allrounder55
Guest
Hello, I thought I'd share this as it's a great help. If you follow the steps it is very straightforward. I was fed up with manually updating my server, especially when you log in to your server via SSH and you're greeted with, e.g., "8 security updates are available".
This will automatically update your server, and you can reboot at a more convenient time of your choice.
First log in to your server via SSH with root access:
Step 1: package installation
Install the unattended-upgrades package:
sudo apt install unattended-upgrades
or if you have root, type:
apt install unattended-upgrades
This package may already be installed on your server.
Step 2: configure automatic updates
Edit the configuration file (I personally use nano, or you may use another text editor, e.g. vim):
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
or if you have root:
nano /etc/apt/apt.conf.d/50unattended-upgrades
The beginning of the configuration file should look like this:
// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
>> "${distro_id}:${distro_codename}-updates"; <<
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
// List of packages to not update (regexp are supported)
Anything after a double slash “//” is a comment and has no effect. To “enable” a line, remove the double slash at the beginning of the line (replace with nothing or with spaces to keep alignment). I've added 2 << >> to pinpoint it for you.
Just to remind you: uncomment the “updates” line by deleting the two slashes at the beginning of it:
"${distro_id}:${distro_codename}-updates";
These next steps are optional:
You should uncomment and adapt the following lines to ensure you’ll be notified if an error happens:
Unattended-Upgrade::Mail "[email protected]";
Unattended-Upgrade::MailOnlyOnError "true";
Next is recommended:
Remove unused kernel packages and dependencies, and make sure the system automatically reboots if needed, by uncommenting and adapting the following lines:
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
↑ You may have to add a semicolon at the end of this line. ↑
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:38";
The reboot time can be set to any time you like.
To save your changes in nano, use Ctrl + O followed by Enter. To quit, use Ctrl + X.
Step 3: enable automatic updates
Enable automatic updates and set up update intervals by running:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
In most cases, the file will be empty. Copy and paste the following lines:
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
The time interval is specified in days; feel free to change the values. Save changes and exit.
Step 4: check to see if it works
You can see if the auto-upgrades work by launching a dry run:
sudo unattended-upgrades --dry-run --debug
or if you have root:
unattended-upgrades --dry-run --debug
The dry run should output something like this:
root@Ubuntu-1804-bionic-64-minimal ~ # unattended-upgrades --dry-run --debug
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=bionic, o=Ubuntu,a=bionic-security, o=UbuntuESM,a=bionic, o=Ubuntu,a=bionic-updates
Using (^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*|^linux-image-[0-9]+\.[0-9\.]+-.*|^linux-headers-[0-9]+\.[0-9\.]+-.*|^linux-image-extra-[0-9]+\.[0-9\.]+-.*|^linux-modules-[0-9]+\.[0-9\.]+-.*|^linux-modules-extra-[0-9]+\.[0-9\.]+-.*|^linux-signed-image-[0-9]+\.[0-9\.]+-.*|^linux-image-unsigned-[0-9]+\.[0-9\.]+-.*|^kfreebsd-image-[0-9]+\.[0-9\.]+-.*|^kfreebsd-headers-[0-9]+\.[0-9\.]+-.*|^gnumach-image-[0-9]+\.[0-9\.]+-.*|^.*-modules-[0-9]+\.[0-9\.]+-.*|^.*-kernel-[0-9]+\.[0-9\.]+-.*|^linux-backports-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-modules-.*-[0-9]+\.[0-9\.]+-.*|^linux-tools-[0-9]+\.[0-9\.]+-.*|^linux-cloud-tools-[0-9]+\.[0-9\.]+-.*|^linux-buildinfo-[0-9]+\.[0-9\.]+-.*|^linux-source-[0-9]+\.[0-9\.]+-.*) regexp to find kernel packages
Using (^l etc etc etc etc etc
Another way to check if automatic updates work is waiting a few days and checking the unattended upgrades logs:
cat /var/log/unattended-upgrades/unattended-upgrades.log
Done! Ubuntu Server 18.04 should now update itself according to the dates and times you set.
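As an added example that is not part of the original post: a small offline audit of the two files edited in Steps 2 and 3, which flags an origin line that is still commented out and APT::Periodic keys that are missing, set to "0", or written with spaces between the colons. The function names and the sample files are constructed for illustration; on a real server, pass the two paths under /etc/apt/apt.conf.d/ to `audit`.

```shell
#!/bin/sh
# Added example (not from the original post): offline audit of the two
# apt.conf.d files from Steps 2 and 3. Function names are hypothetical.

# Print KEY's value only if it sits on an uncommented line ending in ";".
active_value() {  # usage: active_value FILE KEY
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v"
}

# True if the "${distro_id}:${distro_codename}SUFFIX" origin line is uncommented.
origin_allowed() {  # usage: origin_allowed FILE SUFFIX
    grep -Eq '^[[:space:]]*"[$][{]distro_id[}]:[$][{]distro_codename[}]'"$2"'";' "$1"
}

# Report each setting; exit status is the number of settings not in effect.
audit() {  # usage: audit 50unattended-upgrades 20auto-upgrades
    fail=0
    for s in -security -updates; do
        origin_allowed "$1" "$s" || { echo "not active: origin $s"; fail=$((fail + 1)); }
    done
    for k in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        val=$(active_value "$2" "$k") || val=0
        [ "$val" != 0 ] || { echo "not active: $k"; fail=$((fail + 1)); }
    done
    return "$fail"
}

# Constructed sample files: a correct pair and a pair with typical slips.
make_samples() {  # usage: make_samples DIR
    cat > "$1/50-good" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
};
EOF
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$1/20-good"
    sed 's|^\( *\)\(".*-updates";\)|\1// \2|' "$1/50-good" > "$1/50-bad"  # still commented
    sed 's/::/: : /g' "$1/20-good" > "$1/20-bad"                          # spaced colons
}

d=$(mktemp -d)
make_samples "$d"
audit "$d/50-good" "$d/20-good" && echo "good pair: all settings active"
audit "$d/50-bad" "$d/20-bad" || echo "bad pair: $? setting(s) not active"
rm -rf "$d"
```

On a live host, `apt-config dump` prints the merged configuration that APT actually parsed, which is the authoritative cross-check for what this script infers from the files.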