This article will guide you on how to set up unattended automatic system updates under Debian 11.
Unless you are a physical server, and a VPS or cloud host with a KVM architecture that has not used an oddly customized or modified kernel, there is a certain chance that upgrading the system to update the kernel will cause the Grub load to fail.
Remember to back up your important data!
The following operations need to be done under the root user, please use
sudo -i or
su root to switch to the root user for operations.
Install the necessary software
First you need to install the
By default the
unattended-upgrades service is started automatically and takes effect.
If it doesn’t take effect you can run
systemctl enable --now unattended-upgrades to make it take effect and start automatically on boot.
Configure the 50unattended-upgrades file
Let’s just create a new
/etc/apt/apt.conf.d/50unattended-upgrades file and enter the following.
In the above configuration,
APT::Periodic::Update-Package-Lists "1"; and
APT::Periodic::Unattended-Upgrade "1"; means automatic update is turned on, if
0 is set, no automatic update will be done.
APT::Periodic::AutocleanInterval "7"; This configuration means that residual useless dependencies are kept for 7 days, and will be cleaned up automatically after 7 days.
Unattended-Upgrade::Origins-Pattern represents the
apt sources that need to be updated, we only update the repositories containing
debian-security, you can also add custom
origin if you also need to update some third party
apt sources to install software. For example.
As for how to get the
origin, you can directly check the
Release file of this software repository, such as this Release of the PowerDNS repository.
Unattended-Upgrade::Package-Blacklist is a blacklist to add software that does not need to be updated automatically, e.g.
APT::Periodic::Verbose "1"; By default this setting is
0, which means no reports are sent, and
1 for progress reports.
Unattended-Upgrade::Mail "root"; is to send mail to the
root user, which can be customized as required.
Unattended-Upgrade::Automatic-Reboot "false"; is to not reboot automatically (don’t reboot the server if you don’t want to).
Test the configuration
We can test if the rules are correct by running this command.
If there are no errors, that means it’s fine, so we can configure Debian to automatically update unattended, so we don’t have to worry about security breaches and not being able to update the system in time.
To view the logs, use the command
journalctl -u apt-daily.service | tail.