# Unattended Upgrades

**Unattended Upgrades** is a feature in Linux systems (especially Debian-based distributions like Ubuntu) that automatically installs security updates without user intervention. It ensures the system stays up-to-date with critical patches, reducing the risk of vulnerabilities, while minimizing the need for manual updates. The updates typically focus on security patches and essential package upgrades.

#### Installing the unattended-upgrades feature on a Debian server

{% code overflow="wrap" %}

```bash
$> sudo apt install unattended-upgrades
$> sudo apt install update-notifier-common
```

{% endcode %}

Now we can edit the configuration file:

{% code overflow="wrap" %}

```bash
$> sudo vi /etc/apt/apt.conf.d/50unattended-upgrades
```

{% endcode %}

***

## Configuring Security Upgrades

In the config file, look for the `Unattended-Upgrade::Allowed-Origins` section:

{% code overflow="wrap" %}

```bash
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
```

{% endcode %}

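Here the security origins are uncommented, which means updates from them are installed automatically when the distribution publishes them. The lines that start with `//` (`-updates`, `-proposed`, `-backports`) are commented out, so packages from those origins are not upgraded automatically.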

To prevent **MySQL** and **Apache2** security upgrades from being applied immediately via **unattended-upgrades**, you can modify the configuration to avoid upgrading these specific packages automatically. Here's how you can do that:

```bash
Unattended-Upgrade::Package-Blacklist {
    "mysql*";
    "apache2*";
};
```
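
The `Package-Blacklist` entries are Python regular expressions matched against the start of each package name, so `mysql*` and `apache2*` behave as prefixes rather than shell globs. The following is an added example, not part of the original page or of unattended-upgrades itself; the function names, the stricter patterns and the package names are constructed for illustration, and it assumes `re.match` semantics. It shows which packages the page's two patterns hold back compared with a stricter set.

```python
import re

# Patterns exactly as written in the Package-Blacklist block on this page.
PAGE_PATTERNS = ["mysql*", "apache2*"]
# Stricter alternatives (an assumption of this example, not from the page).
STRICT_PATTERNS = ["mysql-", "apache2($|-)"]

# Constructed package names for illustration; not read from a real system.
SAMPLE_PACKAGES = [
    "mysql-server-8.0", "mysql-client", "mysqltuner", "libmysqlclient21",
    "apache2", "apache2-utils", "apache-helper", "libapache2-mod-php",
    "openssl",
]


def matching_pattern(pkgname, patterns):
    """Return the first pattern that holds pkgname back, or None.

    Assumption: each entry is a Python regular expression tested with
    re.match, i.e. anchored at the start of the name but not at the end.
    """
    for pattern in patterns:
        if re.match(pattern, pkgname):
            return pattern
    return None


def held_back(packages, patterns):
    """Return the package names that would be excluded from automatic upgrades."""
    return [p for p in packages if matching_pattern(p, patterns)]


def compare(packages, loose, strict):
    """Return packages held back by the loose patterns but not by the strict ones."""
    strict_set = set(held_back(packages, strict))
    return [p for p in held_back(packages, loose) if p not in strict_set]


if __name__ == "__main__":
    print("held back by page patterns:  ", held_back(SAMPLE_PACKAGES, PAGE_PATTERNS))
    print("held back by strict patterns:", held_back(SAMPLE_PACKAGES, STRICT_PATTERNS))
    print("only caught by loose form:   ", compare(SAMPLE_PACKAGES, PAGE_PATTERNS, STRICT_PATTERNS))
```

Packages whose names do not start with a pattern, such as `libmysqlclient21` or `libapache2-mod-php` in this sample, are not held back and continue to be upgraded automatically.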

#### Unattended system reboot

{% code overflow="wrap" %}

```bash
// Reboot automatically when an installed update requires it
Unattended-Upgrade::Automatic-Reboot "true";
// Do not reboot while users are logged in
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
// Time of day for the automatic reboot
Unattended-Upgrade::Automatic-Reboot-Time "00:30";
```

{% endcode %}

#### Syslog for unattended-upgrades

```bash
Unattended-Upgrade::SyslogEnable "false";
```

#### Download updates only on AC power

```bash
Unattended-Upgrade::OnlyOnACPower "true";
```

#### Removing unused dependencies

```bash
// Remove unused kernel packages
//Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
// Remove unused dependencies
//Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
```

Automatically removing unwanted packages and dependencies is a risky option, so be careful when configuring it.

***
