Unattended Upgrades - auto update OS

Following on from this discussion about automatically updating operating systems...

I've now had chance to review unattended-upgrades after being suggested by @Colin, and after first installing it on a friends Pi, followed by my own, and it seems to work well, with no major issues.
It's applied numerous updates (it's surprising how many there are!) over the past week or so, and I've been comparing the updates with the default dpkg and they have been identical so far (sudo apt list --upgradable).

Installation on a Pi running Buster was quick & easy - apt-get install unattended-upgrades which installed the package, set up logrotate & also created systemd triggers to run the package twice daily to check for updates.

There are 2 main config files which determine how unattended-upgrades functions. I found them a little complicated to set up at first, but it eventually sort of made sense;
/etc/apt/apt.conf.d/20auto-upgrades which is the apt configuration stub, I've edited mine to be -

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

and the second, /etc/apt/apt.conf.d/50unattended-upgrades which determines which update origins to apply. My config is -

Unattended-Upgrade::Origins-Pattern {
      "origin=Raspbian,codename=${distro_codename},label=Raspbian";
      "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspber$
      "origin=Node Source,codename=${distro_codename},label=Node Source";
};
Unattended-Upgrade::Automatic-Reboot True;

..so that I allow updates from the origins 'Raspbian', 'Raspberry Pi Foundation' & 'Node Source' (to update node), which match the sources included in 'Buster's' apt-cache policy.
I picked up a tip to rename this config file to something like /etc/apt/apt.conf.d/52unattended-upgrades to prevent it being overwritten when the package is updated.
You will note that I've set Automatic-Reboot True, this will automatically reboot the pi if any of the updates have set the 'reboot' flag. If you don't want to do this, then set it to False. I've only had 1 auto-reboot so far.

I haven't set up the email reporting (as I don't want to be bothered with emails every few days), but there are 2 logs to view to see what's been happening;
/var/log/unattended-upgrades/unattended-upgrades.log to see what update checks have been made, and;
/var/log/unattended-upgrades/unattended-upgrades-dpkg.log to see the actual updates applied and any error messages.

Definitely worth a look!

3 Likes

I was surprised to find unattended-upgrades already installed on my new Debian Buster minimal installation.

I've only made a couple of minor changes so far (from: https://wiki.debian.org/UnattendedUpgrades):

In order to enable auto-updates, you need to uncomment the line of in /etc/apt/apt.conf.d/50unattended-upgrades that has the text

"${distro_id}:${distro_codename}-updates";.

And run:

sudo dpkg-reconfigure -plow unattended-upgrades

which creates: /etc/apt/apt.conf.d/20auto-upgrades

I had been running webmin on my Pi 3 which includes an autoupdate feature. Don't need that now.

1 Like

Nice find Julian.

NOTE: When installing via apt on a Raspberry Pi, there is no need to run those commands, as apt does that for you.

I initially thought that checking for updates every day was excessive & unnecessary, but having thought about it. it's probably the safest way to update...
If (like I've done in the past) I update every 3-6 months, then I'm installing a massive number of updates at once, and if something thereafter doesn't work it's not easy to establish the cause.

Whereas, updating a relatively small number of packages regularly, at least gives a good indication of where to start looking...

3 Likes

Typically, most nights, I've checked which upgrades apt has earmarked in need of attention, by checking;

pi@raspberrypi:~ $ sudo apt list --upgradeable
Listing... Done
libjavascriptcoregtk-4.0-18/stable 2.26.4-1~deb10u1+rpi1 armhf [upgradable from: 2.26.3-1~deb10u1+rpi1]
libwebkit2gtk-4.0-37/stable 2.26.4-1~deb10u1+rpi1 armhf [upgradable from: 2.26.3-1~deb10u1+rpi1]
raspberrypi-ui-mods/testing 1.20200218 all [upgradable from: 1.20200127]
pi@raspberrypi:~ $

The following morning, checking the unattended-upgrades.log, I see that the correct packages have been downloaded and an upgrade has taken place.

2020-02-21 05:26:05,442 INFO Packages that will be upgraded: libjavascriptcoregtk-4.0-18 libwebkit2gtk-4.0-37 raspberrypi-ui-mods
2020-02-21 05:26:05,443 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2020-02-21 05:27:35,014 INFO All upgrades installed

If a more detailed log is needed, the unattended-upgrades-dpkg.log contains entries for each of upgrades that has taken place.

Log started: 2020-02-21  05:26:50
(Reading database ... 99582 files and directories currently installed.)
Preparing to unpack .../libwebkit2gtk-4.0-37_2.26.4-1~deb10u1+rpi1_armhf.deb ...
Unpacking libwebkit2gtk-4.0-37:armhf (2.26.4-1~deb10u1+rpi1) over (2.26.3-1~deb10u1+rpi1) ...
Preparing to unpack .../libjavascriptcoregtk-4.0-18_2.26.4-1~deb10u1+rpi1_armhf.deb ...
Unpacking libjavascriptcoregtk-4.0-18:armhf (2.26.4-1~deb10u1+rpi1) over (2.26.3-1~deb10u1+rpi1) ...
Setting up libjavascriptcoregtk-4.0-18:armhf (2.26.4-1~deb10u1+rpi1) ...
Setting up libwebkit2gtk-4.0-37:armhf (2.26.4-1~deb10u1+rpi1) ...
Processing triggers for libc-bin (2.28-10+rpi1) ...
Log ended: 2020-02-21  05:27:33
2 Likes

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.