Virtual Web Server: Part 3 - Automatic Updates in Debian


The Blog of Tom Webster

  2013-04-23 17:33:00 PDT

The next thing you should do is enable automatic security updates. No sense in having your server get hacked because you were too busy to update it. Luckily, in most systems, this is pretty easy.

First, install unattended-upgrades like this: apt-get install unattended-upgrades Then configure your settings with nano /etc/apt/apt.conf.d/50unattended-upgrades. Depending on the system, I usually only enable automatic security updates, but on development systems, its nice to have everything update as well. Debian Stable doesn't change all that much, but there's always the risk of breaking things. The configuration file below only has security updates enabled.

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id} stable";
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed-updates";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. The package 'mailx'
// must be installed or anything that provides /usr/bin/mail.
//Unattended-Upgrade::Mail "root@localhost";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if a
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";


// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Go ahead and run apt-get update and apt-get upgrade to bring your system completely up to date as of this moment. So far, we've just done some system maintainence tasks, nothing really fun, don't have much to show for our work, until next time. In the next article, I'll walk you through Apache configuration and we'll get to hosting real websites.

Other posts in this series:

  1. Getting a Server
  2. Getting a Domain Name
  3. Automatic Updates - You are here
  4. Apache2 Setup
  5. PHP and MySQL Setup
  6. ProFTPd Setup
  7. WordPress Setup
  8. RVM Setup
  9. Git Setup
  10. OctoPress Setup
  11. Rackspace Backups