Automating Security Updates on Ubuntu Servers

Most of the time our Ubuntu servers don’t have a GUI. How do you enable automated updates?

It’s pretty easy.

How To Do It

1. Install the package ‘unattended-upgrades’ – e.g.

aptitude install unattended-upgrades

2. Configure 50unattended-upgrades by opening the configuration file – e.g.

vi /etc/apt/apt.conf.d/50unattended-upgrades

Uncomment the *-security and *-updates lines in the Allowed-Origins section (they should be around the third or fourth line of the file) – e.g.

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};

3. Configure 10periodic by opening the configuration file – e.g.

vi /etc/apt/apt.conf.d/10periodic

Set ‘APT::Periodic::Download-Upgradeable-Packages’ to ‘1’ (true), and add the following line at the end of the file:

APT::Periodic::Unattended-Upgrade "1";

If things are not working as expected, the logs can be found in /var/log/unattended-upgrades.
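The three steps above, applied as one idempotent shell script, as an added example that is not part of the original post. It works on whatever directory APT_CONF_DIR points at; by default that is a constructed temporary copy of the two files (seeded with the stock layout, where the -security and -updates lines are still commented out), so the script can be run offline and its verification helpers checked before pointing it at /etc/apt/apt.conf.d on a real host. The function names and the sample file contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): apply the three steps above
# idempotently and verify the result. APT_CONF_DIR defaults to a constructed
# temporary copy so the script runs offline; set it to /etc/apt/apt.conf.d
# (as root) to act on a real host.
set -eu

APT_CONF_DIR="${APT_CONF_DIR:-$(mktemp -d)}"
UU_FILE="$APT_CONF_DIR/50unattended-upgrades"
PERIODIC_FILE="$APT_CONF_DIR/10periodic"

# Constructed sample files mirroring the stock layout, with every origin commented out.
seed_sample_config() {
    cat > "$UU_FILE" <<'EOF'
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
//  "${distro_id}:${distro_codename}-security";
//  "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
//  "${distro_id}:${distro_codename}-backports";
};
EOF
    cat > "$PERIODIC_FILE" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
EOF
}

# Step 2: uncomment one Allowed-Origins line ($1 = archive suffix, e.g. security).
# Only that line is touched, so -proposed and -backports stay commented out.
enable_origin() {
    sed "s|^//[[:space:]]*\(\"\${distro_id}:\${distro_codename}-$1\";\)|  \1|" "$UU_FILE" \
        > "$UU_FILE.tmp" && mv "$UU_FILE.tmp" "$UU_FILE"
}

# Step 3: set an APT::Periodic key ($1) to a value ($2), replacing an existing
# line when there is one and appending a new line otherwise.
set_periodic() {
    if grep -q "^APT::Periodic::$1 " "$PERIODIC_FILE"; then
        sed "s|^APT::Periodic::$1 .*|APT::Periodic::$1 \"$2\";|" "$PERIODIC_FILE" \
            > "$PERIODIC_FILE.tmp" && mv "$PERIODIC_FILE.tmp" "$PERIODIC_FILE"
    else
        printf 'APT::Periodic::%s "%s";\n' "$1" "$2" >> "$PERIODIC_FILE"
    fi
}

# Verification: exit 0 when the origin line is active (not commented out).
origin_enabled() {
    grep -q "^[[:space:]]*\"\${distro_id}:\${distro_codename}-$1\";" "$UU_FILE"
}

# Verification: print the configured value of an APT::Periodic key, or nothing.
periodic_value() {
    sed -n "s|^APT::Periodic::$1 \"\([^\"]*\)\";|\1|p" "$PERIODIC_FILE"
}

configure() {
    enable_origin security
    enable_origin updates
    set_periodic Download-Upgradeable-Packages 1
    set_periodic Unattended-Upgrade 1
}

report() {
    for o in security updates proposed backports; do
        if origin_enabled "$o"; then echo "origin -$o: enabled"; else echo "origin -$o: disabled"; fi
    done
    for k in Update-Package-Lists Download-Upgradeable-Packages Unattended-Upgrade; do
        echo "APT::Periodic::$k = $(periodic_value "$k")"
    done
}

seed_sample_config
configure
report
```

Running the script a second time against the same directory changes nothing, which is the property you want from anything that edits files under /etc. The temporary directory is left in place so the resulting files can be inspected.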

FAQ

When will it apply updates?

Whenever cron.daily runs (see /etc/crontab). Usually at about 6:30 AM system time.

Do you want to get notified when things are updated?

In the 50unattended-upgrades file uncomment the following line:

Unattended-Upgrade::Mail "root@localhost";

Do you want to only get notified when there is an error?

In the 50unattended-upgrades file uncomment the following line:

Unattended-Upgrade::MailOnlyOnError "true";

What about updates that require rebooting?

Some updates, such as kernel updates, require a reboot. Automatic reboots are disabled by default, so if you have email notifications on you’ll see the pending reboot mentioned there. There is also an automatic reboot option in 50unattended-upgrades, commented out by default for obvious reasons, that you can explore.
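A small audit of the three FAQ settings (Mail, MailOnlyOnError and Automatic-Reboot), as an added example that is not part of the original post. It reads whichever 50unattended-upgrades file UU_FILE points at, ignores commented-out lines, and summarises whether you will be mailed and whether the host may reboot on its own. By default UU_FILE is a constructed sample with only the Mail line uncommented; the function names and the sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): audit the notification and reboot
# settings in 50unattended-upgrades. UU_FILE defaults to a constructed sample so
# the script runs offline; set it to /etc/apt/apt.conf.d/50unattended-upgrades
# to audit a real host.
set -eu

UU_FILE="${UU_FILE:-$(mktemp)}"

# Constructed sample: mail enabled, error-only mail and auto-reboot still commented out.
cat > "$UU_FILE" <<'EOF'
Unattended-Upgrade::Mail "root@localhost";
//Unattended-Upgrade::MailOnlyOnError "true";
//Unattended-Upgrade::Automatic-Reboot "false";
EOF

# Print the value of an active (uncommented) Unattended-Upgrade::KEY line.
# A line that starts with // is a comment and does not count; "unset" otherwise.
uu_setting() {
    v=$(sed -n "s|^[[:space:]]*Unattended-Upgrade::$1[[:space:]]*\"\([^\"]*\)\";.*|\1|p" "$UU_FILE" | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Who gets mail, and when: "none", "errors only to ADDR" or "every run to ADDR".
mail_mode() {
    addr=$(uu_setting Mail)
    if [ "$addr" = "unset" ]; then
        echo "none"
    elif [ "$(uu_setting MailOnlyOnError)" = "true" ]; then
        echo "errors only to $addr"
    else
        echo "every run to $addr"
    fi
}

# Will the host reboot by itself after a kernel update: "on" or "off".
reboot_mode() {
    if [ "$(uu_setting Automatic-Reboot)" = "true" ]; then echo "on"; else echo "off"; fi
}

echo "mail:   $(mail_mode)"
echo "reboot: $(reboot_mode)"
```

On a real host, `apt-config dump | grep Unattended-Upgrade` shows the merged values APT actually uses across all files in apt.conf.d, which is the final word if several files set the same key.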

Isn’t It Risky to Automate Updates?

It is up to you to decide whether automatic updates are acceptable in your situation. I find that I have a mixture of hosts: some where automated updates are a definite no-no and others where the modest risk introduced by allowing automated security updates is far preferable to waiting for manual patching.

In general, I use this a lot with standalone hosts that do special purpose things behind the scenes, but rarely with production web applications.
