Unattended upgrades

Having the latest security patches and updates installed, whether you're asleep or not, is a very good idea. You can automate this process to make sure your server stays patched. You should always update your systems and applications everywhere, on every device, to avoid unpleasant situations.


Manual updates

That's easy:

sudo apt update && sudo apt upgrade

or

sudo apt update && sudo apt dist-upgrade

Differences between upgrade and dist-upgrade

upgrade
upgrade is used to install the newest versions of all packages
currently installed on the system from the sources enumerated in
/etc/apt/sources.list. Packages currently installed with new
versions available are retrieved and upgraded; under no
circumstances are currently installed packages removed, or packages
not already installed retrieved and installed. New versions of
currently installed packages that cannot be upgraded without
changing the install status of another package will be left at
their current version. An update must be performed first so that
apt-get knows that new versions of packages are available.

and

dist-upgrade
dist-upgrade in addition to performing the function of upgrade,
also intelligently handles changing dependencies with new versions
of packages; apt-get has a “smart” conflict resolution system, and
it will attempt to upgrade the most important packages at the
expense of less important ones if necessary. So, dist-upgrade
command may remove some packages. The /etc/apt/sources.list file
contains a list of locations from which to retrieve desired package
files. See also apt_preferences(5) for a mechanism for overriding
the general settings for individual packages.

Automatic updates

Install the unattended-upgrades package, along with apt-listchanges, which reports what changed in each upgraded package:

sudo apt -y install unattended-upgrades apt-listchanges

Edit the 20auto-upgrades configuration file:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

and your configuration file should look like this:

// Enable unattended upgrades.
APT::Periodic::Enable "1";
// Run the unattended-upgrade script every n-days (0=disable).
APT::Periodic::Unattended-Upgrade "1";
// Do "apt-get update" every n-days (0=disable).
APT::Periodic::Update-Package-Lists "1";
// Do "apt-get upgrade --download-only" every n-days (0=disable).
APT::Periodic::Download-Upgradeable-Packages "1";
// Do "apt-get autoclean" every n-days (0=disable).
APT::Periodic::AutocleanInterval "7";

Edit the 50unattended-upgrades configuration:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

and your configuration file should look like this:

// Automatically upgrade packages from these origin/archive patterns
// (the short "o=/a=" form and the long "origin=/codename=/label=" form both work).
Unattended-Upgrade::Origins-Pattern {
"o=Debian,a=stable";
"o=Debian,a=stable-updates";
// proposed-updates holds packages not yet accepted into a point release.
"o=Debian,a=proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};

// You can specify your own packages to NOT automatically upgrade here
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};

// Automatically run "dpkg --force-confold --configure -a" to recover from an interrupted run.
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
// Install upgrades when the machine is shutting down instead of doing it in the background.
Unattended-Upgrade::InstallOnShutdown "false";
// Email address to receive info about progress (replace the placeholder with a real mailbox).
Unattended-Upgrade::Mail "YOUR_EMAIL";
// Email notification will be sent only when an error occurs.
Unattended-Upgrade::MailOnlyOnError "true";
// Do automatic removal of new unused dependencies after the upgrade.
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// If you want your server to reboot when it's necessary then set this to true.
Unattended-Upgrade::Automatic-Reboot "false";
// Automatically reboot even if there are users currently logged in (only matters when Automatic-Reboot is true).
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// If automatic reboot is enabled and needed, reboot at the specific time ("now" or e.g. "02:00").
Unattended-Upgrade::Automatic-Reboot-Time "now";
// Force dpkg to keep the local config file when a package ships a new default.
Dpkg::Options {
"--force-confdef";
"--force-confold";
};

Open /etc/apt/listchanges.conf to configure APT to save the changes to a database:

[apt]
frontend=pager
email_address=YOUR_EMAIL
confirm=0
save_seen=/var/lib/apt/listchanges.db
which=news

unattended-upgrades is running automatically and is called via cronjob.

If you want to debug it, you can run it manually with the -d (debug) parameter:

sudo unattended-upgrades -d

All logs can be found here: /var/log/unattended-upgrades/unattended-upgrades.log
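As an added example (not part of the original post), here is a small Python audit that parses the apt.conf fragments from the 20auto-upgrades and 50unattended-upgrades steps above and reports the settings a defender would want to verify: the periodic keys are on, the Debian-Security origin is present, the Mail placeholder was replaced, and whether reboots are left to a human. It assumes the subset of apt.conf syntax these fragments use and reads a constructed sample instead of the real files.

```python
import re
# Constructed sample (not a real host's file): the key settings from the fragments above.
SAMPLE_CONF = r'''
APT::Periodic::Enable "1";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern {
"o=Debian,a=stable";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
};
Unattended-Upgrade::Package-Blacklist {
// "vim";
};
Unattended-Upgrade::Mail "YOUR_EMAIL";
Unattended-Upgrade::Automatic-Reboot "false";
'''

def parse_apt_conf(text):
    """Parse the apt.conf subset used above: `Key "value";` scalars and `Key { "a"; };`
    lists, // comments stripped (values must not contain '//'). Returns {key: str|list}."""
    conf, current_list = {}, None
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line:
            continue
        if current_list is not None:  # inside a { ... } list body
            if line.startswith("}"):
                current_list = None
            elif (m := re.match(r'"([^"]*)"\s*;', line)):
                conf[current_list].append(m.group(1))
            continue
        if (m := re.match(r'([\w:\-]+)\s+"([^"]*)"\s*;', line)):
            conf[m.group(1)] = m.group(2)
        elif (m := re.match(r'([\w:\-]+)\s*\{', line)):
            current_list, conf[m.group(1)] = m.group(1), []
    return conf

def audit(conf):
    """Return the findings a defender wants fixed before trusting the setup."""
    findings = []
    for key in ("Enable", "Update-Package-Lists", "Unattended-Upgrade"):
        if conf.get("APT::Periodic::" + key) != "1":
            findings.append(f"APT::Periodic::{key} is not \"1\": the periodic run is incomplete")
    origins = conf.get("Unattended-Upgrade::Origins-Pattern", [])
    if not any("Debian-Security" in o for o in origins):
        findings.append("no Debian-Security origin: security fixes are not auto-applied")
    if conf.get("Unattended-Upgrade::Mail") in (None, "", "YOUR_EMAIL"):
        findings.append("Mail is unset or still the placeholder: failures go unnoticed")
    if conf.get("Unattended-Upgrade::Automatic-Reboot") != "true":
        findings.append("Automatic-Reboot is off: kernel/libc fixes wait for a manual reboot")
    return findings
```

On a real host, feed it the concatenated text of the two files under /etc/apt/apt.conf.d/ instead of SAMPLE_CONF; the sample as written yields two findings (the Mail placeholder and the disabled automatic reboot).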

Now you can sleep peacefully ;)