I grew up when computers were major purchases with four-digit price tags. As technology advanced, perfectly capable laptops could be found for three digits. That was a major psychological barrier in my mind, and now I have another adjustment to make: today we can get a full-fledged PC (new or used) for well under a hundred bucks. Affordable enough that we can set up these general-purpose machines for a single specialized role and leave them alone.

I've had a few Raspberry Pis around the house running specialized tasks like OctoPi and a TrueNAS replication target, and I've always known that I've been slacking off on keeping those systems updated. Security researchers and malicious actors are in a never-ending game to one-up each other, so it's important to keep up with security updates. The good news is that Ubuntu comes with an automated update mechanism called unattended-upgrades, so many security patches are applied without anyone logging in. However, its default settings only install packages from the -security pocket, and it never reboots on its own, even when a patch (a new kernel, for example) only takes effect after a reboot. Ubuntu chose these defaults to be least disruptive to actively used computers.

But what about task-specific machines that see infrequent user logins? We can configure unattended-upgrades to be more aggressive. I went searching for more information and found a lot of coverage on this topic. I chose to start with this very old and frequently viewed AskUbuntu thread "How do I enable automatic updates?" The top two answer links lead to the "AutomaticSecurityUpdates" page on help.ubuntu.com, and to "Automatic updates" in the Ubuntu Server package management documentation. Browsing beyond official Ubuntu resources, I found "How to Install & Configure Unattended-Upgrades on Ubuntu 20.04" on LinuxCapable.com to be a pretty good overview.

For my specific situation, the highlights are:

  • The configuration file is /etc/apt/apt.conf.d/50unattended-upgrades. It is a package-owned conffile, so edits there trigger a "keep or replace?" prompt whenever the unattended-upgrades package itself is upgraded; putting overrides in a separate file in the same directory that sorts after it (apt reads the directory in lexical order) avoids that. The periodic run itself is switched on in /etc/apt/apt.conf.d/20auto-upgrades (APT::Periodic::Unattended-Upgrade "1").
  • Look at the Allowed-Origins entry up top. The line that ends with "-security" is active (as expected) and the line that ends with "-updates" is commented out. Uncomment that line to automatically pick up all stable updates, not just security fixes.
  • In order to pick up fixes that require a reboot, let unattended-upgrades reboot the machine as needed by setting Unattended-Upgrade::Automatic-Reboot to "true". It only reboots when a package has left /var/run/reboot-required behind. Set Unattended-Upgrade::Automatic-Reboot-Time (for example "02:00") to pick a quiet hour instead of rebooting immediately after the run, and note that Unattended-Upgrade::Automatic-Reboot-WithUsers defaults to "true", so set it to "false" if a logged-in session should hold off the reboot.
  • (Optional) The stock apt-daily-upgrade.timer is a persistent systemd timer, so a run missed while the machine was asleep fires on the next wake. For computers that sleep most of the day and where that timing does not suit, add an entry in the root cron table (sudo crontab -e) that runs /usr/bin/unattended-upgrade (singular, unlike the package name) at a time inside the machine's waking window.
  • (Optional) There are several lines about automatically cleaning up unused packages and dependencies: Unattended-Upgrade::Remove-Unused-Kernel-Packages, Remove-New-Unused-Dependencies and Remove-Unused-Dependencies. Setting them to "true" reduces the chance of filling the disk with old kernels.
  • Log files are written to /var/log/unattended-upgrades: unattended-upgrades.log for what was considered and installed, unattended-upgrades-dpkg.log for the dpkg output, and unattended-upgrades-shutdown.log for the reboot/shutdown hook.
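The steps above, pulled together into a script (an added example, not from the original post or from the unattended-upgrades project). It writes the overrides to a drop-in file rather than editing 50unattended-upgrades, so the package-shipped conffile stays untouched. The drop-in name 52unattended-upgrades-local is my own choice; any name that sorts after 50unattended-upgrades works. Lists in apt.conf accumulate across files, so the drop-in only adds the -updates origin instead of restating the whole Allowed-Origins block. The rendering and validation are plain functions so the fragment can be inspected without root; nothing is written unless the script is run as `sudo ./script.sh --apply [HH:MM]`.

```bash
#!/usr/bin/env bash
# Added example: headless-box overrides for unattended-upgrades on Ubuntu.
# Assumes the stock /etc/apt/apt.conf.d layout. DROPIN is an arbitrary
# file name chosen to sort after 50unattended-upgrades.
set -eu

DROPIN=/etc/apt/apt.conf.d/52unattended-upgrades-local
PERIODIC=/etc/apt/apt.conf.d/20auto-upgrades

# Emit the override fragment. The heredoc delimiter is quoted so that
# ${distro_id} and ${distro_codename} reach apt unexpanded; apt fills
# them in ("Ubuntu", "jammy", ...) when it parses the file.
render_config() {
    reboot_time="${1:-03:00}"
    cat <<'EOF'
// Local overrides for unattended-upgrades on a headless machine.
// apt.conf.d is read in lexical order, so these win over the defaults
// in 50unattended-upgrades. Lists accumulate, so only the extra origin
// is listed here; the -security origins from the stock file remain.
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-updates";
};
// Clean up so old kernels do not fill the disk.
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
// Reboot when /var/run/reboot-required appears, but only at the set
// time and not while someone is logged in.
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
EOF
    printf 'Unattended-Upgrade::Automatic-Reboot-Time "%s";\n' "$reboot_time"
}

# Reject a fragment that is missing the settings we care about or that
# has a statement without its terminating ';' (apt refuses to parse
# such a file and unattended-upgrades then does nothing at all).
validate_config() {
    text="$1"
    printf '%s\n' "$text" | grep -q 'distro_codename}-updates";' || return 1
    printf '%s\n' "$text" | grep -q 'Automatic-Reboot "true";' || return 1
    # Every non-blank, non-comment line must end in ';' or open a block.
    ! printf '%s\n' "$text" \
        | grep -vqE '^[[:space:]]*(//.*)?$|;[[:space:]]*$|[{][[:space:]]*$' \
        || return 1
    return 0
}

# Write the drop-in, make sure the daily run is enabled, then show the
# merged configuration and a dry run so the result can be checked.
apply_config() {
    reboot_time="${1:-03:00}"
    text="$(render_config "$reboot_time")"
    validate_config "$text" || { echo "refusing to write invalid config" >&2; return 1; }
    printf '%s\n' "$text" > "$DROPIN"
    chmod 0644 "$DROPIN"
    printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > "$PERIODIC"
    # apt-config dump prints what apt actually parsed from every file.
    apt-config dump | grep -E 'Unattended-Upgrade::(Allowed-Origins|Automatic-Reboot|Remove)'
    # --dry-run reports what would be installed without changing anything.
    unattended-upgrade --dry-run --debug
}

# Only touch the system when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    apply_config "${2:-03:00}"
fi
```

After applying, `journalctl -u apt-daily-upgrade.service` and /var/log/unattended-upgrades/unattended-upgrades.log should show the -updates packages being picked up on the next run; the reboot, if one is needed, lands at the Automatic-Reboot-Time you passed.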