APT Upgrade Handling Tweaks
APT is a great package manager, and there are several options to make upgrades more comfortable. Let me introduce you to some of them.
APT Configuration
APT can be configured through files in /etc/apt/apt.conf.d/.
In my case I enabled the periodic update schedule, which automatically updates the package list and downloads upgrades but does not install them, and removes no longer needed packages after 7 days.
cat << 'EOF' > /etc/apt/apt.conf.d/02periodic
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
EOF
This way I won’t have to wait for any downloads on my weekly upgrade schedule.
Automatic Security Upgrades
Security upgrades are important and should be installed as soon as possible.
At work I was confronted with systems that had hundreds of security upgrades available. Never touch a running system, I guess ¯\_(ツ)_/¯
For myself I decided to let security upgrades get installed automatically, so even if my systems are unmaintained they still get patched.
To do so, simply install unattended-upgrades:
apt install unattended-upgrades
cat << 'EOF' >> /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Mail "user@example.com";
EOF
With its default settings, unattended-upgrades will install security upgrades automatically.
Once the upgrade is finished, you will be notified by mail with the details.
I’ve been running unattended-upgrades for over 8 years now and never had a problem with its default settings.
Needrestart: Detect Outdated Library Use and Restart Services Automatically After an Upgrade
When a security upgrade is installed for a library like openssl, the ssh service is not restarted and thus keeps using the old version.
The package needrestart runs after any upgrade and searches for such cases. If it finds outdated libraries that are still in use, it restarts the affected service automatically.
When you run upgrades manually, you can choose which services you would like to restart.
apt install needrestart
# enable automatic service restart in non interactive mode for unattended-upgrades
cat << 'EOF' >> /etc/needrestart/needrestart.conf
$nrconf{restart} = 'a';
EOF
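How a stale library shows up, as an added example (not part of the original post and not needrestart's own code): after an upgrade replaces a library file, a process that loaded the old copy still maps it, and /proc/<pid>/maps marks that mapping "(deleted)". The function names and the sample maps text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads text in /proc/<pid>/maps format on stdin and prints
# each shared library whose mapped file no longer exists on disk.
stale_libs() {
    # Field 6 is the pathname. The kernel appends " (deleted)" when the
    # mapped inode was unlinked, which happens when dpkg replaces the file.
    # The .so filter skips deleted memfd/shm mappings that are not libraries.
    awk '$NF == "(deleted)" && $6 ~ /\.so(\.|$)/ { print $6 }' | sort -u
}

# Constructed sample: an sshd-like process after a libcrypto upgrade.
sample_maps() {
cat <<'EOF'
55d0c1a00000-55d0c1a0c000 r--p 00000000 08:01 393301 /usr/sbin/sshd
7f3a10000000-7f3a10080000 r-xp 00000000 08:01 401122 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a10080000-7f3a100a0000 r--p 00080000 08:01 401122 /usr/lib/x86_64-linux-gnu/libcrypto.so.3 (deleted)
7f3a10400000-7f3a10428000 r-xp 00000000 08:01 400017 /usr/lib/x86_64-linux-gnu/libc.so.6
7f3a10800000-7f3a10801000 rw-s 00000000 00:01 2051 /memfd:cache (deleted)
7ffd5c1e0000-7ffd5c201000 rw-p 00000000 00:00 0 [stack]
EOF
}

# Walk all processes on the live system (run as root to see every process).
scan_all() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        libs=$(stale_libs 2>/dev/null < "$maps")
        [ -n "$libs" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf 'pid %s (%s) still maps:\n%s\n' \
            "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$libs"
    done
}

# Demo on the constructed sample; pass --scan to inspect the running system.
if [ "${1:-}" = "--scan" ]; then
    scan_all
else
    sample_maps | stale_libs
fi
```

Any process listed by `scan_all` is still running pre-upgrade library code until its service is restarted.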
Available Upgrade Notification
Security upgrades get installed automatically, but normal upgrades won’t.
You could configure unattended-upgrades to also install those, but that could easily break things.
I want to get notified whenever upgrades are available so I can take action myself, and that’s where apticron comes in handy.
In combination with apt-listchanges you also get a changelog.
apt install apticron apt-listchanges
cat << 'EOF' >> /etc/apticron/apticron.conf
EMAIL="user@example.com"
EOF
Manual Package Installation
In some cases you may need to install deb packages manually, for example if you want to install an older version of an application which isn’t in the repositories.
You can browse the content of https://packages.debian.org/search or the archives and download the right version using wget.
Once the deb package is downloaded, you can simply install it using apt instead of dpkg.
Just keep in mind that you have to prepend ./ to the deb package or write the full path, otherwise apt looks for a package in the repositories.
apt install ./example.deb