2026-01-30 09:35:27 +01:00
# Unattended Upgrades Policy for Ubuntu 24.04 Server
![Ubuntu](https://img.shields.io/badge/Ubuntu-24.04-orange)
[![Feature](https://img.shields.io/badge/feature-controlled_updates-0078D7)](#)
![License](https://img.shields.io/badge/License-MIT-green)

Install unattended upgrades on Ubuntu 24.04 server — with **explicit OPS control**.
> **Production notice**
> This script configures automatic updates and optional automatic reboots.
> Read and understand the policy modes before applying it on production systems.
---
## Why this installer exists
Ubuntu already ships with unattended upgrades — but the defaults are a bear trap.

This installer exists to give **OPS full control** over:

- what gets updated
- when updates run
- whether systems reboot automatically
- how users are impacted

No hidden timers.

No silent defaults.

No surprises.

---
## What this installer does
- ✔ Installs required packages (`unattended-upgrades`, `update-notifier-common`)
- ✔ Disables Ubuntu's automatic APT timers
- ✔ Enforces **one explicit update policy (modes 1-4)**
- ✔ Configures unattended-upgrades accordingly
- ✔ Creates a controlled cron job
- ✔ Backs up original configuration files **once**, in-place
- ✔ Can be safely re-run to switch policies
- ✔ Does **NOT** enable automatic package removal (`apt autoremove`)

---
## What this installer does NOT do
It won't stop you from running the script without reading the documentation like there's no tomorrow.
Skip the README, and whatever happens next is your headache, not a bug report.

---
## Supported systems
- Ubuntu **24.04 Server**
- Designed for **servers**, not desktops
- Not intended for containers or Docker images
---
## Before you run the script
Update package metadata **manually**:
```
apt update
```
This is intentionally not done by the script.

---
## Installation
Clone the repository:
```
git clone https://git.x-files.dk/server/auto-update-ubuntu.git
```
Change into the directory:
```
cd auto-update-ubuntu
```
---
## Usage
The script is **non-interactive** and **argument-driven**.

You must select **exactly one mode**:
```
sudo ./auto-update-ubuntu <mode>
```
Example:
```
sudo ./auto-update-ubuntu 1
```
### Available modes
**Mode 1**

- Security **and** software updates
- Automatic reboot
- Reboot happens even if users are logged in

**Mode 2**

- Security **and** software updates
- No automatic reboot
- Users are notified on next login if a reboot is required

**Mode 3**

- Security updates only
- Automatic reboot
- Reboot happens even if users are logged in

**Mode 4**

- Security updates only
- No automatic reboot
- Users are notified on next login if a reboot is required

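
As an added example (not the project's script, whose contents are not shown here), the following POSIX shell function renders each of the four modes as the corresponding `unattended-upgrades` settings. The `Unattended-Upgrade::*` option names are real; the mode-to-option mapping is inferred from the descriptions above, and treating "software updates" as the `-updates` pocket is an assumption.

```shell
#!/bin/sh
# Added example, not the auto-update-ubuntu script itself: render one of the
# four README policy modes as unattended-upgrades settings. Option names are
# real Unattended-Upgrade::* keys; the mode-to-option mapping is inferred from
# the README, and "software updates" is assumed to mean the -updates pocket.

# Usage: render_policy <1|2|3|4>   (prints the policy fragment to stdout)
render_policy() {
    case "$1" in
        1) software=yes; reboot=true  ;;   # security + software, auto reboot
        2) software=yes; reboot=false ;;   # security + software, no reboot
        3) software=no;  reboot=true  ;;   # security only, auto reboot
        4) software=no;  reboot=false ;;   # security only, no reboot
        *) echo "render_policy: exactly one mode (1-4) is required" >&2
           return 1 ;;
    esac

    # Security pockets are allowed in every mode. Quoted heredoc: apt expands
    # ${distro_id}/${distro_codename} itself, so they must stay literal.
    cat <<'EOF'
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
EOF
    # Non-security software updates (the -updates pocket) only in modes 1 and 2.
    if [ "$software" = yes ]; then
        echo '    "${distro_id}:${distro_codename}-updates";'
    fi
    echo '};'

    # Reboot policy: modes 1 and 3 reboot even with users logged in; modes 2
    # and 4 leave /run/reboot-required for the login notice to pick up.
    printf 'Unattended-Upgrade::Automatic-Reboot "%s";\n' "$reboot"
    printf 'Unattended-Upgrade::Automatic-Reboot-WithUsers "%s";\n' "$reboot"

    # Never autoremove packages (the README explicitly does not enable this).
    echo 'Unattended-Upgrade::Remove-Unused-Dependencies "false";'
}

# When executed directly with a mode argument, print that mode's policy.
if [ "$#" -gt 0 ]; then
    render_policy "$1"
fi
```

Compare the output for two modes (for example `render_policy 1` and `render_policy 4`) against the installed `/etc/apt/apt.conf.d/50unattended-upgrades` to confirm which policy a host is actually running.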

Running the script again with a different mode will **overwrite the previous policy**.

---
## Cron schedule
Updates are executed via cron:
- **Every Friday at 03:00**
- Command executed:
```
apt update && unattended-upgrade -v
```
The cron file is managed at:
```
/etc/cron.d/updatesystem
```
Re-running the script will always reassert this schedule.

---
## Backups and rollback
### Full rollback (restore Ubuntu defaults)
This rollback **fully returns the system to Ubuntu's default unattended-upgrades behavior**.

It restores the original configuration files, removes the OPS-controlled cron job, and hands scheduling control back to Ubuntu's built-in APT timers.

Partial rollback is **not recommended**.

---
### 1. Restore original configuration files
```
sudo cp /etc/apt/apt.conf.d/20auto-upgrades.orig /etc/apt/apt.conf.d/20auto-upgrades
sudo cp /etc/apt/apt.conf.d/50unattended-upgrades.orig /etc/apt/apt.conf.d/50unattended-upgrades
```
Restart unattended-upgrades:
```
sudo systemctl restart unattended-upgrades.service
```
---
### 2. Re-enable Ubuntu's default APT timers (important)
This script disables and masks Ubuntu's automatic APT timers to ensure OPS-controlled scheduling.

To restore Ubuntu defaults:
```
sudo systemctl unmask apt-daily.service apt-daily-upgrade.service
sudo systemctl enable --now apt-daily.timer apt-daily-upgrade.timer
```
---
### 3. Remove the OPS-controlled cron job
```
sudo rm -f /etc/cron.d/updatesystem
sudo systemctl restart cron.service
```
---
### Important note about collisions
Do **not** run Ubuntu's APT timers **and** this cron job at the same time.

Doing so may result in:

- concurrent APT locks
- unpredictable update timing
- reboots outside approved maintenance windows

Choose **one scheduling mechanism only**.

---
## Operational notes
- The script is silent on success
- Invalid or missing arguments cause a hard failure
- No defaults are assumed
- All configuration is **authoritative**, not incremental

This is a **policy tool**, not a wizard.

---
### More Information
More guides and documentation can be found on [wiki.x-files.dk](https://wiki.x-files.dk)

---
### License
Licensed under the [MIT License](./LICENSE).

---