Tag Archives: apt-get

cron-apt and the perfect update system

On my spare time, I manage a handful of servers. And even if it’s not really my job, I try to do it well and efficiently. All of them work on Debian because it’s simple to manage. I started using cron-apt a few years ago. I started by upgrading everything automatically, this was a big mistake. I switched to only sending mails on available upgrades and doing the upgrade manually. But this is also quite painful because 95% of the time, it consists in typing “apt-get dist-upgrade -y” and waiting and I have lots more interestings things to do.

So here is my cron-apt configuration, I like it a lot:

In /etc/apt:
– I removed the sources.list file
– I put the content of my sources.list into sources.list.d/main.list, it should look something like that:

deb http://http.us.debian.org/debian stable main contrib non-free
deb-src http://http.us.debian.org/debian stable main contrib non-free

– I created a directory sources.security.list.d
– I put the following content:

deb http://security.debian.org/ stable/updates main contrib non-free
deb-src http://security.debian.org/ stable/updates main contrib non-free

Then I added the repositories with packages I want to manually upgrade to /etc/apt/sources.list.d/ and the ones that I want to automatically upgrade (which means that they can’t require any user interaction) to /etc/apt/sources.security.list.d/.

The interesting part is here, in /etc/cron-apt/action.d, this what I have:


update -o quiet=2
update -o quiet=2 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists"

We launch an update of the two kinds of repositories. For the sources.security.list.d one, we use also a different Dir::State::lists parameter (which is the directory the cache file) so that we don’t to re-download the content of the index files every time.


dist-upgrade -y -o quiet=1 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"

For the –force-conf* options, I found the solution on RaphaĆ«l Hertzog’s blog.

We launch the upgrade (dist-upgrade actually) only on the repositories defined in /etc/apt/sources.security.list.d.


dist-upgrade -d -y -o APT::Get::Show-Upgraded=true

Then we only download files for the upgrade of the non-security packets.


autoclean -y

And we finally delete all the old packets (the ones that will never be used).

If you want to play with the apt settings yourself, you should use apt-config to see what can change to fit your needs.

This made me save a lot of time. Because Debian produces quite a lot of security updates. Here is the frequency of the updates for one of my servers:

Server moved

I’ve switched from my two three years old dedicated servers to one brand new virtual server. Reasons are : These servers costed me too much and they were becoming old (risk of failure increases). It wasn’t worth it.

I spent last night doing that because I didn’t want to interrupt anybody using these servers.

My two servers were running some Debian and I’m now switching to a CentOS virtual server. I was a little bit worried at first that CentOS would have a crappy package management system, but its yum is in fact working the same way as Debian’s apt-get and OpenSuse’s zypper. The oool thing is that these three package management systems roughly work the same way : install , you don’t have to learn a new “ultimate” way to upgrade your software (like on FreeBSD). By the way, the faster package management system is yum, and the slowest one is zypper.

The biggest problem I had so far was to move all the databases. Previously, I was always using some Debian hosts, I was using exactly the same version of MySQL, so I just had to copy the MySQL datadir and logs files. Here, I had to export/import everything.

CentOS has an antique 1.2.4 version of Mono (when the current version is 2.4). I couldn’t manage to compile from the tarball but compiling from the SVN worked fine.

]# /usr/local/bin/mono --version
Mono JIT compiler version 2.5 (/trunk/mono r140917 Sat Aug 29 05:29:19 CEST 2009)
Copyright (C) 2002-2008 Novell, Inc and Contributors. www.mono-project.com
        TLS:           __thread
        GC:            Included Boehm (with typed GC and Parallel Mark)
        SIGSEGV:       altstack
        Notifications: epoll
        Architecture:  amd64
        Disabled:      none