Back to Details

auto-updates

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Auto Updates Skill

自动更新Skill

Enable automatic security updates on VPS servers to ensure systems are patched against known vulnerabilities.
在VPS服务器上启用自动安全更新,确保系统针对已知漏洞完成补丁修复。

What This Skill Does

本Skill的功能

This skill helps AI agents configure automatic security updates on Ubuntu/Debian-based VPS servers. Every piece of software has vulnerabilities - patches fix them. If you're not patching, you're running known-vulnerable software that attackers have pre-built exploits for.
Key capabilities:
  • Update package lists and upgrade installed packages
  • Configure unattended-upgrades for automatic security patches
  • Set up automatic reboot schedules when required
  • Verify update configuration and status
本Skill可帮助AI Agent在基于Ubuntu/Debian的VPS服务器上配置自动安全更新。所有软件都存在漏洞——补丁可修复这些漏洞。如果不进行补丁更新,您的服务器将运行已知存在漏洞的软件,而攻击者已经有现成的利用工具。
核心功能:
  • 更新软件包列表并升级已安装的软件包
  • 配置unattended-upgrades以实现自动安全补丁更新
  • 在需要时设置自动重启计划
  • 验证更新配置和状态

When to Use

使用场景

Use this skill when you need to:
  • Set up a new VPS server with automatic updates
  • Harden an existing server against known vulnerabilities
  • Ensure compliance with security patching requirements
  • Reduce manual maintenance overhead
  • Fix security audit findings related to outdated packages
Critical understanding: A server that's been up for 400 days isn't impressive - it's concerning. Regular updates and reboots are essential for security.
在以下场景中使用本Skill:
  • 为新的VPS服务器设置自动更新
  • 加固现有服务器以抵御已知漏洞
  • 确保符合安全补丁更新要求
  • 减少手动维护工作量
  • 修复与过时软件包相关的安全审计问题
重要认知: 一台连续运行400天的服务器并非值得称道——反而令人担忧。定期更新和重启对安全性至关重要。

Prerequisites

前置条件

  • Root or sudo access to the server
  • Ubuntu or Debian-based Linux distribution
  • Internet connectivity for package downloads
  • SSH access to the server
  • 拥有服务器的Root或sudo权限
  • 基于Ubuntu或Debian的Linux发行版
  • 具备下载软件包的网络连接
  • 拥有服务器的SSH访问权限

Installation & Configuration

安装与配置

Step 1: Update System Packages

步骤1:更新系统软件包

First, update the package list and upgrade all installed packages:
bash
sudo apt update && sudo apt upgrade -y
What this does:
  • apt update
    - Refreshes the package index from repositories
  • apt upgrade -y
    - Installs available updates without prompting
首先,更新软件包列表并升级所有已安装的软件包:
bash
sudo apt update && sudo apt upgrade -y
此命令的作用:
  • apt update
    - 从软件源刷新软件包索引
  • apt upgrade -y
    - 无需交互确认,安装所有可用更新

Step 2: Install Unattended Upgrades

步骤2:安装Unattended Upgrades

Install the unattended-upgrades package:
bash
sudo apt install unattended-upgrades -y
安装unattended-upgrades软件包:
bash
sudo apt install unattended-upgrades -y

Step 3: Configure Unattended Upgrades

步骤3:配置Unattended Upgrades

Enable automatic updates using the configuration tool:
bash
sudo dpkg-reconfigure unattended-upgrades
Select "Yes" when prompted to enable automatic updates.
Alternative manual configuration:
Edit 
/etc/apt/apt.conf.d/50unattended-upgrades
to customize:
bash
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Key settings to review:
  • Unattended-Upgrade::Allowed-Origins
    - Which updates to install
  • Unattended-Upgrade::Automatic-Reboot
    - Auto-reboot if required (default: false)
  • Unattended-Upgrade::Automatic-Reboot-Time
    - When to reboot (e.g., "02:00")
  • Unattended-Upgrade::Remove-Unused-Dependencies
    - Clean up old packages
使用配置工具启用自动更新:
bash
sudo dpkg-reconfigure unattended-upgrades
当提示启用自动更新时,选择“Yes”。
手动配置替代方案:
编辑
/etc/apt/apt.conf.d/50unattended-upgrades
进行自定义配置:
bash
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
需要检查的关键设置:
  • Unattended-Upgrade::Allowed-Origins
    - 指定要安装的更新来源
  • Unattended-Upgrade::Automatic-Reboot
    - 若需要则自动重启(默认:false)
  • Unattended-Upgrade::Automatic-Reboot-Time
    - 重启时间(例如:"02:00")
  • Unattended-Upgrade::Remove-Unused-Dependencies
    - 清理未使用的依赖包

Step 4: Verify Configuration

步骤4:验证配置

Check that unattended-upgrades is active:
bash
sudo systemctl status unattended-upgrades
View the automatic upgrade log:
bash
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
检查unattended-upgrades是否处于活跃状态:
bash
sudo systemctl status unattended-upgrades
查看自动更新日志:
bash
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log

Configuration Options

配置选项

Automatic Reboot Settings

自动重启设置

To enable automatic reboots when kernel updates require them, edit 
/etc/apt/apt.conf.d/50unattended-upgrades
:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
若要在内核更新需要时启用自动重启,请编辑
/etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Update Frequency

更新频率

The default update frequency is configured in 
/etc/apt/apt.conf.d/20auto-upgrades
:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
默认更新频率在
/etc/apt/apt.conf.d/20auto-upgrades
中配置:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

Testing

测试

Perform a dry run to see what would be updated:
bash
sudo unattended-upgrade --dry-run --debug
Manually trigger an update cycle:
bash
sudo unattended-upgrade --debug
执行试运行,查看将更新的内容:
bash
sudo unattended-upgrade --dry-run --debug
手动触发一次更新周期:
bash
sudo unattended-upgrade --debug

Troubleshooting

故障排查

Updates Not Running

更新未运行

Check the systemd timer status:
bash
sudo systemctl status apt-daily.timer
sudo systemctl status apt-daily-upgrade.timer
Enable timers if disabled:
bash
sudo systemctl enable apt-daily.timer
sudo systemctl enable apt-daily-upgrade.timer
检查systemd定时器状态:
bash
sudo systemctl status apt-daily.timer
sudo systemctl status apt-daily-upgrade.timer
若定时器已禁用,则启用它们:
bash
sudo systemctl enable apt-daily.timer
sudo systemctl enable apt-daily-upgrade.timer

Check Logs

检查日志

View recent update activity:
bash
sudo journalctl -u unattended-upgrades
查看近期更新活动:
bash
sudo journalctl -u unattended-upgrades

Held Packages

被固定的软件包

Some packages may be held back. List them:
bash
apt-mark showhold
Unhold if safe:
bash
sudo apt-mark unhold <package-name>
部分软件包可能被固定,列出这些软件包:
bash
apt-mark showhold
若安全则取消固定:
bash
sudo apt-mark unhold <package-name>

Security Best Practices

安全最佳实践

  1. Enable automatic security updates - Don't wait for manual intervention
  2. Monitor update logs - Regularly review 
    /var/log/unattended-upgrades/
  3. Plan for reboots - Some updates require system restart
  4. Test in staging - For production systems, test updates in a staging environment first
  5. Set up monitoring - Alert on failed updates or long uptime without reboots
  1. 启用自动安全更新 - 不要等待手动干预
  2. 监控更新日志 - 定期查看
    /var/log/unattended-upgrades/
  3. 规划重启时间 - 部分更新需要系统重启
  4. 在预发布环境测试 - 对于生产系统,先在预发布环境测试更新
  5. 设置监控 - 当更新失败或服务器长时间未重启时触发告警

Common Mistakes to Avoid

需避免的常见错误

  • ❌ Disabling updates because "they might break something"
  • ❌ Not monitoring update logs for failures
  • ❌ Ignoring reboot notifications for kernel updates
  • ❌ Holding back security packages indefinitely
  • ❌ 因担心“更新可能导致问题”而禁用更新
  • ❌ 不监控更新日志以排查失败情况
  • ❌ 忽略内核更新的重启通知
  • ❌ 无限期固定安全软件包

Additional Resources

额外资源

See references/apt-config.md for detailed APT configuration options.
See scripts/setup-auto-updates.sh for automated setup script.
有关详细的APT配置选项,请参阅references/apt-config.md
有关自动化安装脚本,请参阅scripts/setup-auto-updates.sh

Related Skills

相关Skill

  • ssh-hardening
    - Secure SSH configuration
  • firewall-configuration
    - Set up UFW firewall
  • fail2ban-setup
    - Configure brute-force protection
  • ssh-hardening
    - 安全SSH配置
  • firewall-configuration
    - 配置UFW防火墙
  • fail2ban-setup
    - 配置暴力破解防护