Scheduling raspbian OS updates & upgrades

I've been using a simple script to update my pi, which I manually start (whenever I remember!!)
Would it be safe to add a cron job to run it weekly automatically in the middle of the night, or should the update/upgrade/clean commands always be monitored in the console?

#!/bin/bash
apt update && apt -yq full-upgrade && apt -yq autoremove && apt -yq clean

To be honest, I never do upgrades on my Pis if the system is running well. I think this stems from not having used Windows for almost 20 years and not feeling the need to upgrade that Windows users have instilled in them.

[edit] This is not a criticism of anyone who needs to upgrade often due to frequent changes of their environment!

On my Pi3, I run webmin which auto-updates everything, never had an issue.

On my older Pi2, I just occasionally log in and manually update, no real reason why I couldn't do a script, just never got round to it.

So I'd say that, unless you have something exotic installed, an auto-update would be fine. Raspbian is based on Debian anyway, which is renowned for stability and slow, steady updates.

I agree with @ghayne that this is probably not a good idea on a 'production' system as you can never be 100% certain that an upgrade will not break things. For example an unexpected power failure in the middle of updates can make the system unbootable.
However, if you do want automatic updates then I suggest using the tool designed for this purpose. I believe it works correctly on Raspbian.
https://wiki.debian.org/UnattendedUpgrades

I don't actually think that the decision is as clear-cut any more. You have to balance the risk of breaking something against the risk of compromise due to slow patching. Indeed, some organisations have started auto-updating even servers; auto-updates on end-user devices are certainly getting very common.

Ideally, in production, you would have a pre-prod system that gets updates a short while before production and do some base regression tests. But of course, this requires suitable operational resources (e.g. people).

That is always a worry, but surely that would still occur even if the upgrade was being monitored?

Possible, certainly, but for example if there were a threat of thunderstorms then one would probably not start the updates running, whereas automatic updates would run regardless. Also one might make sure not to run kit that might be more prone to trip the power whilst doing updates.

@TotallyInformation good points.

Upon balance, I've decided to add the script to a cron job to run it at 2.10am every Tuesday, and direct the output to /var/log/syslog so I can log & review its actions.

10 2 * * 2 root /home/pi/scripts/update_pi.sh 2>&1 | logger -t update_pi_script

I think @TotallyInformation put forward a convincing argument, and I'll try to mitigate the words of caution by creating regular system backups, so if it all goes wrong, I can quickly restore the system. Fortunately, no data is stored on the pi, as I'm running Influx in a cloud instance.

Thanks for the replies.
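A cron-safe variant of the update script and cron entry discussed above, as an added example that is not part of the original posts. It swaps `apt` for `apt-get`, never prompts, takes a lock, and reports which step failed so the `logger` output is useful; the lock-file path, the `--run` switch and the function names are hypothetical, and the reboot flag file is assumed to be created by package hooks on this system.

```shell
#!/bin/sh
# Added example (not the poster's script): unattended variant of update_pi.sh.
# Hypothetical names: LOCK_FILE path, --run switch, function names.
APT_GET="${APT_GET:-apt-get}"   # apt-get has a stable CLI for scripts; overridable for dry runs
LOCK_FILE="${LOCK_FILE:-/var/lock/update_pi.lock}"
# Assumption: package hooks on this system create this flag when a reboot is needed.
REBOOT_FLAG="${REBOOT_FLAG:-/var/run/reboot-required}"
# Keep locally edited config files instead of prompting (cron has no terminal).
OPTS="-yq -o Dpkg::Options::=--force-confdef -o Dpkg::Options::=--force-confold"

run_updates() {
    export DEBIAN_FRONTEND=noninteractive
    # Distinct return codes identify the failing step in the log.
    "$APT_GET" -q update || return 10
    # dist-upgrade is apt-get's name for what `apt full-upgrade` does.
    # $OPTS is intentionally unquoted so it splits into separate arguments.
    "$APT_GET" $OPTS dist-upgrade || return 11
    "$APT_GET" $OPTS autoremove || return 12
    "$APT_GET" -q clean || return 13
}

reboot_needed() { [ -f "$REBOOT_FLAG" ]; }

main() {
    # Hold an exclusive lock so an overrunning job is never started twice.
    exec 9>"$LOCK_FILE"
    flock -n 9 || { echo "previous run still active, skipping"; return 3; }
    rc=0
    run_updates || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "update FAILED (step code $rc)"
        return "$rc"
    fi
    if reboot_needed; then echo "update ok, reboot required"; else echo "update ok"; fi
}

# Only touch the system when called with --run, e.g. from the cron entry.
if [ "${1:-}" = "--run" ]; then main; exit $?; fi
```

With this variant the cron entry would call the script with `--run` appended; everything it prints still goes through the existing pipe to `logger`.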

Out of interest, why did you reject UnattendedUpgrades which is supposedly designed for the task?

I certainly haven't discounted Unattended Upgrades, but was initially off-put by its size & complexity.
It's much more comprehensive, and handles 'reboot requests', 'files not available', and many more edge cases.
I will probably progress from using the bash script to use Unattended Upgrades, but that will be after my next scheduled system backup, and after I return from a family break.

OK, I am interested in it myself on a different system which is why I was asking.

Colin, I've just installed Unattended Upgrades on a friend's Pi to see how it performs.
(that's what friends are for... :laughing: :laughing:)

I'll let you know how it goes.

OK, thanks.

I've created a new thread especially for unattended-upgrades.
