Ubuntu Unattended Upgrades

Info

Check for pending updates:

  • /usr/lib/update-notifier/apt-check
  • List pending updates:
    • apt dist-upgrade --dry-run --verbose-versions  2> /dev/null
  • List pending security updates:
    • apt dist-upgrade --dry-run --verbose-versions  2> /dev/null | awk '/^Inst.*security/ {print $2}'
  • Count pending security updates:
    • apt dist-upgrade --dry-run --verbose-versions  2> /dev/null | awk '/^Inst.*security/ {print $2}' | wc --lines

Install

  • sudo apt install unattended-upgrades

Configure

Configuration for maximum automation:

  • vi /etc/apt/apt.conf.d/20auto-upgrades
    • Some entries are duplicated in 10periodic. Use 20auto-upgrades, as it overrides 10periodic.
    • APT::Periodic::Update-Package-Lists "1";
      APT::Periodic::Download-Upgradeable-Packages "1";
      APT::Periodic::Unattended-Upgrade "1";
      APT::Periodic::AutocleanInterval "7";
      APT::Periodic::CleanInterval "7";
      APT::Periodic::MaxAge "14";
  • vi /etc/apt/apt.conf.d/50unattended-upgrades
    • Unattended-Upgrade::MinimalSteps "true";
      Unattended-Upgrade::Mail "root";
      Unattended-Upgrade::MailOnlyOnError "true";
      Unattended-Upgrade::Remove-Unused-Dependencies "true";
      Unattended-Upgrade::Automatic-Reboot "true";
      Unattended-Upgrade::Automatic-Reboot-Time "04:24";
      Unattended-Upgrade::OnlyOnACPower "true";
      Unattended-Upgrade::SyslogEnable "true";
  • Or put all your custom settings cleanly into
    • vi /etc/apt/apt.conf.d/90custom-conf

Run manually

  • /usr/lib/apt/apt.systemd.daily

Troubleshoot

Which settings are actually used? Some settings are duplicated, e.g. in 10periodic and 20auto-upgrades.

  • 20auto-upgrades overrides the configuration of 10periodic.
    Apt reads each file in sequence. If the same setting appears twice, the last one found is active.
    Not everybody has 20auto-upgrades. It is installed when you install the package unattended-upgrades. 10periodic comes from the package update-notifier-common, which is installed by default.
    (Find which package a file belongs to: dpkg-query -S /path/to/file)

  • apt-config dump | grep 'APT::Periodic::\|Unattended-Upgrade::\|Dir::Cache'
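
The "last one found wins" rule above, as an added example (not part of the original page): a shell function that reports which fragment supplies the effective value of each setting and which earlier fragments it overrides, something apt-config dump does not show. The function name, the sample directory and its file contents are constructed for illustration; only one-line `Name "value";` settings are handled.

```shell
# effective_settings DIR: for each one-line scalar setting (Name "value";) under
# APT::Periodic:: or Unattended-Upgrade::, print the winning value, its fragment and
# the earlier fragments it overrides. Nested { } blocks and lists are not parsed.
effective_settings() (
    cd "$1" || exit 1
    LC_ALL=C; export LC_ALL        # byte-wise glob order, e.g. 10... before 20...
    set --
    for f in *; do
        case $f in
            *.conf) ;;             # apt reads fragments with a .conf extension
            *.*) continue ;;       # ... or none at all; skips e.g. *.dpkg-old
        esac
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    [ $# -gt 0 ] || exit 0
    awk '
        /^[ \t]*(APT::Periodic|Unattended-Upgrade)::[A-Za-z-]+[ \t]+"[^"]*";/ {
            split($0, q, "\"")                 # q[1] = name, q[2] = value
            key = q[1]; gsub(/[ \t]/, "", key)
            if (key in file) hist[key] = hist[key] " " file[key] "=" val[key]
            else order[++n] = key
            file[key] = FILENAME; val[key] = q[2]
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                line = k " = " val[k] " (" file[k] ")"
                if (k in hist) line = line " overrides:" hist[k]
                print line
            }
        }' "$@"
)
# Constructed sample fragments (not taken from a real host).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Download-Upgradeable-Packages "0";' \
        'APT::Periodic::AutocleanInterval "0";' > "$d/10periodic"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    printf '%s\n' '// local overrides' \
        'APT::Periodic::AutocleanInterval "7";' > "$d/90custom-conf"
    printf '%s\n' 'APT::Periodic::Unattended-Upgrade "0";' > "$d/20auto-upgrades.dpkg-old"
    echo "$d"
}
sample=$(make_sample_dir); effective_settings "$sample"; rm -r "$sample"
```

On a host, run effective_settings /etc/apt/apt.conf.d and compare the result with the apt-config dump output, which remains the authoritative view.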

Dry run

  • sudo unattended-upgrades --dry-run --debug

Logfiles

  • vi /var/log/unattended-upgrades/unattended-upgrades.log
  • vi /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

Service Status

  • systemctl status apt-daily.service
  • cat /lib/systemd/system/apt-daily.timer
  • systemctl list-timers apt-daily.timer

References