Call me a risk taker, I allow all of my systems to update everything automatically. Managing 50+ systems on a daily basis can become a daunting task if you don’t. I would rather clean up after a bad update than after an attack. At least with the update I know what happened. This is why I configured automatic updates for Ubuntu.
So here is how I configure Automatic Updates in Ubuntu:
Packages needed: cron-apt, unattended-upgrades
- apt-get install cron-apt
- apt-get install unattended-upgrades
That’s it for the packages, now let’s get things configured:
First we need to edit the 50unattended-upgrades file located in /etc/apt/apt.conf.d/. I use nano, you can use any editor you are comfortable with.
- nano /etc/apt/apt.conf.d/50unattended-upgrades
Mine looks like this:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";
- I simply removed the comment marker ” // ” from these lines to enable the non-critical, non-security updates as well. This allows all of the updates I want.
// "${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
which now reads
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
- Then I changed
// Unattended-Upgrade::Remove-Unused-Dependencies "false";
to
Unattended-Upgrade::Remove-Unused-Dependencies "true";
which does the cleanup of unneeded dependencies.
- Next I changed the line that reads
// Unattended-Upgrade::Automatic-Reboot "false";
to read
Unattended-Upgrade::Automatic-Reboot "true";
to enable automated reboots.
- And finally, changed
// Unattended-Upgrade::Automatic-Reboot-Time "02:00";
to read as
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
to allow automatic reboots at 4:00 am as necessary.
- I didn’t make any other changes because I use monitoring software that reports update statuses.
Next we edit 10periodic (or 2periodic; I don’t think it matters, and I’m not sure what the difference is, if there is any. I just know that some documentation reads 10periodic and some 2periodic. I don’t recommend having both files; just use one or the other). Both files use options that are well documented in the file /etc/cron.daily/apt (there is no need to edit /etc/cron.daily/apt, just read it).
- nano /etc/apt/apt.conf.d/10periodic
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Then verify that /etc/apt/apt.conf.d/20auto-upgrades is correct:
- nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Reboot your system and give it 24 hours. You should notice that all of your updates are being installed automagically!
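As an added check that is not part of the original post, this shell script audits copies of the two files edited above for the settings the post enables. It strips the // comments first, so a setting that is still commented out is reported as missing rather than counted as active. The sample configs it reads are constructed inline; point the two functions at /etc/apt/apt.conf.d/50unattended-upgrades and 10periodic to audit a real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit 50unattended-upgrades
# and 10periodic for the settings the post enables. "//" comments are
# stripped first, so a commented-out line counts as missing.
strip_comments() { sed 's#//.*$##' "$1"; }

# 50unattended-upgrades: -security origin active, automatic reboot on,
# reboot time set to HH:MM. Prints each missing item, returns 1 if any.
audit_unattended() {
    _f=$1; _rc=0
    strip_comments "$_f" | grep -qF -- '"${distro_id}:${distro_codename}-security";' \
        || { echo "missing: -security origin"; _rc=1; }
    strip_comments "$_f" | grep -q 'Unattended-Upgrade::Automatic-Reboot "true";' \
        || { echo "missing: Automatic-Reboot"; _rc=1; }
    strip_comments "$_f" | grep -q 'Unattended-Upgrade::Automatic-Reboot-Time "[0-9][0-9]:[0-9][0-9]";' \
        || { echo "missing: Automatic-Reboot-Time"; _rc=1; }
    return $_rc
}

# 10periodic / 20auto-upgrades: both switches must be "1".
audit_periodic() {
    _f=$1; _rc=0
    for _k in Update-Package-Lists Unattended-Upgrade; do
        strip_comments "$_f" | grep -q "APT::Periodic::$_k \"1\";" \
            || { echo "missing: APT::Periodic::$_k"; _rc=1; }
    done
    return $_rc
}

# Constructed samples: one edited as in the post, one still at defaults
# with the lines commented out, and a periodic file.
GOOD=$(mktemp); BAD=$(mktemp); PER=$(mktemp)
trap 'rm -f "$GOOD" "$BAD" "$PER"' EXIT
cat >"$GOOD" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
printf '%s\n' 'Unattended-Upgrade::Allowed-Origins {' \
    '//      "${distro_id}:${distro_codename}-security";' '};' \
    '//Unattended-Upgrade::Automatic-Reboot "true";' >"$BAD"
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' >"$PER"

audit_unattended "$GOOD" && echo "edited file: all settings active"
audit_unattended "$BAD" || echo "default-style file: settings still commented out"
audit_periodic "$PER" && echo "periodic file: ok"
```

On a live system, apt-config dump shows the merged values APT actually sees across all of /etc/apt/apt.conf.d/, and unattended-upgrade --dry-run --debug walks through what would be installed without changing anything.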
Note: I set my automatic updates for Ubuntu to happen daily; this is my preference, you may want to change it to weekly to reduce overhead. I highly suggest reading the documentation to fully understand what is going on. This is simply a guide to how I do it; use it to get going, then fine tune it to your preferences. Written for Ubuntu 14, works with Ubuntu 15 and 16, I’m testing 17.