How to Set Up Automatic Updates on Debian

A central part of keeping Linux servers secure is installing security updates in a timely manner. On Debian, the unattended-upgrades package can be configured to install updated packages and/or security updates automatically, without operator intervention.

Above all, keeping the system up to date is one of the most important tasks for Linux admins. It keeps your system more stable and secure. Therefore, as a system administrator, regularly updating the servers and applying security patches is one of the essential tasks to keep them stable and secure. However, if an administrator forgets it or takes this task for granted, it can lead to severe security threats.

This is a simple tutorial that will show you how to configure your Debian system to receive automatic security updates. Of course, there are many ways to automate this. However, we are going with the official method.

Install unattended-upgrades Package on Debian

First, if unattended-upgrades is not already installed on your system, you can install it by running the commands below in the console:

sudo apt update
sudo apt install unattended-upgrades
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  gir1.2-glib-2.0 libgirepository-1.0-1 libglib2.0-0 libglib2.0-data python3-dbus python3-distro-info python3-gi shared-mime-info xdg-user-dirs
Suggested packages:
  python-dbus-doc python3-dbus-dbg bsd-mailx default-mta | mail-transport-agent needrestart
The following NEW packages will be installed:
  gir1.2-glib-2.0 libgirepository-1.0-1 libglib2.0-0 libglib2.0-data python3-dbus python3-distro-info python3-gi shared-mime-info unattended-upgrades xdg-user-dirs
0 upgraded, 10 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,792 kB of archives.
After this operation, 20.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]

Configure Automatic Updates On Debian

The configuration file for unattended-upgrades is /etc/apt/apt.conf.d/50unattended-upgrades. You can edit it using any text editor.

By default, only the minimal options required for security updates are enabled. Uncomment the following lines in the file by removing // from the start of the lines:

sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

Once done, save and exit the file.

Enable Email Notification

If you would like to receive an email notification after every security update, modify the following line (uncomment it and add your email address).

Before:

//Unattended-Upgrade::Mail "";

After:

Unattended-Upgrade::Mail "[email protected]";

Auto Remove Unused Dependencies

Moreover, you may need to run the "sudo apt autoremove" command after every update to remove unused dependencies from the system. You can automate this task by changing the following line (uncomment it and change "false" to "true").

Before:

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

After:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Enable Automatic Updates On Debian

To enable unattended-upgrades, you need to configure the /etc/apt/apt.conf.d/20auto-upgrades file. Run the command below in the console to do so:

sudo dpkg-reconfigure --priority=low unattended-upgrades

After running the above command, the following window will appear, asking whether you want to automatically download and install stable updates. Use the tab key to select the Yes option and press Enter.

Enable unattended-upgrades
Creating config file /etc/apt/apt.conf.d/20auto-upgrades with new version

The /etc/apt/apt.conf.d/20auto-upgrades file will be updated with the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

To view whether the Unattended-Upgrade service is enabled and running, you can issue the command shown below:

sudo systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
   Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2020-08-22 10:33:04 EDT; 45min ago
     Docs: man:unattended-upgrade(8)
 Main PID: 1796 (unattended-upgr)
    Tasks: 2 (limit: 1149)
   Memory: 8.7M
   CGroup: /system.slice/unattended-upgrades.service
           └─1796 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Aug 22 10:33:04 debian systemd[1]: Started Unattended Upgrades Shutdown.

After performing the above steps, unattended-upgrades will be enabled on your system, and updates will be installed automatically.

When the system performs an unattended upgrade, it logs this activity in files under the /var/log/unattended-upgrades/ directory.
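To confirm that the edits from the steps above actually took effect, the following script audits the two files this tutorial changes. It is an added example, not part of the original tutorial or of the unattended-upgrades package; the function names are made up for illustration and the sample files it checks are constructed copies written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit the two files it edits.

# Print the value of an active (not //-commented) apt.conf key, if any.
apt_conf_value() {  # $1 = file, $2 = key
    sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}

# Succeed only if both periodic jobs are set to something other than "0".
periodic_enabled() {  # $1 = 20auto-upgrades
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        case "$(apt_conf_value "$1" "$key")" in
            ''|0) echo "DISABLED: $key" >&2; return 1 ;;
        esac
    done
}

# List origin patterns that are active inside the Origins-Pattern block.
active_origins() {  # $1 = 50unattended-upgrades
    awk '
        /^[ \t]*Unattended-Upgrade::Origins-Pattern[ \t]*[{]/ { inb = 1; next }
        inb && /^[ \t]*[}];/ { inb = 0 }
        inb && /^[ \t]*"/    { gsub(/^[ \t]*"|";.*$/, ""); print }
    ' "$1"
}

audit() {  # $1 = 20auto-upgrades, $2 = 50unattended-upgrades
    periodic_enabled "$1" || return 1
    active_origins "$2" | grep -q 'label=Debian-Security' ||
        { echo "Debian-Security origin is not active" >&2; return 1; }
    echo "OK: periodic jobs enabled; active origins:"
    active_origins "$2" | sed 's/^/  /'
}

# Constructed sample files, so the script runs without touching /etc.
make_sample() {  # $1 = directory
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$1/20auto-upgrades"
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
//      "o=Debian,a=stable";
};
EOF
}

sample=$(mktemp -d) && make_sample "$sample" &&
    audit "$sample/20auto-upgrades" "$sample/50unattended-upgrades"
rm -rf "$sample"
```

On a live system, call audit with the real paths under /etc/apt/apt.conf.d/ instead of the sample directory. Running sudo unattended-upgrade --dry-run --debug then shows which packages a real run would pick up, without installing anything.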

Disable Automatic Updates On Debian

To disable unattended-upgrades, run the command shown below:

sudo dpkg-reconfigure --priority=low unattended-upgrades

The following window will appear, asking whether you want to automatically download and install stable updates. Use the tab key to select the No option and press Enter.

Disable unattended-upgrades
Replacing config file /etc/apt/apt.conf.d/20auto-upgrades with new version

Conclusion

By enabling unattended-upgrades (Automatic Updates) on Debian servers, you’ve taken an important step to protect your server from vulnerabilities. Manually updating the system and applying patches can be a very time-consuming process. Unattended Upgrades saves a lot of time.

The unattended-upgrades utility keeps your system current and secure by automatically installing the latest updates and security patches whenever they are available.
