Unattended Upgrades (Debian Derivative)
This is going to be more of a tl;dr version of my write-up here
Install and Configure
sudo apt install -y unattended-upgrades apt-listchanges
Origin Patterns
Understanding Origin Patterns
Origin patterns inform UnattendedUpgrades which apt package caches to install packages from. In a default installation of UnattendedUpgrades, you may see something like this in the configuration file:
"origin=${distro_id},codename=${distro_codename}-updates";
Example default origin pattern
lsb_release -a
Distributor ID: Debian
Description: Debian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
- ${distro_id} = Debian, from lsb_release -a
- ${distro_codename} = bullseye, from lsb_release -a
Identifying Origin Patterns
Accepted keywords for the origin pattern are found in the comments of /etc/apt/apt.conf.d/50unattended-upgrades
// a,archive,suite (eg, "stable")
// c,component (eg, "main", "contrib", "non-free")
// l,label (eg, "Debian", "Debian-Security")
// o,origin (eg, "Debian", "Unofficial Multimedia Packages")
// n,codename (eg, "jessie", "jessie-updates")
// site (eg, "http.debian.net")
Accepted keywords for the origin pattern
Note that b or branch are not listed as accepted keywords. See example output below.
The comments also describe how you can find existing apt package cache origins on your system:
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
Run apt-cache policy to list apt package origins
apt-cache policy
Example Output
100 /var/lib/dpkg/status
release a=now
500 http://security.debian.org bullseye-security/main amd64 Packages
release v=11,o=Debian,a=oldstable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
origin security.debian.org
500 http://ftp.debian.org/debian bullseye-updates/main amd64 Packages
release v=11-updates,o=Debian,a=oldstable-updates,n=bullseye-updates,l=Debian,c=main,b=amd64
origin ftp.debian.org
500 http://ftp.debian.org/debian bullseye/contrib amd64 Packages
release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=contrib,b=amd64
origin ftp.debian.org
500 http://ftp.debian.org/debian bullseye/main amd64 Packages
release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=main,b=amd64
origin ftp.debian.org
Configuring the Service
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Defining Origin Patterns
You're not required to use all of the keywords when defining an origin pattern; one or more is enough. So, if you set an origin pattern to "o=${distro_id}"; then it will match every apt package origin whose release line contains o=Debian, whatever its suite, codename or component.
If the accepted keywords are:
- a or archive
- c or component
- l or label
- o or origin
- n or codename
- site
Then, based on the output above, the package origins I'd be most interested in are:
- bullseye-security
- bullseye-updates
- bullseye
"origin=${distro_id},codename=${distro_codename}-updates";
Default origin pattern(s)
A note: when configuring an Ubuntu server in the past, unattended-upgrades would not run if anything other than the o= or origin= and a= or archive= keys was in the configuration.
// Pull non-security patches, bug fixes
"origin=${distro_id},codename=${distro_codename}-updates";
// Pull security patches
"o=${distro_id},n=${distro_codename}-security";
// General releases to the stable branch
// c=main restricts the match to the main component; without it both main and contrib would match
"o=${distro_id},n=${distro_codename},c=main";
New origin patterns
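The matching rule described above (every key=value in the pattern must appear as a whole field in an origin's release line) is easy to get wrong, for instance n=bullseye must not match n=bullseye-security. The following script is an added example, not part of the original write-up or of unattended-upgrades itself: it takes apt-cache policy output on stdin, substitutes ${distro_id} and ${distro_codename}, and prints the release lines each pattern would select. The sample output embedded in POLICY_SAMPLE is constructed from the listing on this page; the site= keyword, which applies to the "origin host" line rather than the release line, is not handled.

```shell
#!/bin/sh
# Added example (not part of the original write-up): show which apt origins an
# Unattended-Upgrade origin pattern selects, judged on the "release" lines that
# apt-cache policy prints. Real use:  apt-cache policy | matching_releases PATTERN ID CODENAME
# The site=... keyword (matched against the "origin host" line) is not handled here.

# Constructed sample, copied from the apt-cache policy listing on this page.
POLICY_SAMPLE='100 /var/lib/dpkg/status
     release a=now
500 http://security.debian.org bullseye-security/main amd64 Packages
     release v=11,o=Debian,a=oldstable-security,n=bullseye-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
500 http://ftp.debian.org/debian bullseye-updates/main amd64 Packages
     release v=11-updates,o=Debian,a=oldstable-updates,n=bullseye-updates,l=Debian,c=main,b=amd64
     origin ftp.debian.org
500 http://ftp.debian.org/debian bullseye/contrib amd64 Packages
     release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=contrib,b=amd64
     origin ftp.debian.org
500 http://ftp.debian.org/debian bullseye/main amd64 Packages
     release v=11.11,o=Debian,a=oldstable,n=bullseye,l=Debian,c=main,b=amd64
     origin ftp.debian.org'

# Map a long keyword to the single-letter form used in apt-cache policy output.
short_key() {
  case "$1" in
    origin) echo o ;;
    archive|suite) echo a ;;
    component) echo c ;;
    label) echo l ;;
    codename) echo n ;;
    *) echo "$1" ;;
  esac
}

# Substitute ${distro_id} and ${distro_codename} (the values lsb_release reports)
# into a pattern.  $1 = pattern, $2 = distro id, $3 = codename
expand_pattern() {
  printf '%s\n' "$1" | sed -e "s/\${distro_id}/$2/g" -e "s/\${distro_codename}/$3/g"
}

# Return 0 when every key=value of the expanded pattern ($2) appears as a whole
# comma-delimited field in the release line ($1).  The surrounding commas stop a
# partial match such as n=bullseye against n=bullseye-security from counting.
release_matches() {
  line="$1"
  printf '%s\n' "$2" | tr ',' '\n' | (
    while IFS= read -r kv; do
      key=$(short_key "${kv%%=*}")
      val=${kv#*=}
      case ",$line," in
        *",$key=$val,"*) ;;
        *) exit 1 ;;
      esac
    done
    exit 0
  )
}

# Read apt-cache policy output on stdin and print each release line the pattern
# selects.  $1 = pattern, $2 = distro id, $3 = codename
matching_releases() {
  pat=$(expand_pattern "$1" "$2" "$3")
  sed -n 's/^[[:space:]]*release //p' | while IFS= read -r rel; do
    if release_matches "$rel" "$pat"; then
      printf '%s\n' "$rel"
    fi
  done
}

# Same, but print only how many origins the pattern selects.
count_matches() {
  matching_releases "$@" | wc -l | tr -d ' '
}

# Demo against the constructed sample using the three patterns from this page.
for p in 'origin=${distro_id},codename=${distro_codename}-updates' \
         'o=${distro_id},n=${distro_codename}-security' \
         'o=${distro_id},n=${distro_codename},c=main'; do
  printf '%s selects %s origin(s):\n' "$p" \
    "$(printf '%s\n' "$POLICY_SAMPLE" | count_matches "$p" Debian bullseye)"
  printf '%s\n' "$POLICY_SAMPLE" | matching_releases "$p" Debian bullseye | sed 's/^/  /'
done
```

Running it shows why the c=main qualifier matters: "o=${distro_id},n=${distro_codename}" selects both the main and the contrib origin of bullseye, while adding c=main narrows it to one. Against a live system, replace the sample with the real output of apt-cache policy on stdin.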
Set Upgrade Options
Still editing the /etc/apt/apt.conf.d/50unattended-upgrades file
You'll see that several of these configuration options are commented out with a // prefix. Uncomment and configure them according to your needs. Below are the settings I prefer for the service.
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Unattended-Upgrade::OnlyOnACPower "false";
- Automatic reboots at 04:00 AM
- Does NOT configure the Unattended-Upgrade::Mail option, which is handy for production systems in the event you want to track upgrades
- Read the // comments in the configuration file to understand more about each option
You may now save your changes to the configuration file
Configure the Schedule
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
// How often (in days) to apt update
APT::Periodic::Update-Package-Lists "1";
// How often (in days) to download new packages
APT::Periodic::Download-Upgradeable-Packages "1";
// How often (in days) to run apt autoclean
APT::Periodic::AutocleanInterval "7";
// How often (in days) to run unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";
Testing and Troubleshooting
Dry Run Mode
Running in dry run mode will perform all of the expected actions an actual run would perform, except no changes will be made to the system. Running with debug output will output the actions to the console to help you see what will be applied and if there are any errors with your configuration.
sudo unattended-upgrades -d --dry-run
Run unattended-upgrades in dry run mode, with debug output
Manual Run
This runs unattended-upgrades manually, and with debug output, to perform an actual upgrade of the system, while allowing you to see output to the console.
sudo unattended-upgrades -d
Enable and Start the Service
sudo systemctl enable --now unattended-upgrades
Enable and immediately start the daemon