Ubuntu Server Security Updates Only
Today's quick tip is a lesser-known way of keeping up with security updates on Ubuntu server without the very buggy unattended-upgrades package. Your experiences may vary.
When running updates in an attended state, such as using apt or running the updater, you'll notice you are prompted to upgrade everything. However, you'll also notice that the default in the updates settings is to install security updates automatically. This is awesome… but what about Ubuntu server? Remember, unattended-upgrades doesn't always work well on all systems.
On my Ubuntu-powered Pi2 for example, unattended-upgrades is a bust. Thankfully, there is a CLI work-around that will allow you to apt upgrade just security updates without unattended-upgrades and without updating everything.
To use apt to manually (or you could script this) install security updates only, try the following:
sudo cp /etc/apt/sources.list /etc/apt/security.sources.list
This creates a special list that, once edited, will be used for security updates only, while leaving sources.list untouched. In security.sources.list, make sure you comment out everything except the security repo. So you’ll make it look something like this:
#deb http://ports.ubuntu.com/ xenial main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial main restricted universe multiverse
#deb http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial-updates main restricted universe multiverse
deb http://ports.ubuntu.com/ xenial-security main restricted universe multiverse
deb-src http://ports.ubuntu.com/ xenial-security main restricted universe multiverse
#deb http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse
#deb-src http://ports.ubuntu.com/ xenial-backports main restricted universe multiverse
Once you’ve changed the security.sources.list file to look like it does above, then you’re ready to take this for a test drive.
sudo apt update && sudo apt-get upgrade -o Dir::Etc::SourceList=/etc/apt/security.sources.list
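The above command runs the usual upgrade, but tells apt to read security.sources.list in place of /etc/apt/sources.list. Files under /etc/apt/sources.list.d/ are still read, because that directory is controlled by a separate option (Dir::Etc::SourceParts). There are two cool things about this.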
First, you can still run your apt update && apt upgrade like always to upgrade everything. Secondly, you can script this technique out fairly easily to include options like an automatic reboot if you want. Again, this is assuming you’re dealing with non-GUI situations. I found it to be awesome for my Rasp Pi2.
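One way to script the steps above, including the optional reboot, as an added example that is not from the original post. The function names, the AUTO_REBOOT variable and the script path in the cron comment are assumptions; it generates security.sources.list from sources.list instead of editing it by hand.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, AUTO_REBOOT and
# the script path in the cron comment are assumptions.
set -eu

SRC_LIST=/etc/apt/sources.list
SEC_LIST=/etc/apt/security.sources.list   # path used in the post

# Filter a sources.list on stdin: keep active deb/deb-src lines whose suite
# ends in "-security", comment out every other active line, and pass
# existing comments and blank lines through unchanged.
security_only() {
    awk '
        /^[ \t]*(#|$)/ { print; next }
        {
            i = 2
            # Skip an optional [option=value ...] group, which may span fields.
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
            suite = $(i + 1)            # field after the repository URI
            if (($1 == "deb" || $1 == "deb-src") && suite ~ /-security$/) print
            else print "#" $0
        }'
}

security_upgrade() {
    tmp=$(mktemp)
    security_only < "$SRC_LIST" > "$tmp"
    install -m 0644 "$tmp" "$SEC_LIST"
    rm -f "$tmp"
    apt-get update
    # SourceParts="-" also leaves out /etc/apt/sources.list.d/*, and
    # --force-confold keeps edited config files instead of prompting
    # (both are additions to the command in the post).
    DEBIAN_FRONTEND=noninteractive apt-get -y upgrade \
        -o Dir::Etc::SourceList="$SEC_LIST" \
        -o Dir::Etc::SourceParts="-" \
        -o Dpkg::Options::=--force-confold
    # Flag file written by the update-notifier-common hook, if installed.
    if [ "${AUTO_REBOOT:-0}" = 1 ] && [ -f /var/run/reboot-required ]; then
        shutdown -r +1 "Rebooting after security updates"
    fi
}

# Only touch the system when asked to, e.g. from root crontab:
#   AUTO_REBOOT=1 /usr/local/sbin/security-upgrade.sh --apply
if [ "${1:-}" = "--apply" ]; then
    security_upgrade
fi
```

Run without arguments, the script does nothing; `security_only < /etc/apt/sources.list` can be used on its own to preview the generated list before applying it.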