Given a 3rd party Debian package repository such as apt.postgresql.org, how do you make sure that the packages, and the services they provide such as a PostgreSQL DB server, get updated automatically?

First run apt-cache policy and you should see something like this:

    # apt-cache policy
    Package files:
     [...]
     500 http://apt.postgresql.org/pub/repos/apt jammy-pgdg/main amd64 Packages
         release o=apt.postgresql.org,a=jammy-pgdg,n=jammy-pgdg,l=PostgreSQL for Debian/Ubuntu repository,c=main,b=amd64
         origin apt.postgresql.org
     [...]

From this you can see that the “Origin” of packages coming from the PostgreSQL Debian package repository is apt.postgresql.org (o=apt.postgresql.org) and the name of the “Archive” is jammy-pgdg (a=jammy-pgdg).

So now we can insert that into /etc/apt/apt.conf.d/50unattended-upgrades:

    # cat /etc/apt/apt.conf.d/50unattended-upgrades
    [...]
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "apt.postgresql.org:${distro_codename}-pgdg";
    [...]

As you can see, I’ve replaced jammy-pgdg with ${distro_codename}-pgdg. That way, if you run do-release-upgrade, the “Archive” name will still match the currently running Ubuntu/Debian release.

Now you can test whether the next unattended-upgrade would actually upgrade the packages from the 3rd party repo, in our case postgresql-15:

    # unattended-upgrade --dry-run
    Preconfiguring packages ...
    Preconfiguring packages ...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/postgresql-15_15.13-1.pgdg22.04+1_amd64.deb 
    [...]

And indeed it would and it will.
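As an added example (not part of the original post): a small shell helper that reads `apt-cache policy` output and prints the `origin:archive` entries you could put into Allowed-Origins, replacing the codename prefix with ${distro_codename}. The function names and the Ubuntu sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): turn `apt-cache policy` output
# into candidate Unattended-Upgrade::Allowed-Origins entries.

# Constructed sample input: the pgdg line is the one shown above, the Ubuntu
# line is made up for illustration.
sample_policy() {
    cat <<'EOF'
 500 http://apt.postgresql.org/pub/repos/apt jammy-pgdg/main amd64 Packages
     release o=apt.postgresql.org,a=jammy-pgdg,n=jammy-pgdg,l=PostgreSQL for Debian/Ubuntu repository,c=main,b=amd64
     origin apt.postgresql.org
 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
EOF
}

# Reads policy output on stdin. $1 is the running release codename (assumption:
# on a real host take it from VERSION_CODENAME in /etc/os-release); pass "" to
# keep archive names literal.
allowed_origins_from_policy() {
    awk -v cn="$1" '
        $1 == "release" {
            line = $0
            sub(/^[ \t]*release[ \t]+/, "", line)   # keep only the k=v list
            origin = ""; archive = ""
            n = split(line, kv, ",")
            for (i = 1; i <= n; i++) {
                # First o= / a= wins, so later fields cannot override them.
                if (origin == ""  && kv[i] ~ /^o=/) origin  = substr(kv[i], 3)
                if (archive == "" && kv[i] ~ /^a=/) archive = substr(kv[i], 3)
            }
            if (origin == "" || archive == "") next  # cannot be matched by o:a
            # Generalise the codename prefix so the entry survives a release upgrade.
            if (cn != "" && index(archive, cn) == 1)
                archive = "${distro_codename}" substr(archive, length(cn) + 1)
            entry = "\"" origin ":" archive "\";"
            if (!(entry in seen)) { seen[entry] = 1; print entry }
        }'
}

sample_policy | allowed_origins_from_policy jammy
```

On a real system, pipe `apt-cache policy` into the function instead of the sample, and review each printed entry before adding it, since every origin you list becomes eligible for unattended installation.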

CAVEAT EMPTOR: ATTENTION!!!

I have not been testing unattended PostgreSQL updates from a 3rd party repo, namely apt.postgresql.org, for a long time! It has worked for now and I have not seen any breakage yet. However, due to the short period of testing, services running on servers might still break in the future due to unattended updates. Please do think about what could go wrong before blindly following the recipe provided above.

You might, for example, want to pin certain packages or add update policies/priorities. See for example here. Also, dependency meta packages that depend on packages that you do not want to have removed might serve you. See for example here.

Feedback welcome -> tpo_hp at sourcepole.ch