Setting up automatic upgrades with unattended-upgrades

Write tutorials for Linux Mint here
More tutorials on https://github.com/orgs/linuxmint/discu ... /tutorials and (archive) on https://community.linuxmint.com/tutorial
Forum rules
Don't add support questions to tutorials; start your own topic in the appropriate sub-forum instead. Before you post read forum rules
Post Reply
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

In some cases you may wish to set up automatic upgrades for Linux Mint. This tutorial will show you the basics on how to do this. For those interested I'll add a comment below with some tips on how to configure it for repositories other than Linux Mint and Ubuntu.

The tutorial is written for Linux Mint 17.2 Rafaela. It does not work as-is on Linux Mint 18.

Before you do this!
Some food for thought beforehand as to whether you should enable automatic upgrades, as it goes against Linux Mint's policy of the user being in control of upgrades.
  • You can configure Update Manager as to how often it will check for, and thus show, available upgrades. (From its menu select Edit > Preferences, go to Auto-Refresh tab, and configure as needed.) For example set it to updating once a week. This may be a better approach (optionally combined with only installing security upgrades automatically).
  • If you have installed Linux Mint for somebody else (or yourself :)) and want to use automatic upgrades for them, consider they will not be able to tell you "I just updated and now LibreOffice won't open" or "I updated yesterday and today my computer doesn't boot." For problem diagnosis you can of course go through /var/log/dpkg.log yourself when somebody comes to you with a problem, to check what upgrades have been applied when that could have caused the problem. But having the user themselves be able to give you that information can be a time saver.
  • It would also allow the users some form of control. "I have a paper due the day after tomorrow, so I'll postpone upgrades till then to not take any risk having to call <insert your name here> tomorrow in panic if the computer doesn't work." Perhaps this is a little overcautious, but there you have it.
Installation
If not already installed, install the package unattended-upgrades. Either using Software Manager or with the command:

Code: Select all

apt update && apt install unattended-upgrades
Configuration — Part I
First step is to configure from where automatic upgrades will be installed. You configure this in the file /etc/apt/apt.conf.d/50unattended-upgrades. To edit it run this command (that is for Cinnamon and Xfce; for MATE replace "gedit" with "pluma"; for KDE replace "gksudo gedit" with "kdesudo kate"):

Code: Select all

gksudo gedit /etc/apt/apt.conf.d/50unattended-upgrades
The default installed file is intended for Ubuntu and doesn't work on Linux Mint. First step is to comment out the third line in this file (place two forward slashes, i.e. //, in front of the line):

Code: Select all

	"${distro_id}:${distro_codename}-security
Now we add our own configuration to the file. To enable only security upgrades from the Ubuntu package base use (if you must do automatic upgrades, this is what I'd recommended):

Code: Select all

Unattended-Upgrade::Origins-Pattern {
	"o=Ubuntu,a=trusty-security";
};
To enable all upgrades from the default Linux Mint and Ubuntu configured repositories use:

Code: Select all

Unattended-Upgrade::Origins-Pattern {
	"o=Ubuntu,a=trusty-security";
	"o=Ubuntu,a=trusty-updates";
	"o=Ubuntu,a=trusty";
	"o=Canonical,a=trusty";
	"o=linuxmint,n=rafaela";
};
Save and close the file. You'll notice that when you are using a different Linux Mint 17.x distribution, or when you upgrade to Linux Mint 17.3 later, you'll have to replace "rafaela" on that last line.

Configuration — Part II ­— Testing your changes
Now before you enable automatic upgrades you should test your configuration. You can do this with the command (it will likely ask for your password; note that on the terminal you do not get any visual feedback as you type a password):

Code: Select all

sudo unattended-upgrades --verbose --dry-run
Depending on how many upgrades are available it may take some time to complete. The important thing for this test is to confirm the first few lines of information it shows are correct. With only the security upgrades enable it should show:

Code: Select all

Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=trusty-security']
With all upgrades enabled it should show:

Code: Select all

Initial blacklisted packages: 
Starting unattended upgrades script
Allowed origins are: ['o=Ubuntu,a=trusty-security', 'o=Ubuntu,a=trusty-updates', 'o=Ubuntu,a=trusty', 'o=Canonical,a=trusty', 'o=linuxmint,a=rafaela']
Configuration — Part III — Enabling automatic upgrades
With you having confirmed the configuration is correct you can configure the automatic upgrades. First step is to install the default configuration file /etc/apt/apt.conf.d/20auto-upgrades. You do this with the command:

Code: Select all

sudo dpkg-reconfigure -plow unattended-upgrades
Use the Tab key to highlight <YES> and press Enter key. The default configuration is to update your system daily and install available upgrades once a day. If that is all you need you are now done :)

You might want to edit /etc/apt/apt.conf.d/20auto-upgrades and add the following line to once a month run autoclean:

Code: Select all

APT::Periodic::AutocleanInterval "30";
Autoclean clears out the local repository of retrieved package files. It only removes package files that can no longer be downloaded, and are largely useless. This allows a cache to be maintained over a long period without it growing out of control. For more options see the apt.conf manpage ("man apt.conf") or run the command "less /usr/share/doc/apt/examples/configure-index.gz" and search for the keyword "Periodic" to jump to the documentation on all available APT::Periodic options.
Image
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

Further configuration
If you have added other repositories to your system for which you want automatic upgrades, like Google Chrome or some PPA, you will have to figure out what line to add in the block you added in the file /etc/apt/apt.conf.d/50unattended-upgrades. When you make changes to this file I recommend you always test your changes again.

Let's take Google Chrome as an example. There may be another way to find this information but this is how I've been doing it. First, after adding a new repository or PPA to your system (which the Google Chrome installer does), run "apt update" to fetch the package index files to your local cache. Then I run this command to show the information from all repositories:

Code: Select all

egrep '^(Origin|Label|Suite|Codename)' /var/lib/apt/lists/*Release
For Google Chrome this would be relevant part (the egrep command adds some color to read the relevant parts; the part before the first colon is the filename that helps you find which 4 lines go together in the output, but you need the information after the first colon):

Code: Select all

/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release:Origin: Google, Inc.
/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release:Label: Google
/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release:Suite: stable
/var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release:Codename: stable
All you need to know for adding a line to the block in the file /etc/apt/apt.conf.d/50unattended-upgrades is that:

Code: Select all

o=Origin
l=Label
a=Suite
n=Codename
And that if you have commas in the text you need to backslash escape those. So for Google Chrome you'd add this line to enable automatic upgrades:

Code: Select all

	"o=Google\, Inc.,a=trusty";
And again, test your changes!

Looking at what unattended-upgrades is doing
There are two files that can be useful to see what unattended-upgrades is doing:
  • /var/log/dpkg.log — this file keeps a log of any install, remove/purge, or upgrade actions done on your system. A quick way to list all upgrades (whether with Update Manager by unattended-upgrades) performed is with:

    Code: Select all

    grep " upgrade " /var/log/dpkg.log
  • /var/log/unattended-upgrades/unattended-upgrades.log — a log kept by unattended-upgrades. Suggest you use less to read it (press Shift+G to jump to the end of the file):

    Code: Select all

    less /var/log/unattended-upgrades/unattended-upgrades.log
Image
Xwrc

Re: Setting up automatic upgrades with unattended-upgrades

Post by Xwrc »

One question, probably stupid: does this, as described, only enable updates corresponding to levels 2 and 3 in the updater app, or also levels 4 and 5?
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

Update Manager assigns a level to an available upgrade based on the name and/or origin of the package. It does this from a list of rules built in to Update Manager (here you can see the rules for package names: https://github.com/linuxmint/mintupdate ... date/rules; packages with origin Linux Mint default to level 1). If you only want to update specific levels as displayed in Update Manager then you'll have to use Update Manager.
Image
Magissia
Level 1
Level 1
Posts: 11
Joined: Sun Nov 22, 2015 2:20 pm

Re: Setting up automatic upgrades with unattended-upgrades

Post by Magissia »

To reproduce level's management, one may be able to use Unattended-Upgrade::Package-Blacklist

Example with my config (mostly level 4&5 stuff with programs that may break compatibility too easily for my requirement)

Code: Select all

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
	"systemd.*";
	"dbus.*";
	"libdbus.*";
	"acpid.*";
	"mountall.*";
	"mesa.*";
	"systemd";
	".*base-files.*";
	"plymouth.*";
	"upstart.*";
	".*base-files.*";
	".*linux-*.";
	"linux.*";
//	"libhal.*";
//	"hal-.*";
	"grub.*";
	"grub2.*";
	"wine.*";
	"nvidia-.*";
};
Then test config with

Code: Select all

sudo unattended-upgrades --verbose --dry-run
As you can use regex, you can make a regex that will include everything but specific packages if required (or maybe there's a whitelist mode i'm not aware of)
antcj
Level 3
Level 3
Posts: 148
Joined: Thu Jun 28, 2012 11:17 pm

Re: Setting up automatic upgrades with unattended-upgrades

Post by antcj »

Is doing updates as explained above the same as doing this manually?

sudo apt-get update && apt-get upgrade -y && apt-get autoclean


thanks
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

Almost but no it's not the same. It's recommended to set it up to only install security upgrades. Even if you set it up to install all upgrades from Ubuntu and Linux Mint, if you've added repositories to your system (like for Google software) those wouldn't be included unless you configure that specifically. With apt-get upgrade -y you always install all upgrades, no exceptions.
Image
antcj
Level 3
Level 3
Posts: 148
Joined: Thu Jun 28, 2012 11:17 pm

Re: Setting up automatic upgrades with unattended-upgrades

Post by antcj »

Thanks for the quick response.
Using unattended upgrades , will the updates follow the levels as set by the user or are all levels done?
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

See the earlier comment: posting.php?mode=reply&f=42&t=202715#pr1054236. Only Update Manager uses levels.
Image
West_Training_8668
Level 2
Level 2
Posts: 71
Joined: Tue Mar 29, 2016 8:41 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by West_Training_8668 »

I'm trying to do this on linux mint 18 sarah. The files look like this:

Code: Select all

// Automatically upgrade packages from these (origin:archive) pairs
Unattended-Upgrade::Allowed-Origins {
//      "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
};

Unattended-Upgrade::Origins-Pattern {
        "o=Ubuntu,a=trusty-security";
        "o=Ubuntu,a=trusty-updates";
        "o=Ubuntu,a=trusty";
        "o=Canonical,a=trusty";
        "o=linuxmint,n=sarah";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//      "vim";
//      "libc6";
//      "libc6-dev";
//      "libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";


// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shuting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
//Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

Code: Select all

sudo unattended-upgrade --dry-run -v
detects the packages

Code: Select all

user@linux ~ $ sudo dpkg-reconfigure -plow unattended-upgrades
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
As the file isn't created I did it myself

Code: Select all

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "30";
APT::Periodic::Unattended-Upgrade "1";
I'd also like to make a script to make this automatic. How can I do that?
Last edited by West_Training_8668 on Tue Jul 05, 2016 12:33 pm, edited 1 time in total.
User avatar
xenopeek
Level 25
Level 25
Posts: 29459
Joined: Wed Jul 06, 2011 3:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by xenopeek »

Linux Mint 17.2 was based on Ubuntu 14.04 "trusty". Linux Mint 18 is based on Ubuntu 16.04 "xenial". So replace all occurrences of "trusty" in your configuration with "xenial".

I don't know exactly how to schedule unattended-upgrades to run daily on Linux Mint 18 but I do see the unattended-upgrades service is enabled by default and if so configured will install upgrades when you shutdown or reboot. To configure it for that that edit the file /etc/apt/apt.conf.d/50unattended-upgrades and uncomment or add the line Unattended-Upgrade::InstallOnShutdown "true";. The unattended-upgrades service does not have anything in place to run it at another time. As ideally you'd reboot after installing upgrades, this makes some sense.
Image
West_Training_8668
Level 2
Level 2
Posts: 71
Joined: Tue Mar 29, 2016 8:41 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by West_Training_8668 »

Code: Select all

if [[ ! -f /etc/apt/apt.conf.d/50unattended-upgrades.bak ]]; then                                                     
        clear                                                                                                             
        echo "Unattended upgrades"                                                                                        
        echo "========================================================================"                                   
        sudo cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades.bak                   
        sudo sed -i '3s#^#//#' /etc/apt/apt.conf.d/50unattended-upgrades                                                  
        echo -e "\nUnattended-Upgrade::Origins-Pattern {                                                                  
            \"o=Ubuntu,a=xenial-security\";                                                                               
            \"o=Ubuntu,a=xenial-updates\";                                                                                
            \"o=Ubuntu,a=xenial\";                                                                                        
            \"o=Canonical,a=xenial\";                                                                                     
            \"o=linuxmint,n=sarah\";                                                                                      
        };" | sudo tee --append /etc/apt/apt.conf.d/50unattended-upgrades                                                 
        echo "========================================================================"                                   
    fi                                                                                                                    
    if [[ ! -f /etc/apt/apt.conf.d/20auto-upgrades.bak ]]; then                                                           
        sudo cp /etc/apt/apt.conf.d/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades.bak                               
        sudo rm /etc/apt/apt.conf.d/20auto-upgrades                                                                       
        echo "APT::Periodic::Update-Package-Lists \"1\";                                                                          APT::Periodic::Download-Upgradeable-Packages \"1\";                                                                       APT::Periodic::AutocleanInterval \"30\";                                                                                  APT::Periodic::Unattended-Upgrade \"1\";" | sudo tee --append /etc/apt/apt.conf.d/20auto-upgrades                 
    fi
User avatar
Voltron
Level 2
Level 2
Posts: 85
Joined: Tue Oct 21, 2014 12:48 am
Location: Indiana University--Bloomington

Re: Setting up automatic upgrades with unattended-upgrades

Post by Voltron »

Wow! Nice information, xenopeek; thank you!

:D
antcj
Level 3
Level 3
Posts: 148
Joined: Thu Jun 28, 2012 11:17 pm

Re: Setting up automatic upgrades with unattended-upgrades

Post by antcj »

This is a follow on to Xenopeeks info.

I finally got to look at 18.1 (I missed 18)
To cut a long story short, security updates automatically, daily, can be done.
I have the normal updates set at level 3 to be checked and run manually once a week.

This so far is what ive discovered via Google.:

The distro name has to be changed as xenopeek suggested.

Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
"Ubuntu:xenial-security";
// "Ubuntu:xenial-updates";
// "Ubuntu:xenial-backports";
// "Ubuntu:xenial-proposed";
};
// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
// "vim";
// "libc6";
// "libc6-dev";
// "libc6-i686";
};


I then found that to test was a problem as the timer was random.

To set the time of update to your desire:

go to:
/lib/systemd/system/apt-daily.timer


change the time to whatever you like after commenting out the random line:


[Unit]
Description=Daily apt activities

[Timer]
OnCalendar=*-*-* 6,18:15
//RandomizedDelaySec=12h
AccuracySec=1h
Persistent=true

[Install]
WantedBy=timers.target




The last thing was to create the 10periododic as per xenopeeks instructions.

I still have never been able to do normal updates, maybe that’s a good thing.

If ive missed something or got it wrong please advise
dragnod0

Re: Setting up automatic upgrades with unattended-upgrades

Post by dragnod0 »

xenopeek wrote: Mon Aug 17, 2015 5:35 am And that if you have commas in the text you need to backslash escape those. So for Google Chrome you'd add this line to enable automatic upgrades:

Code: Select all

	"o=Google\, Inc.,a=trusty";
And again, test your changes!
This syntax produces an error for me on Linux Mint KDE 18.3
This worked for me:

Code: Select all

"Origin:Suite";
For the GPU Driver PPA:

Code: Select all

"LP-PPA-graphics-drivers:xenial";
sorry, my english is bad ... mostly translatet with google
Enkidu
Level 1
Level 1
Posts: 33
Joined: Sat Apr 14, 2012 7:58 am

Re: Setting up automatic upgrades with unattended-upgrades

Post by Enkidu »

Since a while LM comes with mintupdate-tool command line utility, doing the same as the gui. (For a normal user, now there is no need anymore for such a complicated way of doing it, I'd say.)

On basis of this tool, I have written a small script for laptop/notenbook or similar users that performs an update 1-3x per day and discribed it in this tutorial:

http://enkidu.eu/LMmow

Maybe it is useful for some of you... Comments welcome.


Cheers,
Enkidu
Linux Mint 16, 64bit, Cinnamon, fully encrypted (luks) on Lenovo Thinpad T520 (Intel i7, 16GB RAM, 750GB SSHD)
Post Reply

Return to “Tutorials”