Debian/Ubuntu with automatic APT unattended updates

I cannot point out often enough how critical it is to keep your internet-based servers updated. I use and manage some servers, about 20 currently. But I hate checking them on a weekly basis for security updates. I still remember the days when sysadmins bragged about uptimes – not a smart thing to do.

If you use Debian / Ubuntu, there is at least an official, simple way to keep most fears of missed security updates at bay. Partly as a note to myself, I am adding this quick copy-and-paste information here on how to set up automatic upgrades on a Debian / Ubuntu based server.

You can either install only security patches or do full upgrades of packages. I cannot recommend the latter, but it depends on what your server is doing. In the worst case, an upgraded package could break things due to a change of behavior or configuration requirements. I stay with the security-updates-only method.

Setup Automatic Updates

Install unattended-upgrades

apt update && apt install unattended-upgrades

After that you need to edit some files; if they do not exist yet, create them:

Configure unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance
        "${distro_id}ESM:${distro_codename}";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Then we need to enable the whole process by editing / creating:

Enable Automatic Upgrades

/etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

You can check whether everything was successful using this command:

unattended-upgrades --debug
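
To check the result on several servers, the following audit script reads the two files edited above and reports any active origin ending in -updates, -proposed or -backports, as well as a disabled APT::Periodic setting. It is an added example, not part of the original post; the function names and the sample data are made up for illustration.

```shell
# Added example: audit copies of 50unattended-upgrades and 20auto-upgrades.
# Print the active (not //-commented) entries of the Allowed-Origins block.
active_origins() {
    awk '
        /^[ \t]*\/\//                         { next }
        /Unattended-Upgrade::Allowed-Origins/ { inblk = 1; next }
        inblk && /^[ \t]*[}]/                 { inblk = 0 }
        inblk && match($0, /"[^"]+"/)         { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1"
}

# Active origins that go beyond the security-only setup described above.
risky_origins() {
    active_origins "$1" | grep -E -- '-(updates|proposed|backports)$' || true
}

# Print the last value set for APT::Periodic::<key> ($2) in file $1.
periodic_value() {
    awk -v key="APT::Periodic::$2" '
        /^[ \t]*\/\// { next }
        $1 == key     { val = $2; gsub(/[";]/, "", val) }
        END           { print val }
    ' "$1"
}

# $1 = 50unattended-upgrades, $2 = 20auto-upgrades; returns 1 on any finding.
audit() {
    rc=0
    risky=$(risky_origins "$1")
    [ -z "$risky" ] || { echo "non-security origin enabled: $risky"; rc=1; }
    for k in Update-Package-Lists Unattended-Upgrade; do
        case "$(periodic_value "$2" "$k")" in
            ""|0) echo "APT::Periodic::$k is unset or 0 (disabled)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: -updates left enabled and the upgrade run switched off.
sample=$(mktemp -d)
cat > "$sample/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-backports";
};
EOF
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "0";\n' > "$sample/20auto-upgrades"
audit "$sample/50unattended-upgrades" "$sample/20auto-upgrades" || echo "sample fails the audit"
```

On a real server, call audit with /etc/apt/apt.conf.d/50unattended-upgrades and /etc/apt/apt.conf.d/20auto-upgrades as the two arguments.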