Is "unattended-upgrade" package safe to use?

jsterr

Well-Known Member
Jul 24, 2020
Hello,

is the package unattended-upgrade safe to use? Are there any conflicts with the pve-repositories or special configuration in /etc/apt/apt.conf.d/50unattended-upgrades that needs to be done? Does someone know if unattended-upgrade does an apt upgrade or an apt dist-upgrade in its default setting?

Thanks Jonas
 
by default, unattended upgrades would only pull updates from the Debian repositories, which might cause problems. I am not sure whether it uses "upgrade" or "full-upgrade" semantics or whether that is configurable.
 
I have been looking to an answer to this question, or the more general question "how to keep my Proxmox server secure and up-to-date automatically", but have not found a clear answer. Wondering what the best practice is when using Proxmox? Or is there perhaps some documentation that I missed? I would prefer to have automatic security updates even if there is a small risk of breaking my system.
 
I'm mainly looking for an automated way to keep my system secure. This looks more like a manual process to do a dist-upgrade? Can you elaborate on how the dist-update commands help me achieve my goals? I have the feeling that I'm still missing various pieces of the puzzle.
 
I'm mainly looking for an automated way to keep my system secure. This looks more like a manual process to do a dist-upgrade? Can you elaborate on how the dist-update commands help me achieve my goals? I have the feeling that I'm still missing various pieces of the puzzle.
You can use cron to run those commands every day. It just depends on your preferred way to automate command-line programs with standard Linux utilities. Rebooting only when there are actual updates is a bit more involved, but not new or specific to Proxmox. Since every GNU/Linux administrator wants to do this differently and on different schedules, it's not built into Proxmox (or its web GUI).
 
I'm mainly looking for an automated way to keep my system secure. This looks more like a manual process to do a dist-upgrade? Can you elaborate on how the dist-update commands help me achieve my goals? I have the feeling that I'm still missing various pieces of the puzzle.
If you really want automatic upgrades, please see here. In a production PVE cluster, I would not suggest running this, at least not without a lot of testing and different times to run the actual necessary update with service restart or the reboot.
 
by default, unattended upgrades would only pull updates from the Debian repositories, which might cause problems.
You need to allow the PVE origin:

Code:
Unattended-Upgrade::Origins-Pattern {
    "origin=Proxmox,label=Proxmox Debian Repository";
};

If there are proposed upgrades in your sources.list, you also need to explicitly enable them.

I am not sure whether it uses "upgrade" or "full-upgrade" semantics or whether that is configurable.
Unfortunately, I was neither able to find out from the manpage which mode it uses, nor to configure it specifically. There are contradictory reports on SO and other sites, so I just tried it: unattended-upgrade installs all available updates, and afterwards an apt dist-upgrade has nothing left to update, so I assume this is equivalent, yet I'm not 100% sure.

In the end, I had a total package upgrade with this configuration file:

Code:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,label=Debian";
    "origin=Proxmox,label=Proxmox Debian Repository";
};

Unattended-Upgrade::MinimalSteps "false";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "07:00";

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Keep in mind that unattended-upgrade will run daily, so your daily cron entry in /etc/crontab will apply, which by default is a random minute in the 7th hour, i.e. 06:xx. If you schedule your automatic reboot time before that, you'll have to wait a whole day for the reboot. You may need to alter the daily cron job in.
 
Indeed, and you can find the origins with (for my home lab):

Code:
apt-cache policy | grep 'o=[^,]*.a=[^,]*'

release o=Proxmox,a=stable,n=bookworm,l=Proxmox Ceph Debian Repository,c=no-subscription,b=amd64
release o=Proxmox,a=stable,n=bookworm,l=Proxmox Debian Repository,c=pve-no-subscription,b=amd64
release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=contrib,b=amd64
release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64
release v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=contrib,b=amd64
release v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64
release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=contrib,b=amd64
release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=amd64
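The two answers above fit together: the `apt-cache policy` release lines carry the `o=` (origin) and `l=` (label) fields that the `Unattended-Upgrade::Origins-Pattern` entries need. The script below is an added example written for this thread, not code from Proxmox or from any of the posters. It turns policy output into ready-to-paste `origin=...,label=...` entries and checks whether an existing `50unattended-upgrades` file already allows a given origin, so you can confirm the Proxmox repository is covered before trusting the daily run. The sample policy output is constructed from the lines posted above; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread: derive Unattended-Upgrade::Origins-Pattern
# entries from `apt-cache policy` release lines, and check whether an existing
# /etc/apt/apt.conf.d/50unattended-upgrades allows a given origin/label.
# SAMPLE_POLICY is constructed from the release lines posted in the thread.

SAMPLE_POLICY='     release o=Proxmox,a=stable,n=bookworm,l=Proxmox Ceph Debian Repository,c=no-subscription,b=amd64
     release o=Proxmox,a=stable,n=bookworm,l=Proxmox Debian Repository,c=pve-no-subscription,b=amd64
     release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=contrib,b=amd64
     release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64
     release v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=contrib,b=amd64
     release v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64
     release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=contrib,b=amd64
     release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=amd64'

# Read "release ..." lines on stdin; print one Origins-Pattern entry per distinct
# origin/label pair, in first-seen order. Labels may contain spaces, so the
# key=value list is split on commas rather than on whitespace.
origins_from_policy() {
    awk '
    /^[ \t]*release / {
        sub(/^[ \t]*release /, "")
        o = ""; l = ""
        n = split($0, kv, ",")
        for (i = 1; i <= n; i++) {
            if (kv[i] ~ /^o=/) o = substr(kv[i], 3)
            else if (kv[i] ~ /^l=/) l = substr(kv[i], 3)
        }
        if (o != "" && l != "") {
            key = "origin=" o ",label=" l
            if (!(key in seen)) { seen[key] = 1; print "    \"" key "\";" }
        }
    }'
}

# origin_allowed CONFIG ORIGIN LABEL: succeed if CONFIG contains an uncommented
# "origin=ORIGIN,label=LABEL" pattern (the exact form used in the thread's config).
origin_allowed() {
    grep -v '^[[:space:]]*//' "$1" | grep -Fq "\"origin=$2,label=$3\""
}

# Print the complete Origins-Pattern block for the sample policy.
# On a live host, replace the printf with: apt-cache policy | origins_from_policy
print_origins_block() {
    echo 'Unattended-Upgrade::Origins-Pattern {'
    printf '%s\n' "$SAMPLE_POLICY" | origins_from_policy
    echo '};'
}

print_origins_block
```

On a real node, pipe `apt-cache policy` into `origins_from_policy` and compare the result with the `Origins-Pattern` block in `/etc/apt/apt.conf.d/50unattended-upgrades`; `origin_allowed /etc/apt/apt.conf.d/50unattended-upgrades Proxmox "Proxmox Debian Repository"` returning success is the check that the PVE origin is actually enabled rather than only the Debian ones.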
 