Set Up Automatic Update (Unattended Upgrades) on Ubuntu + Kernel reboots

Configure Automatic Security Update (Unattended Upgrades) on Ubuntu Server

First, install the unattended-upgrades package.

sudo apt update

sudo apt install unattended-upgrades

You need to install the update-notifier-common package in order to set up automatic reboot.

sudo apt install update-notifier-common

Then edit the 50unattended-upgrades file.

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

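In this file, you can configure which packages are updated automatically. By default, only security updates are installed automatically, so there is no need to change the Allowed-Origins section. In the stock file the -updates, -proposed and -backports lines are commented out with //. The listing below shows them without the comment markers, and leaving them uncommented also installs non-security updates, including pre-release packages from -proposed.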

Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
"${distro_id}:${distro_codename}-updates";
"${distro_id}:${distro_codename}-proposed";
"${distro_id}:${distro_codename}-backports";
};

Unattended-Upgrade::Package-Blacklist {
};

Unattended-Upgrade::DevRelease "auto";
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Enable Automatic Security Update

Now that automatic security updates are configured, enable them by creating the 20auto-upgrades file.

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Copy and paste the following two lines into the file.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

 

Run Unattended Upgrade at a Specific Time

Unattended upgrade runs at a random time between 12 AM and 7 AM, to prevent load spikes on mirror servers from everyone running updates at the same time. You can run unattended upgrade manually with:

sudo unattended-upgrade -v

You can also add this command to a cron job.

sudo crontab -e

Add the following line at the bottom of the crontab file so that unattended upgrade runs every day at 2 AM. Because sudo crontab -e edits root's crontab, the entry itself needs no sudo prefix.

0 2 * * * /usr/bin/unattended-upgrade -v

Check Restart

The checkrestart command helps you find out which processes need to be restarted after an upgrade. It is available from the debian-goodies package.

sudo apt install debian-goodies

sudo checkrestart