92

I want to be sure if automatic updates are enabled on Ubuntu 12.04 server.

How exactly can I check this?

And how can I disable automatic updates if it's enabled?

muru
  • 207,228
com
  • 1,149

6 Answers

79

There is a package that can be used to do this for you.

sudo apt-get install unattended-upgrades

or, if unattended-upgrades is already installed (or you can check out the Ubuntu docs):

sudo dpkg-reconfigure -plow unattended-upgrades

That is the package you need to install. Once it's installed, edit the files

/etc/apt/apt.conf.d/10periodic
/etc/apt/apt.conf.d/20auto-upgrades

In that file you can set how often you want the server to update.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The file should look like that. The 1 means it will update every day. 7 is weekly.

/etc/apt/apt.conf.d/50unattended-upgrades

This file will let you choose what updates you want to make by choosing where apt can search for new updates and upgrades. (My personal opinion on this is I would set it to security if this is a server.)

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";

};

The variables ${distro_id} and ${distro_codename} are expanded automatically. I would comment out the updates entry and just leave security.

LinuxBill
  • 2,107
33

Check the logs at /var/log/unattended-upgrades/ to verify that your unattended upgrades are being applied.

yanokwa
  • 431
7

In Ubuntu 16.04 and newer, Unattended Upgrades is already included with every stock install of Ubuntu (except Ubuntu Core, of course -- it doesn't use deb packages).

You can test for it several ways:

  1. Check the timer status. Unattended Upgrades uses the apt-daily-upgrade.timer. In this example, you can see that Unattended Upgrades ran 39 minutes ago.
me@my-system:~$ systemctl status apt-daily-upgrade.timer 
● apt-daily-upgrade.timer - Daily apt upgrade and clean activities
     Loaded: loaded (/lib/systemd/system/apt-daily-upgrade.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Sun 2021-12-05 05:41:07 CST; 39min ago
    Trigger: Sun 2021-12-05 06:20:41 CST; 1s left
   Triggers: ● apt-daily-upgrade.service

Dec 05 05:41:07 my-system systemd[1]: Started Daily apt upgrade and clean activities.

  2. Check the completion timestamp. Unattended Upgrades timestamps a file after each successful run.
me@my-system:~$ ls -lh /var/lib/apt/periodic/
total 0
-rw-r--r-- 1 root root 0 Dec  2 17:42 download-upgradeable-stamp
-rw-r--r-- 1 root root 0 Dec  5 06:21 unattended-upgrades-stamp    <----------
-rw-r--r-- 1 root root 0 Dec  2 17:42 update-stamp
-rw-r--r-- 1 root root 0 Dec  2 17:41 update-success-stamp
-rw-r--r-- 1 root root 0 Dec  5 06:21 upgrade-stamp

  3. Check the log. Unattended Upgrades are logged. In this example, you can see that U-U ran properly. No upgraded packages happened to be available during this run. This is the most common result -- upgraded packages don't appear every day.
me@my-system:~$ tail /var/log/unattended-upgrades/unattended-upgrades.log

2021-12-03 08:30:20,578 INFO Initial whitelist (not strict):
2021-12-03 08:30:25,854 INFO No packages found that can be upgraded unattended and no pending auto-removals
2021-12-05 06:21:11,517 INFO Starting unattended upgrades script
2021-12-05 06:21:11,528 INFO Allowed origins are: o=Ubuntu,a=impish, o=Ubuntu,a=impish-security, o=UbuntuESM,a=impish, o=Ubuntu,a=impish-updates, o=Google LLC,a=stable, o=UbuntuESM,a=impish-security
2021-12-05 06:21:11,529 INFO Initial blacklist:
2021-12-05 06:21:11,530 INFO Initial whitelist (not strict):
2021-12-05 06:21:15,645 INFO No packages found that can be upgraded unattended and no pending auto-removals

user535733
  • 68,493
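
An added example (not part of any answer above) that audits a log in the format shown in the answer above: it reports when the last run started and which allowed origins fall outside the security pocket. The sample log is constructed from the lines quoted above, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample in the format of /var/log/unattended-upgrades/unattended-upgrades.log
SAMPLE_LOG='2021-12-05 06:21:11,517 INFO Starting unattended upgrades script
2021-12-05 06:21:11,528 INFO Allowed origins are: o=Ubuntu,a=impish, o=Ubuntu,a=impish-security, o=Google LLC,a=stable
2021-12-05 06:21:15,645 INFO No packages found that can be upgraded unattended and no pending auto-removals'

# Print date and time of the most recent run start, or "never" if none is logged.
last_run() {   # stdin = log text
    awk '/INFO Starting unattended upgrades script/ { t = $1 " " substr($2, 1, 8) }
         END { print (t == "" ? "never" : t) }'
}

# Print one line per origin from the most recent "Allowed origins are:" entry,
# prefixed "security" when the archive (a=) ends in -security, else "other".
classify_origins() {   # stdin = log text
    awk '/INFO Allowed origins are: / { sub(/^.*Allowed origins are: /, ""); last = $0 }
         END {
             n = split(last, o, /, o=/)      # origins are separated by ", o="
             for (i = 1; i <= n; i++) {
                 sub(/^o=/, "", o[i])        # only the first entry keeps its prefix
                 kind = (o[i] ~ /,a=[^,]*-security$/) ? "security" : "other"
                 print kind "\to=" o[i]
             }
         }'
}

# Count origins that are not security pockets (0 means a security-only policy).
non_security_count() {   # stdin = log text
    classify_origins | grep -c '^other' || true   # grep -c exits 1 on a zero count
}

# Demo on the constructed sample; on a real host, redirect the log file instead.
printf '%s\n' "$SAMPLE_LOG" | last_run
printf '%s\n' "$SAMPLE_LOG" | classify_origins
```
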
5

(I made another answer, because my changes to LinuxBill's answer were rejected.)

There is a package that can be used to enable automatic updates for you. It is called unattended-upgrades.

Use the following command to enable/disable automatic updates:

sudo dpkg-reconfigure -plow unattended-upgrades

That command will modify file /etc/apt/apt.conf.d/20auto-upgrades and may also modify /etc/apt/apt.conf.d/10periodic.

Alternatively, you can enable automatic updates the GUI way, using software-properties-gtk, in the Updates tab, by changing the setting in "When there are security updates:". That will modify files /etc/apt/apt.conf.d/10periodic and /etc/apt/apt.conf.d/20auto-upgrades.

Alternatively, you can modify the aforementioned file(s) manually. EDIT: You could create a new file with a greater number as its name prefix (say 21auto-upgrades) to override the settings done in 20auto-upgrades.

In that file you can set how often you want the update to be called:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

The 1 means it will update every day. 7 is weekly. Variable APT::Periodic::AutocleanInterval determines how often "apt-get autoclean" is executed automatically. 0 means disable for these variables, so that way you can disable automatic updates and removals. EDIT: as automatic updates and upgrades are now called using systemd timers and services rather than Cron, it is best to set the variables to "always" rather than "1". That way the changes will be picked up even if the partly randomized timing causes the call to be made somewhat sooner than a full day after the previous call.

You can check the current settings with apt-config dump APT::Periodic

You can change the way unattended upgrades work by editing file /etc/apt/apt.conf.d/50unattended-upgrades. This file will let you choose what updates you want to make by choosing where apt can search for new updates and upgrades. Actually, it is better to create a new file where you put the modifications; name it as 51unattended-upgrades-local or something else greater than the original file in the directory so that the changes will be effective; that way the original file remains unchanged which helps if upgrading unattended-upgrades implies changes to the file.

Unattended-Upgrade::Allowed-Origins {
      "${distro_id}:${distro_codename}-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

The variables ${distro_id} and ${distro_codename} are expanded automatically. In the above, only security updates are done automatically. You can extend automatic updates to any repository and do settings in the Unattended-Upgrade::Origins-Pattern section. See another question.

You may want to change

//Unattended-Upgrade::Remove-Unused-Dependencies "false";

to

Unattended-Upgrade::Remove-Unused-Dependencies "true";

That will automatically remove e.g. excessive old kernels so that /boot does not become full. It is equivalent to sudo apt autoremove.

EDIT: Newer versions of unattended-upgrades include more sophisticated settings for removing unused packages so you don't need to enable the previous setting:

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";

There is more information in the Ubuntu docs and on the unattended-upgrades GitHub.

jarno
  • 6,175
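
An added example (not part of the answer above) that turns the text printed by apt-config dump APT::Periodic into a single verdict, treating "0" or a missing key as off and any other value, including "always", as on. The sample dumps are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Constructed samples in the format printed by `apt-config dump APT::Periodic`.
SAMPLE_ENABLED='APT::Periodic "";
APT::Periodic::Update-Package-Lists "always";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "always";'

SAMPLE_DISABLED='APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";'

# Print the effective value of one APT::Periodic key, or "0" if it is absent.
periodic_value() {   # $1 = key name, stdin = dump text
    awk -v key="APT::Periodic::$1" '
        $1 == key { gsub(/[";]/, "", $2); v = $2 }   # strip quotes and semicolon
        END { print (v == "" ? "0" : v) }'
}

# Classify a dump passed as $1:
#   enabled  - lists are refreshed and upgrades are applied
#   stale    - upgrades run, but package lists are never refreshed
#   disabled - unattended upgrades are switched off
auto_update_state() {
    lists=$(printf '%s\n' "$1" | periodic_value Update-Package-Lists)
    upgrade=$(printf '%s\n' "$1" | periodic_value Unattended-Upgrade)
    if [ "$upgrade" = "0" ]; then
        echo "disabled (Unattended-Upgrade=0)"
    elif [ "$lists" = "0" ]; then
        echo "stale (Unattended-Upgrade=$upgrade but Update-Package-Lists=0)"
    else
        echo "enabled (lists=$lists upgrade=$upgrade)"
    fi
}

# Demo on the constructed samples.
# On a real host: auto_update_state "$(apt-config dump APT::Periodic)"
auto_update_state "$SAMPLE_ENABLED"
auto_update_state "$SAMPLE_DISABLED"
```
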
2

With Ubuntu 20.04 you can use

systemctl status unattended-upgrades.service

to check if the unattended-upgrades service is running.

Reference: https://www.digitalocean.com/community/tutorials/how-to-keep-ubuntu-20-04-servers-updated

Also, to check the logs of the unattended-upgrades service, use the journalctl command:

# For the current boot logs
journalctl --unit unattended-upgrades.service --boot

For all time logs

journalctl --unit unattended-upgrades.service

For more details see manual pages for the corresponding commands:

man systemctl
man journalctl

rboy
  • 135
-2

Automatic Updates are enabled by default. If not, to enable automatic updates, just press Ctrl+Alt+T on your keyboard to open Terminal. When it opens, run the command below.

sudo apt-get install unattended-upgrades

On a server, you can also edit /etc/apt/apt.conf.d/50unattended-upgrades, and comment out the updates you don't want to upgrade automatically. These edits must be done with root privileges.

Mitch
  • 109,787