unattended-upgrade
Install security updates automatically, unattended
SYNOPSIS
unattended-upgrade [-d|--debug] [--dry-run] [-v|--verbose]
PARAMETERS
-d, --debug
Enables extensive debug output, useful for troubleshooting the upgrade process.
--dry-run
Simulates the upgrade process without actually making any changes to the system. Shows what would happen.
-v, --verbose
Increases the verbosity of the output, showing more detailed information about the upgrade process.
DESCRIPTION
unattended-upgrade automates the installation of security updates and, optionally, other package upgrades on Debian-based Linux systems (like Ubuntu). Its primary purpose is to keep systems secure by applying critical patches without manual intervention. This is particularly useful for servers or systems where continuous uptime and security are paramount.
The command typically runs as a background process, often scheduled via cron or systemd timers, and silently downloads and installs updates. While it primarily focuses on security updates, its configuration can be adjusted to include other types of updates or even automatically reboot the system if necessary. Proper configuration via files in /etc/apt/apt.conf.d/ is crucial for its safe and effective operation, allowing administrators to define which updates are applied and how the system behaves post-upgrade.
CAVEATS
- Requires careful configuration in /etc/apt/apt.conf.d/ to define update sources, automatic reboots, and email notifications.
- While convenient, automatic updates can occasionally introduce unforeseen issues or breakages, especially if not restricted to security-only updates.
- It's recommended to regularly monitor system logs (e.g., /var/log/unattended-upgrades/) to track upgrade activity and potential problems.
CONFIGURATION FILES
The primary configuration for unattended-upgrade is managed through files in the /etc/apt/apt.conf.d/ directory. Key files include 20auto-upgrades (to enable/disable automatic updates) and 50unattended-upgrades (to define specific update policies, allowed origins, automatic reboots, and email notifications).
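An added example, not part of the original page or the unattended-upgrades package: a shell check that reads an apt.conf.d-style directory and reports whether the two APT::Periodic switches normally set in 20auto-upgrades are still enabled once later drop-in files are taken into account. The function names, the 99local file and the sample contents are constructed for illustration, and only the flat `Key "value";` form is parsed.

```sh
#!/bin/sh
# Added example (not from the unattended-upgrades package).
# Assumption: settings use the flat `Key "value";` form; nested { } scopes
# are not parsed, and every regular file in the directory is read.

# periodic_value DIR KEY: print the effective value of KEY. Files are read in
# sorted order and the last definition wins, so a later drop-in can override
# what 20auto-upgrades sets.
periodic_value() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then cat "$f"; fi
    done |
        sed -n "s|^[[:space:]]*${2}[[:space:]]*\"\([^\"]*\)\";.*|\1|p" |
        tail -n 1
}

# audit_auto_upgrades DIR: return 0 only if both switches are set and non-zero.
audit_auto_upgrades() {
    rc=0
    for key in APT::Periodic::Update-Package-Lists \
               APT::Periodic::Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        case $val in
            ''|0) echo "FAIL $key=${val:-unset}"; rc=1 ;;
            *)    echo "OK   $key=$val" ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a later drop-in (hypothetical 99local) turns upgrades off.
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo/20auto-upgrades"
printf '%s\n' '// constructed local override' \
              'APT::Periodic::Unattended-Upgrade "0";' > "$demo/99local"
audit_auto_upgrades "$demo" || echo "automatic upgrades are not fully enabled"
rm -r "$demo"
```

On a real host, pass /etc/apt/apt.conf.d to audit_auto_upgrades, then run unattended-upgrade --dry-run --debug to see which packages the current policy would select.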
LOGGING
All actions performed by unattended-upgrade are logged to files located in /var/log/unattended-upgrades/. These logs are crucial for auditing and troubleshooting, providing details on what packages were upgraded and any errors encountered.
SCHEDULING
The execution of unattended-upgrade is typically scheduled by system timers. On modern systems, this is often handled by a systemd timer (e.g., apt-daily.timer), which periodically triggers the update check and installation process.
HISTORY
unattended-upgrade is part of the unattended-upgrades package, which was developed primarily for Debian and Ubuntu systems. Its introduction addressed the critical need for automated security patch management, particularly for servers that require high availability and continuous security. It evolved as a robust solution to ensure systems remain updated against known vulnerabilities without manual intervention, leveraging the existing APT package management system.