Automating Debian updates

by Juliet Kemp

I have cron-apt set up on all my machines -- you can get it to install any updates automatically but that sounds like Bad News to me, so instead it's set to download and email me. I had a script that took names-of-machines-to-upgrade as arguments and did the rest for me, but that involved typing up to 50 machine names. And I am lazy.

So I finally got around to writing a script that parses a local mailbox, grabs the machine names from the subject lines, and does the rest from there. My involvement now is:

  1. Get Thunderbird to show me only the cron-apt emails (via tag filter — tags are automatically applied).
  2. Quick check of the emails to make sure nothing outrageous is going to happen.
  3. Select all, hit Ctrl-6 to move them to the special mailbox (TB QuickMove Extension allows you to allocate up to 10 mailboxes to key combinations).
  4. Find terminal window, run script.

Note that in an ideal world I'd be using Net::SSH::Perl to check for the root ssh key, but I was having problems with CPAN when I wrote this.

#!/usr/bin/perl -w

use strict;

my $homedir = "/home/user";
my $file    = "$homedir/mail/aptget";
my $sshkey  = "$homedir/.ssh/key";
my $cmd     = "apt-get -y upgrade";
my @hosts;

sub runcommand();

open FILE, "+<", $file or die "Cannot open $file: $!";

# Subject line looks like:
# Subject: CRON-APT completed on machinename [/etc/cron-apt/config]
while (<FILE>) {
    next unless /CRON-APT completed/;
    my @line = split;
    my $hostname = $line[4];
    push @hosts, $hostname;
}

# Check if sshkey is in ssh list & add it if not
if (`ssh-add -l` =~ /.* \Q$sshkey\E/) {
    runcommand();
}
else {
    # Load the key for this run only, then remove it from the agent again
    `ssh-add $sshkey`;
    runcommand();
    `ssh-add -d $sshkey`;
}

print FILE "";
close FILE;

# Run the upgrade command as root on every host found in the mailbox
sub runcommand() {
    foreach my $host (@hosts) {
        print "Host is: $host\n";
        # List form of system(): the local shell never parses $host
        system("ssh", "root\@$host", "-i", $sshkey, $cmd);
    }
}

Carla Schroder
2008-01-18 10:14:00
Heh, that's pretty slick. You should write a Hacks book!

2008-01-18 14:26:10
For those of us who don't like machines to email us, dean wrote a nagios plugin to check for packages which need upgrading.

with the added advantage that making your nagios all messy prompts you to actually fix it :)

Admir Trakic
2008-01-23 04:36:23
I'm not sure if the "apt-get -y upgrade" is the real deal for your production servers. What about bug handling? Your script certainly does not take care of that. Take a look at the apt-doc and apt-howto packages for more info about apt. ;-)

Juliet Kemp
2008-01-24 03:15:15
Carla: thanks! I would be very happy to do so, maybe I should give it some thought :)

Admir: as per above, I do check the cron-apt emails before running this, so I know what I'm installing. (It's possible that something could have snuck in betweentimes, it's true; if this concerns you, use the --no-download switch.)

I'm not sure what you mean about bug-handling. This script doesn't look for options on the commandline or strange input or anything like that, no.

Depending on your environment, this may indeed be unsuitable for production servers. Use appropriate discretion, of course! Under the system as above, you have control over which emails go into the file used as input by the script; so don't put anything in there that you're uncertain about.