Setting up Automatic Updates for Ubuntu

Keeping your system up to date is the single most important way to prevent security and malware issues.  Ubuntu provides nice tools for maintaining your system, but if you manage it via a command line you may be used to seeing:

3 packages can be updated.
3 updates are security updates.

This is the Ubuntu system notifying you that it noticed there are 3 packages that have updates available.  This check is enabled by default and is part of the update-motd system.  Some background on how this works will provide insight into the workings of Ubuntu and then we’ll talk about automating those updates.

Background

update-motd is a system program introduced in Ubuntu that allows the /etc/motd file to be dynamically updated at each user’s interactive login.  When a user logs onto the system, a PAM module (pam_motd) displays the contents of the /etc/motd file.  /etc/motd used to be just a static text file that administrators could edit to communicate information to their users.  Ubuntu changed that with update-motd: the file is now dynamically created whenever the update-motd command is run, by executing the series of scripts found in the /etc/update-motd.d directory.  One of those scripts is 90-updates-available, and it runs /usr/lib/update-notifier/update-motd-updates-available, which prints the output of the command /usr/lib/update-notifier/apt-check --human-readable (or its cached equivalent if nothing has changed since the last run).

The problem with the notification system is that it only notifies you.  The updates are not automatically downloaded and they are not automatically applied.  So, how do we get our systems to just update themselves?

Configuring Automatic Updates

What we are actually configuring is the ability to perform unattended upgrades.  These updates are going to happen without your intervention (though you will be notified).  In order to have your system perform unattended upgrades, you have to install the unattended-upgrades package (depending on your version of Ubuntu, it may already be installed):

sudo apt-get install unattended-upgrades

After this package installs, check to make sure the /etc/apt/apt.conf.d/50unattended-upgrades file suits your system needs:

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distroid}:${distrocodename}-security";
//      "${distroid}:${distrocodename}-updates";
//      "${distroid}:${distrocodename}-proposed";
//      "${distroid}:${distrocodename}-backports";
};

By default only the security archive is enabled.  If you want additional package categories upgraded automatically, you’ll need to uncomment them.

You should also note that you can blacklist packages and prevent them from being automatically upgraded.  This is to prevent the automatic updates from breaking version-sensitive applications:

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

While you’re editing the /etc/apt/apt.conf.d/50unattended-upgrades file, you may also want to set up email notifications for when upgrades happen:

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed.
Unattended-Upgrade::Mail "admin@myserver.mydomain.com";

There are several other options in the file, including automatic reboots, though I suggest leaving them all at the default until you get used to the service.
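Because every entry in these lists is present in the file whether or not it is commented out, it is easy to misread what the service will actually do.  The script below is an added example (it is not from the original post and not part of the unattended-upgrades package): it reports which Allowed-Origins and Package-Blacklist entries are active and where mail will be sent.  It assumes POSIX sh, sed and grep, and the layout of the stock file shown above (the list name and "{" on one line, one quoted entry per line, "};" closing the list).  If the real file is not readable it runs against a constructed sample instead.

```shell
#!/bin/sh
# Added example, not from the original post: summarise what an
# unattended-upgrades configuration file will actually do.
# Assumes POSIX sh, sed and grep, and the stock file layout:
#   Name {            (list name and brace on one line)
#           "entry";  (one quoted entry per line, "//" comments it out)
#   };

# active_entries FILE LISTNAME: print the uncommented entries of a braced
# list, one per line, without surrounding quotes and semicolons.
active_entries() {
    sed -n "/^[[:space:]]*$2[[:space:]]*{/,/^[[:space:]]*};/p" "$1" \
      | sed '1d;$d' \
      | grep -v -e '^[[:space:]]*//' -e '^[[:space:]]*$' \
      | sed 's/^[[:space:]]*"//; s/"[[:space:]]*;.*$//'
}

# mail_address FILE: print the Unattended-Upgrade::Mail value, or nothing.
mail_address() {
    sed -n 's/^[[:space:]]*Unattended-Upgrade::Mail[[:space:]]*"\(.*\)"[[:space:]]*;.*/\1/p' "$1"
}

# write_sample_conf FILE: constructed sample mirroring the stock file layout
# (one blacklist entry is deliberately active to show the difference).
write_sample_conf() {
    cat > "$1" <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
        "${distroid}:${distrocodename}-security";
//      "${distroid}:${distrocodename}-updates";
//      "${distroid}:${distrocodename}-proposed";
//      "${distroid}:${distrocodename}-backports";
};

// List of packages to not update
Unattended-Upgrade::Package-Blacklist {
//      "vim";
        "libc6";
//      "libc6-dev";
};

Unattended-Upgrade::Mail "admin@myserver.mydomain.com";
EOF
}

# report FILE: human-readable summary of the active settings
report() {
    echo "== $1"
    echo "Origins that will be upgraded automatically:"
    active_entries "$1" Unattended-Upgrade::Allowed-Origins | sed 's/^/  /'
    echo "Packages held back (blacklist):"
    active_entries "$1" Unattended-Upgrade::Package-Blacklist | sed 's/^/  /'
    echo "Mail goes to: $(mail_address "$1")"
}

CONF="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"
if [ -r "$CONF" ]; then
    report "$CONF"
else
    # no real file here (e.g. not an Ubuntu host): show the constructed sample
    SAMPLE="${TMPDIR:-/tmp}/50unattended-upgrades.sample.$$"
    write_sample_conf "$SAMPLE"
    report "$SAMPLE"
    rm -f "$SAMPLE"
fi
```

Run it with no arguments on the host to audit the live file, or pass a path to check a copy before you put it in place.  A blacklist entry that is still commented out, as all of them are in the stock file, holds nothing back.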

Once you have the file edited to your liking, enable the actual updates by editing the /etc/apt/apt.conf.d/10periodic file and adding the APT::Periodic::Unattended-Upgrade line, so that the configuration reads:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The above configuration updates the package list, downloads and installs available upgrades every day, and cleans the download archive every week.  Adjust the numbers to reflect how often you wish each task to be performed.
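If you roll this out to more than one machine, a script that sets the four APT::Periodic values is safer than editing by hand, provided it replaces an existing line for a key rather than appending a second, conflicting one.  The script below is an added example, not from the original post and not part of the unattended-upgrades package; it assumes POSIX sh, sed and grep, and takes the target file as its argument (the real /etc/apt/apt.conf.d/10periodic needs root; any scratch path works for a dry run).

```shell
#!/bin/sh
# Added example, not from the original post: apply the four APT::Periodic
# settings to an apt.conf.d fragment in a way that can be rerun safely.
# An existing line for a key is rewritten (so a "0" becomes "1" instead of
# a second line being appended); a missing key is appended.
# Assumes POSIX sh, sed and grep.

# set_apt_option FILE KEY VALUE
set_apt_option() {
    file="$1"; key="$2"; value="$3"
    [ -e "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]" "$file"; then
        # rewrite the existing line; temp file + mv avoids non-portable sed -i
        sed "s|^[[:space:]]*$key[[:space:]].*|$key \"$value\";|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s "%s";\n' "$key" "$value" >> "$file"
    fi
}

# get_apt_option FILE KEY: print the value without quotes, or nothing if unset
get_apt_option() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*|\1|p" "$1"
}

# apply_periodic FILE: daily list update, download and upgrade; weekly autoclean
apply_periodic() {
    set_apt_option "$1" APT::Periodic::Update-Package-Lists 1
    set_apt_option "$1" APT::Periodic::Download-Upgradeable-Packages 1
    set_apt_option "$1" APT::Periodic::AutocleanInterval 7
    set_apt_option "$1" APT::Periodic::Unattended-Upgrade 1
}

# check_periodic FILE: succeed only when all four keys hold the expected values
check_periodic() {
    [ "$(get_apt_option "$1" APT::Periodic::Update-Package-Lists)" = 1 ] &&
    [ "$(get_apt_option "$1" APT::Periodic::Download-Upgradeable-Packages)" = 1 ] &&
    [ "$(get_apt_option "$1" APT::Periodic::AutocleanInterval)" = 7 ] &&
    [ "$(get_apt_option "$1" APT::Periodic::Unattended-Upgrade)" = 1 ]
}

if [ -n "${1:-}" ]; then
    apply_periodic "$1"
    if check_periodic "$1"; then
        echo "$1: periodic settings in place"
    else
        echo "$1: settings not applied as expected" >&2
    fi
    cat "$1"
else
    echo "usage: $0 FILE   (e.g. /etc/apt/apt.conf.d/10periodic, as root)"
fi
```

After editing, apt-config dump | grep Periodic shows the values apt actually parsed from every fragment in apt.conf.d, which is what counts if another fragment sets the same key.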

The results of unattended-upgrades are logged under /var/log/unattended-upgrades.

The next day when the /etc/cron.daily/apt script runs, if there are any packages to upgrade, your system will automatically upgrade them and then email you the results.

howto linux security sysadmin ubuntu