Automatic system updates on Ubuntu Server

The system needs to be updated

When we log in to the system remotely, we receive an update-related message like the one shown below:

The first line in the red box says that 149 packages need to be updated. The second line says that none of them are security-related updates. This is because the default Ubuntu configuration automatically installs security updates every day and ignores the other updates. Next we introduce the automatic update mechanism in Ubuntu.

Running update tasks on a schedule

By default Ubuntu defines four systemd units to perform the update tasks:

/lib/systemd/system/apt-daily-upgrade.service
/lib/systemd/system/apt-daily-upgrade.timer
/lib/systemd/system/apt-daily.service
/lib/systemd/system/apt-daily.timer

apt-daily.timer and apt-daily-upgrade.timer are the two triggers; they start apt-daily.service and apt-daily-upgrade.service respectively at specified times every day. Both services are of type oneshot, meaning the service process exits once its task is complete. In fact, both services call the same script: /usr/lib/apt/apt.systemd.daily. apt-daily.service passes the argument "update" to the script, which checks for system updates and downloads the corresponding update packages. apt-daily-upgrade.service passes the argument "install", which installs the updates and deletes the locally cached update packages.

By default apt-daily.timer triggers twice a day, at 6:00 and 18:00, mainly to relieve download pressure on the server side. We can set a trigger time that suits the characteristics of our own workload.
apt-daily-upgrade.service is triggered once a day by default; we can set it to another time as well, such as 6:00 in the early morning.
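
One way to change a trigger time is a systemd drop-in rather than editing the files under /lib/systemd/system. The following is an added example, not part of the original article: the function name write_timer_override, the ROOT prefix argument, and the 06:00 / 30m values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: write a drop-in that moves an APT timer to a fixed time.
# write_timer_override ROOT UNIT ONCALENDAR DELAY
#   ROOT is a path prefix: "" on a real host, a scratch directory for a dry run.
#   Prints the path of the drop-in file it wrote.
write_timer_override() {
    root=$1 unit=$2 when=$3 delay=$4
    dropin="$root/etc/systemd/system/$unit.d"
    mkdir -p "$dropin"
    cat > "$dropin/override.conf" <<EOF
[Timer]
# The empty assignment clears the schedule shipped in /lib/systemd/system/$unit;
# without it the new OnCalendar= would be added to the existing one.
OnCalendar=
OnCalendar=$when
RandomizedDelaySec=$delay
EOF
    printf '%s\n' "$dropin/override.conf"
}

# Dry run into a scratch directory (constructed values: 06:00, 30 minute spread).
scratch=$(mktemp -d)
conf=$(write_timer_override "$scratch" apt-daily-upgrade.timer '*-*-* 06:00' 30m)
cat "$conf"
rm -rf "$scratch"

# On a real host, call it as root with ROOT="" and then run:
#   systemctl daemon-reload
#   systemctl list-timers 'apt-daily*'
```
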

apt.systemd.daily script

The /usr/lib/apt/apt.systemd.daily script is responsible for the whole series of update-related tasks, which fall into two parts:
• check for updates and download the update package
• install the update and clean up the update package

The apt.systemd.daily script calls the apt-config command to read variables from the /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades files, and uses the values of these variables to control the system's update policy. Here we introduce some of the more important configuration items.

Interval in days between runs of apt-get update; the default is 1 day, and 0 means the operation is not performed:

APT::Periodic::Update-Package-Lists "1";

Interval in days between runs of apt-get upgrade --download-only, which downloads the update packages; 0 means the operation is not performed:

APT::Periodic::Download-Upgradeable-Packages "0";

Downloaded update packages are cached in the /var/cache/apt/archives/ directory. When an upgrade is performed, the package files are read directly from this cache directory instead of being downloaded from the Internet.

Interval in days between runs of apt-get autoclean, which clears update packages that are no longer needed; 0 means the operation is not performed:

APT::Periodic::AutocleanInterval "0";

Interval in days between runs of unattended-upgrade, which performs system security updates (or other package updates); 0 means the operation is not performed:

APT::Periodic::Unattended-Upgrade "1";

With these settings we can control the frequency and behavior of automatic updates. Note that the configuration above installs only security updates; installing updates for all packages requires further configuration, which we describe in the following sections.

Before continuing, let us first look at the apt-config command used by the apt.systemd.daily script and the configuration files the script depends on.

apt-config command
apt-config is an internal command used by the APT package suite; a script can use it to extract settings from the configuration files under the /etc/apt/apt.conf.d directory.
For example, to get the value of APT::Periodic::Update-Package-Lists in a script, you can use the following code:

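#!/bin/bash
# Default used when the option is not set in any APT configuration file
ABC=0
# apt-config prints a shell assignment for ABC, which eval then applies
eval "$(apt-config shell ABC APT::Periodic::Update-Package-Lists)"
echo "${ABC}"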

After this runs, the variable ABC in the script holds the value of APT::Periodic::Update-Package-Lists.

10periodic and 20auto-upgrades
/etc/apt/apt.conf.d/10periodic is a configuration file of update-notifier-common:

$ dpkg-query -S /etc/apt/apt.conf.d/10periodic
update-notifier-common: /etc/apt/apt.conf.d/10periodic

In Ubuntu 16.04 and 18.04, the default contents of the two files are the same. The comments in the apt.systemd.daily script say that we can customize the relevant variable values through the /etc/apt/apt.conf.d/10periodic file, and the script obtains the values of these variables with the apt-config command. The observed result, however, is that variables in /etc/apt/apt.conf.d/20auto-upgrades override the variables in /etc/apt/apt.conf.d/10periodic. It appears that apt-config reads the files in file-name order, so variables in a later file override those in an earlier file.
In the desktop version, when the related variables are modified through the GUI program, both files are modified and kept consistent, so in the server version we should also modify both files and keep their contents consistent.
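
The override behavior described above can be checked with a small audit. This is an added example, not code from the original article or from APT: the function names periodic_value and audit_periodic are hypothetical, the sample files are constructed, and only the one-line APT::Periodic::Key "value"; form shown on this page is parsed.

```shell
#!/bin/sh
# Added example (not from the article): resolve APT::Periodic settings by
# file-name order, later files winning, as the text above describes.
# Assumption: only the one-line form  APT::Periodic::Key "value";  is parsed.

# periodic_value KEY FILE... -> prints the last value set for KEY, or nothing
periodic_value() {
    key=$1; shift
    value=""
    for f in "$@"; do
        if [ -f "$f" ]; then
            v=$(sed -n "s|^[[:space:]]*APT::Periodic::$key[[:space:]]*\"\([^\"]*\)\".*|\1|p" "$f" | tail -n 1)
            if [ -n "$v" ]; then value=$v; fi
        fi
    done
    printf '%s\n' "$value"
}

# audit_periodic DIR -> 0 if list refresh and unattended upgrades are both on
# and 10periodic / 20auto-upgrades agree; otherwise prints findings, returns 1
audit_periodic() {
    dir=$1
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        eff=$(periodic_value "$key" "$dir"/*)     # globs expand in sorted order
        a=$(periodic_value "$key" "$dir/10periodic")
        b=$(periodic_value "$key" "$dir/20auto-upgrades")
        if [ -z "$eff" ] || [ "$eff" = "0" ]; then  # unset counts as 0 (off)
            echo "FAIL $key: effective value '${eff:-unset}', task will not run"
            rc=1
        fi
        if [ -n "$a" ] && [ -n "$b" ] && [ "$a" != "$b" ]; then
            echo "WARN $key: 10periodic=\"$a\" but 20auto-upgrades=\"$b\" wins"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: 10periodic enables upgrades, 20auto-upgrades turns them off.
demo=$(mktemp -d)
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$demo/10periodic"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$demo/20auto-upgrades"
audit_periodic "$demo" || echo "audit failed"
rm -rf "$demo"
```

On a real host the call is audit_periodic /etc/apt/apt.conf.d; the result can be compared with what apt-config itself reports for the same keys.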

unattended-upgrades

Ubuntu actually uses the unattended-upgrades command to install updates automatically. On Ubuntu 16.04 / 18.04 this package is installed by default; if you find it is not installed, you can install it yourself with the following command:

$ sudo apt install unattended-upgrades

The configuration file for unattended-upgrades is /etc/apt/apt.conf.d/50unattended-upgrades.
Note that unattended-upgrades can install not only security updates but also updates for all installed packages. The default configuration installs security updates only; configuration items let us choose whether unattended-upgrades installs all updates or only security updates.

The unattended-upgrades command is designed to be run regularly through cron, but on Ubuntu 16.04 / 18.04 it is run by systemd service units triggered by timer units.
The log files of the unattended-upgrades command are stored in the /var/log/unattended-upgrades directory.

One common use of the unattended-upgrade command is to check whether the system has updates:

$ sudo unattended-upgrade --dry-run

Another use is to install the update:

$ sudo unattended-upgrade

When the apt.systemd.daily script runs the unattended-upgrade command, the update packages have already been downloaded to the cache directory (/var/cache/apt/archives), so it uses the cached packages directly.

Configuration file 50unattended-upgrades
The default 50unattended-upgrades configuration file installs security updates only:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

To install updates for all packages automatically, just uncomment the following line:
"${distro_id}:${distro_codename}-updates";

We can also use a blacklist to specify packages that should not be updated:

Unattended-Upgrade::Package-Blacklist {
      "vim";
      "libc6";
      "libc6-dev";
      "libc6-i686";
};

The following options remove packages that are no longer used after an update:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Some updates require a reboot, and the default configuration does not reboot the system. The following setting enables automatic reboots (after the update completes, the system reboots immediately if a reboot is required):

Unattended-Upgrade::Automatic-Reboot "true";

In most cases, though, we want to specify a time for the reboot (if a reboot is needed, the system reboots at the time given in the following setting):

Unattended-Upgrade::Automatic-Reboot-Time "02:38";

What should happen when an error occurs during a system update? Notify the administrator, of course! The following configuration sends mail to the administrator when an error occurs:

Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailOnlyOnError "true";

Note: to send mail to an external network, you need to install mailx or a similar tool.

Turn off Automatic Updates

If your host runs in a closed environment and cannot connect to a valid update source, you can choose to turn off the automatic update feature. The preferred method is to stop the related services:

$ sudo systemctl stop apt-daily.service
$ sudo systemctl stop apt-daily.timer
$ sudo systemctl stop apt-daily-upgrade.service
$ sudo systemctl stop apt-daily-upgrade.timer
$ sudo systemctl disable apt-daily.service
$ sudo systemctl disable apt-daily.timer
$ sudo systemctl disable apt-daily-upgrade.service
$ sudo systemctl disable apt-daily-upgrade.timer


Alternatively, modify the automatic update configuration files, changing both /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades at the same time. Change:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

to:

APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";

Troubleshooting

Because the apt.systemd.daily script calls both the apt-get and unattended-upgrade commands, the related logs are scattered across different places. The apt-get logs are in the /var/log/apt directory, and the unattended-upgrade logs are in the /var/log/unattended-upgrades directory.

Origin www.linuxidc.com/Linux/2019-08/160242.htm