Using Sury packages on Ubuntu 22. Out of the box, they will be ignored by unattended-upgrades. Automating things is good, and breaking websites is bad. As the frequency of updates from Sury is pretty intense, automatically installing them would reduce the manual workload. Can anybody offer any experience on how well unattended-upgrades behaves with the various sury packages?
Using sury myself at some places, but no unattended-upgrade package from the distro, as it's another thing leaving my control over when, how and where I want updates to be installed, so I can't really help you on that. All I know is it caused pain for some people I know. That was because of different packages/reasons though, and very specific setups. What I can do is provide you some input, though. Meet Ansible: https://www.cyberciti.biz/faq/ansible-apt-update-all-packages-on-ubuntu-debian-linux/ And keep a backup of your /etc!
The ISPConfig autoinstaller enables this for the sury repo with config in /etc/apt/apt.conf.d/51unattended-upgrades:
Code:
Unattended-Upgrade::Origins-Pattern {
        "origin=deb.sury.org";
        "origin=Debian,codename=${distro_codename}-updates";
}
Unattended-Upgrade::Mail "root";
I had some bad experiences with it before, so I don't use unattended upgrade anymore but use my own update script with cron instead. I guess it may be better now, but I simply haven't looked back to using it.
Yep, there are some packages misbehaving and overwriting a config or introducing vendor changes you would miss otherwise. Usually, have an identical setup of your machines (cold storage VM), test the update and, in the case of Debian-based systems, read/check the debconf-get-selections.
I think that's pretty much a confirmation that this is an OK thing to do. I have recently built a couple of ISPConfig servers, and recently learned about needing to add third-party repos to 50-unattended-upgrades for it to actually be actioned [although using a separate file for custom modifications makes more sense]. The reason I started this thread was that I manually installed a bunch of Sury updates today and was thinking about automating it. So even though it appears to be configured, it didn't want to install any this morning:
Code:
# grep "that will be upgraded" /var/log/unattended-upgrades/unattended-upgrades.log
2024-03-27 06:59:23,767 INFO Packages that will be upgraded: bash libexpat1 linux-cloud-tools-common linux-tools-common xxd
2024-03-29 06:21:25,898 INFO Packages that will be upgraded: bsdutils curl fdisk libblkid1 libcurl4 libfdisk1 libmount1 libsmartcols1 libuuid1 mount util-linux uuid-runtime
2024-03-30 06:27:24,021 INFO Packages that will be upgraded: linux-azure linux-cloud-tools-azure linux-headers-azure linux-image-azure linux-tools-azure
2024-04-10 06:54:34,298 INFO Packages that will be upgraded: linux-azure linux-cloud-tools-azure linux-cloud-tools-common linux-headers-azure linux-image-azure linux-tools-azure linux-tools-common
2024-04-11 06:05:24,287 INFO Packages that will be upgraded: bsdutils fdisk libblkid1 libfdisk1 libmount1 libsmartcols1 libuuid1 mount util-linux uuid-runtime
2024-04-16 06:23:22,579 INFO Packages that will be upgraded: libgnutls30 python3-update-manager ubuntu-advantage-tools ubuntu-pro-client ubuntu-pro-client-l10n update-manager-core
2024-04-17 06:53:46,160 INFO Packages that will be upgraded: klibc-utils libklibc
2024-04-18 06:32:36,883 INFO Packages that will be upgraded: openssh-client openssh-server openssh-sftp-server ssh
2024-04-19 06:47:37,641 INFO Packages that will be upgraded: libc-bin libc-dev-bin libc-devtools libc6 libc6-dev linux-cloud-tools-common linux-libc-dev linux-tools-common
2024-04-24 06:16:08,365 INFO Packages that will be upgraded: linux-azure linux-cloud-tools-azure linux-headers-azure linux-image-azure linux-tools-azure

Yet when I ran apt upgrade manually, it installed them:
Code:
2024-04-24 11:36:28 status triggers-pending php8.1-fpm:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 trigproc php8.1-cli:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1 <none>
2024-04-24 11:36:28 status half-configured php8.1-cli:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 status installed php8.1-cli:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 trigproc php8.1-cgi:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1 <none>
2024-04-24 11:36:28 status half-configured php8.1-cgi:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 status installed php8.1-cgi:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 trigproc php8.1-fpm:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1 <none>
2024-04-24 11:36:28 status half-configured php8.1-fpm:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1
2024-04-24 11:36:28 status installed php8.1-fpm:amd64 8.1.28-1+ubuntu22.04.1+deb.sury.org+1

This suggests it doesn't work, but could it be a timing issue? I.e. the updates only became available after 0600-ish and before 1136?
You'll notice when it is not an OK thing to do anymore =) When you run manually, do you see anything unusual? A notice? Kept-back stuff (not that this should matter)? But uhm, anything? Also, could you please show us what you put in /etc/apt/apt.conf.d/51unattended-upgrades? Anything in the mail for root?
It's the one created by ISPConfig installer, very similar to what Th0m indicated:
Code:
# cat /etc/apt/apt.conf.d/51unattended-upgrades
Unattended-Upgrade::Origins-Pattern {
        "origin=Rspamd";
        "origin=deb.sury.org";
        "origin=GoAccess Repository";
        "origin=Debian,codename=${distro_codename}-updates";
}

The install was very boring, just applied them immediately without wanting to remove anything else:
Code:
# apt upgrade
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Calculating upgrade... Done
Get more security updates through Ubuntu Pro with 'esm-apps' enabled:
  redis-server imagemagick libjs-jquery-ui libopenexr25 libmagickcore-6.q16-6-extra roundcube-plugins libmagickwand-6.q16-6 roundcube-core imagemagick-6.q16 redis-tools libmagickcore-6.q16-6 imagemagick-6-common roundcube ruby-rack roundcube-mysql
Learn more about Ubuntu Pro on Azure at https://ubuntu.com/azure/pro
The following packages will be upgraded:
  php8.1 php8.1-cgi php8.1-cli php8.1-common php8.1-curl php8.1-fpm php8.1-gd php8.1-imap php8.1-intl php8.1-mbstring php8.1-mysql php8.1-opcache php8.1-pspell php8.1-readline php8.1-soap php8.1-sqlite3 php8.1-tidy php8.1-xml php8.1-xsl php8.1-zip
20 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 7905 kB of archives.
After this operation, 3072 B of additional disk space will be used.
Do you want to continue? [Y/n]
So the reason could be two things I could think of right now. Either the default Priority is not triggering the Priority of said updates, or it needs more details, like the last line. For example, to only automatically install important updates:
Code:
"origin=deb.sury.org,archive=${distro_codename},codename=${distro_codename},Priority=important";

Test using unattended-upgrade --dry-run
OK...will have to wait until there are some more updates available to test this. As I said, Sury updates come thick and fast, so shouldn't be long.
Maybe you'd need to use "origin=LP-PPA-ondrej-php,archive=${distro_codename}"; https://github.com/oerdnj/deb.sury.org/issues/1774
I can rule this out. The same packages on a different server were installed [manually, by me] yesterday. So they were available when u-u ran this morning.
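Added example, not code from any poster or from the unattended-upgrades project: a small checker for the Origins-Pattern question raised above, which compares the `release` lines printed by `apt-cache policy` against a list of patterns and reports repositories that no pattern allows. It assumes patterns are comma-separated key=value terms matched with shell-style wildcards and that the PPA advertises `o=LP-PPA-ondrej-php` as suggested in the thread; the sample release lines and all function names are constructed for illustration.

```python
import fnmatch

# Origins-Pattern keys modelled here, mapped to the one-letter fields of the
# "release" lines printed by `apt-cache policy` (the "site" key is not modelled).
KEYS = {"o": "o", "origin": "o", "a": "a", "archive": "a", "suite": "a",
        "n": "n", "codename": "n", "l": "l", "label": "l",
        "c": "c", "component": "c"}

# Constructed sample: two release lines in `apt-cache policy` format.
SAMPLE_POLICY = """\
     release o=deb.sury.org,a=bookworm,n=bookworm,l=deb.sury.org,c=main,b=amd64
     release v=22.04,o=LP-PPA-ondrej-php,a=jammy,n=jammy,c=main,b=amd64
"""

def parse_releases(policy_text):
    """Return one {field: value} dict per release line (labels containing
    commas are not handled by this simple split)."""
    releases = []
    for line in policy_text.splitlines():
        line = line.strip()
        if line.startswith("release "):
            fields = line[len("release "):].split(",")
            releases.append(dict(f.split("=", 1) for f in fields if "=" in f))
    return releases

def pattern_matches(pattern, release, codename, distro_id="Ubuntu"):
    """True when every key=value term of one Origins-Pattern entry matches."""
    pattern = (pattern.replace("${distro_codename}", codename)
                      .replace("${distro_id}", distro_id))
    for term in pattern.split(","):
        key, _, value = term.partition("=")
        if key.strip() not in KEYS:
            raise ValueError("key not modelled in this sketch: " + key.strip())
        if not fnmatch.fnmatch(release.get(KEYS[key.strip()], ""), value.strip()):
            return False
    return True

def uncovered_origins(policy_text, patterns, codename):
    """Origins of repositories that no pattern allows."""
    return [r.get("o", "") for r in parse_releases(policy_text)
            if not any(pattern_matches(p, r, codename) for p in patterns)]

# Patterns from the 51unattended-upgrades file quoted in the thread.
THREAD_PATTERNS = ["origin=Rspamd", "origin=deb.sury.org",
                   "origin=GoAccess Repository",
                   "origin=Debian,codename=${distro_codename}-updates"]

if __name__ == "__main__":
    print(uncovered_origins(SAMPLE_POLICY, THREAD_PATTERNS, "jammy"))
```

On a real host, feed the function the output of `apt-cache policy` and the patterns from every file under /etc/apt/apt.conf.d/, then confirm the result with `unattended-upgrade --dry-run`.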