
To protect your data on any Ubuntu-based system, it is imperative to update packages and apply security patches regularly. It is much better if the system itself applies the security updates. Unattended upgrades in Ubuntu 16.04 allow system administrators to automatically install updated packages and security patches whenever they become available.
This article covers the installation and configuration of unattended upgrades in Ubuntu 16.04.
Install unattended upgrades in Ubuntu 16.04
To install unattended-upgrades, execute the following command in the terminal.
$ sudo apt install unattended-upgrades
Enable unattended upgrades in Ubuntu 16.04
Pick which updates you want to make automatic by editing the file /etc/apt/apt.conf.d/50unattended-upgrades. This allows apt to search for new updates and upgrades. The default option is security.
# vi /etc/apt/apt.conf.d/50unattended-upgrades
Adjust the following lines to suit your needs.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
..........................
..........................
..........................
"${distro_id}ESM:${distro_codename}";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
The default configuration automatically upgrades packages from the security APT source. You can also configure automatic updates from other APT sources such as updates, proposed and backports by uncommenting the corresponding lines above.
Block packages from automatic updating
You can blacklist a few packages from being automatically updated by adding them to the blacklist section as shown below. Anything in this list will not be updated automatically. In the following configuration, the packages vim, libc6, libc6-dev and libc6-i686 will not be automatically updated.
Unattended-Upgrade::Package-Blacklist {
"vim";
"libc6";
"libc6-dev";
"libc6-i686";
};
Finally, edit the file /etc/apt/apt.conf.d/10periodic to configure when update, upgrade and auto-clean should run.
# vi /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";
The above configuration lets unattended upgrades update the package list and download and install available upgrades every day, and cleans the local download archive every week. If you want to disable automatic updates, just change the value 1 to 0. Check the log of unattended-upgrades inside the folder /var/log/unattended-upgrades. You can disable the automatic updates by setting the value of the parameter APT::Periodic::Update-Package-Lists to "0".
Or you can remove the tool itself with the command below:
$ sudo apt-get remove unattended-upgrades
For older versions, try the command below:
$ sudo apt-get remove update-manager
Now you can keep important services on any Ubuntu-based system up to date automatically. The automatic updates will be applied only to the services provided by the package repositories and will not be applied to services compiled from source.
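As an added example (not part of the original article): apt merges every file in /etc/apt/apt.conf.d in lexical file-name order, so a value set in 10periodic can be overridden by a later-sorting file. The script below resolves which file wins for each APT::Periodic key over a constructed sample tree; the file name 20auto-upgrades and the function names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: which APT::Periodic value wins when several files set it?
# apt reads /etc/apt/apt.conf.d in lexical file-name order; later files override.
# Only the flat 'APT::Periodic::Key "value";' form from the article is parsed.

# effective_periodic DIR KEY -> prints "value<TAB>file" of the winning line
effective_periodic() {
    dir=$1; key=$2; val=""; src=""
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Drop // comment lines, then print the quoted value of matching lines
        v=$(sed -n -e '/^[[:space:]]*\/\//d' \
            -e "s|^[[:space:]]*APT::Periodic::$key[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*|\1|p" \
            "$f" | tail -n 1)
        if [ -n "$v" ]; then val=$v; src=${f##*/}; fi
    done
    [ -n "$src" ] || return 1
    printf '%s\t%s\n' "$val" "$src"
}

# Constructed sample tree, not from a real host. 10periodic carries the
# "disable" edit; 20auto-upgrades is an assumed name for a later-sorting file.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "0";' \
        'APT::Periodic::Unattended-Upgrade "0";' \
        'APT::Periodic::AutocleanInterval "7";' > "$d/10periodic"
    printf '%s\n' '// written by another tool' \
        'APT::Periodic::Update-Package-Lists "1";' \
        'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    printf '%s\n' "$d"
}

tree=$(make_demo_tree)
for k in Update-Package-Lists Unattended-Upgrade AutocleanInterval; do
    if r=$(effective_periodic "$tree" "$k"); then
        printf '%-24s %s\n' "$k" "$r"
    else
        printf '%-24s unset\n' "$k"
    fi
done
rm -rf "$tree"
```

On a live system, `apt-config dump APT::Periodic` prints the merged values apt actually uses, which is the quickest way to confirm that an edit to 10periodic took effect.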
Hello, good afternoon.
I have an Ubuntu 16.04 server with a Moodle platform, but what I want is to disable the updates to avoid future chaos on the server. I made the modification to the 10periodic file but they are not disabled. I do not know what the problem is because it does not and upgrades are still coming to my server. I hope I can count on your support, maestro, to solve this problem. Thanks
I think you made a typo:
need to execute
sudo apt-get remove unattended-upgrades
instead of
sudo apt-get remove update-manager
in my system (Ubuntu 16.04.02 LTS) update-manager isn't present
Hi Vlad,
You are right, have corrected the typo. Much appreciated for taking the time to write the comments.
The automatic upgrade to MySQL from 5.7.25 to 5.7.26 on an Ubuntu Linux 16.04 web server did not preserve the mysql.service file that I had configured previously in /lib/systemd/system/mysql.service and put in the updated ExecStart. Is there some way to not let that happen in the future so that I am not blindsided by the automatic upgrade?
# MySQL systemd service file
[Unit]
Description=MySQL Community Server
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
# Normally, we'd simply use:
# ExecStart=/usr/sbin/mysqld
ExecStart=/usr/sbin/mysqld --sql-mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755
Here is what I discovered after reading the post on
https://askubuntu.com/questions/659267/how-do-i-override-or-configure-systemd-services
You will need to make the changes to a folder so that it is protected from the automatic unattended upgrade that happens periodically on Ubuntu Linux (especially MySQL):
sudo systemctl edit mysql
This will put you in an editor and you will need to enter the following:
[Service]
ExecStart=
ExecStart=/usr/sbin/mysqld --sql-mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
The first ExecStart clears whatever setting this variable had been set as. The next ExecStart will set up the variable with the proper option for starting mysql.
After saving this, it will create a file called override.conf in the folder mysql.service.d i.e. in /etc/systemd/system/mysql.service.d
The file /lib/systemd/system/mysql.service should look as follows:
# MySQL systemd service file
[Unit]
Description=MySQL Community Server
After=network.target
[Install]
WantedBy=multi-user.target
[Service]
User=mysql
Group=mysql
PermissionsStartOnly=true
ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
ExecStart=/usr/sbin/mysqld
ExecStartPost=/usr/share/mysql/mysql-systemd-start post
TimeoutSec=600
Restart=on-failure
RuntimeDirectory=mysqld
RuntimeDirectoryMode=755
You will need to restart the MySQL server so do the following:
sudo systemctl daemon-reload
sudo service mysql restart
Is there an option to send an alert mail if something goes wrong during the update?
Check /etc/apt/apt.conf.d/50unattended-upgrades
There you can enable a few features like email alerts, logging, rebooting, preventing upgrades of specific packages and so on.