Debian is a widely used Linux-based operating system renowned for its versatility and expansive collection of software packages and tools. However, keeping the system up-to-date and secure can be challenging, given the significant volume of packages and updates available. To help streamline this process, the Unattended Upgrades Package can be utilized.
The Unattended Upgrades Package is a valuable utility that automates the process of updating and securing the Debian system. It enables automatic downloading, installation, and configuration of security and software updates, thus ensuring that the system is always secure and up-to-date without any manual intervention.
This package boasts several benefits and features, including:
- Automatic Updates: The Unattended Upgrades Package can automatically download and install security and software updates without manual intervention.
- Security: The package installs the latest security updates, providing additional security and protecting the system from potential vulnerabilities and attacks.
- Customization: Users can configure the package to install updates for specific packages or exclude particular packages from the update process based on their needs.
- Logging and Notifications: The package logs all updates and sends notifications to the user when updates are installed, providing complete visibility into the update process.
Configuring and setting up the Unattended Upgrades Package is a straightforward process that can be done using the command line terminal. This guide will describe the Unattended Upgrades Package, its features, and advantages and walk you through setting up and configuring it on Debian 12 Bookworm, Debian 11 Bullseye, or Debian 10 Buster using the command line terminal.
Step 1: Update Debian
Before installing and setting up the Unattended Upgrades Package, it is recommended that you update your Debian system to avoid any conflicts. To update your Debian system, open the terminal and enter the following command:
sudo apt update && sudo apt upgrade
This command will update all the installed packages and their dependencies to the latest versions. Depending on the number of updates available for your system, it may take some time.
Step 2: Install Unattended-Upgrades Package
To install the Unattended Upgrades Package on your Debian system, you will need to open the terminal and enter the following command:
sudo apt install unattended-upgrades
This command will install the package and all its dependencies on your system. Note that the package should already be installed by default, but if you have removed it, you can use the above command to reinstall it.
If you want your Debian system to automatically restart after applying upgrades requiring a system restart, you must install the apt-config-auto-update package. Use the following command to install it:
sudo apt install apt-config-auto-update
For laptop users, it is recommended to install the powermgmt-base package to use any unattended options that use battery options. To install this package, open the terminal and enter the following command:
sudo apt install powermgmt-base
Once the package is installed, you must configure it to meet your needs. For example, you may want to customize which updates to install automatically, which to ignore, and when to install them. Note that the Unattended Upgrades Package requires root privileges, so you must run all the commands mentioned in this guide with the sudo command.
Verifying that the Unattended Upgrades Package is working correctly is also recommended. To do this, open the terminal and enter the following command:
sudo unattended-upgrades --dry-run --debug
Being familiar with the systemctl commands for Unattended Upgrades is important, as you may need to check the status after making changes or restarting. To check the status of Unattended Upgrades, use the following command:
systemctl status unattended-upgrades
The following systemctl commands will allow you to start, stop, enable on boot, disable on boot, or restart the Unattended Upgrades service:
Start the unattended services:
sudo systemctl start unattended-upgrades
Stop the unattended services:
sudo systemctl stop unattended-upgrades
Enable on boot the unattended services:
sudo systemctl enable unattended-upgrades
Disable on boot the unattended services:
sudo systemctl disable unattended-upgrades
Restart the unattended services:
sudo systemctl restart unattended-upgrades
Section 3: Configure Unattended Upgrades
This section covers the configuration of Unattended Upgrades package settings in the configuration file using terminal commands. It is important to note that these settings are optional and can be personalized according to your requirements. Each setting will be explained in detail to help you understand its purpose and functionality. This will enable you to make informed decisions when configuring the Unattended Upgrades package on your Debian system.
Before going into the configuration file, here is a summary of all CLI options for the Unattended Upgrades package with explanations:
Option | Description |
---|---|
-h, --help | Displays the help message and exits |
-d, --debug | Enables debug messages |
--apt-debug | Makes apt/libapt print verbose debug messages |
-v, --verbose | Enables info messages |
--dry-run | Simulates upgrade process and downloads but does not install |
--download-only | Only downloads upgrades; does not attempt to install them |
--minimal-upgrade-steps | Upgrades packages in minimal steps (and allows interruption with SIGTERM) – this is the default behavior |
--no-minimal-upgrade-steps | Upgrades all packages together instead of in smaller sets |
These options control the behavior of the automatic upgrade process when you run the unattended-upgrades command in the terminal. For example, the --dry-run option is useful for testing the upgrade process without making any changes to the system, while the --download-only option downloads the upgrades without installing them.
The --minimal-upgrade-steps option is the default behavior for Unattended Upgrades, while the --no-minimal-upgrade-steps option upgrades all packages together instead of in smaller sets. Understanding these options is important so that the behavior matches your preferences and requirements.
Modifying Unattended Upgrades Configuration File
To modify the configuration file, it is recommended to use a text editor with root privileges, such as nano. You can use the following command to open the configuration file in nano editor:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Once opened, you can modify various options as per your requirements. To activate an option, remove the comment marker (“//” or “#”) at the start of its line.
After making any changes to the configuration file, run the following command to test them:
sudo unattended-upgrades --dry-run --debug
This command will simulate an upgrade run and display any errors or warnings that may occur due to the changes you made to the configuration file. If everything looks good, you can then run the command below to perform the actual upgrade:
sudo unattended-upgrades
There are several options that you can modify in the configuration file. Here are some examples:
Allowed Origins
By default, the Unattended Upgrades package only allows updates from the security and update repositories. You can add other repositories by uncommenting this option in the configuration file and specifying the desired sources. An example is provided below.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-proposed";
"${distro_id}:${distro_codename}-backports";
};
Package Blacklist
This setting allows you to select packages that you do not want to update automatically. To do this, remove the comment from this option and add the names of the packages you want to exclude, as illustrated in the example below:
Unattended-Upgrade::Package-Blacklist {
"my-package";
"my-other-package";
};
AutoFixInterruptedDpkg
This setting determines if the system should automatically fix interrupted “dpkg” installations. To activate automatic fixing, change the value to “true,” as demonstrated in the example below:
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
DevRelease “auto”
This option controls whether to upgrade to the development release automatically. By default, this option is turned off. To enable automatic upgrades to the development release, set the value to “auto,” as illustrated in the following example:
Unattended-Upgrade::DevRelease "auto";
MinimalSteps “true”
This option determines whether to perform upgrades in minimal steps. By default, this option is enabled. To disable minimal steps and perform upgrades in a single step, set the value to “false” as shown in the example below:
Unattended-Upgrade::MinimalSteps "false";
InstallOnShutdown “false”
This option determines whether to install upgrades during system shutdown. By default, this option is disabled. To enable installation on shutdown, set the value to “true” as illustrated in the example below:
Unattended-Upgrade::InstallOnShutdown "true";
Mail
This option specifies the email address where notifications should be sent. By default, notifications are not sent. To set a specific email address, add it as a string value, as shown in the example below:
Unattended-Upgrade::Mail "example@mail.com";
MailReport “on-change”
This option determines when to send email notifications. By default, notifications are only sent when there is a change. To send notifications every time, set the value to “on-start” as shown in the example below:
Unattended-Upgrade::MailReport "on-start";
Remove-Unused-Kernel-Packages
This option determines whether to remove kernel packages no longer in use after an upgrade. By default, this option is enabled. To prevent the removal of unused kernel packages, set the value to “false” as shown in the example below:
Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
Remove-New-Unused-Dependencies
This option controls removing new dependencies that the system no longer requires after package upgrades. By default, it is enabled, and any newly installed dependencies no longer needed will be automatically removed from your system. To enable this option, use the following setting:
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
If you wish to retain the new dependencies, you can turn off this option by setting the value to “false”. But, keep in mind that this can lead to the accumulation of unused dependencies on your system, which can take up significant disk space.
Remove-Unused-Dependencies
This option allows you to remove unused dependencies after an upgrade. By default, this option is not enabled. To activate this option and remove unused dependencies, set the value to “true” as shown in the example below:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Automatic-Reboot
This option determines whether the system should automatically reboot after an upgrade. By default, this option is disabled. To enable automatic reboot, set the value to “true” as demonstrated in the example below:
Unattended-Upgrade::Automatic-Reboot "true";
Automatic-Reboot-WithUsers
This option determines whether the system should automatically reboot when users are logged in after an upgrade. By default, this option is enabled. To disable automatic reboot while users are logged in, set the value to “false” as shown in the example below:
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Automatic-Reboot-Time
This option specifies the time for the system to reboot automatically after an upgrade. By default, the reboot time is set to “02:00”. To modify the reboot time, change the value as shown in the example below:
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
Acquire::http::Dl-Limit
This option sets the maximum download speed for package downloads in kilobytes per second. By default, this option is not enabled. To activate download speed limit, set the value to the desired speed in kilobytes per second, as shown in the example below:
Acquire::http::Dl-Limit "100";
SyslogEnable
This option specifies whether to log upgrade events to the system log. By default, this option is enabled. To disable logging, set the value to “false” as demonstrated in the example below:
Unattended-Upgrade::SyslogEnable "false";
SyslogFacility
This option specifies which facility to log upgrade events to. By default, events are logged to the “daemon” facility. To change the facility, modify the value as shown in the example below:
Unattended-Upgrade::SyslogFacility "local7";
OnlyOnACPower
This option specifies whether to perform upgrades only when the system is connected to AC power. By default, this option is disabled. To enable upgrades only on AC power, set the value to “true” as illustrated in the example below:
Unattended-Upgrade::OnlyOnACPower "true";
Skip-Updates-On-Metered-Connections
This option determines whether updates should be skipped when the system is connected to a metered connection. This option is enabled by default, so updates won’t be downloaded when using a metered connection. To download updates on metered connections, set the value to “false” as shown in the example below:
Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";
Verbose
This option specifies whether to display detailed upgrade information. By default, this option is disabled. To enable verbose output, set the value to “true” as shown in the example below:
Unattended-Upgrade::Verbose "true";
Debug
This option determines whether to output debug information during upgrades. By default, this option is disabled. To enable debug output, set the value to “true” as illustrated in the example below:
Unattended-Upgrade::Debug "true";
Allow-downgrade
This option determines whether downgrades of packages are allowed during upgrades. By default, this option is disabled. To enable downgrades, set the value to “true” as shown in the example below:
Unattended-Upgrade::Allow-downgrade "true";
Please remember that enabling downgrades can be risky and cause system instability or expose security vulnerabilities. It is advised to only use this option when needed and to thoroughly assess potential risks.
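The options above can be audited after editing. The script below is an added example, not part of the original guide or of the unattended-upgrades package: it reads a configuration file, ignores commented-out lines, and flags extra origins, excluded packages, and the Allow-downgrade, DevRelease and SyslogEnable values discussed in this section. The function names, the finding labels and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag settings in an unattended-upgrades config file that
# weaken the update posture. Exit status is 1 when anything is flagged.
uu_audit() {   # uu_audit FILE   (use - to read standard input)
    awk '
    function quoted(s) {               # text between the first pair of quotes
        return match(s, /"[^"]*"/) ? substr(s, RSTART + 1, RLENGTH - 2) : ""
    }
    function flag(msg) { print msg; found = 1 }
    { sub(/^[ \t]+/, "") }                        # trim indentation
    /^\/\// || /^#/ || /^$/ { next }              # commented-out or empty line
    /^Unattended-Upgrade::[A-Za-z-]+[ \t]*[{]/ {  # start of a list block
        block = $0
        sub(/^Unattended-Upgrade::/, "", block); sub(/[ \t]*[{].*/, "", block)
        next
    }
    /^[}]/ { block = ""; next }                   # end of a list block
    block != "" {                                 # one quoted entry in a block
        e = quoted($0)
        if (block ~ /Origins/ && e ~ /-(proposed|backports)/)
            flag("ORIGIN  " e ": upgraded automatically from a non-security origin")
        if (block == "Package-Blacklist" && e != "")
            flag("HELD    " e ": excluded, so its security fixes need manual installs")
        next
    }
    /^Unattended-Upgrade::/ {                     # scalar option: Name "value";
        name = $1; sub(/^Unattended-Upgrade::/, "", name); v = quoted($0)
        if (name == "Allow-downgrade" && v == "true") flag("RISK    Allow-downgrade is true")
        if (name == "DevRelease" && v == "auto")      flag("RISK    DevRelease is auto")
        if (name == "SyslogEnable" && v == "false")   flag("BLIND   SyslogEnable is false")
    }
    END { exit found + 0 }
    ' "$1"
}

# Constructed sample built from option values shown in this guide.
uu_sample() {
    cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-backports";
    "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Package-Blacklist {
    "my-package";
};
// Unattended-Upgrade::Allow-downgrade "true";
Unattended-Upgrade::DevRelease "auto";
Unattended-Upgrade::SyslogEnable "false";
EOF
}

uu_sample | uu_audit - || true   # demo run; prints four findings
```

On a real system, pass the file path instead: uu_audit /etc/apt/apt.conf.d/50unattended-upgrades.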
Section 4: Schedule Automatic Upgrades with a Cron Job
To schedule automatic unattended upgrades on your Debian system, you can use a cron job. Cron is a time-based job scheduler in Linux that allows you to run commands or scripts automatically at specified times or intervals.
To create a cron job for unattended upgrades, follow the steps below.
Open the crontab configuration file by running the following command:
sudo crontab -e
Once the file is open, add the following line at the bottom:
0 0 * * * /usr/bin/unattended-upgrade -d
After adding the above line, the unattended-upgrade command will run daily at midnight (0 0 * * *). To save and exit the file, press “Ctrl+X”, then “Y”, and then “Enter”.
It is crucial to schedule automatic upgrades when your system is not in use since upgrades may require a system reboot or cause applications to restart.
Section 5: Checking Unattended Upgrade Logs
The Unattended-Upgrades package logs all upgrade activities to the syslog facility by default. These logs are in the /var/log/syslog file and other system logs.
To view the logs of Unattended-Upgrades, you can use the following command:
sudo grep unattended-upgrades /var/log/syslog
To display the last 50 entries in the syslog file related to Unattended-Upgrades, you can use the following command:
sudo grep unattended-upgrades /var/log/syslog | tail -n 50
Using various grep options, you can filter the logs based on specific criteria. For instance, to filter the logs by date and time, you can use the following command:
sudo grep "YYYY-MM-DD.*unattended-upgrades" /var/log/syslog
Substitute “YYYY-MM-DD” with the date you want in the year-month-day format. The date comes first in the pattern because each syslog line begins with its timestamp. This command will display all the log entries that include the keyword “unattended-upgrades” and correspond to the date you specified.
To filter the logs by package name, use the following command, replacing “<package_name>” with the name of the package you want to search for:
sudo grep "unattended-upgrades.*<package_name>" /var/log/syslog
This command will display all log entries that contain the “unattended-upgrades” keyword and match the specified package name.
The commands mentioned above enable you to check and filter the Unattended-Upgrades logs on your Debian system quickly, allowing you to identify and address any issues that may occur during the upgrade process.
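Beyond searching by hand, the same log can be checked for an updater that has silently stopped running. The script below is an added example, not part of the original guide: it counts “unattended-upgrades” entries per day and reports STALE when the newest entry is older than a cutoff date. It assumes each syslog line starts with an ISO 8601 timestamp; the function names, the error keywords and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise unattended-upgrades entries per day and report
# whether the newest one is older than a cutoff date (a stalled updater).
# Assumes each syslog line starts with an ISO 8601 timestamp (YYYY-MM-DD...).
uu_log_check() {   # uu_log_check FILE CUTOFF   (FILE may be - for stdin)
    awk -v cutoff="$2" '
    /unattended-upgrades/ && match($0, /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/) {
        day = substr($0, 1, RLENGTH)
        count[day]++
        if (day > last) last = day          # ISO dates compare correctly as strings
        if (tolower($0) ~ /error|fail/) errors[day]++   # keywords are an assumption
    }
    END {
        for (d in count)
            printf "%s entries=%d errors=%d\n", d, count[d], errors[d] | "sort"
        close("sort")
        if (last == "")    { print "STALE no unattended-upgrades entries found"; exit 1 }
        if (last < cutoff) { print "STALE last entry " last " is older than " cutoff; exit 1 }
        print "OK last entry " last
    }' "$1"
}

# Constructed sample log lines (not real output from unattended-upgrades).
uu_log_sample() {
    cat <<'EOF'
2024-05-18T06:12:01+00:00 host1 unattended-upgrades: constructed sample: upgrade run finished
2024-05-18T06:12:02+00:00 host1 cron[311]: constructed sample: unrelated line
2024-05-19T06:10:44+00:00 host1 unattended-upgrades: constructed sample: error while installing my-package
2024-05-19T06:10:45+00:00 host1 unattended-upgrades: constructed sample: upgrade run finished
EOF
}

uu_log_sample | uu_log_check - 2024-05-22 || true   # demo run; reports STALE
```

On a real system, pass /var/log/syslog as FILE and a cutoff such as the output of date -d '2 days ago' +%F.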
Conclusion
Setting up unattended upgrades on Debian Linux is a valuable practice to ensure that your system remains up-to-date and secure. By automating the process, you can minimize the risk of missing critical security patches and bug fixes. Overall, unattended upgrades help maintain the stability, security, and performance of your Debian Linux system, making it an essential tool for administrators and users alike.