This article will guide you on how to set up unattended automatic system updates under Debian 11.

Preparation

Unless you are on a physical server, or on a VPS or cloud host with a KVM architecture that does not use an oddly customized or modified kernel, there is a certain chance that a system upgrade which updates the kernel will cause GRUB to fail to load.

Remember to back up your important data!

The following operations must be done as the root user; use sudo -i or su root to switch to the root user first.

Install the necessary software

First you need to install the unattended-upgrades and apt-listchanges packages.

apt update
apt install unattended-upgrades apt-listchanges -y

By default the unattended-upgrades service is enabled and started automatically after installation.

root@debian ~ # systemctl status unattended-upgrades
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-05-03 09:50:36 UTC; 1 months 13 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 697 (unattended-upgr)
      Tasks: 2 (limit: 1059)
     Memory: 8.5M
        CPU: 69ms
     CGroup: /system.slice/unattended-upgrades.service
             └─697 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

If it is not active, run systemctl enable --now unattended-upgrades to start it and have it start automatically on boot.

Configure the 50unattended-upgrades file

Create (or overwrite) the /etc/apt/apt.conf.d/50unattended-upgrades file with the following content. The backslash before ${distro_codename} keeps the shell from expanding the variable inside the heredoc, so it reaches the file as written.

cat > /etc/apt/apt.conf.d/50unattended-upgrades << EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
APT::Periodic::AutocleanInterval "7";

Unattended-Upgrade::Mail "root";

Unattended-Upgrade::Origins-Pattern {
  "origin=Debian,codename=\${distro_codename},label=Debian";
  "origin=Debian,codename=\${distro_codename},label=Debian-Security";
  "origin=Debian,codename=\${distro_codename}-security,label=Debian-Security";
};

Unattended-Upgrade::Package-Blacklist {
};

Unattended-Upgrade::Automatic-Reboot "false";
EOF

In the configuration above, APT::Periodic::Update-Package-Lists "1"; and APT::Periodic::Unattended-Upgrade "1"; turn automatic updates on; if they are set to 0, no automatic update is done.

APT::Periodic::AutocleanInterval "7"; means that leftover, no-longer-needed packages are kept for 7 days and cleaned up automatically after that.

Unattended-Upgrade::Origins-Pattern lists the apt sources that are updated automatically. Here we only update the repositories containing debian and debian-security; if you also need to update software installed from third-party apt sources, you can add a custom origin as well. For example:

"origin=PowerDNS";

To find the origin, check the Release file of that software repository, for example the Release file of the PowerDNS repository:

root@debian ~ # curl -s https://repo.powerdns.com/debian/dists/bullseye-auth-master/Release | grep Origin
Origin: PowerDNS
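As an added example (not part of the article and not unattended-upgrades' own code), the following Python models what an Origins-Pattern entry does: ${distro_codename} is substituted, the comma-separated key=value parts are ANDed together, and each value is compared as a shell-style glob against the corresponding field of a repository's Release file. The Release stanzas below are constructed samples, not downloaded from Debian or PowerDNS, and the key aliases (o/origin, l/label, a/suite/archive, n/codename, c/component) are the ones unattended-upgrades accepts.

```python
import fnmatch
import re

# Constructed sample Release stanzas (not fetched from any repository); the
# field names are the ones the article greps for with `curl ... | grep Origin`.
SAMPLE_RELEASES = {
    "bullseye main": (
        "Origin: Debian\nLabel: Debian\nSuite: stable\nCodename: bullseye\n"
        "Components: main contrib non-free\n"
    ),
    "bullseye-security main": (
        "Origin: Debian\nLabel: Debian-Security\nSuite: stable-security\n"
        "Codename: bullseye-security\nComponents: main\n"
    ),
    "powerdns auth-master": (
        "Origin: PowerDNS\nLabel: PowerDNS\nSuite: bullseye-auth-master\n"
        "Codename: bullseye-auth-master\nComponents: main\n"
    ),
}

# The three Origins-Pattern entries from the article's 50unattended-upgrades.
ARTICLE_PATTERNS = [
    "origin=Debian,codename=${distro_codename},label=Debian",
    "origin=Debian,codename=${distro_codename},label=Debian-Security",
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security",
]

# Matcher keys accepted in an Origins-Pattern entry, mapped to the Release
# field each one is compared against.
MATCHER_KEYS = {
    "o": "origin", "origin": "origin",
    "l": "label", "label": "label",
    "a": "suite", "suite": "suite", "archive": "suite",
    "n": "codename", "codename": "codename",
    "c": "components", "component": "components",
}


def parse_release(text):
    """Turn the 'Key: value' header lines of a Release file into a dict with lower-case keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z-]+):\s*(.*)$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2).strip()
    return fields


def matches_origin_pattern(pattern, fields, distro_codename):
    """True if every key=value part of the pattern matches the parsed Release fields."""
    pattern = pattern.replace("${distro_codename}", distro_codename)
    for part in pattern.split(","):
        key, _, wanted = part.strip().partition("=")
        field = MATCHER_KEYS.get(key)
        if field is None:
            raise ValueError(f"unknown Origins-Pattern key {key!r}")
        # A Release file lists several components; a real apt index has one.
        # Accept the pattern if any listed component matches the glob.
        values = fields.get(field, "").split() if field == "components" else [fields.get(field, "")]
        if not any(fnmatch.fnmatchcase(v, wanted) for v in values):
            return False
    return True


def pattern_from_release(fields):
    """Build an entry of the same shape the article uses from parsed Release fields."""
    return "origin={origin},codename={codename},label={label}".format(**fields)


def select_sources(patterns, releases, distro_codename):
    """Names of the sample repositories that at least one pattern would allow upgrades from."""
    return sorted(
        name for name, text in releases.items()
        if any(matches_origin_pattern(p, parse_release(text), distro_codename) for p in patterns)
    )


if __name__ == "__main__":
    print("Debian-only patterns:", select_sources(ARTICLE_PATTERNS, SAMPLE_RELEASES, "bullseye"))
    extra = ARTICLE_PATTERNS + ["origin=PowerDNS"]
    print("with origin=PowerDNS:", select_sources(extra, SAMPLE_RELEASES, "bullseye"))
    pdns = parse_release(SAMPLE_RELEASES["powerdns auth-master"])
    print("entry derived from the PowerDNS Release:", pattern_from_release(pdns))
```

With the article's three entries only the two Debian sources are selected; adding the bare "origin=PowerDNS" entry selects the PowerDNS source as well. pattern_from_release shows how to turn the Origin, Codename and Label lines of a third-party Release file into an entry of the same shape as the Debian ones: a bare origin matches every suite that repository publishes, so narrowing by codename keeps unattended upgrades to the suite you actually installed from.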

Unattended-Upgrade::Package-Blacklist is a blacklist of packages that should not be updated automatically, for example:

Unattended-Upgrade::Package-Blacklist {
    // Do not automatically update any package whose name starts with linux-
    "linux-";
    // Do not automatically update Apache 2
    "apache2";
    // Regular expressions are also supported. This rule excludes all packages whose names start with xen, xenstore or libxen, such as xen-system-amd64, xen-utils-4.1, xenstore-utils and libxenstore3.0
    "(lib)?xen(store)?";
};
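As an added example (not part of the article and not unattended-upgrades' own code), the following Python applies the blacklist entries above the way unattended-upgrades does, as Python regular expressions matched from the start of the package name (re.match), to a constructed list of upgradable packages. It also shows the consequence that matters in practice: an entry without a trailing $ is a prefix match, so "apache2" holds back apache2-utils as well, and it validates entries as regular expressions before they reach the configuration file. The package list is constructed, not taken from a real apt run.

```python
import re

# Blacklist entries from the article's example block. unattended-upgrades
# applies each one with re.match, i.e. anchored at the start of the name only.
ARTICLE_BLACKLIST = ["linux-", "apache2", "(lib)?xen(store)?"]

# Constructed list of upgradable package names (not taken from a real apt run).
CANDIDATES = [
    "linux-image-amd64", "linux-libc-dev",
    "apache2", "apache2-utils", "libapache2-mod-php",
    "xen-system-amd64", "xen-utils-4.1", "xenstore-utils", "libxenstore3.0",
    "openssl", "libssl1.1", "nginx",
]


def validate_blacklist(blacklist):
    """Return {entry: error message} for entries that are not valid regular expressions."""
    errors = {}
    for entry in blacklist:
        try:
            re.compile(entry)
        except re.error as exc:
            errors[entry] = str(exc)
    return errors


def is_blacklisted(pkgname, blacklist):
    """Prefix-anchored regex match, as unattended-upgrades applies Package-Blacklist."""
    return any(re.match(entry, pkgname) for entry in blacklist)


def split_upgrades(candidates, blacklist):
    """Split candidate package names into (allowed, held) lists, preserving order."""
    held = [p for p in candidates if is_blacklisted(p, blacklist)]
    allowed = [p for p in candidates if p not in held]
    return allowed, held


def exact(pkgname):
    """Blacklist entry that holds exactly one package: escape it and anchor the end with $."""
    return re.escape(pkgname) + "$"


if __name__ == "__main__":
    allowed, held = split_upgrades(CANDIDATES, ARTICLE_BLACKLIST)
    print("allowed:", allowed)
    print("held back:", held)
    # The unanchored "apache2" entry also holds apache2-utils; "apache2$" does not.
    print("held by 'apache2':", split_upgrades(CANDIDATES, ["apache2"])[1])
    print("held by", exact("apache2") + ":", split_upgrades(CANDIDATES, [exact("apache2")])[1])
    print("invalid entries:", validate_blacklist(["libc6(", "linux-"]))
```

Run validate_blacklist over the entries you intend to ship and check the held list against what you expect before writing the configuration; a mistyped regular expression or an entry that silently covers more packages than intended is easy to miss once upgrades run unattended, and in the security direction an over-broad entry quietly leaves packages unpatched.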

APT::Periodic::Verbose "1"; sets the report level: by default it is 0, which means no reports are sent; 1 sends progress reports.

Unattended-Upgrade::Mail "root"; sends mail to the root user; change it as required.

Unattended-Upgrade::Automatic-Reboot "false"; disables automatic reboots (don’t reboot the server if you don’t want it to).

Test the configuration

We can test whether the rules are correct by running this command.

unattended-upgrades --dry-run --debug

If there are no errors, the configuration is fine, and Debian is now set up to update itself unattended, so we don’t have to worry about security holes going unpatched because the system was not updated in time.

To view the logs, use the command journalctl -u apt-daily.service | tail.

root@u ~ # journalctl -u apt-daily.service | tail
Jun 15 09:53:46 u.sb systemd[1]: apt-daily.service: Consumed 2.791s CPU time.
Jun 15 21:10:43 u.sb systemd[1]: Starting Daily apt download activities...
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: verbose level 1
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: check_stamp: interval=86400, now=1655251200, stamp=1655251200, delta=0 (sec)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: download updated metadata (not run).
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: download upgradable (not run)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: check_stamp: interval=86400, now=1655251200, stamp=1655251200, delta=0 (sec)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: unattended-upgrade -d (not run)
Jun 15 21:10:43 u.sb systemd[1]: apt-daily.service: Succeeded.
Jun 15 21:10:43 u.sb systemd[1]: Finished Daily apt download activities.
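Reading the verbose log above takes a little practice: each "(not run)" line follows a check_stamp line whose delta (seconds since the day the stamp file was last written) is below the interval, meaning that step already ran today rather than being disabled. As an added example (not part of the article), the following Python reduces such journal lines to the stamp checks and the per-step status, so a quick check can tell "nothing was due" apart from "nothing is happening". The first sample is the article's own excerpt; the second is a constructed run where the stamp is a day old, with constructed status words, so the steps are due.

```python
import re

# The journal excerpt from the article (verbose level 1), embedded as sample input.
ARTICLE_JOURNAL = """\
Jun 15 09:53:46 u.sb systemd[1]: apt-daily.service: Consumed 2.791s CPU time.
Jun 15 21:10:43 u.sb systemd[1]: Starting Daily apt download activities...
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: verbose level 1
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: check_stamp: interval=86400, now=1655251200, stamp=1655251200, delta=0 (sec)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: download updated metadata (not run).
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: download upgradable (not run)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: check_stamp: interval=86400, now=1655251200, stamp=1655251200, delta=0 (sec)
Jun 15 21:10:43 u.sb apt.systemd.daily[104653]: unattended-upgrade -d (not run)
Jun 15 21:10:43 u.sb systemd[1]: apt-daily.service: Succeeded.
Jun 15 21:10:43 u.sb systemd[1]: Finished Daily apt download activities.
"""

# Constructed variant (not from the article): the stamp is a full day old, so
# delta reaches the interval and the steps run. Status words are constructed too.
CONSTRUCTED_DUE_JOURNAL = """\
Jun 16 06:12:01 u.sb apt.systemd.daily[1234]: verbose level 1
Jun 16 06:12:01 u.sb apt.systemd.daily[1234]: check_stamp: interval=86400, now=1655337600, stamp=1655251200, delta=86400 (sec)
Jun 16 06:12:09 u.sb apt.systemd.daily[1234]: download updated metadata (success).
Jun 16 06:12:09 u.sb apt.systemd.daily[1234]: download upgradable (success)
Jun 16 06:12:09 u.sb apt.systemd.daily[1234]: check_stamp: interval=86400, now=1655337600, stamp=1655251200, delta=86400 (sec)
Jun 16 06:12:30 u.sb apt.systemd.daily[1234]: unattended-upgrade -d
"""

STAMP_RE = re.compile(r"check_stamp: interval=(\d+), now=(\d+), stamp=(\d+), delta=(-?\d+) \(sec\)")
# Step name, then an optional trailing "(status)" and an optional full stop.
STEP_RE = re.compile(r"apt\.systemd\.daily\[\d+\]: (.+?)(?: \(([^()]+)\))?\.?$")


def summarize_apt_daily(journal_text):
    """Reduce verbose apt.systemd.daily journal lines to stamp checks and per-step status."""
    summary = {"stamp_checks": [], "steps": {}}
    for line in journal_text.splitlines():
        m = STAMP_RE.search(line)
        if m:
            interval, now, stamp, delta = (int(x) for x in m.groups())
            # A step is due only once delta has reached the configured interval.
            summary["stamp_checks"].append({"interval": interval, "delta": delta, "due": delta >= interval})
            continue
        m = STEP_RE.search(line)
        if not m or m.group(1).startswith("verbose level"):
            continue
        summary["steps"][m.group(1)] = m.group(2) or "run"
    return summary


def all_steps_skipped(summary):
    """True when every recorded step was reported as '(not run)', i.e. nothing was due yet."""
    return bool(summary["steps"]) and all(s == "not run" for s in summary["steps"].values())


if __name__ == "__main__":
    for label, text in (("article excerpt", ARTICLE_JOURNAL), ("constructed due run", CONSTRUCTED_DUE_JOURNAL)):
        s = summarize_apt_daily(text)
        print(label, "-> steps:", s["steps"], "| due:", [c["due"] for c in s["stamp_checks"]],
              "| all skipped:", all_steps_skipped(s))
```

The "unattended-upgrade -d" line in apt-daily.service is the download-only pre-fetch; the run that actually installs the upgrades is logged under apt-daily-upgrade.service, so check that unit as well when you want to confirm that security updates were applied rather than merely downloaded.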