Third-party unattended upgrades in three steps
by Edward Z. Yang
unattended-upgrades is a nifty little package that will go ahead and automatically install updates for you as they become enabled. No serious system administrator should use this (you are testing updates before pushing them to the servers, right?) but for many personal uses automatic updates are really what you want; if you run sudo aptitude full-upgrade and don't read the changelog, you might as well turn on unattended upgrades. You can do this by adding the line APT::Periodic::Unattended-Upgrade "1" to /etc/apt/apt.conf.d/10periodic (thanks Ken!)
Of course, the default configuration they give you in /etc/apt/apt.conf.d/50unattended-upgrades only pulls updates from their security repository, and they only give you a commented out line for normal updates. People have asked, "well, how do I pull automatic updates from other repositories?" Maybe you have installed Chromium dailies; seeing the "you have updates" icon every day can be kind of tiresome.
Well, here's how you do it:
- Find out what URL the PPA you're interested in points to. You can dig this up by looking at /etc/apt/sources.list or /etc/apt/sources.list.d/ (the former is if you manually added a PPA at some point; the latter is likely if you used add-apt-repository).
- Navigate to that URL in your browser. Navigate to dists, and then navigate to the name of the distribution you're running (for me, it was karmic). Finally, click Release. (For those who want to just enter the whole URL, it's http://example.com/apt/dists/karmic/Release).
- You will see a number of fields Fieldname: Value. Find the field Origin and the field Suite. The two values are the ones to put in Allowed-Origins.
For example, the Ksplice repository has the following Release file:
Origin: Ksplice Label: Ksplice Suite: karmic Codename: karmic Version: 9.10 Date: Sun, 07 Feb 2010 20:51:12 +0000 Architectures: amd64 i386 Components: ksplice Description: Ksplice packages for Ubuntu 9.10 karmic
This translates into the following configuration:
Unattended-Upgrade::Allowed-Origins {
"Ksplice karmic";
};
And that's it! Go forth and make your systems more secure through more timely updates.
Bonus tip. You can turn on unattended kernel updates via Ksplice by editing /etc/uptrack/uptrack.conf and setting autoinstall = yes.
Did you enjoy this post? Please subscribe to my feed!
One should also verify that
APT::Periodic::Unattended-Upgrade “1″;
is in /etc/apt/apt.conf.d/10periodic
I think I had to add it manually for Debian Lenny.
Updated post to include this vital bit of information.
Great post! Question – you said:
This translates into the following configuration:
Unattended-Upgrade::Allowed-Origins {
“Ksplice karmic”;
};
Should “Unattended-Upgrade::Allowed-Origins {” be “APT::Periodic::Unattended-Upgrade::Allowed-Origins {“?
Maybe you assumed we’d know that, but I wasn’t sure.
It worked for me without the namespace qualifier.
Is it also possible to do apt-pinning for unattended upgrades? For instance if several updated packages appear in both the security repository and a third party one, but I only want a particular package to always be updated from the third party repository?
Thanks in advance
My understanding is that apt-pinning works regardless of how the update gets taken (whether it’s unattended or not). You should try and see how it goes.
Thanks for this post, it’s just what I was looking for… Well, almost.
I run Debian Squeeze on several computers and I use some packages from Debian Backports and Debian Multimedia repositories (I have my apt preferences setup so that only the packages already installed from these repos become upgradeable).
Naturally I want to add these repos to the list of Allowed origins. Following your tutorial I get to, for example the Debian multimedia release file: http://www.debian-multimedia.org/dists/squeeze/Release
But you can see that in the field ORIGINS there are the 3 words: Unofficial Multimedia Packages.
I’m hesitant to put these 3 words in my 50unattended-upgrades followed by the SUITE.
Is this going to work at all? what should I do?
There might be some quoting mumble going on, but I suspect the obvious thing probably will work. Try it and report back?
[...] this page how to enable other repositories. Filed under: uncategorized Leave a comment Comments (0) [...]
[...] Here are some instructions on adding third party repositories to the unattended-upgrades list. But rather than pointing your browser at the Release file at each repository (Google’s repository actually seems to disallow this, possibly through some user agent magic), you can look at your apt cache for the cached versions of these files. These are located inĀ /var/lib/apt/lists. The files you want are the ones ending in *_Release. [...]