How To Setup Automatic Updates and Security Patches on Ubuntu 16.04
Software developers continuously release updates to their packages, and Ubuntu regularly releases security patches for vulnerabilities found in its OS.
Without keeping these security patches and packages on your system up to date, you leave it exposed to attackers exploiting vulnerabilities that already have a fix available.
However, not everyone has the time needed every day to log into their server(s) and manually update them.
That’s where a tool named unattended-upgrades comes into play. As its name implies, you can use it to update packages on your system without your attendance.
Install unattended-upgrades
If it’s not already installed on your system, you can install the package by typing:
sudo apt-get update
sudo apt-get install unattended-upgrades
Configure Update Types
Now you need to configure which repositories (origins) will be upgraded automatically.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Only security upgrades are enabled by default. Comment or uncomment the respective repositories according to your needs.
You can read about the different types of repositories here.
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESM:${distro_codename}";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Enable unattended-upgrades
In order to enable automatic updates, you’ll need to edit ==/etc/apt/apt.conf.d/10periodic==.
sudo nano /etc/apt/apt.conf.d/10periodic
Modify the values according to your needs.
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Run the "unattended-upgrade" security upgrade script every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Send report mail to root
//     0:  no report             (or null string)
//     1:  progress report       (actually any string)
//     2:  + command outputs     (remove -qq, remove 2>/dev/null, add -d)
//     3:  + trace on
APT::Periodic::Verbose "0";
Here’s the configuration that I use. It checks for updates and downloads them daily.
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
Blacklist Packages
If you do not want a specific package to be updated automatically, you can add it to the blacklist.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Add the package name(s) you want blacklisted into ==Unattended-Upgrade::Package-Blacklist==.
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
Disable unattended-upgrades
If you decide that you no longer want to run unattended-upgrades, you can disable it by editing ==/etc/apt/apt.conf.d/10periodic==.
sudo nano /etc/apt/apt.conf.d/10periodic
Change the value of ==APT::Periodic::Unattended-Upgrade== to ==0==.
APT::Periodic::Unattended-Upgrade "0";
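As an added check that is not part of the original guide, the script below audits a 10periodic file and a 50unattended-upgrades file for the settings the Configure Update Types, Enable and Disable sections above describe, so you can confirm on a host that security patching is actually on. The configs it reads are constructed inline as temporary files; the function names are this example's own.

```shell
# Added example (not from the guide): audit the two files the guide edits and
# report whether unattended security upgrades are really switched on. Sample
# configs are constructed below so this runs offline; on a host pass
# /etc/apt/apt.conf.d/10periodic and 50unattended-upgrades instead.

# Value of APT::Periodic::KEY in FILE, skipping // comment lines (empty if unset).
apt_periodic_value() {
    grep -v '^[[:space:]]*//' "$1" \
        | sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
        | tail -n 1
}

# True only if the -security origin is an active (uncommented) Allowed-Origins entry.
security_origin_enabled() {
    grep -v '^[[:space:]]*//' "$1" | grep -q 'codename}-security"'
}

# Print "ok" when daily security patching is fully enabled, else a one-line
# reason; the exit status mirrors the verdict.
audit_auto_updates() {
    periodic=$1 uu=$2
    [ "$(apt_periodic_value "$periodic" Enable)" != "0" ] \
        || { echo "APT::Periodic::Enable is 0"; return 1; }
    # Interval keys default to 0 (never run) when absent, so empty fails too.
    for key in Update-Package-Lists Unattended-Upgrade; do
        v=$(apt_periodic_value "$periodic" "$key")
        [ -n "$v" ] && [ "$v" != "0" ] \
            || { echo "APT::Periodic::$key is off"; return 1; }
    done
    security_origin_enabled "$uu" \
        || { echo "-security origin is not in Allowed-Origins"; return 1; }
    echo ok
}

# Constructed sample configs in temporary files (not the host's real ones).
GOOD_PERIODIC=$(mktemp); GOOD_UU=$(mktemp); BAD_PERIODIC=$(mktemp)
cat >"$GOOD_PERIODIC" <<'EOF'
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat >"$GOOD_UU" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
};
EOF
# The guide's "Disable" step applied to the good file.
sed 's/Unattended-Upgrade "1"/Unattended-Upgrade "0"/' "$GOOD_PERIODIC" >"$BAD_PERIODIC"
audit_auto_updates "$GOOD_PERIODIC" "$GOOD_UU"   # prints "ok"
```

Running it against the disabled copy prints the failing key instead, which is what you want a configuration-drift check to report.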
Debugging
All actions are logged by default to ==/var/log/unattended-upgrades/unattended-upgrades.log==.
You can simulate installing updates and log extra debug output by running:
sudo unattended-upgrade --debug --dry-run
Example debug output:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
Congratulations! You’ve successfully configured automatic updates on your Ubuntu system. Was this guide useful to you? Has it saved you a lot of time from having to update your system manually? Let us know in the comments section.