注册
客户区
我们关心环境

Enable automatic updates in Linux

It is almost impossible to log in to your server to check and update it every day. However, failing to keep servers up to date can be a potential threat.

There is a better solution to this, automatic updates. Here is how to enable automatic updates in Linux:

Ubuntu/ Debian based servers

Install unattended-upgrades
apt install unattended-upgrades

Edit the unattended upgrade configuration
vi /etc/apt/apt.conf.d/50unattended-upgrades

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
//"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

In this case we will enable the security updates only to avoid potentially messing up the running programs.
To enable security updates, remove the comment on this line "${distro_id}:${distro_codename}-security";

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {

//"${distro_id}:${distro_codename}";

"${distro_id}:${distro_codename}-security";

// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

After this, we will have to enable automatic upgrade. Use this command to enable automatic upgrade.
echo 'APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "3";
APT::Periodic::Unattended-Upgrade "1";' > /etc/apt/apt.conf.d/20auto-upgrades


CentOS/ Fedora based servers

Install dnf-automatic
dnf install dnf-automatic

We will have to make changes to the configuration files before enabling automatic update. Go to the configuration file by using this command
vi /etc/dnf/automatic.conf

[commands]
# What kind of upgrade to perform:
# default = all available upgrades
# security = only the security upgrades
upgrade_type = default
random_sleep = 0

# Maximum time in seconds to wait until the system is on-line and able to
# connect to remote repositories.
network_online_timeout = 60

# To just receive updates use dnf-automatic-notifyonly.timer

# Whether updates should be downloaded when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
download_updates = yes

# Whether updates should be applied when they are available, by
# dnf-automatic.timer. notifyonly.timer, download.timer and
# install.timer override this setting.
apply_updates = no


In this case we will enable the security updates only to avoid potentially messing up the running programs.
  • Enabled security updates
  • Set apply updates to yes to automatic applying the update once downloaded


  • [commands]
    # What kind of upgrade to perform:
    # default = all available upgrades

    security = only the security upgrades


    upgrade_type = default
    random_sleep = 0

    # Maximum time in seconds to wait until the system is on-line and able to
    # connect to remote repositories.
    network_online_timeout = 60

    # To just receive updates use dnf-automatic-notifyonly.timer

    # Whether updates should be downloaded when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.
    download_updates = yes

    # Whether updates should be applied when they are available, by
    # dnf-automatic.timer. notifyonly.timer, download.timer and
    # install.timer override this setting.

    apply_updates = yes




    Once this is done, start dnf-automatic.timer service
    systemctl start dnf-automatic.timer

    Enable dnf-automatic.timer service to automatic start on reboot
    systemctl enable dnf-automatic.timer

    [root@evoxt ~]# systemctl enable dnf-automatic.timer
    Created symlink /etc/systemd/system/timers.target.wants/dnf-automatic.timer → /usr/lib/systemd/system/dnf-automatic.timer.
    [root@evoxt ~]#


    By following this guide, automatic security update is now enabled on your Linux system.

    Your server will now automatically install the latest security updates, protecting your server.

    Deploy a server with Evoxt now!
    Deploy