Automatic Updates on Debian

When you’ve got a few machines, virtual or real, to keep updated it can become quite a chore. There are tools like Ansible that can automate day-to-day jobs, but right now that feels like overkill for what I need. Instead, I’m going to start by installing automatic updates on my Debian based systems (i.e. all of them). If you are doing this for the first time I suggest rolling it out to just one machine, checking that you understand how the system works, and then rolling it out more widely. I intend for this to be installed on my Proxmox server eventually as well.

Install the Required Package

On the target machine open a new console and switch to root. Perform an update and then install the unattended-upgrades package.

apt update
apt install unattended-upgrades

Configure Automatic Updates

By default almost all automatic updates are switched off so let’s open the /etc/apt/apt.conf.d/50unattended-upgrades file and make some edits.

nano /etc/apt/apt.conf.d/50unattended-upgrades

The following lines match updates and security updates, so they should be uncommented (remove the //); by default only security updates are matched. This configuration will follow the system as it upgrades across major versions, but it won’t trigger a major version upgrade itself. Make the changes, then save the file and exit nano. Note that I didn’t uncomment the proposed updates repository: I want a system that is as stable as I can reasonably make it.

"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

If you want to update Proxmox automatically, in addition to the lines above, you’ll need to add a line like the one shown below to make the Proxmox repository eligible for unattended installs. You can get the origin, codename and label from the output of the command apt-cache policy.

"origin=Proxmox,codename=${distro_codename},label=Proxmox Debian Repository";

For Docker the line looks like this:

"origin=Docker,codename=${distro_codename},label=Docker";
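Working out the origin, codename and label fields by hand from apt-cache policy output is error-prone, so here is an added example (not part of the original post) that derives the Origins-Pattern lines from that output. The apt-cache policy text below is constructed to look like the "release" lines apt prints for the Debian and Proxmox repositories discussed above; the labels are assumed to match the ones quoted in this post. The codename you pass in is replaced with ${distro_codename} so the generated lines keep matching after a release upgrade.

```shell
#!/bin/sh
# Derive unattended-upgrades Origins-Pattern entries from `apt-cache policy`
# output. Added example; the sample policy text below is constructed.

# Constructed sample of the "release" lines apt-cache policy prints.
SAMPLE_POLICY='
 500 http://deb.debian.org/debian bookworm-updates/main amd64 Packages
     release v=12-updates,o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 http://security.debian.org/debian-security bookworm-security/main amd64 Packages
     release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=amd64
     origin security.debian.org
 500 http://deb.debian.org/debian bookworm/main amd64 Packages
     release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=amd64
     origin deb.debian.org
 500 http://download.proxmox.com/debian/pve bookworm/pve-no-subscription amd64 Packages
     release o=Proxmox,a=stable,n=bookworm,l=Proxmox Debian Repository,c=pve-no-subscription,b=amd64
     origin download.proxmox.com
'

# policy_to_origins CODENAME
#   Reads apt-cache policy output on stdin and prints one Origins-Pattern
#   line per distinct (origin, codename, label) triple, with CODENAME
#   replaced by ${distro_codename} so the line survives a release upgrade.
policy_to_origins() {
    codename="$1"
    awk -v cn="$codename" '
        $1 == "release" {
            sub(/^[ \t]*release[ \t]+/, "")
            n = split($0, kv, ",")
            o = ""; name = ""; l = ""
            for (i = 1; i <= n; i++) {
                k = substr(kv[i], 1, 1)   # single-letter key: o, a, n, l, ...
                v = substr(kv[i], 3)      # everything after "k="
                if (k == "o") o = v
                else if (k == "n") name = v
                else if (k == "l") l = v
            }
            if (o == "" || name == "") next
            sub(cn, "${distro_codename}", name)   # generalise the codename
            line = "\"origin=" o ",codename=" name
            if (l != "") line = line ",label=" l
            line = line "\";"
            if (!(line in seen)) { seen[line] = 1; print line }
        }'
}

# Run against the constructed sample. On a live system you would instead pipe
# the real output:  apt-cache policy | policy_to_origins "$(lsb_release -sc)"
printf '%s\n' "$SAMPLE_POLICY" | policy_to_origins bookworm
```

The printed lines can be pasted straight into the Origins-Pattern section of /etc/apt/apt.conf.d/50unattended-upgrades. Review the list before pasting: every repository that appears in apt-cache policy is listed, including any you deliberately do not want upgraded unattended, so drop those lines rather than adding them all.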

The official page on unattended upgrades suggests uncommenting / setting the line:

Unattended-Upgrade::Mail "root";

This causes the system to send a list of changes by email to the root user. If you’re running a mail server this is probably a good idea, but if, like me, you have to relay through Google mail servers it is a pain to set up. I set it up for SMART on my Proxmox server because I really care about that information; I’m not so worried if my Jellyfin server falls over because of a bad update. You can also put an email address in this field rather than a user. That might be worth doing, since if you later configure an email system, mails will just start arriving automatically.

Systems can, over time, end up with packages that are no longer required because they have, for example, been installed as a dependency of something else that has since been removed. Apt has an auto-remove system that can detect and remove this type of package, and the auto-update system can call it. To turn this on set the following line to true.

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Enable Automatic Updates

Turning automatic updates on (or off) involves configuring the file /etc/apt/apt.conf.d/20auto-upgrades. This is most easily done by running dpkg-reconfigure. The following command opens a configuration dialog where you select yes to perform automatic updates. If you want to turn automatic upgrades off, simply rerun the command and choose no.

dpkg-reconfigure --priority=low unattended-upgrades

If you want to check that automatic updates are turned on, issue the following command, which should report that the service is active.

systemctl status unattended-upgrades.service

If the service is not enabled you can enable and start it with the following commands.

systemctl enable unattended-upgrades
systemctl start unattended-upgrades
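systemctl status only tells you the timer service is running; it does not tell you what dpkg-reconfigure actually wrote. Here is an added example (not part of the original post) that checks the two APT::Periodic switches that dpkg-reconfigure sets in /etc/apt/apt.conf.d/20auto-upgrades. The two sample files are constructed to mirror answering yes and no in the dialog, so the check runs anywhere; on a real machine you would point it at the live file.

```shell
#!/bin/sh
# Check the APT::Periodic switches that dpkg-reconfigure writes into
# /etc/apt/apt.conf.d/20auto-upgrades. Added example; the sample file
# contents below are constructed.

# periodic_value FILE KEY
#   Prints the quoted value of KEY from an apt.conf-style file (last
#   occurrence wins, as in apt itself), or nothing if the key is absent.
periodic_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" "$1" | tail -n 1
}

# auto_upgrades_enabled FILE
#   Succeeds only when both the package-list refresh and the unattended
#   upgrade run are switched on; either one alone means nothing is applied.
auto_upgrades_enabled() {
    lists=$(periodic_value "$1" "APT::Periodic::Update-Package-Lists")
    upg=$(periodic_value "$1" "APT::Periodic::Unattended-Upgrade")
    [ "$lists" = "1" ] && [ "$upg" = "1" ]
}

# Constructed samples: what 20auto-upgrades looks like after choosing
# "yes" and "no" in the dpkg-reconfigure dialog.
ENABLED_CONF=$(mktemp)
DISABLED_CONF=$(mktemp)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$ENABLED_CONF"
printf '%s\n' 'APT::Periodic::Update-Package-Lists "0";' \
              'APT::Periodic::Unattended-Upgrade "0";' > "$DISABLED_CONF"

if auto_upgrades_enabled "$ENABLED_CONF"; then
    echo "sample 1: automatic upgrades enabled"
fi
if ! auto_upgrades_enabled "$DISABLED_CONF"; then
    echo "sample 2: automatic upgrades disabled"
fi

# On a live system:  auto_upgrades_enabled /etc/apt/apt.conf.d/20auto-upgrades
```

Once both switches read "1", a dry run of the upgrader itself is the most informative check: unattended-upgrade --dry-run --debug, run as root, logs which origins were allowed and which packages would have been upgraded without changing anything, so you can confirm your Origins-Pattern lines match before the first real run.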

Logs of what the unattended upgrade system does can be found in /var/log/unattended-upgrades/. That’s all there is to it; now you’ll never need to run apt update && apt upgrade by hand again.