Ubuntu — Enable Unattended Upgrades

unattended-upgrades automatically installs security updates in the background. It is pre-installed on Ubuntu but not always fully enabled. This guide covers enabling it, the key configuration knobs, and how to verify it is working.

Pre-requisites

  • Ubuntu 20.04 or later
  • sudo access

1. Install (if missing)

sudo apt install unattended-upgrades

On most Ubuntu installations this is already present. Skip this step if dpkg -l unattended-upgrades shows it as installed.


2. Enable

sudo dpkg-reconfigure -plow unattended-upgrades

Select Yes. This writes /etc/apt/apt.conf.d/20auto-upgrades with the correct defaults:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

The value is the interval in days. "1" = daily.


3. Configure

The main config file is /etc/apt/apt.conf.d/50unattended-upgrades. Edit it with:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Update sources

By default only security updates are applied. To also include standard updates, uncomment:

"${distro_id}:${distro_codename}-updates";

Automatic reboot

If an update requires a reboot (e.g. kernel updates), this controls what happens:

Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";

Reboot on servers

Automatic-Reboot "true" on a production server means it will reboot at 02:00 after kernel updates — with no warning. Keep "false" unless you accept that.

Package blacklist

Block specific packages from automatic updates (useful for databases, custom kernels):

Unattended-Upgrade::Package-Blacklist {
    "linux-";
    "postgresql-";
};

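Each entry is a regular expression matched from the start of the package name, so "linux-" covers every package whose name begins with linux-. Use $ to match exact names: "libc6$" matches libc6 but not libc6-dev.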

Email notifications

Requires a working mail client (msmtp, postfix, etc.):

Unattended-Upgrade::Mail "you@example.com";
Unattended-Upgrade::MailReport "on-change";

MailReport options: "always" | "only-on-error" | "on-change"


4. Verify

Dry run — shows what would be upgraded without applying anything:

sudo unattended-upgrade --dry-run -v

Check the log after the next scheduled run:

sudo tail -f /var/log/unattended-upgrades/unattended-upgrades.log

A successful run looks like:

2026-05-24 02:17:01,123 INFO Starting unattended upgrades script
2026-05-24 02:17:04,456 INFO Packages that will be upgraded: ...
2026-05-24 02:17:30,789 INFO All upgrades installed

If the log shows "No packages found that can be upgraded" — your system is up to date, which is the correct outcome.
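
A scripted version of the checks in this section, added here as an example (it is not part of the original guide or of the unattended-upgrades project): it reads the two APT::Periodic values and classifies the most recent run in the log. The function names and the never/ok/error labels are assumptions of this example, and the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): health check for the files named above.

# Print the value of APT::Periodic::<KEY> in FILE; "0" if unset or commented out.
periodic_value() {   # periodic_value FILE KEY
    v=$(sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" 2>/dev/null | tail -n 1)
    echo "${v:-0}"
}

# Classify the most recent run in LOGFILE: never | ok | error.
last_run_status() {  # last_run_status LOGFILE
    [ -r "$1" ] || { echo never; return 0; }
    awk '/INFO Starting unattended upgrades script/ { seen = 1; err = 0; next }
         seen && $3 == "ERROR" { err = 1 }   # field 3 is the log level
         END { if (!seen) print "never"; else if (err) print "error"; else print "ok" }' "$1"
}

# Return 0 only if both periodic jobs are enabled and the last run logged no ERROR.
audit() {            # audit AUTO_UPGRADES_FILE LOGFILE
    rc=0
    for key in Update-Package-Lists Unattended-Upgrade; do
        val=$(periodic_value "$1" "$key")
        if [ "$val" = "0" ]; then
            echo "FAIL APT::Periodic::$key is disabled or unset"; rc=1
        else
            echo "ok   APT::Periodic::$key = $val"
        fi
    done
    status=$(last_run_status "$2")
    if [ "$status" = "ok" ]; then
        echo "ok   last run finished without ERROR lines"
    else
        echo "FAIL last run status: $status"; rc=1
    fi
    return "$rc"
}

# Constructed sample input so the check runs offline. On a real host call:
#   audit /etc/apt/apt.conf.d/20auto-upgrades /var/log/unattended-upgrades/unattended-upgrades.log
demo=$(mktemp -d)
printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
              'APT::Periodic::Unattended-Upgrade "1";' > "$demo/20auto-upgrades"
printf '%s\n' '2026-05-24 02:17:01,123 INFO Starting unattended upgrades script' \
              '2026-05-24 02:17:30,789 INFO All upgrades installed' > "$demo/uu.log"
audit "$demo/20auto-upgrades" "$demo/uu.log"
```

On a real host, run it with sudo, as the tail command above does, so the log is readable; an unreadable or freshly rotated log is reported as never.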


Key Files

File                                        Purpose
/etc/apt/apt.conf.d/20auto-upgrades         Enable/disable + frequency
/etc/apt/apt.conf.d/50unattended-upgrades   Behaviour config (reboot, email, blacklist)
/var/log/unattended-upgrades/               Run logs