Activate automatic updates on the Raspberry Pi

Posted on : Posted in : Hardware (EN)|Software (EN)

Automatic updates on a Raspberry Pi are – in addition to other tweaks that I have presented here – particularly useful to ensure the security of the system. Regular updates close known security gaps and keep the operating system stable and up-to-date. Important security patches are installed automatically without manual intervention, which minimizes the attack surface for hackers and malware. In combination with email notifications, you are always informed when an update has been carried out or a problem has occurred. This ensures maximum security and reduces maintenance costs. And this is how it works:

1. Install and activate unattended upgrades:

First we update the apt Package Manager and update existing packages:

sudo apt update && sudo apt upgrade -y && sudo reboot

After the reboot, install the necessary package…

sudo apt install unattended-upgrades -y

…and then activate the automatic updates:

sudo dpkg-reconfigure --priority=low unattended-upgrades

2. Configuration of **unattended-upgrades**:

Open the configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Here you can customize the update options and ensure which updates are installed. I use this configuration (lines starting with // are commented out/disabled):

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates"; // this line enables regular package updates from the Debian archive
// "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian"; // this line enables non-security updates labeled as 'Debian' from the Debian archive
        "origin=Debian,codename=${distro_codename},label=Debian-Security"; // this line enables security updates from the Debian archive
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security"; // this line enables security updates from the Debian archive
        "origin=Raspbian,codename=${distro_codename},label=Raspbian"; // this line enables non-security updates labeled as 'Raspbian' from the Raspbian archive
        "origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation"; // this line enables non-security updates labeled as 'Raspberry Pi Foundation' from the Raspberry Pi Foundation archive

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
// "o=Debian,a=stable";
// "o=Debian,a=stable-updates";
// "o=Debian,a=proposed-updates";
// "o=Debian backports,a=${distro_codename}-backports,l=Debian backports";
};

In addition, it makes sense to allow an automatic reboot after the installation of the updates, for this the following line must be in the file 50unattended-upgrades:

Unattended-Upgrade::Automatic-Reboot "true";

As I don’t want to miss any shooting stars or other exciting events at night, I have set the time for the reboot to 11:00 am:

Unattended-Upgrade::Automatic-Reboot-Time "11:00";

3. Configuration of the automatic updates:

Open the file “/etc/apt/apt.conf.d/20auto-upgrades”:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Add the following lines:

APT::Periodic::Update-Package-Lists "7";
APT::Periodic::Unattended-Upgrade "7";
APT::Periodic::Download-Upgradeable-Packages "7";
APT::Periodic::AutocleanInterval "14";

These settings ensure that the system checks for updates once a week, downloads them and installs them automatically. A wipe is performed every 14 days. The intervals can of course be adjusted as required.

5. Setting up e-mail notifications:

To receive e-mail notifications about updates that have been carried out, you must install the file

6. Set up e-mail notifications:

To receive e-mail notifications about updates that have been carried out, you must edit the file “/etc/apt/apt.conf.d/50unattended-upgrades”, for example with

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Search for the section `// Send email` and activate it:

Unattended-Upgrade::Mail "your-email@example.com";

You can also specify that emails are only sent in the event of problems by activating this line:

Unattended-Upgrade::MailOnlyOnError "true";

7. Testing the e-mail notifications:

Test if the email sending works by sending a test email:

echo "test message" | mail -s "test subject" your-email@example.com

8. Restart the services:

To ensure that all changes have been applied, restart the service:

sudo systemctl restart unattended-upgrades

With these steps, automatic updates and e-mail notifications are set up on your Raspberry Pi. And if, contrary to expectations, there are problems with an update, you will receive a notification.

9. Check unattended-upgrades:

A dry run with the command checks whether everything is set up properly and working:

sudo unattended-upgrades --dry-run --debug

Enjoyed this post?

You can support allsky-rodgau.de with a small coffee on BuyMeACoffee.

Buy me a coffee!