How to Configure Unattended Upgrades on Debian 12/11/10

Debian is a widely used Linux-based operating system renowned for its versatility and expansive collection of software packages and tools. However, keeping the system up-to-date and secure can be challenging, given the significant volume of packages and updates available. To help streamline this process, the Unattended Upgrades Package can be utilized.

The Unattended Upgrades Package is a valuable utility that automates the process of updating and securing the Debian system. It enables automatic downloading, installation, and configuration of security and software updates, thus ensuring that the system is always secure and up-to-date without any manual intervention.

This package boasts several benefits and features, including:

  • Automatic Updates: The Unattended Upgrades Package can automatically download and install security and software updates without manual intervention.
  • Security: The package installs the latest security updates, providing additional security and protecting the system from potential vulnerabilities and attacks.
  • Customization: Users can configure the package to install updates for specific packages or exclude particular packages from the update process based on their needs.
  • Logging and Notifications: The package logs all updates and sends notifications to the user when updates are installed, providing complete visibility into the update process.

Configuring and setting up the Unattended Upgrades Package is a straightforward process that can be done using the command line terminal. This guide describes the Unattended Upgrades Package, its features, and its advantages, and walks you through setting up and configuring it on Debian 12 Bookworm, Debian 11 Bullseye, or Debian 10 Buster using the command line terminal.

Step 1: Update Debian

Before installing and setting up the Unattended Upgrades Package, it is recommended that you update your Debian system to avoid any conflicts. To update your Debian system, open the terminal and enter the following command:

sudo apt update && sudo apt upgrade

This command will update all the installed packages and their dependencies to the latest versions. Depending on the number of updates available for your system, it may take some time.

Step 2: Install Unattended-Upgrades Package

To install the Unattended Upgrades Package on your Debian system, you will need to open the terminal and enter the following command:

sudo apt install unattended-upgrades

This command will install the package and all its dependencies on your system. Note that the package should already be installed by default, but if you have removed it, you can use the above command to reinstall it.

If you want your Debian system to automatically restart after applying upgrades requiring a system restart, you must install the apt-config-auto-update package. Use the following command to install it:

sudo apt install apt-config-auto-update

For laptop users, it is recommended to install the powermgmt-base package so that the unattended-upgrades options that depend on battery status can be used. To install this package, open the terminal and enter the following command:

sudo apt install powermgmt-base

Once the package is installed, you must configure it to meet your needs. For example, you may want to customize which updates to install automatically, which to ignore, and when to install them. Note that the Unattended Upgrades Package requires root privileges, so you must run all the commands mentioned in this guide with the sudo command.

Verifying that the Unattended Upgrades Package is working correctly is also recommended. To do this, open the terminal and enter the following command:

sudo unattended-upgrades --dry-run --debug

Being familiar with the systemctl commands for Unattended Upgrades is important, as you may need to check the status after making changes or restarting. To check the status of Unattended Upgrades, use the following command:

systemctl status unattended-upgrades

The following systemctl commands will allow you to start, stop, enable on boot, disable on boot, or restart the Unattended Upgrades service:

Start the unattended services:

sudo systemctl start unattended-upgrades

Stop the unattended services:

sudo systemctl stop unattended-upgrades

Enable on boot the unattended services:

sudo systemctl enable unattended-upgrades

Disable on boot the unattended services:

sudo systemctl disable unattended-upgrades

Restart the unattended services:

sudo systemctl restart unattended-upgrades

Section 3: Configure Unattended Upgrades

This section covers the configuration of Unattended Upgrades package settings in the configuration file using terminal commands. It is important to note that these settings are optional and can be personalized according to your requirements. Each setting will be explained in detail to help you understand its purpose and functionality. This will enable you to make informed decisions when configuring the Unattended Upgrades package on your Debian system.

Before going into the configuration file, here is a summary of all CLI options for the Unattended Upgrades package with explanations:

Option                       Description
-h, --help                   Displays the help message and exits
-d, --debug                  Enables debug messages
--apt-debug                  Makes apt/libapt print verbose debug messages
-v, --verbose                Enables info messages
--dry-run                    Simulates upgrade process and downloads but does not install
--download-only              Only downloads upgrades; do not attempt to install them
--minimal-upgrade-steps      Upgrades packages in minimal steps (and allows interruption with SIGTERM) – this is the default behavior
--no-minimal-upgrade-steps   Upgrades all packages together instead of in smaller sets

These options control the behavior of the automatic upgrade process when you run the unattended-upgrades command in the terminal. For example, the --dry-run option can be useful for testing the upgrade process without actually making any changes to the system, while the --download-only option can be used to download the upgrades without installing them.

The --minimal-upgrade-steps option is the default behavior for Unattended Upgrades, while the --no-minimal-upgrade-steps option upgrades all packages together instead of in smaller sets. Understanding these options when configuring Unattended Upgrades is crucial to ensure that the behavior matches your preferences and requirements.

Modifying Unattended Upgrades Configuration File

To modify the configuration file, it is recommended to use a text editor with root privileges, such as nano. You can use the following command to open the configuration file in nano editor:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Once opened, you can modify various options as per your requirements. To activate an option, remove the comment marker (“//” or “#”) from the start of its line; options that remain commented out stay inactive.

After making any changes to the configuration file, it is essential to run the following command to test the changes:

sudo unattended-upgrades --dry-run --debug

This command will simulate an upgrade run and display any errors or warnings that may occur due to the changes you made to the configuration file. If everything looks good, you can then run the command below to perform the actual upgrade:

sudo unattended-upgrades

There are several options that you can modify in the configuration file. Here are some examples:

Allowed Origins

By default, the Unattended Upgrades package only allows updates from the security and update repositories. You can add other repositories by uncommenting this option in the configuration file and specifying the desired sources. An example is provided below.

Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}";
      "${distro_id}:${distro_codename}-security";
      "${distro_id}:${distro_codename}-updates";
      "${distro_id}:${distro_codename}-proposed";
      "${distro_id}:${distro_codename}-backports";
};

Package Blacklist

This setting allows you to select packages that you do not want to update automatically. To do this, remove the comment from this option and add the names of the packages you want to exclude, as illustrated in the example below:

Unattended-Upgrade::Package-Blacklist {
      "my-package";
      "my-other-package";
};

AutoFixInterruptedDpkg

This setting determines if the system should automatically fix interrupted “dpkg” installations. To activate automatic fixing, change the value to “true,” as demonstrated in the example below:

Unattended-Upgrade::AutoFixInterruptedDpkg "true";

DevRelease “auto”

This option controls whether to upgrade to the development release automatically. By default, this option is turned off. To enable automatic upgrades to the development release, set the value to “auto,” as illustrated in the following example:

Unattended-Upgrade::DevRelease "auto";

MinimalSteps “true”

This option determines whether to perform upgrades in minimal steps. By default, this option is enabled. To disable minimal steps and perform upgrades in a single step, set the value to “false” as shown in the example below:

Unattended-Upgrade::MinimalSteps "false";

InstallOnShutdown “false”

This option determines whether to install upgrades during system shutdown. By default, this option is disabled. To enable installation on shutdown, set the value to “true” as illustrated in the example below:

Unattended-Upgrade::InstallOnShutdown "true";

Mail

This option specifies the email address where notifications should be sent. By default, notifications are not sent. To set a specific email address, add it as a string value, as shown in the example below:

Unattended-Upgrade::Mail "example@mail.com";

MailReport “on-change”

This option determines when to send email notifications. By default, notifications are only sent when there is a change. To send notifications every time, set the value to “on-start” as shown in the example below:

Unattended-Upgrade::MailReport "on-start";

Remove-Unused-Kernel-Packages

This option determines whether to remove kernel packages no longer in use after an upgrade. By default, this option is enabled. To prevent the removal of unused kernel packages, set the value to “false” as shown in the example below:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";

Remove-New-Unused-Dependencies

This option controls the removal of new dependencies that the system no longer requires after package upgrades. By default, it is enabled, and any newly installed dependencies that are no longer needed will be automatically removed from your system. To enable this option explicitly, use the following line:

Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

If you wish to retain the new dependencies, you can turn off this option by setting the value to “false”. Keep in mind, however, that this can lead to the accumulation of unused dependencies on your system, which can take up significant disk space.

Remove-Unused-Dependencies

This option allows you to remove unused dependencies after an upgrade. By default, this option is not enabled. To activate this option and remove unused dependencies, set the value to “true” as shown in the example below:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatic-Reboot

This option determines whether the system should automatically reboot after an upgrade. By default, this option is disabled. To enable automatic reboot, set the value to “true” as demonstrated in the example below:

Unattended-Upgrade::Automatic-Reboot "true";

Automatic-Reboot-WithUsers

This option determines whether the system should automatically reboot after an upgrade while users are logged in. By default, this option is enabled. To disable automatic reboot while users are logged in, set the value to “false” as shown in the example below:

Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Automatic-Reboot-Time

This option specifies the time for the system to reboot automatically after an upgrade. By default, the reboot time is set to “02:00”. To modify the reboot time, change the value as shown in the example below:

Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Acquire::http::Dl-Limit

This option sets the maximum download speed for package downloads in kilobytes per second. By default, this option is not enabled. To activate a download speed limit, set the value to the desired speed in kilobytes per second, as shown in the example below:

Acquire::http::Dl-Limit "100";

SyslogEnable

This option specifies whether to log upgrade events to the system log. By default, this option is enabled. To disable logging, set the value to “false” as demonstrated in the example below:

Unattended-Upgrade::SyslogEnable "false";

SyslogFacility

This option specifies which facility to log upgrade events to. By default, events are logged to the “daemon” facility. To change the facility, modify the value as shown in the example below:

Unattended-Upgrade::SyslogFacility "local7";

OnlyOnACPower

This option specifies whether to perform upgrades only when the system is connected to AC power. By default, this option is disabled. To enable upgrades only on AC power, set the value to “true” as illustrated in the example below:

Unattended-Upgrade::OnlyOnACPower "true";

Skip-Updates-On-Metered-Connections

This option determines whether updates should be skipped when the system is connected to a metered connection. This option is enabled by default, so updates won’t be downloaded when using a metered connection. To download updates on metered connections, set the value to “false” as shown in the example below:

Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";

Verbose

This option specifies whether to display detailed upgrade information. By default, this option is disabled. To enable verbose output, set the value to “true” as shown in the example below:

Unattended-Upgrade::Verbose "true";

Debug

This option determines whether to output debug information during upgrades. By default, this option is disabled. To enable debug output, set the value to “true” as illustrated in the example below:

Unattended-Upgrade::Debug "true";

Allow-downgrade

This option determines whether downgrades of packages are allowed during upgrades. By default, this option is disabled. To enable downgrades, set the value to “true” as shown in the example below:

Unattended-Upgrade::Allow-downgrade "true";

Please remember that enabling downgrades can be risky and cause system instability or expose security vulnerabilities. It is advised to only use this option when needed and to thoroughly assess potential risks.
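
The script below is an added example, not part of the original guide or of the unattended-upgrades package. It reads a configuration file in the format shown above, ignores commented-out lines, and reports active settings that deserve a second look: Allow-downgrade, DevRelease, disabled syslog logging, -proposed or -backports origins, and blacklisted packages. The function names, the sample file, and the choice of what to flag are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample config, modelled on the options described in this guide.
sample_conf() {
    cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
      "${distro_id}:${distro_codename}-proposed";
//    "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Package-Blacklist {
      "my-package";
};
Unattended-Upgrade::Allow-downgrade "true";
//Unattended-Upgrade::DevRelease "auto";
Unattended-Upgrade::SyslogEnable "false";
EOF
}

# Keep only active lines: whole-line // and # comments and blank lines are
# dropped. (/* ... */ block comments are not handled here.)
active_lines() {
    sed -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$1"
}

# Print the last active value of a scalar option (a later assignment wins).
option_value() {  # $1 = file, $2 = option name without the prefix
    active_lines "$1" |
        sed -n "s/^[[:space:]]*Unattended-Upgrade::$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" |
        tail -n 1
}

# Print the unquoted entries of a list block such as Package-Blacklist { ... };
block_entries() {  # $1 = file, $2 = block name without the prefix
    active_lines "$1" | awk -v name="Unattended-Upgrade::$2" '
        $1 == name && $2 == "{" { inblk = 1; next }
        $1 == "};"              { inblk = 0 }
        inblk { gsub(/^[ \t]*"|";[ \t]*$/, ""); print }'
}

# One finding per line; what counts as a finding is this example's own policy.
audit_uu_conf() {  # $1 = config file
    [ "$(option_value "$1" Allow-downgrade)" = "true" ] &&
        echo "allow-downgrade: packages can be rolled back to older versions"
    [ "$(option_value "$1" DevRelease)" = "auto" ] &&
        echo "dev-release: automatic upgrade to the development release"
    [ "$(option_value "$1" SyslogEnable)" = "false" ] &&
        echo "syslog: upgrade activity is not logged to syslog"
    block_entries "$1" Allowed-Origins | grep -E -- '-(proposed|backports)$' |
        sed 's/^/origin: pre-release or backports origin allowed: /'
    block_entries "$1" Package-Blacklist |
        sed 's/^/blacklist: excluded from automatic upgrades: /'
    return 0
}

# Demo run on the constructed sample.
tmp=$(mktemp) && sample_conf > "$tmp" && audit_uu_conf "$tmp"; rm -f "$tmp"
```

To check a real system, call audit_uu_conf /etc/apt/apt.conf.d/50unattended-upgrades. Settings placed in other files under /etc/apt/apt.conf.d/ are not seen by this script; apt-config dump shows the merged configuration.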

Section 4: Schedule Automatic Upgrades with a Cron Job

To schedule automatic unattended upgrades on your Debian system, you can use a cron job. Cron is a time-based job scheduler in Linux that allows you to run commands or scripts automatically at specified times or intervals.

To create a cron job for unattended upgrades, follow the steps below.

Open the crontab configuration file by running the following command:

sudo crontab -e

Once the file is open, add the following line at the bottom:

0 0 * * * /usr/bin/unattended-upgrade -d

After adding the above line, the unattended-upgrade command will run daily at midnight (0 0 * * *). To save and exit the file, press “Ctrl+X”, then “Y”, and then “Enter”.

It is crucial to schedule automatic upgrades when your system is not in use since upgrades may require a system reboot or cause applications to restart.

Section 5: Checking Unattended Upgrade Logs

The Unattended-Upgrades package logs all upgrade activities to the syslog facility by default. These logs are in the /var/log/syslog file and other system logs.

To view the logs of Unattended-Upgrades, you can use the following command:

sudo grep unattended-upgrades /var/log/syslog

To display the last 50 entries in the syslog file related to Unattended-Upgrades, you can use the following command:

sudo grep unattended-upgrades /var/log/syslog | tail -n 50

Using various grep options, you can filter the logs based on specific criteria. For instance, to filter the logs by date and time, you can use the following command:

sudo grep "YYYY-MM-DD.*unattended-upgrades" /var/log/syslog

Substitute “YYYY-MM-DD” with the date you want in the year-month-day format. The command then shows all the log entries that include the keyword “unattended-upgrades” and correspond to the date you specified.

To filter the logs by package name, use the following command, replacing “<package_name>” with the name of the package you want to search for:

sudo grep "unattended-upgrades.*<package_name>" /var/log/syslog

This command will display all log entries that contain the “unattended-upgrades” keyword and match the specified package name.

The commands mentioned above enable you to check and filter the Unattended-Upgrades logs on your Debian system quickly, allowing you to identify and address any issues that may occur during the upgrade process.

Conclusion

Setting up unattended upgrades on Debian Linux is a valuable practice to ensure that your system remains up-to-date and secure. By automating the process, you can minimize the risk of missing critical security patches and bug fixes. Overall, unattended upgrades help maintain the stability, security, and performance of your Debian Linux system, making it an essential tool for administrators and users alike.

Additional Resources and Links

Here is a collection of resources to help you learn more about unattended upgrades on Debian Linux. Each link is accompanied by a brief description to provide context on the content.

  • Debian Wiki – Unattended Upgrades: This official Debian Wiki page offers comprehensive information on setting up and configuring unattended upgrades for Debian Linux.
  • Debian Security Team: The official Debian Security Team page provides updates and announcements related to security issues and vulnerabilities, which is essential for staying informed about potential risks.
  • Debian Mailing Lists – Debian Security Announce: This mailing list offers timely notifications about Debian security advisories and updates, ensuring you stay informed about important security developments.
