Debian: unattended-upgrades + needrestart

The purpose of unattended-upgrades is to keep the computer current with the latest security (and other) updates automatically.

If you plan to use it, you should have some means to monitor your systems, such as installing the apt-listchanges package and configuring it to send you emails about updates. And there is always /var/log/dpkg.log, or the files in /var/log/unattended-upgrades/.

As of Debian 9 (Stretch) both the unattended-upgrades and apt-listchanges packages are installed by default and upgrades are enabled with the GNOME desktop.

Step 1: Install Packages

Both packages are included in the default Debian/Ubuntu repositories. To install them, run

# apt install unattended-upgrades needrestart

Step 2: Configure Unattended Upgrades

The configuration file /etc/apt/apt.conf.d/50unattended-upgrades holds the parameters that determine what gets upgraded and how.

Unattended-Upgrade::Origins-Pattern

In the section Unattended-Upgrade::Origins-Pattern you define which Debian sources are part of the upgrade path. At a minimum, select the security entries; any combination is possible.

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
//      "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};

Unattended-Upgrade::Origins-Pattern – Other entries

Depending on the other sources you have defined, you can include Puppet Labs, Wazuh and other (agent) components in the upgrade path as well.

Unattended-Upgrade::Origins-Pattern {

....
        // Puppetlabs
        "site=apt.puppetlabs.com";

        // Wazuh
        "site=packages.wazuh.com";
....
};

Unattended-<other values>

The following values can also be set; see the inline comments for details.

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "admin@your-company.com";

// Set this value to one of:
//    "always", "only-on-error" or "on-change"
// If this is not set, then any legacy MailOnlyOnError (boolean) value
// is used to choose between "only-on-error" and "on-change"
Unattended-Upgrade::MailReport "only-on-error";

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade
Unattended-Upgrade::Automatic-Reboot "false";

// Allow package downgrade if Pin-Priority exceeds 1000
Unattended-Upgrade::Allow-downgrade "false";

Unattended-Upgrade::Package-Blacklist

This list lets you skip (blacklist) specific packages. I prefer to upgrade Linux kernels myself: the /tmp disk space on my systems is limited, and Debian kernel upgrades need a large amount of /tmp, so leaving them to unattended-upgrades always runs into errors.

Unattended-Upgrade::Package-Blacklist {
        // The following matches all packages starting with linux-
        "linux-";
        // Other packages/software which you want more control over
        "wazuh-manager-";
        "opendistroforelasticsearch";
};

Step 3: Configure auto upgrade file

Enable automatic updates and set up update intervals by defining the file /etc/apt/apt.conf.d/20auto-upgrades with the following content:

# This option allows you to specify the frequency (in days) at which the package lists are refreshed.
APT::Periodic::Update-Package-Lists "1";

# When this option is enabled, the daily script will execute unattended-upgrade (from the unattended-upgrades package)
# which — as its name suggests — can automate the upgrade process for some packages (by default it only
# takes care of security updates, but this can be customized in /etc/apt/apt.conf.d/50unattended-upgrades).
# Note that this option can be set with the help of debconf by running dpkg-reconfigure -plow unattended-upgrades.
# If apt-listbugs is installed, it will prevent an automatic upgrade of packages which are affected by an already
# reported serious or grave bug.
APT::Periodic::Unattended-Upgrade "1";

# Again, this option indicates a frequency (in days), this time for the downloading of the actual packages.
APT::Periodic::Download-Upgradeable-Packages "1";

# This option covers a feature that apticron doesn't have. It controls how often obsolete packages
# (those not referenced by any distribution anymore) are removed from the APT cache. This keeps the APT
# cache at a reasonable size and means that you don't need to worry about that task.
APT::Periodic::AutocleanInterval "7";
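As an added check for Steps 2 and 3 (this script is not part of the original page or of the unattended-upgrades package), the following Python parses the effective APT configuration as printed by apt-config dump and flags mistakes that silently disable the setup: no Origins-Pattern entries, an unknown key inside a pattern, a misspelled MailReport value, Mail left empty, or APT::Periodic::Unattended-Upgrade not set to 1. The dump text below is a constructed sample; on a real host, feed it the output of apt-config dump.

```python
import re

# Keys unattended-upgrades accepts inside an Origins-Pattern entry (long and short forms).
ORIGIN_KEYS = {"o", "origin", "l", "label", "a", "archive", "suite",
               "c", "component", "n", "codename", "site"}
MAIL_REPORTS = {"always", "only-on-error", "on-change"}
# apt-config dump prints scalars as `Key "value";` and list members as `Key:: "value";`.
LINE_RE = re.compile(r'^(?P<key>[^\s:]+(?:::[^\s:]+)*)(?P<list>::)?\s+"(?P<val>.*)";$')

def parse_apt_config(dump):
    """Split apt-config dump output into scalar keys and list-valued keys."""
    scalars, lists = {}, {}
    for line in dump.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["list"]:
            lists.setdefault(m["key"], []).append(m["val"])
        elif m:
            scalars[m["key"]] = m["val"]
    return scalars, lists

def check_unattended_config(dump):
    """Return a list of findings; an empty list means the effective config looks sane."""
    scalars, lists = parse_apt_config(dump)
    findings = []
    origins = lists.get("Unattended-Upgrade::Origins-Pattern", [])
    if not origins:
        findings.append("no Origins-Pattern entries: nothing will ever be upgraded")
    for pat in origins:
        for key in (field.split("=", 1)[0].strip() for field in pat.split(",")):
            if key not in ORIGIN_KEYS:
                findings.append(f"unknown key '{key}' in Origins-Pattern '{pat}'")
    report = scalars.get("Unattended-Upgrade::MailReport")
    if report is not None and report not in MAIL_REPORTS:
        findings.append(f"MailReport '{report}' is not one of {sorted(MAIL_REPORTS)}")
    if report and not scalars.get("Unattended-Upgrade::Mail"):
        findings.append("MailReport is set but Mail is empty: no report will be sent")
    if scalars.get("APT::Periodic::Unattended-Upgrade", "0") != "1":
        findings.append("APT::Periodic::Unattended-Upgrade is not 1: the daily run is disabled")
    return findings

# Constructed sample of apt-config dump output; it carries a misspelled MailReport
# value (a typo of only-on-error) so the check has something to catch.
SAMPLE_DUMP = """\
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
Unattended-Upgrade::Origins-Pattern:: "site=packages.wazuh.com";
Unattended-Upgrade::Mail "admin@your-company.com";
Unattended-Upgrade::MailReport "onnly-on-error";
"""
```

Calling check_unattended_config(SAMPLE_DUMP) returns one finding about the MailReport value; after correcting it to only-on-error the list is empty.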

Step 4: Configure needrestart

The needrestart package lets the upgrade run perform follow-up actions automatically, i.e. restarting services after a library such as glibc has been upgraded. Create a new conf.d file at /etc/needrestart/conf.d/auto-restart.conf to declare that services may be restarted automatically:

# Restart mode: (l)ist only, (i)nteractive or (a)utomatically.
#
# ATTENTION: If needrestart is configured to run in interactive mode but is run
# non-interactive (i.e. unattended-upgrades) it will fallback to list only mode.
#
$nrconf{restart} = 'a';

Step 5: Check that it works

Use the following command to check that the solution works as desired:

# unattended-upgrades --dry-run --debug

After a few days, also review the log file /var/log/unattended-upgrades/unattended-upgrades.log to see which upgrades and steps were executed.
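To make that review systematic, the following Python (added here; not from the original page or the unattended-upgrades project) splits unattended-upgrades.log into runs, records what each run upgraded, and lists runs that logged a warning or error or never reached a completion message. The log text is a constructed sample modelled on the real message wording.

```python
import re

# unattended-upgrades.log lines look like "2024-03-01 06:15:02,123 INFO <message>".
LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ (?P<level>[A-Z]+) (?P<msg>.*)$")

def summarize_runs(log_text):
    """Split the log into runs and record what each run upgraded and how it ended."""
    runs = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # traceback and other continuation lines carry no timestamp
        ts, level, msg = m["ts"], m["level"], m["msg"]
        if msg.startswith("Starting unattended upgrades script"):
            runs.append({"started": ts, "upgraded": [], "problems": [], "finished": False})
            continue
        if not runs:
            continue  # lines before the first run marker belong to a rotated-away run
        run = runs[-1]
        if msg.startswith("Packages that will be upgraded:"):
            run["upgraded"] = msg.split(":", 1)[1].split()
        elif msg.startswith(("All upgrades installed", "No packages found that can be upgraded")):
            run["finished"] = True
        if level in ("WARNING", "ERROR"):
            run["problems"].append(msg)
    return runs

def runs_needing_attention(runs):
    """Runs that logged a warning/error or never reached a completion message (e.g. killed mid-dpkg)."""
    return [r for r in runs if r["problems"] or not r["finished"]]

# Constructed sample log modelled on the real message wording; not copied from a real host.
SAMPLE_LOG = """\
2024-03-01 06:15:02,100 INFO Starting unattended upgrades script
2024-03-01 06:15:02,101 INFO Allowed origins are: origin=Debian,codename=bookworm-security,label=Debian-Security
2024-03-01 06:15:02,102 INFO Initial blacklist: linux-
2024-03-01 06:15:09,300 INFO Packages that will be upgraded: libssl3 openssl
2024-03-01 06:15:31,800 INFO All upgrades installed
2024-03-02 06:15:03,000 INFO Starting unattended upgrades script
2024-03-02 06:15:10,400 INFO Packages that will be upgraded: libc6 libc-bin
2024-03-02 06:15:12,900 ERROR Installing the upgrades failed!
2024-03-03 06:15:03,000 INFO Starting unattended upgrades script
2024-03-03 06:15:08,200 INFO No packages found that can be upgraded unattended and no pending auto-removals
"""
```

On the sample, runs_needing_attention(summarize_runs(SAMPLE_LOG)) returns only the 2024-03-02 run, whose libc6 upgrade failed and which never logged a completion message.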