How can I install just security updates from the command line?
sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?
command-line package-management updates security
2
I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.
– mac9416
Jul 28 '10 at 22:59
1
Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!
– mac9416
Jul 28 '10 at 23:02
7
You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.
– Kees Cook
Sep 21 '10 at 18:37
3
dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.
– chronitis
Nov 16 '12 at 14:25
3
Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server
– Karthik T
Oct 29 '13 at 1:30
edited Feb 14 '16 at 19:30 by muru
asked Jul 28 '10 at 22:50 by mac9416
8 Answers
The package unattended-upgrades provides functionality to install security updates automatically.
You could use this, but instead of configuring the automatic part you could call it manually:
sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d
If you want to run it quietly instead:
sudo unattended-upgrade
NOTE: When you call unattended-upgrade you leave the "s" off the end.
This assumes that the package is installed by default, which it probably is. If not, just do:
sudo apt-get install unattended-upgrades
See also /usr/share/doc/unattended-upgrades/README.md.
For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so
– Jaime Hablutzel
Oct 23 '14 at 3:33
side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.
– Raptor
Apr 22 '15 at 2:41
12
Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.
– ADTC
Mar 20 '16 at 9:00
i learned a few things about unattended-upgrades today. thanks!
– the0ther
May 17 '16 at 18:19
"for monitoring how it goes", it is just debug non-interactive messages right?
– Aquarius Power
May 14 '17 at 21:12
A Few Tips On How To Manage Updates
This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.
Show security updates only :
apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
or
sudo unattended-upgrade --dry-run -d
or
/usr/lib/update-notifier/apt-check -p
Show all upgradeable packages
apt-get -s dist-upgrade | grep "^Inst"
Install security updates only
apt-get -s dist-upgrade | grep "^Inst" |
grep -i securi | awk -F " " {'print $2'} |
xargs apt-get install
Notes:
Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.
If that's the case, you can do the following to show security updates only:
sudo sh -c 'grep ^deb /etc/apt/sources.list |
grep security > /etc/apt/sources.security.only.list'
and
apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null |
grep "^Inst" | awk -F " " {'print $2'}
Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.
checkrestart -v
However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.
Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233
It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.
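# List processes that still map shared libraries deleted from disk
ps xh -o pid |
while read PROCID; do
    # A mapping ending in "(deleted)" means the old library is still loaded
    grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
    if [ $? -eq 0 ]; then
        # cmdline is NUL-separated; turn the NULs into spaces
        CMDLINE=$(sed -e 's/\x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "\tPID $PROCID $CMDLINE\n"
    fi
done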
1
I notice only now this post. It is extremely precise. Thanks a lot (+1)
– Danduk82
May 13 '16 at 7:59
where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?
– Ben XO
Aug 19 '16 at 11:29
It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart
– ILIV
Aug 20 '16 at 3:51
I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?
– Nathan Hornby
Sep 30 '16 at 9:53
Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?
– ILIV
Oct 1 '16 at 5:00
Replace /etc/apt/preferences with the following:

Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50

Now a simple apt-get upgrade will upgrade all security updates only.
Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.
You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.
If you wish to use this for scripts only and not make it default for the system, you can place the rules into some other location and use this instead:
apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade
This will make apt look for the preferences file from a non-default location.
The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.
Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.
– mac9416
Jul 29 '10 at 13:14
1
You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.
– Ressu
Jul 29 '10 at 16:24
1
I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!
– Shade
Aug 22 '14 at 8:33
The following is confirmed in Ubuntu 14.04 LTS.
Use the unattended-upgrade package.
Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Note how it has been configured to only allow unattended upgrades for security packages, by default.
Modify the file /etc/apt/apt.conf.d/10periodic similar to:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
This will run automatic unattended security upgrades, once per day.
Now, to run manually: sudo unattended-upgrade.
To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.
Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html
Is there a way to make this a monthly schedule?
– mike.b93
Feb 1 '17 at 14:30
1
@mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; would do this--every 30 days.
– vcardillo
May 23 '17 at 22:13
Although it's pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.
– mac9416
Jul 29 '10 at 0:07
OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get update, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!
– mac9416
Jul 29 '10 at 0:39
apt-get update: just read the entries in repository - according to existing list. Needed to check what is new.
apt-get upgrade: all updates for installed packages without kernel modules. No release update.
apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.
apt-get with parameter -s: test only, no changes performed.
I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:
Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?
No reply as to whether that worked however.
2
It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.
– mac9416
Jul 28 '10 at 23:38
On Debians I use this command to do only security updates:
apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )
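Added example, not part of any answer on this page: the grep -i securi pipeline and the awk one-liner above both pick security updates by pattern-matching the output of a simulated apt-get run. The sketch below parses the origin list inside the parentheses of each Inst line instead, so a package whose name merely contains "security" is not selected and a security origin listed second is still found. The function names are hypothetical, the Inst line layout is assumed from apt-get simulation output, and the sample lines (package names, versions) are constructed.

```shell
#!/usr/bin/env bash
# Classify the "Inst" lines of `apt-get -s dist-upgrade` by package origin.
# Assumed line shape (apt-get simulation output):
#   Inst <pkg> [<installed-ver>] (<candidate-ver> <Origin:release/archive>[, ...] [<arch>])
# The [<installed-ver>] part is absent when the package is newly installed.

# Constructed sample of simulated output (not captured from a real system).
sample_simulation() {
    cat <<'EOF'
Inst libssl1.0.0 [1.0.1f-1ubuntu2.21] (1.0.1f-1ubuntu2.22 Ubuntu:14.04/trusty-updates, Ubuntu:14.04/trusty-security [amd64])
Inst leafpad [0.8.18.1-3] (0.8.18.1-4 Ubuntu:14.04/trusty-updates [amd64])
Inst security-misc-tools [1.0-1] (1.0-2 Ubuntu:14.04/trusty-updates [all])
Inst linux-image-3.13.0-40-generic (3.13.0-40.69 Ubuntu:14.04/trusty-security [amd64])
Inst openssl [1.0.1e-2+deb7u12] (1.0.1e-2+deb7u13 Debian-Security:7.0/oldstable [amd64])
Conf libssl1.0.0 (1.0.1f-1ubuntu2.22 Ubuntu:14.04/trusty-security [amd64])
EOF
}

# The text filter from the page, kept for comparison: it matches "securi"
# anywhere on the line, including inside the package name.
naive_security_packages() {
    grep "^Inst" | grep -i securi | awk '{print $2}' | LC_ALL=C sort -u
}

# Origin-aware filter: reads simulated apt-get output on stdin and prints the
# packages whose candidate version is offered by a security archive.
security_packages() {
    awk '
        $1 != "Inst" { next }
        {
            pkg = $2
            # Keep only the text inside the parentheses.
            open = index($0, "(")
            if (open == 0) next
            inner = substr($0, open + 1)
            sub(/\)[^)]*$/, "", inner)
            # Drop the trailing [arch] and the leading candidate version.
            sub(/ *\[[a-z0-9-]+\]$/, "", inner)
            sub(/^[^ ]+ +/, "", inner)
            # What remains is a comma-separated list of origins.
            n = split(inner, origins, /, */)
            for (i = 1; i <= n; i++) {
                o = tolower(origins[i])
                # Ubuntu: archive name ends in -security.
                # Debian: origin label is Debian-Security.
                if (o ~ /-security$/ || o ~ /^debian-security:/) {
                    print pkg
                    next
                }
            }
        }
    ' | LC_ALL=C sort -u
}

# Demo on the constructed sample. On a real system, pipe the simulation in:
#   apt-get -s dist-upgrade | security_packages
sample_simulation | security_packages
```

Review the printed list before passing it to apt-get install --only-upgrade, since installing a subset of packages can still pull in dependencies from other archives.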
edited Jan 28 at 3:23 by Community♦
answered Jul 29 '10 at 17:28 by blueyed (the unattended-upgrades answer)
For disabling the automatic execution ofunattended-upgrade
you are probably needing to modify/etc/cron.daily/apt
, but not sure it is "correct" to do so
– Jaime Hablutzel
Oct 23 '14 at 3:33
side note: for Ubuntu 12.04.5 LTS server,unattended-upgrades
is not installed by default.
– Raptor
Apr 22 '15 at 2:41
12
Since you're doing this from the command line, use-v
for info messages or-d
for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in/var/log/unattended-upgrades
. You can also use--dry-run
to simulate but not actually upgrade anything. For more info and other options, use--help
to get the help message.
– ADTC
Mar 20 '16 at 9:00
i learned a few things aboutunattended-upgrades
today. thanks!
– the0ther
May 17 '16 at 18:19
"for monitoring how it goes", it is just debug non-interactive messages right?
– Aquarius Power
May 14 '17 at 21:12
add a comment |
For disabling the automatic execution ofunattended-upgrade
you are probably needing to modify/etc/cron.daily/apt
, but not sure it is "correct" to do so
– Jaime Hablutzel
Oct 23 '14 at 3:33
side note: for Ubuntu 12.04.5 LTS server,unattended-upgrades
is not installed by default.
– Raptor
Apr 22 '15 at 2:41
12
Since you're doing this from the command line, use-v
for info messages or-d
for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in/var/log/unattended-upgrades
. You can also use--dry-run
to simulate but not actually upgrade anything. For more info and other options, use--help
to get the help message.
– ADTC
Mar 20 '16 at 9:00
i learned a few things aboutunattended-upgrades
today. thanks!
– the0ther
May 17 '16 at 18:19
"for monitoring how it goes", it is just debug non-interactive messages right?
– Aquarius Power
May 14 '17 at 21:12
For disabling the automatic execution of
unattended-upgrade
you are probably needing to modify /etc/cron.daily/apt
, but not sure it is "correct" to do so– Jaime Hablutzel
Oct 23 '14 at 3:33
For disabling the automatic execution of
unattended-upgrade
you are probably needing to modify /etc/cron.daily/apt
, but not sure it is "correct" to do so– Jaime Hablutzel
Oct 23 '14 at 3:33
side note: for Ubuntu 12.04.5 LTS server,
unattended-upgrades
is not installed by default.– Raptor
Apr 22 '15 at 2:41
side note: for Ubuntu 12.04.5 LTS server,
unattended-upgrades
is not installed by default.– Raptor
Apr 22 '15 at 2:41
12
12
Since you're doing this from the command line, use
-v
for info messages or -d
for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades
. You can also use --dry-run
to simulate but not actually upgrade anything. For more info and other options, use --help
to get the help message.– ADTC
Mar 20 '16 at 9:00
Since you're doing this from the command line, use
-v
for info messages or -d
for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades
. You can also use --dry-run
to simulate but not actually upgrade anything. For more info and other options, use --help
to get the help message.– ADTC
Mar 20 '16 at 9:00
i learned a few things about
unattended-upgrades
today. thanks!– the0ther
May 17 '16 at 18:19
i learned a few things about
unattended-upgrades
today. thanks!– the0ther
May 17 '16 at 18:19
"for monitoring how it goes", it is just debug non-interactive messages right?
– Aquarius Power
May 14 '17 at 21:12
"for monitoring how it goes", it is just debug non-interactive messages right?
– Aquarius Power
May 14 '17 at 21:12
add a comment |
A Few Tips On How To Manage Updates
This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.
Show security updates only :
apt-get -s dist-upgrade |grep "^Inst" |grep -i securi
or
sudo unattended-upgrade --dry-run -d
or
/usr/lib/update-notifier/apt-check -p
Show all upgradeable packages
apt-get -s dist-upgrade | grep "^Inst"
Install security updates only
apt-get -s dist-upgrade | grep "^Inst" |
grep -i securi | awk -F " " {'print $2'} |
xargs apt-get install
Notes:
Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.
If that's the case, you can do the following to show security updates only:
sudo sh -c 'grep ^deb /etc/apt/sources.list |
grep security > /etc/apt/sources.security.only.list'
and
apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null |
grep "^Inst" | awk -F " " {'print $2'}
Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.
checkrestart -v
However, keep in mind that
checkrestart
may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.
Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233
It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.
ps xh -o pid |
while read PROCID; do
grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
if [ $? -eq 0 ]; then
CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
echo -e "tPID $PROCID $CMDLINEn"
fi
done
1
I notice only now this post. It is extremely precise. Thanks a lot (+1)
– Danduk82
May 13 '16 at 7:59
where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?
– Ben XO
Aug 19 '16 at 11:29
It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart
– ILIV
Aug 20 '16 at 3:51
I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?
– Nathan Hornby
Sep 30 '16 at 9:53
Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?
– ILIV
Oct 1 '16 at 5:00
edited Jan 6 '16 at 9:05
lemonsqueeze
answered Nov 16 '12 at 11:35
ILIV
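The `grep "^Inst" | grep -i securi` filter in the answer above matches the whole line, so a package whose name merely contains "securi" is selected as well. This added example (not part of the original answer) tests only the origin field of each `Inst` line; the sample output, including the package name `libsecurity-utils`, is constructed.

```shell
#!/bin/sh
# Added example: pick security upgrades out of `apt-get -s dist-upgrade` output
# by looking at the origin field only, never at the package name.

# Constructed sample of simulated output (not captured from a real host).
# libsecurity-utils is a made-up package that comes from -updates.
sample_simulation() {
cat <<'EOF'
Reading package lists...
Building dependency tree...
The following packages will be upgraded:
  libsecurity-utils libssl1.0.0 openssl tzdata
Inst libssl1.0.0 [1.0.1f-1ubuntu2.19] (1.0.1f-1ubuntu2.21 Ubuntu:14.04/trusty-security [amd64])
Inst openssl [1.0.1f-1ubuntu2.19] (1.0.1f-1ubuntu2.21 Ubuntu:14.04/trusty-security, Ubuntu:14.04/trusty-updates [amd64])
Inst tzdata [2016f-0ubuntu0.14.04] (2016j-0ubuntu0.14.04 Ubuntu:14.04/trusty-updates [all])
Inst libsecurity-utils [1.0-1] (1.0-2 Ubuntu:14.04/trusty-updates [amd64])
Inst linux-image-3.13.0-100-generic (3.13.0-100.147 Ubuntu:14.04/trusty-security [amd64])
Conf libssl1.0.0 (1.0.1f-1ubuntu2.21 Ubuntu:14.04/trusty-security [amd64])
EOF
}

# Read simulation output on stdin; print the name of every package whose
# candidate version is offered by at least one security origin.
security_packages() {
    awk '
    $1 == "Inst" {
        # The candidate version and its origins are inside the parentheses:
        #   (VERSION ORIGIN[, ORIGIN...] [ARCH])
        lp = index($0, "(")
        if (lp == 0) next
        cand = substr($0, lp + 1)
        sub(/\).*$/, "", cand)          # drop the closing paren and the rest
        sub(/^[^ ]+ /, "", cand)        # drop the version
        sub(/ *\[[^]]*\]$/, "", cand)   # drop the trailing [arch]
        n = split(cand, origins, /, */)
        for (i = 1; i <= n; i++) {
            # Case-insensitive, like the original grep, but scoped to the origin.
            if (tolower(origins[i]) ~ /security/) { print $2; break }
        }
    }'
}

# Demo on the constructed sample. On a real host, pipe live output instead:
#   apt-get -s dist-upgrade | security_packages
sample_simulation | security_packages
```

On the constructed sample the whole-line grep selects four `Inst` lines, while the origin-scoped filter returns the three packages that actually come from `trusty-security`.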
Replace /etc/apt/preferences with the following:
Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50
Now a simple apt-get upgrade will upgrade all security updates only.
Why (and how) this works: The preferences file will pin all packages from the Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from the security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning is in the apt_preferences manpage.
You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least), which will allow you to pin certain releases so that they are eligible for upgrade.
If you wish to use this for scripts only and not make it the default for the system, you can place the rules into some other location and use this instead:
apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade
This will make apt look for the preferences file from a non-default location.
The preferences file given as an example doesn't apply to third party repositories; if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.
Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.
– mac9416
Jul 29 '10 at 13:14
1
You can see what is going on with the apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.
– Ressu
Jul 29 '10 at 16:24
1
I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!
– Shade
Aug 22 '14 at 8:33
edited Dec 18 '15 at 9:29
A.B.
answered Jul 29 '10 at 4:12
Ressu
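To see what the 50/500 pins in the answer above do to one package, read the priorities that `apt-cache policy` reports for each version. This added example (not part of the original answer) parses such output; the package name `examplepkg`, its versions and the sample output are constructed.

```shell
#!/bin/sh
# Added example: summarise `apt-cache policy <package>` output per version, to
# check which versions the 50/500 pins hold back and which can still be chosen.

# Constructed sample for a hypothetical package on lucid with the pins in place.
sample_policy() {
cat <<'EOF'
examplepkg:
  Installed: 1.0-1
  Candidate: 1.0-1ubuntu0.1
  Version table:
     1.0-2 0
         50 http://archive.ubuntu.com/ubuntu/ lucid-updates/main Packages
     1.0-1ubuntu0.1 0
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
 *** 1.0-1 0
         50 http://archive.ubuntu.com/ubuntu/ lucid/main Packages
        100 /var/lib/dpkg/status
EOF
}

# Read policy output on stdin; print "VERSION HIGHEST_PRIORITY" per version.
version_priorities() {
    awk '
    function emit() { if (ver != "") print ver, max }
    /Version table:/ { intable = 1; next }
    !intable         { next }
    # The installed version is marked with "***".
    $1 == "***"      { emit(); ver = $2; max = ""; next }
    # Source line: integer priority followed by a URL or a path.
    $1 ~ /^-?[0-9]+$/ && $2 !~ /^-?[0-9]+$/ {
        if (max == "" || $1 + 0 > max) max = $1 + 0
        next
    }
    # Anything else inside the table starts a new version stanza.
    NF >= 1          { emit(); ver = $1; max = "" }
    END              { emit() }'
}

# Versions whose best source ranks below the installed copy (priority 100 via
# /var/lib/dpkg/status); apt will not select them while the pin is active.
held_back_versions() {
    version_priorities | awk '$2 != "" && $2 + 0 < 100 { print $1 }'
}

# Versions offered by a source that outranks the installed copy.
outranking_versions() {
    version_priorities | awk '$2 != "" && $2 + 0 > 100 { print $1 }'
}

# Demo on the constructed sample. On a real host:
#   apt-cache policy <package> | version_priorities
sample_policy | version_priorities
```

If no version is reported at priority 50 on a real host, the pin is not taking effect for that package, which is the situation described in the comments on this answer.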
The following is confirmed in Ubuntu 14.04 LTS.
Use the unattended-upgrade package.
Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
Note how it has been configured to only allow unattended upgrades for security packages, by default.
Modify the file /etc/apt/apt.conf.d/10periodic similar to:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
This will run automatic unattended security upgrades, once per day.
Now, to run manually: sudo unattended-upgrade.
To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.
Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html
Is there a way to make this a monthly schedule?
– mike.b93
Feb 1 '17 at 14:30
1
@mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; would do this--every 30 days.
– vcardillo
May 23 '17 at 22:13
edited May 23 '17 at 22:12
answered Oct 3 '16 at 17:18
vcardillo
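Whether unattended-upgrade stays security-only depends on which entries of the Allowed-Origins block are uncommented. This added example (not part of the original answer) lists the active entries and flags any that is not a `-security` archive; both sample stanzas are constructed, and `examplepkg` is a made-up package name.

```shell
#!/bin/sh
# Added example: audit the Allowed-Origins block of 50unattended-upgrades.
# Only "//" comments are handled, as used in the stanza quoted above.

# Constructed copy of the default stanza (security only).
sample_default() {
cat <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
EOF
}

# Constructed variant where -updates has been enabled by hand.
sample_widened() {
cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";   // enabled by hand
//  "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
    "examplepkg";
};
EOF
}

# Print every active (uncommented) entry of the Allowed-Origins block on stdin.
enabled_origins() {
    awk '
    /^[ \t]*\/\//                         { next }              # disabled line
    /Unattended-Upgrade::Allowed-Origins/ { inblock = 1; next }
    inblock && /^[ \t]*\}/                { inblock = 0; next } # end of block
    inblock {
        line = $0
        sub(/[ \t]*\/\/.*$/, "", line)                          # trailing comment
        if (match(line, /"[^"]*"/))
            print substr(line, RSTART + 1, RLENGTH - 2)
    }'
}

# Print active origins that are not a -security archive.
non_security_origins() {
    enabled_origins | grep -v -e '-security$' || true
}

# Exit status 0 only when every active origin is a -security archive.
security_only() {
    [ -z "$(non_security_origins)" ]
}

# Demo on the constructed variant. On a real host:
#   non_security_origins < /etc/apt/apt.conf.d/50unattended-upgrades
sample_widened | non_security_origins
```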
Although it's pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.
– mac9416
Jul 29 '10 at 0:07
OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get update, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!
– mac9416
Jul 29 '10 at 0:39
add a comment |
Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.
– mac9416
Jul 29 '10 at 0:07
OK, I disabled all but the Ubuntu security repos and ran asudo apt-get update && sudo apt-get upgrade
(cancelling before any upgrades were done). Then I re-enabled all my repos, ransudo apt-get updatee
, and opened Update Manager. The packages marked as security updates were not exactly whatapt-get upgrade
found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!
– mac9416
Jul 29 '10 at 0:39
add a comment |
Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
Although it's pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
answered Jul 29 '10 at 0:00
Stephen RC
Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.
– mac9416
Jul 29 '10 at 0:07
OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get update, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!
– mac9416
Jul 29 '10 at 0:39
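One way to try the approach from the answer above without editing the repository configuration (an added example, not part of the original posts): build a temporary list holding only the -security entries and point apt at it with -o. It assumes one-line-style entries in /etc/apt/sources.list; the function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names and the sample list are constructed.

# Print only enabled one-line-style entries whose suite ends in "-security".
security_only_sources() {
    awk '
        $1 == "deb" || $1 == "deb-src" {
            i = 2
            # Skip an optional "[ option=value ... ]" block before the URI.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            if ($(i + 1) ~ /-security$/) print
        }
    '
}

# Constructed sample sources.list, used for the offline check below.
sample_sources() {
cat <<'EOF'
deb http://archive.ubuntu.com/ubuntu bionic main restricted
deb http://archive.ubuntu.com/ubuntu bionic-updates main restricted
deb http://security.ubuntu.com/ubuntu bionic-security main restricted
deb [arch=amd64] http://security.ubuntu.com/ubuntu bionic-security universe
# deb http://security.ubuntu.com/ubuntu bionic-security multiverse
deb-src http://security.ubuntu.com/ubuntu bionic-security main
EOF
}

# Assumption: run as root. Simulates (-s) the upgrade apt would perform when
# it can see only the security entries, then restores the full package index.
simulate_security_only_upgrade() {
    dir=$(mktemp -d) || return 1
    security_only_sources < /etc/apt/sources.list > "$dir/security.list"
    set -- -o Dir::Etc::SourceList="$dir/security.list" \
           -o Dir::Etc::SourceParts=/dev/null
    apt-get "$@" update && apt-get "$@" -s upgrade
    status=$?
    rm -rf "$dir"
    apt-get update    # re-read every configured repository
    return "$status"
}

# Offline demonstration on the constructed list: prints the three enabled
# -security entries and skips the commented-out one.
sample_sources | security_only_sources
```

Drop the -s in simulate_security_only_upgrade only after reviewing the simulated package list.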
apt-get update: just read the entries in repository - according to existing list. Needed to check what is new.
apt-get upgrade: all updates for installed packages without kernel modules. No release update.
apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.
apt-get with parameter -s: test only, no changes performed.
edited Aug 2 '13 at 10:11
Eric Carvalho
answered Aug 2 '13 at 9:49
fuser
I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:
Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?
No reply as to whether that worked however.
edited Mar 20 '17 at 10:18
Community♦
answered Jul 28 '10 at 23:04
Ross
2
It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.
– mac9416
Jul 28 '10 at 23:38
On Debians I use this command to do only security updates:
apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )
answered Jan 18 at 12:41
keypress
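The filter in the answer above, written out as an added example (not the poster's code) that runs on a constructed sample of simulation output. In an Inst line the archive name sits inside the parentheses after the candidate version, which puts it in field 5 when an [old-version] is present and in field 4 when it is not; the function names and all sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and sample values are constructed.

# Read `apt-get -s upgrade` output on stdin; print each package whose
# candidate version comes from an archive with "security" in its name.
security_upgrades() {
    awk '
        $1 == "Inst" && match($0, /\(.*\)/) {
            # Inside the parentheses: "<new-version> <origin>... [<arch>]"
            inner = substr($0, RSTART + 1, RLENGTH - 2)
            sub(/^[^ ]+ /, "", inner)      # drop the candidate version
            if (tolower(inner) ~ /security/) print $2
        }
    ' | sort -u
}

# Constructed simulation output (not captured from a real system). The
# linux-image-demo line has no [old-version], as for a newly installed package.
sample_simulation() {
cat <<'EOF'
Reading package lists...
Inst libssl1.1 [1.1.0l-1~deb9u1] (1.1.0l-1~deb9u2 Debian-Security:9/oldstable [amd64])
Inst openssl [1.1.0l-1~deb9u1] (1.1.0l-1~deb9u2 Debian-Security:9/oldstable [amd64])
Inst tzdata [2019c-0+deb9u1] (2020a-0+deb9u1 Debian:9.13/oldstable [all])
Inst demo-security-tools [1.0-1] (1.0-2 Debian:9.13/oldstable [all])
Inst linux-image-demo (4.9.228-1 Debian-Security:9/oldstable [amd64])
Conf libssl1.1 (1.1.0l-1~deb9u2 Debian-Security:9/oldstable [amd64])
Conf openssl (1.1.0l-1~deb9u2 Debian-Security:9/oldstable [amd64])
EOF
}

# Assumption: run as root after `apt-get update`.
apply_security_upgrades() {
    pkgs=$(LC_ALL=C apt-get -s upgrade | security_upgrades)
    if [ -z "$pkgs" ]; then
        echo "no security upgrades pending"
        return 0
    fi
    # Unquoted on purpose: one argument per package name.
    apt-get install -y --only-upgrade $pkgs
}

# Offline demonstration on the constructed sample.
sample_simulation | security_upgrades
```

The package named demo-security-tools is left out because only the archive name is tested, not the package name; a plain grep for "security" over the whole line would have included it.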