Tuesday, September 25, 2007

Automatic updates in Debian Linux (etch)

UPDATE: I found a better way to do this

I have half a dozen Debian Linux boxes in various places that I administer. Some are file servers, some are meant to do rsync backups, and some have lost their purpose and I simply keep them around because they are on a fast Internet connection. These are not critical in any way, but they are often useful to have around as an entry point into a network or to host some simple service.

I've searched the Internet for a good way to keep these boxes up to date without having to administer them all the time. After all, I don't want to SSH to n boxes once a week (or more) just to run apt-get update && apt-get upgrade. And what if some critical hole is found in SSH and I can't patch the box in a reasonable time? Or, more likely, what if I just don't hear about the critical hole and the box gets exploited days later?

Most Debian administrators seem to think that using a tool like cron-apt is the best way to go about things. Cron-apt downloads all available updates and sticks them in apt's cache, but does not install them. This does make it quicker to manually update since the packages are already present on the system. If I administered these boxes for a living, I would be plenty happy with the way that cron-apt downloads the packages and sends you an email when new packages are ready to install. But since I want the minimal fuss, I chose a different way.

Ideally, Debian would have a tool that did something similar to Synaptic's GUI interface.

Synaptic Auto Update

This automatically installs security updates and leaves the rest to the user. I'm not quite sure what mechanisms it uses, but I've used this shell script to accomplish the same thing for over a year.

/bin/date >> /root/autoupdate
/usr/bin/apt-get update >> /root/autoupdate
/usr/bin/apt-get upgrade -y -t security >> /root/autoupdate
/usr/bin/apt-get autoclean

I drop this script into /etc/cron.daily/autoupdate and forget about it. It logs all actions it takes to /root/autoupdate, so I can look back and see what has automatically been installed. It also only installs security updates, although I usually leave off the "-t security" part and let it install everything. In my experience, the stable version of Debian (currently etch) has very few updates that break anything, especially if you haven't customized your configuration files heavily. I've been running this script in several places over the last year and each box will generally install everything except for kernel upgrades, since they usually require a reboot.

A lot of Debian administrators are nay-sayers to this type of approach. This is probably because they've seen many a non-stable distribution break horribly with something like this. If this were a production level box with many users depending on it, I'd also take the approach of manually installing updates. But when I actually want to do something else with my life than manually run apt-get on boxes I occasionally use, this is the perfect solution.

No comments:

Post a Comment