Retrospective IT

Automatic Updates for Ubuntu

Keeping your Linux servers up-to-date isn't that hard, but when a server is not of huge importance, or is one you don't necessarily look at very often, security patches and updates can fall behind. Luckily, we have unattended-upgrades, the Linux equivalent of Microsoft's automatic updates.

It makes updating really simple. You install the package, set it to run, and forget it. This post will cover the installation and configuration of unattended upgrades on Ubuntu.

The first step we'll take is to update apt and install the unattended-upgrades package:

apt update
apt install unattended-upgrades

Next we’ll edit the 50unattended-upgrades file located in /etc/apt/apt.conf.d to set our repos and a few other options. The changes I make are uncommenting all Repositories, Mail, MailOnlyOnError, Automatic-Reboot, and Automatic-Reboot-Time. My entire config is listed below:

nano /etc/apt/apt.conf.d/50unattended-upgrades

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on an unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while an upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "[email protected]";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
// Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

If you prefer to get an email whenever updates complete, you can leave MailOnlyOnError commented out. There are other options you can change, such as blacklisting a package or limiting download bandwidth; just make sure to read the description of each item before uncommenting it.

After unattended-upgrades is set up, check the logs in a day or so, at /var/log/unattended-upgrades/, to ensure everything is working correctly.
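The post installs the package and edits 50unattended-upgrades, but what actually schedules the runs is a second file, /etc/apt/apt.conf.d/20auto-upgrades, which enables the APT::Periodic jobs (dpkg-reconfigure -plow unattended-upgrades writes it for you). The script below is an added example, not code from the post, that checks both halves of the setup: that the periodic jobs are switched on, that Allowed-Origins does not still pull from the pre-release -proposed pocket, and that the log in /var/log/unattended-upgrades/ shows clean runs, which upgrades were applied, and whether a reboot is pending. It runs against constructed sample files in a temporary directory; the log line format (timestamp, level, message) is assumed to match what unattended-upgrade writes, and the real paths are named in the comments so you can point the functions at an actual host.

```shell
#!/bin/sh
# Added example (not part of the original post): confirm that unattended-upgrades
# is enabled and that its log shows clean runs. Default Ubuntu paths are noted
# in comments; every file below is a constructed sample, not a real system file.

# Return 0 when an apt.conf.d-style file (normally 20auto-upgrades) turns on both
# periodic jobs: the package list refresh and the unattended upgrade itself.
periodic_enabled() {
    grep -Eq '^APT::Periodic::Update-Package-Lists[[:space:]]+"1";' "$1" &&
    grep -Eq '^APT::Periodic::Unattended-Upgrade[[:space:]]+"1";' "$1"
}

# Return 0 when an uncommented Allowed-Origins entry still names the -proposed
# pocket (pre-release packages). Commented "//" lines do not match.
proposed_allowed() {
    grep -Eq '^[[:space:]]*"[^"]*-proposed";' "$1"
}

# Count runs that finished with every package installed.
count_ok_runs() {
    n=$(grep -c 'All upgrades installed' "$1" || true)
    echo "$n"
}

# Count ERROR-level lines (assumed log format: "<timestamp> <LEVEL> <message>").
count_errors() {
    n=$(grep -c ' ERROR ' "$1" || true)
    echo "$n"
}

# Print the packages upgraded by the most recent run, one per line.
last_upgraded_packages() {
    grep 'Packages that will be upgraded:' "$1" | tail -n 1 |
        sed 's/.*Packages that will be upgraded: *//' | tr ' ' '\n' | sed '/^$/d'
}

# Return 0 when the flag file apt leaves after a kernel/libc update is present;
# this is the file Automatic-Reboot looks for (/var/run/reboot-required).
reboot_pending() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

# --- constructed sample inputs -------------------------------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

cat > "$SAMPLE_DIR/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
EOF

cat > "$SAMPLE_DIR/unattended-upgrades.log" <<'EOF'
2024-01-10 02:00:01,100 INFO Starting unattended upgrades script
2024-01-10 02:00:01,200 INFO Allowed origins are: o=Ubuntu,a=jammy-security, o=Ubuntu,a=jammy-updates
2024-01-10 02:00:05,300 INFO Packages that will be upgraded: libssl3 openssl
2024-01-10 02:00:40,400 INFO All upgrades installed
2024-01-11 02:00:01,100 INFO Starting unattended upgrades script
2024-01-11 02:00:02,200 INFO No packages found that can be upgraded unattended and no pending auto-removals
EOF

# A second constructed log with a failed run, to show error detection.
cat > "$SAMPLE_DIR/failed.log" <<'EOF'
2024-01-12 02:00:01,100 INFO Starting unattended upgrades script
2024-01-12 02:00:09,500 ERROR Installing the upgrades failed!
EOF

touch "$SAMPLE_DIR/reboot-required"

# Summary over the samples. On a real host use /etc/apt/apt.conf.d/20auto-upgrades,
# /etc/apt/apt.conf.d/50unattended-upgrades and
# /var/log/unattended-upgrades/unattended-upgrades.log instead.
LOG="$SAMPLE_DIR/unattended-upgrades.log"
if periodic_enabled "$SAMPLE_DIR/20auto-upgrades"; then echo "periodic jobs: enabled"; else echo "periodic jobs: DISABLED"; fi
if proposed_allowed "$SAMPLE_DIR/50unattended-upgrades"; then echo "origins: -proposed is enabled"; else echo "origins: -proposed not enabled"; fi
echo "ok runs: $(count_ok_runs "$LOG")"
echo "errors:  $(count_errors "$LOG")"
echo "last upgraded: $(last_upgraded_packages "$LOG" | tr '\n' ' ')"
if reboot_pending "$SAMPLE_DIR/reboot-required"; then echo "reboot: pending"; else echo "reboot: not needed"; fi
```

Because Automatic-Reboot is set to "true" in the config above, the reboot_pending check is the one to run before a maintenance window: if the flag is present, the host will restart at Automatic-Reboot-Time without further confirmation.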
