How to Configure Unattended Upgrades on Debian 12/11/10 Linux

Debian stands out for its robustness and comprehensive software library in Linux-based operating systems. For users seeking to configure unattended upgrades on Debian 12 Bookworm or the older stable releases of Debian 11 Bullseye or Debian 10 Buster, the Unattended Upgrades Package offers a streamlined solution. This utility simplifies maintaining an updated and secure system by automating the update process.

Key Advantages of the Unattended Upgrades Package:

Seamless Automation: The package is designed to automatically fetch and install security and software updates, eliminating the need for manual oversight.
Enhanced Security: The package fortifies the system against potential threats and vulnerabilities by ensuring timely installation of the latest security patches.
Tailored Updates: Users can specify which packages to update and which ones to exclude, allowing for a customized update experience.
Transparency: All update activities are meticulously logged, and users receive notifications post-installation, ensuring they are always in the loop regarding system changes.

Harnessing the capabilities of the Unattended Upgrades Package ensures that Debian systems remain secure and up-to-date, optimizing performance and reliability.

Install Unattended Upgrades Package

Step 1: Update Debian System Packages

Before installing and setting up the Unattended Upgrades Package, update your Debian system to prevent conflicts. To update your Debian system, open the terminal and enter the following command:

sudo apt update && sudo apt upgrade

This command will update all the installed packages and their dependencies to the latest versions. Depending on the number of updates available for your system, it may take some time.

Step 2: Install Unattended Upgrades Package

To install the Unattended Upgrades Package on your Debian system, you will need to open the terminal and enter the following command:

sudo apt install unattended-upgrades

This command will install the package and all its dependencies on your system.

Note: The package should already be installed by default, but if you have removed it, you can use the above command to reinstall it.

Step 3: Install Additional Packages for Unattended Upgrades

If you aim for your Debian system to restart automatically after upgrades that need a system restart, you must install the apt-config-auto-update package. Execute the command below to install it:

sudo apt install apt-config-auto-update

Laptop users should install the powermgmt-base package to leverage unattended options related to battery settings. To get this package, launch the terminal and type in the subsequent command:

sudo apt install powermgmt-base

After installing the package, configure it to fit your preferences. For instance, you might decide which updates to apply automatically, which ones to bypass, and the timing for the installations. Keep in mind that the Unattended Upgrades Package demands root access. Therefore, always prefix the commands highlighted in this guide with sudo.

Step 4: Verify Unattended Upgrades Installation

We recommend you verify the Unattended Upgrades Package to ensure it works correctly. Open the terminal and enter the following command:

sudo unattended-upgrades --dry-run --debug

It would be best to familiarize yourself with the systemctl commands for Unattended Upgrades. This is crucial because you might need to check the status after making changes or restarting.

To check the status of Unattended Upgrades, enter this command:

systemctl status unattended-upgrades

Step 5: Understanding Unattended Upgrades Systemd Commands

The following systemctl commands will allow you to start, stop, enable on boot, disable on boot, or restart the Unattended Upgrades service:

Start the unattended services:

sudo systemctl start unattended-upgrades

Stop the unattended services:

sudo systemctl stop unattended-upgrades

Enable on boot the unattended services:

sudo systemctl enabe unattended-upgrades

Disable on boot the unattended services:

sudo systemctl disable unattended-upgrades

Restart the unattended services:

sudo systemctl restart unattended-upgrades

Configure Unattended Upgrades

In this section, we’ll walk you through configuring the Unattended Upgrades package settings in the configuration file using terminal commands. Remember that you can customize these settings based on your needs. We’ll dive deep into each set to ensure you grasp its purpose and functionality, helping you make knowledgeable adjustments to the Unattended Upgrades package on your Debian system.

Step 1: Understanding CLI Options for Unattended Upgrades

Before we tackle the configuration file, let’s review and explain all CLI options available for the Unattended Upgrades package:

Option	Description
-h, –help	Displays the help message and exits
-d, –debug	Enables debug messages
–apt-debug	Makes `apt/libapt` print verbose debug messages
-v, –verbose	Enables info messages
–dry-run	Simulates upgrade process and downloads but does not install
–download-only	Only downloads upgrades; do not attempt to install them
–minimal-upgrade-steps	Upgrades packages in minimal steps (and allows interruption with SIGTERM) – this is the default behavior
–no-minimal-upgrade-steps	Upgrades all packages together instead of in smaller sets

When you run the unattended-upgrades command in the terminal, these options play a crucial role. You have the flexibility to control the automatic upgrade process using various options. For instance, you can use the –dry-run option to test the upgrade process without making real-time system changes. Similarly, the –download-only option allows you to download the upgrades without installing them.

By default, Unattended Upgrades uses the –minimal-upgrade-steps option. On the other hand, the –no-minimal-upgrade-steps option upgrades all packages at once rather than in smaller batches. Comprehending these options as you configure Unattended Upgrades is essential to ensure the process aligns with your preferences and needs.

Step 2: Setup Unattended Upgrades Configuration File

We recommend modifying the configuration file with a text editor with root privileges, like nano. Open the configuration file in the nano editor with the command:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Once opened, you can modify various options as per your requirements. It is essential to remove any comments (lines beginning with "//" or "#") in the file to activate the options.

After making any changes to the configuration file, it is essential to run the following command to apply the changes:

sudo unattended-upgrades --dry-run --debug

This command will simulate an upgrade run and display any errors or warnings that may occur due to the changes you made to the configuration file. If everything looks good, you can then run the command below to perform the actual upgrade:

sudo unattended-upgrades

There are several options that you can modify in the configuration file. Here are some examples:

Allowed Origins

By default, the Unattended Upgrades package only allows updates from the security and update repositories. You can add other repositories by uncommenting this option in the configuration file and specifying the desired sources. An example is provided below.

Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}";
      "${distro_id}:${distro_codename}-security";
      "${distro_id}:${distro_codename}-updates";
      "${distro_id}:${distro_codename}-proposed";
      "${distro_id}:${distro_codename}-backports";
};

Package Blacklist

This setting allows you to automatically select packages you do not want to update. To do this, remove the comment from this option and add the names of the packages you want to exclude, as illustrated in the example below:

Unattended-Upgrade::Package-Blacklist {
      "my-package";
      "my-other-package";
};

AutoFixInterruptedDpkg

This setting determines if the system should automatically fix interrupted “dpkg” installations. To activate automatic fixing, change the value to “true,” as demonstrated in the example below:

Unattended-Upgrade::AutoFixInterruptedDpkg "true";

DevRelease “auto”

Use this option to determine if the system should automatically upgrade to the development release. By default, the system doesn’t activate this option. To trigger automatic upgrades to the development release, change the value to “auto,” as shown in the example below:

Unattended-Upgrade::DevRelease "auto";

MinimalSteps “true”

This option allows you to choose whether to execute upgrades in minimal steps. The system enables this option by default. If you want to turn off minimal steps and carry out upgrades in one go, change the value to “false”, as demonstrated in the example below:

Unattended-Upgrade::MinimalSteps "false";

InstallOnShutdown “false”

This option decides if the system should install upgrades during its shutdown. The system disables this option by default. To activate installation on shutdown, change the value to “true”, as shown in the example below:

Unattended-Upgrade::InstallOnShutdown "true";

Mail

Use this option to designate the email address for receiving notifications. By default, the system doesn’t send out notifications. To assign a specific email address, input it as a string value, like in the example below:

Unattended-Upgrade::Mail "example@mail.com";

MailReport “on-change”

This option sets the timing for email notifications. By default, the system sends notifications only when detecting a change. If you want to receive notifications every time, change the value to “on-start”, as demonstrated in the example below:

Unattended-Upgrade::MailReport "on-start";

Remove-Unused-Kernel-Packages

This option decides if the system should remove kernel packages that are no longer in use after an upgrade. By default, the system enables this option. If you want to stop the system from removing unused kernel packages, set the value to “false”, as demonstrated in the example below:

Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";

Remove-New-Unused-Dependencies

This option lets you remove newly introduced dependencies that package upgrades have made obsolete. By default, the system enables this option, ensuring it deletes any new dependencies it no longer requires.

Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

If you want to keep the new dependencies, set the value to “false” to deactivate this option. However, remember that deactivating can result in a buildup of unused dependencies on your system, consuming considerable disk space.

Remove-Unused-Dependencies

This option lets you remove unused dependencies after an upgrade. By default, the system doesn’t enable this option. To use this option and eliminate unused dependencies, change the value to “true” as illustrated in the example below:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Automatic-Reboot

Use this option to decide if the system should reboot automatically after an upgrade. The system doesn’t enable this option by default. To activate automatic reboot, change the value to “true”, as shown in the example below:

Unattended-Upgrade::Automatic-Reboot "true";

Automatic-Reboot-WithUsers

Use this option to decide if the system should reboot automatically when users are logged in after an upgrade. The system enables this option by default. To turn off the automatic reboot, change the value to “false”, as demonstrated below:

Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Automatic-Reboot-Time

This option sets the time the system will reboot automatically after an upgrade. The system defaults to a reboot time of “02:00”. To adjust the reboot time, modify the value as demonstrated in the example below:

Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Acquire::http::Dl-Limit

Use this option to specify the maximum download speed for package downloads in kilobytes per second. By default, the system doesn’t enable this option. To set a download speed limit, adjust the value to your preferred speed in kilobytes per second, as demonstrated in the example below:

Acquire::http::Dl-Limit "100";

SyslogEnable

Use this option to determine if the system should log upgrade events to the system log. By default, the system enables this option. To turn off logging, change the value to “false” as shown in the example below:

Unattended-Upgrade::SyslogEnable "false";

SyslogFacility

Use this option to determine which facility logs upgrade events. The system logs events to the “daemon” facility by default. To alter the facility, adjust the value as illustrated in the example below:

Unattended-Upgrade::SyslogFacility "local7";

OnlyOnACPower

Use this option to determine if upgrades should occur only when the system connects to AC power. The system doesn’t activate this option by default. To allow upgrades solely on AC power, set the value to “true”, as shown in the example below:

Unattended-Upgrade::SyslogFacility "local7";

Skip-Updates-On-Metered-Connections

This option decides if the system should skip updates when connected to a metered connection. By default, the system enables this option, preventing updates from downloading on metered connections.

To allow updates on metered connections, change the value to “false” as demonstrated in the example below:

Unattended-Upgrade::Skip-Updates-On-Metered-Connections "false";

Verbose

Use this option if you want to display detailed upgrade information. The system disables this option by default. To see a verbose output, change the value to “true”, as demonstrated in the example below:

Unattended-Upgrade::Verbose "true";

Debug

Use this option to decide if you want the system to display debug information during upgrades. By default, the system doesn’t activate this option. To turn on debug output, change the value to “true”, as shown in the example below:

Unattended-Upgrade::Debug "true";

Allow-downgrade

Use this option to decide if the system should allow package downgrades during upgrades. The system disables this option by default. To allow downgrades, change the value to “true”, as demonstrated in the example below:

Unattended-Upgrade::Allow-downgrade "true";

Please remember that enabling downgrades can be risky and cause system instability or expose security vulnerabilities. It is advised only to use this option when needed and to assess potential risks thoroughly.

Schedule Automatic Upgrades with a Cron Job

To schedule automatic unattended upgrades on your Debian system, you can use a cron job. Cron is a time-based job scheduler in Linux that allows you to run commands or scripts automatically at specified times or intervals.

To create a cron job for unattended upgrades, follow the steps below.

Open the crontab configuration file by running the following command:

sudo crontab -e

Once the file is open, add the following line at the bottom:

0 0 * * * /usr/bin/unattended-upgrade -d

After adding the above line, the unattended-upgrade command will run daily at midnight (0 0 * * *). To save and exit the file, press “Ctrl+X”, then “Y”, and then “Enter”.

It is crucial to schedule automatic upgrades when your system is not in use since upgrades may require a reboot or cause applications to restart.

Audit Unattended Upgrade Logs

The Unattended-Upgrades package by default logs all upgrade activities to the syslog facility. These logs are in the /var/log/syslog file and other system logs.

To view the logs of Unattended-Upgrades, you can use the following command:

sudo grep unattended-upgrades /var/log/syslog

To display the last 50 entries in the syslog file related to Unattended-Upgrades, you can use the following command:

sudo tail -n 50 /var/log/syslog | grep unattended-upgrades

You can filter the logs using various grep options based on specific criteria. For instance, to filter the logs by date and time, you can use the following command:

sudo grep "unattended-upgrades.*YYYY-MM-DD" /var/log/syslog

Substitute “YYYY-MM-DD” with the date you want in the year-month-day format. By doing so, this command will exhibit all the log entries that include the keyword “unattended-upgrades” and correspond to the date you specified.

To filter the logs by package name, use the following command, replacing “package_name” with the name of the package:

sudo grep "unattended-upgrades.*<package_name>" /var/log/syslog

To filter the logs by package name, use the following command and replace “<package_name>” with the package name you want to search for. This command will display all log entries that contain the “unattended-upgrades” keyword and match the specified package name.

The commands mentioned above enable you to check and filter the Unattended-Upgrades logs on your Debian system quickly, allowing you to identify and address any issues that may occur during the upgrade process.

Conclusion

Setting up unattended upgrades on Debian Linux is a valuable practice that ensures your system remains up-to-date and secure. By automating the process, you can minimize the risk of missing critical security patches and bug fixes. Overall, unattended upgrades help maintain your Debian Linux system’s stability, security, and performance, making them an essential tool for administrators and users alike.