sudo apt-get upgrade installs all updates, not just security updates. I know that I can use Update Manager to select only important security updates, but is there a way to do this from the command line?
10 Answers
The package unattended-upgrades provides functionality to install security updates automatically.
You could use this, but instead of configuring the automatic part you could call it manually:
sudo unattended-upgrade -d --dry-run
sudo unattended-upgrade -d # Idem --debug
If you want to run it quietly instead:
sudo unattended-upgrade
Note: When you call unattended-upgrade you leave the "s" off the end (on newer versions there is a symlink to avoid this).
This assumes that the package is installed by default, which it probably is. If not, just do:
sudo apt install unattended-upgrades
A Few Tips On How To Manage Updates
This applies both to Debian and Ubuntu, but more specific instructions for Ubuntu follow.
Show security updates only:
apt-get -s dist-upgrade | grep "^Inst" | grep -i securi
or
sudo unattended-upgrade --dry-run -d
or
/usr/lib/update-notifier/apt-check -p
Show all upgradeable packages:
apt-get -s dist-upgrade | grep "^Inst"
Install security updates only:
apt-get -s dist-upgrade | grep "^Inst" | grep -i securi | awk '{print $2}' | xargs apt-get install
Notes:
Sometimes Ubuntu shows security updates as if they're coming from the $release-updates repository. This is so, I'm told, because Ubuntu developers push security updates to the $release-updates repository as well to expedite their availability.
If that's the case, you can do the following to show security updates only:
sudo sh -c 'grep ^deb /etc/apt/sources.list | grep security > /etc/apt/sources.security.only.list'
and
apt-get -s dist-upgrade -o Dir::Etc::SourceList=/etc/apt/sources.security.only.list -o Dir::Etc::SourceParts=/dev/null | grep "^Inst" | awk '{print $2}'
Check what services need to be restarted after package upgrades. Figure out what packages you are going to upgrade beforehand and schedule your restarts/reboots. The problem here is that unless you restart a service it may still be using an older version of a library (the most common reason) that was loaded into memory before you installed the new package which fixes a security vulnerability or whatever.
checkrestart -v
However, keep in mind that checkrestart may list processes that shouldn't necessarily be restarted. For example, the PostgreSQL service may be keeping in its memory a reference to an already deleted xlog file, which isn't a valid reason to restart the service. Therefore, another, more reliable, way to check this using standard utils is the following little bash script that I shamelessly stole from https://locallost.net/?p=233
It checks if running processes on a system are still using deleted libraries by virtue of keeping copies of those in active memory.
ps xh -o pid | while read PROCID; do
    # a mapping that ends in "(deleted)" means the file on disk was replaced
    grep 'so.* (deleted)$' /proc/$PROCID/maps 2> /dev/null
    if [ $? -eq 0 ]; then
        # cmdline is NUL-separated; turn the NULs into spaces for display
        CMDLINE=$(sed -e 's/\x00/ /g' < /proc/$PROCID/cmdline)
        echo -e "\tPID $PROCID $CMDLINE\n"
    fi
done
replace /etc/apt/preferences with the following:
Package: *
Pin: release a=lucid-security
Pin-Priority: 500
Package: *
Pin: release o=Ubuntu
Pin-Priority: 50
now a simple apt-get upgrade will upgrade all security updates only.
Why (and how) this works: The preferences file will pin all packages from the Ubuntu distribution to priority 50, which will make them less desirable than already installed packages. Files originating from the security repository are given the default (500) priority, so they are considered for installation. This means that the only packages considered more desirable than the currently installed ones are security updates. More information about pinning is in the apt_preferences manpage.
You can temporarily promote a certain distribution for updates with the --target-release option, which works with apt-get and aptitude (at least) and allows you to pin certain releases so that they are eligible for upgrade.
If you wish to use this for scripts only and not make it the default for the system, you can place the rules into some other location and use this instead:
apt-get -o Dir::Etc::Preferences=/path/to/preferences_file upgrade
This will make apt look for the preferences file from a non-default location.
The preferences file given as an example doesn't apply to third party repositories, if you wish to pin those too you can use apt-cache policy to easily determine the required keys for pinning.
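The pin rules above hard-code the lucid codename. The following added example (not code from the answer) generates the same two stanzas for the running release and runs the simulated upgrade against them from a non-default location. It assumes lsb_release or /etc/os-release is available for the codename, and it also overrides Dir::Etc::PreferencesParts so that files in /etc/apt/preferences.d do not silently add their own pins to the test:

```shell
#!/usr/bin/env bash
# Added example, not from the original answer: build the security-only pin
# file for the running release and simulate an upgrade with only it in effect.
set -u

# Codename of the running release, e.g. "jammy" (assumes lsb_release or /etc/os-release).
detect_codename() {
  lsb_release -cs 2>/dev/null || { . /etc/os-release && echo "$VERSION_CODENAME"; }
}

# Write the pin rules for CODENAME to OUTFILE:
#   <codename>-security keeps the default priority 500,
#   everything else from the Ubuntu origin is pinned down to 50.
write_security_prefs() {
  codename="$1"; outfile="$2"
  cat > "$outfile" <<EOF
Package: *
Pin: release a=${codename}-security
Pin-Priority: 500

Package: *
Pin: release o=Ubuntu
Pin-Priority: 50
EOF
}

# Simulate (-s) an upgrade with only those pins in effect. Pointing
# PreferencesParts at /dev/null keeps /etc/apt/preferences.d out of the picture.
simulate_security_upgrade() {
  prefs="$1"
  apt-get -s \
    -o Dir::Etc::Preferences="$prefs" \
    -o Dir::Etc::PreferencesParts=/dev/null \
    upgrade
}

# Run with RUN_LIVE=1 to try it against the real apt state on this host.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  prefs=$(mktemp)
  write_security_prefs "$(detect_codename)" "$prefs"
  simulate_security_upgrade "$prefs"
  rm -f "$prefs"
fi
```

Drop the -s once the simulated list looks right; the o=Ubuntu stanza only matches the Ubuntu origin, so third-party repositories still need their own pins, as the answer notes.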
The following is confirmed in Ubuntu 14.04 LTS.
Use the unattended-upgrade package.
Look at the file /etc/apt/apt.conf.d/50unattended-upgrades. There should be a section at the top that is:
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Note how it has been configured to only allow unattended upgrades for security packages, by default.
Modify the file /etc/apt/apt.conf.d/10periodic similar to:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
This will run automatic unattended security upgrades, once per day.
Now, to run manually: sudo unattended-upgrade.
To test as a dry-run, without doing anything: sudo unattended-upgrade --dry-run.
Sources: https://help.ubuntu.com/14.04/serverguide/automatic-updates.html and https://help.ubuntu.com/community/AutomaticSecurityUpdates
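Since the whole point of the Allowed-Origins block is that only the security pocket is uncommented, it is worth checking a host for that rather than trusting the default. The following added example (not from the answer and not part of unattended-upgrades) prints the enabled origins with ${distro_id} and ${distro_codename} expanded and fails if any non-security origin is enabled. It assumes the "{ ... };" block form with // line comments shown above, not /* */ comments or the newer Origins-Pattern syntax, and uses lsb_release for the live check:

```shell
#!/usr/bin/env bash
# Added example: report which Allowed-Origins entries are actually enabled.

# Print enabled origins. Args: distro_id distro_codename. Config on stdin.
active_allowed_origins() {
  awk -v id="$1" -v cn="$2" '
    /Unattended-Upgrade::Allowed-Origins[[:space:]]*[{]/ { inblock = 1; next }
    inblock && /^[[:space:]]*[}]/                        { inblock = 0 }
    inblock && !/^[[:space:]]*\/\// && match($0, /"[^"]*"/) {
      o = substr($0, RSTART + 1, RLENGTH - 2)   # strip the surrounding quotes
      gsub(/[$][{]distro_id[}]/, id, o)
      gsub(/[$][{]distro_codename[}]/, cn, o)
      print o
    }
  '
}

# Succeeds only if every enabled origin is a security pocket.
only_security_origins() {
  active_allowed_origins "$1" "$2" |
    awk 'tolower($0) !~ /security/ { bad = 1 } END { exit bad + 0 }'
}

# Constructed config samples; the first mirrors the Ubuntu default quoted above.
default_origins_cfg() {
  cat <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
EOF
}

loosened_origins_cfg() {
  cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
EOF
}

# Check the real file with the running release's id and codename (needs lsb_release).
check_live() {
  id=$(lsb_release -is); cn=$(lsb_release -cs)
  cfg=/etc/apt/apt.conf.d/50unattended-upgrades
  active_allowed_origins "$id" "$cn" < "$cfg"
  if only_security_origins "$id" "$cn" < "$cfg"; then
    echo "OK: only security origins enabled"
  else
    echo "WARNING: non-security origins enabled"
  fi
}

if [ "${RUN_LIVE:-0}" = "1" ]; then check_live; fi
```

Run it with RUN_LIVE=1 to check the host; on the default file it prints Ubuntu:<codename>-security and OK.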
If you wish to install only security updates the following will work. First it lists all upgradeable packages, filters out only the ones coming from a security repo, cuts the returned strings at the first field, and then passes them to apt-get install for the package update.
sudo apt list --upgradable | grep security |cut -d\/ -f1|xargs sudo apt-get install -y
On Debians I use this command to do only security updates:
apt-get install -y --only-upgrade $( apt-get --just-print upgrade | awk 'tolower($4) ~ /.*security.*/ || tolower($5) ~ /.*security.*/ {print $2}' | sort | uniq )
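Both the grep -i securi pipeline in the tips answer and the awk $4/$5 one-liner above key off the origin shown in apt-get's simulated "Inst" lines. The following added example (not code from either answer) does the same job but matches the whole parenthesised origin list of each line, so a package that apt lists from both $release-updates and $release-security (both origins appear on the one line) is still counted. The sample output is constructed, not captured from a real host; the live wrappers assume apt-get and sudo:

```shell
#!/usr/bin/env bash
# Added example: pick security upgrades out of `apt-get -s dist-upgrade` output.

# Read apt-get simulation output on stdin; print, sorted and de-duplicated,
# the names of packages that have an upgrade available from a security origin.
security_pkgs_from_sim() {
  awk '
    $1 == "Inst" {
      # Inst <pkg> [<oldver>] (<newver> <origin>[, <origin>...] [<arch>])
      origins = $0
      sub(/^[^(]*\(/, "", origins)          # keep only the parenthesised part
      if (tolower(origins) ~ /security/) print $2
    }
  ' | sort -u
}

# Constructed sample of apt-get -s dist-upgrade output.
sample_sim_output() {
  cat <<'EOF'
NOTE: This is only a simulation!
Inst libssl3 [3.0.2-0ubuntu1.10] (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-updates, Ubuntu:22.04/jammy-security [amd64])
Inst curl [7.81.0-1ubuntu1.13] (7.81.0-1ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
Inst vim [2:8.2.3995-1ubuntu2.11] (2:8.2.3995-1ubuntu2.15 Ubuntu:22.04/jammy-updates [amd64])
Conf libssl3 (3.0.2-0ubuntu1.12 Ubuntu:22.04/jammy-security [amd64])
Conf curl (7.81.0-1ubuntu1.15 Ubuntu:22.04/jammy-security [amd64])
EOF
}

# Live wrappers: the simulation needs only apt, the install step needs root.
list_security_upgrades_live() {
  apt-get -s dist-upgrade | security_pkgs_from_sim
}

install_security_upgrades_live() {
  pkgs=$(list_security_upgrades_live)
  if [ -n "$pkgs" ]; then
    # shellcheck disable=SC2086  # word splitting into package names is intended
    sudo apt-get install --only-upgrade -y $pkgs
  else
    echo "no security upgrades pending"
  fi
}

# Run with RUN_LIVE=1 to list what this host would get.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  list_security_upgrades_live
fi
```

On the sample above it prints curl and libssl3 but not vim, which is only offered from jammy-updates; --only-upgrade keeps apt-get from pulling in packages that are not already installed.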
Although it's pretty ugly, you could disable all the repositories apart from the security repository and then do:
sudo apt-get update && sudo apt-get upgrade
I haven't tested it, but in theory it would only find updates in the security repo and apply them...
apt-get update: just reads the entries in the repositories according to the existing list. Needed to check what is new.
apt-get upgrade: all updates for installed packages without kernel modules. No release update.
apt-get dist-upgrade: all updates for installed packages, also with kernel modules. No release update.
apt-get with parameter -s: test only, no changes performed.
Here's a script that achieves this in a few different ways:
#!/usr/bin/env bash
set -e
# List upgradable packages
apt-get update
apt list --upgradable 2>/dev/null
# List security upgrades
test "$(apt-get upgrade -s -y)" && (apt-get upgrade -s -y)
# List upgradable apt packages then upgrade
apt-get update && apt-get upgrade -y -V | grep '=>' | awk '{print$1}' && test "$(apt-get upgrade -y)"
I can't find an option in either apt-get or aptitude, however someone had the same question on SuperUser. The only response is:
Check and adjust /etc/apt/apt.conf.d/50unattended-upgrade.
Did you replace 'karmic' with the code name of your Ubuntu?
No reply as to whether that worked however.