Automating Linux System Updates: A Starter Guide to Unattended Upgrades

A Starter Guide to Linux Unattended Upgrades

Keeping Linux systems updated with the latest security patches and bug fixes is crucial for maintaining system security and stability. However, manually updating dozens or hundreds of servers is time-consuming and error-prone. Unattended upgrades provide an automated solution for keeping systems current while maintaining control over what gets updated and when.

This guide covers implementing automated updates on both Ubuntu/Debian and AlmaLinux/RHEL systems, with best practices for different deployment scenarios.

Prerequisites

  • Root or sudo access on target systems
  • Understanding of your system’s update requirements
  • Test environment for validating updates before production deployment
  • Monitoring system to track update status and failures
  • Backup strategy in place for critical systems

Understanding Unattended Upgrades

Unattended upgrades automatically download and install system updates based on predefined criteria. The approach differs between distribution families:

Debian/Ubuntu Family:

  • Uses unattended-upgrades package
  • Configured via /etc/apt/apt.conf.d/ files
  • Focuses primarily on security updates by default

RHEL/AlmaLinux Family:

  • Uses dnf-automatic package (or yum-cron on older systems)
  • Configured via /etc/dnf/automatic.conf
  • Supports flexible update policies

Ubuntu/Debian Systems

Step 1: Install and Verify Unattended Upgrades

Check if the unattended upgrades package is already installed and running:

# Check service status
systemctl status unattended-upgrades

# Check if package is installed
dpkg -l | grep unattended-upgrades

Install if not present:

# Install unattended upgrades
sudo apt update
sudo apt install unattended-upgrades

# Enable the service
sudo systemctl enable unattended-upgrades
sudo systemctl start unattended-upgrades

Step 2: Configure Automatic Updates

Edit the main configuration file to enable automatic updates:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Basic Configuration:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Download-Upgradeable-Packages "1";

Configuration Explanation:

  • Update-Package-Lists: Update package lists daily (1 = daily, 0 = disabled)
  • Unattended-Upgrade: Enable automatic installation of upgrades
  • AutocleanInterval: Clean package cache weekly
  • Download-Upgradeable-Packages: Pre-download packages for faster installation

Step 3: Configure Upgrade Behavior

Edit the detailed configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Essential Configuration Options:

// Automatically upgrade packages from these origins
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

// Packages you may not want automatically upgraded. Entries are regular
// expressions matched against the start of the package name, so kernel
// packages must be listed under their Debian/Ubuntu names (linux-image-*,
// linux-headers-*); a "kernel*" entry matches nothing on these systems.
Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-headers-";
    "mysql*";
    "postgresql*";
    "nginx";
    "apache2";
};

// Automatically reboot if required
Unattended-Upgrade::Automatic-Reboot "false";

// Reboot time (if automatic reboot is enabled)
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Email notifications
Unattended-Upgrade::Mail "admin@yourdomain.com";
Unattended-Upgrade::MailOnlyOnError "true";

// Remove unused dependencies
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Keep debs after installation
Unattended-Upgrade::Keep-Debs-After-Install "false";

Production vs. Development Configurations

Development/Test Systems:

// More aggressive updates for testing
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

Critical Production Systems:

// Security updates only
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};


AlmaLinux/RHEL Systems

Step 1: Install DNF Automatic

Install and configure the DNF automatic update service:

# Install dnf-automatic
sudo dnf install dnf-automatic

# Enable and start the service
sudo systemctl enable dnf-automatic.timer
sudo systemctl start dnf-automatic.timer

# Check timer status
systemctl status dnf-automatic.timer

Step 2: Configure DNF Automatic

Edit the main configuration file:

sudo nano /etc/dnf/automatic.conf

Basic Configuration:

[commands]
# What kind of upgrade to perform:
# default                            = all available upgrades
# security                           = only the security upgrades
upgrade_type = security
# Maximum random delay in seconds before the run (here up to one hour), so a
# fleet of hosts does not hit the repositories at the same instant
random_sleep = 3600

# Whether available updates should be downloaded, and whether downloaded
# updates should then be applied
download_updates = yes
apply_updates = yes

[emitters]
# Name to use for this system in messages that are emitted
system_name = prod-server-01
emit_via = email,stdio

[email]
# The email emitter delivers over SMTP to email_host, so localhost needs a
# listening MTA (or point this at your mail relay)
email_from = dnf-automatic@yourdomain.com
email_to = admin@yourdomain.com
email_host = localhost

Step 3: Different Update Strategies

Security Updates Only (Recommended for Production):

[commands]
upgrade_type = security
apply_updates = yes
download_updates = yes
random_sleep = 3600

[base]
# Settings here override the corresponding values from dnf.conf
debuglevel = 1

Download Only Strategy:

[commands]
upgrade_type = security
apply_updates = no
download_updates = yes
random_sleep = 1800

Full Updates (Development/Test):

[commands]
upgrade_type = default
apply_updates = yes
download_updates = yes
random_sleep = 7200

Monitoring and Verification

Check Update Status

Ubuntu/Debian:

# Check unattended upgrades log
sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

# Check APT history
sudo tail -f /var/log/apt/history.log

# List available updates
sudo apt list --upgradable

# Simulate a run (downloads but does not install) to see what would be upgraded now
sudo unattended-upgrade --dry-run --debug

AlmaLinux/RHEL:

# Check dnf-automatic log
sudo journalctl -u dnf-automatic.service -f

# Check available updates
sudo dnf check-update

# Review update history
sudo dnf history

Verify Service Status

# Ubuntu/Debian
systemctl status unattended-upgrades

# AlmaLinux/RHEL
systemctl status dnf-automatic.timer
systemctl list-timers 'dnf-automatic*'
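A log check for the "alert on failed updates" requirement, as an added example that is not part of the original guide: it reads the unattended-upgrades log shown above, isolates the most recent run, and returns a non-zero status when that run logged ERROR or WARNING lines. The sample log lines it ships with are constructed, not captured from a real host, and the function names are my own.

```shell
# Summarise the most recent unattended-upgrades run from its log file: return
# 0 when it completed cleanly, 1 when it logged ERROR or WARNING lines, and 2
# when the log is missing or records no run. Function names are my own.

# Print only the lines of the last run: from the final "Starting unattended
# upgrades script" line to the end of the file.
uu_last_run() {
    awk '/Starting unattended upgrades script/ { buf = ""; seen = 1 }
         seen { buf = buf $0 "\n" }
         END { printf "%s", buf }' "$1"
}

check_uu_log() {
    log="${1:-/var/log/unattended-upgrades/unattended-upgrades.log}"
    [ -r "$log" ] || { echo "no readable log at $log"; return 2; }
    run=$(uu_last_run "$log")
    [ -n "$run" ] || { echo "no run recorded in $log"; return 2; }
    errors=$(printf '%s\n' "$run" | grep -c -E ' (ERROR|WARNING) ' || true)
    upgraded=$(printf '%s\n' "$run" | sed -n 's/.*Packages that will be upgraded: //p')
    echo "last run started: $(printf '%s\n' "$run" | head -n 1 | cut -d, -f1)"
    echo "packages upgraded: ${upgraded:-none}"
    [ "$errors" -eq 0 ] && return 0
    printf '%s\n' "$run" | grep -E ' (ERROR|WARNING) '
    return 1
}

# Constructed sample logs (not captured from a real host) so the check can run
# offline: "clean" is one good run, "failed" has two runs, the last one failing.
uu_sample_log() {
    f=$(mktemp)
    if [ "$1" = clean ]; then
        cat >"$f" <<'EOF'
2024-05-06 06:17:02,112 INFO Starting unattended upgrades script
2024-05-06 06:17:02,113 INFO Allowed origins are: o=Ubuntu,a=jammy-security
2024-05-06 06:17:09,540 INFO Packages that will be upgraded: libssl3 openssl
2024-05-06 06:17:41,207 INFO All upgrades installed
EOF
    else
        cat >"$f" <<'EOF'
2024-05-05 06:20:01,009 INFO Starting unattended upgrades script
2024-05-05 06:20:30,100 INFO All upgrades installed
2024-05-06 06:19:01,002 INFO Starting unattended upgrades script
2024-05-06 06:19:07,331 INFO Packages that will be upgraded: libxml2
2024-05-06 06:19:20,006 WARNING Package libxml2 has conffile prompt and needs to be upgraded manually
2024-05-06 06:19:20,010 ERROR Installing the upgrades failed!
EOF
    fi
    echo "$f"
}
```

On a real host, call `check_uu_log` with no argument to read the default log path and use its exit status in your cron or monitoring check.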

Best Practices and Considerations

Critical System Guidelines

Never Enable on Critical Production Systems Without Testing:

  • Database servers (MySQL, PostgreSQL, MongoDB)
  • Load balancers and reverse proxies
  • Container orchestration nodes
  • Financial or healthcare systems
  • Custom application servers

Safe for Automatic Updates:

  • Web servers with load balancing
  • Development and staging environments
  • Desktop workstations
  • Non-critical utility servers

Testing Strategy

  1. Staged Rollout:
    • Test environment first (full updates)
    • Staging environment (security updates)
    • Production environment (security only, after validation)
  2. Monitoring Requirements:
    • Set up log aggregation
    • Monitor system metrics post-update
    • Configure alerting for failed updates
  3. Rollback Planning:
    • Maintain system snapshots
    • Document rollback procedures
    • Keep package downgrade capabilities

Security Considerations

// Ubuntu: Restrict to security updates only
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

# AlmaLinux: Security updates with email notifications
[commands]
upgrade_type = security
[emitters]
emit_via = email
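As an added example (not part of the original guide), a small audit that reads the two configuration files edited above and reports where a host's policy is broader than this security-only profile: non-security origins or automatic reboot in 50unattended-upgrades, and a non-security upgrade_type in automatic.conf. Function names and the sample config are my own; the sample reproduces the development profile from earlier so the audit has something to flag.

```shell
# Audit the unattended-update policy a host has actually configured against
# the "security updates only" production profile above. Each audit function
# prints every deviation it finds and returns 1 if there was one, 0 for a
# security-only policy. Default paths are the files edited in this guide;
# the function names are my own.
# Ubuntu/Debian: print each entry of Unattended-Upgrade::Allowed-Origins.
apt_allowed_origins() {
    awk '/Unattended-Upgrade::Allowed-Origins[ \t]*[{]/ { inblk = 1; next }
         inblk && /^[ \t]*[}]/ { inblk = 0 }
         inblk && /^[ \t]*"/ { gsub(/^[ \t]*"|";.*$/, ""); print }' "$1"
}
audit_apt_policy() {
    cfg="${1:-/etc/apt/apt.conf.d/50unattended-upgrades}"; rc=0
    for origin in $(apt_allowed_origins "$cfg"); do
        case "$origin" in
            *-security) ;;
            *) echo "non-security origin enabled: $origin"; rc=1 ;;
        esac
    done
    grep -Eq '^[[:space:]]*Unattended-Upgrade::Automatic-Reboot[[:space:]]+"true"' "$cfg" &&
        { echo "automatic reboot is enabled"; rc=1; }
    return $rc
}
# AlmaLinux/RHEL: read one key from one [section] of the INI-style automatic.conf.
dnf_conf_get() {   # args: file section key
    awk -v s="[$2]" -v k="$3" '
        /^\[/ { insec = ($1 == s); next }
        insec && $0 ~ "^[ \t]*" k "[ \t]*=" { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}
audit_dnf_policy() {
    cfg="${1:-/etc/dnf/automatic.conf}"; rc=0
    [ "$(dnf_conf_get "$cfg" commands upgrade_type)" = security ] ||
        { echo "upgrade_type is not security"; rc=1; }
    [ "$(dnf_conf_get "$cfg" commands apply_updates)" = yes ] ||
        echo "note: updates are downloaded but not applied"
    return $rc
}
# Constructed sample (not a real host's file): the development apt profile
# from earlier in the guide, which the audit should flag. Prints its path.
sample_apt_dev_config() {
    f=$(mktemp); cat >"$f" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}:${distro_codename}-updates";
};
Unattended-Upgrade::Automatic-Reboot "true";
EOF
    echo "$f"
}
```

Run `audit_apt_policy` or `audit_dnf_policy` without arguments on a host to check its live files; a non-zero exit means the policy has drifted from security-only.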

Troubleshooting Common Issues

Updates Failing to Install

Check locks and conflicts:

# Ubuntu/Debian
sudo lsof /var/lib/dpkg/lock-frontend
sudo apt --fix-broken install

# AlmaLinux/RHEL
sudo dnf clean all
sudo dnf check

Service Not Running

Restart services:

# Ubuntu/Debian
sudo systemctl restart unattended-upgrades

# AlmaLinux/RHEL
sudo systemctl restart dnf-automatic.timer

Conclusion

Unattended upgrades provide essential automation for maintaining system security, but implementation requires careful consideration of your infrastructure needs. Security updates can generally be automated safely, while kernel and application updates should be tested thoroughly before production deployment.

Start with conservative settings focusing on security updates only, then gradually expand scope based on your testing results and operational requirements. Always maintain proper monitoring, backup procedures, and rollback capabilities when implementing automated update strategies.

Remember: automation should enhance security and reduce manual overhead, not replace proper change management and testing procedures.


NAXS LABS