Keeping Your Server Secure With Unattended Upgrades

When operating servers, you're responsible for keeping them up to date with the latest security fixes. Ubuntu ships a mechanism, unattended-upgrades, that installs security updates automatically so you don't have to run apt by hand after every advisory. This is meant for personal servers operated by hobbyists, where convenience matters more than availability. In a professional environment you would test new packages in staging first, because seemingly innocent changes can break complex applications, and an automatic reboot at an unplanned time is an outage.

Unattended upgrades are triggered by the daily apt job: on older releases that is the cron job /etc/cron.daily/apt, on systemd-based releases it is the apt-daily.timer and apt-daily-upgrade.timer units, which run /usr/lib/apt/apt.systemd.daily. Either way, setup is easy. Install the following two packages to get started:

$ sudo apt-get install unattended-upgrades update-notifier-common

The update-notifier-common package is optional: it provides the mechanism by which other packages register a reboot request, the flag file /var/run/reboot-required. Some packages, like the Linux kernel, require a system reboot for changes to take effect; without update-notifier-common the flag is never written, so automatic reboots will not trigger and you also won't get the "System restart required" notice on login.

Once the packages are installed, you have to enable upgrades explicitly:

$ sudo dpkg-reconfigure unattended-upgrades

Select "yes" in the text menu that pops up. This writes two apt configuration properties to /etc/apt/apt.conf.d/20auto-upgrades:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

These two settings make sure that the package lists are refreshed (the equivalent of apt-get update) and that the /usr/bin/unattended-upgrade script is run. Everything else is controlled by /etc/apt/apt.conf.d/50unattended-upgrades. The default configuration only installs packages from the origins listed under Unattended-Upgrade::Allowed-Origins (the Ubuntu security pocket) and never reboots. To also enable automatic reboots, set the following property:

Unattended-Upgrade::Automatic-Reboot "true";

Make sure you read the comments inside the configuration file carefully; there are a few more features that you may find interesting. Unattended-Upgrade::Automatic-Reboot-Time lets you pin the reboot to a quiet hour instead of whenever the job happens to run. If you have a working mail server on your system, Unattended-Upgrade::Mail has unattended-upgrades send a status email listing the installed packages. This is very useful: you can log into the system after an upgrade to check whether it broke anything, or disable automatic reboots and reboot manually when the status email tells you that a restart is required.
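The whole procedure above as one non-interactive script, added here as an example; it is not code from the original article or from the unattended-upgrades package. It writes the same two APT::Periodic switches that dpkg-reconfigure writes, puts the reboot and mail settings in a separate drop-in file (the name 52unattended-upgrades-local is my choice; any file in /etc/apt/apt.conf.d that sorts after 50unattended-upgrades works) so the packaged conffile stays untouched, and finishes with a dry run. The functions take the target directory as a parameter so they can be rehearsed against a scratch directory; only running the script with the argument "apply" touches the real system.

```sh
#!/bin/sh
# Non-interactive unattended-upgrades setup. Added example; not part of the
# original article or the unattended-upgrades package. Run with "apply" to
# touch the real system; without arguments it only defines the functions.
set -eu

# The two switches dpkg-reconfigure writes when you answer "yes".
write_auto_upgrades() {
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
}

# Local settings go in their own file (the name is my choice) that sorts after
# the packaged 50unattended-upgrades, so later upgrades of the package never
# prompt about a modified conffile. Mail needs a working MTA on the host.
write_local_overrides() {
    confdir=$1; mailto=$2; reboot_time=$3
    cat > "$confdir/52unattended-upgrades-local" <<EOF
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "$reboot_time";
Unattended-Upgrade::Mail "$mailto";
EOF
}

# Has a package (typically the kernel) asked for a reboot? The flag file is
# created by update-notifier-common; without that package it never appears.
reboot_required() {
    [ -f "${1:-/var/run/reboot-required}" ]
}

apply_to_system() {
    export DEBIAN_FRONTEND=noninteractive
    apt-get install -y unattended-upgrades update-notifier-common
    write_auto_upgrades /etc/apt/apt.conf.d
    write_local_overrides /etc/apt/apt.conf.d "${MAILTO:-root}" "${REBOOT_AT:-02:00}"
    # Confirm apt sees the merged settings (set -e aborts if none match),
    # then rehearse a run that changes nothing.
    apt-config dump | grep -E '^(APT::Periodic|Unattended-Upgrade::(Automatic-Reboot|Mail))'
    unattended-upgrade --dry-run --debug
    if reboot_required; then echo "a reboot is already pending"; fi
}

if [ "${1:-}" = apply ]; then
    apply_to_system
fi
```

MAILTO and REBOOT_AT are environment variables of this script, not settings the package knows about; they only feed the two apt properties above.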

Once you're done configuring the system, monitor the log files in /var/log/unattended-upgrades/ (unattended-upgrades.log records the script's decisions, unattended-upgrades-dpkg.log the dpkg output) for a few days to see if everything works as intended. You don't have to wait for the timer: sudo unattended-upgrade --dry-run --debug rehearses a run immediately without installing anything. Security fixes are usually published several times a week, so you won't have to wait long to see unattended-upgrades in action.
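A small triage helper for that log, added here as an example; it is not from the original article or from the unattended-upgrades project. The log lines in the sample are constructed, modelled on the real file's "timestamp LEVEL message" layout, so the script runs offline; on a real host point UU_LOG at the real file. The verdict rule is mine: any WARNING or ERROR line means the run needs attention (held-back packages, conffile prompts), "All upgrades installed" means a run did work, and otherwise the job has been idle.

```sh
#!/bin/sh
# Daily triage of unattended-upgrades.log. Added example, not code from the
# original article or the unattended-upgrades project.
set -eu

LOG=${UU_LOG:-/var/log/unattended-upgrades/unattended-upgrades.log}

# Package list from the most recent run that actually upgraded something.
last_upgraded() {
    grep 'Packages that will be upgraded:' "$1" | tail -n 1 | sed 's/.*upgraded: *//'
}

# "<runs that installed something> <runs that found nothing to do>"
count_runs() {
    done_=$(grep -c 'All upgrades installed' "$1" || true)
    idle=$(grep -c 'No packages found that can be upgraded unattended' "$1" || true)
    printf '%s %s\n' "$done_" "$idle"
}

# WARNING/ERROR lines: held-back packages, conffile prompts, failed dpkg runs.
problems() {
    grep -E '^[0-9-]+ [0-9:,]+ (WARNING|ERROR) ' "$1" || true
}

# One word for a cron mail or a monitoring check: attention, ok, or idle.
verdict() {
    if [ -n "$(problems "$1")" ]; then
        echo attention
    elif grep -q 'All upgrades installed' "$1"; then
        echo ok
    else
        echo idle
    fi
}

# Constructed sample in the real file's layout; not taken from any system.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
2024-03-04 06:12:01,445 INFO Starting unattended upgrades script
2024-03-04 06:12:01,446 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-03-04 06:12:07,102 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-03-05 06:09:33,210 INFO Starting unattended upgrades script
2024-03-05 06:09:33,211 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-03-05 06:09:40,877 INFO Packages that will be upgraded: libssl3 openssl
2024-03-05 06:09:40,880 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-03-05 06:10:02,314 INFO All upgrades installed
2024-03-05 06:10:02,315 WARNING Package libfoo1 has conffile prompt and needs to be upgraded manually
EOF

# Human-readable summary of one log file.
report() {
    f=$1
    echo "log:     $f"
    echo "runs:    $(count_runs "$f")"
    echo "last:    $(last_upgraded "$f")"
    echo "verdict: $(verdict "$f")"
    problems "$f"
}

# Report on the sample, then on the real log if this host has one.
report "$SAMPLE"
if [ -r "$LOG" ]; then
    report "$LOG"
fi
```

For the sample the verdict is "attention": the run installed the openssl fix but held back a package with a conffile prompt, which is exactly the case where you want to log in and finish the upgrade by hand.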
