
I have a web server running Ubuntu Server 8.04 and I would like to know the proper commands to keep it updated.

I’ve been using apt-get update and apt-get upgrade, but occasionally it tells me that there are packages held back. I’ve been using apt-get dist-upgrade to get the rest of those held back packages. Is that the best way to handle it? I don’t want to upgrade to 8.10 or anything later until 10.04 LTS comes out.

Corey

5 Answers

Update: per sparks' comment, I should note that 'aptitude' can be used in place of 'apt-get' in my answer below, with one exception: 'apt-get upgrade' would be replaced by 'aptitude safe-upgrade'. The aptitude front-end to APT has some nice features compared to apt-get, as outlined in this blog post. However, if you've already got a system that you've been managing with apt-get, you can certainly continue using apt-get, and probably should. We don't do a lot of software installation / uninstallation on a server, so I don't find the use of aptitude to be of critical importance, but if I were to fire up a brand new server today I would probably use it.

The latest Ubuntu Server documentation still details using apt-get, and only discusses aptitude as a graphical front end to APT. While this is certainly an oversight, it certainly does imply that there's nothing wrong with using apt-get.


I use Ubuntu's unattended-upgrades package to automatically apply security updates. Here are my notes on setting it up (on an Ubuntu 8.04 LTS server):

    $ apt-get install unattended-upgrades update-notifier-common
    Edit /etc/apt/apt.conf.d/50unattended-upgrades. Select only security upgrades, and set the mail address:
        Unattended-Upgrade::Allowed-Origins {
                "Ubuntu hardy-security";
        //      "Ubuntu hardy-updates";
        };
        Unattended-Upgrade::Mail "youremail@yourdomain.com";
    Install mailx (required for unattended-upgrades mail to work):
        $ apt-get install mailx
    Edit /etc/apt/apt.conf.d/10periodic:
        APT::Periodic::Update-Package-Lists "1";
        APT::Periodic::Download-Upgradeable-Packages "1";
        APT::Periodic::AutocleanInterval "1";
        APT::Periodic::Unattended-Upgrade "1";

Using this configuration, security updates will be automatically applied, and the list of updates will be emailed to you. While it may be considered dangerous to automatically apply any update, I believe that keeping up with security updates is a task worthy of the risk... and frankly, "keeping up" requires automation.

As far as keeping packages up to date, I asked a question to clarify the meaning of dist-upgrade that you might find applicable. Basically, when you do an apt-get upgrade, installed packages will be upgraded only if the upgrade doesn't require new packages or the removal of a package (e.g. the dependencies don't change). If an upgraded package has new dependencies, then you need to use apt-get dist-upgrade instead. Since apt-get dist-upgrade also does everything that apt-get upgrade does, I typically use it by default. It's important to keep an eye on which packages are going to be modified and take any precautions you may find necessary.

In short:

apt-get update
apt-get dist-upgrade

If I'm nervous about what dist-upgrade wants to do, I'll do:

apt-get update
apt-get upgrade

This at least upgrades the packages that don't have new dependencies until I do a little research. There's always a chance that something will break no matter what you do, however, so you just gotta have some faith :)

As a final note, as long as you're applying security updates, and you trust that Canonical is doing a good job keeping things patched, you may find it's not terribly necessary to keep packages up to date. If the server is working without fault, well... it's working.

Boden
  • The Debian team now recommends using aptitude over apt-get when updating. "The recommended way to upgrade from previous Debian GNU/Linux releases is to use the package management tool aptitude. This program makes safer decisions about package installations than running apt-get directly." – sclarson Dec 04 '09 at 14:41
aptitude update

aptitude safe-upgrade

The Debian team recommends aptitude over apt-get these days. However, I've also seen a few places say if you've been using apt-get on a specific server you should continue to do so and just use aptitude on future boxen.

sclarson
  • I've been using the following line in root's crontab: 15 2 * * * aptitude update > /dev/null 2>&1; aptitude -y safe-upgrade > /dev/null 2>&1 – David Hicks Dec 02 '09 at 22:57
  • I'm not sure it's wise to do safe-upgrades without first looking them over. I'd suggest "aptitude update > /dev/null 2>&1; aptitude -y -d safe-upgrade > /dev/null 2>&1" - This way you only download them. Then you can do it attended with aptitude safe-upgrade. – artifex Dec 03 '09 at 12:03
  • Never said you shouldn't look at them. Those are just the commands I use when updating. – sclarson Dec 03 '09 at 16:41
  • It's in crontab and directs all output to /dev/null! – artifex Dec 04 '09 at 06:47
I usually use aptitude full-upgrade, but it's not contained in the manpage. Strange...

You can configure Ubuntu to limit the updates to LTS versions, so that you won't be offered an update to a newer version that isn't LTS. However, the day the next LTS is out, it will offer to update to that. You might or might not want that on the first day...

As I'm not on an LTS version currently I can't look for the setting as it's not offered. I'll have a look back in the office and edit this entry tomorrow unless somebody points to the relevant settings before I get to it.

Olaf

I take a hybrid approach. I want upgrades to be applied as soon as possible, but not in an "unattended" fashion, since I have had upgrades break things before.

I run a cron job every night with the following command:

/usr/bin/apt-get update -qq;/usr/bin/apt-get dist-upgrade -duyq

Then if there are any upgrades available, they are downloaded and sitting there waiting for me when I read my email in the morning. Then I simply run

apt-get dist-upgrade

manually and watch for issues. Often I will do a backup or snapshot of a server before performing the upgrade, if the packages appear critical to the functionality of that server.

This solves the problem for me by notifying me immediately (or whenever the cron job was run) of any available upgrades, but still allows me to be there when the actual upgrade takes place.

As for your second question, about held-back packages: I don't often see them (perhaps because I use "dist-upgrade" instead of "upgrade"). But when I do, I have found that the problems can usually be resolved by removing and re-installing the package in question.

Brent
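
A review helper added here as an example (it is not from any of the answers above): it parses the plan printed by "apt-get -s dist-upgrade" (the -s simulate option changes nothing on the system) and flags the removals and new installs that plain apt-get upgrade would refuse, which is what Boden's "keep an eye on which packages are going to be modified" and Brent's morning check both come down to. The simulator output embedded below is constructed, and the package names in it are placeholders.

```shell
#!/bin/sh
# Summarise the plan that "apt-get -s dist-upgrade" (simulate, changes nothing)
# prints, so the remove/new parts that plain "apt-get upgrade" refuses can be
# reviewed before running the real thing. summarize_upgrade reads that output
# on stdin and prints one "ACTION PACKAGE" line per package.
summarize_upgrade() {
    awk '
        /^The following packages will be upgraded/      { section = "upgrade";   next }
        /^The following NEW packages will be installed/ { section = "new";       next }
        /^The following packages will be REMOVED/       { section = "remove";    next }
        /^The following packages have been kept back/   { section = "kept-back"; next }
        /^[^ ]/ { section = "" }        # any non-indented line closes the package list
        section != "" { for (i = 1; i <= NF; i++) print section, $i }
    '
}

# count_action ACTION: how many packages get that action (upgrade, new, remove, kept-back).
count_action() {
    summarize_upgrade | awk -v a="$1" '$1 == a { n++ } END { print n + 0 }'
}

# needs_review: exit 0 when the plan removes or newly installs packages, the
# cases where dist-upgrade goes beyond what "apt-get upgrade" would do.
needs_review() {
    summarize_upgrade | awk '$1 == "remove" || $1 == "new" { hit = 1 } END { exit !hit }'
}

# Constructed sample of simulator output (not captured from a real box); the
# package names are placeholders, except linux-image-server, the usual
# kept-back candidate on 8.04.
SAMPLE='Reading package lists...
Building dependency tree...
The following packages will be REMOVED:
  libexample1
The following NEW packages will be installed:
  libexample2
The following packages have been kept back:
  linux-image-server
The following packages will be upgraded:
  example-daemon libssl0.9.8 openssl
3 upgraded, 1 newly installed, 1 to remove and 1 not upgraded.
Inst libexample2 (2.0-1 Ubuntu:8.04/hardy-security)'

# On a live server feed the real plan instead:  apt-get -s dist-upgrade | summarize_upgrade
printf '%s\n' "$SAMPLE" | summarize_upgrade
if printf '%s\n' "$SAMPLE" | needs_review; then
    echo "review first: dist-upgrade would remove or add packages"
fi
```

Putting the summary in the nightly cron mail (instead of sending everything to /dev/null) tells you in the morning whether the pending run is a plain upgrade or one that swaps packages out.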

If you're just concerned with keeping it secure, you can use cron-apt to set up automatic updating, and comment out everything except the security repositories in /etc/apt/sources.list.

nedm