On my spare time, I manage a handful of servers. And even if it’s not really my job, I try to do it well and efficiently. All of them work on Debian because it’s simple to manage. I started using cron-apt a few years ago. I started by upgrading everything automatically, this was a big mistake. I switched to only sending mails on available upgrades and doing the upgrade manually. But this is also quite painful because 95% of the time, it consists in typing “
apt-get dist-upgrade -y” and waiting and I have lots more interestings things to do.
So here is my cron-apt configuration, I like it a lot:
- I removed the
- I put the content of my
sources.list into sources.list.d/main.list, it should look something like that:
deb http://http.us.debian.org/debian stable main contrib non-free deb-src http://http.us.debian.org/debian stable main contrib non-free
- I created a directory sources.security.list.d
- I put the following content:
deb http://security.debian.org/ stable/updates main contrib non-free deb-src http://security.debian.org/ stable/updates main contrib non-free
Then I added the repositories with packages I want to manually upgrade to
/etc/apt/sources.list.d/ and the ones that I want to automatically upgrade (which means that they can’t require any user interaction) to
The interesting part is here, in
/etc/cron-apt/action.d, this what I have:
update -o quiet=2 update -o quiet=2 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists"
We launch an update of the two kinds of repositories. For the
sources.security.list.d one, we use also a different
Dir::State::lists parameter (which is the directory the cache file) so that we don’t to re-download the content of the index files every time.
dist-upgrade -y -o quiet=1 -o Dir::Etc::sourceparts=/etc/apt/sources.security.list.d -o Dir::State::lists="security-lists" -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold"
For the –force-conf* options, I found the solution on Raphaël Hertzog’s blog.
We launch the upgrade (dist-upgrade actually) only on the repositories defined in
dist-upgrade -d -y -o APT::Get::Show-Upgraded=true
Then we only download files for the upgrade of the non-security packets.
And we finally delete all the old packets (the ones that will never be used).
If you want to play with the
apt settings yourself, you should use
apt-config to see what can change to fit your needs.
This made me save a lot of time. Because Debian produces quite a lot of security updates. Here is the frequency of the updates for one of my servers: