56

I read here how to enable silent automatic updates for Google Chrome. However, I have other repositories like spotify, docky and others for which I would like to enable silent updates.

I am trying to do this in my Ubuntu 10.04 system. But this question applies to all Ubuntu versions. I have the unattended-upgrades package installed.

How can I do this?

nik90
  • 12,959

5 Answers

80

The easiest way of enabling unattended updates for your system is to edit the file 50unattended-upgrades inside /etc/apt/apt.conf.d/ with your favourite text editor, for example:

gedit admin:///etc/apt/apt.conf.d/50unattended-upgrades

In it you need to comment out the commented sections of the Allowed Origins block.

Change:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id} ${distro_codename}-security";
//      "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed";
//      "${distro_id} ${distro_codename}-backports";
};

to:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id} ${distro_codename}-security";
        "${distro_id} ${distro_codename}-updates";
//      "${distro_id} ${distro_codename}-proposed";
//      "${distro_id} ${distro_codename}-backports";
};

For software that is not on the Ubuntu repos that you would like to update, you need to add an origin and archive to the file. To find what those are for your PPAs, open the folder /var/lib/apt/lists/, that is the storage area for state information for each package resource. What you are looking for is the files that end with Release in the name.

Open one with your text editor, e.g. for Google Chrome:

gedit /var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release

Inside you will see something like the following:

Origin: Google, Inc.
Label: Google
Suite: stable
Codename: stable
Version: 1.0
Date: Thu, 17 Nov 2011 19:09:01 +0000
Architectures: i386 amd64
Components: main
Description: Google chrome-linux repository.

The origin is obvious (Origin: Google, Inc.) and the archive will be whatever is under the line Suite (Suite: stable).

If either Origin or Suite is missing, then they will be the empty string. But note that if both are missing, then probably it will not be possible to use that source with unattended upgrades without including other sources with the same issue.

After you have noted those 2 lines, you need to edit the 50unattended-upgrades file and add the lines using this format "<origin>:<archive>"; or for this example's sake "Google\, Inc.:stable";.

Google Chrome's origin is kinda tricky, because it has a space, an end point and a comma in it, but most Release files will be easy to read.

As another example, Node JS source specifies an origin (Node Source) but not an archive; so you can match it with "Node Source:";.

Allowed Origins is matched using shell-style wildcards (more specifically, with Python's fnmatch()). If you're careful enough to not include conflicting sources, it's possible to write things like "Node *:*";.


Do not forget to make a backup of your 50unattended-upgrades file before editing it. Do that with:

sudo cp /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/50unattended-upgrades.bak

To test the changes done on the file, you can use sudo unattended-upgrades with the parameters --dry-run and --debug.

  • --dry-run will run an unattended upgrades cycle, except it will not really install the upgrades, only check and verify that everything is ok.

  • --debug will enable verbose mode.

You can always check the logs for unattended-upgrades at /var/log/unattended-upgrades/unattended-upgrades.log.


You can change the configuration of the unattended upgrades by editing the file /etc/apt/apt.conf.d/10periodic. Options for the configuration are in the /etc/cron.daily/apt script header. Read them to configure the frequency of the unattended upgrades.

comfreak
  • 123
  • 1
  • 7
Bruno Pereira
  • 74,715
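The Release-file steps from the answer above, as an added example that is not part of the original answer: it reads the header fields, escapes the comma in the origin, and skips a source that has neither Origin nor Suite. The function names are hypothetical and the three Release texts are constructed samples; the first copies fields quoted in the answer.

```python
# Added example: derive Allowed-Origins entries from APT Release metadata.
# The Release texts are constructed samples; real files are the *Release
# files under /var/lib/apt/lists/.

GOOGLE = """Origin: Google, Inc.
Label: Google
Suite: stable
Codename: stable
"""
NODE = "Origin: Node Source\nLabel: Node Source\n"   # constructed: no Suite
BLANK = "Label: Example\nCodename: stable\n"         # constructed: neither


def release_fields(text):
    """Return the 'Key: value' header fields of a Release file as a dict."""
    fields = {}
    for line in text.splitlines():
        if line[:1] in (" ", "\t") or ":" not in line:
            continue  # skip checksum continuation lines and other noise
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def allowed_origin_entry(text):
    """Build the '"<origin>:<archive>";' line, or None if both are missing."""
    fields = release_fields(text)
    origin = fields.get("Origin", "")
    archive = fields.get("Suite", "")
    if not origin and not archive:
        return None  # would become ":" and match every other blank source
    # Commas separate match terms, so a literal comma must be escaped.
    origin = origin.replace(",", "\\,")
    return '"%s:%s";' % (origin, archive)


if __name__ == "__main__":
    for name, text in (("google", GOOGLE), ("node", NODE), ("blank", BLANK)):
        entry = allowed_origin_entry(text)
        print(name, "->", entry or "skipped: no Origin and no Suite")
```
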
14

Automated approach for @Bruno Pereira's answer: (Please consider starring the github repo if you find the answer useful.)

Code Link: https://github.com/abhigenie92/unattended_upgrades_repos

  • Check repositories to add:

    $ python automatic_upgrade.py 
    Add repos:
    "Ubuntu:xenial";
    "LP-PPA-kubuntu-ppa-backports:xenial";
    "LP-PPA-tuxonice:xenial";
    "LP-PPA-webupd8team-sublime-text-3:xenial";
    
    Skipping files due to not present origin or suite. Or origin being a url.:
    packagecloud.io_slacktechnologies_slack_debian_dists_jessie_InRelease
    tiliado.eu_nuvolaplayer_repository_deb_dists_xenial_InRelease
    
  • Now edit /etc/apt/apt.conf.d/50unattended-upgrades to include them:

    // Automatically upgrade packages from these (origin:archive) pairs
    Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
      "Ubuntu:xenial";
      "LP-PPA-kubuntu-ppa-backports:xenial";
      "LP-PPA-tuxonice:xenial";
      "LP-PPA-webupd8team-sublime-text-3:xenial";
    };
    ....
    ....
    
  • Check to see if they are included:

    $ sudo unattended-upgrade --dry-run --debug
    Initial blacklisted packages: 
    Initial whitelisted packages: 
    Starting unattended upgrades script
    Allowed origins are: ['o=Ubuntu,a=xenial-security', 'o=Ubuntu,a=xenial-updates', 'o=Ubuntu,a=xenial-proposed', 'o=Ubuntu,a=xenial-backports', 'o=Ubuntu,a=xenial', 'o=LP-PPA-kubuntu-ppa-backports,a=xenial', 'o=LP-PPA-tuxonice,a=xenial', 'o=LP-PPA-webupd8team-sublime-text-3,a=xenial']
    pkgs that look like they should be upgraded: 
    Fetched 0 B in 0s (0 B/s)                                                                                  
    fetch.run() result: 0
    blacklist: []
    whitelist: []
    No packages found that can be upgraded unattended and no pending auto-removals
    
12

Editing /etc/apt/apt.conf.d/50unattended-upgrades, add the following:

Unattended-Upgrade::Origins-Pattern {
        "origin=*";
};

This will allow unattended upgrades for all packages.

Zac West
  • 221
3

There are instructions for forcing a rerun to make cron start the automatic update at the following link. The procedure to stop cron is this

sudo service anacron stop
sudo service cron stop
sudo rm -rf /var/run/unattend* /var/run/cron* /var/run/anacron*
sudo rm -rf /var/lib/apt/periodic/*

and to restart cron to make the automatic update happen now (or at least within a few minutes) is

sudo service cron start
sudo anacron -fn

How it works

Several things will trigger it to run.

  • It is fired off from the running of /etc/cron.daily by cron, specifically /etc/cron.daily/apt. Cron runs /etc/cron.daily at 6.25 am (see /etc/crontab)

  • Anacron runs from upstart? and it will fire off /etc/cron.daily after 5 minutes of uptime (see /etc/anacrontab)

    Note APT::Periodic::RandomSleep can be set in /etc/apt/apt.conf.d/10periodic, but defaults to 1800s (30 mins) so no updates may happen till 30 mins after /etc/cron.daily/apt runs.

Log

If it works things should get logged in this folder, /var/log/unattended-upgrades.

hg8
  • 13,582
0

Here's a reference that might be helpful...

My system is running Ubuntu Jammy, with custom repos for PostgreSQL, Git, Datadog, and GitLab.

Here's what you put in /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
        "apt.postgresql.org:${distro_codename}-pgdg";
        "LP-PPA-git-core:${distro_codename}";
        "packages.gitlab.com/gitlab/gitlab-*:${distro_codename}";
//        ":";   // uncomment these two lines to wildcard for EVERYTHING, then the selections above and below become irrelevant
//        "*:*"; // uncomment this as well to wildcard
};

Unattended-Upgrade::Origins-Pattern {
        "site=apt.datadoghq.com"; // Datadog is special.
};

This uses both an Unattended-Upgrade::Allowed-Origins parameter AND an Unattended-Upgrade::Origins-Pattern parameter.

Reason is that ::Allowed-Origins only selects for origin:archive pairs. But datadog publishes a blank origin, and a blank archive. So to accommodate datadog (without resorting to wildcard), I also have the ::Origins-Pattern parameter, to select datadog using the site meta-tag, which does exist.

Then, to control WHEN the upgrade happens, put this in a script, or copy into a shell prompt (need to do this as root):

#!/bin/bash
mkdir -p /etc/systemd/system/apt-daily-upgrade.timer.d
cat << EOF > /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
[Timer]
OnCalendar=
OnCalendar=Sat *-*-* 03:00:00
RandomizedDelaySec=0m
EOF

systemctl daemon-reload
systemctl enable --now apt-daily-upgrade.timer

This will now perform the actual upgrade on Saturdays at 3am, instead of daily.

The OnCalendar= is important, in order to clear out the prior schedule before adding the new schedule.

Documentation for systemd timers can be found here: https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html

With the upgrade event now more deterministic, you can add these parameters into /etc/apt/apt.conf.d/50unattended-upgrades :

Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "now";

Hope that is helpful to someone!

Simon H
  • 11
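An added example, not taken from any of the answers, that checks how much the `origin=*`, `*:*`, `:` and `site=` entries shown above actually admit. It is a simplified model of the fnmatch-based matching the answers describe, not unattended-upgrades' own code; the source list, the site names other than apt.datadoghq.com, and the function names are constructed for illustration.

```python
import fnmatch

# Constructed sample sources; field values follow the answers on this page.
SOURCES = [
    {"origin": "Ubuntu", "archive": "jammy-security", "site": "security.ubuntu.com"},
    {"origin": "Google, Inc.", "archive": "stable", "site": "dl.google.com"},
    {"origin": "", "archive": "", "site": "apt.datadoghq.com"},
]
# Keywords this model understands (assumption: a subset of the real ones).
KEYS = {"o": "origin", "origin": "origin", "a": "archive",
        "archive": "archive", "suite": "archive", "site": "site"}


def to_pattern(allowed_origin):
    """Rewrite an Allowed-Origins 'origin:archive' entry as 'o=...,a=...'."""
    origin, _, archive = allowed_origin.partition(":")
    return "o=%s,a=%s" % (origin, archive)


def matches(pattern, source):
    """True if every key=glob term of the pattern matches the source."""
    terms = pattern.replace("\\,", "\0").split(",")   # keep escaped commas
    for term in terms:
        key, _, glob = term.partition("=")
        field = KEYS[key.strip()]          # KeyError on an unknown keyword
        if not fnmatch.fnmatch(source[field], glob.strip().replace("\0", ",")):
            return False
    return True


def admitted(pattern, sources=SOURCES):
    """Sites of the sources a pattern would allow upgrades from."""
    return [s["site"] for s in sources if matches(pattern, s)]


def audit(patterns, sources=SOURCES):
    """Return the patterns that admit every configured source."""
    return [p for p in patterns if len(admitted(p, sources)) == len(sources)]


if __name__ == "__main__":
    patterns = [to_pattern("Google\\, Inc.:stable"), to_pattern(":"),
                to_pattern("*:*"), "site=apt.datadoghq.com", "origin=*"]
    for p in patterns:
        print("%-28s -> %s" % (p, admitted(p)))
    print("admit everything:", audit(patterns))
```

Because `*` also matches an empty string, `origin=*` and `*:*` admit the source with a blank origin as well as every third-party repository, while `:` admits only sources whose origin and archive are both blank.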