One of the crucial tasks of any sysadmin is to ensure that security patches and feature updates are applied regularly. Security updates address existing vulnerabilities that malicious users can exploit to breach the system. Delayed patching of system packages may result in breaches where confidential information is accessed and exfiltrated. Manually updating packages on Ubuntu, and on any Linux system for that matter, is tedious and takes time that could have been spent on more productive tasks. Configuring automatic updates on a Linux server therefore comes highly recommended. In this guide, we walk you through how to enable automatic updates on Ubuntu 20.04.
Automatic updates are made possible by the unattended-upgrades package. The package keeps your system in sync with the latest security and feature updates. We are going to show you how to install the package, and then how to modify its configuration file to control which updates are installed and how to send email alerts.
Step 1: Install unattended-upgrades package
As discussed before, the first step is to install the unattended-upgrades package. To achieve this, we will use the APT package manager as follows:
$ sudo apt install unattended-upgrades
When the installation is complete, verify this using the command:
$ sudo systemctl status unattended-upgrades
By default, the unattended-upgrades daemon should run once the installation is complete as evidenced in the screenshot below.
To set automatic updates, we are going to install the update-notifier-common package:
$ sudo apt install update-notifier-common
Step 2: Configure unattended-upgrades service
In this step, we are going to make changes to the unattended-upgrades configuration file.
$ sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
The file helps you to specify which packages should automatically be updated or skipped during the update process. By default, however, only security updates are set to be automatically installed as shown in the lines below. Therefore, no action is needed.
Lines starting with double slashes (//) are commented out. If you want updates from a repository to be installed, uncomment its line by removing the double slashes.
For example, to blacklist some packages from being upgraded, remove the double slash signs in the line with the parameter
Then specify the package names. In the example below, we have prevented the MariaDB and Nginx packages from being upgraded.
When you scroll down, you can see a host of other options that you can enable or leave as they are.
Step 3: Enable email notifications
Sometimes, you may want to receive email notifications. To achieve this, scroll and locate the line below and remove the preceding double slashes.
//Unattended-Upgrade::Mail " ";
Be sure to specify the recipient email address.
Unattended-Upgrade::Mail "[email protected] ";
In addition, you can choose to receive email updates in case an update goes wrong, such as when security updates fail. To do so, locate this line:
Uncomment it and change the attribute “on-change” to “only-on-error”.
When security updates are installed, it’s always good practice to restart the server in order to update the kernel. You can enable an automatic reboot by locating the line below.
Change the “false” value to “true”.
If there are users logged in and you still want to proceed with the reboot, locate the line:
// Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Uncomment it so that it resembles what we have below:
You can also set the time at which the automatic reboot will occur by uncommenting the line below. By default, this is set to 4:00 am.
// Unattended-Upgrade::Automatic-Reboot-Time "04:00";
In our case, we have set it to 3:00 am.
There are many other rules you can set to suit your needs. Simply scroll and uncomment the directives as we have just elaborated.
Once you are done, save the changes and exit the configuration file. That’s about it in this section.
Step 4: Enable automatic updates on Ubuntu 20.04
Finally, to enable automatic upgrades, edit the 20auto-upgrades file as shown.
$ sudo vim /etc/apt/apt.conf.d/20auto-upgrades
By default, the file has two lines as shown.
These lines allow you to determine how the upgrade will occur. The first line handles the update of the package lists while the second one initiates the automatic upgrades.
The value “1” enables the auto-update and the auto-upgrade respectively. If you want to disable it, set this value to “0”.
No changes are required here, just save and exit the file.
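To confirm that the settings from Steps 2 to 4 are what APT actually sees, the following added example (not part of the original guide) audits `apt-config dump` output for the options discussed above. The function names and the sample dump, including the recipient address and blacklist entries, are constructed for illustration; it assumes Ubuntu's Allowed-Origins list and does not inspect Origins-Pattern.

```shell
# Added example: audit the effective settings from `apt-config dump` output.
# On a real host run:  apt-config dump | audit_auto_upgrades

cfg_value() {  # $1 = scalar option name, $2 = dump text; prints its value
  printf '%s\n' "$2" | sed -n "s/^$1 \"\(.*\)\";\$/\1/p" | tail -n 1
}

cfg_list() {   # $1 = list option name, $2 = dump text; one member per line
  printf '%s\n' "$2" | sed -n "s/^$1:: \"\(.*\)\";\$/\1/p"
}

audit_auto_upgrades() {
  local dump opt val
  dump=$(cat)
  for opt in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
    val=$(cfg_value "$opt" "$dump")
    case "$val" in ''|0) echo "FAIL $opt is unset or 0" ;; esac
  done
  cfg_list 'Unattended-Upgrade::Allowed-Origins' "$dump" | grep -q -- '-security$' \
    || echo "FAIL no -security origin is allowed"
  cfg_list 'Unattended-Upgrade::Package-Blacklist' "$dump" | while read -r val; do
    echo "WARN $val is blacklisted and gets no automatic security updates"
  done
  [ -n "$(cfg_value 'Unattended-Upgrade::Mail' "$dump" | tr -d ' ')" ] \
    || echo "WARN no mail recipient set, failed upgrades are not reported"
  # Simplification: only the literal value "true" (as used in this guide) counts.
  if [ "$(cfg_value 'Unattended-Upgrade::Automatic-Reboot' "$dump")" != true ]; then
    echo "WARN Automatic-Reboot is off, a new kernel waits for a manual reboot"
  fi
}

sample_dump() {  # constructed input mirroring the choices made in this guide
  cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Package-Blacklist:: "mariadb";
Unattended-Upgrade::Package-Blacklist:: "nginx";
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";
EOF
}

sample_dump | audit_auto_upgrades
```

The two WARN lines for the sample are the cost of the blacklist in Step 2: those packages have to be patched by hand.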
Step 5: Set up a mail server
For you to receive notifications, you need to configure an email server. There are a couple of options that you can use including mailx and postfix.
For best results, install Postfix to configure SMTP relay to external SMTP servers. We have a detailed guide on how to set up Postfix mail server on Ubuntu.
If you have come this far, you have successfully managed to set automatic updates on Ubuntu 20.04. You can rest assured that your packages will always be up to date with the latest versions. Also, your server will be up to speed with the latest security patches to address any underlying security loopholes.