Ubuntu unattended-upgrades

From CompleteNoobs
Revision as of 22:19, 4 April 2023 by Noob (talk | contribs) (Created page with "== Introduction == Unattended-upgrades is a tool that allows Ubuntu users to automatically update their system with the latest security patches and bug fixes. It's important to keep your system up-to-date to ensure that it's secure and running smoothly. With unattended-upgrades, you don't have to worry about manually checking for updates and installing them yourself. Instead, the tool automatically downloads and installs the updates in the background, saving you time and...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
Please Select a Licence from the LICENCE_HEADERS page
And place at top of your page
If no Licence is Selected/Appended, Default will be CC0

Default Licence IF there is no Licence placed below this notice! When you edit this page, you agree to release your contribution under the CC0 Licence

LICENCE: More information about the cc0 licence can be found here:
https://creativecommons.org/share-your-work/public-domain/cc0

The person who associated a work with this deed has dedicated the work to the public domain by waiving all of his or her rights to the work worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial purposes, all without asking permission.

Licence:

Statement of Purpose

The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").

Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.

For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.

1. Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:

   the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
   moral rights retained by the original author(s) and/or performer(s);
   publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
   rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
   rights protecting the extraction, dissemination, use and reuse of data in a Work;
   database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
   other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.

2. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.

3. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.

4. Limitations and Disclaimers.

   No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document.
   Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the present or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law.
   Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work.
   Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.

Introduction

Unattended-upgrades is a tool that allows Ubuntu users to automatically update their system with the latest security patches and bug fixes. It's important to keep your system up-to-date to ensure that it's secure and running smoothly. With unattended-upgrades, you don't have to worry about manually checking for updates and installing them yourself. Instead, the tool automatically downloads and installs the updates in the background, saving you time and effort. By using unattended-upgrades, you can be confident that your Ubuntu system is always up-to-date and protected from security vulnerabilities.

Install unattended-upgrades

unattended-upgrades package should be pre installed on ubuntu

If not you can install with sudo apt install unattended-upgrades

Unattended-upgrades config files are kept in directory /etc/apt/apt.conf.d/

/etc/apt/apt.conf.d/

Each of the configuration files in directory serves a specific purpose in managing different aspects of the Ubuntu system updates. Here's a brief summary of what each of these files does:

  • 01-vendor-ubuntu: This file specifies the vendor-specific configuration for Ubuntu. It defines the Ubuntu-specific package sources and repository settings.
  • 01autoremove: This file specifies the list of packages that can be automatically removed from the system when they are no longer needed.
  • 01autoremove-kernels: This file specifies the list of old kernel packages that can be automatically removed from the system when a new kernel is installed.
  • 10periodic: This file specifies the frequency of automatic system updates. It allows you to set how often the system checks for updates and installs them.
  • 15update-stamp: This file stores the timestamp of the last system update.
  • 20archive: This file specifies the settings for the package archive, including the URL of the package repository and the authentication keys for verifying package integrity.
  • 20auto-upgrades: This file specifies the configuration settings for automatic updates, including which packages to update and how to install them.
  • 20packagekit: This file specifies the configuration settings for PackageKit, which is a system service for managing software updates.
  • 20snapd.conf: This file specifies the configuration settings for the Snap package manager.
  • 50command-not-found: This file specifies the behavior of the command-not-found feature, which suggests packages to install when a command is not found.
  • 50unattended-upgrades: This file specifies the settings for unattended-upgrades, which is a tool for automatically installing security updates.
  • 70debconf: This file specifies the settings for debconf, which is a configuration management system for Debian-based systems.
  • 99update-notifier: This file specifies the behavior of the update-notifier, which is a tool for notifying users about available system updates.

Each of these configuration files plays an important role in managing different aspects of system updates in Ubuntu, and understanding their purpose can be helpful in customizing the system update settings to fit your specific needs.

Quick Start - Up and running auto updates

Check service is running and enabled

sudo systemctl enable unattended-upgrades

50unattended-upgrades

/etc/apt/apt.conf.d/50unattended-upgrades is a configuration file that specifies the settings for automatically installing security updates using the unattended-upgrades tool in Ubuntu.

$EDITOR /etc/apt/apt.conf.d/50unattended-upgrades

Default Content /etc/apt/apt.conf.d/50unattended-upgrades

Note: Having a // At the Front of the line, will comment out the line:

lines that begin with a "#" or "//" are called comments. These lines are ignored by the system and are intended for human readers to provide explanations or context about the configuration settings.

When you "comment out" a line in a configuration file, you are essentially telling the system to ignore that line of configuration. This can be useful if you want to temporarily disable or override a specific configuration setting without having to delete it entirely.

For example, if you wanted to temporarily disable automatic updates in Ubuntu, you could comment out the line that enables them in the /etc/apt/apt.conf.d/20auto-upgrades file by adding a "#" or "//" character at the beginning of the line. This would prevent the system from executing that particular configuration setting and would effectively disable automatic updates until you uncommented the line by removing the "#" or "//" characters.

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESMApps:${distro_codename}-apps-security";
	"${distro_id}ESM:${distro_codename}-infra-security";
//	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

Common Server Changes - Quick start guide

Note: The only change required to enable auto updates is to uncomment:
// "${distro_id}:${distro_codename}-updates";
The rest is opitional.

updates

// "${distro_id}:${distro_codename}-updates";
Change to:
"${distro_id}:${distro_codename}-updates";

Remove unused automatically installed kernel-related packages

//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Change to:
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

Do automatic removal of newly unused dependencies after the upgrade

//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Change To:
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

Do automatic removal of unused packages after the upgrade - apt-get autoremove

//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Change To:
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatically reboot *WITHOUT CONFIRMATION* If the file /var/run/reboot-required is found after the upgrade

//Unattended-Upgrade::Automatic-Reboot "false";
Change To:
Unattended-Upgrade::Automatic-Reboot "true";

Automatically reboot even if there are users currently logged in when Unattended-Upgrade::Automatic-Reboot is set to true

//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Change To:
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

If automatic reboot is enabled and needed, reboot at the specific time instead of immediately

//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Change to: Note: Reboot-Time is your server/computers time zone: Use the command date to see time zone.
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

Save and Exit Config file

/etc/apt/apt.conf.d/50unattended-upgrades Config File After Changes:

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
	"${distro_id}:${distro_codename}";
	"${distro_id}:${distro_codename}-security";
	// Extended Security Maintenance; doesn't necessarily exist for
	// every release and this system may not have it installed, but if
	// available, the policy for updates is such that unattended-upgrades
	// should also install from here by default.
	"${distro_id}ESMApps:${distro_codename}-apps-security";
	"${distro_id}ESM:${distro_codename}-infra-security";
	"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

    // Special characters need escaping
//  "libstdc\+\+6$";

    // The following matches packages like xen-system-amd64, xen-utils-4.1,
    // xenstore-utils and libxenstore3.0
//  "(lib)?xen(store)?";

    // For more information about Python regular expressions, see
    // https://docs.python.org/3/howto/regex.html
};

// This option controls whether the development release of Ubuntu will be
// upgraded automatically. Valid values are "true", "false", and "auto".
Unattended-Upgrade::DevRelease "auto";

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "true";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all updates when the machine is shutting down
// instead of doing it in the background while the machine is running.
// This will (obviously) make shutdown slower.
// Unattended-upgrades increases logind's InhibitDelayMaxSec to 30s.
// This allows more time for unattended-upgrades to shut down gracefully
// or even install a few packages in InstallOnShutdown mode, but is still a
// big step back from the 30 minutes allowed for InstallOnShutdown previously.
// Users enabling InstallOnShutdown mode are advised to increase
// InhibitDelayMaxSec even further, possibly to 30 minutes.
//Unattended-Upgrade::InstallOnShutdown "false";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
// Unattended-Upgrade::SyslogEnable "false";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

// Download and install upgrades only on AC power
// (i.e. skip or gracefully stop updates on battery)
// Unattended-Upgrade::OnlyOnACPower "true";

// Download and install upgrades only on non-metered connection
// (i.e. skip or gracefully stop updates on a metered connection)
// Unattended-Upgrade::Skip-Updates-On-Metered-Connections "true";

// Verbose logging
// Unattended-Upgrade::Verbose "false";

// Print debugging information both in unattended-upgrades and
// in unattended-upgrade-shutdown
// Unattended-Upgrade::Debug "false";

// Allow package downgrade if Pin-Priority exceeds 1000
// Unattended-Upgrade::Allow-downgrade "false";

And that's pretty much your Basic Quick Start Auto Updates taken care of!

What time does unattended-upgrades run?

By default, the unattended-upgrades tool in Ubuntu is configured to run once a day at a random time between 6:00 AM and 7:00 AM, local time.

However, you can modify the time at which unattended-upgrades runs by editing the /etc/apt/apt.conf.d/20auto-upgrades file. In this file, you can set the APT::Periodic::RandomSleep and APT::Periodic::Unattended-Upgrade::RandomSleep options to specify the range of random delay times in seconds before unattended-upgrades runs.

Additionally, you can set the APT::Periodic::Unattended-Upgrade::StartHour and APT::Periodic::Unattended-Upgrade::StartMinute options to specify the exact time at which unattended-upgrades runs each day.

For example, if you want unattended-upgrades to run at 2:30 AM every day, you can add the following lines to the /etc/apt/apt.conf.d/20auto-upgrades file:

APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Unattended-Upgrade::StartHour "2";
APT::Periodic::Unattended-Upgrade::StartMinute "30";

After making changes to this file, you will need to save and close it, and then wait for the specified time to see if the changes have taken effect.