Skip to main content
Prerequisites:
  • Ubuntu or Debian-based Linux system
  • Root or sudo access
  • Internet connection
Keeping your Linux system updated is crucial for security. This guide shows you how to set up automatic upgrades using unattended-upgrades to ensure your system receives security patches automatically.

Manual System Updates

Before setting up automatic upgrades, understand the basic update commands:
1

Update package lists

Refresh the package index to get the latest information about available packages:
sudo apt update
This downloads package information from all configured repositories.
2

Upgrade installed packages

Upgrade all installed packages to their latest versions:
sudo apt upgrade
You can also combine both commands:
sudo apt update && sudo apt upgrade
3

Full system upgrade (optional)

For a complete system upgrade including kernel updates:
sudo apt update && sudo apt full-upgrade
full-upgrade may remove packages if necessary to resolve dependencies. Use with caution on production systems.

Installing Unattended-Upgrades

1

Install unattended-upgrades

Install the unattended-upgrades package:
sudo apt update
sudo apt install unattended-upgrades
2

Verify installation

Check that the service is installed and running:
sudo systemctl status unattended-upgrades

Configuring Unattended-Upgrades

Configure unattended-upgrades to automatically install security updates.
1

Run configuration wizard

Launch the interactive configuration tool:
sudo dpkg-reconfigure --priority=low unattended-upgrades
You’ll be presented with a series of prompts:
  1. Automatically download and install stable updates? - Select “Yes”
  2. Email address for update notifications - Enter your email (optional)
  3. Automatic reboot options - Choose based on your needs
2

Manual configuration (alternative)

If you prefer manual configuration, edit the configuration file:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Configuration File Settings

The main configuration file is located at /etc/apt/apt.conf.d/50unattended-upgrades. Here are key settings:
Specify which updates to install. The default configuration includes:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};
This ensures only security updates are installed automatically.
Prevent specific packages from being automatically updated:
Unattended-Upgrade::Package-Blacklist {
    "package-name";
    "another-package";
};
Useful for packages that require manual intervention or testing.
Configure automatic reboots after updates:
# Reboot automatically when needed
Unattended-Upgrade::Automatic-Reboot "false";

# Reboot even if users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

# Reboot at a specific time
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Automatic reboots can disrupt services. Only enable if your system can handle unexpected reboots.
Receive email notifications about updates:
Unattended-Upgrade::Mail "your-email@example.com";
Unattended-Upgrade::MailOnlyOnError "true";
Set MailOnlyOnError to false to receive notifications for all updates.
Automatically remove unused packages after updates:
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Remove "true";

Enable Automatic Updates

1

Enable automatic updates

Create or edit the auto-update configuration file:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Add the following configuration:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
2

Configuration values explained

  • Update-Package-Lists "1" - Update package lists daily
  • Unattended-Upgrade "1" - Run unattended-upgrade daily
  • Download-Upgradeable-Packages "1" - Download upgradeable packages daily
  • AutocleanInterval "7" - Clean package cache every 7 days
Values are in days. Use "0" to disable a feature.
3

Verify configuration

Check that automatic updates are enabled:
cat /etc/apt/apt.conf.d/20auto-upgrades

Testing Unattended-Upgrades

1

Test configuration

Test the configuration without making changes:
sudo unattended-upgrades --dry-run --debug
This shows what would be updated without actually installing anything.
2

Manually trigger updates

Force unattended-upgrades to run immediately:
sudo unattended-upgrades
3

Check update logs

View logs to see what updates were installed:
# View recent logs
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

# View today's updates
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log | grep "$(date +%Y-%m-%d)"

Monitoring Automatic Upgrades

View the current status of automatic updates:
sudo unattended-upgrades --dry-run
Check what updates have been installed:
# View package update history
grep "Unattended-Upgrade:" /var/log/unattended-upgrades/unattended-upgrades.log

# View all package installations
grep "Inst" /var/log/unattended-upgrades/unattended-upgrades.log
See what updates are available:
sudo apt list --upgradable
Check if the unattended-upgrades service is running:
sudo systemctl status unattended-upgrades
Here’s a complete recommended configuration for production servers:

/etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Only install security updates
Unattended-Upgrade::Package-Blacklist {
    // Add packages that should never be auto-updated
};

// Email notifications
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailOnlyOnError "true";

// Automatic reboot (disabled by default)
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

// Clean up after updates
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Remove "true";

/etc/apt/apt.conf.d/20auto-upgrades

// Update package lists daily
APT::Periodic::Update-Package-Lists "1";

// Run unattended-upgrade daily
APT::Periodic::Unattended-Upgrade "1";

// Download upgradeable packages daily
APT::Periodic::Download-Upgradeable-Packages "1";

// Clean package cache weekly
APT::Periodic::AutocleanInterval "7";

Disabling Automatic Upgrades

If you need to disable automatic upgrades:
1

Disable automatic updates

Edit the configuration file:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
Change values to "0" to disable:
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";
APT::Periodic::Download-Upgradeable-Packages "0";
2

Stop the service

Stop and disable the unattended-upgrades service:
sudo systemctl stop unattended-upgrades
sudo systemctl disable unattended-upgrades

Troubleshooting

Check:
  1. Service status: sudo systemctl status unattended-upgrades
  2. Configuration files: cat /etc/apt/apt.conf.d/20auto-upgrades
  3. Logs: sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
  4. Test manually: sudo unattended-upgrades --dry-run
Reduce notification frequency:
Unattended-Upgrade::MailOnlyOnError "true";
Or disable email notifications entirely by removing or commenting out the Mail line.
Add packages to the blacklist in /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Package-Blacklist {
    "problematic-package";
    "another-package";
};
Disable automatic reboots:
Unattended-Upgrade::Automatic-Reboot "false";
Then restart the service:
sudo systemctl restart unattended-upgrades
Automatic updates can fill up disk space. Enable automatic cleanup:
Unattended-Upgrade::Automatic-Remove "true";
APT::Periodic::AutocleanInterval "7";
Manually clean up:
sudo apt autoremove
sudo apt autoclean

Best Practices

Security Updates Only

Configure to install only security updates automatically. Regular updates can be done manually after testing.

Email Notifications

Set up email notifications to monitor what updates are being installed.

Package Blacklist

Blacklist critical packages that require manual testing before updates.

Regular Monitoring

Review logs weekly to ensure updates are installing correctly.

Backup Before Updates

Ensure you have backups before enabling automatic updates on production systems.

Test Environment

Test automatic updates in a staging environment before enabling on production.

Quick Reference

1

Install and configure

sudo apt update
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades
2

Manual update

sudo apt update && sudo apt upgrade
3

Check status

sudo unattended-upgrades --dry-run
sudo systemctl status unattended-upgrades
Important: While automatic updates improve security, always test updates in a staging environment first, especially for production systems. Consider blacklisting critical packages that require manual testing.