Ubuntu Server Security Updates Only

Today’s quick tip is a lesser-known way of keeping up with your security updates on Ubuntu server without the very buggy unattended-upgrades package. Your experiences may vary.

When running updates in an attended state, such as using apt or running the updater, you’ll notice you are prompted to upgrade everything. However, you’ll also notice in the update settings that the default is to install security updates automatically. This is awesome, but what about Ubuntu server? Remember, unattended-upgrades doesn’t always work well on all systems.

On my Ubuntu-powered Pi2 for example, unattended-upgrades is a bust. Thankfully, there is a CLI work-around that will allow you to apt upgrade just security updates without unattended-upgrades and without updating everything.

To use apt to manually (or you could script this) install security updates only, try the following:

sudo cp /etc/apt/sources.list /etc/apt/security.sources.list

This creates a special list that, once edited, will be used for security updates only, while leaving sources.list untouched. In security.sources.list, make sure you comment out everything except the security repo. So you’ll make it look something like this:

#deb http://ports.ubuntu.com/ xenial main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial main restricted universe multiverse
#deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse
deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial-security main restricted universe multiverse
#deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse

Once you’ve changed the security.sources.list file to look like it does above, then you’re ready to take this for a test drive.

sudo apt update && sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list

The above command will run the usual upgrade command, but it ensures you’re only using the security.sources.list file. There are two cool things about this.

First, you can still run your apt update && apt upgrade like always to upgrade everything. Secondly, you can script this technique out fairly easily to include options like an automatic reboot if you want. Again, this is assuming you’re dealing with non-GUI situations. I found it to be awesome for my Rasp Pi2.
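
The scripted version mentioned above, as an added example that is not code from the original post: it generates security.sources.list from sources.list instead of hand-editing it, upgrades from that list, and reboots when Ubuntu flags a reboot as required. It assumes one-line deb entries, suites named "<release>-security" and a root shell; the --apply switch, the install path in the comment and the extra Dir::Etc::SourceParts override are this example's own additions.

```shell
#!/bin/sh
# Added example (not from the original post): security-only upgrade wrapper.
# Assumes classic one-line sources.list entries and "<release>-security" suites.
SRC=${SRC:-/etc/apt/sources.list}
SEC=${SEC:-/etc/apt/security.sources.list}

# Print file $1 with every active deb/deb-src line commented out unless its
# suite ends in "-security". Comments and blank lines pass through unchanged.
filter_security() {
    awk '
        /^[ \t]*deb(-src)?[ \t]/ {
            i = 2                       # field 2 is the URI, or "[options]"
            if ($i ~ /^\[/) {           # skip a bracketed options field
                while ($i !~ /\]$/ && i < NF) i++
                i++
            }
            if ($(i + 1) !~ /-security$/) { print "#" $0; next }
        }
        { print }
    ' "$1"
}

# Regenerate the security-only list, upgrade from it, reboot if required.
security_upgrade() {
    filter_security "$SRC" > "$SEC.new" && mv "$SEC.new" "$SEC"
    apt-get update
    # SourceParts="-" is an addition to the post's command: without it, apt
    # still reads /etc/apt/sources.list.d/ (PPAs, vendor repos) as well.
    apt-get -y upgrade \
        -o Dir::Etc::SourceList="$SEC" \
        -o Dir::Etc::SourceParts="-"
    # Ubuntu creates this flag file when an installed update needs a reboot.
    if [ -f /var/run/reboot-required ]; then
        reboot
    fi
}

# Only touch the system when asked to, e.g. from root's crontab:
#   /usr/local/sbin/security-upgrade.sh --apply   (hypothetical path)
if [ "${1:-}" = "--apply" ]; then
    set -e
    security_upgrade
fi
```

Because the list is regenerated from sources.list on every run, a mirror change made there carries over to the security-only list automatically.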


Matt Hartley
Freedom Penguin’s founder & talking head – Matt has over a decade working with Linux desktops; his operating system experience consists of both Windows and Linux operating platforms. In addition to writing articles on Linux and open source technology for Datamation.com and OpenLogic.com/wazi, Matt also once served as a co-host for a popular Linux-centric podcast.

Matt has written about various software titles, such as Moodle, Joomla, WordPress, openCRX, Alfresco, Liferay and more. He also has additional Linux experience working with Debian based distributions, openSUSE, CentOS, and Arch Linux.
