Managing servers and computers running Debian requires constant maintenance to ensure their security and stability. One of the key aspects of this maintenance is updating packages and applying security patches. However, performing these updates manually is tedious and easy to forget. To address this problem, Debian offers the unattended-upgrades tool, which allows this process to be automated.
In this guide, we will explore in depth how to configure and manage unattended upgrades in Debian. You will learn how to install the appropriate package, configure it to your needs, and monitor its operation to ensure everything is working properly.
What is unattended-upgrades and what is it used for?
unattended-upgrades (unattended upgrades) is a package designed to apply security updates and other package updates automatically in Debian and its derivatives, such as Ubuntu, which has had it enabled by default for some releases now. Its goal is to reduce the need for manual intervention in system administration by facilitating the automatic installation of important updates.
This tool is especially useful on servers that must always remain up to date without manual intervention, minimizing vulnerabilities and ensuring a stable environment. Furthermore, the use of automatic updates is gaining popularity in various distributions such as Tails and Pop!_OS, which also implement similar solutions to keep the system secure.
Installing unattended-upgrades
To install unattended-upgrades, simply run the following command in the terminal:
sudo apt install unattended-upgrades
Once installed, it is recommended to run its initial setup with:
sudo dpkg-reconfigure -plow unattended-upgrades
This will open an interactive wizard where you can enable automatic updates.
NOTE: In more recent versions of Debian the service may already be installed and working.
Setting up unattended-upgrades
The behavior of unattended upgrades is defined in the configuration file /etc/apt/apt.conf.d/50unattended-upgrades. Here you can specify which repositories and types of updates you want to apply automatically.
Allow updates from certain sources
Inside the configuration file, you will find a section called Unattended-Upgrade::Allowed-Origins. By default, this list includes only the security updates:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
If you want to include other updates, such as general system updates, you can add the following lines:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-updates";
};
Exclude packages from automatic updates
If there are certain packages you don't want to update automatically, you can add them to the blacklist. Within the same configuration file, look for the section Unattended-Upgrade::Package-Blacklist and add the packages you want to exclude:
Unattended-Upgrade::Package-Blacklist {
    "linux-image";
    "apache2";
};
Set up email notifications
If you want to receive notifications when updates are applied, you can enable this option in the settings (the address below is a placeholder; use your own):
Unattended-Upgrade::Mail "admin@example.com";
You can also choose to receive notifications only in case of errors:
Unattended-Upgrade::MailOnlyOnError "true";
Frequency and scheduling of updates
To define how often automatic updates run, edit the file /etc/apt/apt.conf.d/20auto-upgrades and make sure it contains the following:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
This file defines that:
- Package lists are refreshed daily (1).
- Unattended upgrades are performed daily.
- Upgradeable packages are downloaded daily.
- Downloaded package files are cleaned up every seven days.
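A typo in a file name or a later file in /etc/apt/apt.conf.d/ can silently override these values, so it is worth checking what APT actually ends up with. The following is an added example, not part of the original guide: the function name audit_auto_upgrades and the sample dump are constructed for illustration, and the check also accepts Unattended-Upgrade::Origins-Pattern, the list Debian's packaged configuration uses alongside Allowed-Origins.

```sh
#!/bin/sh
# Added example: audit the effective settings from `apt-config dump` output.
# The dump is read on stdin, so on a real host run:
#   apt-config dump | audit_auto_upgrades

# Constructed sample of `apt-config dump` output for an offline run.
SAMPLE_DUMP='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";'

audit_auto_upgrades() {
    dump=$(cat)
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        # Scalars are dumped as: APT::Periodic::<key> "<value>";
        val=$(printf '%s\n' "$dump" |
            sed -n "s/^APT::Periodic::${key} \"\(.*\)\";\$/\1/p" | tail -n 1)
        case "$val" in
            '' | 0) echo "FAIL APT::Periodic::${key} is '${val:-unset}'"; rc=1 ;;
            *) echo "OK   APT::Periodic::${key} = ${val}" ;;
        esac
    done
    # List entries are dumped as: <Name>:: "<entry>";
    if printf '%s\n' "$dump" |
        grep -Eq '^Unattended-Upgrade::(Allowed-Origins|Origins-Pattern):: ".*[Ss]ecurity'; then
        echo "OK   a security origin is allowed"
    else
        echo "FAIL no security origin in Allowed-Origins/Origins-Pattern"
        rc=1
    fi
    return "$rc"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | audit_auto_upgrades
```

The function returns non-zero when any check fails, so it can be dropped into a cron job or a configuration-management compliance run.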
Monitoring and verifying updates
To make sure that unattended-upgrades is working properly, you can check the logs stored in /var/log/unattended-upgrades/. To inspect the most recent log, use:
less /var/log/unattended-upgrades/unattended-upgrades.log
You can also manually run an update simulation with:
sudo unattended-upgrade --dry-run -d
It is important to keep a regular track of the logs to detect any anomalies.
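Reading the log by hand does not scale beyond a few machines. The script below is an added example, not part of the original guide: it flags ERROR and WARNING lines and detects a log in which no run has started since a given date. The function name check_uu_log and the sample lines are constructed, and the line layout (date, time, level, message) is an assumption about the log format.

```sh
#!/bin/sh
# Added example: scan unattended-upgrades.log for anomalies.
# Usage on a real host (GNU date computes the cutoff):
#   check_uu_log "$(date -d '2 days ago' +%F)" \
#       < /var/log/unattended-upgrades/unattended-upgrades.log

# Constructed sample lines, assumed layout:
#   YYYY-MM-DD HH:MM:SS,mmm LEVEL message
SAMPLE_LOG='2024-05-01 06:25:12,345 INFO Starting unattended upgrades script
2024-05-01 06:25:20,123 INFO Packages that will be upgraded: libssl3 openssl
2024-05-01 06:25:45,678 INFO All upgrades installed
2024-05-02 06:31:02,004 INFO Starting unattended upgrades script
2024-05-02 06:31:09,511 ERROR Lock could not be acquired (another package manager running?)'

# check_uu_log CUTOFF
#   Reads the log on stdin. CUTOFF is a YYYY-MM-DD date; a log whose last
#   run started before it is reported as stale. Returns 1 on any ERROR
#   line or a stale log, 0 otherwise.
check_uu_log() {
    awk -v cutoff="$1" '
        $3 == "ERROR" || $3 == "WARNING" { n[$3]++; print "ANOMALY " $0 }
        / Starting unattended upgrades script/ { last = $1 }
        END {
            printf "last_run=%s errors=%d warnings=%d\n",
                (last == "" ? "never" : last), n["ERROR"], n["WARNING"]
            # ISO dates sort lexically, so a string comparison is enough.
            stale = (last == "" || (last "") < (cutoff ""))
            if (stale) print "ANOMALY no run started since " cutoff
            exit ((n["ERROR"] > 0 || stale) ? 1 : 0)
        }'
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | check_uu_log 2024-05-02 ||
    echo "unattended-upgrades needs attention"
```

A stale log is as important a signal as an error line: it usually means the periodic job is disabled or never ran.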
Disabling unattended-upgrades
If you decide to disable unattended updates, you can do so by editing the file /etc/apt/apt.conf.d/20auto-upgrades and setting the value to 0:
APT::Periodic::Unattended-Upgrade "0";
You can also uninstall the package with:
sudo apt remove unattended-upgrades
Setting up automatic updates in Debian using unattended-upgrades is a great way to keep your systems up to date without manual intervention. With the right configurations, you can ensure that only the necessary updates are installed, minimizing risks and ensuring system stability.