Unattended Upgrades Policy for Ubuntu 24.04 Server
Install unattended upgrades on Ubuntu 24.04 server — with explicit OPS control.
Production notice
This script configures automatic updates and optional automatic reboots.
Read and understand the policy modes before applying it on production systems.
Why this installer exists
Ubuntu already ships with unattended upgrades — but the defaults are a bear trap.
This installer exists to give OPS full control over:
- what gets updated
- when updates run
- whether systems reboot automatically
- how users are impacted
No hidden timers.
No silent defaults.
No surprises.
What this installer does
✔ Installs required packages (unattended-upgrades, update-notifier-common)
✔ Disables Ubuntu’s automatic APT timers
✔ Enforces one explicit update policy (mode 1–4)
✔ Configures unattended-upgrades accordingly
✔ Creates a controlled cron job
✔ Backs up original configuration files once, in-place
✔ Can be safely re-run to switch policies
✔ Does NOT enable automatic package removal (apt autoremove)
What this installer does NOT do
It won’t stop you from running the script without reading the documentation like there’s no tomorrow.
Skip the README, and whatever happens next is your headache, not a bug report.
Supported systems
- Ubuntu 24.04 Server
- Designed for servers, not desktops
- Not intended for containers or Docker images
Before you run the script
Update package metadata manually:
apt update
This is intentionally not done by the script.
Installation
Clone the repository:
git clone https://git.x-files.dk/server/auto-update-ubuntu.git
Change into the directory:
cd auto-update-ubuntu
Usage
The script is non-interactive and argument-driven.
You must select exactly one mode:
sudo ./auto-update-ubuntu <mode>
Example:
sudo ./auto-update-ubuntu 1
Available modes
Mode 1
- Security and software updates
- Automatic reboot
- Reboot happens even if users are logged in
Mode 2
- Security and software updates
- No automatic reboot
- Users are notified on next login if a reboot is required
Mode 3
- Security updates only
- Automatic reboot
- Reboot happens even if users are logged in
Mode 4
- Security updates only
- No automatic reboot
- Users are notified on next login if a reboot is required
Running the script again with a different mode will overwrite the previous policy.
Cron schedule
Updates are executed via cron:
- Every Friday at 03:00
- Command executed:
apt update && unattended-upgrade -v
The cron file is managed at:
/etc/cron.d/updatesystem
Re-running the script will always reassert this schedule.
Backups and rollback
Full rollback (restore Ubuntu defaults)
This rollback fully returns the system to Ubuntu’s default unattended-upgrades behavior.
It restores the original configuration files, removes the OPS-controlled cron job, and hands scheduling control back to Ubuntu’s built-in APT timers.
Partial rollback is not recommended.
1. Restore original configuration files
sudo cp /etc/apt/apt.conf.d/20auto-upgrades.orig /etc/apt/apt.conf.d/20auto-upgrades
sudo cp /etc/apt/apt.conf.d/50unattended-upgrades.orig /etc/apt/apt.conf.d/50unattended-upgrades
Restart unattended-upgrades:
sudo systemctl restart unattended-upgrades.service
2. Re-enable Ubuntu’s default APT timers (important)
This script disables and masks Ubuntu’s automatic APT timers to ensure OPS-controlled scheduling.
To restore Ubuntu defaults:
sudo systemctl unmask apt-daily.service apt-daily-upgrade.service
sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
3. Remove the OPS-controlled cron job
sudo rm -f /etc/cron.d/updatesystem
sudo systemctl restart cron.service
Important note about collisions
Do not run Ubuntu’s APT timers and this cron job at the same time.
Doing so may result in:
- concurrent APT locks
- unpredictable update timing
- reboots outside approved maintenance windows
Choose one scheduling mechanism only.
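An added check for the collision described above (example code, not part of this repository): it reports whether the cron job, Ubuntu's APT timers, or both are live on a host. The cron path and timer unit names come from this README; the function names, the --audit flag, and recognising the job as any uncommented line that mentions unattended-upgrade are assumptions of the example.

```shell
#!/bin/sh
# Added example: report which update scheduler(s) are live on this host.
CRON_FILE="${CRON_FILE:-/etc/cron.d/updatesystem}"  # path given in the README
TIMERS="apt-daily.timer apt-daily-upgrade.timer"    # units from the rollback steps

# cron_job_present FILE: true if FILE has an uncommented line that runs
# unattended-upgrade (assumption: that is how the job is recognised).
cron_job_present() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*unattended-upgrade' "$1" 2>/dev/null
}

# timer_armed UNIT: true if UNIT starts at boot or is running right now.
# A timer that was disabled without --now stays active until the next reboot.
timer_armed() {
    case "$(systemctl is-enabled "$1" 2>/dev/null)" in
        enabled*) return 0 ;;
    esac
    systemctl is-active --quiet "$1" 2>/dev/null
}

# verdict CRON TIMERS: each argument is 0 or 1; prints one word.
verdict() {
    case "$1$2" in
        10) echo cron-only ;;    # what this installer sets up
        01) echo timers-only ;;  # Ubuntu default, e.g. after a full rollback
        11) echo collision ;;    # both live: lock contention, off-window reboots
        *)  echo unscheduled ;;  # neither: the host is not patching itself
    esac
}

# audit: print the finding; exit status 0 only when exactly one scheduler is live.
audit() {
    cron=0; timers=0
    if cron_job_present "$CRON_FILE"; then cron=1; fi
    for unit in $TIMERS; do
        if timer_armed "$unit"; then timers=1; fi
    done
    state=$(verdict "$cron" "$timers")
    echo "update scheduling: $state (cron=$cron timers=$timers)"
    [ "$state" = cron-only ] || [ "$state" = timers-only ]
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then audit; fi
```

Invoked with --audit, it exits non-zero on a collision or when neither scheduler is live, so it can gate a configuration-management run.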
Operational notes
- The script is silent on success
- Invalid or missing arguments cause a hard failure
- No defaults are assumed
- All configuration is authoritative, not incremental
This is a policy tool, not a wizard.
More Information
More guides and documentation can be found on wiki.x-files.dk
License
Licensed under the MIT License.