How To Enable and Setup Automatic Unattended Security Updates on Ubuntu 16.04 or 18.04

This post will guide you how to enable and set up automatic unattented security updates on your Ubuntu 16.04 or 18.04 Linux systems. How do I configure unattented automatic updates under Ubuntu Linux systems.

• Installing Unattended Upgrades Package
• Configuring Unattended Automatic Upgrades
• Enabling Unattended Automatic upgrades
• Checking Unattended Automatic upgrades

Installing Unattended Upgrades Package

You need to install the unattented-upgrades package in your Ubuntu system, and this package can be used to install updated packages automaticlly. And you can install it by the default Ubuntu Apt repository, just type the following command at the shell prompt from the command line:

$ sudo apt update
$ sudo apt install unattented-upgrades

Outputs:

devops@devops:~$ sudo apt install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
bsd-mailx default-mta | mail-transport-agent needrestart
The following NEW packages will be installed:
unattended-upgrades
0 upgraded, 1 newly installed, 0 to remove and 36 not upgraded.
Need to get 41.0 kB of archives.
After this operation, 393 kB of additional disk space will be used.
Get:1 http://mirrors.aliyun.com/ubuntu bionic-updates/main amd64 unattended-upgrades all 1.1ubuntu1.18.04.11 [41.0 kB]
Fetched 41.0 kB in 0s (266 kB/s)
Preconfiguring packages ...
Selecting previously unselected package unattended-upgrades.
(Reading database ... 185900 files and directories currently installed.)
Preparing to unpack .../unattended-upgrades_1.1ubuntu1.18.04.11_all.deb ...
Unpacking unattended-upgrades (1.1ubuntu1.18.04.11) ...
Setting up unattended-upgrades (1.1ubuntu1.18.04.11) ...

Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version

Creating config file /etc/apt/apt.conf.d/50unattended-upgrades with new version
Created symlink /etc/systemd/system/multi-user.target.wants/unattended-upgrades.service → /lib/systemd/system/unattended-upgrades.service.
Synchronizing state of unattended-upgrades.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unattended-upgrades
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
devops@devops:~$

Once the unattended-upgrades package is installed on your ubuntu system, and the Unattended upgrades server will be enabled and started automaticlly. you can check its status by running the following command:

$ systemctl status unattended-upgrades

Outputs:

devops@devops:~$ systemctl status unattended-upgrades
unattended-upgrades.service - Unattended Upgrades Shutdown
Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-10-02 23:34:50 EDT; 15min ago
Docs: man:unattended-upgrade(8)
Main PID: 1200 (unattended-upgr)
Tasks: 2 (limit: 1121)
CGroup: /system.slice/unattended-upgrades.service
└─1200 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Oct 02 23:34:50 devops systemd[1]: Started Unattended Upgrades Shutdown.
Oct 02 23:48:36 devops systemd[1]: unattended-upgrades.service: Current command vanished from the unit file, execution of the command list won't be resumed.

Configuring Unattended Automatic Upgrades

You can configure the unattended-upgrades configuration file is located in the “/etc/apt/apt.conf.d” directory, and you need to edit the configuration file called 50unattended-upgrades to define upgrade type or blanklist updates.

For example, you can use your vi or vim text editor to open the configuration file “50unattended-upgrades“, and then you need comment all lines and leave only the security line in the first “Allowed-Origins” section. And it will only update all security updates. If you want to update other packages, and you can uncomment other origins. See below type definition for security updates only:

Unattended-Upgrade::Allowed-Origins {
// "${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
// "${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

If you do not want some certain packages to be updated, and you can add it to the pacakge blacklist, and regexp are supported. see below:

Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};

If you want to get an email notification for every updates, and you can uncomment the following two lines and type your own emial address for receiving notification.

Unattended-Upgrade::Mail "mytest@gmail.com";
Unattended-Upgrade::MailOnlyOnError "true";

Save and close the file.

Enabling Unattended Automatic upgrades

You still need to enable automatic updates in your ubuntu system, and you need to edit the configuration file called “20auto-upgrades” under /etc/apt/apt.conf.d/ directory using vim text editor:

$ sudo vim /etc/apt/apt.conf.d/20auto-upgrades

you need to make the configuration as below:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

Save and close the file.

Checking Unattended Automatic upgrades

Once Unattended Automatic upgrades is configured in the above steps, and you can now check whether the automatic upgrades works well or not by running the following command:

$ sudo unattended-upgrades --dry-run --debug

Outputs:

devops@devops:~$ sudo unattended-upgrade --dry-run --debug
[sudo] password for devops:
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic-security
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\
......

adjusting candidate version: systemd-sysv=237-3ubuntu10.29
Checking: udev ([<Origin component:'main' archive:'bionic-proposed' origin:'Ubuntu' label:'Ubuntu' site:'mirrors.aliyun.com' isTrusted:True>])
adjusting candidate version: udev=237-3ubuntu10.29
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
fetch.run() result: 0
blacklist: []
whitelist: []
No packages found that can be upgraded unattended and no pending auto-removals

Conclusion

You should know that how to set up and configure automatic security updates in your Ubuntu or Debian Linux system.