Auto update Archlinux and user repository

In this post I'm going to describe how to set up automatic package upgrades / system updates. In the first part, a systemd service and timer trigger the package manager pacman to sync the repositories and upgrade all packages once an hour:

# /etc/systemd/system/autoupdate.service
[Unit]
Description=Automatic Update
# After= only orders the unit; Wants= is what actually pulls the network target in.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/autoupdate.timer
[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=autoupdate.service

[Install]
WantedBy=multi-user.target

systemctl enable --now autoupdate.timer

The last command enables the timer (so it starts on boot) and starts it right away. The second part describes how to set up an extra user, which will automatically fetch and build AUR packages using the helper aurutils:

cd /tmp
wget "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz"
tar xvf aurutils.tar.gz
cd aurutils
gpg --recv-keys 6BC26A17B9B7018A
makepkg -i

The following files define the local pacman repository into which the compiled AUR packages are placed. Note that SigLevel = Optional TrustAll turns signature verification off for this repository: pacman will install whatever lands in /var/cache/pacman/aur, so only the aur user and root may be able to write there.

# /etc/pacman.d/aur (the file pulled in by the Include line below)
[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

# /etc/pacman.conf
[...]
Include = /etc/pacman.d/aur

The new aur user gets passwordless sudo for exactly the two commands aurutils needs to build packages in a clean chroot:

# /etc/sudoers (edit with visudo)
[...]
aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg
aur ALL = NOPASSWD: /usr/bin/arch-nspawn
[...]

Create the user and the repository:

sudo useradd -m aur
sudo install -d /var/cache/pacman/aur -o aur
sudo repo-add /var/cache/pacman/aur/aur.db.tar
sudo chown -R aur:aur /var/cache/pacman/aur
sudo -u aur gpg --recv-keys 6BC26A17B9B7018A

# /etc/systemd/system/aurupdate.service
[Unit]
Description=Automatic update AUR repository.
# After= only orders the unit; Wants= is what actually pulls the network target in.
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=aur
ExecStart=/usr/bin/aur sync --no-view -cu
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/aurupdate.timer
[Unit]
Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes.

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=aurupdate.service

[Install]
WantedBy=multi-user.target

systemctl enable --now aurupdate.timer

The last command enables the AUR auto-update timer (so it starts on boot) and starts it right away. Please note that unattended system upgrades of this kind are considered bad practice, pose a security risk and can damage your system. It is recommended to test this in an experimental development environment first.

Running AUR updates unattended (with --no-view) is a bad idea. AUR packages may be orphaned at any time, and taken over by someone with less than good intentions (see, for example, acroread).

If you want to update AUR packages on a timer, at the very least implement a trust system that checks maintainers. An example: https://github.com/alexheretic/aurto

Furthermore, pacman -Syu on a timer is equally problematic (despite not being warned against in this article). Upgrades from the Arch Linux repositories always assume they are done interactively, so that the user can see post-install messages, merge .pacnew files and make other necessary changes.

Not to mention an unattended upgrade will make debugging (in particular, pinpointing which packages cause undesired behavior) significantly harder.
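One way to implement the maintainer check suggested above, as an added example that is not part of the original post, of aurutils or of aurto: the script reads the package names of the local aur repository from stdin, asks the AUR RPC who currently maintains each one, and prints only the names whose maintainer is on an allowlist, holding orphaned, re-owned and deleted packages. The maintainer names in TRUSTED, the package names in the constructed sample response and the file name aur-gate.py are hypothetical.

```python
"""Maintainer allowlist gate for unattended AUR rebuilds.  Added example, not
part of the original post, aurutils or aurto.  Package names arrive on stdin,
the AUR RPC v5 'info' endpoint reports who maintains each one, and only names
whose maintainer is on the allowlist are printed; the rest are held."""
import json
import sys
import urllib.parse
import urllib.request

AUR_RPC = "https://aur.archlinux.org/rpc/?v=5&type=info&"
TRUSTED = frozenset({"alice", "bob"})  # hypothetical maintainer names
# Constructed sample in the shape of an RPC v5 multiinfo response (runs offline).
SAMPLE_RPC = json.dumps({"version": 5, "type": "multiinfo", "resultcount": 3, "results": [
    {"Name": "pkg-ok", "Maintainer": "alice", "OutOfDate": None},
    {"Name": "pkg-takeover", "Maintainer": "mallory", "OutOfDate": None},
    {"Name": "pkg-orphan", "Maintainer": None, "OutOfDate": None},
]})

def classify(rpc_json, requested, trusted=TRUSTED):
    """Return (allowed names, {held name: reason}) for the requested packages."""
    info = json.loads(rpc_json)
    if info.get("type") == "error":  # the RPC signals bad requests in-band
        raise RuntimeError(info.get("error", "AUR RPC returned an error"))
    records = {r["Name"]: r for r in info.get("results", [])}
    allow, hold = [], {}
    for name in requested:
        rec = records.get(name)
        if rec is None:
            hold[name] = "not found in AUR (deleted or renamed)"
        elif rec.get("Maintainer") is None:
            hold[name] = "orphaned; anyone can adopt it"
        elif rec["Maintainer"] not in trusted:
            hold[name] = f"maintainer '{rec['Maintainer']}' is not on the allowlist"
        else:
            allow.append(name)
    return allow, hold

def fetch_info(names):
    """Fetch the RPC info response for the given names and return the JSON text."""
    query = urllib.parse.urlencode([("arg[]", n) for n in names])
    with urllib.request.urlopen(AUR_RPC + query, timeout=30) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    names = [ln.strip() for ln in sys.stdin if ln.strip()]
    rpc = fetch_info(names) if names else SAMPLE_RPC  # no input: offline demo
    allow, hold = classify(rpc, names or ["pkg-ok", "pkg-takeover", "pkg-orphan"])
    for name, why in hold.items():
        print(f"HOLD {name}: {why}", file=sys.stderr)
    print("\n".join(allow))
```

Run it as the aur user before the sync, e.g. `pacman -Slq aur | python3 aur-gate.py`, and pass only the printed names to aur sync instead of letting -u rebuild everything.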
