What you will achieve
Automatic security patching on Ubuntu/Debian servers with configurable reboot windows and email notifications — set-and-forget for CVE response.
1) Install and enable
sudo apt install unattended-upgrades apt-listchanges
sudo dpkg-reconfigure -plow unattended-upgrades
2) Configure origins
Edit /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
"${distro_id}ESMApps:${distro_codename}-apps-security";
};
3) Auto-reboot policy
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:30";
On production boxes, schedule reboots outside peak hours or disable auto-reboot and monitor /var/run/reboot-required instead.
4) Dry run
sudo unattended-upgrades --dry-run --debug
Verify
systemctl status unattended-upgrades
grep unattended /var/log/apt/history.log
5) Email notifications
Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";
Requires a working local MTA or an ssmtp/msmtp relay; see the Postfix relay guide.
6) Blacklist packages
Unattended-Upgrade::Package-Blacklist {
"linux-image-*";
"postgresql-*";
};
7) Logging
grep unattended /var/log/apt/history.log
journalctl -u unattended-upgrades --since today
Debian differences
Debian uses the same package, but the default origins differ. Make sure the -security suite in Allowed-Origins matches the release you track (stable vs oldstable). On LTS Ubuntu, enable the ESM origins if you are subscribed.
Production tip
Pair unattended-upgrades with monitoring that alerts on /var/run/reboot-required — security patches applied but not rebooted still leave kernel CVEs exploitable until restart.
8) Phased rollout servers
Enable unattended-upgrades on a canary group first and monitor it for 24h before enabling it on database primaries; a kernel reboot while replication is lagging causes a brief blip.
Prerequisites
Ubuntu or Debian with apt. Working DNS and outbound HTTPS to security mirrors. Mail relay or monitoring if you need reboot notifications. Sudo for config edits in /etc/apt/apt.conf.d/.
Override confdef conffile prompts
DPkg::Options {
"--force-confdef";
"--force-confold";
};
Add to unattended-upgrades config so security updates do not stall on interactive conffile questions.
APT periodic settings
cat /etc/apt/apt.conf.d/20auto-upgrades
This should show APT::Periodic::Unattended-Upgrade "1"; without it, the package is installed but the timer never triggers upgrades.
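Added example, not part of the original guide: a small POSIX shell audit that reads the two fragments above and checks the settings this guide sets (periodic timer, -security origin, reboot policy, conffile options). The function names and the constructed sample fragments are my own; on a real host, apt-config dump is the authoritative view of the merged configuration, and this parser only reads the fragments you pass it.

```shell
#!/bin/sh
# Added example, not from the guide: a preflight audit of the settings the guide
# sets (security origins, reboot policy, conffile options, periodic timer), run
# against apt.conf.d fragments. File paths are parameters so the audit can run on
# constructed copies; on a real host pass /etc/apt/apt.conf.d/20auto-upgrades and
# /etc/apt/apt.conf.d/50unattended-upgrades.

# Constructed sample fragments mirroring the guide's snippets.
write_sample_configs() {   # write_sample_configs DIR
    cat > "$1/20auto-upgrades" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
    cat > "$1/50unattended-upgrades" <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
};
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:30";
DPkg::Options {
    "--force-confdef";
    "--force-confold";
};
EOF
}

# Value of a scalar setting such as Unattended-Upgrade::Automatic-Reboot "true";
apt_conf_get() {   # apt_conf_get FILE KEY
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*"\([^"]*\)";.*/\1/p' "$1" | tail -n 1
}

# Entries of a list block such as Unattended-Upgrade::Allowed-Origins { "..."; };
apt_conf_list() {   # apt_conf_list FILE KEY
    awk -v key="$2" '
        $0 ~ "^[[:space:]]*" key "[[:space:]]*[{]" { inblock = 1; next }
        inblock && /^[[:space:]]*[}];/               { inblock = 0 }
        inblock && match($0, /"[^"]*"/)              { print substr($0, RSTART + 1, RLENGTH - 2) }
    ' "$1"
}

# Check the guide's settings; prints one line per check and returns the failure count.
audit_unattended() {   # audit_unattended PERIODIC_FILE UU_FILE
    fails=0
    if [ "$(apt_conf_get "$1" 'APT::Periodic::Unattended-Upgrade')" = "1" ]; then
        echo "OK   periodic Unattended-Upgrade is enabled"
    else
        echo "FAIL APT::Periodic::Unattended-Upgrade is not \"1\": the timer never runs upgrades"
        fails=$((fails + 1))
    fi
    if apt_conf_list "$2" 'Unattended-Upgrade::Allowed-Origins' | grep -q 'security$'; then
        echo "OK   a -security origin is allowed"
    else
        echo "FAIL no -security suite in Allowed-Origins: CVE fixes will not be pulled"
        fails=$((fails + 1))
    fi
    reboot=$(apt_conf_get "$2" 'Unattended-Upgrade::Automatic-Reboot')
    rtime=$(apt_conf_get "$2" 'Unattended-Upgrade::Automatic-Reboot-Time')
    if [ "$reboot" = "true" ] && [ -z "$rtime" ]; then
        echo "FAIL Automatic-Reboot is on without a Reboot-Time: the host reboots right after patching"
        fails=$((fails + 1))
    else
        echo "OK   reboot policy: Automatic-Reboot=${reboot:-false} Reboot-Time=${rtime:-n/a}"
    fi
    if apt_conf_list "$2" 'DPkg::Options' | grep -q -- '--force-confdef'; then
        echo "OK   conffile prompts are suppressed"
    else
        echo "FAIL --force-confdef missing from DPkg::Options: runs can stall on conffile questions"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Stand-alone run: audit the two files given as arguments, else the constructed sample.
if [ $# -eq 2 ]; then
    audit_unattended "$1" "$2"
else
    d=$(mktemp -d); write_sample_configs "$d"
    audit_unattended "$d/20auto-upgrades" "$d/50unattended-upgrades"; rm -rf "$d"
fi
```

The exit status is the number of failed checks, so the script drops straight into a CI job or an Ansible task that gates the fleet rollout; a non-zero status from the periodic check in particular catches the common case where the package is installed but APT::Periodic::Unattended-Upgrade was never set.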
Landscape and enterprise
Ubuntu Advantage Landscape can override unattended-upgrades centrally: a homelab uses the local config, while enterprises push maintenance windows from the Landscape dashboard. For Debian without Landscape, an Ansible playbook that copies 50unattended-upgrades standardises the fleet. Test the reboot-required flag integration with monitoring, for example a Nagios check that the file /var/run/reboot-required exists, so that on-call is paged before the Tuesday patch reboot.
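Added example, not part of the original guide, covering the monitoring pairing from the production tip and the Nagios check above: a plugin-style shell check that returns OK/WARNING/CRITICAL for /var/run/reboot-required, escalating straight to CRITICAL when the pending package set includes a kernel. The function name, the 24h age threshold and the flag-path parameter are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the guide: a Nagios/Icinga-style check for the
# "patched but not rebooted" state. Exit codes follow the plugin convention
# (0 OK, 1 WARNING, 2 CRITICAL). The flag path is a parameter so the check can
# be exercised against constructed files; on a real host use the default.

# Usage: check_reboot_required [FLAG_FILE] [MAX_AGE_HOURS]
# Prints one status line and returns the plugin exit code.
check_reboot_required() {
    flag="${1:-/var/run/reboot-required}"
    max_age="${2:-24}"
    if [ ! -e "$flag" ]; then
        echo "OK: no pending reboot"
        return 0
    fi
    # The packages that requested the reboot are listed next to the flag (may be absent).
    pkgs=$(paste -s -d ' ' "${flag}.pkgs" 2>/dev/null || true)
    # Hours since the flag was written: how long the host has run with the old code in memory.
    now=$(date +%s)
    mtime=$(stat -c %Y "$flag" 2>/dev/null || stat -f %m "$flag")
    age_h=$(( (now - mtime) / 3600 ))
    # A pending kernel reboot means kernel CVEs are still live: page immediately.
    case "$pkgs" in
        *linux-image*)
            echo "CRITICAL: kernel update awaiting reboot for ${age_h}h (${pkgs})"
            return 2 ;;
    esac
    if [ "$age_h" -ge "$max_age" ]; then
        echo "CRITICAL: reboot pending for ${age_h}h, over the ${max_age}h window (${pkgs:-packages unknown})"
        return 2
    fi
    echo "WARNING: reboot pending for ${age_h}h (${pkgs:-packages unknown})"
    return 1
}

# Stand-alone run against the real flag; the exit code is the plugin status.
check_reboot_required "$@"
```

Drop the script into the plugins directory and define a service check for it; with Automatic-Reboot disabled on production, the WARNING state is the normal "reboot in the next window" signal and CRITICAL is what should page.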
Kernel autoremove pairing
Enable Unattended-Upgrade::Remove-Unused-Kernel-Packages and Unattended-Upgrade::Remove-New-Unused-Dependencies in the config; this stops /boot filling up with old kernels on an unattended cadence. Pair with APT::Periodic::AutocleanInterval for cache hygiene.
Testing on VM clone
Snapshot the VM, run unattended-upgrades --dry-run --debug, inspect the proposed package set, then run live and verify services. Clone again before promoting the config to the production fleet via the ansible copy module.
Inventory integration
Export the list of packages upgraded last night from auth.log and the apt history into the CMDB; this helps the security team correlate CVE announcements with the versions actually deployed, without manual ssh spot checks across dozens of VPS instances.
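Added example, not part of the original guide, serving both section 7 (logging) and the inventory export above: a shell/awk parser that turns the Upgrade: records unattended-upgrade writes to /var/log/apt/history.log into CSV rows (date, package, arch, old version, new version) for a CMDB import. The function names and the sample log are my own constructions.

```shell
#!/bin/sh
# Added example, not from the guide: convert apt's history.log into a CSV of
# (date, package, arch, old_version, new_version) suitable for a CMDB import.
# Only "Upgrade:" records from runs of unattended-upgrade are kept; manual apt
# installs are skipped so the export reflects the nightly patch cadence.

# Constructed sample in the format apt writes to /var/log/apt/history.log.
write_sample_history() {   # write_sample_history FILE
    cat > "$1" <<'EOF'
Start-Date: 2024-03-11  04:30:02
Commandline: /usr/bin/unattended-upgrade
Upgrade: openssl:amd64 (3.0.2-0ubuntu1.14, 3.0.2-0ubuntu1.15), libssl3:amd64 (3.0.2-0ubuntu1.14, 3.0.2-0ubuntu1.15)
End-Date: 2024-03-11  04:30:41

Start-Date: 2024-03-12  09:12:10
Commandline: apt install htop
Install: htop:amd64 (3.0.5-7build2)
End-Date: 2024-03-12  09:12:15

Start-Date: 2024-03-13  04:30:03
Commandline: /usr/bin/unattended-upgrade
Upgrade: curl:amd64 (7.81.0-1ubuntu1.15, 7.81.0-1ubuntu1.16)
End-Date: 2024-03-13  04:30:20
EOF
}

# Print one CSV row per upgraded package from the given history.log.
# Usage: history_to_csv /var/log/apt/history.log
history_to_csv() {
    awk '
        /^Start-Date:/  { date = $2; unattended = 0 }
        /^Commandline:/ { unattended = ($0 ~ /unattended-upgrade/) }
        /^Upgrade:/ && unattended {
            sub(/^Upgrade: /, "")
            # Records look like: pkg:arch (old, new), pkg:arch (old, new), ...
            n = split($0, recs, /\), */)
            for (i = 1; i <= n; i++) {
                rec = recs[i]
                sub(/\)$/, "", rec)
                if (rec == "") continue
                split(rec, parts, / \(/)       # "pkg:arch" | "old, new"
                split(parts[1], pa, ":")       # package | architecture
                split(parts[2], vers, /, */)   # old version | new version
                printf "%s,%s,%s,%s,%s\n", date, pa[1], pa[2], vers[1], vers[2]
            }
        }
    ' "$1"
}

# Stand-alone run: parse the log given as $1, else the constructed sample.
if [ -n "$1" ]; then
    history_to_csv "$1"
else
    sample=$(mktemp); write_sample_history "$sample"
    history_to_csv "$sample"; rm -f "$sample"
fi
```

Run it nightly after the upgrade window (history.log is rotated, so include history.log.1 when the window crosses logrotate) and ship the CSV to the CMDB; the new-version column is what the security team matches against the fixed version in a CVE advisory.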