Notatypewriter's Blog

Umm… what?

Things I learned today: apt, cron, and unattended-upgrades

leave a comment »

Today, I noticed my dad’s desktop was not updating Flash, Chrome, Java, and other high-risk items, which was odd because I use unattended-upgrades on that computer. The last time I logged in was a few months ago, so… yeah. Pretty bad. For example, Flash version was at and the current version is Chrome was at version 11.0.696.68-r84545 (released 2011 May 13) and the current stable version is 13.0.782.107-r94237 (released 2011 August 2). The installed Java was 6.24 and the current version is 6.26. So, security holes galore.

Checking in the configuration file at /etc/apt/apt.conf.d/50unattended-upgrades, it seems like the default setup is to only update from the official Ubuntu lucid-security and lucid-updates repositories. All of the items that failed to update were from third party repositories.

Here are some instructions on adding third party repositories to the unattended-upgrades list. But rather than pointing your browser at the Release file at each repository (Google’s repository actually seems to disallow this, possibly through some user agent magic), you can look at your apt cache for the cached versions of these files. These are located in /var/lib/apt/lists. The files you want are the ones ending in *_Release.

To keep updated the packages provided by Canonical’s partner repository (eg, Flash, Java, and Skype), add to the Unattended-Upgrade::Allowed-Origins section in /etc/apt/apt.conf.d/50unattended-upgrades:

"Canonical lucid";

But because there are spaces in Google’s repository and Oracle’s repository for Virtualbox, things are broken, at least on unattended-upgrades 0.55 (default version on Lucid and there are no updated PPAs containing this package).

If you’re running Ubuntu Maverick that has version 0.62, you can use a colon as the delimiter. Later versions have even more ways of specifying this parameter. It’s too dangerous to remotely upgrade Lucid to a later version and I’m too lazy to repackage a later version of unattended-changes, so I’m going to just put an apt-get upgrade google-chrome-stable into cron or something.

Testing your changes

I wanted to test changes to this configuration file without having to wait a day. unattended-upgrades is run daily by cron using the script /etc/cron.daily/apt. Before running the unattended-upgrades script, this cron.daily script checks for two things:

  1. The last time the local package database was updated.
  2. The last time the packages were actually upgraded.

This time is kept by /var/lib/apt/periodic/update-stamp and /var/lib/apt/periodic/upgrade-stamp. Delete these files.

To prevent all the Ubuntu installations in a particular time zone from querying the update servers at the same time, the apt cron script will sleep for a random period of time, up to 30 minutes by default, before actually doing any work. To remove this wait, edit /etc/apt/apt.conf/10periodic and change the APT::Periodic::RandomSleep parameter from 1800 to 0. Remember to change it back. I also set APT::Periodic::Verbose to 2 so I could see what’s going on. Going to 3 will trace every call made in the shell script.

Then as root, run /etc/cron.daily/apt. If it says “unattended-upgrade (success)”, then it probably worked. Make sure to check /var/log/unattended-upgrades/unattended-upgrades.log to make sure all the packages you want upgraded were actually upgraded.


Written by notatypewriter

2011 August 4 at 11:36 pm

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: