It is always best practice to install the latest updates on your Ubuntu instance, whether it runs in the cloud or on-premises.
With APT and the unattended-upgrades package, you can configure the system to install security updates automatically.
1. Double-check that the unattended-upgrades package is installed and that its service is enabled at boot.
ubuntu@ubuntu:~$ apt search unattended-upgrades
Sorting... Done
Full Text Search... Done
apt-config-auto-update/jammy,jammy 2.1+nmu1 all
APT configuration for automatic cache updates
unattended-upgrades/jammy,jammy,now 2.8ubuntu1 all [installed,automatic]
automatic installation of security upgrades
ubuntu@ubuntu:~$ systemctl status unattended-upgrades
● unattended-upgrades.service - Unattended Upgrades Shutdown
Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2023-01-29 17:10:24 +08; 5h 50min ago
Docs: man:unattended-upgrade(8)
Main PID: 1025 (unattended-upgr)
Tasks: 2 (limit: 18956)
Memory: 13.0M
CPU: 90ms
CGroup: /system.slice/unattended-upgrades.service
└─1025 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
Jan 29 17:10:24 amd-ryzen-pc systemd[1]: Started Unattended Upgrades Shutdown.
2. Edit /etc/apt/apt.conf.d/50unattended-upgrades to allow an automatic reboot (if needed).
Unattended-Upgrade::Automatic-Reboot "true";
3. To enable email notifications from unattended-upgrades, set the Mail and MailReport options.
Unattended-Upgrade::Mail "username@domain.com";
Unattended-Upgrade::MailReport "on-change";
4. Check the two additional configuration files below for further customization of the unattended-upgrades service.
/etc/apt/apt.conf.d/10periodic
/etc/apt/apt.conf.d/20auto-upgrades
5. Install the Postfix mail server, using Gmail's SMTP relay, so that the unattended-upgrades service can send email. msmtp works too and can be considered as an alternative.
sudo apt-get install postfix
6. Configure /etc/postfix/main.cf with the settings below.
# Relay host
relayhost = [smtp.gmail.com]:587
# Enable SASL authentication
smtp_sasl_auth_enable = yes
# Disallow methods that allow anonymous authentication
smtp_sasl_security_options = noanonymous
# Location of sasl_passwd
smtp_sasl_password_maps = hash:/etc/postfix/sasl/sasl_passwd
# Enable STARTTLS encryption
smtp_tls_security_level = encrypt
# Location of CA certificates
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
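7. Create /etc/postfix/sasl/sasl_passwd with your Google app password credential: a single line holding the relay host exactly as written in relayhost, followed by the Gmail address and app password joined by a colon. Then restrict the file.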
sudo chown root:root /etc/postfix/sasl/sasl_passwd*
sudo chmod 0600 /etc/postfix/sasl/sasl_passwd*
8. Create the Postfix hash database file using the postmap utility.
sudo postmap /etc/postfix/sasl/sasl_passwd
9. Secure the password map and database file.
sudo chown root:root /etc/postfix/sasl/sasl_passwd*
sudo chmod 0600 /etc/postfix/sasl/sasl_passwd*
10. Restart both the unattended-upgrades and postfix services.
sudo systemctl restart unattended-upgrades
sudo systemctl restart postfix
11. Run the commands below to start unattended-upgrade manually.
# dry-run test with verbose and debug mode
sudo unattended-upgrade -v -d --dry-run
# run with verbose and debug mode
sudo unattended-upgrade -v -d
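An added example, not part of the original post: a shell check for the relay setup from steps 6 to 9. It verifies that sasl_passwd has an entry whose key matches relayhost exactly, that TLS is mandatory, and that the password map and its database are not accessible to group or others. The function names, the temporary sample files and the placeholder password are constructed for illustration.

```shell
# Added example: audit the Postfix relay settings from steps 6-9.
# Function names and the sample data in demo_relay_audit are constructed.

# Print a main.cf parameter's value (the last assignment wins).
postconf_value() {  # $1 = main.cf path, $2 = parameter name
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Return 0 if the relay credentials are usable and not exposed.
audit_relay() {  # $1 = main.cf path, $2 = sasl_passwd path
    rc=0
    relay=$(postconf_value "$1" relayhost)
    # The sasl_passwd key must equal relayhost, brackets and port included.
    if [ -z "$relay" ] || ! awk -v k="$relay" \
        '$1 == k { ok = 1 } END { exit !ok }' "$2"; then
        echo "FAIL: no sasl_passwd entry for relayhost '$relay'"; rc=1
    fi
    # Without mandatory TLS the password could be sent in cleartext.
    case $(postconf_value "$1" smtp_tls_security_level) in
        encrypt|verify|secure|dane-only|fingerprint) ;;
        *) echo "FAIL: smtp_tls_security_level does not force TLS"; rc=1 ;;
    esac
    # Both the text map and the postmap database contain the password.
    for f in "$2" "$2.db"; do
        if [ ! -f "$f" ]; then
            echo "FAIL: $f is missing"; rc=1
        elif [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
            echo "FAIL: $f is accessible to group or others"; rc=1
        fi
    done
    return $rc
}

# Constructed sample mirroring steps 6-9; the password is a placeholder.
demo_relay_audit() {
    d=$(mktemp -d) || return 2
    printf '%s\n' 'relayhost = [smtp.gmail.com]:587' \
        'smtp_tls_security_level = encrypt' > "$d/main.cf"
    printf '%s\n' '[smtp.gmail.com]:587 username@gmail.com:APP-PASSWORD-PLACEHOLDER' \
        > "$d/sasl_passwd"
    : > "$d/sasl_passwd.db"   # stands in for the postmap output
    chmod 0600 "$d/sasl_passwd" "$d/sasl_passwd.db"
    audit_relay "$d/main.cf" "$d/sasl_passwd"; r=$?
    rm -rf "$d"
    return $r
}

# On a real host, as root: audit_relay /etc/postfix/main.cf /etc/postfix/sasl/sasl_passwd
```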