Unattended apt-get dist-upgrade

Jaman42

Unattended apt-get dist-upgrade

Post by Jaman42 »

Hi,
I am new here, I wanted a more minimalistic / snappy version of Ubuntu so I tried Mint and I am SOLD!

I am trying to deploy an unattended upgrade so I run apt-get dist-upgrade -y, but that still gives me the question about configuration files "Package distributor has shipped an updated version...." which I need to answer.

Any ideas on how to make this fully automatic? As a note I am gonna deploy this on a test unit before sending it out, to make sure nothing breaks. Just need it fully automatic.

Thanks for reading
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
PatH57

Re: Unattended apt-get dist-upgrade

Post by PatH57 »

Hi,

Which version of Mint are you using? Debian or Ubuntu?
eanfrid

Re: Unattended apt-get dist-upgrade

Post by eanfrid »

> deploy an unattended upgrade so I run apt-get dist-upgrade -y

Hope this is really just a test, because it is a very bad idea.

"unattended-upgrades" may be only used safely for security updates and "dist-upgrade" should be avoided since Mint uses a mix of repos and the notion of "upgrade stability levels". MintUpdate is the right way of updating.
Jaman42

Re: Unattended apt-get dist-upgrade

Post by Jaman42 »

I am using the Ubuntu version.

Yeah I know I could potentially break something, but as I said I am gonna run it on a test system first. All systems are exactly the same. Care to elaborate on a safer way to manage updating remotely? Without user interaction? Keep track of the updates available and make scripts installing the safe and tested ones only?

Another question I came to think of regarding security updates, if I set up unattended-upgrades for security updates. Will it ever restart after installing updates like Windows, prompt the user or anything like that?

Still interested in an answer to the initial question though, however I would probably rather do upgrade than dist-upgrade.
PatH57

Re: Unattended apt-get dist-upgrade

Post by PatH57 »

Never really tried it on Mint but on standard Ubuntu I used some of the tips given here
http://askubuntu.com/questions/250733/c ... se-upgrade

Depending on the type of the packages being upgraded I sometimes had to do a dpkg-reconfigure (minor issues)
eanfrid

Re: Unattended apt-get dist-upgrade

Post by eanfrid »

The safest way IMO is to centralize all updates on a local server with these guidelines:

1/ create a local update repo using whichever method is best for you => https://wiki.debian.org/HowToSetupADebianRepository
("my" method is dpkg-scanpackages with a daily cron)

2/ use a test computer connected to the actual Internet repos to download, validate and approve updates/upgrades

3/ copy/move downloaded packages that are approved for updates/upgrades to the local repo

4/ modify the apt sources lists to force all other computers to use this unique offline local (LAN) repository which is only fed with approved updates and install/setup unattended-upgrade on these computers in order to automatically update/upgrade them on schedule (weekly, for example)

5/ this implies that no computer can install software from the Internet, including from official repos, and then that no user is granted admin rights on the computers => only the local sysadmin can temporarily change sources in order to install new software

> Another question I came to think of regarding security updates, if I set up unattended-upgrades for security updates. Will it ever restart after installing updates like Windows, prompt the user or anything like that?

No. The default is "no message + no reboot". Basically a reboot may be only useful if you updated/upgraded the kernel, in order to load the new one.
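
One way to implement steps 2/ and 3/ of the procedure above, as an added example that is not part of the original post: only packages whose name and SHA-256 digest appear in an approval manifest written on the test machine are copied into the local repo. The function names, the manifest format and all paths are assumptions.

```shell
#!/bin/sh
# Added example: feed a flat local repo with approved packages only.
# Function names, paths and the manifest format are hypothetical.

# publish_approved INCOMING_DIR MANIFEST REPO_DIR
# MANIFEST uses sha256sum format ("<sha256>  <file.deb>") and is written on
# the test machine after validation. Prints the number of packages published.
publish_approved() {
    incoming=$1 manifest=$2 repo=$3 published=0
    mkdir -p "$repo"
    for deb in "$incoming"/*.deb; do
        [ -f "$deb" ] || continue
        name=$(basename "$deb")
        sum=$(sha256sum "$deb" | cut -d' ' -f1)
        # Publish only when both the file name and its digest were approved,
        # so a package replaced after approval is rejected.
        if grep -qxF "$sum  $name" "$manifest"; then
            cp "$deb" "$repo/$name"
            published=$((published + 1))
        else
            echo "skipped (not approved): $name" >&2
        fi
    done
    echo "$published"
}

# rebuild_index REPO_DIR
# Regenerate Packages.gz with dpkg-scanpackages (package dpkg-dev), as in
# step 1/. The index is written to a temporary file first so a failed scan
# does not leave clients with an empty index.
rebuild_index() {
    ( cd "$1" &&
      dpkg-scanpackages . /dev/null > Packages.tmp &&
      gzip -9c Packages.tmp > Packages.gz.tmp &&
      mv Packages.gz.tmp Packages.gz &&
      rm -f Packages.tmp )
}

# Typical daily cron job (paths are placeholders):
#   publish_approved /srv/incoming /srv/approved.sha256 /srv/repo &&
#       rebuild_index /srv/repo
```

An unsigned flat repo makes apt treat its packages as unauthenticated, so sign the repo's Release file (or accept the trade-off of marking the source trusted on the clients) before pointing machines at it.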
eanfrid

Re: Unattended apt-get dist-upgrade

Post by eanfrid »

On an unmanaged machine, the safest alternate way to update/upgrade whether you use MintUpdate or not is:

1/ "unattended-upgrades" configured for security updates only
2/ "apt-get upgrade" (or "aptitude upgrade") if you prefer to perform manual updates for mundane software instead of using MintUpdate
Jaman42

Re: Unattended apt-get dist-upgrade

Post by Jaman42 »

Thanks for all the info guys, really appreciated!

So if I set up a local repo and configure unattended-upgrades to install everything, removing the online sources and using only the local repo. Would all the updates be truly unattended without any user interaction? Would the updated packages replace any configs automatically or would they end up somewhere else and have to be moved manually?
eanfrid

Re: Unattended apt-get dist-upgrade

Post by eanfrid »

The default Debian behaviour is to not overwrite existing config files (thus avoiding thwarting some configs that may have taken much time to set). The new config files will have a ".dpkg-new" suffix, giving you chances to compare the differences in default settings brought with the update/upgrade of the package.

However an automated and scheduled "unattended-upgrade" will not be able to do more than what a manual "apt-get upgrade" would do: it won't install new packages or do nothing if package conflicts arise. In the context of a local repo for approved updates, overall risks of regressions with other packages than those updated for security fixes should be minimized.

Also, the test machine used for package approval should have the package apt-listchanges installed. This will automatically fetch the changelog information provided by the devs and the packagers about the major changes that may have been made with a new version of an updated package (aside from which bugs have been fixed).
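
The configuration-file prompt from the opening question and the keep-existing-config behaviour described above, as an added example that is not part of any post in this thread: the upgrade runs with no prompts and keeps locally modified files, and the variants dpkg leaves behind are then listed and diffed for review. The function names are hypothetical, and the search also covers the ".dpkg-dist" and ".dpkg-old" suffixes that dpkg uses.

```shell
#!/bin/sh
# Added example: prompt-free upgrade plus review of leftover conffile variants.
# Function names are hypothetical.

# noninteractive_upgrade [upgrade|dist-upgrade]
# --force-confdef takes the package's default action when there is one;
# --force-confold keeps the installed config file in every other case.
noninteractive_upgrade() {
    DEBIAN_FRONTEND=noninteractive apt-get -y \
        -o Dpkg::Options::=--force-confdef \
        -o Dpkg::Options::=--force-confold \
        "${1:-upgrade}"
}

# conffile_leftovers [DIR]
# List config file variants under DIR (default /etc):
#   *.dpkg-dist, *.dpkg-new : version shipped by the package, not installed
#   *.dpkg-old              : local version that was replaced
conffile_leftovers() {
    find "${1:-/etc}" -type f \
        \( -name '*.dpkg-dist' -o -name '*.dpkg-new' -o -name '*.dpkg-old' \) \
        2>/dev/null | sort
}

# review_leftovers [DIR]
# Print a unified diff between each active config file and its variant.
review_leftovers() {
    conffile_leftovers "${1:-/etc}" | while IFS= read -r variant; do
        current=${variant%.dpkg-*}
        if [ -f "$current" ]; then
            # diff exits 1 when files differ; that is the expected case here.
            diff -u "$current" "$variant" || true
        fi
    done
}
```

Running `review_leftovers` on the test unit after each upgrade shows which new defaults were not applied before the same packages go out to the other machines.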
Jaman42

Re: Unattended apt-get dist-upgrade

Post by Jaman42 »

I see, thanks again for that info.

I think I am gonna set up a local repo, but meanwhile I was planning to configure unattended-upgrades to install security updates.

In 50unattended-upgrades file is "${distro_id} ${distro_codename}-security"; enough or should I add for example "Ubuntu:trusty-security", is this how you would normally do it? Is it somewhat safe to install those security updates or should I fetch some other packages?

I guessed that since "${distro_id} ${distro_codename}-security" didn't return anything on a fresh install there are none released and I should use Ubuntu trusty for security updates?
eanfrid

Re: Unattended apt-get dist-upgrade

Post by eanfrid »

Since there is no "Linuxmint: qiana-security" you must indeed use "Ubuntu: trusty-security" as you already guessed.

> Is it somewhat safe to install those security updates?

It is.
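
The origin question settled above, as an added example that is not part of the original posts: it checks whether an Allowed-Origins entry matches an origin/archive pair that apt actually knows, which shows why the stock variable entry matched nothing on Mint. The function names are hypothetical, SAMPLE_POLICY is constructed text in the style of `apt-cache policy` output (not a real capture), and accepting both the space and the colon separator is an assumption based on the two forms quoted in this thread.

```shell
#!/bin/sh
# Added example: validate Allowed-Origins entries against apt's known origins.
# SAMPLE_POLICY is constructed, with placeholder mirror host names.
SAMPLE_POLICY='
 500 http://mirror.example/ubuntu/ trusty-security/main amd64 Packages
     release v=14.04,o=Ubuntu,a=trusty-security,n=trusty,l=Ubuntu,c=main
 500 http://mirror.example/ubuntu/ trusty/main amd64 Packages
     release v=14.04,o=Ubuntu,a=trusty,n=trusty,l=Ubuntu,c=main
 700 http://mirror.example/mint/ qiana/main amd64 Packages
     release v=17,o=linuxmint,a=qiana,n=qiana,l=linuxmint,c=main
'

# known_origins: read `apt-cache policy` text on stdin and print one
# "origin:archive" pair per release line.
known_origins() {
    sed -n 's/^ *release .*o=\([^,]*\),a=\([^,]*\).*/\1:\2/p' | sort -u
}

# expand_entry ENTRY DISTRO_ID CODENAME
# Fill in the ${distro_id} and ${distro_codename} placeholders; the last two
# arguments stand for the output of `lsb_release -is` and `lsb_release -cs`.
expand_entry() {
    printf '%s\n' "$1" |
        sed 's/[$]{distro_id}/'"$2"'/; s/[$]{distro_codename}/'"$3"'/'
}

# origin_is_known ENTRY   (policy text on stdin)
# ENTRY may be written "Origin:archive", "Origin: archive" or "Origin archive".
origin_is_known() {
    wanted=$(printf '%s' "$1" | sed 's/: */:/; s/ /:/')
    known_origins | grep -qxF "$wanted"
}

# On a real machine:
#   apt-cache policy | origin_is_known "Ubuntu:trusty-security" && echo ok
```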