How To Setup Automatic Updates and Security Patches on Ubuntu 16.04


Software developers continuously release updates to their packages, and Ubuntu regularly publishes security patches for vulnerabilities found in the OS.

If you do not keep these packages and security patches up to date, you leave the system exposed to attackers exploiting vulnerabilities that already have a fix available.

However, not everyone has the time to log into their server(s) every day and update them manually.

That's where a package named unattended-upgrades comes into play. As its name implies, it updates packages on your system without your attendance.

Install unattended-upgrades

If it's not already installed on your system, you can install the package by typing:

sudo apt-get update
sudo apt-get install unattended-upgrades

Configure Update Types

Now you need to configure what repositories will be automatically upgraded.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Only security upgrades are enabled by default (the snippet below also has the -updates pocket uncommented). Comment or uncomment the respective repositories according to your needs.

You can read about the different types of repositories here.

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Enable unattended-upgrades

In order to enable automatic updates, you'll need to edit /etc/apt/apt.conf.d/10periodic.

sudo nano /etc/apt/apt.conf.d/10periodic

Modify the values according to your needs.

// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Do "apt-get autoclean" every n-days (0=disable)
APT::Periodic::AutocleanInterval "21";

// Run the "unattended-upgrade" security upgrade script every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

// Send report mail to root
//  0: no report (or null string)
//  1: progress report (actually any string)
//  2: + command outputs (remove -qq, remove 2>/dev/null, add -d)
//  3: + trace on
APT::Periodic::Verbose "0";

Here's the configuration that I use. It checks for updates and downloads them daily.

APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

Blacklist Packages

If you want a specific package to not automatically update, you can add it to the blacklist.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Add the package name(s) you want blacklisted into Unattended-Upgrade::Package-Blacklist.

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};
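Blacklist entries are regular expressions that unattended-upgrades matches against the start of the package name (Python's re.match), so an unanchored entry such as "libc6" also blocks libc6-dev and libc6-i686; anchor it as "^libc6$" if you mean only that package. The following shell snippet is an added example, not code from the guide or from unattended-upgrades itself: it emulates that matching with grep -E (assumption: the entries are simple enough that the grep and Python regex dialects agree) over a constructed package list.

```shell
#!/bin/sh
# Emulate unattended-upgrades' Package-Blacklist matching: each entry is a
# regex tested at the START of the package name, so "libc6" is effectively
# "libc6.*". grep -E stands in for Python's re module (assumption).

# blacklist_hits PATTERN PKG... -> prints, one per line, the packages from the
# argument list that PATTERN would block.
blacklist_hits() {
    pattern="$1"; shift
    for pkg in "$@"; do
        # Leading "^" reproduces re.match's start-of-string anchoring.
        if printf '%s\n' "$pkg" | grep -Eq "^($pattern)"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Constructed sample package list, not taken from a real system.
SAMPLE_PKGS="libc6 libc6-dev libc6-i686 vim vim-common libcurl3"

# Stand-alone demo: show the unanchored entry catching more than intended.
echo "entry 'libc6' blocks:   $(blacklist_hits 'libc6' $SAMPLE_PKGS | tr '\n' ' ')"
echo "entry '^libc6\$' blocks: $(blacklist_hits '^libc6$' $SAMPLE_PKGS | tr '\n' ' ')"
```

Run it as-is to see the difference; to audit a real blacklist, feed it the package names from `dpkg-query -W -f='${Package}\n'`.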

Disable unattended-upgrades

If you decide that you no longer want to run unattended-upgrades, you can disable it by editing /etc/apt/apt.conf.d/10periodic.

sudo nano /etc/apt/apt.conf.d/10periodic

Change the value of APT::Periodic::Unattended-Upgrade to 0.

APT::Periodic::Unattended-Upgrade "0";
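One thing to check after editing 10periodic, whether you are enabling or disabling the job: apt reads every file in /etc/apt/apt.conf.d in lexical order, and a later file overrides an earlier one. If unattended-upgrades was ever configured with `dpkg-reconfigure unattended-upgrades`, a 20auto-upgrades file exists that sets the same keys and wins over 10periodic. The script below is an added example, not part of the guide or of apt: it computes the effective value of an APT::Periodic key from a directory of fragments, using a constructed temporary directory that reproduces that pitfall (the function name and the sample files are assumptions).

```shell
#!/bin/sh
# Compute the value apt will actually use for an APT::Periodic key by reading
# conf.d fragments in lexical order, last setting wins. Added example; on a
# real host the authoritative check is: apt-config dump | grep Periodic

# effective_value DIR KEY -> prints the last value any fragment in DIR assigns
# to KEY (lines of the form:  KEY "value";), or nothing if none does.
effective_value() {
    cfg_dir="$1"; key="$2"; value=""
    for f in "$cfg_dir"/*; do            # shell globs sort lexically, like apt
        [ -f "$f" ] || continue
        v=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    printf '%s\n' "$value"
}

# make_demo_dir -> prints the path of a constructed apt.conf.d directory in
# which 10periodic turns the upgrade job off but 20auto-upgrades turns it
# back on (constructed sample, not copied from a real system).
make_demo_dir() {
    demo=$(mktemp -d)
    cat > "$demo/10periodic" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF
    cat > "$demo/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    printf '%s\n' "$demo"
}

# Stand-alone demo: the "0" in 10periodic is silently overridden.
demo_dir=$(make_demo_dir)
echo "constructed dir: Unattended-Upgrade=$(effective_value "$demo_dir" APT::Periodic::Unattended-Upgrade)"
rm -rf "$demo_dir"
if [ -d /etc/apt/apt.conf.d ]; then
    echo "this host: Unattended-Upgrade=$(effective_value /etc/apt/apt.conf.d APT::Periodic::Unattended-Upgrade)"
fi
```

If the "this host" line still shows 1 after you set 0 in 10periodic, edit (or remove) the later fragment as well.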

Debugging

All actions are logged by default to /var/log/unattended-upgrades/unattended-upgrades.log.

You can simulate installing updates and log extra debug output by running:

sudo unattended-upgrade --debug --dry-run

Example debug output:

Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals
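Reading that log by hand every day defeats the purpose of automating updates, so here is an added example (not from the guide or from the unattended-upgrades project) of a few shell checks you can run over it: when the job last started, whether that run completed, whether a -security origin was among the allowed origins, and which packages have been upgraded. The sample log is constructed to mirror the line format shown in the debug output above; the timestamps, package names and function names are assumptions.

```shell
#!/bin/sh
# Sanity checks over /var/log/unattended-upgrades/unattended-upgrades.log.
# The sample below is a constructed log in the same format; pass the real
# path to the functions on a live host.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2017-02-13 06:41:02,114 INFO Starting unattended upgrades script
2017-02-13 06:41:02,115 INFO Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial']
2017-02-13 06:41:05,320 INFO No packages found that can be upgraded unattended and no pending auto-removals
2017-02-14 06:33:51,804 INFO Starting unattended upgrades script
2017-02-14 06:33:51,804 INFO Allowed origins are: ['o=Ubuntu,a=xenial', 'o=Ubuntu,a=xenial-security', 'o=UbuntuESM,a=xenial']
2017-02-14 06:33:54,110 INFO Packages that will be upgraded: libssl1.0.0 openssl
2017-02-14 06:34:20,505 INFO All upgrades installed
EOF

# last_run_date LOG -> YYYY-MM-DD of the most recent run start.
last_run_date() {
    grep 'Starting unattended upgrades script' "$1" | tail -n 1 | cut -d' ' -f1
}

# security_origin_allowed LOG -> exit 0 if the most recent run listed a
# *-security origin, 1 otherwise (a run without it installs no patches).
security_origin_allowed() {
    grep 'Allowed origins are:' "$1" | tail -n 1 | grep -q -- '-security'
}

# upgraded_packages LOG -> space-separated, sorted, de-duplicated names of
# every package the log reports as upgraded.
upgraded_packages() {
    sed -n 's/.*Packages that will be upgraded: //p' "$1" \
        | tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# last_run_outcome LOG -> "installed", "nothing-to-do" or "incomplete"
# (the last run started but never logged a completion line).
last_run_outcome() {
    # Keep only the lines after the most recent run start.
    last_run=$(awk '/Starting unattended upgrades script/{buf=""} {buf=buf $0 "\n"} END{printf "%s", buf}' "$1")
    case "$last_run" in
        *"All upgrades installed"*)                              echo installed ;;
        *"No packages found that can be upgraded unattended"*)   echo nothing-to-do ;;
        *)                                                       echo incomplete ;;
    esac
}

# Stand-alone demo on the constructed log.
echo "last run:          $(last_run_date "$SAMPLE_LOG")"
echo "outcome:           $(last_run_outcome "$SAMPLE_LOG")"
if security_origin_allowed "$SAMPLE_LOG"; then echo "security origin:   allowed"; else echo "security origin:   MISSING"; fi
echo "upgraded packages: $(upgraded_packages "$SAMPLE_LOG")"
```

Wrap these in a cron job or monitoring check that alerts when the last run date is stale, the outcome is "incomplete", or the security origin is missing; those are the three ways an unattended setup quietly stops patching.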

Congratulations! You've successfully configured automatic updates on your Ubuntu system. Was this guide useful to you? Has it saved you a lot of time from having to update your system manually? Let us know in the comments section.