While updating a specific package to a newer version is the user's personal choice as it won't break your system and you will only miss out on new features, security patches are different.
Any experienced user will always advise you to install security patches as soon as possible as they contain patches to the current vulnerability you have in your system.
But users often forget to install new security patches so to tackle this situation, I will walk you through how you can automate installation of security patches in Ubuntu.
How to install security patches automatically in Ubuntu
To install security patches automatically, you need to install two packages
And to install those packages, simply use the following command:
sudo apt update && sudo apt install unattended-upgrades update-notifier-common
Once done, enable it using the following command:
sudo dpkg-reconfigure --priority=low unattended-upgrades
You'll see a prompt asking if you want to automatically download and install updates or not. Use the
Tab button, and press the
Now, let's take a look at how you can configure it.
How to configure auto updates in Ubuntu
In this section, I will walk you through some basic steps to configure the unattended-upgrades package including:
- Enable email notifications
- Set time reboot to take effect from security patches
- Test configuration
Enable email notifications
You may want to receive notifications regarding the automatic updates. For that, first, you need to install one package called malix using the following:
sudo apt install mailutils
Now, open the configuration file using the following command:
sudo nano /etc/apt/apt.conf.d/50unattended-upgrades
Find the following line in the file and remove two forward slashes (
//)to uncomment the line:
Make sure you write your email address between
"". For example, my email address is [email protected], then, I will be using the following:
Unattended-Upgrade::Mail "[email protected]";
Additionally, if you want to receive email if something goes wrong with updates, first, find the following line:
Now, remove uncomment the line by removing the first two forward slashes and change
"only-on-error" as shown here:
Save changes and exit from the nano text editor.
Set time to reboot to take effect from security patches
First, you need to enable automatic reboot. To do so, find the following line in the configuration file:
Uncomment the above line by removing
// and change it to
"true" as shown:
If you have multiple users logged in and you still want to reboot, then find the following line and uncomment it:
// Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
When uncommented, it should look like this:
If you skip this step and go away with the above configuration, it will reboot once it installs security patches which is super random.
So setting up a specific time when no one is working and your server is sitting in an idle position to reboot the system is the best way to opt for.
To do so, find the following line in the configuration file:
Uncomment the file by removing
// and define the time when you want to reboot your system.
For example, here, I want to reboot my system at 1:00 so I used the following:
Test the configuration you've done so far
Once you are done with the configuring auto updates of your liking, it is time to test if it is configured properly or not.
First, open the
20auto-upgrades file using the following command:
sudo nano /etc/apt/apt.conf.d/20auto-upgrades
And you should see the following two lines:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Unattended-Upgrade "1";
The first line indicates how often the package list is going to be updated and 1 means it will be done once every day.
The second line indicates how often it will use the
Unattended-Upgrade package to install security patches without the intervention of the user and 1 means once every day.
To query the current configuration, use the following command:
apt-config dump APT::Periodic::Unattended-Upgrade
Here's the expected output:
Here's how you live patch Ubuntu
Did you know that you can apply security patches without rebooting your system? Yep, that's one of the best features of Ubuntu.
While it looks pretty complex process, it is pretty easy, and here's how you can configure live patching of Ubuntu:
I hope you will find this guide helpful.