Ubuntu Enable Automatic Updates Unattended Upgrades
Enable Automatic Updates
This is pretty much the same from at least 14.04 to 18.10 and beyond...
50unattended-upgrades
To stop the annoying update manager pestering you to install updates, which everyone ignores (this covers all updates, not just security updates, which is all you can change in the GUI):
- Not modifying the original file avoids the nags about overwriting the package maintainer's version when the unattended-upgrades package is upgraded!
Create /etc/apt/apt.conf.d/51unattended-upgrades_on containing the below, which supersedes the contents of 50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    "${distro_id}ESM:${distro_codename}";
    "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
One-liner
sed '/-updates\|-backports\|Remove-/s#^//##; /Remove-/s#false#true#; /\/\//d; /^$/d; /Black/,/};/d' "/etc/apt/apt.conf.d/50unattended-upgrades" | sudo tee "/etc/apt/apt.conf.d/51unattended-upgrades_on"
10periodic, 20auto-upgrades
Depending on version you may have one or other or both of /etc/apt/apt.conf.d/10periodic or /etc/apt/apt.conf.d/20auto-upgrades
- Not modifying the original file avoids the nags about overwriting the package maintainer's version when the unattended-upgrades package is upgraded!
Create /etc/apt/apt.conf.d/21periodic-auto-upgrades_on which will supersede either /etc/apt/apt.conf.d/10periodic or /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
Other useful options:
Setting RandomSleep to "1" makes it start pretty much as soon as anacron launches it, rather than waiting around pointlessly.
APT::Periodic::RandomSleep "1";
For more logging, add:
APT::Periodic::Verbose "2";
One-liner
cat "/etc/apt/apt.conf.d/10periodic" "/etc/apt/apt.conf.d/20auto-upgrades" 2>/dev/null | sed "s/0/1/" | sort -u | sudo tee "/etc/apt/apt.conf.d/21periodic-auto-upgrades_on"
Resetting 10periodic, 20auto-upgrades, 50unattended-upgrades
A remove with --purge will remove all three; the reinstall should then set them back to defaults.
sudo apt-get remove --purge update-notifier-common unattended-upgrades
sudo apt-get install --reinstall update-notifier-common unattended-upgrades update-manager
Deleting old kernels
With 16.04 and earlier there is/was a tendency for kernels to not get deleted automatically. This is because they get tagged as 'manual' (due to a bug or being manually updated) and only ones tagged 'auto' get removed by unattended-upgrades.
These two commands show how they are currently tagged.
apt-mark showauto 'linux-.*'
apt-mark showmanual 'linux-.*'
To fix this and tag all as auto (you will get a lot of errors from ones not installed etc.):
sudo apt-mark auto '^linux-.*'
These will then get removed on the next update cycle, or can be removed immediately with 'sudo apt-get autoremove'.
Older and specialised info below for reference
Permissions
Check that the apt entry in /etc/cron.daily is executable; mine somehow became non-executable, and it must be executable (i.e. chmod 755 /etc/cron.daily/apt !)
This has happened at least twice for unknown reasons.
$ ls -la /etc/cron.daily
total 108
drwxr-xr-x   2 root root  4096 Nov 19 21:40 .
drwxr-xr-x 199 root root 12288 Dec  1 13:43 ..
-rwxr-xr-x   1 root root   311 Mar  5  2010 0anacron
-rwxr-xr-x   1 root root   219 Apr 10  2012 apport
-rw-r--r--   1 root root 15466 Sep  6 23:14 apt
-rwxr-xr-x   1 root root   314 Apr  9  2010 aptitude
Should be
$ sudo chmod a+x /etc/cron.daily/apt
[sudo] password for xxxxx:
$ ls -la /etc/cron.daily
total 108
drwxr-xr-x   2 root root  4096 Nov 19 21:40 .
drwxr-xr-x 199 root root 12288 Dec  1 13:43 ..
-rwxr-xr-x   1 root root   311 Mar  5  2010 0anacron
-rwxr-xr-x   1 root root   219 Apr 10  2012 apport
-rwxr-xr-x   1 root root 15466 Sep  6 23:14 apt
-rwxr-xr-x   1 root root   314 Apr  9  2010 aptitude
Adding other repositories
Check out /var/lib/apt/lists, looking for files ending in 'Release'. You need to find the origin (o=) and archive (a=) pair of the repository you want.
Adding Virtualbox to unattended-upgrade
$ head /var/lib/apt/lists/download.virtualbox.org_virtualbox_debian_dists_oneiric_Release
Origin: Oracle Corporation
Label: Oracle Corporation
Codename: oneiric
Date: Tue, 03 Apr 2012 16:52:39 +0000
Architectures: i386 amd64
Components: non-free contrib
So, origin=Oracle Corporation, but no archive is mentioned.
They are separated in the config file by a space or a colon (info in the /etc/cron.daily/apt file)
$ head /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
    "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed";
    "${distro_id} ${distro_codename}-backports";
    "Oracle Corporation:";
};
It turns out the archive is an empty field, so this works (without the colon it thinks 'Oracle' is the origin and 'Corporation' is the archive, as it drops to using a space delimiter).
To test without causing problems, use --dry-run (note mine was up to date; usually you get a slew of output here)
$ sudo unattended-upgrade --debug --dry-run
Initial blacklisted packages:
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=oneiric-security', 'o=Ubuntu,a=oneiric-updates', 'o=Oracle Corporation,a=']
pkgs that look like they should be upgraded:
Fetched 0 B in 0s (0 B/s)
blacklist: []
Packages that are auto removed: ''
InstCount=0 DelCount=0 BrokenCout=0
No packages found that can be upgraded unattended
- Note: if you are running /var/log from /tmp you will get errors, as it assumes the /var/log/unattended-upgrades folder is there (it isn't); however, when it's running normally from cron this folder gets created. You can get around this by specifying an alternate log directory with this in 50unattended-upgrades:
Unattended-Upgrade::LogDir "/tmp/";
Adding xbmc to unattended-upgrade
Using same method as above...
$ head /var/lib/apt/lists/ppa.launchpad.net_team-xbmc_unstable_ubuntu_dists_oneiric_Release
Origin: LP-PPA-team-xbmc-unstable
Label: XBMC Unstable
Suite: oneiric
Version: 11.10
Codename: oneiric
Date: Fri, 23 Mar 2012 23:23:05 UTC
Architectures: amd64 armel i386 powerpc
Components: main
Description: Ubuntu Oneiric 11.10
Generally speaking, if it doesn't tell you the archive name try just omitting it "LP-PPA-team-xbmc-unstable:" , otherwise try appending the distro name, "LP-PPA-team-xbmc-unstable:${distro_codename}". (perhaps if you see the 'Suite:' present it means this is what needs setting as the archive name??)
Run "sudo unattended-upgrade --debug --dry-run"; from the output you should be able to see the archive value it is using. If you don't see this and it isn't working, then the problem probably lies with using the wrong one.
2012-04-06 16:55:45,032 DEBUG Checking: xbmc (["<Origin component:'main' archive:'oneiric' origin:'LP-PPA-team-xbmc-unstable' label:'XBMC Unstable' site:'ppa.launchpad.net' isTrusted:True>"])
$ head /etc/apt/apt.conf.d/50unattended-upgrades
// Automatically upgrade packages from these (origin, archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id} ${distro_codename}-security";
    "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed";
    "${distro_id} ${distro_codename}-backports";
    "LP-PPA-team-xbmc-unstable:${distro_codename}";
};
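The Release-file lookup described in the two sections above, as an added example that is not part of the original page: a shell helper that reads Origin and Suite from each *Release file and prints the matching Allowed-Origins entry. It assumes the archive (a=) value is the Suite field and is empty when that field is absent, which agrees with both debug outputs shown; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: turn apt Release headers into Allowed-Origins entries.
# Assumption: the archive (a=) is the Suite: field, empty when absent.

# allowed_origin_entry FILE [CODENAME]
# Prints "origin:archive"; and fails if the file has no Origin: field.
allowed_origin_entry() {
    awk -v cn="${2:-}" '
        /^Origin:/ { sub(/^Origin:[ \t]*/, ""); sub(/[ \t\r]+$/, ""); origin = $0; next }
        /^Suite:/  { sub(/^Suite:[ \t]*/, "");  sub(/[ \t\r]+$/, ""); suite = $0; next }
        /^(MD5Sum|SHA1|SHA256|SHA512):/ { exit }  # header is over, skip the hash lists
        END {
            if (origin == "") exit 1
            # Write the release name as the config variable, as the stock file does.
            if (cn != "" && index(suite, cn) == 1)
                suite = "${distro_codename}" substr(suite, length(cn) + 1)
            # Always emit the colon form so an origin containing spaces is not split.
            printf "\"%s:%s\";\n", origin, suite
        }
    ' "$1"
}

# list_candidate_origins DIR [CODENAME] -> one de-duplicated entry per repository
list_candidate_origins() {
    for f in "$1"/*Release; do
        [ -f "$f" ] || continue
        allowed_origin_entry "$f" "${2:-}" || echo "no Origin field in $f" >&2
    done | sort -u
}

# Constructed sample data, modelled on the two Release headers shown above.
make_samples() {
    d=$(mktemp -d)
    printf 'Origin: Oracle Corporation\nLabel: Oracle Corporation\nCodename: oneiric\n' \
        > "$d/download.virtualbox.org_virtualbox_debian_dists_oneiric_Release"
    printf 'Origin: LP-PPA-team-xbmc-unstable\nLabel: XBMC Unstable\nSuite: oneiric\nCodename: oneiric\n' \
        > "$d/ppa.launchpad.net_team-xbmc_unstable_ubuntu_dists_oneiric_Release"
    echo "$d"
}

# On a real system: list_candidate_origins /var/lib/apt/lists "$(lsb_release -cs)"
samples=$(make_samples)
list_candidate_origins "$samples" oneiric
rm -rf "$samples"
```

Review each printed entry before pasting it into the Allowed-Origins block: every origin listed there is a repository whose packages will be installed as root without prompting.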
Forcing a rerun to test cron working
#stop
sudo service stop anacron
sudo service stop cron
sudo rm -rf /var/run/unattend* /var/run/cron* /var/run/anacron*
sudo rm -rf /var/lib/apt/periodic/*
#restart
sudo service start cron
sudo anacron -fn
12.10 onwards (checked to 13.10 at time of writing)
#stop
sudo service anacron stop
sudo service cron stop
sudo rm -rf /var/run/unattend* /var/run/cron* /var/run/anacron*
sudo rm -rf /var/lib/apt/periodic/*
#restart
sudo service cron start
sudo anacron -fn
How it works
Several things will trigger it to run.
a) It is fired off from the running of /etc/cron.daily by cron, specifically /etc/cron.daily/apt. Cron runs /etc/cron.daily at 6.25 am (see /etc/crontab)
b) Anacron runs from upstart? and it will fire off /etc/cron.daily after 5 minutes of uptime (see /etc/anacrontab)
- Note APT::Periodic::RandomSleep can be set in /etc/apt/apt.conf.d/10periodic, but defaults to 1800s (30 mins) so no updates may happen till 30 mins after /etc/cron.daily/apt runs.
Log
If it works things should get logged in this folder, /var/log/unattended-upgrades
Fixing Key errors
W:GPG error: http://extras.ubuntu.com precise Release: The following signatures were invalid: BADSIG 16126D3A3E5C1192 Ubuntu Extras Archive Automatic Signing Key
Run this to add the key, replacing the BADSIG code with the one in your error
$ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192
You should then see all your keys (others snipped out); as you can see, the last bit of the 'Key fingerprint' is the same code.
$ sudo apt-key finger
/etc/apt/trusted.gpg
--------------------
<SNIP>
pub   1024D/3E5C1192 2010-09-20
      Key fingerprint = C474 15DF F48C 0964 5B78 6094 1612 6D3A 3E5C 1192
uid   Ubuntu Extras Archive Automatic Signing Key <ftpmaster@ubuntu.com>
If it is still a problem, try
$ sudo apt-key del 16126D3A3E5C1192
$ sudo apt-get clean # Remove cached packages
$ sudo mv /var/lib/apt/lists /tmp/ # Move existing mirror info
$ sudo mkdir -p /var/lib/apt/lists/partial # Recreate directory structure
$ sudo apt-get clean
$ sudo apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 16126D3A3E5C1192
$ sudo apt-get update # Fetch mirror info
Making your own apt sources.list
Update: Ubuntu >= 12.04
- TO KEEP PRE-RELEASE (BETA) VERSIONS UPDATED also add just "${distro_id}:${distro_codename}" , i.e. without -security or -updates
// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
    "${distro_id}:${distro_codename}-backports";
};
- "Oracle Corporation:" does virtualbox, assuming "deb http://download.virtualbox.org/virtualbox/debian precise contrib" PPA is added to /etc/apt/sources.list
- "LP-PPA-app-review-board:${distro_codename}" does the ubuntu extras, viz "unsupported packages from this untrusted PPA", see /var/lib/apt/lists/extras.ubuntu.com_ubuntu_dists_precise_Release
- "LP-PPA-libreoffice:${distro_codename}" does LibreOffice, see /var/lib/apt/lists/ppa.launchpad.net_libreoffice_ppa_ubuntu_dists_precise_Release
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
    "LP-PPA-app-review-board:${distro_codename}";
    "LP-PPA-libreoffice:${distro_codename}";
    "Oracle Corporation:";
//  "${distro_id}:${distro_codename}-proposed";
    "${distro_id}:${distro_codename}-backports";
};
Other useful Allowed-Origins
"Google LLC:stable"; "LP-PPA-linuxgndu-sqlitebrowser:focal"; "TeamViewer GmbH:stable";
Troubleshooting
If running unattended-upgrade shows this in the output but doesn't do anything, report an error or say anything else helpful, then suspect the archive settings in the 'allowed origins' section above.
e.g.
adjusting candidate version: '<Version: package:'libreoffice-calc' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-common' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-core' version:'1:3.5.3-0ubuntu1'>'
adjusting candidate version: '<Version: package:'libreoffice-draw' version:'1:3.5.3-0ubuntu1'>'
If it doesn't update from a source you added yourself and it doesn't mention the archive name in the '_Release' file, try using ${distro_codename}. This fixed the above for libreoffice updates not working. Note the above log shows the current version, the version it could update to was 1:3.5.4~rc2.
Running this should show you the install candidate (1:3.5.4~rc2) and the current version (1:3.5.3-0)
apt-cache show libreoffice-common
You should then see something like the below (haven't got to bottom of "conffile prompt and needs to be upgraded manually", because running update manually doesn't trigger this. This was a fixed bug from ages ago.)
$ cat unattended-upgrades.log
2012-04-17 07:35:44,245 INFO Initial blacklisted packages:
2012-04-17 07:35:44,245 INFO Starting unattended upgrades script
2012-04-17 07:35:44,245 INFO Allowed origins are: ['o=Ubuntu,a=precise', 'o=Ubuntu,a=precise-security', 'o=Ubuntu,a=precise-updates', 'o=LP-PPA-app-review-board,a=precise', 'o=Oracle Corporation,a=']
2012-04-17 07:37:23,228 WARNING Package 'libgtk-3-0' has conffile prompt and needs to be upgraded manually
2012-04-17 07:37:42,214 INFO package 'gir1.2-gtk-3.0' not upgraded
2012-04-17 07:37:56,185 INFO package 'gvfs' not upgraded
2012-04-17 07:37:58,019 INFO package 'gvfs-backends' not upgraded
2012-04-17 07:38:15,499 INFO package 'libgail-3-0' not upgraded
2012-04-17 07:38:30,845 INFO package 'libgtk-3-0' not upgraded
2012-04-17 07:38:33,210 INFO package 'libgtk-3-bin' not upgraded
2012-04-17 07:38:35,580 INFO package 'libgtk-3-common' not upgraded
2012-04-17 07:38:37,939 INFO package 'libgtk-3-dev' not upgraded
2012-04-17 07:39:08,353 INFO Packages that are upgraded: aisleriot apport apport-gtk apport-retrace cpp-4.6 empathy empathy-common example-content file-roller g++-4.6 gcc-4.6 gcc-4.6-base gcc-4.6-base:i386 gcc-4.6-multilib gedit gedit-common gir1.2-dbusmenu-glib-0.4 gir1.2-dbusmenu-gtk-0.4 gir1.2-gdesktopenums-3.0 gir1.2-gdkpixbuf-2.0 gir1.2-gnomedesktop-3.0 gir1.2-gtksource-3.0 gir1.2-panelapplet-4.0 gir1.2-pango-1.0 gnome-control-center gnome-control-center-data gnome-desktop3-data gnome-panel gnome-panel-data gnome-screenshot gnome-settings-daemon gnome-system-log gnome-system-monitor gnome-terminal gnome-terminal-data gsettings-desktop-schemas gsettings-desktop-schemas-dev gvfs-bin gvfs-common gvfs-daemons:i386 gvfs-fuse gvfs-libs gvfs-libs:i386 gvfs:i386 lib32gcc1 lib32gomp1 lib32quadmath0 libc-bin libc-dev-bin libc6 libc6-dev libc6-dev-i386 libc6-i386 libc6:i386 libdbusmenu-glib4 libdbusmenu-gtk3-4 libdbusmenu-gtk4 libgcc1 libgcc1:i386 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-0:i386 libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgfortran3 libglib2.0-0 libglib2.0-0:i386 libglib2.0-bin libglib2.0-data libglib2.0-dev libgnome-control-center1 libgnome-desktop-3-2 libgnome-desktop-3-dev libgomp1 libgomp1:i386 libgtksourceview-3.0-0 libgtksourceview-3.0-common libmusicbrainz3-6 libnautilus-extension1a libobjc3 libpanel-applet-4-0 libpango1.0-0 libpango1.0-0:i386 libpango1.0-dev libquadmath0 librsvg2-2 librsvg2-2:i386 librsvg2-common librsvg2-common:i386 libstdc++6 libstdc++6-4.6-dev libstdc++6:i386 mousetweaks multiarch-support nautilus nautilus-data nautilus-sendto-empathy nscd python-apport python-problem-report python-qt4 python-qt4-dbus tomboy transmission-common transmission-gtk ttf-wqy-microhei upstart usb-creator-common usb-creator-gtk vinagre vino yelp-xsl
2012-04-17 07:39:08,353 INFO Writing dpkg log to '/var/log/unattended-upgrades/unattended-upgrades-dpkg_2012-04-17_07:39:08.353666.log'
2012-04-17 07:40:52,196 INFO All upgrades installed
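A check for the situation in the log above, added here as an example and not part of the original page: it lists the packages the most recent run left unpatched (conffile prompt or "not upgraded") and flags a run that never reached a closing message. The function names and the sample log are constructed, with lines modelled on the log and debug output shown on this page.

```shell
#!/bin/sh
# Added example: report packages the latest unattended-upgrades run skipped.
# Assumption: message wording matches the log excerpts on this page.

# held_back_last_run LOGFILE -> "reason<TAB>package" lines for the last run only
held_back_last_run() {
    awk -F"'" '
        # A new run starts: forget whatever earlier runs reported.
        /Starting unattended upgrades script/ { split("", held); done = "" }
        / WARNING Package .* has conffile prompt/ { held[$2] = "conffile-prompt" }
        / INFO package .* not upgraded/ { if (!($2 in held)) held[$2] = "not-upgraded" }
        /All upgrades installed|No packages found that can be upgraded unattended/ { done = "yes" }
        END {
            for (p in held) print held[p] "\t" p
            if (done == "") print "incomplete-run\t-"   # interrupted or still running
        }
    ' "$1" | sort
}

# check_held_back LOGFILE -> prints findings and returns 1 if there are any
check_held_back() {
    out=$(held_back_last_run "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: an older clean-up run followed by the run shown above.
sample_log() {
    cat <<'EOF'
2012-04-16 07:35:00,000 INFO Starting unattended upgrades script
2012-04-16 07:36:00,000 INFO package 'old-pkg' not upgraded
2012-04-16 07:37:00,000 INFO All upgrades installed
2012-04-17 07:35:44,245 INFO Starting unattended upgrades script
2012-04-17 07:37:23,228 WARNING Package 'libgtk-3-0' has conffile prompt and needs to be upgraded manually
2012-04-17 07:37:56,185 INFO package 'gvfs' not upgraded
2012-04-17 07:38:30,845 INFO package 'libgtk-3-0' not upgraded
2012-04-17 07:40:52,196 INFO All upgrades installed
EOF
}

# On a real system: check_held_back /var/log/unattended-upgrades/unattended-upgrades.log
log=$(mktemp)
sample_log > "$log"
check_held_back "$log" || echo "the packages above need a manual upgrade"
rm -f "$log"
```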