Unattended Upgrades on Ubuntu Linux (Rev: 06/22)

Unattended Upgrades on Ubuntu Linux (Rev: 06/22)

"Unattended Upgrades" is a package available on Ubuntu systems that automatically installs updates for security and, optionally, other software packages. This tool is crucial for maintaining system security and stability. It ensures that vulnerabilities and bugs are promptly addressed without requiring manual intervention. This post details the setup instructions for using it for security updates on an Ubuntu Linux 22.04 or 24.04 server and sending emails when the updates are completed.

Martial Martial
Mar 12, 2024
Guide Ubuntu22 Ubuntu24
Unattended Upgrades on Ubuntu Linux (Rev: 06/22)
TABLE OF CONTENTS
Preamble
Ubuntu Pro
Unattended upgrades
Initial setup
Optional setup
Email
Automatic Reboot
Testing
Manual updates
Revision History
💡
Instructions for a Linux host running an Ubuntu 22.04 or 24.04 server to set up “unattended upgrades” so that your server will automatically upgrade security updates (only). Optionally, we request that the tool send us emails each time it runs to let us know if the server needs to be rebooted.
 
Revision: 20240622-0 (init: 20240312)
 
"Unattended Upgrades" is a package available on Ubuntu systems that automatically installs updates for security and, optionally, other software packages. This tool is crucial for maintaining system security and stability. It ensures that vulnerabilities and bugs are promptly addressed without requiring manual intervention. This post details the setup instructions for using it for security updates on an Ubuntu Linux 22.04 or 24.04 server and sending emails when the updates are completed.
Another blog post was added on the same date on using FastMail with Postfix to send emails.
 
 

Preamble

"Unattended Upgrades" on Ubuntu is configured to install security updates only automatically. This ensures that the system receives essential security patches without manual intervention, helping to keep the system secure against vulnerabilities. While it can be configured to update a broader range of packages, it may increase the risk of introducing stability issues with automatic updates of non-security critical packages.
These instructions will enable the end user to have security updates (only) done automatically.

Ubuntu Pro

If your system runs Ubuntu Pro, additional security packages might be installed.
Ubuntu Pro requires a Ubuntu account and is free for up to five systems. It is a subscription-based service offered by Canonical, providing enhanced security and compliance features for Ubuntu users, including extended security maintenance (ESM) for applications and infrastructure, patching for high and critical Common Vulnerabilities and Exposures (CVEs) for supported packages, and additional compliance certifications for regulated industries or sensitive environments. If you have it enabled, go to https://ubuntu.com/pro/dashboard and look at the "Command to attach a machine" (sudo pro attach TOKEN) to enable it. You will be prompted with additional details on the different services enabled when run.
When using Ubuntu Pro, you should see more source packages from the email notification. For example, something similar to:
# For Ubuntu 22.04 (Jammy Jellyfish)
Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security, o=UbuntuESM,a=jammy-infra-security

# For Ubuntu 24.04 (Noble Numbat)
Allowed origins are: o=Ubuntu,a=noble, o=Ubuntu,a=noble-security, o=UbuntuESMApps,a=noble-apps-security, o=UbuntuESM,a=noble-infra-security
Use pro status --all to check on the services enabled on the system.
Use pro help to get more details on the available services, and pro enable <service> (adapt <service> with a valid option from the pro status service list) to attempt to enable that service on your system.

Unattended upgrades

Initial setup

Ubuntu's writeup is at https://help.ubuntu.com/community/AutomaticSecurityUpdates
# Install needed packages
sudo apt install -y unattended-upgrades apt-listchanges
# accept the choices given to you in the interactive dialogue

# enable the automatic updates
sudo dpkg-reconfigure --priority=low unattended-upgrades
# select "yes" to "Automatically download and install stable updates?"

# (optional) make it possible to reboot automatically
sudo apt install -y update-notifier-common
You can confirm by checking cat /etc/apt/apt.conf.d/20auto-upgrades which should contain
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
You can sudo nano /etc/apt/apt.conf.d/50unattended-upgrades to see the options for customizing the system.

Optional setup

Email

Note: you can refer to “Sending emails: Postfix using Fastmail” as one email-sending approach.
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades find the Unattended-Upgrade::Mail line and uncomment it (remove the // at the beginning of the line) and set the destination email, such as [email protected]. Note that mail sending needs to be functional on your host for this to work. The final line will look something like:
Unattended-Upgrade::Mail "[email protected]";

Automatic Reboot

In the /etc/apt/apt.conf.d/50unattended-upgrades, find, uncomment, and modify the following ::-containing lines according to your needs:
// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in
// when Unattended-Upgrade::Automatic-Reboot is set to true
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Testing

You can see that your configuration file is functional by running sudo unattended-upgrades --dry-run
After confirming it is, use sudo unattended-upgrades -v to run the tool for the first time and confirm that everything is functional. If an update was performed and you have email notifications set up, you will receive an email with the details of the operation. It is up to you to act on Warning: A reboot is required to complete this upgrade, or a previous one notification in the email's content.

Manual updates

As noted earlier, our setup is configured to install security updates only automatically.
When your system informs you that it requires a reboot, it is an opportune time to run sudo apt-get update, sudo snap refresh—-list, brew update, etc.

Revision History

  • 20240622-0: Fix link to Postfix+Fastmail post
  • 20240529-0: Added link to Postfix+Fastmail post
  • 20240523-0: Confirmed functional on 24.04 + extended content for pro usage
  • 20240512-0: Migration to Notion
  • 20240306-0: Added Ubuntu Pro additions email example
  • 20240302-0: Added links to the introduction section.
  • 20240229-0: Intitial release.
 
 
Martial
Martial

Related Posts

Ubuntu 24.04 VPS Hardening (Rev: 06/22)
Guide Ubuntu24 VPS Security

Ubuntu 24.04 VPS Hardening (Rev: 06/22)
Martial Martial
Jun 16, 2024

Hosting on a VPS is a great option to run a blogging service, but installing services that might expose ports needs to be done with some precaution (or not at all if the service is only to be used by the server itself).

Post-Steps: Ubuntu 24.04 Desktop (Rev: 07/30)
Ubuntu24

Post-Steps: Ubuntu 24.04 Desktop (Rev: 07/30)
Martial Martial
May 25, 2024

This is a more opinionated post than usual: I live on the command line on Linux. As such, I perform a few extra steps after a fresh installation to get to a “usable” system.

Sending emails: Postfix using Fastmail (Rev: 05/31)
Guide Linux Ubuntu22 Ubuntu24 Postfix FastMail

Sending emails: Postfix using Fastmail (Rev: 05/31)
Martial Martial
Mar 12, 2024

Postfix is a free, open-source mail transfer agent (MTA) used to route and deliver email over the Internet. FastMail is a paid service that provides a secure, privacy-focused email provider supporting custom domains. This post details the setup instructions for using Postfix as a Send-Only SMTP server, using Fastmail, on a Ubuntu Linux 22.04 server.