Automatic Updates on Debian

Automatic updates are highly recommended. Configuring your systems to update their packages automatically improves stability, performance and, most importantly, security. Vulnerabilities and bugs are routinely discovered after software is released, and updates are how the fixes reach your systems. Setting up automatic updates means the system patches itself periodically instead of waiting for you to check for and install updates by hand, which keeps it current for the whole of the release's life-cycle; a fix that is published but never installed protects nothing.

Automatic Updates on Debian via unattended-upgrades

On Debian, automatic updates are provided by the unattended-upgrades package. Install it with the following command.

sudo apt install unattended-upgrades

This installs the unattended-upgrades package with a default configuration. As shipped, it installs updates only from the base release and its security archive. You can change this by editing the package's configuration file at /etc/apt/apt.conf.d/50unattended-upgrades. The exact contents depend on the Debian release (recent Debian releases express the same selection as Unattended-Upgrade::Origins-Pattern entries rather than Allowed-Origins), so read the installed file rather than copying an example blindly. The package selection area of this file, in the Allowed-Origins form, looks like this:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Lines starting with // are comments. Remove the slashes to enable additional sources. Enabling the "-updates" line lets unattended-upgrades also apply the non-security updates published between point releases, and is recommended. Leave "-proposed" and "-backports" commented out on production systems: proposed-updates holds packages still being tested for the next point release, and backports ships newer upstream versions that can change behaviour without warning.

You can also blacklist specific packages that you do not want updated. Avoid this where you can: a blacklisted package stops receiving security fixes along with everything else. There are cases where a package must be held at a particular version for compatibility, and you can do so by adding it to the blacklist (apt-mark hold, which applies to every apt operation, is the other common way). Note that each blacklist entry is a regular expression matched from the start of the package name, so "vim" also matches vim-common, vim-runtime and every other package whose name begins with vim; append $ to match the name exactly. An example that tells the system not to update vim (or anything whose name starts with vim) is provided below.

Unattended-Upgrade::Package-Blacklist {
      "vim";
};
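The two configuration blocks above are easy to misread: the // comments decide which origins are live, and a blacklist entry such as "vim" matches more than the one package. The script below is an added example, not code from the original post or from the unattended-upgrades project. It audits a constructed config fragment offline: it lists the active Allowed-Origins with the ${distro_id} and ${distro_codename} placeholders expanded (values are passed in rather than read from the running system), and it checks package names against the Package-Blacklist using the same start-anchored regular-expression matching that unattended-upgrades applies. On a real host, point the functions at /etc/apt/apt.conf.d/50unattended-upgrades instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the original post or the unattended-upgrades project).
# Audit an unattended-upgrades config fragment offline: which origins are
# active, and which package names a Package-Blacklist really excludes.
set -u

# Constructed sample config for this demo, written to a temp file.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Package-Blacklist {
      "vim";
      "libc6$";
};
EOF

# Print the active entries of one configuration block, one per line, with the
# quotes stripped.  Lines starting with // are APT comments and are skipped.
# $1 = block name, $2 = config file
conf_entries() {
    sed -n "/^$1 {/,/^};/p" "$2" \
      | grep -v '^[[:space:]]*//' \
      | sed -n 's/^[[:space:]]*"\(.*\)";[[:space:]]*$/\1/p'
}

# Expand the ${distro_id}:${distro_codename} placeholders.  unattended-upgrades
# fills them from the running release; here they are explicit arguments.
# $1 = entry, $2 = distro id (e.g. Debian), $3 = codename (e.g. bookworm)
expand_origin() {
    printf '%s\n' "$1" \
      | sed 's/[$]{distro_id}/'"$2"'/g; s/[$]{distro_codename}/'"$3"'/g'
}

# List the origins unattended-upgrades would actually accept, one per line.
# $1 = config file, $2 = distro id, $3 = codename
list_active_origins() {
    conf_entries 'Unattended-Upgrade::Allowed-Origins' "$1" \
      | while IFS= read -r entry; do expand_origin "$entry" "$2" "$3"; done
}

# Decide whether a package name is excluded.  unattended-upgrades applies each
# Package-Blacklist entry as a regular expression anchored at the start of the
# name only (Python re.match).  grep -E with a leading ^ reproduces that:
# "vim" also excludes vim-common, while "libc6$" excludes libc6 but not
# libc6-dev.  Returns 0 if excluded, 1 otherwise.
# $1 = package name, $2 = config file
is_blacklisted() {
    pkg="$1"
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        if printf '%s\n' "$pkg" | grep -Eq "^($pattern)"; then
            return 0
        fi
    done <<EOF
$(conf_entries 'Unattended-Upgrade::Package-Blacklist' "$2")
EOF
    return 1
}

# Demo run against the constructed sample.
echo "Active origins (as Debian/bookworm):"
list_active_origins "$SAMPLE_CONF" Debian bookworm
for p in vim vim-common libc6 libc6-dev bash; do
    if is_blacklisted "$p" "$SAMPLE_CONF"; then
        echo "$p: excluded by blacklist"
    else
        echo "$p: eligible for upgrade"
    fi
done
```

Run it on a real system by replacing SAMPLE_CONF with the installed file; if the audit shows a package you care about landing in the "excluded" column unexpectedly, anchor the offending blacklist entry with $.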

Finally, you can adjust how often the automatic updates run in /etc/apt/apt.conf.d/20auto-upgrades. If that file is missing, running dpkg-reconfigure -plow unattended-upgrades creates it. Each value is an interval in days for one stage of the update process, and a value of "0" disables that stage.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

In this example, unattended-upgrades refreshes the package lists every day, downloads and installs upgrades every day, and cleans the local package cache every 7 days. You can adjust these values as desired, but the defaults suit almost all systems. Keep Update-Package-Lists, Download-Upgradeable-Packages and Unattended-Upgrade in sync, as they run in sequence: with a stale package list there is nothing new to install. On systemd-based Debian the schedule is driven by the apt-daily.timer and apt-daily-upgrade.timer units rather than cron, so confirm those timers are active. Before trusting a new configuration, run unattended-upgrades with --dry-run --debug as root to see what it would do, and afterwards check /var/log/unattended-upgrades/unattended-upgrades.log to confirm upgrades are really being applied. Bear in mind that a kernel or libc update does not protect already-running processes until the system is rebooted; unattended-upgrades will only reboot for you if Unattended-Upgrade::Automatic-Reboot is set to "true".
