Keeping Things Updated With Apt-Dater
One challenge of running servers, especially if you have more than a few, is keeping all of the software up to date on them. Patches are released constantly, and keeping software updated is a major security concern.
One great tool that can help automate this is
apt-dater, a text based utility
that lets you interactively update packages on systems.
apt-dater is included in the main Debian and Ubuntu repositories, so you just
have to run
apt-get install apt-dater on the host you’ll use to update
apt-get install apt-dater-host on your servers.
You’ll need to also configure your user to be able to run
without a password if you’re not logged in as root. You can also just login as
root, which is easier but is a bit less secure.
There are a number of ways to accomplish this, but the most straightforward is
to just add a rule in
sudoers for your user. You can set up groups to allow
multiple users to run things too.
Create a new file in
/etc/sudoers.d and call it anything you’d like, I call
grumpy-apt. Fill it with these contents:
grumpy ALL= NOPASSWD: /usr/bin/apt, /usr/bin/apt-get
This allows the user
grumpy to run just
apt-get without a
password. This won’t affect your other permissions, so you’ll still be able to
run other commands with sudo with a password. Replace
grumpy with whatever
username you use.
Make sure the file is owned by root and has permissions of
440, otherwise Sudo
won’t load it.
chown root:root /etc/sudoers.d/grumpy-apt chmod 440 /etc/sudoers.d/grumpy-apt
(be sure to replace the file names with what you called your file)
You’ll need to also be able to login to your servers without a password. You
ssh-copy-password to install your key using your existing password
quickly and easily.
Once your servers are setup, you’ll need to tell Apt-Dater which servers to
update. This is done with a configuration file in
Note: My installation uses XML formatted configuration files, which is what I’ll highlight here. Newer versions may use a different format, but refer to the docs for whatever version you happen to install. I believe XML will work with newer versions.
hosts.xml is fairly simple. It just contains a list of hosts and groups it
should look to update. Groups are just used to consolidate things in the UI and
keep things organized. It’s purely cosmetic and you can set them up however
There’s some examples in the file already, but this is the basics of how mine was setup:
<hosts xmlns:xi="http://www.w3.org/2001/XInclude"> <!-- Include global config file if available. --> <xi:include href="file:///etc/apt-dater/hosts.xml" xpointer="xpointer(/hosts/*)"> <xi:fallback /> </xi:include> <group name="KC 1"> <host name="host1.dns" ssh-host="10.0.0.0" /> <host name="host2.dns" ssh-host="10.0.0.0" /> </group> </hosts>
There are also options for things like
ssh-user. These are the comments from
the examples in the file:
The following attributes are known: - name : visible name of the host or group (required) - comment : text shown in 'host details' screen - type : transport type (default: 'generic-ssh') - ssh-user: overwrite SSH username - ssh-host: overwrite SSH host (defaults to @name) - ssh-port: overwrite SSH port - ssh-id : overwrite SSH identification file
Once setup and your hosts are added, you’re ready to use Apt-Dater. Get started
apt-dater on your workstation.
When it first starts, you’ll see a list of statuses, and your hosts will be divided into each one. You’ll use the arrow keys, enter, and space to navigate the list. You’ll also use some letter keys to perform actions, but we’ll get there.
Here are the most important states your server can be in:
- Unknown - Refreshing the needed updates has failed or hasn’t yet been run.
If the refresh did fail, you can use the
ekey to see the output and the potential errors.
- In Refresh -
apt-getare working to get the list of new packages. This can take a moment or two.
- Up to Date - All the packages are up to date, there’s nothing you need to do.
- Updates Pending - There are updated packages ready to be installed.
If you are just starting, you’ll want to refresh all your hosts as their status
can be cached from last time. Navigate (using
down) to the group
you’d like, or drill down to a host by pressing
space to expand groups. Then
g to update the package data.
With all the commands I show here, you can run it on a single host, a group of
hosts, or all the hosts in a given status. For example, you can highlight the
“Unknown” status group and press
g to refresh all of them at the same time.
Once you have some updates to apply, you can navigate to the host or group and
u key to trigger the updates. If you’re asking to update an entire
apt-dater will ask for confirmation.
Once the updates start, you’ll be in an SSH session watching the upgrades take
place. You can sit and watch each host, or you can use
d to go
back to the main screen. The host you were connected to will now be under
Sessions. To go back to the SSH session, navigate to the host and press
n from the main screen. You can have many sessions open at once and
switch between them.
If you have multiple sessions and you disconnect from a host,
ask if you’d like to connect to the next open session or go back to the menu.
After the host is updated, it will automatically refresh and go back to the main
screen. Once everything is updated, you can press
q to exit. If certain
words are detected, like
apt-dater will inform you that
errors were detected and ask what to do. You can ignore these (
i) or view the
full update output by pressing
l to open
less. You can also connect (
to manually sort things out if needed.
If you have many machines, and especially if their publicly available, you’ll want to be subscribed to the security announcements mailing list for your distribution. This will give you fairly quick notification when security updates are available and details on any potential exploits you may need to watch out for. Here are the ones for Debian and Ubuntu:
Both of these lists generate a few messages per day, but the information is worth knowing.
Also, by default
apt-dater-host will install
needrestart. This package
restarts services after running an upgrade and I honestly find it to just be
annoying. It frequently will cause
apt-dater to think an error occurred while
updating and stop the smooth flow, so I’ve just removed it.