How to Enable Auto Updates on Ubuntu

Originally, I planned on using Landscape to handle updating my Linux servers, but it only allows ten servers to be added before you need to upgrade to a paid license. And, after a while, I got tired of logging in to my Landscape server to reboot servers after updates were installed. So I set up all of my Linux servers to install updates, auto remove unnecessary dependencies and reboot the server automatically.

To enable this on your Linux server, you’ll need to install the unattended-upgrades package.

sudo apt install unattended-upgrades

1. Configure Settings

Now that unattended-upgrades is installed, we need to tell the server which updates we want automatically installed. To do this, we need to edit the configuration file by running the command below.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Select which updates you want automatically applied by uncommenting (removing the // characters from) the lines below.

Below is the update config section that I use on my servers. The config below will install security and program updates.

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Recommended: Additionally, we want to remove unused and old dependencies as well as auto reboot the server. To enable this, scroll through the config file and make changes to match the settings listed below.

Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "01:00";

The settings above will auto remove old kernel packages and unused dependencies and, once all of the updates have been applied, reboot the server at 1:00 AM.

Certain packages can also be blacklisted so that they are not automatically updated. To blacklist a package, add it to the list:

Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

2. Update Frequency

Now that the server knows which updates we want it to automatically install, we need to configure it to actually check for and install updates. To do this, we need to edit another configuration file by running the command below.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Edit the configuration file so it matches the settings listed below.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, downloads, and installs available upgrades every day. The local download archive is cleaned every week. On servers upgraded to newer versions of Ubuntu, depending on your responses, the file listed above may not be there. In this case, creating a new file of this name should also work.

3. Test Settings

To test whether our configuration changes worked, we can run the command below.

sudo unattended-upgrades --dry-run --debug

If everything works, you should get an output similar to the one below.

Or, we could check the logs in a few days.

cat /var/log/unattended-upgrades/unattended-upgrades.log
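
To confirm that the settings from steps 1 and 2 are actually in effect (and not still commented out or overridden by another file), the merged configuration printed by apt-config dump can be checked. The script below is an added example, not part of the original post; the function names audit_auto_updates and sample_dump and the sample input are made up for illustration, and the expected values are the ones used in this guide.

```shell
#!/usr/bin/env bash
# Added example: compare the effective APT settings with the values in this guide.
# Reads `apt-config dump` output on stdin, one entry per line: Key "value";
audit_auto_updates() {
    awk -F'"' '
    function need(k, want) {
        if (val[k] != want) {
            printf "FAIL %s is \"%s\", expected \"%s\"\n", k, val[k], want
            bad++
        }
    }
    {
        key = $1; sub(/[ \t]+$/, "", key)   # text before the first quote
        val[key] = $2                        # text between the quotes
        # List items are dumped as Key:: "item"; look for a security origin.
        if (key == "Unattended-Upgrade::Allowed-Origins::" && $2 ~ /-security$/)
            security = 1
    }
    END {
        need("APT::Periodic::Update-Package-Lists", "1")
        need("APT::Periodic::Download-Upgradeable-Packages", "1")
        need("APT::Periodic::Unattended-Upgrade", "1")
        need("Unattended-Upgrade::Remove-Unused-Kernel-Packages", "true")
        need("Unattended-Upgrade::Remove-Unused-Dependencies", "true")
        need("Unattended-Upgrade::Automatic-Reboot", "true")
        need("Unattended-Upgrade::Automatic-Reboot-Time", "01:00")
        if (!security) { print "FAIL no -security origin in Allowed-Origins"; bad++ }
        if (!bad) print "OK auto-update settings match this guide"
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample of `apt-config dump` output (not taken from a real host).
sample_dump() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "01:00";
EOF
}
sample_dump | audit_auto_updates    # prints the OK line
# On a server: apt-config dump | audit_auto_updates
```

The function exits non-zero when any setting differs, so it can be run from a monitoring job or a configuration-management check.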
