Setting up unattended automatic updates on Debian: the full process, from installation to configuration and testing

In Debian system administration, unattended automatic updates can greatly improve maintenance efficiency, get security vulnerabilities patched promptly and keep the system running stably. However, there are some important points to pay attention to before you start.

On non-physical servers, especially KVM-based VPS instances and cloud hosts with customized or modified kernels, there is a risk that GRUB fails to load after a system upgrade or kernel update. Therefore, be sure to back up important data in advance to avoid data loss. The operations in this article must be performed with root privileges; you can switch to the root user with the sudo -i or su root command.

I. Installation of essential software

  • First, run the apt update command to refresh the package list so that the system has the latest package information.
  • Next, use the apt install unattended-upgrades -y command to install the unattended-upgrades package.
user1@debian:~$ sudo apt install unattended-upgrades -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  gir1.2-glib-2.0 libgirepository-1.0-1 libglib2.0-0 libglib2.0-data libicu72 libxml2 python3-dbus python3-distro-info
  python3-gi shared-mime-info xdg-user-dirs xz-utils
Suggested packages:
  low-memory-monitor python-dbus-doc bsd-mailx default-mta | mail-transport-agent needrestart powermgmt-base
The following NEW packages will be installed:
  gir1.2-glib-2.0 libgirepository-1.0-1 libglib2.0-0 libglib2.0-data libicu72 libxml2 python3-dbus python3-distro-info
  python3-gi shared-mime-info unattended-upgrades xdg-user-dirs xz-utils
0 upgraded, 13 newly installed, 0 to remove and 0 not upgraded.
Need to get 14.6 MB of archives.
After this operation, 62.1 MB of additional disk space will be used.
Get:1 https://mirrors.aliyun.com/debian bookworm/main amd64 xz-utils amd64 5.4.1-0.2 [471 kB]
Get:2 https://mirrors.aliyun.com/debian bookworm/main amd64 libglib2.0-0 amd64 2.74.6-2+deb12u5 [1,403 kB]
Get:3 https://mirrors.aliyun.com/debian bookworm/main amd64 libgirepository-1.0-1 amd64 1.74.0-3 [101 kB]
Get:4 https://mirrors.aliyun.com/debian bookworm/main amd64 gir1.2-glib-2.0 amd64 1.74.0-3 [159 kB]
Get:5 https://mirrors.aliyun.com/debian bookworm/main amd64 libglib2.0-data all 2.74.6-2+deb12u5 [1,209 kB]
Get:6 https://mirrors.aliyun.com/debian bookworm/main amd64 libicu72 amd64 72.1-3 [9,376 kB]
Get:7 https://mirrors.aliyun.com/debian bookworm/main amd64 libxml2 amd64 2.9.14+dfsg-1.3~deb12u1 [687 kB]
Get:8 https://mirrors.aliyun.com/debian bookworm/main amd64 python3-dbus amd64 1.3.2-4+b1 [95.1 kB]
Get:9 https://mirrors.aliyun.com/debian bookworm/main amd64 python3-distro-info all 1.5+deb12u1 [6,772 B]
Get:10 https://mirrors.aliyun.com/debian bookworm/main amd64 python3-gi amd64 3.42.2-3+b1 [219 kB]
Get:11 https://mirrors.aliyun.com/debian bookworm/main amd64 shared-mime-info amd64 2.2-1 [729 kB]
Get:12 https://mirrors.aliyun.com/debian bookworm/main amd64 unattended-upgrades all 2.9.1+nmu3 [63.3 kB]
Get:13 https://mirrors.aliyun.com/debian bookworm/main amd64 xdg-user-dirs amd64 0.18-1 [54.4 kB]
Fetched 14.6 MB in 14s (1,059 kB/s)
  • After the installation is complete, the unattended-upgrades service usually starts and takes effect automatically.
  • You can check the running status of the service with the systemctl status unattended-upgrades command.
user1@debian:~$ systemctl status unattended-upgrades
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; preset: enabled)
     Active: active (running) since Mon 2025-02-10 09:20:16 EST; 3min 56s ago
       Docs: man:unattended-upgrade(8)
   Main PID: 12444 (unattended-upgr)
      Tasks: 2 (limit: 9474)
     Memory: 13.5M
        CPU: 256ms
     CGroup: /system.slice/unattended-upgrades.service
             └─12444 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal
  • If the service is not active, run the systemctl enable --now unattended-upgrades command to start it immediately and enable it at boot.
user1@debian:~$ sudo systemctl enable --now unattended-upgrades
Synchronizing state of unattended-upgrades.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable unattended-upgrades.

II. Configuring the 50unattended-upgrades file

Next, edit the /etc/apt/apt.conf.d/50unattended-upgrades file. You can use the following configuration as a reference:

# nano /etc/apt/apt.conf.d/50unattended-upgrades

// Enable the periodic package-list refresh and unattended upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Verbose "1";
APT::Periodic::AutocleanInterval "7";

// Send the update report to this user
Unattended-Upgrade::Mail "root";

// Only packages from these origins are upgraded automatically
Unattended-Upgrade::Origins-Pattern {
  "origin=Debian,codename=${distro_codename},label=Debian";
  "origin=Debian,codename=${distro_codename},label=Debian-Security";
  "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
};

// Empty list: no package is excluded from automatic updates
Unattended-Upgrade::Package-Blacklist {
};

Unattended-Upgrade::Automatic-Reboot "false";

Then restart the service:

# systemctl restart unattended-upgrades

The configuration items above are explained in detail below:

  • APT::Periodic::Update-Package-Lists and APT::Periodic::Unattended-Upgrade: when these two items are set to "1", the automatic update function is turned on; when they are set to "0", automatic updates are turned off.
  • APT::Periodic::AutocleanInterval "7"; means the system keeps leftover, no longer needed dependency packages for 7 days and cleans them up automatically after 7 days to free up disk space.
  • Unattended-Upgrade::Origins-Pattern specifies the apt sources to be updated. By default, only repositories containing debian and debian-security will be updated. If you want to update a third-party source, you can add a custom origin; for example, to update a PowerDNS source, add origin=PowerDNS, where the origin value can be obtained from the repository's Release file.
  • Unattended-Upgrade::Package-Blacklist sets a blacklist of software packages. Packages in this list will not be updated automatically, and regular expressions are supported. For example, "linux-" prevents all packages starting with linux- from being updated; "apache2" prevents Apache 2 packages from being updated; and "(lib)?xen(store)?" blocks updates of packages starting with xen, xenstore and libxen.
  • APT::Periodic::Verbose "1"; turns on the update progress report feature; the default value "0" means no report will be sent. Turning it on gives a clearer picture of the update process.
  • Unattended-Upgrade::Mail "root"; means the update report email will be sent to the root user; it can be changed to another user as needed.
  • Unattended-Upgrade::Automatic-Reboot "false"; means the system will not reboot automatically after an update. If you want the system to reboot automatically after an update, change the value to "true".
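
Deriving an Origins-Pattern entry for a third-party source from its Release file, as described above, can be scripted. This is an added example, not part of the original article; the function names and the ExampleRepo sample header are constructed for illustration, and the script assumes the Release file carries the usual Origin, Label and Codename fields.

```shell
#!/bin/sh
# Added example: build an Origins-Pattern entry from a Release file on stdin.

# Print one header field (such as Origin) from the Release text in $2.
release_field() {
    printf '%s\n' "$2" | awk -v key="$1" -F': *' '
        tolower($1) == tolower(key) {
            sub(/^[^:]*: */, ""); sub(/[ \t\r]+$/, ""); print; exit
        }'
}

origins_pattern() {
    release=$(cat)
    origin=$(release_field Origin "$release")
    label=$(release_field Label "$release")
    codename=$(release_field Codename "$release")
    # Without an Origin there is nothing to match the repository on.
    if [ -z "$origin" ]; then
        echo "no Origin field found" >&2
        return 1
    fi
    # This example refuses values that would clash with the key=value,...
    # syntax instead of guessing at escaping.
    case "$origin$label$codename" in
        *,*|*\"*) echo "unsupported character in field" >&2; return 1 ;;
    esac
    pattern="origin=$origin"
    # Add codename and label when present so the match stays narrow.
    if [ -n "$codename" ]; then pattern="$pattern,codename=$codename"; fi
    if [ -n "$label" ]; then pattern="$pattern,label=$label"; fi
    printf '"%s";\n' "$pattern"
}

# Constructed sample Release header (not copied from a real repository).
sample_release() {
    cat <<'EOF'
Origin: ExampleRepo
Label: ExampleRepo-stable
Suite: stable
Codename: bookworm
Components: main
EOF
}

sample_release | origins_pattern
```

The printed line can be pasted into the Unattended-Upgrade::Origins-Pattern block; matching on codename and label as well as origin limits automatic upgrades to that one suite of the repository.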

After completing the above configuration, execute the systemctl restart unattended-upgrades command to restart the service so that the new configuration takes effect.

III. Testing the configuration and viewing logs

To make sure the configuration is correct, you can run the unattended-upgrades --dry-run --debug command to test it. If no error message appears, the configuration is correct.

To view the logs, use the journalctl -u apt-daily.service | tail command. When the log shows messages such as download updated metadata (success). and unattended-upgrade -d (success), the automatic update configuration is working. By following these steps, you can set up unattended automatic updates on your Debian system, making system maintenance easier and more efficient.
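
Because apt merges every file under /etc/apt/apt.conf.d/, it is the effective values that matter, not only what 50unattended-upgrades says. The following check reads `apt-config dump` output and verifies the settings from section II; it is an added example, not part of the original article, and the function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify effective settings from `apt-config dump` on stdin.

# Print the last value assigned to a scalar key.
apt_value() {
    awk -v key="$1" '$1 == key { v = $2; gsub(/^"|";$/, "", v); last = v }
                     END { print last }'
}

check_unattended_config() {
    dump=$(cat)
    rc=0
    for key in APT::Periodic::Update-Package-Lists APT::Periodic::Unattended-Upgrade; do
        val=$(printf '%s\n' "$dump" | apt_value "$key")
        case "$val" in
            ""|0) echo "FAIL $key is '${val:-unset}'"; rc=1 ;;
            *)    echo "ok   $key = $val" ;;
        esac
    done
    # List entries are dumped one per line as: Key:: "value";
    n=$(printf '%s\n' "$dump" |
        awk '/^Unattended-Upgrade::Origins-Pattern:: / { n++ } END { print n + 0 }')
    if [ "$n" -eq 0 ]; then
        echo "FAIL no Origins-Pattern entries"; rc=1
    else
        echo "ok   $n Origins-Pattern entries"
    fi
    # Security fixes only arrive if a security origin is allowed.
    if printf '%s\n' "$dump" | grep -q 'Origins-Pattern:: .*label=Debian-Security'; then
        echo "ok   Debian-Security origin allowed"
    else
        echo "FAIL no Debian-Security origin"; rc=1
    fi
    return "$rc"
}

# Constructed sample of `apt-config dump` output (not captured from a real host).
sample_dump() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Origins-Pattern "";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename},label=Debian";
Unattended-Upgrade::Origins-Pattern:: "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
EOF
}

sample_dump | check_unattended_config
```

On a real host, run apt-config dump | check_unattended_config; a non-zero exit status means at least one check failed.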
