Unattended Upgrades
Unattended Upgrades is a feature in Linux systems (especially Debian-based distributions like Ubuntu) that automatically installs security updates without user intervention. It ensures the system stays up-to-date with critical patches, reducing the risk of vulnerabilities, while minimizing the need for manual updates. The updates typically focus on security patches and essential package upgrades.
Installing the unattended-upgrades feature on a Debian server
$> sudo apt install unattended-upgrades
$> sudo apt install update-notifier-common
Now we can edit the configuration file using:
$> sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
Configuring Security Upgrades
In the config file, look for the Unattended-Upgrade section shown below:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// available, the policy for updates is such that unattended-upgrades
// should also install from here by default.
"${distro_id}ESMApps:${distro_codename}-apps-security";
"${distro_id}ESM:${distro_codename}-infra-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-proposed";
// "${distro_id}:${distro_codename}-backports";
};
Here the security origins are uncommented, so those updates are installed automatically when the distribution recommends them.
To prevent MySQL and Apache2 security upgrades from being applied immediately via unattended-upgrades, you can modify the configuration to avoid upgrading these specific packages automatically. Here's how you can do that:
Unattended-Upgrade::Package-Blacklist {
"mysql*";
"apache2*";
};
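The entries in Package-Blacklist are Python regular expressions rather than shell globs, so "mysql*" and "apache2*" match more names than they appear to. The following is an added example (not part of the original page or of the unattended-upgrades code) that parses the block above and shows which package names it holds back, next to a tighter pair of patterns. It assumes entries are matched from the start of the package name, as the stock file's "libc6$" style examples imply, and the package list is constructed for illustration.

```python
import re

# Constructed sample: the blacklist block from this page, as it would sit in
# /etc/apt/apt.conf.d/50unattended-upgrades, plus one commented-out entry.
SAMPLE_CONF = '''
Unattended-Upgrade::Package-Blacklist {
    "mysql*";
    "apache2*";
//  "libc6$";
};
'''

def blacklist_patterns(conf_text):
    """Return the active (uncommented) Package-Blacklist entries."""
    block = re.search(r'Unattended-Upgrade::Package-Blacklist\s*\{(.*?)\};',
                      conf_text, re.S)
    if not block:
        return []
    patterns = []
    for line in block.group(1).splitlines():
        line = line.split('//', 1)[0]              # drop // comments
        patterns += re.findall(r'"([^"]*)"', line)
    return patterns

def held_back(packages, patterns):
    """Packages excluded from upgrades: regex matched from the start of the name
    (assumed semantics, see the lead-in)."""
    return sorted(p for p in packages
                  if any(re.match(pat, p) for pat in patterns))

# Constructed package names (hypothetical inventory, not taken from the page).
PACKAGES = ["mysql-server", "mysql-client", "mysqltuner", "apache2",
            "apache2-utils", "apache-example-tool", "libapache2-mod-php",
            "openssl"]

# Tighter alternatives (an assumption of this example, not the page's config):
# only "mysql-..." packages, and only "apache2" or "apache2-...".
TIGHTENED = [r"mysql-", r"apache2($|-)"]

if __name__ == "__main__":
    pats = blacklist_patterns(SAMPLE_CONF)
    print("patterns :", pats)
    print("as-is    :", held_back(PACKAGES, pats))
    print("tightened:", held_back(PACKAGES, TIGHTENED))
```

Every package held back this way also stops receiving automatic security fixes, so the narrower the pattern, the fewer packages are left to patch by hand.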
Unattended system reboot:
// Reboot automatically when an installed update requires it
Unattended-Upgrade::Automatic-Reboot "true";
// Do not reboot while users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
// Time of day for the automatic reboot
Unattended-Upgrade::Automatic-Reboot-Time "00:30";
Syslog logging for unattended-upgrades:
Unattended-Upgrade::SyslogEnable "false";
Download updates only on AC Power:
Unattended-Upgrade::OnlyOnACPower "true";
Removing unused dependencies:
// Remove unused kernel packages
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Remove unused dependencies
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Removing unwanted packages and dependencies is a risky option, so be careful when configuring it.