Ubuntu unattended-upgrades: Difference between revisions

From CompleteNoobs
Latest revision as of 16:51, 17 April 2025

Introduction

Unattended-upgrades is a tool that allows Ubuntu users to automatically update their system with the latest security patches and bug fixes. It's important to keep your system up-to-date to ensure that it's secure and running smoothly. With unattended-upgrades, you don't have to worry about manually checking for updates and installing them yourself. Instead, the tool automatically downloads and installs the updates in the background, saving you time and effort. By using unattended-upgrades, you can be confident that your Ubuntu system is always up-to-date and protected from security vulnerabilities.

Install unattended-upgrades

The unattended-upgrades package should be pre-installed on Ubuntu.

If it is not, install it with: sudo apt install unattended-upgrades

The unattended-upgrades config files are kept in the directory /etc/apt/apt.conf.d/

/etc/apt/apt.conf.d/

Each of the configuration files in this directory serves a specific purpose in managing a different aspect of Ubuntu system updates. Here's a brief summary of what each of these files does:

  • 01-vendor-ubuntu: This file specifies the vendor-specific configuration for Ubuntu. It defines the Ubuntu-specific package sources and repository settings.
  • 01autoremove: This file specifies the list of packages that can be automatically removed from the system when they are no longer needed.
  • 01autoremove-kernels: This file specifies the list of old kernel packages that can be automatically removed from the system when a new kernel is installed.
  • 10periodic: This file specifies the frequency of automatic system updates. It allows you to set how often the system checks for updates and installs them.
  • 15update-stamp: This file stores the timestamp of the last system update.
  • 20archive: This file specifies the settings for the package archive, including the URL of the package repository and the authentication keys for verifying package integrity.
  • 20auto-upgrades: This file specifies the configuration settings for automatic updates, including which packages to update and how to install them.
  • 20packagekit: This file specifies the configuration settings for PackageKit, which is a system service for managing software updates.
  • 20snapd.conf: This file specifies the configuration settings for the Snap package manager.
  • 50command-not-found: This file specifies the behavior of the command-not-found feature, which suggests packages to install when a command is not found.
  • 50unattended-upgrades: This file specifies the settings for unattended-upgrades, which is a tool for automatically installing security updates.
  • 70debconf: This file specifies the settings for debconf, which is a configuration management system for Debian-based systems.
  • 99update-notifier: This file specifies the behavior of the update-notifier, which is a tool for notifying users about available system updates.

Each of these configuration files plays an important role in managing different aspects of system updates in Ubuntu, and understanding their purpose can be helpful in customizing the system update settings to fit your specific needs.

Quick Start - Up and running auto updates

Check that the service is running and enabled, and enable it if it is not:

sudo systemctl enable unattended-upgrades

50unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades is a configuration file that specifies the settings for automatically installing security updates using the unattended-upgrades tool in Ubuntu.

$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades

Default Content /etc/apt/apt.conf.d/50unattended-upgrades

Note: A // at the front of a line comments out that line:

Lines that begin with "#" or "//" are called comments. The system ignores them; they are there for human readers, to explain or give context for the configuration settings.

When you "comment out" a line in a configuration file, you are telling the system to ignore that line of configuration. This is useful if you want to temporarily disable or override a specific setting without deleting it entirely.

For example, if you wanted to temporarily disable automatic updates in Ubuntu, you could comment out the line that enables them in the /etc/apt/apt.conf.d/20auto-upgrades file by adding a "#" or "//" at the beginning of the line. The system would then skip that setting, and automatic updates would stay disabled until you uncommented the line by removing the "#" or "//" again.

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESMApps:${distro_codename}-apps-security";
	"${distro_id}ESM:${distro_codename}-infra-security";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

Common Server Changes - Quick start guide

Note: The only change required to enable auto updates is to uncomment:
// "${distro_id}:${distro_codename}-updates";
The rest is optional.

updates

  • Line: 15

// "${distro_id}:${distro_codename}-updates";
Change to:
"${distro_id}:${distro_codename}-updates";

Remove unused automatically installed kernel-related packages

  • Line: 83

//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Change to:
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Do automatic removal of newly unused dependencies after the upgrade

  • Line: 86

//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Change To:
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

Do automatic removal of unused packages after the upgrade - apt-get autoremove

  • Line: 90

//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Change To:
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatically reboot *WITHOUT CONFIRMATION* If the file /var/run/reboot-required is found after the upgrade

  • Line: 94

//Unattended-Upgrade::Automatic-Reboot "false";
Change To:
Unattended-Upgrade::Automatic-Reboot "true";

Automatically reboot even if there are users currently logged in when Unattended-Upgrade::Automatic-Reboot is set to true

  • Line: 98

//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Change To:
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

If automatic reboot is enabled and needed, reboot at the specific time instead of immediately

  • Line: 103

//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Change to (note: Reboot-Time is interpreted in your server's or computer's time zone; run the command date to see which time zone that is):
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
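The steps above are all the same edit: find the option, remove the leading // so apt stops ignoring it, and set the value. The following helpers, added here and not part of the CompleteNoobs page, do that edit with sed and grep and apply the whole quick-start list; they run on a constructed, trimmed copy of 50unattended-upgrades rather than the real file, and assume sed -E and grep -E (GNU or BSD).

```sh
#!/bin/sh
# Added example, not from the CompleteNoobs page: sed/grep helpers for the
# "uncomment the line and change its value" steps, plus an effective-value reader.
set -eu

# Constructed, trimmed stand-in for /etc/apt/apt.conf.d/50unattended-upgrades so
# the script runs offline; on a real host point the functions at the real file.
make_sample_conf() {  # make_sample_conf FILE
    cat > "$1" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
};
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
//Unattended-Upgrade::Automatic-Reboot "false";
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# Effective value of a scalar option. Lines starting with // or # are comments
# and never match, so a commented-out option prints nothing (apt ignores it).
uu_get() {  # uu_get FILE KEY
    grep -E "^[[:space:]]*$2[[:space:]]+\"[^\"]*\";" "$1" \
        | sed -E 's/.*"([^"]*)";.*/\1/' | tail -n 1
}

# Uncomment KEY (written as //KEY, # KEY or already active) and set its value;
# append it if absent. [[:space:]]+ after KEY stops Automatic-Reboot matching
# Automatic-Reboot-Time.
uu_set() {  # uu_set FILE KEY VALUE
    if grep -qE "^[[:space:]]*(//|#)?[[:space:]]*$2[[:space:]]+\"" "$1"; then
        sed -E "s,^[[:space:]]*(//|#)?[[:space:]]*$2[[:space:]]+\"[^\"]*\";.*,$2 \"$3\";," "$1" \
            > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s "%s";\n' "$2" "$3" >> "$1"
    fi
}

# Uncomment one Allowed-Origins entry by its pocket suffix (e.g. -updates),
# leaving -proposed and -backports commented.
uu_enable_origin() {  # uu_enable_origin FILE SUFFIX
    sed -E "s,^//([[:space:]]*\"[^\"]*$2\";),\1," "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The page's "Common Server Changes", applied in order. Safe to re-run.
apply_quick_start() {  # apply_quick_start FILE
    uu_enable_origin "$1" -updates
    uu_set "$1" Unattended-Upgrade::Remove-Unused-Kernel-Packages true
    uu_set "$1" Unattended-Upgrade::Remove-New-Unused-Dependencies true
    uu_set "$1" Unattended-Upgrade::Remove-Unused-Dependencies true
    uu_set "$1" Unattended-Upgrade::Automatic-Reboot true
    uu_set "$1" Unattended-Upgrade::Automatic-Reboot-WithUsers true
    uu_set "$1" Unattended-Upgrade::Automatic-Reboot-Time 04:00
}

# Demo on the constructed copy: apply the changes and show the resulting file.
CONF=$(mktemp)
make_sample_conf "$CONF"
apply_quick_start "$CONF"
cat "$CONF"
rm -f "$CONF"
```

On a real host, run uu_get against /etc/apt/apt.conf.d/50unattended-upgrades after editing to confirm each option is actually active rather than still commented out.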

Save and Exit Config file

/etc/apt/apt.conf.d/50unattended-upgrades Config File After Changes:

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESMApps:${distro_codename}-apps-security";
	"${distro_id}ESM:${distro_codename}-infra-security";
	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

And that's pretty much your Basic Quick Start Auto Updates taken care of!

What time does unattended-upgrades run?

By default, the unattended-upgrades tool in Ubuntu is configured to run once a day at a random time between 6:00 AM and 7:00 AM, local time.

However, you can modify the time at which unattended-upgrades runs by editing the /etc/apt/apt.conf.d/20auto-upgrades file. In this file, you can set the APT::Periodic::RandomSleep and APT::Periodic::Unattended-Upgrade::RandomSleep options to specify the range of random delay times in seconds before unattended-upgrades runs.

Additionally, you can set the APT::Periodic::Unattended-Upgrade::StartHour and APT::Periodic::Unattended-Upgrade::StartMinute options to specify the exact time at which unattended-upgrades runs each day.

For example, if you want unattended-upgrades to run at 2:30 AM every day, you can add the following lines to the /etc/apt/apt.conf.d/20auto-upgrades file:

APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Unattended-Upgrade::StartHour "2";
APT::Periodic::Unattended-Upgrade::StartMinute "30";

After making changes to this file, you will need to save and close it, and then wait for the specified time to see if the changes have taken effect.