Automatic Updates for Ubuntu – with all updates.

Call me a risk taker, I allow all of my systems to update everything automatically.  Managing 50+ systems on a daily basis can become a daunting task if you don’t.  I would rather cleanup after a bad update than after an attack.  At least with the update I know what happened.  This is why I configured automatic updates for Ubuntu.

So here is how I configure Automatic Updates in Ubuntu:
Packages needed: cron-apt, unattended-upgrades

  • apt-get install cron-apt
  • apt-get install unattended-upgrades
That’s it for the packages, now let’s get things configured:

First we need to edit the 50unattended-upgrades file located in /etc/apt/apt.conf.d/.  I use nano, you can us any editor you are comfortable with.

  • nano /etc/apt/apt.conf.d/50unattended-upgrades
    Mine looks like this:

    // Automatically upgrade packages from these (origin:archive) pairs
    Unattended-Upgrade::Allowed-Origins {
            "${distro_id}:${distro_codename}-security";
            "${distro_id}:${distro_codename}-updates";
    //      "${distro_id}:${distro_codename}-proposed";
    //      "${distro_id}:${distro_codename}-backports";
    };
    
    // List of packages to not update (regexp are supported)
    Unattended-Upgrade::Package-Blacklist {
    //      "vim";
    //      "libc6";
    //      "libc6-dev";
    //      "libc6-i686";
    };
    
    // This option allows you to control if on a unclean dpkg exit
    // unattended-upgrades will automatically run
    //   dpkg --force-confold --configure -a
    // The default is true, to ensure updates keep getting installed
    //Unattended-Upgrade::AutoFixInterruptedDpkg "false";
    
    // Split the upgrade into the smallest possible chunks so that
    // they can be interrupted with SIGUSR1. This makes the upgrade
    // a bit slower but it has the benefit that shutdown while a upgrade
    // is running is possible (with a small delay)
    //Unattended-Upgrade::MinimalSteps "true";
    
    // Install all unattended-upgrades when the machine is shuting down
    // instead of doing it in the background while the machine is running
    // This will (obviously) make shutdown slower
    //Unattended-Upgrade::InstallOnShutdown "true";
    
    // Send email to this address for problems or packages upgrades
    // If empty or unset then no email is sent, make sure that you
    // have a working mail setup on your system. A package that provides
    // 'mailx' must be installed. E.g. "[email protected]"
    //Unattended-Upgrade::Mail "root";
    
    // Set this value to "true" to get emails only on errors. Default
    // is to always send a mail if Unattended-Upgrade::Mail is set
    //Unattended-Upgrade::MailOnlyOnError "true";
    
    // Do automatic removal of new unused dependencies after the upgrade
    // (equivalent to apt-get autoremove)
    Unattended-Upgrade::Remove-Unused-Dependencies "true";
    
    // Automatically reboot *WITHOUT CONFIRMATION*
    //  if the file /var/run/reboot-required is found after the upgrade
    Unattended-Upgrade::Automatic-Reboot "true";
    
    // If automatic reboot is enabled and needed, reboot at the specific
    // time instead of immediately
    //  Default: "now"
    Unattended-Upgrade::Automatic-Reboot-Time "04:00";
    
    // Use apt bandwidth limit feature, this example limits the download
    // speed to 70kb/sec
    //Acquire::http::Dl-Limit "70";
  •  I simply edited the comment ” // ” out of these lines. too enable non-critical or non-security updates.  This will allow all of the updates I want.
    //  "${distro_id}:${distro_codename}-security";
    //  "${distro_id}:${distro_codename}-updates";

    which now reads

    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
  • Then I changed
    // Unattended-Upgrade::Remove-Unused-Dependencies "false";

    to

    Unattended-Upgrade::Remove-Unused-Dependencies "true";

    which does the cleanup of unneeded dependencies.

  • Next I changed the lines that reads
    // Unattended-Upgrade::Automatic-Reboot "false";

    to read

    Unattended-Upgrade::Automatic-Reboot "true";

    to enable automated reboots

  • And finally, changed
    // Unattended-Upgrade::Automatic-Reboot-Time "02:00";
  • to read as
    Unattended-Upgrade::Automatic-Reboot-Time "04:00";

    to allow automatic reboots at 4:00 am as necessary.

  • I didn’t make any other changes because I use monitoring software that reports update statuses.

Next we edit 10periodic (or 2periodic, I don’t think it matters.  I’m not sure what the difference is, if there is any.  I just know that some documentation reads 10 periodic and some 2periodic.  I don’t recommend having both files, just use on or the other)  Both files use commands that are well documented in the file /etc/cron.daily/apt.  (There is no need to edit /etc/cron.daily/apt, just read it).

  • nano /etc/apt/apt.conf.d/10periodic
    APT::Periodic::Enable "1";
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Download-Upgradeable-Packages "1";
    APT::Periodic::AutocleanInterval "7";
    APT::Periodic::Unattended-Upgrade "1";

Then verify that /etc/apt/apt.conf.d/20auto-upgrades is correct:

  • nano /etc/apt/apt.conf.d/20auto-upgrades
    APT::Periodic::Update-Package-Lists "1";
    APT::Periodic::Unattended-Upgrade "1";

Reboot your system and give it 24 hours.  You should notice that all of you updates are being installed automagically! 

Note I set my automatic updates for Ubuntu happen daily, this is my preference, you may want to change it to weekly, to reduce overhead.  I highly suggest reading the documentation to fully understand what is going on.  This is simply a guide to how I do it, use it to get going then fine tune it to your preferences. Written for Ubuntu 14, works with Ubuntu 15 and 16, I’m testing 17.