Keeping your Ubuntu system updated is one of the best ways to protect it. Security vulnerabilities are found all the time, and patches are released to fix them. If those patches do not get installed, your system stays at risk.
If you manage more than one server, checking for updates manually every day is not practical. And even on a single machine, updates are easy to forget. Ubuntu has a built-in tool called unattended-upgrades that handles this in the background for you. This guide shows you how to set up automatic updates on Ubuntu. The same steps work on other Ubuntu-based systems like Kubuntu, Linux Mint, and Elementary OS.
<strong>Prerequisite:</strong> You need a user with sudo access to follow this guide.
The unattended-upgrades package checks for updates and installs them on a schedule. It is often pre-installed on Ubuntu. If it is not on your system, run:
bashsudo apt install unattended-upgrades
The service starts on its own after install. Check it is running:
bashsystemctl status unattended-upgrades
Look for active (running) in the output. That confirms the service is ready.
The settings file is at /etc/apt/apt.conf.d/50unattended-upgrades. The defaults are fine for most people, but you can edit it to change what gets updated.
The file has an Allowed-Origins section that controls which sources are checked. Here is what each option does:
To also get regular updates, find the right line and remove the // at the start:
perl// "${distro_id}:${distro_codename}-updates"; To stop specific packages from being auto-updated, add them to the blacklist:
perlUnattended-Upgrade::Package-Blacklist {// "vim";// "libc6";}; You can also get email alerts when an update fails. Add these lines and enter your email address. You will need mailx or postfix on the server for this to work:
perlUnattended-Upgrade::Mail "your@email.com";Unattended-Upgrade::MailOnlyOnError "true";
Open /etc/apt/apt.conf.d/20auto-upgrades and check that it has these two lines:
perlAPT::Periodic::Update-Package-Lists "1";APT::Periodic::Unattended-Upgrade "1";
The "1" means each task runs every day. The first line updates the package list. The second one installs the updates.
You can also clean up old downloaded files every 7 days by adding:
perlAPT::Periodic::AutocleanInterval "7";
Rather than editing the file by hand, you can run this command to get a simple setup screen:
bashsudo dpkg-reconfigure -plow unattended-upgrades
Run a dry run to check the setup. This does not install anything:
bashsudo unattended-upgrades --dry-run --debug
Look through the output. If you see “No packages found that can be upgraded unattended”, that is normal when your system is already up to date. If errors appear, check the config file for typos.
If you want to run updates right now without waiting for the schedule, use:
bashsudo unattended-upgrades -v
The -v flag shows what is being installed. This is useful when you need an update applied straight away.
All update activity is saved to /var/log/unattended-upgrades/unattended-upgrades.log. Check it any time to see which packages were updated and when.
With unattended-upgrades running, your Ubuntu system will install security patches on its own every day. You do not have to think about it. If you ever want to change what gets updated, just edit the config files above. Any questions? Leave a comment below.
PostgreSQL (often called Postgres) is an open-source relational database system. It supports advanced features like JSON…
Xrdp is an open-source server that lets you connect to your Ubuntu machine from another computer…
Apache Tomcat is an open-source web server and Java servlet container. It is one of the…
Intelligence analysts do not use OSINT only to collect information. They use it to turn…
OSINT reconnaissance is the first stage of ethical security research. Before testing anything, a security…
Yarn is a JavaScript package manager that works with npm. It makes it easy to install,…