How to Install/Configure Unattended Upgrades on Ubuntu 22.04 LTS

Keeping your system up to date is an essential factor for anyone from simple desktop users, developers, and sysadmins; let’s face it, anyone with a device primarily connected to the Internet. Ubuntu, by default, is not set up for automatic updates. However, by enabling and configuring unattended-upgrades packages, you can easily apply security, package, or even new feature upgrades if you do not always have the time to check or forget. IT is highly recommended to enable this just for security alone.

The following tutorial will demonstrate how to install or enable and configure Unattended Upgrades on Ubuntu 22.04 LTS Jammy Jellyfish Desktop or Server using the command line terminal with an example only steps that you can customize to suit your purpose.

Update Ubuntu

First, before you begin, ensure your system is up-to-date by avoiding any conflicts using the following command.

sudo apt update && sudo apt upgrade -y

Install Unattended-Upgrades Package

Firstly, suppose you have not installed unattended-upgrades or have removed the package. In that case, you must re-install this with the following command:

sudo apt install unattended-upgrades

By default, this should be installed.

You will also need to install the apt-config-auto-update package if you want your Debian system to restart after applying upgrades requiring the system restarts automatically. To do this, use the following command below:

sudo apt install apt-config-auto-update

For laptop users, you will need to install the package powermgmt-base if you plan to utilize any unattended options that use battery options.

sudo apt install powermgmt-base

Once the installation has been completed, Ubuntu should start the process by default.

Verify using the following command.

systemctl status unattended-upgrades

Example output:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

The following systemctl commands will explain the options you have to start, stop, enable on boot, disable on boot or restart the unattended-upgrades service:

Start the unattended services:

sudo systemctl start unattended-upgrades

Stop the unattended services:

sudo systemctl stop unattended-upgrades

Enable on boot the unattended services:

sudo systemctl enabe unattended-upgrades

Disable on boot the unattended services:

sudo systemctl disable unattended-upgrades

Restart the unattended services:

sudo systemctl restart unattended-upgrades

Configure Unattended-Upgrades

After checking or installing an unattended upgrade, we now edit the 50unattended-upgrades config file using your favorite terminal text editor. From here, you can configure unattended-upgrades from some of the examples in this tutorial and explore some of the other less-used options; the documentation in the configuration file gives a good explanation of each setting by itself.

THE FOLLOWING IS AN EXAMPLE CONFIGURATION ONLY FOR LEARNING PURPOSES. EACH USER HAS DIFFERENT NEEDS, ADJUST TO YOUR REQUIREMENTS AS WHAT WORKS FOR ONE USER WILL NOT WORK OR BE DESIRED FOR ANOTHER.

First, open the unattended-upgrades configuration file with the following command.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Example window opening and first look:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Allowed-Origins and Updates

The unattended-upgrades package will not process lines that start with // syntax. Only security updates are automatically installed by default, as shown in the lines below. It would be best if you never disabled security updates; however, you can add additional options here.

For example, to include regular package updates that are off by default:

Change from:

//      "${distro_id}:${distro_codename}-updates";

Change to enable:

       "${distro_id}:${distro_codename}-updates";

Example configuration that comes with default (recommended for most users):

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

To break it down even further, the options that you can enable besides default:

  • “${distro_id}:${distro_codename}-updates”; – this option will be the same as running sudo apt update in your terminal to pull package updates. This is often unadvised as specific packages need manual intervention when upgrading. If you set this, make it set to blacklist specific packages you know will cause issues if updated unattended, as explained later on in the tutorial.
  • “${distro_id}:${distro_codename}-proposed”; – this option will pull updates from the testing. This is defiantly not recommended for all users as the packages are unstable and may not even make it to a live environment.
  • “${distro_id}:${distro_codename}-backports”; – this option will enable that are mainly used to update packages. This is usually more stable than proposed, but you should investigate before turning this on for a blanket rule as it can cause instability.

Exclude Packages from Updates

With updates, some packages can become unstable or break entirely if you are not supervising the process. For example, an Nginx automatic upgrade for a user having ModSecurity compiled will fail; you often won’t need to fill anything here; this is only for dedicated servers running packages that require intervention.

Note, it is always better to use the python expressions to match packages:

Example from

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
//  "linux-";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

Example change too excludes Nginx web application:

// Python regular expressions, matching packages to exclude from upgrading
Unattended-Upgrade::Package-Blacklist {
    // The following matches all packages starting with linux-
  "nginx";

    // Use $ to explicitely define the end of a package name. Without
    // the $, "libc6" would match all of them.
//  "libc6$";
//  "libc6-dev$";
//  "libc6-i686$";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Remove Unused Dependencies

Next, proceed to the auto-remove unused dependencies with three options; the default is false. However, optionally you can enable these settings. If you automatically update a package, the dependencies and or the kernel and the old no longer in use remnants are no longer required; it will automatically clean and remove them. This usually is always safe for most users.

If you do not wish to do this, leave the line untouched.

Example from:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
// Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
// Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
// Unattended-Upgrade::Remove-Unused-Dependencies "false";

Example change too:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

While cleaning unused dependencies is a good option, it can prevent reverting to old packages since they will no longer exist. If you are in a production environment or similar and do not have a sound backup system in place, switching this option to false or leaving it blanked out would be good.

Email Notifications

Setting up e-mail notifications is recommended, especially if running servers unattended. In the setup, a great option is to select e-mail “on-change,” so you only receive notifications when software has changed. Alternatively, you can choose “only-on-error,” so you only receive notifications when an error has occurred.

It is recommended to select on-change because you should know what updates are happening in your system. You can set an e-mail address here also:

Note that this will require you to have e-mails set up on your server for the notifications to work.

Example from:

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "";

Example change too:

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "EMAILNAME@YOURDOMAIN.COM";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

The second option for e-mail notifications is on what actually to report on. For most users, only on-error or on-change is sufficient; setting the reporting to always will incur a lot of unwanted e-mails, but this may be warranted for critical systems.

Below is an example for only-on-error, which is fine for desktop users in non-production/webserver environments:

Example from:

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
//Unattended-Upgrade::MailReport "on-change";

Example change too:

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to chose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Automatic Reboot Options

Scroll down to the Automatic Reboot option. By default, this is switched off. Nearly all desktops, especially servers running dedicated software and services, will not have this, and it can often cause significant interruptions to those software services.

Still, suppose your services only serve a few people. In that case, this option may be viable to have on. Linux/Ubuntu systems will only typically reboot due to a critical Kernel Linux update, but I have automatic notifications for change. I will know it will need doing and can plan for it.

Example from:

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

Example change too:

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

If you enable the option, you can set reboot with users logged in or not. This should be disabled, as users logged in and being forced out due to a reboot can cause interruptions to work environments, not to mention the frustration of that user logged in.

However, if you would prefer this on:

Example from:

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

Example change too:

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

If you have a small server in a particular time zone and know a good time to restart, say 2 am, then adjust the following:

Example from:

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Example change too:

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Note, make sure to change this to false if you cannot afford users to be logged out.

Final Checklist for Unattended-Upgrades

To make sure the automatic upgrade files are present in the directory /etc/apt/apt.conf.d/ by using the following commands:

cd /etc/apt/apt.conf.d
ls

Example output:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Now open the file /etc/apt/apt.conf.d/20auto-upgrades:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Example output:

You should see the command code below in the file the following. If not, copy and paste:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

By default, setting “1” is enabled. However, suppose you want to disable it. In that case, you can change it to “0”, If you don’t like to check daily, proceed to change the number to “2,” which makes automatic upgrades check every other day.

For example, in the tutorial, it was changed to “2” However, the recommendation is to leave this set to “1”.

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Save the file (CTRL+O)then press Y, and afterward exit press (CTRL+X) to quit the text editor.

Create Cronjob for Unattended-Upgrades

Optionally, if you would like complete control over the timing of your automatic upgrades, you can create a cronjob. To do this, first, open the crontab:

sudo crontab -e

Next, add this line at the bottom of the last entry; you can modify the “timing” any way you like. If you are new to Linux, visit Crontab.Guru, where you can get help, make and test cron settings time.

Below will demonstrate to run exactly every 3rd day, at 4:00 am.

Example:

00 04 * * */3 /usr/bin/unattended-upgrade -v

Example in a live environment:

How to Install & Configure Unattended Upgrades on Ubuntu 22.04 LTS

Save the file (CTRL+O)then press Y, and afterward exit press (CTRL+X) to quit the text editor.

How to access Unattended-Upgrades Logs

Lastly, unattended-upgrades logs to its directory, so if you want to check the log files for any issues and to find errors, you can find them on the following path:

/var/log/unattended-upgrades/

Additional Tools – Check Restart (Debian Goodies), NeedRestart

An excellent program for checking if you have returned to a server with automatic updates applied instead of checking logs or e-mails is to run the checkrestart command to inform you if any packages require restarting.

Install checkrestart, and run the following command.

sudo apt install debian-goodies -y

Now run the following command to check for packages requiring restarts:

sudo checkrestart

Example output:

Found 0 processes using old versions of upgraded files

As you can see, the machine the tutorial is using is up to date; however, if anything needs a manual restart, it will be listed here in the output.

The NeedRestart package is automatically applied to Ubuntu 22.04 LTS servers, but this is another highly recommended option if the CheckRestart package fails to deliver.

To install this package, use the following command.

sudo apt install needrestart -y

And that’s it, and you will be prompted when you use the standard apt upgrade command if any packages require a restart automatically, making this a better option for those who tend to forget to run a command.

Comments and Conclusion

Setting Up Unattended Upgrades is a critical job that you invest in. As explained in our guide, the process has many options to suit nearly everyone’s needs. Even then, you can do some external factors to have more options, for example, with cronjobs.

At a minimum, you would want to have this run daily for security and general peace of mind.



Follow LinuxCapable.com!

Like to get automatic updates? Follow us on one of our social media accounts!