# Unattended Upgrades Policy for Ubuntu 24.04 Server

![Ubuntu](https://img.shields.io/badge/Ubuntu-24.04-orange) [![Feature](https://img.shields.io/badge/feature-controlled_updates-0078D7)](#) ![License](https://img.shields.io/badge/License-MIT-green)

Install unattended upgrades on Ubuntu 24.04 server — with **explicit OPS control**.

> **Production notice**
> This script configures automatic updates and optional automatic reboots.
> Read and understand the policy modes before applying it on production systems.

---

## Why this installer exists

Ubuntu already ships with unattended upgrades — but the defaults are a bear trap.

This installer exists to give **OPS full control** over:

- what gets updated
- when updates run
- whether systems reboot automatically
- how users are impacted

No hidden timers. No silent defaults. No surprises.

---

## What this installer does

✔ Installs required packages (`unattended-upgrades`, `update-notifier-common`)  
✔ Disables Ubuntu’s automatic APT timers  
✔ Enforces **one explicit update policy (mode 1–4)**  
✔ Configures unattended-upgrades accordingly  
✔ Creates a controlled cron job  
✔ Backs up original configuration files **once**, in-place  
✔ Can be safely re-run to switch policies  
✔ Does **NOT** enable automatic package removal (`apt autoremove`)

---

## What this installer does NOT do

It won’t stop you from running the script without reading the documentation like there’s no tomorrow. Skip the README, and whatever happens next is your headache, not a bug report.

---

## Supported systems

- Ubuntu **24.04 Server**
- Designed for **servers**, not desktops
- Not intended for containers or Docker images

---

## Before you run the script

Update package metadata **manually**:

```
apt update
```

This is intentionally not done by the script.

---

## Installation

Clone the repository:

```
git clone https://git.x-files.dk/server/auto-update-ubuntu.git
```

Change into the directory:

```
cd auto-update-ubuntu
```

---

## Usage

The script is **non-interactive** and **argument-driven**.

You must select **exactly one mode**:

```
sudo ./auto-update-ubuntu
```

Example:

```
sudo ./auto-update-ubuntu 1
```

### Available modes

**Mode 1**

- Security **and** software updates
- Automatic reboot
- Reboot happens even if users are logged in

**Mode 2**

- Security **and** software updates
- No automatic reboot
- Users are notified on next login if a reboot is required

**Mode 3**

- Security updates only
- Automatic reboot
- Reboot happens even if users are logged in

**Mode 4**

- Security updates only
- No automatic reboot
- Users are notified on next login if a reboot is required

Running the script again with a different mode will **overwrite the previous policy**.

---

## Cron schedule

Updates are executed via cron:

- **Every Friday at 03:00**
- Command executed:

```
apt update && unattended-upgrade -v
```

The cron file is managed at:

```
/etc/cron.d/updatesystem
```

Re-running the script will always reassert this schedule.

---

## Backups and rollback

### Full rollback (restore Ubuntu defaults)

This rollback **fully returns the system to Ubuntu’s default unattended-upgrades behavior**.

It restores the original configuration files, removes the OPS-controlled cron job, and hands scheduling control back to Ubuntu’s built-in APT timers.

Partial rollback is **not recommended**.

---

### 1. Restore original configuration files

```
sudo cp /etc/apt/apt.conf.d/20auto-upgrades.orig /etc/apt/apt.conf.d/20auto-upgrades
sudo cp /etc/apt/apt.conf.d/50unattended-upgrades.orig /etc/apt/apt.conf.d/50unattended-upgrades
```

Restart unattended-upgrades:

```
sudo systemctl restart unattended-upgrades.service
```

---

### 2. Re-enable Ubuntu’s default APT timers (important)

This script disables and masks Ubuntu’s automatic APT timers to ensure OPS-controlled scheduling.

To restore Ubuntu defaults:

```
sudo systemctl unmask apt-daily.service apt-daily-upgrade.service
sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
```

---

### 3. Remove the OPS-controlled cron job

```
sudo rm -f /etc/cron.d/updatesystem
sudo systemctl restart cron.service
```

---

### Important note about collisions

Do **not** run Ubuntu’s APT timers **and** this cron job at the same time.

Doing so may result in:

- concurrent APT locks
- unpredictable update timing
- reboots outside approved maintenance windows

Choose **one scheduling mechanism only**.

---

## Operational notes

- The script is silent on success
- Invalid or missing arguments cause a hard failure
- No defaults are assumed
- All configuration is **authoritative**, not incremental

This is a **policy tool**, not a wizard.

---

### More Information

More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)

---

### License

Licensed under the [MIT License](./LICENSE).

---
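
The collision note in the rollback section can be checked mechanically after an install or a rollback. The following is an added example, not part of the installer or its repository: it classifies a host as `cron-only`, `timers-only`, `collision` or `none` (no scheduler at all, so no updates), using the cron path and timer names from this README. `TIMER_STATE_CMD` and the `--audit` flag are this example's own names, and only timer enablement is checked, not whether a timer was started by hand.

```shell
#!/bin/sh
# Added example (not part of the installer): report which update scheduler is live.
CRON_FILE="${CRON_FILE:-/etc/cron.d/updatesystem}"  # cron path from this README
TIMERS="apt-daily.timer apt-daily-upgrade.timer"    # timers from the rollback steps

# Print the "systemctl is-enabled" word for a unit (enabled, disabled, masked...).
# TIMER_STATE_CMD is this example's own hook for testing without systemd.
timer_state() {
    if [ -n "${TIMER_STATE_CMD:-}" ]; then
        "$TIMER_STATE_CMD" "$1"
    else
        systemctl is-enabled "$1" 2>/dev/null || true
    fi
}

# Print one of: cron-only, timers-only, collision, none.
classify() {
    cron=no; timers=no
    # The cron file counts only if it holds a line that is not blank or a comment.
    if [ -f "$CRON_FILE" ] && grep -Eqv '^[[:space:]]*(#|$)' "$CRON_FILE"; then
        cron=yes
    fi
    for unit in $TIMERS; do
        if [ "$(timer_state "$unit")" = "enabled" ]; then
            timers=yes
        fi
    done
    case "$cron/$timers" in
        yes/no)  echo cron-only ;;
        no/yes)  echo timers-only ;;
        yes/yes) echo collision ;;
        *)       echo none ;;
    esac
}

# Print the verdict; succeed only when exactly one scheduler is active.
audit() {
    state=$(classify)
    echo "update scheduler state: $state"
    case "$state" in
        cron-only|timers-only) return 0 ;;
        *) return 1 ;;
    esac
}

# "--audit" is this example's own flag, so sourcing the file runs nothing.
if [ "${1:-}" = "--audit" ]; then
    audit; exit $?
fi
```

A non-zero exit from `--audit` means either both schedulers are enabled or neither is, which makes it usable as a monitoring check.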