Linux server security is of critical importance to sysadmins. One central part of keeping Linux servers secure, is by installing security updates in a timely manner. Too often there are compromised servers on the internet due to pending security updates waiting for a manual update. On both Ubuntu and Debian, the unattended-upgrades package can be configured to perform unattended upgrades to automatically install updated packages and/or security updates.

In general, for critical servers where you cannot afford unplanned downtime should be very careful with unattended upgrades (or automatic updates). While there are reasons to be cautious, it is also worth considering. With that said, let’s jump right in!

Install unattended-upgrades

As of Debian 9, both the unattended-upgrades and apt-listchanges packages are installed by default. Recent releases of Ubuntu also come with unattended-upgrades installed by default. To install the unattended-upgrades package, enter the following in your terminal:

sudo apt update && sudo apt upgrade sudo apt install unattended-upgrades

Remember, you’ll want to monitor updates and changes to your Linux server over time. You can monitor via /var/log/dpkg.log or reading the log files in /var/log/unattended-upgrades/. You can also monitor changes by installing the apt-listchanges package (optional).

sudo apt install apt-listchanges

The apt-listchanges can be configured to send emails about update changes. apt-listchanges is a tool to show what has been changed in a new version of a Debian package, as compared to the version currently installed on the system. It does this by extracting the relevant entries from the NEWS.Debian and changelog[.Debian] files, usually found in /usr/share/doc/package, from Debian package archives. On both Debian and Ubuntu, as Ubuntu is a derivative of Debian.

Configure unattended-upgrades

The unattended-upgrades config file location is /etc/apt/apt.conf.d/50unattended-upgrades.

Lines starting with a double slash // have no effect. Therefore, to “enable” a line, remove the double slash // .

Selecting what to update

The section that controls what packages are updated automatically starts with Unattended-Upgrade::Allowed-Origins { . It will look something like the above screenshot. You can enable all packages or security updates only. By default, it will only install security updates. To enable updates from other repositories, uncomment the repository by removing the double slash // from the start of the line. Example:

"${distro_id}:${distro_codename}-updates";

Here’s some details on the update types available, as explained by Ubuntu:

“${distro_id}:${distro_codename}-security”; – Auto updating security updates will patch hole and vulnerabilities on your sever.

“${distro_id}:${distro_codename}-updates”; – Updates (aka: Recommended Updates) contain non-critical updates which can remove major annoyances and broken packages, but which do not affect your security. Other than fixing some, they do not enable any features. Enabling this is generally a good idea. The amount to download as well as the changes are not too big, but it improves your server stability in various ways.

“${distro_id}:${distro_codename}-proposed”; – The proposed updates are updates which are waiting to be moved into the recommended updates queue after some testing. They may never reach recommended or they may be replaced with a more recent update. Enabling this is reasonable if you want to participate in testing minor updates, or know that your specific problem has been solved here but the package hasn’t reached recommended yet. WARNING: Enabling the proposed updates repository can break your system. It is not recommended for inexperienced users.

“${distro_id}:${distro_codename}-backports”; – Backported updates are pieces of software which come from a newer major release. Thus, they can contain new features, but may also break compatibility with their older version. However, they are compiled specifically for your version of Ubuntu. In effect it saves you the hassle of broken dependencies and major downloads. Enabling this is reasonable if you want new features but don’t want your system to be unstable.

Enabling email reporting

Next, to enable email reporting. Find this line:

//Unattended-Upgrade::Mail "root";

Change it to:

Unattended-Upgrade::Mail "replacewithyouremail";

You can also leave it set to the default “root” to send email reports to the server’s root account. Here’s an example of unattended-upgrades mail config:

The remainder of the config file is self explanatory. If you have any questions, post below.

Configure update frequency

By default, unattended-upgrades will install available updates daily. To confirm, take a look at the config file: /etc/apt/apt.conf.d/20auto-upgrades. It should look like this:

APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";

APT::Periodic::Update-Package-Lists – allows you to specify the frequency (in days) at which the package lists are refreshed.

APT::Periodic::Unattended-Upgrade – When enabled, the daily script will execute unattended-upgrade .

APT::Periodic::Download-Upgradeable-Packages – Frequency (in days), for the downloading of the actual packages.

APT::Periodic::AutocleanInterval – It controls how often obsolete packages are removed from the APT cache. This keeps the APT cache at a reasonable size and means that you don’t need to worry about that task.

Sample config:



The above configuration will update package lists, download packages and install available upgrades daily. While APT cache will be cleaned every 7 days.

Test unattended-upgrades

You can test your config with a dry run. Use the following command. Refer to man page for help:

sudo unattended-upgrades --dry-run --debug

Conclusion

By enabling Unattended Upgrades (Automatic Updates) on Ubuntu or Debian servers, you’ve taken an important step to protect your server from vulnerabilities. Manually updating the system and applying patches can be a very time-consuming process. Unattended Upgrades saves a lot of time. However, for a large number of servers and/or VMs, I would recommend using bulk automation tools such as Ansible, Salt, Chef, Puppet, etc. Automatic updates are also available on Red Hat, CentOS and Fedora Linux. I will post a how-to article about this next.