Here is how you configure automatic (security) updates on Debian:
aptitude install unattended-upgrades
Here you can configure it:
This could look like this:
// add packages here that need manual steps like this:
Now create the following file:
With this content:
// Enable the update/upgrade script (0=disable)
// Do "apt-get update" automatically every n-days (0=disable)
// Do "apt-get upgrade --download-only" every n-days (0=disable)
// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
// Do "apt-get autoclean" every n-days (0=disable)
Of course the server needs to be able to send mails so it can send mails in case of problems.
You can test it like this:
# mail -s test email@example.com
Hope this helps somebody.
Update: Some updates caused dpkg questions about changed config files and therefore failed.
For example php5-fpm did ask this:
Setting up php5-fpm (5.4.4-14+deb7u10) ...
Configuration file `/etc/php5/fpm/pool.d/www.conf'
==> Deleted (by you or by a script) since installation.
==> Package distributor has shipped an updated version.
What would you like to do about it ? Your options are:
Y or I : install the package maintainer's version
N or O : keep your currently-installed version
D : show the differences between the versions
Z : start a shell to examine the situation
The default action is to keep your current version.
*** www.conf (Y/I/N/O/D/Z) [default=N] ? dpkg: error processing php5-fpm (--configure):
EOF on stdin at conffile prompt
This caused PHP5-FPM to stop and all PHP sites to show an Internal Server Errror…
So you don’t run into this problem, create /etc/apt/apt.conf.d/local with this content:
This tells DPKG to keep the old config file. It will create .dpkg-dist files with the package distributer’s version. More information on this can be found here.