Unattended Upgrades

Some notes on installing and configuring unattended-upgrades

Unattended Upgrades is needed for installing updates automatically but not if we only want to run apt update automatically (or downloading upgradable packages automatically), see apt.systemd.daily shell script for more info.

Files timestamp in /var/lib/apt/periodic/ are updated when the script is triggered by its systemd timer apt-daily.timer.

The software-properties GUI has an “Updates” tab to control how updates are handled when the unattended-upgrades package is installed.

Install the required packages

sudo apt install powermgmt-base unattended-upgrades

The powermgmt-base package is required for AC/battery options (e.g. Unattended-Upgrade::OnlyOnACPower)

The default configuration file is at /etc/apt/apt.conf.d/50unattended-upgrades

To override the configuration it is recommended to create an other apt configuration file fragment which overrides the shipped default value because updates to shipped configuration file may conflict with the local changes blocking updating unattended-upgrades itself.

The new file should sort later than 50unattended-upgrades to be parsed later than the one shipping the default values, it can be e.g. 51unattended-upgrades-local.

Example of /etc/apt/apt.conf.d/51unattended-upgrades-local overriding default values

Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "05:00";

The current configuration can be queried by running apt-config

apt-config dump APT::Periodic::Unattended-Upgrade

Reconfigure the unattended-upgrades package with dpkg-reconfigure(8) to enable it

sudo dpkg-reconfigure -plow unattended-upgrades

Or create this file /etc/apt/apt.conf.d/52periodic where: (info from apt.systemd.daily script)

• Update-Package-Lists update package lists every n days (0 to not update package lists)
• Download-Upgradeable-Packages download upgradable packages every n days (0 to not download in advance)
• Unattended-Upgrade upgrade packages every n days (0 to not upgrade packages)

APT::Periodic::Update-Package-Lists "2";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";

• Debian

• https://github.com/mvo5/unattended-upgrades
• https://packages.debian.org/stable/unattended-upgrades
• https://wiki.debian.org/UnattendedUpgrades
• https://help.ubuntu.com/community/AutomaticSecurityUpdates
• https://www.debian.org/doc/manuals/debian-reference/ch02.en.html#_automatic_download_and_upgrade_of_packages
• https://debian-handbook.info/browse/stable/sect.regular-upgrades.html