-get logs under /var/log/apt, and unattended-upgrade logs under /var/log/unattended-upgrades (unattended-upgrades.log for the tool's own decisions and unattended-upgrades-dpkg.log for the dpkg output). The systemd journal for the two services (journalctl -u apt-daily.service and journalctl -u apt-daily-upgrade.service) shows whether the timers fired at all.
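The decision log is the file to read first when a host seems not to be getting updates. The script below is an added example, not code from the original post or from the unattended-upgrades project: it summarises an unattended-upgrades.log (number of runs, the package list of the last run that installed something, and every WARNING/ERROR line) and offers a pass/fail check for monitoring. The sample lines in demo_uu_log are constructed to follow the "<date> <time> <LEVEL> <message>" layout the tool writes through Python logging; compare the message patterns against your own log before relying on them.

```shell
#!/bin/sh
# Added example (not from the original post): summarise
# /var/log/unattended-upgrades/unattended-upgrades.log so a failed or
# empty run is noticed. The lines in demo_uu_log() are constructed in the
# "<date> <time> <LEVEL> <message>" layout the tool uses; check the
# message texts against a real log before using the patterns in production.

# $1 = log file. Prints: number of runs, packages named in the last
# "Packages that will be upgraded" line, and every WARNING/ERROR line.
summarise_uu_log() {
    runs=$(grep -c 'Starting unattended upgrades script' "$1" || true)
    pkgs=$(sed -n 's/.*Packages that will be upgraded: *//p' "$1" | tail -n 1)
    printf 'runs=%s\n' "$runs"
    printf 'last_upgraded=%s\n' "${pkgs:-none}"
    grep -E '^[^ ]+ [^ ]+ (WARNING|ERROR) ' "$1" | sed 's/^/problem: /'
    return 0
}

# Exit 0 if the log contains no WARNING/ERROR line, 1 otherwise, so the
# function can drive a monitoring check.
uu_log_clean() {
    ! grep -qE '^[^ ]+ [^ ]+ (WARNING|ERROR) ' "$1"
}

# Constructed sample log (not taken from a real host): one run that
# installed two packages, one run with nothing to do and a warning.
demo_uu_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2019-08-19 06:52:08,370 INFO Starting unattended upgrades script
2019-08-19 06:52:08,371 INFO Allowed origins are: ['o=Ubuntu,a=bionic', 'o=Ubuntu,a=bionic-security', 'o=UbuntuESM,a=bionic']
2019-08-19 06:52:14,102 INFO Packages that will be upgraded: libssl1.1 openssl
2019-08-19 06:52:40,911 INFO All upgrades installed
2019-08-20 06:41:02,004 INFO Starting unattended upgrades script
2019-08-20 06:41:05,220 WARNING Package openssh-server is held back, not upgrading
2019-08-20 06:41:05,900 INFO No packages found that can be upgraded unattended and no pending auto-removals
EOF
    summarise_uu_log "$f"
    rm -f "$f"
}
```

A log in which the run count stops increasing while the timers are still scheduled points at the APT::Periodic settings or the Allowed-Origins block rather than at the timers; a log that keeps reporting "no packages found" on a host that the login banner says has pending updates almost always means only the security pocket is allowed.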



Origin www.cnblogs.com/sparkdev/p/11376560.html