On a desktop version of Ubuntu it’s easy to download and install package updates and security patches using the Update Manager tool, which by default displays an alert at the top right of your desktop every time there are some new updates to install. But when it comes to installing these updates on an Ubuntu server, you have to run the underlying apt-get commands yourself. Here they are:
First, update your package database to get info about any available updates:
apt-get update
Then, install all the available updates by running:
apt-get upgrade
That’s all there is to it!
Automating the process
You may wish to set up your server to periodically install software updates automatically. You could achieve this by simply creating a cron job to periodically run the above commands, giving each command the -y switch to assume a ‘Yes’ response to all prompts. But Apt and Ubuntu have provided a more official method, which overcomes some of the security issues around updating automatically. I recommend the method which apt has provided, outlined below:
First you need to install a special package:
apt-get install unattended-upgrades
Then add configuration to apt to start the daily updates:
cd /etc/apt/apt.conf.d
echo 'APT::Periodic::Update-Package-Lists "1";' > 90myconfig
echo 'APT::Periodic::Download-Upgradeable-Packages "1";' >> 90myconfig
echo 'APT::Periodic::Unattended-Upgrade "1";' >> 90myconfig
Now, your server will be automatically updated once a day. The “1” in the above config lines means “every day”. You could easily change it to “2” for “every 2 days” or “7” for “once a week”, etc.
Why use this method for automatic updates?
Because this method will only update your server from the trusted Ubuntu hardy-security repository. Automatic updating means having changes applied to your server without your knowledge or without you having the opportunity to screen the updates and choose precisely which ones to install. This should scare most server administrators! But it is less scary so long as we limit automatic updates to those provided by Ubuntu, who, presumably, most administrators of Ubuntu servers trust.
The second benefit of only updating from the hardy-security repository is that your server will only receive security patches, not major updates to software packages like your web server or mail server. Imagine if you found one day that an automatic software update to the apache or php package had broken a feature of your website. You wouldn’t know how long it had been since the feature broke, and you would be forced to fix it straight away. As long as you limit automatic updates to security patches only, you will not find yourself in this position.
It does mean, of course, that you will have to update your server manually from time to time to install the updates to software packages and from less trusted sources. This shouldn’t be too much of a problem for most administrators. After all, manually updating gives you the chance to screen the updates and possibly install them on a test server first to avoid messing up the services you provide with your server.
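The security-only restriction described above is a configuration setting, so it can be audited rather than assumed. The shell functions below are an added example, not part of the original article: they assume the allowed origins are listed in an Unattended-Upgrade::Allowed-Origins block in /etc/apt/apt.conf.d/50unattended-upgrades (a path and layout not given in the article), and the configs produced by write_sample are constructed.

```sh
#!/bin/sh
# Added example: audit which origins unattended-upgrades may install from.
# Assumption: the policy is an Unattended-Upgrade::Allowed-Origins { "..."; };
# block with one origin per line (file path and layout are not from the article).

# Print each active (not //-commented) origin of the Allowed-Origins block in file $1.
allowed_origins() {
    awk '
        /^[ \t]*\/\// { next }
        /Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
        inblk && /}/ { inblk = 0 }
        inblk && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1"
}

# Return 0 if every active origin is a "-security" pocket, 1 if any other origin
# is enabled, 2 if no origin is active (automatic upgrades would install nothing).
only_security_origins() {
    origins=$(allowed_origins "$1")
    if [ -z "$origins" ]; then
        echo "WARN: no active origins in $1" >&2
        return 2
    fi
    # grep exits 1 when nothing is left over; "|| true" keeps that from being an error.
    bad=$(printf '%s\n' "$origins" | grep -v -- '-security$' || true)
    if [ -n "$bad" ]; then
        printf 'FAIL: non-security origin enabled: %s\n' "$bad" >&2
        return 1
    fi
    echo "OK: only security origins enabled"
}

# Write a constructed sample config (not copied from a real server).
write_sample() {   # $1 = output file, $2 = "strict" or "loose"
    {
        echo '// constructed sample'
        echo 'Unattended-Upgrade::Allowed-Origins {'
        echo '        "Ubuntu hardy-security";'
        if [ "$2" = loose ]; then
            echo '        "Ubuntu hardy-updates";'
        else
            echo '//      "Ubuntu hardy-updates";'
        fi
        echo '};'
    } > "$1"
}

# On a real server: only_security_origins /etc/apt/apt.conf.d/50unattended-upgrades
```

A non-zero exit status makes the check easy to run from monitoring or a cron job after any change to the apt configuration.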