When operating servers, you’re responsible for keeping them up to date with the latest security fixes. Ubuntu comes with a mechanism that installs updates automatically so you don’t have to worry about it. Obviously, this is meant for personal servers operated by hobbyists where convenience is more important than availability. In a professional environment, you would test new packages first because seemingly innocent changes may break complex applications.
Unattended upgrades are triggered by the nightly apt cron job, /etc/cron.daily/apt, and are easy to set up. Install the following two packages to get started:
$ sudo apt-get install unattended-upgrades update-notifier-common
The update-notifier-common package is optional; it provides a mechanism for other packages to register a reboot request. Some packages like the Linux kernel require a system reboot for changes to take effect, but without update-notifier-common, automatic reboots will not work and you also won't get a notification on login.
Once the packages are installed, you have to enable upgrades explicitly:
$ sudo dpkg-reconfigure unattended-upgrades
Select "yes" in the text menu that pops up. This will set two apt configuration properties in /etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
These two settings make sure that package lists are updated via apt-get update and that the /usr/bin/unattended-upgrade script is run. You can configure unattended-upgrades further through its configuration file in /etc/apt/apt.conf.d/50unattended-upgrades. The default configuration just upgrades packages; to also enable automatic reboots, you need to set the following property:
Unattended-Upgrade::Automatic-Reboot "true";
Make sure you read the comments inside the configuration file carefully; there are a few more features that you may find interesting. For example, if you have a working mail server on your system, you can have unattended-upgrades send status emails about installed packages. This is very useful so you can log into the system after an upgrade to check if it broke anything. Or you could disable automatic reboots and reboot the system manually if the status email tells you that a restart is required.
Once you're done configuring the system, it makes sense to monitor the log files in /var/log/unattended-upgrades/ for a few days to see if everything works as intended. Usually, security fixes are published several times a week, so you won't have to wait long to see unattended-upgrades in action.
Thxs! I linked you in my blog: http://kiansblog.com/
Thanks for the post. I have a VPS from RamNode with Ubuntu 14.04 Minimal installed on it and it was missing cron-apt. After I installed it with apt-get install cron-apt I noticed /etc/cron.daily/apt was empty so I just copied the default config from another Ubuntu 14.04 machine. It should be working now. :)
Thanks for this but why does it differ so much with the official doc:
https://help.ubuntu.com/lts/serverguide/automatic-updates.html
So confusing why they have so many files in that directory that are editable? Thanks!
To clarify I mean… why do they say edit `10periodic` but you say to edit only `20auto-upgrades` for these settings? sorry for double posting…
The difference actually isn’t that big. The only relevant changes they’re making in 10periodic is updating package lists and enabling unattended upgrades. In my opinion, this should be done through dpkg-reconfigure like I described above, but eventually it doesn’t matter how those two properties are set (you don’t have to edit 20auto-upgrades manually, that’s what dpkg-reconfigure does for you).
thanks for your reply Matthias… but from my understanding if following your way then these following settings get left out?
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
or, can we add these settings to `20auto-upgrades` instead of `10periodic`?
thanks again for your time
The following two settings are not left out:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
They are written by the dpkg-reconfigure command to 20auto-upgrades, like I wrote in the article. The other two you listed are not important for the security upgrade part of unattended-upgrades; my setup works fine without them. They just run "apt-get autoclean" once a week and "apt-get upgrade --download-only" daily. You can set them if you want that functionality or just to be sure though :)
Pingback: Detecting Security Upgrades on Ubuntu | Matthias Friedrich's Blog