Ubuntu has a convenient feature for installing security updates and, if you so choose, other software upgrades unattended. The setup is quite good, and you have many more options for fine-tuning the automatic process than you would coming from a Windows environment.
Windows does not have anything close to this level of control. Quite frankly, it's a big reason people love Linux over Windows, as having to restart your PC at random because of Windows updates is frustrating.
In today's guide, we will go over how to set this process up. The steps below have been tested and work on Ubuntu 20.04 LTS and the latest release, 21.04.
First, we need to check that unattended-upgrades is installed and up to date. I found that most Ubuntu installs these days come with it. Open the terminal, which you can access with the shortcut Ctrl+Alt+T, then enter the following command:
sudo apt update && sudo apt install unattended-upgrades -y
If you want your system to restart, you will need to check that the update-notifier-common package is installed and up to date. You can do this with the command below:
sudo apt install update-notifier-common -y
Configure Unattended-Upgrades And Set Up
After you have checked or installed unattended-upgrades and update-notifier-common, we now proceed to edit the 50unattended-upgrades config file using your favorite terminal text editor.
In our guide, we will use nano. You can do this with the following command:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
The unattended-upgrades package ignores lines that start with //, which are comments. You can now edit the config to enable the options you want for your system. The most basic setup is to have automatic security updates switched on, which is already done by default when you open the file. I would suggest never editing those settings.
We now proceed to the settings we edit here at BossBytes. Most default settings are fine and recommended, so we will only touch on the ones we recommend editing or that you should know about.
Move down the file using your down arrow key. The first setting we reach is the list of packages to exclude from unattended upgrades. In our example, the 3 packages we 100% do not want updated while we are not around are fail2ban, NGINX, and MariaDB. Having these update without proper supervision could cause a major malfunction of your web server or services.
Feel free to add anything else you are not comfortable with to this list:
Next, proceed to the option that automatically removes unused dependencies, which is set to false by default. In our guide, however, we modified the line to enable it. If a software package is changed and you receive a notification, a cleanup should be done as well.
If you do not wish to do this, then leave the line untouched.
Scroll down to the Automatic Reboot option. By default, I do not edit this option, as I cannot afford to have my servers rebooted without my knowledge. Still, if your services only serve a few people, this option may be viable to have on. Linux/Ubuntu systems typically only reboot because of a critical Linux kernel update, but I have automatic notifications on change, so I will know when it needs doing and can plan for it.
In our example, we modified it to have it set to true:
If you enable the option, you can choose whether the reboot happens while users are logged in. I would strongly advise setting this to false, as getting logged out in the middle of something wouldn't be amusing at all.
The final option lets you set the time of the reboot. If you have a small server in a particular time zone and know a good time to restart, say 3 am, then adjust the following line:
Set up Email Notifications
Setting up email notifications is recommended, especially if running servers unattended. In the setup, a great option is to select email “on-change,” so you only receive notifications when software has changed. Alternatively, you can choose “only-on-error,” so you only receive notifications when an error has occurred.
In our guide, we selected on-change because, in our personal opinion, you should know what updates are happening. You can also set an email address here:
In our final steps, we will check that our automatic upgrade files are present with the following commands:
cd /etc/apt/apt.conf.d/ \
We will now proceed to check and, if need be, edit the file /etc/apt/apt.conf.d/20auto-upgrades using, in our example, the nano text editor:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
You should see the following in the file. If not, copy the lines below:
By default, the setting is "1", which means enabled. If you want to disable it, you can change it to "0". If you don't want to check daily, change the number to "2", which makes automatic upgrades check every other day. In our guide, for example purposes only, we changed it to 2. We recommend leaving this set to "1":
Optional: if you like, you can set up a cron job, which may suit you better if you want a different schedule or time for checking for automatic upgrades. You can do this as follows:
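The settings this guide walks through in both files, collected in one place as an added example (not the original article's own snippets). The directive names are the ones shipped in the stock Ubuntu files; the email address is a placeholder and the package patterns are assumptions based on the three packages named earlier.

```conf
// ---- /etc/apt/apt.conf.d/50unattended-upgrades (only the lines edited in this guide) ----

// Packages that are never upgraded unattended. Entries are Python regular
// expressions matched against package names, so "nginx" also covers
// nginx-common and similar. The patterns here are assumptions: list what is
// actually installed on your server.
Unattended-Upgrade::Package-Blacklist {
    "fail2ban";
    "nginx";
    "mariadb";
};

// Remove dependencies that are no longer needed after an upgrade (default "false").
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Reboot without confirmation when /var/run/reboot-required exists after an upgrade...
Unattended-Upgrade::Automatic-Reboot "true";
// ...but not while users are logged in...
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
// ...and at 03:00 local time instead of immediately.
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

// Send a report only when packages changed. Placeholder address; delivery
// needs a working local mail setup (for example mailx).
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";

// ---- /etc/apt/apt.conf.d/20auto-upgrades ----

// Values are intervals in days: "1" = daily, "2" = every other day, "0" = disabled.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
```

After saving, `sudo unattended-upgrade --dry-run --debug` shows which packages would be upgraded or held back without changing the system.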
sudo crontab -e
Then add this line at the bottom. You can modify it any way you like. If you are new to Linux, visit Crontab.Guru, where you can get help building and testing cron schedules. This site is highly recommended by BytesBoss.
00 04 * * */3 sudo /usr/bin/unattended-upgrade -v
In our example, we choose to run exactly every 3rd day, at 4:00 am.
Lastly, unattended-upgrades logs to its own directory, so if you want to check the unattended upgrade logs, you can find them at the following path:
Comments and Conclusion
Setting up unattended upgrades is a critical job that is worth investing time in. As explained in our guide, the process has enough options to suit nearly everyone's needs, and even then, you can use external tools to get more options, for example cron jobs.
At a minimum, you would want to have this run daily for security and general peace of mind.
If you have questions, feel free to leave a comment below.