How to Enable/Disable Unattended Upgrades in Ubuntu 16.04

Unattended upgradesTo protect your data in any ubuntu based system, it is imperative to update packages and apply security patches regularly. It is much better if the system itself applies the security updates. The unattended upgrades in Ubuntu 16.04 allow system administrator to automatically install updated packages and security patches whenever it becomes available.

This article covers the installation and configuration of unattended upgrades in Ubuntu 16.

Install unattended upgrades in ubuntu 16.04

To install unattended-upgrades, execute the following command in the terminal.

 # sudo apt install unattended-upgrades

Enable unattended upgrades in ubuntu 16.04

To pick which updates you want to make automatic by editing the file /etc/apt/apt.conf.d/50unattended-upgrades. This allows apt to search for new updates and upgrades. The default option is security.

# vi /etc/apt/apt.conf.d/50unattended-upgrades

Adjust the following lines that suit your needs.

Unattended-Upgrade::Allowed-Origins {
 "${distro_id}:${distro_codename}";
 "${distro_id}:${distro_codename}-security";
 ..........................
 ..........................
 ..........................
 "${distro_id}ESM:${distro_codename}";
 // "${distro_id}:${distro_codename}-updates";
 // "${distro_id}:${distro_codename}-proposed";
 // "${distro_id}:${distro_codename}-backports";
 };

The default configuration upgrades security packages from security APT source to automatically. You can also configure automatic updates from other APT sources such as updates, proposed and back-ports by uncommenting the above corresponding lines.

Block packages from automatic updating

You can blacklist few packages from being automatically updated by adding them in the blacklist section like below. Anything that comes under this list will not be updated automatically. In the following configuration, the packages vim, libc6, libc6-dev, libc6-i686 will not be automatically updated.

Unattended-Upgrade::Package-Blacklist {
 "vim";
 "libc6";
 "libc6-dev";
 "libc6-i686";
};

At last, edit the file /etc/apt/apt.conf.d/10periodic to configure when update, upgrade and auto-clean should run.

# vi /etc/apt/apt.conf.d/10periodic
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The above configuration lets unattended upgrades update the package list, downloads and installs available upgrades every day and the local download archive is cleaned every week. If you want to disable automatic updates, just change the value 1 to 0. Check the log of unattended-upgrades inside the folder /var/log/unattended-upgrades. You can disable the automatic updates by making the value of the parameter APT::Periodic::Update-Package-Lists to "0".

Or you can get rid of the tool itself by below command

$ sudo apt-get remove unattended-upgrades

For older versions, try below command

$ sudo apt-get remove update-manager

Now you can keep important services in any Ubuntu based system up to date and will be automatic. The automatic updates will be applied only to the services provided by the package repositories and will not be applied to the services compiled from source.

Dwijadas Dey 4:30 am

Comments

Your email address will not be published. Required fields are marked *

All comments are subject to moderation.

6 Comments

  1. Hello, good afternoon.
    I have a Ubuntu 16.04 server with a moodle platform but what I want is to disable the updates to avoid future chaos on the server, I made the modification of the 10periodic file but they are not disabled, I do not know what the problem is because it does not and I am still coming upgrades to my server, I hope you can count on the support of you maestro.As to solve this problem.Thanks

  2. I think you made a typo:
    need to execute
    sudo apt-get remove unattended-upgrades
    instead of
    sudo apt-get remove update-manager

    in my system(Ubuntu 16.04.02 LTS) update-manager isn't present

    1. Hi Vlad,

      You are right, have corrected the typo. Much appreciated for taking the time to write the comments.

  3. The automatic upgrade to MySQL from 5.7.25 to 5.7.26 on Ubuntu Linux 16.04 web server did not preserve the mysql.service file that I had configured previously in /lib/systemd/system/mysql.service and put in the updated ExecStart. Is there some way to not let that happen in the future so that I am not blind sided by the automatic upgrade

    # MySQL systemd service file

    [Unit]
    Description=MySQL Community Server
    After=network.target

    [Install]
    WantedBy=multi-user.target

    [Service]
    User=mysql
    Group=mysql
    PermissionsStartOnly=true
    ExecStartPre=/usr/share/mysql/mysql-systemd-start pre
    # Normally, we'd simply use:
    # ExecStart=/usr/sbin/mysqld
    ExecStart=/usr/sbin/mysqld --sql-mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
    ExecStartPost=/usr/share/mysql/mysql-systemd-start post
    TimeoutSec=600
    Restart=on-failure
    RuntimeDirectory=mysqld
    RuntimeDirectoryMode=755

    1. Here is what I discovered after reading the post on

      https://askubuntu.com/questions/659267/how-do-i-override-or-configure-systemd-services

      You will need to make the changes to a folder so that it is protected from the automatic unattended upgrade that happens periodically on Ubuntu Linux (especially MySQL):

      sudo systemctl edit mysql
      This will put you in an editor and you will need to enter the following:

      [Service]

      ExecStart=

      ExecStart=/usr/sbin/mysqld --sql-mode=ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION

      The first ExecStart clears whatever setting this variable had been set as. The next ExecStart will set up the variable with the proper option for starting mysql.

      After saving this, it will create a file called override.conf in the folder mysql.service.d i.e. in /etc/systemd/system/mysql.service.d

      The file /lib/systemd/system/mysql.service should look as follows:
      # MySQL systemd service file

      [Unit]
      Description=MySQL Community Server
      After=network.target

      [Install]
      WantedBy=multi-user.target

      [Service]

      User=mysql

      Group=mysql

      PermissionsStartOnly=true

      ExecStartPre=/usr/share/mysql/mysql-systemd-start pre

      ExecStart=/usr/sbin/mysqld

      ExecStartPost=/usr/share/mysql/mysql-systemd-start post

      TimeoutSec=600

      Restart=on-failure

      RuntimeDirectory=mysqld

      RuntimeDirectoryMode=755
      You will need to restart the MySQL server so do the following:

      sudo systemctl daemon-reload
      sudo service mysql restart