Automatic updates in Debian

Regularly installing software updates is one of the most basic measures to keep a computer system safe. However, searching for and installing those updates is a tedious job that lends itself to some degree of automation. This article will show you how to configure automatic updates in Debian.

(2016-04-14 Updated for Debian Jessie.)

Automatic updates? On my server?

Lots of system administrators caution against automatic updates because any update might break some delicate component or configuration. So you are told to review each update before installing it. But is this really necessary? Well, it depends.

If you are running Debian Sid (aka unstable) you should not be too surprised when an update indeed gets some part of your system into trouble. (Then again, if you are running Debian Sid on an important production system you will probably face a bunch of other problems anyway.) Similarly, if you create some fragile, highly customized setup that depends on a specific version of some package then a “careless” software update might of course damage this setup.

However, if you are running Debian stable with only a handful of applications installed and a sane configuration then keeping your system up to date probably consists of nothing more than doing a manual aptitude update and aptitude full-upgrade every day just to accept every update anyway (hey, it’s Debian stable). Think about it: Have you ever rejected a regular update on a system like this? If not, why shouldn’t you let your system do more or less the same thing automatically? The biggest difference is that your system won’t forget to look for updates like your poor old brain does from time to time.

So after having justified our cause let’s move on to the technical details of configuring automatic updates in Debian.

Installation

Install and activate the unattended-upgrades package (it’s not activated by default after installation):

# aptitude install unattended-upgrades
# dpkg-reconfigure unattended-upgrades

Answer Yes when asked whether you want updates to be installed automatically.

Configuration

The file /etc/apt/apt.conf.d/50unattended-upgrades contains a section Unattended-Upgrade::Origins-Pattern where you configure which packages will be updated automatically. The default is to install security updates for the current release:

Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=${distro_codename},label=Debian-Security"
};

If you want all updates (not only security updates) to be installed automatically, you should first use the apt-cache policy command to find out which software sources are used on your system. Its output will look something like this (but may well be shorter if you have fewer sources activated in your sources.list file):

$ apt-cache policy | grep release
release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=non-free
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=contrib
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=non-free
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=contrib
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=non-free
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=contrib
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=main

Then adapt the configuration file to reflect the information from the apt-cache policy command:

Unattended-Upgrade::Origins-Pattern {
    "o=Debian,n=jessie";
    "o=Debian,n=jessie-updates";
    "o=Debian Backports,n=jessie-backports";
};

Instead of a line like o=Debian,n=jessie you could just as well use o=Debian,a=stable, which means the same as long as Jessie remains the stable release. When Jessie becomes oldstable, however, n=jessie will continue tracking Jessie while a=stable will automatically switch to Stretch (which then is the stable release). You have to decide what fits your situation, but I prefer n=jessie since it gives me more control over the upgrade.
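The manual step above (reading the o= and n= fields out of the apt-cache policy output and turning them into Origins-Pattern entries) can be scripted. The following is an added example, not part of the original article or of the unattended-upgrades package; it assumes POSIX sh with awk and sort, and the policy lines it parses are a constructed sample modelled on the output shown above (on a real system you would pipe apt-cache policy into it instead).

```shell
#!/bin/sh
# Added example (not from the original article): derive
# Unattended-Upgrade::Origins-Pattern entries from the "release ..." lines
# that `apt-cache policy` prints. Uses o= and n= (codename) rather than
# a= (suite), for the reason given in the article: n=jessie keeps tracking
# Jessie after it becomes oldstable.

# Constructed sample of `apt-cache policy | grep release` output.
SAMPLE_POLICY='release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=main
release v=8.4,o=Debian,a=stable,n=jessie,l=Debian,c=main'

# origins_from_policy: read "release ..." lines on stdin and print one
# "o=<origin>,n=<codename>" pattern per distinct origin/codename pair.
# Security and regular stable updates share o=Debian,n=jessie, so they
# collapse into a single entry, exactly as in the article's configuration.
origins_from_policy() {
    awk '
        /^release / {
            o = ""; n = ""
            sub(/^release /, "")          # drop the leading keyword
            split($0, f, ",")             # fields are comma separated
            for (i in f) {
                if (f[i] ~ /^o=/) o = substr(f[i], 3)
                if (f[i] ~ /^n=/) n = substr(f[i], 3)
            }
            if (o != "" && n != "") print "o=" o ",n=" n
        }' | LC_ALL=C sort -u
}

# origins_pattern_block: wrap the patterns in the apt.conf syntax used by
# /etc/apt/apt.conf.d/50unattended-upgrades.
origins_pattern_block() {
    echo "Unattended-Upgrade::Origins-Pattern {"
    origins_from_policy | while IFS= read -r pat; do
        printf '    "%s";\n' "$pat"
    done
    echo "};"
}

# Generate the block from the constructed sample.
printf '%s\n' "$SAMPLE_POLICY" | origins_pattern_block
```

Review the generated block before copying it into 50unattended-upgrades; it lists every configured source, and you may not want backports or third-party repositories upgraded unattended.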

Wrap-Up

Start a test run and check the log file /var/log/unattended-upgrades/unattended-upgrades.log for entries that show everything is working correctly (Yes, it’s unattended-upgrade in this case, without a trailing ‘s’!):

# unattended-upgrade --debug --dry-run

Now your system will regularly run update and upgrade jobs without any manual interaction needed on your side. This works on server systems running 24/7 (using cron) as well as on desktop systems which are irregularly switched on and off (using anacron, which is installed with most desktops). To verify that everything is working as expected you should every now and then take a look at the above-mentioned log file.

A note to laptop users: By default, anacron does not run while on battery power, so your laptop won’t get updates unless it is plugged in. You can change this by putting the following line into /etc/default/anacron:

ANACRON_RUN_ON_BATTERY_POWER=yes

Further reading

Documentation for the unattended-upgrades package can be found in /usr/share/doc/unattended-upgrades/README.