How to Manage System Updates Using `unattended-upgrades` on Debian 12 Bookworm

This guide explains how to set up, configure, and manage automatic updates using unattended-upgrades on a Debian 12 Bookworm system.

Keeping your system up to date is crucial for ensuring security, stability, and access to the latest features. In environments where manual updates are impractical—such as servers, virtual machines, or embedded systems—automating system updates can be a game changer. Debian provides a robust and efficient tool to help with this: unattended-upgrades.

In this article, we’ll explore how to set up, configure, and manage automatic updates using unattended-upgrades on a Debian 12 Bookworm system. Whether you’re a system administrator managing dozens of machines or a home user looking to improve your system’s security posture, this guide will walk you through the process step-by-step.


📌 What is unattended-upgrades?

unattended-upgrades is a package provided by Debian and other Debian-based systems that allows you to automatically install updated packages, especially security updates, without user intervention. It can be fine-tuned to handle only the updates you trust (e.g., security updates only, or all updates), log its actions, and even reboot the system if required.


🔧 Prerequisites

Before we begin, ensure that:

  • You are using Debian 12 Bookworm.
  • You have sudo privileges or are logged in as root.
  • Your system is connected to the internet.

Let’s get started.


📥 Step 1: Install unattended-upgrades

Although unattended-upgrades is included in the Debian repositories, it may not be installed by default.

To install it, run:

sudo apt update
sudo apt install unattended-upgrades

Optionally, also install apt-listchanges, which shows the changelogs of packages before they are updated:

sudo apt install apt-listchanges

⚙️ Step 2: Enable Unattended Upgrades

After installing the package, you need to configure APT to allow automatic updates. Debian provides a convenient command to help enable automatic updates:

sudo dpkg-reconfigure unattended-upgrades

This command will prompt you with a dialog asking whether you want to enable automatic updates. Select “Yes” to proceed.

This creates a configuration file located at:

/etc/apt/apt.conf.d/20auto-upgrades

You should see contents similar to:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

These two lines tell the system to update package lists and perform unattended upgrades daily.


🧾 Step 3: Understand and Customize Configuration

The main configuration file for unattended-upgrades is:

/etc/apt/apt.conf.d/50unattended-upgrades

Let’s walk through some important configuration options inside this file.

✅ Allowed Origins

This determines which types of updates will be installed. By default, only security updates are allowed:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        // "${distro_id}:${distro_codename}-updates";
        // "${distro_id}:${distro_codename}-proposed";
        // "${distro_id}:${distro_codename}-backports";
};

You can uncomment the -updates line to allow general package updates (not just security):

"${distro_id}:${distro_codename}-updates";

⚠️ Be cautious with enabling proposed or backports unless you know what you’re doing—they may introduce instability.

🔐 Automatically Remove Unused Dependencies

Enable the removal of automatically installed dependencies that are no longer required:

Unattended-Upgrade::Remove-Unused-Dependencies "true";

🔁 Auto-Reboot Options

If updates require a reboot (e.g., kernel upgrades), you can configure the system to reboot automatically:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:00";

With these settings the system reboots at 3 AM only when an installed update requires it, which is useful for headless or remote servers.

📤 Email Notifications

You can have the system email you when updates are performed:

Unattended-Upgrade::Mail "you@example.com";
Unattended-Upgrade::MailOnlyOnError "true";

Make sure your system is configured with a working mail transfer agent (MTA) like postfix or exim4 if you want to receive these notifications.


🧪 Step 4: Test Unattended Upgrades

To verify your configuration and test how unattended-upgrades would behave, run:

sudo unattended-upgrade --dry-run --debug

This will simulate the upgrade process and print detailed logs to the terminal without actually installing anything. It’s a great way to catch misconfigurations early.


📅 Step 5: Schedule and Automate the Process

The schedule for unattended-upgrades is controlled by APT::Periodic settings, conventionally kept in:

/etc/apt/apt.conf.d/10periodic

If it doesn’t exist, you can create it. Here’s a recommended configuration:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

This configuration does the following:

  • Updates the package list daily.
  • Downloads upgradable packages daily.
  • Removes cached .deb files older than 7 days.
  • Runs unattended upgrades daily.

You can adjust the numbers to change the frequency.
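To see how the settings from Steps 2, 3 and 5 combine, the following added example (not code from the guide or from the unattended-upgrades project) parses a constructed apt.conf-style fragment, honours `//` comments, expands `${distro_id}`/`${distro_codename}` with Debian 12 values, and reports whether the daily run is enabled and which repository origins would be accepted.

```python
import re

# Constructed sample: the 20auto-upgrades lines from Step 2 and the Allowed-Origins
# block from Step 3, in one string (not a real file from any system).
SAMPLE_CONF = r'''
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}-security";
        // "${distro_id}:${distro_codename}-updates";
        // "${distro_id}:${distro_codename}-backports";
};
Unattended-Upgrade::Automatic-Reboot "true";
'''

# apt.conf accepts // and # line comments; strip them before matching.
def strip_comments(text):
    return "\n".join(re.sub(r"(//|#).*$", "", line) for line in text.splitlines())

# Scalar `Key "value";` or list `Key { "a"; "b"; };`; the nested-brace alternative
# keeps ${distro_id}-style variables inside list items intact.
ENTRY_RE = re.compile(r'([\w:.-]+)\s*(?:"([^"]*)"|\{((?:[^{}]|\{[^{}]*\})*)\})\s*;')

def parse_apt_conf(text):
    """Return {key: str-or-list} for the subset of apt.conf syntax used in the guide."""
    conf = {}
    for m in ENTRY_RE.finditer(strip_comments(text)):
        key, scalar, block = m.groups()
        conf[key] = scalar if block is None else re.findall(r'"([^"]*)"', block)
    return conf

def expand(pattern, distro_id="Debian", distro_codename="bookworm"):
    # unattended-upgrade fills these from the running system; defaults here are Debian 12 values
    return pattern.replace("${distro_id}", distro_id).replace("${distro_codename}", distro_codename)

def allowed_origins(conf, **distro):
    return [expand(p, **distro) for p in conf.get("Unattended-Upgrade::Allowed-Origins", [])]

def is_origin_allowed(conf, origin, archive, **distro):
    """'origin:archive' entries are compared against the repository's Origin and Suite."""
    return f"{origin}:{archive}" in allowed_origins(conf, **distro)

def periodic_enabled(conf):
    """True when both APT::Periodic knobs from Step 2 are non-zero, i.e. the daily run is on."""
    keys = ("APT::Periodic::Update-Package-Lists", "APT::Periodic::Unattended-Upgrade")
    return all(conf.get(k, "0") not in ("0", "") for k in keys)

if __name__ == "__main__":
    conf = parse_apt_conf(SAMPLE_CONF)
    print(periodic_enabled(conf), allowed_origins(conf), is_origin_allowed(conf, "Debian", "bookworm-updates"))
```

Point `parse_apt_conf` at the contents of a real `/etc/apt/apt.conf.d/50unattended-upgrades` to audit which origins a host actually trusts; the commented-out -updates and -backports lines stay blocked until uncommented.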


📁 Step 6: Check Logs and Update Status

The logs for unattended upgrades are stored in:

/var/log/unattended-upgrades/

To check what has been installed recently:

cat /var/log/unattended-upgrades/unattended-upgrades.log

For a more detailed view including package decisions and errors:

cat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log

You can also check the status using:

systemctl status unattended-upgrades.service

This gives you a quick overview of whether the service is active or if any errors have occurred.
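Reading unattended-upgrades.log by hand does not scale past a few hosts. The following added example (not code from the guide or from the unattended-upgrades project) splits a constructed log in that file's timestamp/level/message layout into individual runs and lists the ones that failed or never reached the completion marker, which is the input a monitoring alert would want.

```python
import re

# Constructed sample in the layout of /var/log/unattended-upgrades/unattended-upgrades.log
# (timestamp, level, message); the package names and times are made up.
SAMPLE_LOG = """\
2024-06-10 06:17:01,512 INFO Starting unattended upgrades script
2024-06-10 06:17:01,513 INFO Allowed origins are: Debian:bookworm-security
2024-06-10 06:17:08,250 INFO Packages that will be upgraded: libssl3 openssl
2024-06-10 06:17:30,900 INFO All upgrades installed
2024-06-11 06:19:02,001 INFO Starting unattended upgrades script
2024-06-11 06:19:09,770 INFO Packages that will be upgraded: linux-image-amd64
2024-06-11 06:19:41,000 ERROR Installing the upgrades failed!
2024-06-12 06:20:00,010 INFO Starting unattended upgrades script
2024-06-12 06:20:05,300 INFO No packages found that can be upgraded unattended and no pending auto-removals
"""

LINE_RE = re.compile(r"^(\S+ \S+) (DEBUG|INFO|WARNING|ERROR) (.*)$")

def summarize_runs(log_text):
    """Split the log into runs and record what each run upgraded and whether it completed."""
    runs = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tracebacks and other continuation lines carry no timestamp
        ts, level, msg = m.groups()
        if msg.startswith("Starting unattended upgrades script"):
            runs.append({"started": ts, "packages": [], "errors": [], "warnings": [], "completed": False})
            continue
        if not runs:
            continue  # log rotated mid-run: ignore lines before the first start marker
        run = runs[-1]
        if msg.startswith("Packages that will be upgraded:"):
            run["packages"] = msg.split(":", 1)[1].split()
        elif msg == "All upgrades installed" or msg.startswith("No packages found"):
            run["completed"] = True
        elif level == "ERROR":
            run["errors"].append(msg)
        elif level == "WARNING":
            run["warnings"].append(msg)
    return runs

def runs_needing_attention(runs):
    """Runs that logged an error or never reached a completion marker (crash, power loss, hang)."""
    return [r for r in runs if r["errors"] or not r["completed"]]

if __name__ == "__main__":
    for r in runs_needing_attention(summarize_runs(SAMPLE_LOG)):
        print(r["started"], "packages:", r["packages"], "errors:", r["errors"])
```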


🧼 Optional: Clean Up Old Kernels

Although unattended-upgrades can remove unused packages, old kernels may linger if not explicitly removed. You can clean them up with:

sudo apt autoremove --purge

To automate this, consider adding it to a cron job or systemd timer.


🧰 Troubleshooting Tips

Problem: Updates are not being applied

  • Check if the 20auto-upgrades file is correctly configured.
  • Make sure the unattended-upgrades service is enabled and running.

Problem: System is not rebooting after kernel updates

  • Verify that Automatic-Reboot is set to "true" and a time is configured.
  • Ensure that reboot-required packages (like linux-image) are being installed.

Problem: Not receiving email notifications

  • Confirm that an MTA is installed and properly configured.
  • Check spam folders or mail logs in /var/log/mail.log.

🧭 Best Practices

  • Security First: At minimum, keep security updates automated.
  • Backups: Always keep regular system backups before applying automatic changes.
  • Monitoring: Set up logging and notifications to stay informed of changes.
  • Manual Reviews: Periodically audit the configuration and update policies.

🏁 Conclusion

Automating system updates with unattended-upgrades in Debian 12 Bookworm is a smart way to maintain a secure and stable system with minimal intervention. While the default settings focus on security updates, the flexibility of the tool allows you to tailor it to fit various operational needs.

Whether you’re running a single machine or managing a fleet of servers, adopting unattended upgrades reduces the risk of missing critical updates and gives you peace of mind. Just remember to test your setup, monitor logs, and pair it with good system hygiene like regular backups and kernel cleanup.