Set up automatic unattended updates for Ubuntu 20.04

How do I configure automatic unattended updates for Ubuntu Linux 20.04 LTS “Focal Fossa” server?

Server security is an essential task for sysadmins. One of the most fundamental ways to keep an Ubuntu server secure is to install security updates on time to patch vulnerabilities. The unattended-upgrades package is installed by default, but you still need to configure a few options. It automatically installs software updates, including security updates. This page shows how to use the unattended-upgrades package to install security updates automatically when the Ubuntu security team releases them.
Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Ubuntu Linux 20.04 LTS
Est. reading time: 2 minutes

Automatic unattended updates for Ubuntu 20.04 LTS

  1. Update the Ubuntu 20.04 LTS server for security patches, run:
    [admin@aws-ec2-007]$ sudo apt update && sudo apt upgrade
  2. Install unattended upgrades on Ubuntu if not installed. Type the following apt command:
    [admin@aws-ec2-007]$ sudo apt install unattended-upgrades apt-listchanges bsd-mailx
  3. Turn on unattended security updates, run:
    [admin@aws-ec2-007]$ sudo dpkg-reconfigure -plow unattended-upgrades
  4. Configure automatic unattended updates, enter:
    [admin@aws-ec2-007]$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
    Set up alert email ID:
    Unattended-Upgrade::Mail "vivek@server1.cyberciti.biz";
    Automatically reboot Ubuntu box WITHOUT CONFIRMATION for kernel updates:
    Unattended-Upgrade::Automatic-Reboot "true";
    Finally edit the /etc/apt/listchanges.conf and set email ID:
    email_address=vivek@server1.cyberciti.biz
    Save and close the file.

    It is best to have a working email server so that you receive the alerts. You can always use AWS SES with Postfix MTA to route email safely.

  5. Verify that it is working by running the following command:
    [admin@aws-ec2-007]$ sudo unattended-upgrades --dry-run
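
A configuration audit for the settings made in steps 3 to 5, added here as an example and not part of the original tutorial. It reads text in `apt-config dump` format; the function names, the sample dump and the example.com address are constructed for illustration, and the APT::Periodic keys and Automatic-Reboot-Time are standard APT/unattended-upgrades options that the steps above do not show.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit unattended-upgrades
# settings, given text in `apt-config dump` format on stdin.

# Print the value of scalar option $1 from $CONF (empty if unset).
get_opt() {
    printf '%s\n' "$CONF" | sed -n "s/^$1 \"\(.*\)\";\$/\1/p" | tail -n 1
}

# Print one finding per line; the return status is the number of FAIL findings.
audit_uu() {
    CONF=$(cat)
    fails=0
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        case "$(get_opt "$key")" in
            ''|0) echo "FAIL $key is 0 or unset"; fails=$((fails + 1)) ;;
            *)    echo "OK   $key" ;;
        esac
    done
    if printf '%s\n' "$CONF" |
        grep -q '^Unattended-Upgrade::Allowed-Origins:: ".*-security";$'; then
        echo "OK   security origin allowed"
    else
        echo "FAIL no -security origin in Allowed-Origins"; fails=$((fails + 1))
    fi
    if [ -n "$(get_opt Unattended-Upgrade::Mail)" ]; then
        echo "OK   reports mailed to $(get_opt Unattended-Upgrade::Mail)"
    else
        echo "WARN Unattended-Upgrade::Mail unset: no email report is sent"
    fi
    if [ "$(get_opt Unattended-Upgrade::Automatic-Reboot)" = "true" ]; then
        when=$(get_opt Unattended-Upgrade::Automatic-Reboot-Time)
        echo "INFO host reboots without confirmation at ${when:-now}"
    else
        echo "WARN Automatic-Reboot off: kernel fixes wait for a manual reboot"
    fi
    return "$fails"
}

# Constructed sample in `apt-config dump` format (not captured from a real host).
SAMPLE_DUMP='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Allowed-Origins:: "${distro_id}:${distro_codename}-security";
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::Automatic-Reboot "true";'

# On a real host, use instead:  apt-config dump | audit_uu
printf '%s\n' "$SAMPLE_DUMP" | audit_uu || echo "audit found $? failing check(s)"
```
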

Ubuntu automatic unattended updates sample email alert

Configuring Unattended-Upgrade::Mail in the 50unattended-upgrades file enables unattended-upgrades to email a sysadmin a report detailing any packages that need upgrading or have problems. The Ubuntu server sends an update report via email.

Displaying automatic updates logs from the CLI

Now that you have set up automatic updates on Ubuntu Server 20.04 LTS, it is time to look at the logs. You can use a command such as grep, cat, more, or egrep as follows:
[admin@aws-ec2-007]$ sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
[admin@aws-ec2-007]$ sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log
[admin@aws-ec2-007]$ sudo grep 'linux-image' /var/log/unattended-upgrades/unattended-upgrades.log

And you are done. I hope this helps you keep your server or virtual machine running in the cloud current with the latest security updates automatically.

Conclusion

You learned how to configure automatic unattended updates to keep your Ubuntu Linux based server up-to-date. It is one of the simplest and easiest ways to protect your server from vulnerabilities. This method is also beneficial when you administer multiple servers, since manually updating the system and applying patches can be a very time-consuming process. However, for a large number of servers/VMs, I would recommend something like Ansible.


Comments
  • Pedro Aug 19, 2020 @ 9:28

    When I run
    unattended-upgrades --dry-run
    It said pending. Why?

    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/software-properties-common_0.98.9.2_all.deb /var/cache/apt/archives/python3-software-properties_0.98.9.2_all.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/ubuntu-release-upgrader-core_1%3a20.04.24_all.deb /var/cache/apt/archives/python3-distupgrade_1%3a20.04.24_all.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/wireguard-tools_1.0.20200513-1~20.04.2_amd64.deb /var/cache/apt/archives/wireguard_1.0.20200513-1~20.04.2_all.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/sudo_1.8.31-1ubuntu1.1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/xz-utils_5.2.4-1ubuntu1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/bcache-tools_1.0.8-3ubuntu0.1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    apt-listchanges: Reading changelogs...
    apt-listchanges: Reading changelogs...
    /usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/liblzma5_5.2.4-1ubuntu1_amd64.deb 
    /usr/bin/dpkg --status-fd 10 --no-triggers --configure liblzma5:amd64 
    /usr/bin/dpkg --status-fd 10 --configure --pending 
    
    • 🐧 Vivek Gite Aug 19, 2020 @ 9:29

      Remove the --dry-run option, which just simulates installing updates and does not actually apply updates.

  • Gabriel Sep 17, 2020 @ 15:53

    Hello, I ran the command with and without debug mode and it didn’t send me a notification mail (gmail). The configuration files are exactly the same as in the publication.

    Please could you help me?

  • TOM Jan 5, 2021 @ 6:47

    I did everything as in your tutorial, but when I run the command: sudo unattended-upgrades --dry-run
    There is no result. What does that mean?

  • RL Feb 3, 2021 @ 17:02

    I don't have a personal email domain set up. What should I use as System mail name under Postfix Configuration?

  • Tato Feb 5, 2021 @ 10:35

    Is there a way to schedule it to happen on a specific weekday at a given hour?

    • 🐧 Vivek Gite Apr 9, 2021 @ 3:58

      I don’t think so. But you can write a script. Then set up a cron job for that purpose, I guess.

  • Milo Johnston Apr 9, 2021 @ 3:56

    I am using this method to update my community forum hosted with Ubuntu 20.04 LTS server. So far worked like a charm. I love those email updates telling me about system updates installed.

  • Kostas May 4, 2021 @ 15:30

    Is there a way to make it upgrade packages ONLY when there are security fixes for them?
    Because, doing it for every new version sounds more like asking for trouble for no obvious gain…

    • 🐧 Vivek Gite May 4, 2021 @ 18:43

      The "${distro_id}:${distro_codename}-security"; line only applies security updates:

      Unattended-Upgrade::Allowed-Origins {
          "${distro_id}:${distro_codename}-security";
      };
