
Enable Automatic Updates for Ubuntu Server

Many admins tend to view Linux as a set-it-and-forget-it operating system. Once upon a time, that was a valid stance to take. The steady stream of security fixes means it no longer is.
Jan 6th, 2024 6:00am

When was the last time you ran an update for Ubuntu Server? Many admins tend to view Linux as a set-it-and-forget-it operating system. Once upon a time, that was a valid stance to take, especially during that period when people were boasting of insanely long uptimes.

But not updating a server simply so you can claim you haven't rebooted it for three years is no longer an option. Over time, unpatched software accumulates publicly known vulnerabilities, and attackers scan for exactly those. The longer you go without updating the packages on your server, the wider that exposure gets. Imagine you have the SSH server installed and it hasn't been updated for a year: it has almost certainly accumulated published CVEs in that time.

And that’s just SSH.

Imagine if just 25% of the software on your machine is out of date. Even if you let that go on for a month, that server is far more vulnerable than it should be.

That is precisely the argument in favor of enabling automatic updates. Yes, there will always be those who firmly believe this is a bad idea. After all, what happens if an update goes awry or a piece of software is upgraded that includes yet another vulnerability?

Even those caveats don't outweigh the risk of leaving out-of-date software on a server.

So, unless you have the time (or the memory) to run daily or weekly upgrades by hand, what are you to do?

You can enable automatic updates.

With automatic updates enabled, you can rest assured that critical software on your server stays patched against the latest vulnerabilities (so long as the software maintainers have published the fixes). The updated packages are downloaded and applied automatically, without any intervention on your part, and only from the repositories the configuration allows; with the stock configuration that is the security pocket. By default the server will never reboot itself after an update, so you don't have to worry about it going offline unexpectedly. The flip side is that kernel and core-library updates are not fully in effect until you do reboot, so plan those yourself.

Canonical (the company behind Ubuntu) is so confident in unattended upgrades for the server that it ships the operating system with the necessary package pre-installed.

Verify the Software Is Installed

The first step is to verify that the required package is actually present. Issue the command:

which unattended-upgrades

The output should be:

/usr/bin/unattended-upgrades
However, just because the software is installed doesn’t mean it’s configured and working.

Configure Unattended Upgrades

Log into your Ubuntu Server. To configure unattended-upgrades, we're going to use the dpkg-reconfigure tool, like so:

sudo dpkg-reconfigure -plow unattended-upgrades
After running the above command, you’ll be presented with an ncurses window asking you if you want to automatically download and install stable updates (Figure 1).

Figure 1: Selecting Yes will enable the automatic downloading and applying of stable updates.

Tab to Yes and hit Enter on your keyboard.

That’s all there is to enabling the automatic updates. Let’s see what this does.

Checking the Configuration File

If you want to see exactly what that step did, open the configuration file it wrote, /etc/apt/apt.conf.d/20auto-upgrades, for viewing with:

cat /etc/apt/apt.conf.d/20auto-upgrades

What you will see are the following two lines:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The "1" in each case means "every day": refresh the package lists daily, and run the unattended upgrade daily. Nothing needs changing in this file. There is, however, a second file in the same directory, 50unattended-upgrades, that controls what gets upgraded, and that one you can tailor. Open it for editing with the command:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Much of this file is commented out (each line that starts with //). If you comb through it, however, you'll find certain lines and/or sections are enabled. For example, we have this section:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
The above configuration enables automatic updates for security, which is defined by the line:

"${distro_id}:${distro_codename}-security";

Take a look at the lines for -updates, -proposed, and -backports, which are all commented out. Those pockets are disabled by default because they are more likely than -security to change the behaviour of installed packages: -updates carries non-security bug fixes, -proposed is the pre-release staging pocket, and -backports carries newer versions rebuilt from later Ubuntu releases.

Let's say, however, you have a reason to enable the -updates option. To do that, remove the leading //, so the line reads:

"${distro_id}:${distro_codename}-updates";

Keep scrolling and you'll find a section with a number of options that end in either "true"; or "false";. For example, there's this line:

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

If you don't want to keep unused dependencies on the system, uncomment the line by removing the leading // and change false to true, so the line reads:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

Another line is:

//Unattended-Upgrade::Automatic-Reboot "false";

Leave this one disabled unless you have a maintenance window, because you can't predict when an unattended run will start or finish, and that leads to unpredictable downtime. If you do need reboots, at least pair it with Unattended-Upgrade::Automatic-Reboot-Time (commented out a few lines further down) so they land at a known hour rather than whenever an upgrade happens to require one.

You don't need to reload anything after editing 50unattended-upgrades: the file is read afresh on every run, and the runs are triggered by the apt-daily.timer and apt-daily-upgrade.timer systemd units, not by the unattended-upgrades service (which mainly exists to finish an interrupted upgrade cleanly at shutdown). Restarting that service is harmless if you want to be thorough:

sudo systemctl restart unattended-upgrades
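Because a typo in either file silently turns automatic patching off, it is worth checking the effective policy rather than trusting that the edit took. The script below is an added example, not code from the article or from the unattended-upgrades project: it parses the two apt.conf.d files discussed above (comments stripped the way apt does, with //) and reports whether package lists are refreshed, whether the upgrade run is enabled, which Allowed-Origins pockets are active, and how the reboot and dependency-cleanup options are set. It runs against constructed sample files embedded in the script (shaped like the stock ones, not copied from any system) unless the real files at /etc/apt/apt.conf.d/ are readable. The assumed path names are the standard ones Ubuntu uses.

```shell
#!/bin/sh
# Added example (not from the article): audit an unattended-upgrades setup by
# parsing the two apt.conf.d files the article walks through. Every function
# takes file paths, so it runs against the constructed samples below or, on a
# real Ubuntu Server, against
#   /etc/apt/apt.conf.d/20auto-upgrades  and  /etc/apt/apt.conf.d/50unattended-upgrades
# Limitation: apt.conf uses //-comments, so a value containing "//" (an http URL,
# for example) would be truncated by strip_comments; neither file above has one.
set -u

# Drop // comments and blank lines so only active directives remain.
strip_comments() {
    sed -e 's://.*$::' -e '/^[[:space:]]*$/d' "$1"
}

# Value of APT::Periodic::<key> "N"; (N = run every N days, 0 = off), or "unset".
periodic_value() { # $1 = 20auto-upgrades path, $2 = key
    v=$(strip_comments "$1" \
        | sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
        | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Value of Unattended-Upgrade::<key> "..."; or "unset" when the line is commented out.
uu_value() { # $1 = 50unattended-upgrades path, $2 = key
    v=$(strip_comments "$1" \
        | sed -n "s/^[[:space:]]*Unattended-Upgrade::$2[[:space:]]*\"\([^\"]*\)\";.*/\1/p" \
        | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Succeed when "${distro_id}:${distro_codename}<suffix>"; is an active Allowed-Origins entry.
origin_enabled() { # $1 = 50unattended-upgrades path, $2 = suffix ('' = the release pocket)
    pat="\"\${distro_id}:\${distro_codename}$2\";"
    strip_comments "$1" | grep -Fq -- "$pat"
}

# Print the effective policy; return 0 only if security patches will really be applied.
audit() { # $1 = 20auto-upgrades path, $2 = 50unattended-upgrades path
    ok=0
    lists=$(periodic_value "$1" Update-Package-Lists)
    upgrade=$(periodic_value "$1" Unattended-Upgrade)
    printf 'Update-Package-Lists=%s Unattended-Upgrade=%s (days between runs; 0/unset = off)\n' \
        "$lists" "$upgrade"
    for o in '' -security -updates -proposed -backports; do
        if origin_enabled "$2" "$o"; then state=enabled; else state=disabled; fi
        printf '  origin %-10s %s\n' "${o:-release}" "$state"
    done
    printf 'Automatic-Reboot=%s Remove-Unused-Dependencies=%s\n' \
        "$(uu_value "$2" Automatic-Reboot)" "$(uu_value "$2" Remove-Unused-Dependencies)"
    case $lists in 0|unset) ok=1 ;; esac
    case $upgrade in 0|unset) ok=1 ;; esac
    origin_enabled "$2" -security || ok=1
    return "$ok"
}

# Constructed sample files shaped like the stock ones, with the article's
# Remove-Unused-Dependencies edit applied; not copies of any real system's files.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_AUTO="$SAMPLE_DIR/20auto-upgrades"
SAMPLE_50="$SAMPLE_DIR/50unattended-upgrades"
cat >"$SAMPLE_AUTO" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat >"$SAMPLE_50" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
//Unattended-Upgrade::Automatic-Reboot "false";
EOF

# Prefer the live files when present; otherwise show the run on the samples.
if [ -r /etc/apt/apt.conf.d/20auto-upgrades ] && [ -r /etc/apt/apt.conf.d/50unattended-upgrades ]; then
    audit /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/50unattended-upgrades \
        || echo 'WARNING: security updates are NOT being applied automatically'
else
    audit "$SAMPLE_AUTO" "$SAMPLE_50" || echo 'WARNING: sample policy would not apply security updates'
fi
```

On a real server, follow the audit with sudo unattended-upgrade --dry-run --debug, which parses the live configuration and lists what the next run would upgrade without touching anything; a typo in 50unattended-upgrades shows up there immediately rather than as weeks of silently skipped patches.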

Congratulations, you’ve just enabled unattended-upgrades on Ubuntu Server and configured it to meet your needs.
