Home / ubuntu / Questions / 1128433
Accepted
Sqerstet
Asked: 2019-03-25 21:15:44 +0800 CST

How to ensure security upgrades run regularly on intermittent internet connection?

  • 772

Ubuntu seems to have an enduring blind-spot for security upgrades on computers which are not connected permanently to the internet. These days there are surely a ton of them, mostly laptops.

In theory the solution is unattended-upgrades. On Ubuntu this runs by default with a daily systemd timer or cron job. With cron, anacron also runs by default as a protection, and executes any cron jobs which were missed because the computer was turned off. So far so sensible.

BUT!

  1. Default unattended-upgrades config (/etc/apt/apt.conf.d/50unattended-upgrades or similar) requires the following to be set, else upgrades risk being skipped on a roaming laptop:

    Unattended-Upgrade::OnlyOnACPower "false";
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";

  2. Even worse, anacron, like cron, runs jobs whether or not an internet connection is available! This is clearly a major design bug for non-server Ubuntu, since personal computers are not always connected permanently.

TLDR: With default config, on a roaming laptop, unattended-upgrades will not work much of the time.

(Perhaps there needs to be a separate class of cron job or systemd timer-thing which waits for a network connection until executing. Or failed cron.daily jobs could be switched to cron.hourly until they execute successfully. Perhaps there is one already.)

One practical solution is a systemd unit file to execute unattended-upgrades as a user script after the network comes online. But it will only run once per boot.

What is the optimal solution? Does anyone know if there are plans to fix this with a new package or a config improvement?

security apt unattended-upgrades 18.04 anacron

1 Answers

  1. Best Answer

    If connecting to internet with network-manager, the current default on Ubuntu, then create a dispatcher script to launch unattended-upgrade (unattended-upgrades is a symlink, also works) after connecting to the network:

    sudo touch /etc/NetworkManager/dispatcher.d/20-myconnectionscript
sudo chmod +x /etc/NetworkManager/dispatcher.d/20-myconnectionscript

    In 20-myconnectionscript:

    #!/bin/sh

if [ "$2" = "up" ];
  # only proceed if unattended-upgrades was last run more than a day ago
  ELAPSEDSINCEUU=$(($(date +%s) - $(date +%s -r /var/lib/apt/periodic/unattended-upgrades-stamp)))
  if [ $ELAPSEDSINCEUU -gt 86400 ]; then
    apt update --yes # replace, see below
    /usr/bin/unattended-upgrade # replace, see below
  fi
fi

    Edit. Turns out unattended-upgrades does not trigger an update of the package lists. So if unattended-upgrades has been failing then there is a good chance that apt update has been failing too, in which case the upgrades will continue not to happen! So added manual update to script. Disappointing that ensuring security upgrades has to be so complicated.

    Edit 2. This is what you need in your non-interactive script if you want to be absolutely sure your laptop is up to date. Can confirm it works reliably. Replace the 2 lines above with it.

    DEBIAN_FRONTEND=noninteractive apt-get --yes update
DEBIAN_FRONTEND=noninteractive apt-get --yes --allow-downgrades --allow-remove-essential --allow-change-held-packages -- option Dpkg::Options::=--force-confold --option Dpkg::Options::=--force-confdef dist-upgrade

    It is the full dist-upgrade, not just a security upgrade. If anyone has a suggestion for security-only version, which will always work when run non-interactively and does not involve too much futzing with repo configuration, please suggest it.

    Once again: unattended-upgrades cannot be expected to work for an intermittently connected computer. The Ubuntu security team really need to address this situation.

    • 3