On my spare time, I manage a handful of servers. And even if it’s not really my job, I try to do it well
and efficiently. All of them work on Debian because it’s simple to manage. I started using cron-apt a
few years ago. I started by upgrading everything automatically, this was a big mistake. I switched to
only sending mails on available upgrades and doing the upgrade manually. But this is also quite painful
because 95% of the time, it consists in typing “apt-get dist-upgrade -y” and waiting and I have lots
more interestings things to do.
So here is my cron-apt configuration, I like it a lot:
In /etc/apt:
-
I removed the
sources.listfile -
I put the content of my
sources.listintosources.list.d/main.list, it should look something like that:
deb http://http.us.debian.org/debian stable main contrib non-free
deb-src http://http.us.debian.org/debian stable main contrib non-free
-
I created a directory
sources.security.list.d -
I put the following content:
deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free
Then I added the repositories with packages I want to manually upgrade to /etc/apt/sources.list.d/ and the ones that I want to automatically upgrade (which means that they can’t require any user interaction) to /etc/apt/sources.security.list.d/.
The interesting part is here, in /etc/cron-apt/action.d, this what I have:
0-updatefile:
update -o quiet=2
update -o quiet=2 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists"
We launch an update of the two kinds of repositories. For the sources.security.list.d one, we use also a different Dir::State::lists parameter (which is the directory the cache file) so that we don’t to re-download the content of the index files every time.
2-install-securityfile:
dist-upgrade -y -o quiet=1 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"
For the force-conf options, I found the solution on Raphaël Hertzog’s blog.
We launch the upgrade (dist-upgrade actually) only on the repositories defined in /etc/apt/sources.security.list.d.
3-downloadfile:
dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
Then we only download files for the upgrade of the non-security packets.
6-cleanfile:
autoclean -y
And we finally delete all the old packets (the ones that will never be used).
If you want to play with the apt settings yourself, you should use apt-config to see what can change to fit your needs.
This made me save a lot of time. Because Debian produces quite a lot of security updates. Here is the frequency of the updates for one of my servers:
