-1

I installed unattended-upgrade via apt-get install unattended-upgrade, then came to configure it with dpkg-reconfigure unattended-upgrade.

I then came into the following screen with the saying:

Please specify a value for the unattended-upgrade origins-pattern


What should be answered there if one wants to give 100% credibility to unattended-upgrade, that is, allow it to always upgrade everything out of everything that it can indeed upgrade--- I don't want to specify anything specific, I just want everything to be upgraded and updated always, or at least in the possible maximum. Without barriers.

What value is good for that, if at all?

  • I executed man unattended-upgrade but found no information about that.

  • A glimpse via nano /etc/apt/apt.conf.d/50unattended-upgrade doesn't bring up any "didactic data" I could recognize to determine what's the best option for me.

  • I didn't find any StackExchange session on this.

3 Answers

1

An Origins-Pattern of origin=* will match all configured sources.

Note, however, that this doesn't guarantee that absolutely everything will always be up to date:

  • Packages may be excluded by Unattended-Upgrade::Package-Blacklist, by apt pinning preferences, or by dpkg holds.
  • Packages where configuration files have been changed may require human intervention, depending on Dpkg::Options.
  • Software may require a reboot. See also Unattended-Upgrade::Automatic-Reboot.
  • Sources may update to have conflicting packages, which cannot be installed together.
OrangeDog
  • 909
  • 11
  • 20
1

Cross linking to answer posted to similar question here: https://askubuntu.com/a/1512720/1786549

Ubuntu has moved on from Cron and uses systemd for most (all?) things that cron used to be used for. (To see all the timers: sudo systemctl list-units | grep timer)

There are two systemd timers which handle "unattended upgrades". apt-daily.timer does a daily "apt update", just to keep you informed of any updates that might be available.

The second one, apt-daily-upgrade.timer, will trigger the actual upgrade to run. What it will upgrade (and whether to reboot automatically or not) is controlled by /etc/apt/apt.conf.d/50unattended-upgrades. BUT it does not have to run daily! The schedule can be adjusted with an override file. See below.


My system is running Ubuntu Jammy, with custom repos for PostgreSQL, Git, Datadog, and GitLab.

Here's what you put in /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
        "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
        "${distro_id}:${distro_codename}-backports";
        "apt.postgresql.org:${distro_codename}-pgdg";
        "LP-PPA-git-core:${distro_codename}";
        "packages.gitlab.com/gitlab/gitlab-*:${distro_codename}";
//        ":";   // uncomment these two lines to wildcard for EVERYTHING, then the selections above and below become irrelevant
//        "*:*"; // uncomment this as well to wildcard
};

Unattended-Upgrade::Origins-Pattern {
        "site=apt.datadoghq.com"; // Datadog is special.
};

This uses both a Unattended-Upgrade::Allowed-Origins parameter AND a Unattended-Upgrade::Origins-Pattern parameter.

Reason is that ::Allowed-Origins only selects for origin:archive pairs. But datadog publishes a blank origin, and a blank archive. So to accommodate datadog (without resorting to wildcard), I also have the ::Origins-Pattern parameter, to select datadog using the site meta-tag, which does exist.

Then, to control WHEN the upgrade happens, put this in a script, or copy into a shell prompt (need to do this as root):

#!/bin/bash
mkdir -p /etc/systemd/system/apt-daily-upgrade.timer.d
cat << EOF > /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf
[Timer]
OnCalendar=
OnCalendar=Sat *-*-* 03:00:00
RandomizedDelaySec=0m
EOF

systemctl daemon-reload
systemctl enable --now apt-daily-upgrade.timer

This will now perform the actual upgrade on Saturdays at 3am, instead of daily.

The OnCalendar= is important, in order to clear out the prior schedule before adding the new schedule.

Documentation for systemd timers can be found here: https://www.freedesktop.org/software/systemd/man/latest/systemd.time.html

With the upgrade event now more deterministic, you can add these parameters into /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "now";

Hope that is helpful to someone!

Simon H
  • 11
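A small model of how the selectors in the two answers above are evaluated, as an added example that is not part of either answer and is not unattended-upgrades' own code. It assumes an `origin:archive` pair is treated as the pattern `o=origin,a=archive`, that each `key=value` token is a shell-style glob, and that `${distro_id}` and `${distro_codename}` are already substituted; the function names and the `apt-cache policy` excerpt are constructed for illustration.

```python
import fnmatch

# Short and long selector names, mapped to one field name per repository.
KEYS = {"o": "origin", "origin": "origin", "a": "archive", "archive": "archive",
        "suite": "archive", "n": "codename", "codename": "codename",
        "l": "label", "label": "label", "c": "component",
        "component": "component", "site": "site"}

# Constructed `apt-cache policy` excerpt: one Ubuntu archive and one
# repository that publishes neither o= nor a=, as the answer describes.
SAMPLE = """\
 500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
     release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64
     origin security.ubuntu.com
 500 https://apt.datadoghq.com stable/7 amd64 Packages
     release c=7,b=amd64
     origin apt.datadoghq.com
"""

def parse_policy(text):
    """Return one dict of release fields per repository in the output."""
    repos, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("release "):
            pairs = (kv.partition("=") for kv in line[8:].split(","))
            cur = {KEYS[k]: v for k, _, v in pairs if k in KEYS}
        elif line.startswith("origin ") and cur is not None:
            cur["site"] = line.split(None, 1)[1]
            repos.append(cur)
            cur = None
    return repos

def allowed_origin_to_pattern(entry):
    """Rewrite an 'origin:archive' pair as the pattern 'o=...,a=...'."""
    origin, archive = entry.split(":", 1)
    return f"o={origin},a={archive}"

def matches(pattern, repo):
    """True when every key=glob token matches; a missing field is ''."""
    for token in pattern.split(","):
        key, _, glob = token.strip().partition("=")
        if not fnmatch.fnmatch(repo.get(KEYS[key], ""), glob):
            return False
    return True

def coverage(repos, allowed_origins=(), origins_patterns=()):
    """Map each repository site to the configured entries that select it."""
    patterns = [allowed_origin_to_pattern(e) for e in allowed_origins]
    patterns += list(origins_patterns)
    return {r["site"]: [p for p in patterns if matches(p, r)] for r in repos}
```

Calling `coverage(parse_policy(SAMPLE), ["Ubuntu:jammy-security"])` leaves the Datadog site with an empty list, while adding `"site=apt.datadoghq.com"` or `"origin=*"` as a pattern selects it. Because `origin=*` selects every configured repository, each third-party source added later is upgraded unattended as well.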
0

I think unattended-upgrades isn't the right way to go here. This cronjob is a simpler approach:

crontab -e

Then add the cronjob:

0 0 * * 0 apt-get update && apt-get upgrade -y

Note:

The system I upgrade and update this way is a WSL Ubuntu without much data. Generally I have no problem uninstalling and reinstalling it as much as I like.

Of course, the approach I've taken should always be taken with caution.