Ubuntu: Unattended Upgrades for security patches

If you are running an Ubuntu server for any extended period of time, security issues will arise that affect the kernel, distribution, or packages installed on that host.

While there are always minimal risks associated with automatically applying security fixes, I feel those are dwarfed by the risks of running hosts that have known security flaws.  For example, a media frenzy over the OpenSSL vulnerability Heartbleed may have forced administrators the world over to go out and manually patch their fleet of Linux hosts, but the truth is there is a constant stream of public vulnerabilities.

Expecting system administrators to manually patch each of these (in addition to their other daily tasks) is unrealistic, and therefore Ubuntu provides a simple way of scheduling unattended security updates.

First, install the unattended-upgrades package:

> sudo apt install unattended-upgrades

Then edit ‘/etc/apt/apt.conf.d/50unattended-upgrades’ and select which updates you would like applied automatically.  In our case, we only want security-related patches, so that is the only origin we leave uncommented.

Unattended-Upgrade::Allowed-Origins {    
//    "${distro_id} stable";
    "${distro_id} ${distro_codename}-security";
//    "${distro_id} ${distro_codename}-updates";
//  "${distro_id} ${distro_codename}-proposed-updates";
};

// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found
Unattended-Upgrade::Automatic-Reboot "false";

This same file also takes extra parameters such as whether a reboot should happen if necessary.  For most production deployments, you will set Automatic-Reboot to false to avoid downtime until a maintenance window.

Then you will need to edit ‘/etc/apt/apt.conf.d/10periodic’.  Be sure to set the Unattended-Upgrade and Update-Package-Lists keys so that the functionality is enabled. 

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

As a sanity test, you can force an invocation of the unattended upgrades job with:

> sudo unattended-upgrade -d

The logs are written to ‘/var/log/unattended-upgrades/unattended-upgrades.log’.
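To confirm what apt will actually act on, check the merged configuration rather than the individual files: `apt-config dump` prints the effective result of every file under /etc/apt/apt.conf.d. The script below is an added example, not part of the unattended-upgrades package; the function name `audit_unattended` and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit apt settings given in `apt-config dump` format on stdin.
# Prints one line per check; the return status is the number of failed checks.
audit_unattended() {
    dump=$(cat)
    fails=0
    # Both periodic keys must exist and be non-zero for the job to run.
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(printf '%s\n' "$dump" |
            sed -n "s/^APT::Periodic::$key \"\([^\"]*\)\";\$/\1/p" | tail -n 1)
        if [ -z "$val" ] || [ "$val" = "0" ]; then
            echo "FAIL: APT::Periodic::$key is '${val:-unset}'"
            fails=$((fails + 1))
        else
            echo "OK:   APT::Periodic::$key = $val"
        fi
    done
    # At least one allowed origin must be a -security pocket.
    if printf '%s\n' "$dump" |
        grep -q '^Unattended-Upgrade::Allowed-Origins:: ".*-security";$'; then
        echo "OK:   a -security origin is allowed"
    else
        echo "FAIL: no -security origin in Allowed-Origins"
        fails=$((fails + 1))
    fi
    # Not a failure, but worth surfacing on production hosts.
    if printf '%s\n' "$dump" |
        grep -q '^Unattended-Upgrade::Automatic-Reboot "true";$'; then
        echo "NOTE: Automatic-Reboot is true (reboots without confirmation)"
    fi
    return "$fails"
}

# Constructed sample input mirroring the settings shown on this page.
SAMPLE_OK='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-security";
Unattended-Upgrade::Automatic-Reboot "false";'

# Constructed sample of a host where the job is switched off.
SAMPLE_BAD='APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
Unattended-Upgrade::Allowed-Origins:: "${distro_id} ${distro_codename}-updates";'

printf '%s\n' "$SAMPLE_OK" | audit_unattended
printf '%s\n' "$SAMPLE_BAD" | audit_unattended || echo "failed checks: $?"
# On a real host: apt-config dump | audit_unattended
```

A non-zero exit status makes the check easy to wire into monitoring or a configuration-management run across a fleet.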

 
