4

What's the best way to automatically apply security updates? Or any updates for that matter?

Jorge Castro
  • 71,754
reconbot
  • 143
  • 1
    There is a package called unattended-upgrades which by default applies security updates automatically. I think it can also do any kind of updates with the right configuration (as long as the package does not need the user to configure anything upon an upgrade). – Graham Edgecombe Oct 18 '10 at 19:08

2 Answers

2

This answer to the desktop upgrade question will apply to servers.

Jorge Castro
  • 71,754
0

Note that some updates (on a server, it tends to be most updates, from personal experience) require restarting one or more services, or even rebooting the entire server, to take effect. Restarting services, much less rebooting, isn't really a task I feel comfortable automating.

I use cron-apt on my server to automate downloading, but not installing, updates. It does it once a day rather than running as a daemon. It emails me when there are updates waiting to install.

When I receive such an email, I log in when it is convenient and install the updates, then restart whatever services need restarting.

It's not usually obvious which services need to be restarted. For example, an update to libssl usually requires restarting just about every web, mail, SSH, etc. service there is. Or an update to libpng might require restarting Apache because PHP links to it.

So I use checkrestart to check which services should be restarted after each update. This is provided by the debian-goodies package.

I also know that if the kernel is updated, I always need to reboot.

thomasrutter
  • 36,774
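
The idea behind the checkrestart step in the answer above, as an added example (not code from the answer or from debian-goodies): after an upgrade replaces a library on disk, running processes keep the old copy mapped, and `/proc/<pid>/maps` marks that file as `(deleted)`. The sample maps text is constructed, and the ignore list and function names are assumptions of this sketch.

```python
"""List processes still executing code from files replaced by an upgrade."""
import os

# Assumption: mappings that are routinely "deleted" without being stale libraries.
IGNORED_PREFIXES = ("/memfd:", "/SYSV", "/dev/", "/tmp/", "/run/", "/[aio]")
DELETED = " (deleted)"
# Constructed sample of /proc/<pid>/maps after a libssl upgrade (not real output).
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c0a0000 r-xp 00000000 08:01 131 /usr/lib/libssl.so.1.1 (deleted)
7f1a2c200000-7f1a2c210000 r--p 00000000 08:01 131 /usr/lib/libssl.so.1.1 (deleted)
7f1a2d000000-7f1a2d1c0000 r-xp 00000000 08:01 140 /usr/lib/libc.so.6
7f1a2e000000-7f1a2e001000 rwxs 00000000 00:05 9 /SYSV00000000 (deleted)
"""

def stale_files(maps_text):
    """Return executable-mapped files in maps text whose on-disk copy is gone."""
    stale = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname (pathname may hold spaces)
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].endswith(DELETED):
            continue
        perms, path = fields[1], fields[5][: -len(DELETED)]
        if "x" in perms and not path.startswith(IGNORED_PREFIXES):
            stale.add(path)
    return stale

def scan(proc_root="/proc"):
    """Map pid -> (command name, stale files) for every readable process."""
    found = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps")) as fh:
                stale = stale_files(fh.read())
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
        except OSError:  # process exited meanwhile, or we lack permission
            continue
        if stale:
            found[int(entry)] = (comm, stale)
    return found

if __name__ == "__main__":
    for pid, (comm, stale) in sorted(scan().items()):
        print(f"{pid}\t{comm}\t{', '.join(sorted(stale))}")
```

Run it as root after installing updates; without root, other users' processes are skipped because their `maps` files are unreadable.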