Manage Debian unattended-upgrades

As a system administrator, regularly updating servers and applying security patches is one of the essential tasks for keeping them stable and secure. However, if an administrator forgets this task or takes it for granted, it can lead to severe security threats.

Fortunately, Linux systems allow you to install updates and security patches automatically using the unattended-upgrades utility. The utility, which comes installed with most of the operating systems, installs system updates and security patches automatically whenever they are available.

This article is about how to manage unattended-upgrades for automatically installing updates and security patches. You will learn how to enable and disable unattended-upgrades on a Debian 10 system.

Install unattended-upgrades

If unattended-upgrades is not already installed on your system, you can install it using the below commands in Terminal:

$ sudo apt update
$ sudo apt install unattended-upgrades

Configure unattended-upgrades

The configuration file for unattended-upgrades is located in the /etc/apt/apt.conf.d directory. You can edit it using any text editor.

$ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the following lines in the file by removing // from the start of the lines:

"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename}-proposed-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";

Once done, save and exit the file.

Enable unattended-upgrades

To enable unattended-upgrades, you will need to configure the /etc/apt/apt.conf.d/20auto-upgrades file. Issue the below command in Terminal to do so:

$ sudo dpkg-reconfigure --priority=low unattended-upgrades

After running the above command, a dialog will appear, asking whether you want to automatically download and install stable updates. Use the tab key to select the Yes option and press Enter.

The /etc/apt/apt.conf.d/20auto-upgrades file will be updated with the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Alternatively, you can enable unattended-upgrades manually. Edit the /etc/apt/apt.conf.d/20auto-upgrades file:

$ sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Then add the following lines in the file:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

In the above lines:

  • “Update-Package-Lists” allows us to automatically update the cached list of available packages. “1” means enable and perform the update every 1 day.
  • “Unattended-Upgrade” allows us to automatically upgrade (install the updates). “1” means enable and perform the unattended-upgrade every 1 day.

To view whether the Unattended-Upgrade service is enabled and running, you can issue the below command in Terminal:

$ sudo systemctl status unattended-upgrades.service

After performing the above steps, unattended-upgrades will be enabled on your system, and updates will be installed automatically at their scheduled time.

When the system performs the unattended-upgrade, it logs this activity in the files under the /var/log/unattended-upgrades/ directory. To view these log files, issue the below command in Terminal:

$ ls /var/log/unattended-upgrades/

It will list the log files, with the older log files compressed with the .gz extension.

You can view these log files using the cat command in Terminal like this:

$ cat /var/log/unattended-upgrades/unattended-upgrades.log

To view log files with the .gz extension, use the zcat command:

$ zcat /var/log/unattended-upgrades/unattended-upgrades.log.1.gz

Disable unattended-upgrades

To disable the unattended-upgrades, issue the below command in Terminal:

$ sudo dpkg-reconfigure --priority=low unattended-upgrades

A dialog will appear, asking whether you want to automatically download and install stable updates. Use the tab key to select the No option and press Enter.

The /etc/apt/apt.conf.d/20auto-upgrades file will be updated with the following content:

APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Unattended-Upgrade "0";

You can see that the “Update-Package-Lists” and “Unattended-Upgrade” values have changed to “0,” which indicates unattended upgrades are disabled. Now the system will not check for and install the updates automatically on your system.

If you want to check for the updates but do not want to install them, you can configure them as follows:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
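
The enabled, disabled and check-only configurations described above can be told apart directly from the file. The following shell script is an added example, not part of the original article: the function names, state labels and sample files are constructed for illustration. It goes slightly beyond the article by treating any non-zero interval as enabled and by flagging the case where upgrades are on but package lists are never refreshed.

```shell
#!/bin/sh
# Added example (not from the article): classify APT::Periodic settings.

# periodic_value FILE KEY: print the last plain-number value assigned to
# APT::Periodic::KEY. Strips // comments first, then splits on ';' so that
# two statements on one line are both seen.
periodic_value() {
    sed 's|//.*$||' "$1" | tr ';' '\n' |
        sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]][[:space:]]*\"\([0-9][0-9]*\)\".*/\1/p" |
        tail -n 1
}

# auto_upgrade_state FILE: print enabled, check-only, stale-lists or disabled.
# Assumption: a key missing from FILE counts as 0 (not set in another file).
auto_upgrade_state() {
    lists=$(periodic_value "$1" Update-Package-Lists)
    upgrade=$(periodic_value "$1" Unattended-Upgrade)
    if [ "${upgrade:-0}" -gt 0 ] && [ "${lists:-0}" -gt 0 ]; then
        echo enabled        # lists refreshed and upgrades installed
    elif [ "${upgrade:-0}" -gt 0 ]; then
        echo stale-lists    # upgrades run, but lists are never refreshed
    elif [ "${lists:-0}" -gt 0 ]; then
        echo check-only     # updates are checked for but not installed
    else
        echo disabled       # nothing is checked or installed automatically
    fi
}

# Constructed sample files mirroring the configurations in the article.
tmp=$(mktemp -d)
printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/on"
printf 'APT::Periodic::Update-Package-Lists "0";APT::Periodic::Unattended-Upgrade "0";\n' > "$tmp/off"
printf 'APT::Periodic::Update-Package-Lists "1";\n// APT::Periodic::Unattended-Upgrade "1";\n' > "$tmp/check"

for f in on off check; do
    printf '%s: %s\n' "$f" "$(auto_upgrade_state "$tmp/$f")"
done
```

On a real host, pass /etc/apt/apt.conf.d/20auto-upgrades as the argument. Because other files in /etc/apt/apt.conf.d can override these keys, compare the result with the merged view printed by apt-config dump.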

In this article, you have learned how to install, configure, and manage unattended-upgrades on a Debian 10 Buster system. The unattended-upgrades utility keeps your system current and secure by automatically installing the latest updates and security patches whenever they are available.

About the author

Karim Buzdar

Karim Buzdar holds a degree in telecommunication engineering and holds several sysadmin certifications. As an IT engineer and technical author, he writes for various web sites. You can reach Karim on LinkedIn.