How to Enable Unattended Upgrades on Ubuntu/Debian
Linux server security is of critical importance to sysadmins. One central part of keeping Linux servers secure is by installing security updates promptly. Too often, there are compromised servers on the internet due to pending security updates waiting for a manual update. On both Ubuntu and Debian, the unattended-upgrades package can be configured to perform unattended-upgrades to install updated packages and security updates automatically.
In general, on critical servers where you cannot afford unplanned downtime should be very careful with unattended-upgrades (or automatic updates). While there are reasons to be cautious, it is also worth considering. With that said, let’s jump right in!
Table of Contents
Install unattended-upgrades
As of Debian 9, both the unattended-upgrades and apt-listchanges packages are installed by default. Recent releases of Ubuntu also come with unattended-upgrades installed by default. To install the unattended-upgrades package, enter the following in your terminal:
sudo apt update && sudo apt upgrade sudo apt install unattended-upgrades
Remember, you’ll want to monitor updates and changes to your Linux server over time. You can monitor via /var/log/dpkg.log or read the log files in /var/log/unattended-upgrades/. You can also monitor changes by installing the apt-listchanges package (optional).
sudo apt install apt-listchanges
The apt-listchanges can be configured to send emails about update changes. apt-listchanges is a tool to show what has been changed in a new version of a Debian package compared to the version currently installed on the system. It does this by extracting the relevant entries from the NEWS.Debian and changelog[.Debian] files, usually found in /usr/share/doc/package, from Debian package archives. On both Debian and Ubuntu, as Ubuntu is a derivative of Debian.
Configure unattended-upgrades
The unattended-upgrades config file location is /etc/apt/apt.conf.d/50unattended-upgrades.
Lines starting with a double slash // have no effect. Therefore, to “enable” a line, remove the double slash //.
Selecting what to update
The section that controls what packages are updated automatically starts with Unattended-Upgrade::Allowed-Origins {. It will look something like the above screenshot. You can enable all packages or security updates only. By default, it will only install security updates. To enable updates from other repositories, uncomment the repository by removing the double slash // from the start of the line. Example:
"${distro_id}:${distro_codename}-updates";
Here are some details on the update types available, as explained by Ubuntu:
“${distro_id}:${distro_codename}-security”; – Auto updating security updates will patch holes and vulnerabilities on your server.
“${distro_id}:${distro_codename}-updates”; – Updates (aka Recommended Updates) contain non-critical updates which can remove major annoyances and broken packages but which do not affect your security. Other than fixing some, they do not enable any features. Enabling this is generally a good idea. The amount to download as well as the changes are not too big, but it improves your server stability in various ways.
“${distro_id}:${distro_codename}-proposed”; – The proposed updates are updates that are waiting to be moved into the recommended updates queue after some testing. They may never reach recommended, or they may be replaced with a more recent update. Enabling this is reasonable if you want to participate in testing minor updates or know that your specific problem has been solved here, but the package hasn’t reached recommended yet. WARNING: Enabling the proposed updates repository can break your system. It is not recommended for inexperienced users.
“${distro_id}:${distro_codename}-backports”; – Backported updates are pieces of software that come from a newer major release. Thus, they can contain new features but may also break compatibility with their older version. However, they are compiled specifically for your version of Ubuntu. In effect, it saves you the hassle of broken dependencies and major downloads. Enabling this is reasonable if you want new features but don’t want your system to be unstable.
Enabling email reporting
Next, to enable email reporting. Find this line:
//Unattended-Upgrade::Mail "root";
Change it to:
Unattended-Upgrade::Mail "replacewithyouremail";
You can also leave it set to the default “root” to send email reports to the server’s root account. Here’s an example of unattended-upgrades mail config:
The remainder of the config file is self-explanatory. If you have any questions, post them below.
Configure update frequency
By default, unattended upgrades will install available updates daily. To confirm, take a look at the config file: /etc/apt/apt.conf.d/20auto-upgrades. It should look like this:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Update-Package-Lists – allows you to specify the frequency (in days) at which the package lists are refreshed.
APT::Periodic::Unattended-Upgrade – When enabled, the daily script will execute unattended-upgrade.
APT::Periodic::Download-Upgradeable-Packages – Frequency (in days) for the downloading of the actual packages.
APT::Periodic::AutocleanInterval – It controls how often obsolete packages are removed from the APT cache. This keeps the APT cache at a reasonable size and means that you don’t need to worry about that task.
Sample config:
The above configuration will update package lists, download packages, and install available upgrades daily. At the same time, APT cache will be cleaned every 7 days.
Test unattended-upgrades
You can test your config with a dry run. Use the following command. Refer to the man page for help:
sudo unattended-upgrades --dry-run --debug
Conclusion
By enabling Unattended Upgrades (Automatic Updates) on Ubuntu or Debian servers, you’ve taken an important step to protect your server from vulnerabilities. Manually updating the system and applying patches can be a very time-consuming process. Unattended Upgrades save a lot of time. However, for many servers and/or VMs, I would recommend using bulk automation tools such as Ansible, Salt, Chef, Puppet, etc. Automatic updates are also available on Red Hat, CentOS and Fedora Linux. I will post a how-to article about this next.
I have been in the process of looking into Linux servers so knowing this right out the gate is extremely useful. I am always looking for ways to run a more secure system both on and offline.
So using a bulk auto update system is still a better option? I am asking from a beginner’s level.
There’s a couple of things Hayden missed. One is apticron, it sends an email advising you of updates and runs nightly as a Cron job. apt-listdiffences will tell you the changes made in those packages, apt-listchanges tells the changes made from one version to the next.There’s also a program that’s called needsrestart which will advise you of any services or processes that needs restarting after an upgrade. There’s also line in unattended-upgrades to auto restart the listed services if needsrestart shows a restart of those is needed. It’s also important to note that upgrade and dist-upgrade (or full-upgrade) do different things. From the man page for apt upgrade:
upgrade (apt-get(8))
upgrade is used to install available upgrades of all packages
currently installed on the system from the sources configured via
sources.list(5). New packages will be installed if required to
satisfy dependencies, but existing packages will never be removed.
If an upgrade for a package requires the removal of an installed
package the upgrade for this package isn’t performed.
From the man page of full-upgrade (apt-get(8))
full-upgrade performs the function of upgrade but will remove
currently installed packages if this is needed to upgrade the
system as a whole.
From the man page of dist-upgrade (apt-get(8)
dist-upgrade in addition to performing the function of upgrade,
also intelligently handles changing dependencies with new versions
of packages; apt-get has a “smart” conflict resolution system, and
it will attempt to upgrade the most important packages at the
expense of less important ones if necessary. The dist-upgrade
command may therefore remove some packages. The
/etc/apt/sources.list file contains a list of locations from which
to retrieve desired package files. See also apt_preferences(5) for
a mechanism for overriding the general settings for individual
packages.
So unattended upgrades is a handy tool but don’t expect it to completely upgrade your system, you will still need to do a full or dist-upgrade occasionally.
Thanks for this @tmick
I usually don’t like automatic updates because I like to review what the updates are first - But when it comes to security patches, it just seems like a good idea.
I’ll test this on my Ubuntu server this weekend.
I am the same way. I prefer to see what is being changed right in front of me. Auto-updates seem to gloss over things or not mention everything. It is still convenient to have things running on their own for security reasons as well as time management. Not that Linux updates are every a major issues.