Purpose:
This document outlines the steps to configure unattended upgrades on Debian-based Linux systems, ensuring that systems automatically receive and apply security updates.
- Open a terminal.
- Run the following commands to ensure that unattended-upgrades is installed:
    sudo apt update
    sudo apt install unattended-upgrades
- Open the configuration file for unattended-upgrades:
    sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
- Ensure the following lines are included in the file for Linux Mint Victoria (based on Ubuntu 22.04 Jammy):
    Unattended-Upgrade::Allowed-Origins {
        "Ubuntu:jammy";
        "Ubuntu:jammy-security";
        "Ubuntu:jammy-updates";
    };
    Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
    Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
    Unattended-Upgrade::Automatic-Reboot "true";
    Unattended-Upgrade::Automatic-Reboot-Time "02:00";
    Unattended-Upgrade::SyslogEnable "true";
    Unattended-Upgrade::MailReport "on-change";
    Unattended-Upgrade::OnlyOnACPower "true";
    Unattended-Upgrade::Allow-APT-Mark-Fallback "true";
- Save and exit the file.
- Find the distro_id and distro_codename. Run the following commands to determine the system's distribution ID and codename:
    lsb_release -si   # This shows the distro_id (e.g., Ubuntu, Debian)
    lsb_release -sc   # This shows the codename (e.g., buster, focal)
- Update the Allowed-Origins block accordingly. For example, if using Debian Buster:
    Unattended-Upgrade::Allowed-Origins {
        "Debian:buster";
        "Debian:buster-security";
    };
- Check the current timers for apt-daily and apt-daily-upgrade by running:
    systemctl list-timers --all | grep apt
- Verify that the timers for the update check and upgrade services are running as expected. You should see entries like:
    apt-daily.timer: Scheduled daily.
    apt-daily-upgrade.timer: Scheduled daily.
  If the times are acceptable (e.g., 6:30 AM for upgrades), no further changes are needed.
- To simulate unattended upgrades and verify the configuration, run:
    sudo unattended-upgrade --dry-run
- This command will simulate the upgrade process without making any actual changes, ensuring the setup works correctly.
- Logs for the unattended upgrades can be found in:
    /var/log/unattended-upgrades/
- You can monitor the logs to ensure updates are being applied. Use the following command to view the log output:
    sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
- If a reboot is required after an update (e.g., after a kernel update), the system will automatically reboot at 2:00 AM.
- To change the reboot time, modify this line in /etc/apt/apt.conf.d/50unattended-upgrades:
    Unattended-Upgrade::Automatic-Reboot-Time "02:00";
- Manual Upgrades:
  If you need to manually perform an upgrade at any time, use the following command:
    sudo apt update && sudo apt upgrade -y
- Automatic Updates Frequency:
  By default, updates are checked and applied daily. If you need to modify the frequency, adjust the settings in /etc/apt/apt.conf.d/20auto-upgrades.
- Email Notifications:
  If you wish to receive email notifications for problems or successful upgrades, configure the email in the unattended-upgrades configuration.
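As an added example (not part of the original procedure), the script below statically checks the two files this procedure edits: it confirms that the security origin in 50unattended-upgrades is active rather than commented out, and that periodic runs are enabled in 20auto-upgrades. The function names and sample file contents are constructed for illustration, and it assumes 20auto-upgrades uses the usual APT::Periodic keys.

```shell
#!/bin/sh
# Added example: static audit of unattended-upgrades settings.
# Only // comments are handled; /* */ comment blocks are not.

# Print the active (uncommented) Allowed-Origins entries, one per line.
active_origins() {  # $1 = path to 50unattended-upgrades
    sed -e 's|//.*$||' "$1" | awk '
        /Unattended-Upgrade::Allowed-Origins/ { inblk = 1 }
        inblk {
            line = $0
            while (match(line, /"[^"]*"/)) {
                print substr(line, RSTART + 1, RLENGTH - 2)
                line = substr(line, RSTART + RLENGTH)
            }
            if (index($0, "}")) inblk = 0
        }'
}

# Succeed if "<id>:<codename><suffix>" is active, written literally or with
# the ${distro_id}/${distro_codename} variables.
has_origin() {  # $1 = file, $2 = id, $3 = codename, $4 = suffix
    active_origins "$1" |
        sed -e "s/[\$]{distro_id}/$2/g" -e "s/[\$]{distro_codename}/$3/g" |
        grep -qxF "$2:$3$4"
}

# Succeed if APT::Periodic::<key> is set to a non-zero number.
periodic_enabled() {  # $1 = path to 20auto-upgrades, $2 = key
    sed -e 's|//.*$||' "$1" |
        grep -Eq "APT::Periodic::$2[[:space:]]+\"[1-9][0-9]*\""
}

# Constructed sample: security origin commented out, periodic upgrade disabled.
tmp=$(mktemp -d)
cat > "$tmp/50" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
//  "${distro_id}:${distro_codename}-security";
    "Ubuntu:jammy-updates";
};
EOF
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
    'APT::Periodic::Unattended-Upgrade "0";' > "$tmp/20"

has_origin "$tmp/50" Ubuntu jammy -security || echo "security origin not active"
periodic_enabled "$tmp/20" Unattended-Upgrade || echo "periodic run disabled"
rm -rf "$tmp"
```

On a real host, point the functions at the files under /etc/apt/apt.conf.d/ and pass the values reported by lsb_release.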
This procedure ensures that your Linux systems are automatically updated with security patches and other necessary updates, reducing manual intervention and helping meet security compliance standards.
Prepared by: Daniel L. Van Den Bosch Date: September 4, 2024