
System: cron-apt update notification and security upgrades in Wheezy

The cron-apt program in Debian allows you to automate various apt-get commands to either just notify you of updates or to actually download and install updates for you.

Our requirements are to:

  1. update the package list (apt-get update);
  2. run a download and simulated upgrade (apt-get -d dist-upgrade); and
  3. automatically download and install any security updates.

Actually the first two items are enabled by default, as you can see below, so it's only the last requirement that needs our attention.

Obviously it's always good to carry out package management manually, but that's not always an option, and the security updates at least are usually safe to install.

While this article was written some time ago, for Debian 7, the same cron-apt settings are still working as of Debian 12, with only one small patch added for Sendmail compatibility, which you can find described below.

Configuration files

First make sure that the latest version is installed:

apt-get install cron-apt

In Debian 7.0 "Wheezy" the configuration has been changed from a single file /etc/cron-apt.conf to a confusing array of directories and files. We will focus on just the most important ones:

/etc/cron-apt/config
/etc/cron-apt/action.d/*
/etc/cron-apt/config.d/*

After a default install the action.d directory contains two files, numbered to define the execution order. They are run in sequence when cron-apt is executed. All other config files are empty.

/etc/cron-apt/action.d/0-update

update -o quiet=2

/etc/cron-apt/action.d/3-download

autoclean -y
upgrade -d -y -o APT::Get::Show-Upgraded=true

Together these scripts will update the local package list and download any new packages ready for installation, but not install them. The list of packages ready to be upgraded is then emailed (to the root user), assuming the script is being called via cron.

To make debugging easier, we've also added to the config file the following lines:

# Configuration for cron-apt. For further information about the possible
# configuration settings see /usr/share/doc/cron-apt/README.gz.

MAILON="output"
DEBUG="verbose"

This means that an email is sent whenever any output is generated, and everything is logged. The default values are "error" and "output" respectively. You can consult the README file to see all possible values.

Logging output appears at /var/log/cron-apt/log.

Enabling security upgrades

Any configuration settings added to the main config file will apply to all 'actions'. That's not useful if we want to use different configurations for different actions, as we do here for installing only security upgrades.

The trick is to create separate configuration files under config.d with filenames matching the respective files in action.d.

To enable automatic security updates we create a new action and matching configuration file:

/etc/cron-apt/action.d/5-security

upgrade -d -y -o APT::Get::Show-Upgraded=true

The -d here is only required for testing (see below).

/etc/cron-apt/config.d/5-security

OPTIONS="-o quiet=1 -o APT::Get::List-Cleanup=false -o Dir::Etc::SourceList=/etc/apt/sources.list.d/security.list -o Dir::Etc::SourceParts=\"/dev/null\""

You'll notice that this specifies an alternative sources.list /etc/apt/sources.list.d/security.list. To create this file take any 'security' references from the default sources.list and move them to this new file. This will look something like:

/etc/apt/sources.list.d/security.list

deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

Just like cron-apt the configuration for apt has evolved to allow for settings to be split into multiple files. All files under sources.list.d will be read by default during an update or upgrade, but with cron-apt we are able to specify a specific file to use.

Don't forget to update this file when moving to a new distribution!
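As an added example (not part of the original article or the cron-apt package), the POSIX shell functions below carry out the split described above: every active deb/deb-src entry that points at the security archive is moved out of a sources.list into a separate security.list, and comments and all other entries stay where they were. The paths are arguments, so the split can be rehearsed on a copy of /etc/apt first; the sources.list the demo builds is a constructed sample, not a real system's file. The pattern also recognises the "<suite>-security" suite naming used on newer Debian releases, which goes slightly beyond the Wheezy lines shown above.

```shell
#!/bin/sh
# Added example, not part of the original article: split the security
# entries out of an apt sources.list into a separate security.list, the
# layout the cron-apt 5-security action above expects.
# Paths are arguments so the function can be tried on a copy of /etc/apt.

# Active deb/deb-src lines that point at the security archive: the
# security.debian.org host, a <suite>/updates suite (wheezy/updates) or a
# <suite>-security suite (bookworm-security).
SECURITY_RE='^[[:space:]]*deb(-src)?[[:space:]].*(security\.debian\.org|/updates[[:space:]]|-security[[:space:]])'

# split_security_sources SRC DEST
# Moves every security entry from SRC into DEST; comments and all other
# entries stay in SRC. SRC is rewritten in place via a temp file.
split_security_sources() {
    src="$1"
    dest="$2"
    tmp="${src}.tmp.$$"
    # grep exits 1 when nothing matches; that is not an error here
    grep -E "$SECURITY_RE" "$src" > "$dest" || true
    grep -Ev "$SECURITY_RE" "$src" > "$tmp" || true
    mv "$tmp" "$src"
}

# count_entries FILE
# Prints the number of active (uncommented) deb/deb-src lines in FILE.
count_entries() {
    grep -Ec '^[[:space:]]*deb(-src)?[[:space:]]' "$1" || true
}

# make_sample_sources FILE
# Writes a constructed Wheezy-style sources.list (sample data, not a real
# system's file) so the split can be demonstrated offline.
make_sample_sources() {
    cat > "$1" <<'EOF'
# constructed sample sources.list
deb http://ftp.debian.org/debian wheezy main
deb-src http://ftp.debian.org/debian wheezy main
deb http://ftp.debian.org/debian wheezy-updates main
deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main
EOF
}

# demo: run the split on a temporary copy and show both resulting files
demo() {
    dir=$(mktemp -d)
    make_sample_sources "$dir/sources.list"
    split_security_sources "$dir/sources.list" "$dir/security.list"
    echo "== $dir/security.list"; cat "$dir/security.list"
    echo "== $dir/sources.list"; cat "$dir/sources.list"
    rm -r "$dir"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh split-sources.sh demo` to see the two files side by side; the wheezy-updates line deliberately stays in sources.list because it is the stable-updates archive, not the security one, and only the two security.debian.org lines move.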

Running a test

To test that the configuration is correct you can add -d to action.d/5-security and watch for output in the logfile when you call cron-apt from the command line.

Sample output:

CRON-APT RUN [/etc/cron-apt/config]
CRON-APT ACTION: 0-update
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 update -o quiet=2
CRON-APT ACTION: 3-download
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 autoclean -y
Reading package lists...
Building dependency tree...
Reading state information...
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
CRON-APT ACTION: 5-security
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 -o APT::Get::List-Cleanup=false -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts="/dev/null" upgrade -d -y -o APT::Get::Show-Upgraded=true
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

The CRON-APT LINE entries show the apt-get commands that have been executed. Notice that in the last one -d (--download-only) still appears. That needs to be removed after checking the test output to enable the automatic security upgrades.

Again, it is usually OK to install security updates automatically, but there is always some risk. You should also check the official documentation found at /usr/share/doc/cron-apt/README.gz.
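The checks a practitioner would want to run before trusting the setup above are collected here as an added example (not part of the original article or of cron-apt itself): config.d files are only honoured when an action.d file of the same name exists, the 5-security action must lose its -d once testing is done, and the Dir::Etc::SourceList it names must exist and hold nothing but security entries. The functions take a directory argument so they can be run against a constructed copy; the tree that make_sample_cron_apt builds mirrors the files shown above but points the SourceList inside that copy rather than at /etc/apt.

```shell
#!/bin/sh
# Added example, not part of the original article or the cron-apt package:
# sanity checks for the cron-apt layout described above. Everything is
# driven by a directory argument so the checks can run against a
# constructed copy rather than the live /etc/cron-apt.

# check_cron_apt DIR
# DIR holds action.d/ and config.d/ as under /etc/cron-apt. Prints one line
# per problem found and returns the number of problems (0 = all good).
check_cron_apt() {
    dir="$1"
    problems=0

    # 1. cron-apt pairs config.d and action.d files by name, so a config
    #    file without a matching action is silently ignored.
    for cfg in "$dir"/config.d/*; do
        [ -f "$cfg" ] || continue
        name=$(basename "$cfg")
        if [ ! -f "$dir/action.d/$name" ]; then
            echo "config.d/$name has no matching action.d/$name"
            problems=$((problems + 1))
        fi
    done

    # 2. the security action must not be left in download-only mode once
    #    testing is finished (-d / --download-only).
    if [ -f "$dir/action.d/5-security" ] &&
       grep -Eq '(^|[[:space:]])(-d|--download-only)([[:space:]]|$)' "$dir/action.d/5-security"; then
        echo "action.d/5-security still has -d: security updates are only downloaded"
        problems=$((problems + 1))
    fi

    # 3. the alternative sources list named in config.d/5-security must
    #    exist and contain nothing but security entries.
    srclist=$(sed -n 's/.*Dir::Etc::SourceList=\([^ "]*\).*/\1/p' "$dir/config.d/5-security" 2>/dev/null || true)
    if [ -z "$srclist" ]; then
        echo "config.d/5-security does not set Dir::Etc::SourceList"
        problems=$((problems + 1))
    elif [ ! -f "$srclist" ]; then
        echo "security source list $srclist does not exist"
        problems=$((problems + 1))
    elif grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$srclist" |
         grep -Ev 'security\.debian\.org|/updates[[:space:]]|-security[[:space:]]' >/dev/null; then
        echo "$srclist contains non-security entries"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# enable_security_action DIR
# Removes the download-only flag from action.d/5-security once the test
# run looks right, turning it into the live "upgrade -y ..." form.
enable_security_action() {
    f="$1/action.d/5-security"
    sed -E 's/(^|[[:space:]])-d([[:space:]]|$)/\1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# make_sample_cron_apt DIR
# Builds a constructed /etc/cron-apt-style tree under DIR mirroring the
# files from the article, with 5-security still in its testing form (-d)
# and a security.list beside it (constructed sample, not a real system).
make_sample_cron_apt() {
    dir="$1"
    mkdir -p "$dir/action.d" "$dir/config.d" "$dir/apt"
    echo 'update -o quiet=2' > "$dir/action.d/0-update"
    printf '%s\n' 'autoclean -y' 'upgrade -d -y -o APT::Get::Show-Upgraded=true' > "$dir/action.d/3-download"
    echo 'upgrade -d -y -o APT::Get::Show-Upgraded=true' > "$dir/action.d/5-security"
    printf '%s\n' 'deb http://security.debian.org/ wheezy/updates main' \
                  'deb-src http://security.debian.org/ wheezy/updates main' > "$dir/apt/security.list"
    # constructed config: the SourceList points inside DIR rather than /etc/apt
    printf 'OPTIONS="-o quiet=1 -o APT::Get::List-Cleanup=false -o Dir::Etc::SourceList=%s -o Dir::Etc::SourceParts=\\"/dev/null\\""\n' \
        "$dir/apt/security.list" > "$dir/config.d/5-security"
}

# usage: sh check-cron-apt.sh check [DIR]   (DIR defaults to /etc/cron-apt)
if [ "${1:-}" = check ]; then check_cron_apt "${2:-/etc/cron-apt}"; fi
```

Against the constructed tree the only finding is the leftover -d; after enable_security_action the check is clean, and adding a non-security line to the named list or an orphan file under config.d makes it fail again. The exit status is the number of problems, which makes it easy to wire into a nightly job that mails only when something is wrong.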

CRON scheduling

Like cron-apt, the cron system is also moving to a new structure, with various /etc/cron.d/* files being used now in preference to cron.daily et al.

The default setting for cron-apt is to run nightly at 4:00 AM:

/etc/cron.d/cron-apt

#
# Regular cron jobs for the cron-apt package
#
# Every night at 4 o'clock.
0 4	* * *	root	test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt
# Every hour.
# 0 *	* * *	root	test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2
# Every five minutes.
# */5 *	* * *	root	test -x /usr/sbin/cron-apt && /usr/sbin/cron-apt /etc/cron-apt/config2

If you have any comments or questions, or if we've missed anything or made a mistake, please get in touch using the Feedback form below.

Seeing the code in action

When an update is available any new package/s are downloaded by the 3-download action and security updates are automatically installed by 5-security as you can see below. In this case it's just the fail2ban package that's receiving a security update:

CRON-APT RUN [/etc/cron-apt/config]: June 17 2013
...
CRON-APT ACTION: 3-download
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 autoclean -y
...
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 upgrade -d -y -o APT::Get::Show-Upgraded=true
...
The following packages will be upgraded:
  fail2ban
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 104 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://security.debian.org/ wheezy/updates/main fail2ban [104 kB]
Fetched 104 kB in 2s (44.8 kB/s)
Download complete and in download only mode
CRON-APT ACTION: 5-security
CRON-APT LINE: /usr/bin/apt-get -o quiet=1 -o APT::Get::List-Cleanup=false -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts="/dev/null" upgrade -y -o APT::Get::Show-Upgraded=true
...
The following packages will be upgraded:
  fail2ban
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/104 kB of archives.
After this operation, 1024 B of additional disk space will be used.
(Reading database ... 29670 files and directories currently installed.)
Preparing to replace fail2ban ...
Stopping authentication failure monitor: fail2ban.
Unpacking replacement fail2ban ...
...
Setting up fail2ban ...
...
Starting authentication failure monitor: fail2ban.


Any non-security updates are downloaded by 3-download, but not installed. They are more likely to require human intervention and a premature upgrade of one package can break other dependencies.

Patching for "Bare carriage return" error

A recent sendmail patch prevents sendmail from sending or receiving emails with 'bare carriage returns' in the message. These can appear in cron-apt output as shown here:

(Reading database ... ^M(Reading database ... 5%^M(Reading database ... 10%^M(Reading database ... 15%^M(Reading database ... 20%^M(Reading database ..

The fix is to add an extra option to the upgrade actions as follows:

action.d/3-download:

dist-upgrade -d -y -o APT::Get::Show-Upgraded=true -o Dpkg::Use-Pty=0

action.d/5-security:

upgrade -y -o APT::Get::Show-Upgraded=true -o Dpkg::Use-Pty=0
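To see whether a given cron-apt mail or /var/log/cron-apt/log still carries the bare carriage returns described above, and to apply the Dpkg::Use-Pty=0 fix to every upgrade line under action.d in one go, the following is added here as an example (not part of the original article or of cron-apt). count_bare_cr counts lines holding a CR that is not part of a CRLF line ending, which is exactly what the dpkg progress output produces; the sample output it scans is constructed to mirror the "(Reading database ..." line shown above, and the action files it builds are a constructed copy, not the live /etc/cron-apt.

```shell
#!/bin/sh
# Added example, not part of the original article: check a captured
# cron-apt mail/log for the bare carriage returns that trip sendmail, and
# make sure the upgrade actions carry the Dpkg::Use-Pty=0 option that
# stops dpkg emitting them. Sample files below are constructed.

# count_bare_cr FILE
# Prints the number of lines containing a carriage return that is not part
# of a CRLF line ending, i.e. a "bare" CR in the sendmail sense.
count_bare_cr() {
    awk '{ sub(/\r$/, ""); if (index($0, "\r") > 0) n++ } END { print n + 0 }' "$1"
}

# actions_use_pty_off DIR
# Returns 0 when every action file under DIR/action.d that runs an
# upgrade or dist-upgrade also passes -o Dpkg::Use-Pty=0; otherwise names
# the first offending file and returns 1.
actions_use_pty_off() {
    for f in "$1"/action.d/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*(dist-)?upgrade([[:space:]]|$)' "$f" &&
           ! grep -q 'Dpkg::Use-Pty=0' "$f"; then
            echo "$(basename "$f"): upgrade without -o Dpkg::Use-Pty=0"
            return 1
        fi
    done
    return 0
}

# add_use_pty DIR
# Appends -o Dpkg::Use-Pty=0 to every upgrade/dist-upgrade line under
# DIR/action.d that does not have it yet (the fix described above).
add_use_pty() {
    for f in "$1"/action.d/*; do
        [ -f "$f" ] || continue
        awk '/^[[:space:]]*(dist-)?upgrade([[:space:]]|$)/ && !/Dpkg::Use-Pty=0/ { $0 = $0 " -o Dpkg::Use-Pty=0" } { print }' \
            "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# make_sample_output FILE
# Writes a constructed progress line of the kind shown in the article:
# dpkg redraws "(Reading database ... NN%" using bare CRs, then normal lines.
make_sample_output() {
    printf '(Reading database ... \r(Reading database ... 5%%\r(Reading database ... 10%%\n' > "$1"
    printf 'Setting up fail2ban ...\n' >> "$1"
    printf 'done\r\n' >> "$1"   # CRLF: not a bare CR, must not be counted
}

# make_sample_actions DIR
# Constructed action.d with the two upgrade actions in their pre-patch form.
make_sample_actions() {
    mkdir -p "$1/action.d"
    printf '%s\n' 'autoclean -y' 'dist-upgrade -d -y -o APT::Get::Show-Upgraded=true' > "$1/action.d/3-download"
    echo 'upgrade -y -o APT::Get::Show-Upgraded=true' > "$1/action.d/5-security"
}

# usage: sh cron-apt-cr.sh scan [FILE]   (FILE defaults to the cron-apt log)
if [ "${1:-}" = scan ]; then count_bare_cr "${2:-/var/log/cron-apt/log}"; fi
```

A non-zero count from the scan is the signal that a mail built from that output will be rejected; once add_use_pty has rewritten the actions the next run's log should count zero, while the autoclean line and any option already present are left untouched.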
