How to Configure Automatic Updates on Debian and Ubuntu
Learn how to configure automatic updates on Debian and Ubuntu with clear, step-by-step guidance for Linux and DevOps beginners. Secure systems using apt, unattended-upgrades, and simple scheduling tips.
Introduction
Keeping Debian and Ubuntu systems up to date is essential for security and stability, but manually applying updates on many machines is time-consuming and error-prone. This guide shows practical, beginner-friendly steps to configure automatic updates, explain the main options, and help you test and monitor updates safely.
Why enable automatic updates?
Automatic updates reduce the window of exposure for known vulnerabilities and simplify maintenance for single servers or fleets. They’re particularly useful for security updates (e.g., CVEs), while you may want to be more selective with feature or major version upgrades.
Example: check which packages are currently upgradable
sudo apt update
apt list --upgradable
Notes and considerations:
- Automatic security updates are generally safe and recommended for most systems.
- On production servers, consider automatic security updates but review major or non-security upgrades manually.
- Use logging and monitoring to detect failed updates early.
Install and configure unattended-upgrades (recommended)
The unattended-upgrades package is the standard tool on Debian/Ubuntu for automatic installation of security updates and other packages. It’s lightweight and well-documented.
Test a dry run:
sudo unattended-upgrade --dry-run --debug
Configure the frequency with /etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Values are in days; "1" runs daily.
Control the automatic actions in the same file:
// Enable automatic reboots if needed (see next section)
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Mail "root@example.com";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Configure which releases and origins to allow automatic upgrades. Edit /etc/apt/apt.conf.d/50unattended-upgrades and set allowed origins (example):
Unattended-Upgrade::Allowed-Origins {
"Debian stable";
"Debian-security stable/updates";
"Ubuntu stable";
"Ubuntu-security xenial-security";
};
Enable automatic upgrades (Debian/Ubuntu friendly method):
sudo dpkg-reconfigure --priority=low unattended-upgrades
Install the package:
sudo apt update
sudo apt install unattended-upgrades apt-listchanges
Tips:
- Use the Mail setting to get email notifications when upgrades occur.
- apt-listchanges can be used to email changelogs for upgraded packages.
Alternatives: apticron and cron-apt
If you prefer notifications without automatic installation, or need a different workflow, consider apticron or cron-apt.
cron-apt: runs apt-get on a schedule and can be configured to install or only download updates.
sudo apt install cron-apt
# Default configuration: /etc/cron-apt/config
# Example command to download only:
sudo cron-apt --download
apticron: sends email notifications listing available package upgrades.
sudo apt install apticron
# Configure /etc/apticron/apticron.conf with your email:
# EMAIL="admin@example.com"
Compare behaviors:
- unattended-upgrades: installs automatically (good for security updates).
- apticron: only notifies (good for controlled environments).
- cron-apt: flexible scriptable approach (good if you want custom hooks).
Example: simulate apticron email run (no email delivered in dry-run):
sudo apticron
Kernel updates, automatic reboots, and safety
Kernel and libc updates typically require a reboot. unattended-upgrades can automatically reboot a machine after installing such updates, but do this carefully on production servers.
Enable automatic reboot in /etc/apt/apt.conf.d/50unattended-upgrades:
// Reboot automatically if required after the upgrade
Unattended-Upgrade::Automatic-Reboot "true";
// Reboot at a specific time (24-hour)
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
If you prefer to avoid automatic reboots but still apply kernel updates, use livepatch solutions (Ubuntu Livepatch service) or schedule maintenance windows. Example: check if a reboot is required:
if [ -f /var/run/reboot-required ]; then echo "Reboot required"; else echo "No reboot required"; fi
Use systemd to delay reboots or notify admins:
# Example: run a script before reboot to notify via alert
cat <<'EOF' >/usr/local/sbin/pre-reboot-notify.sh
#!/bin/sh
logger "Automatic reboot scheduled due to package upgrades"
# Add email or webhook calls here
EOF
chmod +x /usr/local/sbin/pre-reboot-notify.sh
# Call this script using Unattended-Upgrade::Exec
Safety checklist:
- Enable automatic reboot only if you have redundancy or maintenance windows.
- Configure maintenance-mode hooks to cordon nodes in clusters (Kubernetes, etc.) before rebooting.
Commands table
Below is a handy table of common commands and what they do. Use these to inspect, test, and control automatic updates.
| Command | Purpose |
|---|---|
| sudo apt update | Refresh package lists (required before checking upgrades) |
| apt list --upgradable | List packages available for upgrade |
| sudo apt install unattended-upgrades | Install the automatic-upgrade engine |
| sudo dpkg-reconfigure unattended-upgrades | Turn unattended-upgrades on/off interactively |
| sudo unattended-upgrade --dry-run --debug | Simulate an unattended upgrade with debugging |
| sudo apt-mark hold |
Prevent a package from being upgraded |
| tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log | View recent unattended-upgrades activity |
| cat /var/run/reboot-required | Quick check if a reboot is required |
Example: prevent upgrading a specific package (hold)
sudo apt-mark hold mysql-server
# To unhold:
sudo apt-mark unhold mysql-server
Example: view logs of automatic-upgrades
sudo tail -n 100 /var/log/unattended-upgrades/unattended-upgrades.log
Common Pitfalls
- Forgetting to enable Periodic updates: unattended-upgrades won’t run unless APT::Periodic settings are configured.
- Not accounting for reboots: kernel upgrades may leave systems requiring a reboot, causing services to run vulnerable code until the system restarts.
- Unintended package holds or pinning blocking updates: apt-mark holds or apt pinning can prevent security updates.
List holds:
apt-mark showhold
Check for reboot requirement:
[ -f /var/run/reboot-required ] && echo "Reboot required"
Check with:
grep -E 'Periodic' /etc/apt/apt.conf.d/* || echo "No periodic settings found"
Next Steps
- Apply a staged rollout: test automatic updates on a staging server before enabling across production.
- Consider high-availability strategies: use redundancy or orchestration (load balancers, Kubernetes, failover) to tolerate reboots or failures during updates.
Monitor updates and logs regularly: set up alerts for failed unattended-upgrades and review /var/log/unattended-upgrades/.
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
This tutorial covered the practical steps to enable and manage automatic updates on Debian and Ubuntu, including configuration, alternatives, kernel reboot handling, useful commands, and common pitfalls. With careful configuration, automatic updates can greatly reduce security risk while keeping administrative overhead low.
👉 Explore more IT books and guides at dargslan.com.
