This article will guide you on how to set up unattended automatic system updates under Debian 11.
Preparation
Unless you are running a physical server, or a KVM-based VPS or cloud host that does not use an oddly customized or modified kernel, there is a certain chance that a system upgrade that updates the kernel will cause GRUB to fail to load.
Remember to back up your important data!
The following operations need to be done as the root user; please use sudo -i or su root to switch to the root user.
Install the necessary software
First you need to install the unattended-upgrades and apt-listchanges packages.
By default the unattended-upgrades service is started automatically and takes effect.
If it doesn’t take effect, you can run systemctl enable --now unattended-upgrades to make it take effect and start automatically on boot.
Configure the 50unattended-upgrades file
Let’s just create a new /etc/apt/apt.conf.d/50unattended-upgrades file and enter the following.
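A file matching the settings this article goes on to describe, as an added example rather than the article's original listing, together with a check that the two enabling switches are really set. The Origins-Pattern lines follow Debian's stock file; EXAMPLE-ORIGIN, example-package, the function names and the --apply switch are placeholders or assumptions.

```shell
#!/bin/sh
# Added example, not the article's original listing.
CONF=/etc/apt/apt.conf.d/50unattended-upgrades   # path used in the article

# Write the settings the article describes to the file given as $1.
write_conf() {
    cat > "$1" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Verbose "1";

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian";
    "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
    // Placeholder for a third-party repository: take the value from the
    // Origin field of that repository's Release file.
    // "origin=EXAMPLE-ORIGIN";
};

Unattended-Upgrade::Package-Blacklist {
    // Placeholder: one quoted package name per line.
    // "example-package";
};

Unattended-Upgrade::Mail "root";
Unattended-Upgrade::Automatic-Reboot "false";
EOF
}

# Succeed only if file $1 sets every KEY=VALUE given after it.
# Catches a typo in a key or a switch left at "0".
check_conf() {
    f=$1; shift
    for kv in "$@"; do
        key=${kv%%=*}; want=${kv#*=}
        grep -Eq "^[[:space:]]*${key}[[:space:]]+\"${want}\";" "$f" || {
            echo "not set as expected: ${key} \"${want}\"" >&2; return 1; }
    done
}

# Run as root with --apply to install the file and do a dry run.
if [ "${1:-}" = "--apply" ]; then
    write_conf "$CONF" &&
    check_conf "$CONF" 'APT::Periodic::Update-Package-Lists=1' \
        'APT::Periodic::Unattended-Upgrade=1' &&
    unattended-upgrade --dry-run --debug   # assumed test command
fi
```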
In the above configuration, APT::Periodic::Update-Package-Lists "1"; and APT::Periodic::Unattended-Upgrade "1"; mean that automatic updates are turned on; if 0 is set, no automatic update will be done.
APT::Periodic::AutocleanInterval "7"; means that residual useless dependencies are kept for 7 days, and will be cleaned up automatically after 7 days.
Unattended-Upgrade::Origins-Pattern represents the apt sources that need to be updated. We only update the repositories containing debian and debian-security; you can also add a custom origin if you also need to update software installed from third-party apt sources. For example:
As for how to get the origin, you can directly check the Release file of the software repository, such as this Release of the PowerDNS repository.
Unattended-Upgrade::Package-Blacklist is a blacklist for software that does not need to be updated automatically, e.g.
APT::Periodic::Verbose "1"; By default this setting is 0, which means no reports are sent, and 1 is for progress reports.
Unattended-Upgrade::Mail "root"; sends mail to the root user, which can be customized as required.
Unattended-Upgrade::Automatic-Reboot "false"; means the server does not reboot automatically (don’t reboot the server if you don’t want to).
Test the configuration
We can test if the rules are correct by running this command.
If there are no errors, the configuration is fine. Debian is now configured to update automatically and unattended, so we don’t have to worry about security breaches caused by not being able to update the system in time.
To view the logs, use the command journalctl -u apt-daily.service | tail.