One of the crucial tasks of any sysadmin is to ensure that security patches and feature updates are applied regularly. Security updates address pre-existing vulnerabilities that can be exploited by malicious users to breach the system. Delayed patching of system packages may result in system breaches where confidential information is accessed and exfiltrated. Manually updating packages on Ubuntu, and any Linux system for that matter, is a tedious task that takes up a lot of time. This is time that could have been spent on more productive tasks. Configuring automatic updates on a Linux server is therefore highly recommended. In this guide, we walk you through how to enable automatic updates on Ubuntu 22.04.
Configuration of automatic updates is made possible by the unattended-upgrades package. The package keeps your system in sync with the latest security and feature updates. We are going to show you how to install the package, and later how to modify the configuration file to control which packages are upgraded and how you can send email alerts.
Step 1: Install unattended-upgrades package
As discussed before, the first step is to install the unattended-upgrades package. To achieve this, we will use the APT package manager as follows:
$ sudo apt install unattended-upgrades
When the installation is complete, verify using the following systemctl command:
$ sudo systemctl status unattended-upgrades
By default, the unattended-upgrades daemon should run once the installation is complete as evidenced in the screenshot below.

To set automatic updates, we are going to install the update-notifier-common package:
$ sudo apt install update-notifier-common

Step 2: Configure unattended-upgrades service
In this step, we are going to make changes to the unattended-upgrades configuration file.
$ sudo vim /etc/apt/apt.conf.d/50unattended-upgrades
The file helps you to specify which packages should automatically be updated or skipped during the update process. By default, however, only security updates are set to be automatically installed as shown in the lines below. Therefore, no action is needed.
Lines starting with double slashes ( // ) are commented out. If you want updates from a repository to be applied, you need to uncomment its line by removing the double slashes.

For example, to blacklist some packages from being upgraded, remove the double slash signs in the line with the parameter Unattended-Upgrade::Package-Blacklist {
Then specify the package names. In the example below, we have prevented the MariaDB and Nginx packages from being upgraded.

When you scroll down, you can see a host of other options that you can either enable or leave as they are.
Step 3: Enable email notifications
Sometimes, you may want to receive email notifications. To achieve this, scroll and locate the line below and remove the preceding double slashes.
//Unattended-Upgrade::Mail " ";
Be sure to specify the recipient email address.
Unattended-Upgrade::Mail "me@example.com";
In addition, you can choose to receive email updates in case an update goes wrong, such as when security updates fail. To do so, locate this line:
//Unattended-Upgrade::MailReport "on-change";
Uncomment it and change the attribute "on-change" to "only-on-error".

When security updates are installed, it's always good practice to restart the server in order to update the kernel. You can enable an automatic reboot by locating the line below.
//Unattended-Upgrade::Automatic-Reboot "false";
Change the "false" value to "true".

If there are users logged in and you still want the reboot to proceed, locate the line:
// Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Uncomment it so that it resembles what we have below:

You can also determine the time at which the automatic reboot will occur by uncommenting the line below. By default, this is set to 4:00 am.
// Unattended-Upgrade::Automatic-Reboot-Time "04:00";
In our case, we have set it to 3:00 am.

There are many other rules you can set to suit your needs. Simply scroll and uncomment the directives as we have just elaborated.
Once you are done, save the changes and exit the configuration file. That's about it in this section.
Step 4: Enable automatic updates on Ubuntu 22.04
Finally, to enable automatic upgrades, edit the 20auto-upgrades file as shown.
$ sudo vim /etc/apt/apt.conf.d/20auto-upgrades
In case the auto-upgrades files are not found:
$ sudo apt-get install unattended-upgrades
$ sudo dpkg-reconfigure --priority=low unattended-upgrades
By default, the file has two lines as shown.

These lines allow you to determine how the upgrade will occur. The first line handles the update of the package lists while the second one initiates the automatic upgrades.
The value "1" enables the auto-update and the auto-upgrade respectively. If you want to disable it, set this value to "0".
No changes are required here, just save and exit the file.
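To confirm that the edits from Steps 2 to 4 are really in effect (a directive that still begins with // is ignored), here is an added example that is not part of the original guide. The function names effective_value and audit_config are hypothetical, the sample files are constructed, and only single-line directives are handled, not brace blocks such as Package-Blacklist.

```shell
#!/bin/sh
# Added example: show which directives from this guide are actually in effect.
# APT ignores lines beginning with //, so an edited but still-commented line does nothing.

# effective_value KEY FILE...: last uncommented value of KEY, or "unset" (files in APT read order).
effective_value() {
    key=$1; shift
    sed -e 's/^[[:space:]]*//' -e '/^\/\//d' "$@" |
    awk -v k="$key" '
        $1 == k { v = $0; sub(/^[^"]*"/, "", v); sub(/".*$/, "", v); found = 1 }
        END     { if (found) print v; else print "unset" }'
}

# audit_config FILE...: print findings; the exit status is the number of FAIL lines.
audit_config() {
    fails=0
    for k in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        v=$(effective_value "$k" "$@")
        case $v in
            unset|0|"") echo "FAIL $k=$v (automatic runs disabled)"; fails=$((fails + 1)) ;;
            *)          echo "OK   $k=$v" ;;
        esac
    done
    mail=$(effective_value Unattended-Upgrade::Mail "$@")
    case $mail in
        unset|"") echo "WARN Unattended-Upgrade::Mail not set (no reports sent)" ;;
        *" "*)    echo "WARN Unattended-Upgrade::Mail contains whitespace: '$mail'" ;;
        *)        echo "OK   Unattended-Upgrade::Mail=$mail" ;;
    esac
    if [ "$(effective_value Unattended-Upgrade::Automatic-Reboot "$@")" = true ]; then
        echo "INFO reboot enabled, time=$(effective_value Unattended-Upgrade::Automatic-Reboot-Time "$@")"
    fi
    return "$fails"
}

# Constructed sample files mirroring the edits in Steps 2 to 4 (not a real host's config).
demo=$(mktemp -d)
cat > "$demo/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$demo/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Mail "me@example.com";
//Unattended-Upgrade::MailReport "on-change";
Unattended-Upgrade::Automatic-Reboot "true";
// Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF
audit_config "$demo/20auto-upgrades" "$demo/50unattended-upgrades"
rm -rf "$demo"
```

On a live server, pass /etc/apt/apt.conf.d/20auto-upgrades and /etc/apt/apt.conf.d/50unattended-upgrades instead of the sample files. The apt-config dump command prints the merged configuration that APT itself uses and is the authoritative check.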
Step 5: Set up a mail server
For you to receive notifications, you need to configure an email server. There are a couple of options that you can use including mailx and postfix.
For best results, install Postfix to configure SMTP relay to external SMTP servers.
Conclusion
If you have come this far, you have successfully set up automatic updates on Ubuntu 22.04. You can rest assured that your packages will always be up to date with the latest versions. Also, your server will be up to speed with the latest security patches to address any underlying security loopholes.
Thank you for the clear and detailed instructions and explanation of setting auto update up. I would have missed some of the steps without it.
Thank you, very helpful
Thanks, Helped A lot During My Cyber Patriots Practice competition.
1. Install Postfix and Required Packages
If you haven’t done so already, install Postfix and some handy tools (e.g., for sending emails):
sudo apt-get update
sudo apt-get install postfix mailutils
During the installation, you’ll be asked how you want to configure Postfix – choosing “Internet Site” is usually the right option.
2. Adjust the Main Postfix Configuration
Open the file /etc/postfix/main.cf and add (or modify) the following lines:
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
These settings ensure that Postfix uses the Gmail server as a relay and authenticates using TLS encryption.
3. Set Up the Authentication Credentials
Now, create the file /etc/postfix/sasl_passwd:
sudo nano /etc/postfix/sasl_passwd
Then, insert the following line:
[smtp.gmail.com]:587 your_username@gmail.com:your_password
Tip: If you have two-factor authentication enabled on your Gmail account, you must use an App Password here.
4. Secure the File and Convert It to Hash Format
Secure the file by converting it into a format that Postfix can use:
sudo postmap /etc/postfix/sasl_passwd
sudo chmod 600 /etc/postfix/sasl_passwd /etc/postfix/sasl_passwd.db
This ensures that no one can access your credentials without authorization.
5. Restart Postfix and Test
Restart the Postfix service:
sudo systemctl restart postfix
You can test the mail sending with the following command:
echo "This is a test" | mail -s "Test Email" your_email@example.com
Then, check the log file (/var/log/mail.log) to verify that the mail was sent successfully.