Unattended upgrades in Debian or Ubuntu

Installation

apt install unattended-upgrades apt-listchanges

Configuration

Package sources and options

In /etc/apt/apt.conf.d/50unattended-upgrades, the following section controls which package sources are used, including custom sources. The same file also configures e-mail reports and automatic reboots. Usually the file contains several sources that are commented out, such as non-security updates, which you may want to install manually only:

// Entries here use the "origin:archive" form
// (Origins-Pattern takes "o=...,a=..." patterns instead)
Unattended-Upgrade::Allowed-Origins {

    // upgrades for the distribution

    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";

    // custom package sources

    "LP-PPA-ondrej-php:${distro_codename}";
    "LP-PPA-redislabs-redis:${distro_codename}";
    "Docker:${distro_codename}";
};

// E-Mail address to send reports to
Unattended-Upgrade::Mail "someone@domain.example";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "on-change";

// Reboot if needed 
Unattended-Upgrade::Automatic-Reboot "true";

// Time when to reboot if needed
Unattended-Upgrade::Automatic-Reboot-Time "05:00";

To determine the names of package sources that were added manually (e.g. Docker, PHP etc.), use the following command:

apt-cache policy

This will output something like this:

500 https://ppa.launchpadcontent.net/ondrej/php/ubuntu jammy/main amd64 Packages
     release v=22.04,o=LP-PPA-ondrej-php,a=jammy,n=jammy,l=***** The main PPA for supported PHP versions with many PECL extensions *****,c=main,b=amd64
     origin ppa.launchpadcontent.net

Here you take the name after o= and combine it with the placeholder for the distribution name as shown in the example above.
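
The manual step above can be scripted. The following is an added example, not part of the original page: it extracts the o= and a= fields from apt-cache policy output and prints candidate "origin:archive"; lines. The function names origins_from_policy and sample_policy, and the second and third sample stanzas, are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original page.
# On a real host: apt-cache policy | origins_from_policy "$(lsb_release -cs)"

# Reads `apt-cache policy` text on stdin and prints one "origin:archive";
# line per distinct o=/a= pair. $1 is the release codename; an archive that
# starts with it is rewritten to the ${distro_codename} placeholder.
origins_from_policy() {
    awk -v codename="$1" '
        $1 == "release" {
            o = ""; a = ""
            # Key=value fields are comma-separated and the label (l=) may
            # contain spaces, so search the whole line instead of using $2.
            if (match($0, /[ ,]o=[^,]*/)) {
                o = substr($0, RSTART, RLENGTH); sub(/^[ ,]o=/, "", o)
            }
            if (match($0, /[ ,]a=[^,]*/)) {
                a = substr($0, RSTART, RLENGTH); sub(/^[ ,]a=/, "", a)
            }
            # No origin or archive (e.g. the local dpkg status file): skip.
            if (o == "" || a == "") next
            if (a == codename) {
                a = "${distro_codename}"
            } else if (index(a, codename "-") == 1) {
                a = "${distro_codename}" substr(a, length(codename) + 1)
            }
            entry = "\"" o ":" a "\";"
            if (!(entry in seen)) { seen[entry] = 1; print entry }
        }'
}

# Constructed sample input; the first stanza is the one shown above.
sample_policy() {
    cat <<'EOF'
 500 https://ppa.launchpadcontent.net/ondrej/php/ubuntu jammy/main amd64 Packages
     release v=22.04,o=LP-PPA-ondrej-php,a=jammy,n=jammy,l=***** The main PPA for supported PHP versions with many PECL extensions *****,c=main,b=amd64
     origin ppa.launchpadcontent.net
 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 100 /var/lib/dpkg/status
     release a=now
EOF
}

sample_policy | origins_from_policy jammy
```

Treat the output as candidates to review rather than lines to paste blindly: every origin listed in the configuration has its packages installed as root without confirmation.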

Frequency of updates

In /etc/apt/apt.conf.d/20auto-upgrades you can define how often upgrades should be installed and how often unused packages should be cleaned up to save space. Every number is an interval in days, where 1 means daily:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";

Time of day to run unattended upgrades

Unattended upgrades are executed using systemd timers:

  • apt-daily.timer to update the package lists (apt-get update)
  • apt-daily-upgrade.timer to install the upgrades (unattended-upgrade).

To change when a timer runs, use the following command:

systemctl edit apt-daily.timer

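This will create /etc/systemd/system/apt-daily.timer.d/override.conf to store the local customization. Here you can add the desired values as follows, for example to run the job between 3:00 and 3:15. The empty OnCalendar= line clears the schedule inherited from the packaged timer before the new one is set: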

[Timer]
OnCalendar=
OnCalendar=03:00
RandomizedDelaySec=15m

The random start point with a delay of up to 15 minutes helps to avoid running many jobs at the same time.

Repeat this with the daily upgrades which should follow 30 minutes later:

systemctl edit apt-daily-upgrade.timer

This will create /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf to store the local customization. Here you can add the desired values as follows, for example to run the job at 3:30:

[Timer]
OnCalendar=
OnCalendar=03:30
RandomizedDelaySec=0

This time the upgrade process has no random delay, so there is a predictable time at which services may become temporarily unresponsive due to upgrades.

To verify that the timers are set as desired, use the following command:

systemctl cat apt-daily{,-upgrade}.timer
systemctl --all list-timers apt-daily{,-upgrade}.timer