#haacksnetworking #debian Today, I am sharing a new wiki post that documents how I remotely upgrade servers automatically. I was getting tired of entering the same commands over and over for each server. I scoured online sources and put them together in this fashion for my own use. I have reprinted the first version of the tutorial below for convenience, but as always please refer to the wiki for the latest updates and instructions:

  • remote-upgrades
  • Jonathan Haack
  • Haack’s Networking


Ok, I was looking for an easy secure way to remotely upgrade the servers I manage all at once from my primary server. I found some good online tutorials, and adjusted to my needs as follows. And before you begin, you should only do this after you set up pubkey ssh, disable password authentication, and disable root authentication – see my ssh tutorial for help with setting that up. Once your ssh access is secure, create a small shell script on each target machine that will update and upgrade its OS.

sudo touch /usr/local/bin/apt-remote
sudo chmod 750 /usr/local/bin/apt-remote
sudo chown $USER:$USER /usr/local/bin/apt-remote
sudo nano /usr/local/bin/apt-remote

Enter your desired updating and upgrading parameters. For example, you could optionally enter a “-y” flag on these target machine scripts to additionally not be prompted when running upgrades. I do not advise this, in particular, just making the point that one can customize the update and upgrade script on each machine to whatever that target machine requires. Here is what I use:

apt update
apt dist-upgrade
apt autoremove
apt autoclean
echo "I just finished";
uname -a
echo "If there is another, I will begin that now …";

Edit the sudoers file to allow this command to be executed without a password, thus enabling you to remotely execute this command over secure pubkey authentication without prompting you for additional authentication. Change the “username” parameter to the user on that particular target machine.

sudo nano /etc/sudoers

Add the following to the file, obviously changing “username” to the target machine’s user name.

username ALL=(root) NOPASSWD: /usr/local/bin/apt-remote

Once this is set up, reboot each remote target, and now switch to configuring the primary workstation that you stage your updates from. On the primary workstation, create a small shell script that updates your remote servers by remotely executing the scripts you made on each target from the primary workstation. Here is an example, of a suitable shell script:

sudo touch /usr/local/bin/
sudo chmod 750 /usr/local/bin/
sudo chown $USER:$USER /usr/local/bin/
sudo touch /usr/local/bin/

In the file that opens, use the following script parameters or something similar. This script runs on the primary workstation and then executes the “sudo apt-remote” script on the target machine. Again, none of this will work if your ssh is improperly configured.

#run on each host
for i in $hostsa;
echo $i;
ssh -t -p 60000 $i sudo apt-remote;
#use another set up if the targets have different ssh configs, etc.
#run on each host
for i in $hostsb;
echo $i;
ssh -t -p 222 $i sudo apt-remote;

When you test it, there should be no password prompts to connect to the remote hosts as the sudoer entry on the targets ensure that will not happen. Additionally, since your ssh connection is pubkey only, with no root or password access, this remotely executed command presents limited secruity flaws.

The script above is an example, and might be updated in the future. You can find my latest and most up to date version of this script on my self-hosted Gitlab-CE over here:

If you need to do this with an openvpn connection, here is how:

cd /path/to/vpnconfig/
sudo openvpn config.ovpn &
sleep 10s

for i in $hostsa;
echo “I will now update” $i;
ssh -t -p 222 user@$i sudo apt-remote;

cd ~
sudo killall openvpn
sleep 10s

Need to do this over openvpn, then look here:

Leave a Reply

Your email address will not be published. Required fields are marked *

JavaScript licenses