How to Enable Unattended Upgrades on Ubuntu/Debian

Linux server security is important for sysadmins. A central part of keeping a Linux server secure is installing security updates quickly. Servers on the Internet are often compromised because security updates were pending while they waited for a manual update. On both Ubuntu and Debian, the unattended-upgrades package can be configured to automatically install updated packages and security updates.

In general, be very careful with unattended upgrades (automatic updates) on critical servers where you cannot tolerate unplanned downtime. While there are reasons to be cautious, it is also worth considering. With that, let's jump right in!

Install unattended-upgrades

As of Debian 9, both the unattended-upgrades and apt-listchanges packages are installed by default. Recent releases of Ubuntu also come with unattended-upgrades installed by default. To install the unattended-upgrades package, enter the following in your terminal:

sudo apt update && sudo apt upgrade
sudo apt install unattended-upgrades

Remember, you will want to monitor updates and changes to your Linux server over time. You can do this through /var/log/dpkg.log or by reading the log files in /var/log/unattended-upgrades/. You can also monitor changes by installing the apt-listchanges package (optional):

sudo apt install apt-listchanges

apt-listchanges can be configured to send emails about the changes in each update. apt-listchanges is a tool that shows what has changed in a new version of a Debian package compared to the version currently installed on the system. It does this by extracting the relevant entries from the NEWS.Debian and changelog[.Debian] files, usually found in /usr/share/doc/package, in the Debian package archives. This applies to both Debian and Ubuntu, since Ubuntu is a derivative of Debian.

Configure unattended-upgrades

The unattended-upgrades config file is located at /etc/apt/apt.conf.d/50unattended-upgrades.

Lines starting with a double slash // are comments and have no effect. So, to "enable" a line, remove the double slash // from its beginning.

Choose what to update

The section that controls which packages are updated automatically starts with Unattended-Upgrade::Allowed-Origins {. It will look something like the screenshot above. You can enable all updates or only security updates. By default, it will only install security updates. To enable updates from other repositories, uncomment the repository by removing the double slash // from the beginning of the line. Example:

"${distro_id}:${distro_codename}-updates";

Here are some details about the available update types, as explained by Ubuntu:

"${distro_id}:${distro_codename}-security"; – Security updates patch holes and vulnerabilities on your server.

"${distro_id}:${distro_codename}-updates"; – Updates (aka Recommended Updates) contain non-critical updates that can remove major annoyances and fix broken packages but which do not affect your security. Other than fixing a few things, they don't enable any features. It's generally a good idea to enable it. Neither the download volume nor the changes are huge, but it improves the stability of your server in various ways.

"${distro_id}:${distro_codename}-proposed"; – Proposed updates are updates that are waiting to be moved to the recommended updates queue after some testing. They may never reach recommended, or they may be replaced by a more recent update. It is advisable to enable it only if you want to participate in testing minor updates or know that your specific problem has been solved here but the package has not yet reached recommended. WARNING: Enabling the proposed updates repository may break your system. It is not recommended for inexperienced users.

"${distro_id}:${distro_codename}-backports"; – Backported updates are pieces of software that come from a newer major release. Thus, they may include new features, but they may also break compatibility with their older version. However, they are compiled specifically for your version of Ubuntu, which saves you the hassle of broken dependencies and major downloads. If you want new features but don't want to destabilize your system, it is advisable to enable it.

Enable email reporting

Next, to enable email reporting, find this line:

//Unattended-Upgrade::Mail "root";

Change it to:

Unattended-Upgrade::Mail "replacewithyouremail";

You can also leave it set to the default "root" to send email reports to the server's root account. Here's an example of an unattended-upgrades mail configuration:

[Screenshot: unattended-upgrades mail configuration]

The rest of the configuration file is self-explanatory. If you have any questions, post below.
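As an added example (not from the original article or the unattended-upgrades project), the following shell function writes the Allowed-Origins and mail settings from the two sections above into a separate drop-in file instead of hand-editing 50unattended-upgrades; the file name 52unattended-upgrades-local and the target-directory parameter are assumptions. apt reads apt.conf.d in name order, so scalar settings in this file override the stock file and the Allowed-Origins entries are appended to its list.

```shell
# Render a drop-in apt configuration for unattended-upgrades.
# $1 = target directory (use /etc/apt/apt.conf.d as root on a real host,
#      or a scratch directory to inspect the result first)
# $2 = mail recipient (defaults to root, like the stock file)
write_unattended_config() {
    dir=$1
    mail=${2:-root}
    cat > "$dir/52unattended-upgrades-local" <<EOF
// Allow security updates and the -updates pocket; leave -proposed and
// -backports out so an unattended run never pulls in untested packages.
Unattended-Upgrade::Allowed-Origins {
    "\${distro_id}:\${distro_codename}-security";
    "\${distro_id}:\${distro_codename}-updates";
};
// Mail a report only when a package changed or something failed.
// (MailReport is unattended-upgrades 2.x; older releases use
// Unattended-Upgrade::MailOnlyOnError "true"; instead.)
Unattended-Upgrade::Mail "$mail";
Unattended-Upgrade::MailReport "on-change";
// Remove dependencies that are no longer needed after an upgrade.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Never reboot on its own; a planned maintenance window handles that.
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Count the origins that are active (not commented out) in the
# Allowed-Origins block of a config file; handy as a quick audit of
# whether more than the security pocket has been enabled.
enabled_origins() {
    sed -n '/Allowed-Origins {/,/^};/p' "$1" | grep -c '^[[:space:]]*"'
}
```

Point enabled_origins at /etc/apt/apt.conf.d/50unattended-upgrades on a live host to see how many origins are active there, and follow any change with the dry run from the testing section below.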

Configure update frequency

By default, unattended-upgrades will install available updates daily. To confirm, take a look at the config file /etc/apt/apt.conf.d/20auto-upgrades. It should look like this:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

APT::Periodic::Update-Package-Lists – Specifies the frequency (in days) at which package lists are refreshed.

APT::Periodic::Unattended-Upgrade – When enabled, the daily script runs unattended-upgrade.

APT::Periodic::Download-Upgradeable-Packages – Frequency (in days) at which the actual packages are downloaded.

APT::Periodic::AutocleanInterval – Controls how often obsolete packages are removed from the APT cache. This keeps the apt cache at a reasonable size and means you don’t need to worry about that task.

Sample configuration:

[Screenshot: 20auto-upgrades sample configuration]

The above configuration will update the package lists, download the packages, and install the available upgrades daily. At the same time, the APT cache will be cleared every 7 days.
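As an added example (not from the original article), the following shell functions read the APT::Periodic values from a 20auto-upgrades-style file and report whether unattended upgrades are actually scheduled, treating a missing key as "0" (disabled) just as APT does. The sample file is constructed to match the schedule described above.

```shell
# Print the numeric value of an APT::Periodic key from a config file.
# $1 = file, $2 = key (e.g. APT::Periodic::Unattended-Upgrade)
# The last definition wins, and a missing key yields 0 (disabled).
periodic_value() {
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$1" | tail -n 1)
    echo "${v:-0}"
}

# Succeed only when both the package-list refresh and the unattended run
# are scheduled; either one at 0 means updates never get installed.
auto_upgrades_enabled() {
    [ "$(periodic_value "$1" APT::Periodic::Update-Package-Lists)" != 0 ] &&
    [ "$(periodic_value "$1" APT::Periodic::Unattended-Upgrade)" != 0 ]
}

# Constructed sample matching the article: refresh lists, download and
# install daily, clean the APT cache every 7 days.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF

if auto_upgrades_enabled "$SAMPLE"; then
    echo "unattended upgrades scheduled; autoclean every $(periodic_value "$SAMPLE" APT::Periodic::AutocleanInterval) days"
else
    echo "unattended upgrades are NOT scheduled" >&2
fi
```

Run auto_upgrades_enabled against /etc/apt/apt.conf.d/20auto-upgrades on a live host to check the real schedule.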

Testing unattended-upgrades

You can test your configuration with a dry run using the following command. See the man page for help:

sudo unattended-upgrades --dry-run --debug

Conclusion

By turning on unattended upgrades (automatic updates) on Ubuntu or Debian servers, you have taken an important step to protect your server from vulnerabilities. Updating the system manually and applying patches can be a very time-consuming process, and unattended upgrades save a lot of time. However, for multiple servers and/or VMs, I would recommend using a bulk automation tool like Ansible, Salt, Chef, Puppet, etc. Automatic updates are also available on Red Hat, CentOS and Fedora Linux. I'll post a how-to article about it next.
