rss logo

Configuring Automatic Updates in Debian

Debian Logo

When we (like me) have to manage a bunch of Debian servers, it can be challenging to keep them all up to date. This involves logging to each server individually, executing a few commands, and occasionally rebooting the system depending on the updates applied. To automate this process, we can use the unattended-upgrades tool. In this article, I will describe the way to use this tool to keep a Debian system up to date and how to configure it to send and email notification at the end of an update.


  • First, install the unattended-upgrades package:
root@host:~# apt update && apt install unattended-upgrades


Depending on the sensitivity of our servers, we can configure them to reboot automatically, to install only security updates, etc. Personally, I choose to install all updates and reboot the system as necessary.

  • Edit the /etc/apt/apt.conf.d/50unattended-upgrades file:
Unattended-Upgrade::Origins-Pattern { // The Recommended Updates are software changes, but not updates that will affect the security of your system. They tend to fix bugs and annoying problems. "origin=Debian,codename=${distro_codename}-updates"; // The proposed updates are updates which are waiting to be moved into the recommended updates queue after some testing. They may never reach recommended or they may be replaced with a more recent update. //"origin=Debian,codename=${distro_codename}-proposed-updates"; "origin=Debian,codename=${distro_codename},label=Debian"; "origin=Debian,codename=${distro_codename},label=Debian-Security"; "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; }; […] // Allow the system to restart automatically if necessary Unattended-Upgrade::Automatic-Reboot "true"; […] // If automatic reboot is enabled and needed, reboot at the specific // time instead of immediately // Default: "now" Unattended-Upgrade::Automatic-Reboot-Time "02:00";
  • Create or edit the /etc/apt/apt.conf.d/20auto-upgrades file to activate unattended-upgrades:
// Do "apt-get update" automatically every n-days (0=disable) APT::Periodic::Update-Package-Lists "1"; // Run the "unattended-upgrade" security upgrade script // every n-days (0=disabled) // Requires the package "unattended-upgrades" and will write // a log in /var/log/unattended-upgrades APT::Periodic::Unattended-Upgrade "1";
  • Run a debug to check everything is fine:
root@host:~# unattended-upgrade -d --dry-run

Modifying download and upgrade schedules

By default, the update will run twice daily at 6 AM and 6 PM, with upgrades scheduled for 6 AM. We can modify these settings by editing two systemd files.

Modifying the Download Scheduler

  • Edit the /etc/systemd/system/ file and replace the existing value with the desired one:
[Unit] Description=Daily apt download activities [Timer] OnCalendar=*-*-* 6,18:00 RandomizedDelaySec=12h Persistent=true [Install]

Modifying the upgrade scheduler

  • Edit the /etc/systemd/system/ file and replace value by the desired one:
[Unit] Description=Daily apt upgrade and clean activities After=apt-daily.timer [Timer] OnCalendar=*-*-* 6:00 RandomizedDelaySec=60m Persistent=true [Install]

Take modifications into account

  • Run this commands to take the changes into account:
root@host:~# systemctl daemon-reload && systemctl restart apt-daily-upgrade.timer && systemctl restart apt-daily.timer

Set up mail alerts

It can be useful to receive email reports to ensure that updates are correctly applied and to know when a server has been restarted to apply the latest updates. To achieve this, we must configure at least an SMTP client. In this article, I will show how to configure msmtp.

  • Install the msmtp package and set restrictive permissions on the /etc/msmtprc file:
root@host:~# apt update && apt install msmtp root@host:~# chmod 600 /etc/msmtprc
  • Edit the /etc/msmtprc file and adapt it to your mail server, for example in my case:
    • Mail server:
    • Protocol: smtps / TCP465
    • Login:
    • Password: MyWeakPassword
account STD #Mail Server : host port 465 from #LOGIN / PASSWORD user password MyWeakPassword auth on tls on tls_starttls on tls_trust_file /etc/ssl/certs/ca-certificates.crt tls_certcheck off logfile /var/log/msmtp account default : STD
  • Make msmtp the default program for sendmail:
root@host:~# ln -fs /usr/bin/msmtp /usr/sbin/sendmail
  • Edit the /etc/apt/apt.conf.d/50unattended-upgrades file:
// Send email to this address for problems or packages upgrades Unattended-Upgrade::Mail ""; […] // Replace on-change with always and run unattended-upgrade -d to test wether mail reports work Unattended-Upgrade::MailReport "on-change"; // Optionnal : Add Unattended-Upgrade value to specify From field Unattended-Upgrade::Sender "";
Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Contact :

contact mail address