Originally, I planned on using Landscape to handle updating my Linux servers, but it only allows ten servers to be added before you need to upgrade to a paid license. And, after a while, I got tired of logging to my landscape server to reboot servers after updates were installed. So I setup all of my Linux servers to install updates, auto remove unnecessary dependencies and reboot the server automatically.
To enable this on your Linux server, you’ll need to install the unattended-upgrades package.
sudo apt install unattended-upgrades1. Configure Settings
Now that the unattended-upgrades is installed, we need to tell the server what updates we want automatically installed. To do this, we need to edit the configuration file by running the command below.
sudo nano /etc/apt/apt.conf.d/50unattended-upgradesSelect what updates you want automatically applied by uncommenting (removing the \\ characters) the lines below.
Below is the update config section that I use on my servers . The config below will install security and program updates.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};Recommended: Additionally, we want to remove unused and old dependencies as well as auto reboot the server. To enable this scroll through the config file and makes changes to match the settings listed below.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "01:00";The settings above will auto remove old Kernel packages, unused dependencies, and reboot the server after all of the updates have been applied at 1:00AM.
Certain packages can also be blacklisted and therefore will not be automatically updated. To blacklist a package, add it to the list:
https://help.ubuntu.com/lts/serverguide/automatic-updates.html
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};2. Update Frequency
Now that the server knows what updates we want it to automatically install, we need to configure it to actually check and install updates. To do this, we need to edit another configure file by running the command below.
sudo nano /etc/apt/apt.conf.d/20auto-upgradesEdit the configuration file so it matches the settings listed below.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";The above configuration updates the package list, downloads, and installs available upgrades every day. The local download archive is cleaned every week. On servers upgraded to newer versions of Ubuntu, depending on your responses, the file listed above may not be there. In this case, creating a new file of this name should also work.
https://help.ubuntu.com/lts/serverguide/automatic-updates.html
3. Test Settings
To test if our configuration changes worked, we can run the following command below.
sudo unattended-upgrades --dry-run --debugIf everything works, you should get an output similar to the one below.
Or, we could check the logs in a few days.
cat /var/log/unattended-upgrades/unattended-upgrades.log