How can I install just security updates from the command line?












307















sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?










share|improve this question




















  • 2





    I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

    – mac9416
    Jul 28 '10 at 22:59






  • 1





    Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

    – mac9416
    Jul 28 '10 at 23:02






  • 7





    You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

    – Kees Cook
    Sep 21 '10 at 18:37






  • 3





    dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

    – chronitis
    Nov 16 '12 at 14:25






  • 3





    Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

    – Karthik T
    Oct 29 '13 at 1:30
















307















sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?










share|improve this question




















  • 2





    I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

    – mac9416
    Jul 28 '10 at 22:59






  • 1





    Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

    – mac9416
    Jul 28 '10 at 23:02






  • 7





    You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

    – Kees Cook
    Sep 21 '10 at 18:37






  • 3





    dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

    – chronitis
    Nov 16 '12 at 14:25






  • 3





    Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

    – Karthik T
    Oct 29 '13 at 1:30














307












307








307


127






sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?










share|improve this question
















sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?







command-line package-management updates security






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Feb 14 '16 at 19:30









muru

1




1










asked Jul 28 '10 at 22:50









mac9416mac9416

16.4k63446




16.4k63446








  • 2





    I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

    – mac9416
    Jul 28 '10 at 22:59






  • 1





    Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

    – mac9416
    Jul 28 '10 at 23:02






  • 7





    You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

    – Kees Cook
    Sep 21 '10 at 18:37






  • 3





    dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

    – chronitis
    Nov 16 '12 at 14:25






  • 3





    Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

    – Karthik T
    Oct 29 '13 at 1:30














  • 2





    I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

    – mac9416
    Jul 28 '10 at 22:59






  • 1





    Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

    – mac9416
    Jul 28 '10 at 23:02






  • 7





    You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

    – Kees Cook
    Sep 21 '10 at 18:37






  • 3





    dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

    – chronitis
    Nov 16 '12 at 14:25






  • 3





    Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

    – Karthik T
    Oct 29 '13 at 1:30








2




2





I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

– mac9416
Jul 28 '10 at 22:59





I don't think so. dist-upgrade takes the entire system to a new release. I'm talking about day-to-day updates, like the ones you see in Update Manager.

– mac9416
Jul 28 '10 at 22:59




1




1





Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

– mac9416
Jul 28 '10 at 23:02





Oh, I see what you're saying now. Heh, I run apt-get update so often, I type it without thinking. Thanks for the heads-up!

– mac9416
Jul 28 '10 at 23:02




7




7





You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

– Kees Cook
Sep 21 '10 at 18:37





You want "apt-get dist-upgrade", not "apt-get upgrade". "dist-upgrade" isn't for new releases (that's "do-release-upgrade" a separate command). Using "dist-upgrade" means it will handle changing dependencies of the new packages. This can be important.

– Kees Cook
Sep 21 '10 at 18:37




3




3





dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

– chronitis
Nov 16 '12 at 14:25





dist-upgrade is the normal operation performed by the Update Manager GUI. For packages such as the kernel where there is a linux-image-generic package, depending on the current image, eg linux-image-3.x.y-zz-generic (each version of which is a separate package name), dist-upgrade (which allows new packages to be installed to satisfy dependencies) will perform this upgrade, whereas upgrade will show the kernel package as held-back.

– chronitis
Nov 16 '12 at 14:25




3




3





Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

– Karthik T
Oct 29 '13 at 1:30





Surprising that there are no good apt-get based answers for this, considering how prominently it is listed on each server

– Karthik T
Oct 29 '13 at 1:30










8 Answers
8






active

oldest

votes


















286














The package unattended-upgrades provides functionality to install security updates automatically.



You could use this, but instead of configuring the automatic part you could call it manually:



sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d


If you want to run it quietly instead:



sudo unattended-upgrade


NOTE: When you call unattended-upgrade you leave the "s" off the end.



This assumes that the package is installed by default, which it probably is. If not, just do:



sudo apt-get install unattended-upgrades


See also /usr/share/doc/unattended-upgrades/README.md.






share|improve this answer


























  • For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

    – Jaime Hablutzel
    Oct 23 '14 at 3:33











  • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

    – Raptor
    Apr 22 '15 at 2:41






  • 12





    Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

    – ADTC
    Mar 20 '16 at 9:00













  • i learned a few things about unattended-upgrades today. thanks!

    – the0ther
    May 17 '16 at 18:19











  • "for monitoring how it goes", it is just debug non-interactive messages right?

    – Aquarius Power
    May 14 '17 at 21:12



















111














A Few Tips On How To Manage Updates



This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.





  • Show security updates only :



    apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 


    or



    sudo unattended-upgrade --dry-run -d


    or



    /usr/lib/update-notifier/apt-check -p



  • Show all upgradeable packages



    apt-get -s dist-upgrade | grep "^Inst"



  • Install security updates only



    apt-get -s dist-upgrade | grep "^Inst" | 
    grep -i securi | awk -F " " {'print $2'} |
    xargs apt-get install



Notes:





  • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.



    If that's the case, you can do the following to show security updates only:



    sudo sh -c 'grep ^deb /etc/apt/sources.list | 
    grep security > /etc/apt/sources.security.only.list'


    and



    apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
    grep "^Inst" | awk -F " " {'print $2'}



  • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.



    checkrestart -v


    However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.



    Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233



    It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.



    ps xh -o pid |
    while read PROCID; do
    grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
    if [ $? -eq 0 ]; then
    CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
    echo -e "tPID $PROCID $CMDLINEn"
    fi
    done







share|improve this answer





















  • 1





    I notice only now this post. It is extremely precise. Thanks a lot (+1)

    – Danduk82
    May 13 '16 at 7:59











  • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

    – Ben XO
    Aug 19 '16 at 11:29











  • It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

    – ILIV
    Aug 20 '16 at 3:51











  • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

    – Nathan Hornby
    Sep 30 '16 at 9:53











  • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

    – ILIV
    Oct 1 '16 at 5:00



















46














replace /etc/apt/preferences with the following:



Package: *
Pin: release a=lucid-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50


now a simple apt-get upgrade will upgrade all security updates only.



Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.



You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.



If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:



apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade


This will make apt look for the preferences file from a non-default location.



The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.






share|improve this answer


























  • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

    – mac9416
    Jul 29 '10 at 13:14






  • 1





    You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

    – Ressu
    Jul 29 '10 at 16:24






  • 1





    I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

    – Shade
    Aug 22 '14 at 8:33



















11














The following is confirmed in Ubuntu 14.04 LTS.



Use the unattended-upgrade package.



Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:



// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};


Note how it has been configured to only allow unattended upgrades for security packages, by default.



Modify the file /etc/apt/apt.conf.d/10periodic similar to:



APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";


This will run automatic unattended security upgrades, once per day.



Now, to run manually: sudo unattended-upgrade.



To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.



Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html






share|improve this answer


























  • Is there a way to make this a monthly schedule?

    – mike.b93
    Feb 1 '17 at 14:30






  • 1





    @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

    – vcardillo
    May 23 '17 at 22:13





















5














Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:



sudo apt-get update && sudo apt-get upgrade


I haven't tested it, but in theory it would only find updates in the security repo and apply them...






share|improve this answer
























  • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

    – mac9416
    Jul 29 '10 at 0:07











  • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

    – mac9416
    Jul 29 '10 at 0:39



















3
















  • apt-get update:
    just read the entries in repository - acording to existing list. Needed to check what is new.


  • apt-get upgrade: all updates for installed packages without kernel modules. No release update.


  • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.


  • apt-get with parameter -s: test only, no changes performed.






share|improve this answer

































    0














    I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:




    Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?




    No reply as to whether that worked however.






    share|improve this answer





















    • 2





      It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

      – mac9416
      Jul 28 '10 at 23:38



















    0














    On Debians I use this command to do only security updates:



    apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )





    share|improve this answer























      Your Answer








      StackExchange.ready(function() {
      var channelOptions = {
      tags: "".split(" "),
      id: "89"
      };
      initTagRenderer("".split(" "), "".split(" "), channelOptions);

      StackExchange.using("externalEditor", function() {
      // Have to fire editor after snippets, if snippets enabled
      if (StackExchange.settings.snippets.snippetsEnabled) {
      StackExchange.using("snippets", function() {
      createEditor();
      });
      }
      else {
      createEditor();
      }
      });

      function createEditor() {
      StackExchange.prepareEditor({
      heartbeatType: 'answer',
      autoActivateHeartbeat: false,
      convertImagesToLinks: true,
      noModals: true,
      showLowRepImageUploadWarning: true,
      reputationToPostImages: 10,
      bindNavPrevention: true,
      postfix: "",
      imageUploader: {
      brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
      contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
      allowUrls: true
      },
      onDemand: true,
      discardSelector: ".discard-answer"
      ,immediatelyShowMarkdownHelp:true
      });


      }
      });














      draft saved

      draft discarded


















      StackExchange.ready(
      function () {
      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f194%2fhow-can-i-install-just-security-updates-from-the-command-line%23new-answer', 'question_page');
      }
      );

      Post as a guest















      Required, but never shown

























      8 Answers
      8






      active

      oldest

      votes








      8 Answers
      8






      active

      oldest

      votes









      active

      oldest

      votes






      active

      oldest

      votes









      286














      The package unattended-upgrades provides functionality to install security updates automatically.



      You could use this, but instead of configuring the automatic part you could call it manually:



      sudo unattended-upgrade -d --dry-run
      sudo unattended-upgrade -d


      If you want to run it quietly instead:



      sudo unattended-upgrade


      NOTE: When you call unattended-upgrade you leave the "s" off the end.



      This assumes that the package is installed by default, which it probably is. If not, just do:



      sudo apt-get install unattended-upgrades


      See also /usr/share/doc/unattended-upgrades/README.md.






      share|improve this answer


























      • For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

        – Jaime Hablutzel
        Oct 23 '14 at 3:33











      • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

        – Raptor
        Apr 22 '15 at 2:41






      • 12





        Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

        – ADTC
        Mar 20 '16 at 9:00













      • i learned a few things about unattended-upgrades today. thanks!

        – the0ther
        May 17 '16 at 18:19











      • "for monitoring how it goes", it is just debug non-interactive messages right?

        – Aquarius Power
        May 14 '17 at 21:12
















      286














      The package unattended-upgrades provides functionality to install security updates automatically.



      You could use this, but instead of configuring the automatic part you could call it manually:



      sudo unattended-upgrade -d --dry-run
      sudo unattended-upgrade -d


      If you want to run it quietly instead:



      sudo unattended-upgrade


      NOTE: When you call unattended-upgrade you leave the "s" off the end.



      This assumes that the package is installed by default, which it probably is. If not, just do:



      sudo apt-get install unattended-upgrades


      See also /usr/share/doc/unattended-upgrades/README.md.






      share|improve this answer


























      • For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

        – Jaime Hablutzel
        Oct 23 '14 at 3:33











      • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

        – Raptor
        Apr 22 '15 at 2:41






      • 12





        Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

        – ADTC
        Mar 20 '16 at 9:00













      • i learned a few things about unattended-upgrades today. thanks!

        – the0ther
        May 17 '16 at 18:19











      • "for monitoring how it goes", it is just debug non-interactive messages right?

        – Aquarius Power
        May 14 '17 at 21:12














      286












      286








      286







      The package unattended-upgrades provides functionality to install security updates automatically.



      You could use this, but instead of configuring the automatic part you could call it manually:



      sudo unattended-upgrade -d --dry-run
      sudo unattended-upgrade -d


      If you want to run it quietly instead:



      sudo unattended-upgrade


      NOTE: When you call unattended-upgrade you leave the "s" off the end.



      This assumes that the package is installed by default, which it probably is. If not, just do:



      sudo apt-get install unattended-upgrades


      See also /usr/share/doc/unattended-upgrades/README.md.






      share|improve this answer















      The package unattended-upgrades provides functionality to install security updates automatically.



      You could use this, but instead of configuring the automatic part you could call it manually:



      sudo unattended-upgrade -d --dry-run
      sudo unattended-upgrade -d


      If you want to run it quietly instead:



      sudo unattended-upgrade


      NOTE: When you call unattended-upgrade you leave the "s" off the end.



      This assumes that the package is installed by default, which it probably is. If not, just do:



      sudo apt-get install unattended-upgrades


      See also /usr/share/doc/unattended-upgrades/README.md.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Jan 28 at 3:23









      Community

      1




      1










      answered Jul 29 '10 at 17:28









      blueyedblueyed

      6,23922231




      6,23922231













      • For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

        – Jaime Hablutzel
        Oct 23 '14 at 3:33











      • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

        – Raptor
        Apr 22 '15 at 2:41






      • 12





        Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

        – ADTC
        Mar 20 '16 at 9:00













      • i learned a few things about unattended-upgrades today. thanks!

        – the0ther
        May 17 '16 at 18:19











      • "for monitoring how it goes", it is just debug non-interactive messages right?

        – Aquarius Power
        May 14 '17 at 21:12



















      • For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

        – Jaime Hablutzel
        Oct 23 '14 at 3:33











      • side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

        – Raptor
        Apr 22 '15 at 2:41






      • 12





        Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

        – ADTC
        Mar 20 '16 at 9:00













      • i learned a few things about unattended-upgrades today. thanks!

        – the0ther
        May 17 '16 at 18:19











      • "for monitoring how it goes", it is just debug non-interactive messages right?

        – Aquarius Power
        May 14 '17 at 21:12

















      For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

      – Jaime Hablutzel
      Oct 23 '14 at 3:33





      For disabling the automatic execution of unattended-upgrade you are probably needing to modify /etc/cron.daily/apt, but not sure it is "correct" to do so

      – Jaime Hablutzel
      Oct 23 '14 at 3:33













      side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

      – Raptor
      Apr 22 '15 at 2:41





      side note: for Ubuntu 12.04.5 LTS server, unattended-upgrades is not installed by default.

      – Raptor
      Apr 22 '15 at 2:41




      12




      12





      Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

      – ADTC
      Mar 20 '16 at 9:00







      Since you're doing this from the command line, use -v for info messages or -d for debug messages. Otherwise the utility will be very silent, in which case you would need to check the logs in /var/log/unattended-upgrades. You can also use --dry-run to simulate but not actually upgrade anything. For more info and other options, use --help to get the help message.

      – ADTC
      Mar 20 '16 at 9:00















      i learned a few things about unattended-upgrades today. thanks!

      – the0ther
      May 17 '16 at 18:19





      i learned a few things about unattended-upgrades today. thanks!

      – the0ther
      May 17 '16 at 18:19













      "for monitoring how it goes", it is just debug non-interactive messages right?

      – Aquarius Power
      May 14 '17 at 21:12





      "for monitoring how it goes", it is just debug non-interactive messages right?

      – Aquarius Power
      May 14 '17 at 21:12













      111














      A Few Tips On How To Manage Updates



      This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.





      • Show security updates only :



        apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 


        or



        sudo unattended-upgrade --dry-run -d


        or



        /usr/lib/update-notifier/apt-check -p



      • Show all upgradeable packages



        apt-get -s dist-upgrade | grep "^Inst"



      • Install security updates only



        apt-get -s dist-upgrade | grep "^Inst" | 
        grep -i securi | awk -F " " {'print $2'} |
        xargs apt-get install



      Notes:





      • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.



        If that's the case, you can do the following to show security updates only:



        sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'


        and



        apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
        grep "^Inst" | awk -F " " {'print $2'}



      • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.



        checkrestart -v


        However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.



        Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233



        It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.



        ps xh -o pid |
        while read PROCID; do
        grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
        if [ $? -eq 0 ]; then
        CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "tPID $PROCID $CMDLINEn"
        fi
        done







      share|improve this answer





















      • 1





        I notice only now this post. It is extremely precise. Thanks a lot (+1)

        – Danduk82
        May 13 '16 at 7:59











      • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

        – Ben XO
        Aug 19 '16 at 11:29











      • It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

        – ILIV
        Aug 20 '16 at 3:51











      • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

        – Nathan Hornby
        Sep 30 '16 at 9:53











      • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

        – ILIV
        Oct 1 '16 at 5:00
















      111














      A Few Tips On How To Manage Updates



      This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.





      • Show security updates only :



        apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 


        or



        sudo unattended-upgrade --dry-run -d


        or



        /usr/lib/update-notifier/apt-check -p



      • Show all upgradeable packages



        apt-get -s dist-upgrade | grep "^Inst"



      • Install security updates only



        apt-get -s dist-upgrade | grep "^Inst" | 
        grep -i securi | awk -F " " {'print $2'} |
        xargs apt-get install



      Notes:





      • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.



        If that's the case, you can do the following to show security updates only:



        sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'


        and



        apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
        grep "^Inst" | awk -F " " {'print $2'}



      • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.



        checkrestart -v


        However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.



        Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233



        It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.



        ps xh -o pid |
        while read PROCID; do
        grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
        if [ $? -eq 0 ]; then
        CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "tPID $PROCID $CMDLINEn"
        fi
        done







      share|improve this answer





















      • 1





        I notice only now this post. It is extremely precise. Thanks a lot (+1)

        – Danduk82
        May 13 '16 at 7:59











      • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

        – Ben XO
        Aug 19 '16 at 11:29











      • It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

        – ILIV
        Aug 20 '16 at 3:51











      • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

        – Nathan Hornby
        Sep 30 '16 at 9:53











      • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

        – ILIV
        Oct 1 '16 at 5:00














      111












      111








      111







      A Few Tips On How To Manage Updates



      This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.





      • Show security updates only :



        apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 


        or



        sudo unattended-upgrade --dry-run -d


        or



        /usr/lib/update-notifier/apt-check -p



      • Show all upgradeable packages



        apt-get -s dist-upgrade | grep "^Inst"



      • Install security updates only



        apt-get -s dist-upgrade | grep "^Inst" | 
        grep -i securi | awk -F " " {'print $2'} |
        xargs apt-get install



      Notes:





      • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.



        If that's the case, you can do the following to show security updates only:



        sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'


        and



        apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
        grep "^Inst" | awk -F " " {'print $2'}



      • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.



        checkrestart -v


        However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.



        Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233



        It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.



        ps xh -o pid |
        while read PROCID; do
        grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
        if [ $? -eq 0 ]; then
        CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "tPID $PROCID $CMDLINEn"
        fi
        done







      share|improve this answer















      A Few Tips On How To Manage Updates



      This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.





      • Show security updates only :



        apt-get -s dist-upgrade |grep "^Inst" |grep -i securi 


        or



        sudo unattended-upgrade --dry-run -d


        or



        /usr/lib/update-notifier/apt-check -p



      • Show all upgradeable packages



        apt-get -s dist-upgrade | grep "^Inst"



      • Install security updates only



        apt-get -s dist-upgrade | grep "^Inst" | 
        grep -i securi | awk -F " " {'print $2'} |
        xargs apt-get install



      Notes:





      • Sometimes Ubuntu shows security updates as if they're coming from $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to $release-updates repository as well to expedite their availability.



        If that's the case, you can do the following to show security updates only:



        sudo sh -c 'grep ^deb /etc/apt/sources.list | 
        grep security > /etc/apt/sources.security.only.list'


        and



        apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null  | 
        grep "^Inst" | awk -F " " {'print $2'}



      • Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it still may be using an older version of a library (most common reason) that's been loaded into memory before you installed new package which fixes a security vulnerability or whatever.



        checkrestart -v


        However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, PostgreSQL service may be keeping in its memory reference to an already deleted xlog file, which isn't a valid reason to restart the service.



        Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233



        It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.



        ps xh -o pid |
        while read PROCID; do
        grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
        if [ $? -eq 0 ]; then
        CMDLINE=$(sed -e 's/x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "tPID $PROCID $CMDLINEn"
        fi
        done








      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Jan 6 '16 at 9:05









      lemonsqueeze

      1,259915




      1,259915










      answered Nov 16 '12 at 11:35









      ILIVILIV

      1,222189




      1,222189








      • 1





        I notice only now this post. It is extremely precise. Thanks a lot (+1)

        – Danduk82
        May 13 '16 at 7:59











      • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

        – Ben XO
        Aug 19 '16 at 11:29











      • It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

        – ILIV
        Aug 20 '16 at 3:51











      • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

        – Nathan Hornby
        Sep 30 '16 at 9:53











      • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

        – ILIV
        Oct 1 '16 at 5:00














      • 1





        I notice only now this post. It is extremely precise. Thanks a lot (+1)

        – Danduk82
        May 13 '16 at 7:59











      • where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

        – Ben XO
        Aug 19 '16 at 11:29











      • It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

        – ILIV
        Aug 20 '16 at 3:51











      • I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

        – Nathan Hornby
        Sep 30 '16 at 9:53











      • Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

        – ILIV
        Oct 1 '16 at 5:00








      1




      1





      I notice only now this post. It is extremely precise. Thanks a lot (+1)

      – Danduk82
      May 13 '16 at 7:59





      I notice only now this post. It is extremely precise. Thanks a lot (+1)

      – Danduk82
      May 13 '16 at 7:59













      where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

      – Ben XO
      Aug 19 '16 at 11:29





      where does 'checkrestart' come from? I can't find it in Ubuntu Trusty. I did find "needrestart" which looks like it would fit in your instructions?

      – Ben XO
      Aug 19 '16 at 11:29













      It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

      – ILIV
      Aug 20 '16 at 3:51





      It can be found in debian-goodies package: packages.debian.org/wheezy/debian-goodies. There's also needrestart. You can find both on Xenial by running: $apt-cache search checkrestart

      – ILIV
      Aug 20 '16 at 3:51













      I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

      – Nathan Hornby
      Sep 30 '16 at 9:53





      I get "E: Could not open lock file /var/lib/dpkg/lock - open (13: Permission denied)" even with sudo. Is this something specific to one of the updates or the commands you've provided?

      – Nathan Hornby
      Sep 30 '16 at 9:53













      Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

      – ILIV
      Oct 1 '16 at 5:00





      Most likely it's about an incorrect/abnormal termination of dpkg that left a lock file uncleared. Doesn't happen normally until, e.g. installation of a package doesn't finish successfully (full disk, etc.) You probably cannot run other apt-get and dpkg commands, can you?

      – ILIV
      Oct 1 '16 at 5:00











      46














      replace /etc/apt/preferences with the following:



      Package: *
      Pin: release a=lucid-security
      Pin-Priority: 500

      Package: *
      Pin: release o=Ubuntu
      Pin-Priority: 50


      now a simple apt-get upgrade will upgrade all security updates only.



      Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.



      You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.



      If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:



      apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade


      This will make apt look for the preferences file from a non-default location.



      The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.






      share|improve this answer


























      • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

        – mac9416
        Jul 29 '10 at 13:14






      • 1





        You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

        – Ressu
        Jul 29 '10 at 16:24






      • 1





        I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

        – Shade
        Aug 22 '14 at 8:33
















      46














      replace /etc/apt/preferences with the following:



      Package: *
      Pin: release a=lucid-security
      Pin-Priority: 500

      Package: *
      Pin: release o=Ubuntu
      Pin-Priority: 50


      now a simple apt-get upgrade will upgrade all security updates only.



      Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.



      You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.



      If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:



      apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade


      This will make apt look for the preferences file from a non-default location.



      The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.






      share|improve this answer


























      • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

        – mac9416
        Jul 29 '10 at 13:14






      • 1





        You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

        – Ressu
        Jul 29 '10 at 16:24






      • 1





        I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

        – Shade
        Aug 22 '14 at 8:33














      46












      46








      46







      replace /etc/apt/preferences with the following:



      Package: *
      Pin: release a=lucid-security
      Pin-Priority: 500

      Package: *
      Pin: release o=Ubuntu
      Pin-Priority: 50


      now a simple apt-get upgrade will upgrade all security updates only.



      Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.



      You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.



      If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:



      apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade


      This will make apt look for the preferences file from a non-default location.



      The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.






      share|improve this answer















      replace /etc/apt/preferences with the following:



      Package: *
      Pin: release a=lucid-security
      Pin-Priority: 500

      Package: *
      Pin: release o=Ubuntu
      Pin-Priority: 50


      now a simple apt-get upgrade will upgrade all security updates only.



      Why (and how) this works: The preferences file will pin all packages from Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from security repository are given the default (500) priority so they are considered for installation. This means that only packages that are considered more desirable than currently installed ones are security updates. More information about pinning in the apt_preferences manpage.



      You can temporarily promote a certain distribution for updates with the --target-release option that works with apt-get and aptitude (at least) which will allow you pin certain releases so that they are eligible for upgrade.



      If you wish to use this for scripts only and not make it default for the system, you can place the rules in to some other location and use this instead:



      apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade


      This will make apt look for the preferences file from a non-default location.



      The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited Dec 18 '15 at 9:29









      A.B.

      69.2k12172266




      69.2k12172266










      answered Jul 29 '10 at 4:12









      RessuRessu

      8,57013027




      8,57013027













      • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

        – mac9416
        Jul 29 '10 at 13:14






      • 1





        You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

        – Ressu
        Jul 29 '10 at 16:24






      • 1





        I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

        – Shade
        Aug 22 '14 at 8:33



















      • Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

        – mac9416
        Jul 29 '10 at 13:14






      • 1





        You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

        – Ressu
        Jul 29 '10 at 16:24






      • 1





        I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

        – Shade
        Aug 22 '14 at 8:33

















      Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

      – mac9416
      Jul 29 '10 at 13:14





      Thanks for taking time for a thorough answer. I think I understand how it works. But when I create the /etc/apt/preferences file and run apt-get upgrade, it wants to upgrade all packages, not just security updates. The list upgrade before and after are exactly the same, except with /etc/apt/preferences it doesn't want to upgrade Leafpad, which I built from source and installed "by hand" with dpkg. It's very strange to me, but may mean something to you.

      – mac9416
      Jul 29 '10 at 13:14




      1




      1





      You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

      – Ressu
      Jul 29 '10 at 16:24





      You can see what is going on with apt-cache policy command. Pick one of the packages that isn't getting a security fix and run apt-cache policy packagename. This will list the priorities for various versions. You should see various lines and different priorities. If there are no lines with the priority 50, the pinning isn't affecting the packages in question for some reason.

      – Ressu
      Jul 29 '10 at 16:24




      1




      1





      I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

      – Shade
      Aug 22 '14 at 8:33





      I had followed this answer in the past. Today I found out that due to this answer, 68 security update packages were NOT installed on my server and didn't show up as potential install candidates. This is NOT A GOOD ANSWER!

      – Shade
      Aug 22 '14 at 8:33











      11














      The following is confirmed in Ubuntu 14.04 LTS.



      Use the unattended-upgrade package.



      Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:



      // Automatically upgrade packages from these (origin:archive) pairs
      Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      // "${distro_id}:${distro_codename}-updates";
      // "${distro_id}:${distro_codename}-proposed";
      // "${distro_id}:${distro_codename}-backports";
      };


      Note how it has been configured to only allow unattended upgrades for security packages, by default.



      Modify the file /etc/apt/apt.conf.d/10periodic similar to:



      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";


      This will run automatic unattended security upgrades, once per day.



      Now, to run manually: sudo unattended-upgrade.



      To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.



      Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html






      share|improve this answer


























      • Is there a way to make this a monthly schedule?

        – mike.b93
        Feb 1 '17 at 14:30






      • 1





        @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

        – vcardillo
        May 23 '17 at 22:13


















      11














      The following is confirmed in Ubuntu 14.04 LTS.



      Use the unattended-upgrade package.



      Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:



      // Automatically upgrade packages from these (origin:archive) pairs
      Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      // "${distro_id}:${distro_codename}-updates";
      // "${distro_id}:${distro_codename}-proposed";
      // "${distro_id}:${distro_codename}-backports";
      };


      Note how it has been configured to only allow unattended upgrades for security packages, by default.



      Modify the file /etc/apt/apt.conf.d/10periodic similar to:



      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";


      This will run automatic unattended security upgrades, once per day.



      Now, to run manually: sudo unattended-upgrade.



      To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.



      Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html






      share|improve this answer


























      • Is there a way to make this a monthly schedule?

        – mike.b93
        Feb 1 '17 at 14:30






      • 1





        @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

        – vcardillo
        May 23 '17 at 22:13
















      11












      11








      11







      The following is confirmed in Ubuntu 14.04 LTS.



      Use the unattended-upgrade package.



      Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:



      // Automatically upgrade packages from these (origin:archive) pairs
      Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      // "${distro_id}:${distro_codename}-updates";
      // "${distro_id}:${distro_codename}-proposed";
      // "${distro_id}:${distro_codename}-backports";
      };


      Note how it has been configured to only allow unattended upgrades for security packages, by default.



      Modify the file /etc/apt/apt.conf.d/10periodic similar to:



      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";


      This will run automatic unattended security upgrades, once per day.



      Now, to run manually: sudo unattended-upgrade.



      To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.



      Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html






      share|improve this answer















      The following is confirmed in Ubuntu 14.04 LTS.



      Use the unattended-upgrade package.



      Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:



      // Automatically upgrade packages from these (origin:archive) pairs
      Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      // "${distro_id}:${distro_codename}-updates";
      // "${distro_id}:${distro_codename}-proposed";
      // "${distro_id}:${distro_codename}-backports";
      };


      Note how it has been configured to only allow unattended upgrades for security packages, by default.



      Modify the file /etc/apt/apt.conf.d/10periodic similar to:



      APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::Unattended-Upgrade "1";


      This will run automatic unattended security upgrades, once per day.



      Now, to run manually: sudo unattended-upgrade.



      To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.



      Source: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html







      share|improve this answer














      share|improve this answer



      share|improve this answer








      edited May 23 '17 at 22:12

























      answered Oct 3 '16 at 17:18









      vcardillovcardillo

      277139




      277139













      • Is there a way to make this a monthly schedule?

        – mike.b93
        Feb 1 '17 at 14:30






      • 1





        @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

        – vcardillo
        May 23 '17 at 22:13





















      • Is there a way to make this a monthly schedule?

        – mike.b93
        Feb 1 '17 at 14:30






      • 1





        @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

        – vcardillo
        May 23 '17 at 22:13



















      Is there a way to make this a monthly schedule?

      – mike.b93
      Feb 1 '17 at 14:30





      Is there a way to make this a monthly schedule?

      – mike.b93
      Feb 1 '17 at 14:30




      1




      1





      @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

      – vcardillo
      May 23 '17 at 22:13







      @mike.b93, I believe setting APT::Periodic::Unattended-Upgrade "30"; Would do this--every 30 days.

      – vcardillo
      May 23 '17 at 22:13













      5














      Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:



      sudo apt-get update && sudo apt-get upgrade


      I haven't tested it, but in theory it would only find updates in the security repo and apply them...






      share|improve this answer
























      • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

        – mac9416
        Jul 29 '10 at 0:07











      • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

        – mac9416
        Jul 29 '10 at 0:39
















      5














      Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:



      sudo apt-get update && sudo apt-get upgrade


      I haven't tested it, but in theory it would only find updates in the security repo and apply them...






      share|improve this answer
























      • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

        – mac9416
        Jul 29 '10 at 0:07











      • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

        – mac9416
        Jul 29 '10 at 0:39














      5












      5








      5







      Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:



      sudo apt-get update && sudo apt-get upgrade


      I haven't tested it, but in theory it would only find updates in the security repo and apply them...






      share|improve this answer













      Although its pretty ugly, you could disable all the repositories apart from the security repository and then do:



      sudo apt-get update && sudo apt-get upgrade


      I haven't tested it, but in theory it would only find updates in the security repo and apply them...







      share|improve this answer












      share|improve this answer



      share|improve this answer










      answered Jul 29 '10 at 0:00









      Stephen RCStephen RC

      2,31162944




      2,31162944













      • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

        – mac9416
        Jul 29 '10 at 0:07











      • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

        – mac9416
        Jul 29 '10 at 0:39



















      • Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

        – mac9416
        Jul 29 '10 at 0:07











      • OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

        – mac9416
        Jul 29 '10 at 0:39

















      Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

      – mac9416
      Jul 29 '10 at 0:07





      Yeah, that's a possibility. I'll look into it. I'm no good at BASH, but I may try to make a script to do it.

      – mac9416
      Jul 29 '10 at 0:07













      OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

      – mac9416
      Jul 29 '10 at 0:39





      OK, I disabled all but the Ubuntu security repos and ran a sudo apt-get update && sudo apt-get upgrade (cancelling before any upgrades were done). Then I re-enabled all my repos, ran sudo apt-get updatee, and opened Update Manager. The packages marked as security updates were not exactly what apt-get upgrade found, but they were very close -- close enough for me. I still wish I knew exactly how Update Manager does it and how to do the same from the command-line, but this will do. Thanks!

      – mac9416
      Jul 29 '10 at 0:39











      3
















      • apt-get update:
        just read the entries in repository - acording to existing list. Needed to check what is new.


      • apt-get upgrade: all updates for installed packages without kernel modules. No release update.


      • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.


      • apt-get with parameter -s: test only, no changes performed.






      share|improve this answer






























        3
















        • apt-get update:
          just read the entries in repository - acording to existing list. Needed to check what is new.


        • apt-get upgrade: all updates for installed packages without kernel modules. No release update.


        • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.


        • apt-get with parameter -s: test only, no changes performed.






        share|improve this answer




























          3












          3








          3









          • apt-get update:
            just read the entries in repository - acording to existing list. Needed to check what is new.


          • apt-get upgrade: all updates for installed packages without kernel modules. No release update.


          • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.


          • apt-get with parameter -s: test only, no changes performed.






          share|improve this answer

















          • apt-get update:
            just read the entries in repository - acording to existing list. Needed to check what is new.


          • apt-get upgrade: all updates for installed packages without kernel modules. No release update.


          • apt-get dist-upgrade: all updates for installed packages also with kernel modules. No release update.


          • apt-get with parameter -s: test only, no changes performed.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Aug 2 '13 at 10:11









          Eric Carvalho

          41.9k17115147




          41.9k17115147










          answered Aug 2 '13 at 9:49









          fuserfuser

          471




          471























              0














              I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:




              Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?




              No reply as to whether that worked however.






              share|improve this answer





















              • 2





                It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

                – mac9416
                Jul 28 '10 at 23:38
















              0














              I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:




              Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?




              No reply as to whether that worked however.






              share|improve this answer





















              • 2





                It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

                – mac9416
                Jul 28 '10 at 23:38














              0












              0








              0







              I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:




              Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?




              No reply as to whether that worked however.






              share|improve this answer















              I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:




              Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade . Did you replace 'karmic' with the code name of your Ubuntu?




              No reply as to whether that worked however.







              share|improve this answer














              share|improve this answer



              share|improve this answer








              edited Mar 20 '17 at 10:18









              Community

              1




              1










              answered Jul 28 '10 at 23:04









              RossRoss

              89731122




              89731122








              • 2





                It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

                – mac9416
                Jul 28 '10 at 23:38














              • 2





                It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

                – mac9416
                Jul 28 '10 at 23:38








              2




              2





              It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

              – mac9416
              Jul 28 '10 at 23:38





              It appears that the method described in that wiki page depends on setting aptitude's --target-release argument to <release>-security. Like the OP of that question, that method installs all upgrades, not just security upgrades. Reading the apt-get and aptitude man pages, I don't think the --target-release argument is even intended to limit upgrades to just security, though I'm not sure just what it is for.

              – mac9416
              Jul 28 '10 at 23:38











              0














              On Debians I use this command to do only security updates:



              apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )





              share|improve this answer




























                0














                On Debians I use this command to do only security updates:



                apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )





                share|improve this answer


























                  0












                  0








                  0







                  On Debians I use this command to do only security updates:



                  apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )





                  share|improve this answer













                  On Debians I use this command to do only security updates:



                  apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )






                  share|improve this answer












                  share|improve this answer



                  share|improve this answer










                  answered Jan 18 at 12:41









                  keypresskeypress

                  1112




                  1112






























                      draft saved

                      draft discarded




















































                      Thanks for contributing an answer to Ask Ubuntu!


                      • Please be sure to answer the question. Provide details and share your research!

                      But avoid



                      • Asking for help, clarification, or responding to other answers.

                      • Making statements based on opinion; back them up with references or personal experience.


                      To learn more, see our tips on writing great answers.




                      draft saved


                      draft discarded














                      StackExchange.ready(
                      function () {
                      StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f194%2fhow-can-i-install-just-security-updates-from-the-command-line%23new-answer', 'question_page');
                      }
                      );

                      Post as a guest















                      Required, but never shown





















































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown

































                      Required, but never shown














                      Required, but never shown












                      Required, but never shown







                      Required, but never shown







                      Popular posts from this blog

                      mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

                      How to change which sound is reproduced for terminal bell?

                      Can I use Tabulator js library in my java Spring + Thymeleaf project?