One of the little white lies that we tell ourselves is that ‘security is a priority’. It’s not. If it were, we would spend more time on it. Because what is the single most important thing that we can do to secure our systems? Keep them up to date. Not only the patches marked as security updates, but all of them, rebooting the system when necessary.
For me personally this is a bit of a pain. I have a lot of systems, and I don’t want to have to log into each one to update them. I want to automate this. Not by launching an ansible playbook (or similar), but by having the system do it itself.
This is where unattended-upgrades comes in. It’s a package that you can install on your system that will automatically install updates for you. It’s not perfect, but it’s a good start. Fetch, install, and reboot. That’s it.
In this post I will show you how to install and configure unattended-upgrades on your system. I will also show you how to test it, and how to check if it’s working.
Installing unattended-upgrades
The first thing that you need to do is install the package. You can do this with the following command:
sudo apt-get install unattended-upgrades
Configuring unattended-upgrades
/etc/apt/apt.conf.d/50unattended-upgrades
// Which repositories unattended-upgrades may install from.
// -security and -updates are the released pockets; -proposed holds packages
// still under test and -backports holds newer versions from later releases.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-proposed";
"${distro_id}:${distro_codename}-backports";
};
// Automatically reboot *WITHOUT* confirmation if a restart is required
Unattended-Upgrade::Automatic-Reboot "true";
// Automatically reboot even if users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
// Reboot at this time of day instead of immediately after the upgrade run
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
/etc/apt/apt.conf.d/20auto-upgrades
// Run apt update (refresh the list of available packages) every N days; "1" means daily.
APT::Periodic::Update-Package-Lists "1";
// Download (but do not install) upgradeable packages every N days; "1" means daily.
APT::Periodic::Download-Upgradeable-Packages "1";
// Run apt autoclean every N days; "7" means once a week.
APT::Periodic::AutocleanInterval "7";
// Run the unattended-upgrade script every N days; "1" means upgrades are installed daily.
APT::Periodic::Unattended-Upgrade "1";
Testing unattended-upgrades
Ensure the service is running properly with:
sudo systemctl status unattended-upgrades
Manually trigger an unattended upgrade to test it (--dry-run reports what would happen without installing anything):
sudo unattended-upgrade --dry-run --debug
Logs for unattended upgrades are written to the /var/log/unattended-upgrades directory:
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
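When you manage many hosts, the thing that actually goes wrong is not the package but the configuration: a later fragment in /etc/apt/apt.conf.d quietly overrides Automatic-Reboot, or a host never got 20auto-upgrades at all. The script below is an added example (not code from the post or from the unattended-upgrades project) that audits the apt.conf.d fragments for the settings configured above without needing apt on the machine running the check. It assumes values are written in the quoted `Key "value";` form shown in this post, and it reads the fragments in name order, taking the last definition of a key, which is how apt merges them. The sample fragments it writes are constructed for the demo; point it at the real directory with `sh audit-apt-conf.sh /etc/apt/apt.conf.d/*`.

```shell
#!/bin/sh
# Added example: audit apt.conf.d fragments for the unattended-upgrades
# settings a self-patching host needs. Not part of the original post.

# Print the value of one apt.conf key from the given fragment files, read in
# the order given (apt reads them in lexical order, later files override).
# // comments are stripped first; only the quoted `Key "value";` form is
# recognised. Prints nothing if the key is not set anywhere.
apt_conf_get() {
    key=$1
    shift
    cat -- "$@" 2>/dev/null \
        | sed -e 's#//.*$##' \
        | grep -E "^[[:space:]]*${key}[[:space:]]+\"" \
        | sed -E 's/^[^"]*"([^"]*)".*$/\1/' \
        | tail -n 1
}

# Compare the effective configuration against what we expect on a host that
# should fetch, install and reboot on its own. Prints one OK/FAIL line per
# key and returns the number of failures (0 = host is configured as intended).
audit_apt_conf() {
    failures=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(apt_conf_get "$key" "$@")
        if [ "$got" = "$want" ]; then
            printf 'OK   %s = %s\n' "$key" "$got"
        else
            printf 'FAIL %s = %s (want %s)\n' "$key" "${got:-<unset>}" "$want"
            failures=$((failures + 1))
        fi
    done <<EOF
APT::Periodic::Update-Package-Lists 1
APT::Periodic::Unattended-Upgrade 1
Unattended-Upgrade::Automatic-Reboot true
EOF
    return "$failures"
}

# Write constructed sample fragments (mirroring the post's settings) into a
# directory, so the audit can be demonstrated without touching /etc/apt.
write_sample_conf() {
    dir=$1
    cat > "$dir/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$dir/50unattended-upgrades" <<'EOF'
// constructed sample fragment
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
EOF
}

# Usage: sh audit-apt-conf.sh /etc/apt/apt.conf.d/*
# With no arguments, audit the constructed sample fragments instead.
if [ "$#" -gt 0 ]; then
    audit_apt_conf "$@"
else
    demo_dir=$(mktemp -d)
    write_sample_conf "$demo_dir"
    audit_apt_conf "$demo_dir"/*
    rm -rf "$demo_dir"
fi
```

A non-zero exit status is what you would alert on from whatever runs this across the fleet; the FAIL lines name the key and the value the host actually ends up with, which is usually enough to find the fragment that overrode it.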