Logging into machines and installing security updates periodically isn’t fun, but for internet-exposed devices it’s important. Any device on your home network can become a stepping stone for attackers if it can be easily breached.
The first thing to do before setting up automatic updates is to ensure your Raspberry Pi can send email. You’ll want to know when updates are being installed (or if they fail). My previous blog post covers how to do this with Postfix.
As always, start off by making sure your apt list and existing packages are up-to-date:
Next we need to install the unattended-upgrades package and, to ensure it sends emails, the apt-listchanges package. apt-listchanges also requires a mailx program, so if you don’t already have one you can grab bsd-mailx:
Next we should configure where the updates are allowed to come from. If you choose to stick with Stable then when the next version of Raspbian goes stable (Stretch) it’ll automatically update. I’ve decided to stick with Jessie for now. This config lives in /etc/apt/apt.conf.d/50unattended-upgrades and you can use this script to uncomment the line for Jessie.
Next we want to instruct the updater to send emails. Again, this is already in the config file so it’s just a case of uncommenting it (you may wish to tweak the user, but I’ve already set root mail to be forwarded on to my user).
By default your Pi won’t be rebooted if required, so if you want it to (and want to set the time) you can do that like this:
And if you want unused packages to be removed (like when you run apt-get autoremove):
Next we must create the /etc/apt/apt.conf.d/20auto-upgrades file to instruct the updater what to do:
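The configuration steps above, gathered into one script as an added example (not the original post's commands): it edits a constructed sample of 50unattended-upgrades in a temporary directory and fails if an expected line is missing. The sample file contents, the o=Raspbian,n=jessie origin string, the 02:00 reboot time and the helper function names are assumptions; compare them with your own file before copying anything into /etc/apt/apt.conf.d/.

```shell
#!/bin/sh
# Added example: works on a constructed sample in a temp directory, never on /etc.

# set_option FILE KEY VALUE: uncomment `//KEY "old";` and set it to VALUE.
# Fails loudly if KEY is absent, so a renamed option is not silently skipped.
set_option() {
    grep -q "^[[:space:]/]*$2 \"" "$1" || { echo "missing option: $2" >&2; return 1; }
    sed "s|^[[:space:]/]*$2 \".*\";|$2 \"$3\";|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# enable_origin FILE PATTERN: uncomment the `//  "PATTERN";` line (idempotent).
enable_origin() {
    grep -q "^[[:space:]/]*\"$2\";" "$1" || { echo "missing origin: $2" >&2; return 1; }
    sed "s|^[[:space:]]*//[[:space:]]*\"$2\";|        \"$2\";|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# write_periodic FILE: daily package-list refresh plus daily unattended-upgrade run.
write_periodic() {
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$1"
}

# Assumptions: the origin string and the 02:00 reboot time; adjust to your system.
apply_settings() {
    enable_origin "$1" "o=Raspbian,n=jessie" &&
    set_option "$1" "Unattended-Upgrade::Mail" "root" &&
    set_option "$1" "Unattended-Upgrade::Automatic-Reboot" "true" &&
    set_option "$1" "Unattended-Upgrade::Automatic-Reboot-Time" "02:00" &&
    set_option "$1" "Unattended-Upgrade::Remove-Unused-Dependencies" "true"
}

# Constructed sample standing in for /etc/apt/apt.conf.d/50unattended-upgrades.
work=$(mktemp -d)
cat > "$work/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
//      "o=Raspbian,n=jessie";
//      "o=Raspbian,a=stable";
};
//Unattended-Upgrade::Mail "root";
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
EOF

apply_settings "$work/50unattended-upgrades" && write_periodic "$work/20auto-upgrades"
cat "$work/50unattended-upgrades" "$work/20auto-upgrades"
# After reviewing the output, a dry run on the Pi shows what would be installed:
#   sudo unattended-upgrade --dry-run --debug
```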
And that’s all there is to it! Every day your Pi will now check for updates and you’ll receive an email like this if there were any:
If you want to check it’s working, you can check the log file tomorrow:
Hope this is helpful. If you have any problems, leave a comment. Bear in mind I’m a Linux noob and what’s written above might not be the best way to achieve this and I take no responsibility if anything breaks :)