Auto update Archlinux and user repository

In this post I'm going to describe how to set up automatic package upgrades / system updates. In the first part, a systemd service and timer trigger the package manager pacman to sync the repositories and upgrade the installed packages every hour:

autoupdate.service (placed in /etc/systemd/system/):

[Unit]
Description=Automatic Update
# After= only orders the unit; Wants= actually pulls network-online.target in
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/pacman -Syuq --noconfirm --needed --noprogressbar
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

autoupdate.timer (same directory):

[Unit]
Description=Automatic Update when booted up after 5 minutes then check the system for updates every 60 minutes

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=autoupdate.service

[Install]
WantedBy=multi-user.target

Enable and start the timer:

systemctl enable --now autoupdate.timer

The last command enables the timer at boot and starts it right away. The second part describes how to set up an extra user which automatically fetches and builds AUR packages using the helper aurutils:

cd /tmp
wget "https://aur.archlinux.org/cgit/aur.git/snapshot/aurutils.tar.gz"
tar xvf aurutils.tar.gz
cd aurutils
gpg --recv-keys 6BC26A17B9B7018A
makepkg -i

The following files define the special pacman repository in which the compiled AUR packages will be placed. SigLevel = Optional TrustAll tells pacman to accept the locally built, unsigned packages from this repository; that is tolerable only because the repository is a local directory written by the aur user, not a remote mirror:

/etc/pacman.conf:

[options]
CacheDir = /var/cache/pacman/pkg
CacheDir = /var/cache/pacman/aur
CleanMethod = KeepCurrent

[aur]
SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

Equivalently, the repository definition can live in its own file, /etc/pacman.d/aur:

SigLevel = Optional TrustAll
Server = file:///var/cache/pacman/aur

which is then pulled into the [aur] section of /etc/pacman.conf:

[...]
[aur]
Include = /etc/pacman.d/aur

The new aur user gets extra sudo permissions to build packages in a clean chroot (the -c flag of aur sync below calls makechrootpkg and arch-nspawn), added to /etc/sudoers with visudo:

[...]
aur ALL = NOPASSWD: SETENV: /usr/bin/makechrootpkg
aur ALL = NOPASSWD: /usr/bin/arch-nspawn
[...]

Create the user and the repository:

sudo useradd -m aur
sudo install -d /var/cache/pacman/aur -o aur
sudo repo-add /var/cache/pacman/aur/aur.db.tar
sudo chown -R aur:aur /var/cache/pacman/aur
sudo -u aur gpg --recv-keys 6BC26A17B9B7018A

aurupdate.service (placed in /etc/systemd/system/):

[Unit]
Description=Automatic update AUR repository.
# After= only orders the unit; Wants= actually pulls network-online.target in
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=aur
ExecStart=/usr/bin/aur sync --no-view -cu
TimeoutStopSec=180
KillMode=process
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target

aurupdate.timer (same directory):

[Unit]
Description=Automatic update AUR repository when booted up after 5 minutes then check for updates every 60 minutes.

[Timer]
OnBootSec=5min
OnUnitActiveSec=60min
Unit=aurupdate.service

[Install]
WantedBy=multi-user.target

Enable and start the timer:

systemctl enable --now aurupdate.timer

The last command enables the timer at boot and starts the AUR auto update right away. Please note that this approach to system upgrading is considered bad practice, poses a security risk and can damage your system. It is recommended to test this only in experimental development environments.
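One thing an unattended pacman -Syu silently drops is everything an operator would have read on the terminal: which packages changed, which configuration files were left as .pacnew, and any warnings or post-install notes. The following script is an added example (not part of the original post) that reads pacman's log, isolates the most recent pacman run and turns those items into a report with a non-zero exit status when something needs a human. The log path is pacman's default; the sample log lines, versions and the scriptlet message are constructed for illustration.

```python
#!/usr/bin/env python3
"""Post-upgrade triage for unattended pacman runs (added example, not from the post).

Reads /var/log/pacman.log, keeps only the most recent pacman invocation, and
reports what an interactive operator would have seen: upgraded packages,
.pacnew/.pacsave files waiting to be merged, ALPM warnings and scriptlet output.
"""
import re
import sys
from pathlib import Path

LOG_PATH = Path("/var/log/pacman.log")  # pacman's default log location

# Log lines look like:
#   [2024-01-15T10:05:30+0000] [ALPM] upgraded openssl (3.1.4-1 -> 3.2.0-1)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
UPGRADE_RE = re.compile(r"^upgraded (?P<pkg>\S+) \((?P<old>\S+) -> (?P<new>\S+)\)$")
PACNEW_RE = re.compile(r"installed as (?P<path>\S+\.pac(?:new|save))")

# Constructed sample in pacman.log format (two consecutive timer runs).
SAMPLE_LOG = """\
[2024-01-14T10:00:00+0000] [PACMAN] Running 'pacman -Syuq --noconfirm --needed --noprogressbar'
[2024-01-14T10:00:05+0000] [ALPM] upgraded zlib (1:1.3-1 -> 1:1.3.1-1)
[2024-01-14T10:00:06+0000] [ALPM] transaction completed
[2024-01-15T10:05:12+0000] [PACMAN] Running 'pacman -Syuq --noconfirm --needed --noprogressbar'
[2024-01-15T10:05:13+0000] [ALPM] transaction started
[2024-01-15T10:05:30+0000] [ALPM] upgraded openssl (3.1.4-1 -> 3.2.0-1)
[2024-01-15T10:05:31+0000] [ALPM] upgraded pacman (6.0.2-7 -> 6.0.2-8)
[2024-01-15T10:05:31+0000] [ALPM] warning: /etc/pacman.conf installed as /etc/pacman.conf.pacnew
[2024-01-15T10:05:32+0000] [ALPM] upgraded linux (6.6.10.arch1-1 -> 6.6.11.arch1-1)
[2024-01-15T10:05:33+0000] [ALPM-SCRIPTLET] ==> You need to reboot for the new kernel to take effect
[2024-01-15T10:05:34+0000] [ALPM] transaction completed
"""


def last_run(lines):
    """Return only the log lines belonging to the most recent pacman invocation."""
    start = 0
    for i, line in enumerate(lines):
        m = LINE_RE.match(line)
        if m and m.group("src") == "PACMAN" and m.group("msg").startswith("Running "):
            start = i
    return lines[start:]


def triage(lines):
    """Classify the last run's lines into upgrades, pacnew files, warnings, scriptlet output."""
    report = {"upgraded": [], "pacnew": [], "warnings": [], "scriptlet": []}
    for line in last_run(lines):
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        src, msg = m.group("src"), m.group("msg")
        if src == "ALPM":
            u = UPGRADE_RE.match(msg)
            if u:
                report["upgraded"].append((u["pkg"], u["old"], u["new"]))
            elif msg.startswith("warning: "):
                p = PACNEW_RE.search(msg)
                if p:
                    report["pacnew"].append(p["path"])
                else:
                    report["warnings"].append(msg[len("warning: "):])
        elif src == "ALPM-SCRIPTLET":
            report["scriptlet"].append(msg)
    return report


def needs_attention(report):
    """True when the run left work that an interactive upgrade would have shown."""
    return bool(report["pacnew"] or report["warnings"] or report["scriptlet"])


def main(path=LOG_PATH):
    report = triage(path.read_text(errors="replace").splitlines())
    for pkg, old, new in report["upgraded"]:
        print(f"upgraded {pkg}: {old} -> {new}")
    for cfg in report["pacnew"]:
        print(f"MERGE NEEDED: {cfg}")
    for w in report["warnings"]:
        print(f"WARNING: {w}")
    for s in report["scriptlet"]:
        print(f"NOTE: {s}")
    return 1 if needs_attention(report) else 0


if __name__ == "__main__":
    sys.exit(main(Path(sys.argv[1]) if len(sys.argv) > 1 else LOG_PATH))
```

Hooked in as an ExecStartPost= line of autoupdate.service (under a hypothetical path such as /usr/local/bin/pacman-triage), the service is marked failed whenever a .pacnew, a warning or a scriptlet note was produced, so `systemctl --failed` or journal alerting surfaces the runs that need a human instead of letting them pass silently.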


Comments

  1. Running AUR updates unattended (with --noview) is a bad idea. AUR packages may be orphaned at any time, and taken over by someone with less than good intentions. (see for example, acroread.)

    If you want to update AUR packages on a timer, at the very least implement a trust system that checks maintainers. An example: https://github.com/alexheretic/aurto

  2. Furthermore, pacman -Syu on a timer is equally problematic (despite not being warned against in this article). Upgrades from the Arch Linux repositories always assume they are done interactively, so that the user can see post-install messages, merge .pacnew files and do other necessary changes.

    Not to mention an unattended upgrade will make debugging (in particular, pinpointing which packages cause undesired behavior) significantly harder.
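The first comment's suggestion, a trust check on maintainers before anything is built, can be implemented with the AUR's RPC, whose v5 info endpoint returns a `Maintainer` field that is null for orphaned packages. The script below is an added example, not part of the post or of aurutils: it compares each package against a pinned allowlist written down when the package was vetted by hand, and refuses the run if a package is orphaned, has changed maintainer, or has disappeared. The pinned package names, maintainer names and the embedded RPC response are constructed for illustration.

```python
#!/usr/bin/env python3
"""Maintainer trust gate for unattended AUR builds (added example, not from the post).

Compares the current AUR maintainer of every pinned package against the
maintainer recorded when the package was last reviewed. An orphaned package,
a changed maintainer or a vanished package all abort the run, because those
are exactly the states in which a hostile takeover of a PKGBUILD shows up.
"""
import json
import sys
import urllib.parse
import urllib.request

# AUR RPC v5 'info' endpoint; arg[]= may be repeated for several packages.
AUR_RPC = "https://aur.archlinux.org/rpc/?v=5&type=info"

# Hypothetical pinned allowlist: package -> maintainer vetted by hand.
PINNED = {
    "example-tool": "alice",
    "example-lib": "bob",
}

# Constructed sample of an RPC info response: example-lib has been orphaned.
SAMPLE_RESPONSE = {
    "version": 5,
    "type": "multiinfo",
    "resultcount": 2,
    "results": [
        {"Name": "example-tool", "PackageBase": "example-tool", "Maintainer": "alice"},
        {"Name": "example-lib", "PackageBase": "example-lib", "Maintainer": None},
    ],
}


def fetch_info(names, timeout=10):
    """Query the AUR RPC for the given package names and return the parsed JSON."""
    query = "&".join("arg[]=" + urllib.parse.quote(n) for n in names)
    with urllib.request.urlopen(f"{AUR_RPC}&{query}", timeout=timeout) as resp:
        return json.load(resp)


def check_maintainers(pinned, rpc_response):
    """Return (approved, refused); refused entries are (name, reason) pairs."""
    results = {r["Name"]: r for r in rpc_response.get("results", [])}
    approved, refused = [], []
    for name, expected in pinned.items():
        info = results.get(name)
        if info is None:
            refused.append((name, "not found in AUR (removed or renamed)"))
            continue
        actual = info.get("Maintainer")
        if actual is None:
            refused.append((name, "orphaned: no maintainer"))
        elif actual != expected:
            refused.append((name, f"maintainer changed: {expected} -> {actual}"))
        else:
            approved.append(name)
    return approved, refused


def main():
    approved, refused = check_maintainers(PINNED, fetch_info(PINNED))
    for name, reason in refused:
        print(f"REFUSED {name}: {reason}", file=sys.stderr)
    for name in approved:
        print(name)
    # Any refusal fails the whole run so nothing untrusted gets built.
    return 1 if refused else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run as an ExecStartPre= line of aurupdate.service (under a hypothetical path such as /usr/local/bin/aur-trust-check), a non-zero exit stops systemd from starting `aur sync` at all; a maintainer change then has to be reviewed and the allowlist updated by hand before the timer builds anything again.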
