In this tutorial, you will learn how to enable automatic updates and upgrades including security updates in Ubuntu.
I will assume that you have SSH access to an Ubuntu server.
1. Install Unattended Upgrades
Installing the following packages will allow for unattended upgrades on your system.
apt install unattended-upgrades apt install update-notifier-common
2. Configure Unattended Upgrades
Set your automatic upgrade preferences in the
/etc/apt/apt.conf.d/50unattended-upgrades file. These are the settings I use on most of my systems.
//Unattended-Upgrade::InstallOnShutdown "false"; // Send email to this address for problems or packages upgrades // If empty or unset then no email is sent, make sure that you // have a working mail setup on your system. A package that provides // 'mailx' must be installed. E.g. "firstname.lastname@example.org" Unattended-Upgrade::Mail "email@example.com"; // Set this value to one of: // "always", "only-on-error" or "on-change" // If this is not set, then any legacy MailOnlyOnError (boolean) value // is used to chose between "only-on-error" and "on-change" Unattended-Upgrade::MailReport "only-on-error"; // Remove unused automatically installed kernel-related packages // (kernel images, kernel headers and kernel version locked tools). Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // Do automatic removal of newly unused dependencies after the upgrade Unattended-Upgrade::Remove-New-Unused-Dependencies "true"; // Do automatic removal of unused packages after the upgrade // (equivalent to apt-get autoremove) Unattended-Upgrade::Remove-Unused-Dependencies "true"; // Automatically reboot *WITHOUT CONFIRMATION* if // the file /var/run/reboot-required is found after the upgrade Unattended-Upgrade::Automatic-Reboot "true"; // Automatically reboot even if there are users currently logged in // when Unattended-Upgrade::Automatic-Reboot is set to true //Unattended-Upgrade::Automatic-Reboot-WithUsers "true"; // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" Unattended-Upgrade::Automatic-Reboot-Time "03:00"; // Use apt bandwidth limit feature, this example limits the download // speed to 70kb/sec //Acquire::http::Dl-Limit "70"; // Enable logging to syslog. Default is False // Unattended-Upgrade::SyslogEnable "false"; // Specify syslog facility. Default is daemon // Unattended-Upgrade::SyslogFacility "daemon"; // Download and install upgrades only on AC power // (i.e. skip or gracefully stop updates on battery) // Unattended-Upgrade::OnlyOnACPower "true"; // Download and install upgrades only on non-metered connection // (i.e. skip or gracefully stop updates on a metered connection) // Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true"; // Verbose logging // Unattended-Upgrade::Verbose "false"; // Print debugging information both in unattended-upgrades and // in unattended-upgrade-shutdown // Unattended-Upgrade::Debug "false"; // Allow package downgrade if Pin-Priority exceeds 1000 // Unattended-Upgrade::Allow-downgrade "false";
3. Enable Unattended Upgrades
In order to enable automatic upgrades, execute the following command where the -plow flag mean priority low.
dpkg-reconfigure -plow unattended-upgrades
In the resulting screen with a pink background, you will be asked “Automatically download and install stable updates?” The context for this is:
Applying updates on a frequent basis is an important part of keeping systems secure. By default, updates need to be applied manually using package management tools. Alternatively, you can choose to have this system automatically download and install important updates.
Select the Yes option to continue.
A configuration file will be created at
/etc/apt/apt.conf.d/20auto-upgrades. It will look similar to this where the first line is equivalent to
apt update and the second line is equivalent to
apt upgrade. The “1” values are boolean which indicate if the feature is turned on.
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
4. Test it Out with a Dry Run
You can optionally do a dry run to see what will happen during an unattended upgrade with the following command.
unattended-upgrades --dry-run --debug
5. Look at the Daily Timer
If you look at the
/lib/systemd/system/apt-daily.timer file, you will see the interval that the
apt update command is executed. In this case it is twice a day with a random delay after 6 AM and 6 PM.
[Unit] Description=Daily apt download activities [Timer] OnCalendar=*-*-* 6,18:00 RandomizedDelaySec=12h Persistent=true [Install] WantedBy=timers.target
The corresponding service file at
/lib/systemd/system/apt-daily.service contains the actual command (ExecStart) that will be executed based on that timer interval.
[Unit] Description=Daily apt download activities Documentation=man:apt(8) ConditionACPower=true After=network.target network-online.target systemd-networkd.service NetworkManager.service connman.service [Service] Type=oneshot ExecStartPre=-/usr/lib/apt/apt-helper wait-online ExecStart=/usr/lib/apt/apt.systemd.daily update
Timer and service files also exist for the
apt upgrade command too. The timer file is at
[Unit] Description=Daily apt upgrade and clean activities After=apt-daily.timer [Timer] OnCalendar=*-*-* 6:00 RandomizedDelaySec=60m Persistent=true [Install] WantedBy=timers.target
The service file is at
[Unit] Description=Daily apt upgrade and clean activities Documentation=man:apt(8) ConditionACPower=true After=apt-daily.service network.target network-online.target systemd-networkd.service NetworkManager.service connman.service [Service] Type=oneshot ExecStartPre=-/usr/lib/apt/apt-helper wait-online ExecStart=/usr/lib/apt/apt.systemd.daily install KillMode=process TimeoutStopSec=900