If you administer servers, you know how important it is to keep your packages up to date for security.

In Ubuntu Server 18, automatic updates are configured by editing the /etc/apt/apt.conf.d/50unattended-upgrades file. Let’s edit it with the following command:



Changes to the file

There are only a few lines that need to be uncommented:

"${distro_id}:${distro_codename}-updates"; // enables automatic updates from the -updates pocket, alongside -security
Unattended-Upgrade::Automatic-Reboot-Time "04:00"; // sets 4 AM as the reboot time (used only when Unattended-Upgrade::Automatic-Reboot is "true")
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true"; // keeps your boot partition from filling up with old kernels, which would eventually block all updates


Pay special attention to the last line, which makes the update process clean up old kernel packages automatically. Without it, you can find yourself with a full boot partition, which has the nasty ability to halt any and all updates! I have faced this in the past and it can be a pain.
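An added example (not from the original post): a small Python check that reads a 50unattended-upgrades file and flags the pitfalls discussed above. The sample file content is constructed, `parse`, `audit` and the finding messages are hypothetical names, and it assumes Automatic-Reboot is off unless set, so a reboot time on its own schedules nothing.

```python
import re

# Constructed sample: a trimmed 50unattended-upgrades with this page's edits applied.
SAMPLE = r'''
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
//  "${distro_id}:${distro_codename}-proposed";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
//Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
'''

TRUE_VALUES = {"true", "yes", "on", "1", "enable", "with"}  # spellings APT reads as true


def parse(text):
    """Return (allowed_origins, options) for the active, uncommented settings."""
    # Strip // comments; safe for this file because no active value contains "//".
    body = "\n".join(line.split("//", 1)[0] for line in text.splitlines())
    block = re.search(r'Unattended-Upgrade::Allowed-Origins\s*\{(.*?)^\s*\}\s*;',
                      body, re.S | re.M)
    origins = re.findall(r'"([^"]+)"\s*;', block.group(1)) if block else []
    # Scalar options look like: Unattended-Upgrade::Name "value";
    options = dict(re.findall(r'Unattended-Upgrade::([\w-]+)\s+"([^"]*)"\s*;', body))
    return origins, options


def audit(text):
    """Hypothetical linter: flag the pitfalls this page's settings are meant to avoid."""
    origins, opt = parse(text)
    enabled = lambda key: opt.get(key, "").lower() in TRUE_VALUES
    findings = []
    if not any(o.endswith("-security") for o in origins):
        findings.append("security pocket is not an allowed origin")
    if not enabled("Remove-Unused-Kernel-Packages"):
        findings.append("Remove-Unused-Kernel-Packages is not explicitly true")
    if "Automatic-Reboot-Time" in opt and not enabled("Automatic-Reboot"):
        findings.append("Automatic-Reboot-Time is set but Automatic-Reboot is not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("WARN:", finding)
```

On a real host, pass the contents of /etc/apt/apt.conf.d/50unattended-upgrades to `audit`; other files in apt.conf.d can override these values, and `apt-config dump` prints the merged result.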

My file contents

If you just want to copy and paste, here is my file, with these changes made.

// Automatically upgrade packages from these (origin:archive) pairs
//
// Note that in Ubuntu security updates may pull in new dependencies
// from non-security sources (e.g. chromium). By allowing the release
// pocket these get automatically pulled in.
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}";
"${distro_id}:${distro_codename}-security";
// Extended Security Maintenance; doesn't necessarily exist for
// every release and this system may not have it installed, but if
// should also install from here by default.
"${distro_id}ESM:${distro_codename}";
"${distro_id}:${distro_codename}-updates";
//	"${distro_id}:${distro_codename}-proposed";
//	"${distro_id}:${distro_codename}-backports";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option will controls whether the development release of Ubuntu will be

// This option allows you to control if on a unclean dpkg exit
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGTERM. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower

// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set

// Remove unused automatically installed kernel-related packages
// (kernel images, kernel headers and kernel version locked tools).
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";

// Do automatic removal of newly unused dependencies after the upgrade

// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)

// Automatically reboot *WITHOUT CONFIRMATION*
//  if the file /var/run/reboot-required is found after the upgrade

// If automatic reboot is enabled and needed, reboot at the specific
//  Default: "now"
Unattended-Upgrade::Automatic-Reboot-Time "04:00";

// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False