Unattended Upgrade – Fix Unattended Upgrade Ignoring Some Packages

aptunattended-upgradesupgrade

I have unattended-upgrades set up, but some packages are not being auto-updated.

root@survey:/home/martin# apt update

root@survey:/home/martin# unattended-upgrade -v --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-updates, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
No packages found that can be upgraded unattended and no pending auto-removals

root@survey:/home/martin# /usr/lib/update-notifier/apt-check -p
python-rfc3339
python-zope.hookable
python-configargparse
python-zope.component

The configuration of origins in /etc/apt/apt.conf.d/50unattended-upgrades:

Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-updates";
        "${distro_id}:${distro_codename}-security";
        "${distro_id}ESM:${distro_codename}";
};

The pending packages come, to my best knowledge, from the official ubuntu repository (Launchpad link), so I don't see a reason why it would not be picked up by unattended-upgrade.

The output of the command does say that

No packages found that can be upgraded unattended and no pending auto-removals.

Is there a case where a package is picked up by the tool, comes from an allowed source, but for some reason is not allowed to be upgraded unattended? What further steps can I do to find out why some packages are not eligible?

Best Answer

I believe you are missing 20auto-upgrades and should first implement it properly to see if that fixes your issue before moving on. You can see that this is an important step in the Automatic Upgrades documentation.

$ cat /etc/apt/apt.conf.d/20auto-upgrades 
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

If you have that file and it is still not working, you can try figuring out what's keeping the packages back. I prefer Origins-Pattern to Allowed-Origins, which is different from the documentation, but has worked well for me:

$ vim /etc/apt/apt.conf.d/50unattended-upgrades
# You need to customize configuration

Here is an example of the critical 'Pattern' component in 50unattended-upgrades:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Ubuntu,a=stable";
//      "o=Ubuntu,a=stable-updates";
//      "o=Ubuntu,a=proposed-updates";
        "origin=Ubuntu,codename=${distro_codename}";
};

This is an example that doesn't restrict based on the repository:

Unattended-Upgrade::Origins-Pattern {
      "o=*";
}

You will only want either Origin-Patterns or Allowed-Origins and not both. This is more clear and documented in Debian's Unattended Upgrades documentation.

Try enabling just this, which is only the Security updates. Test that it works and add your other patterns, one by one, until you add each and verify that each updated doesn't break your dry run testing.

I'd also recommend specifying Ubuntu and writing completely different configuration files for Debian systems, if you have a mix.

Be sure you aren't holding any packages that could prevent updates:

$ sudo apt-mark showhold

Be sure that you can install the updates normally, or that apt is configured to prioritize each release type correctly:

$ cat /etc/apt/preferences.d/custom
Package: *
Pin: release a=bionic
# Only explicit installs
#Pin-Priority: 1001
# Explicit and dependencies
Pin-Priority: 900

Package: *
Pin: release a=testing
Pin-Priority: 399

Package: *
Pin: release a=unstable
Pin-Priority: -10

Some updates will require a machine reboot and you will have to decide if you do that manually, or allow apt to restart the machine at a given time when required by updates.

Related Solutions

APT – Resolve Heavy Load by APT Unattended-Upgrade

The functionality on unattended-upgrades is automatically enabled after the installation of 16.04 Xenial Server. I mistakenly didn't really disable it so observed the unexpected behaviors above. Method Two here I had followed is unlikely effective.

To properly disable the automatic updates, we need change the configuation on /etc/apt/apt.conf.d/20auto-upgrades from:

APT::Periodic::Unattended-Upgrade "1";

to:

APT::Periodic::Unattended-Upgrade "0";

APT-mark vs APT-pin for Version Locking – Which is More Reliable?

Yes, pinning is more reliable, than apt-mark.

What I have discovered:

last 12-14 years Synaptic uses its own pinning file (/var/lib/synaptic/preferences) - see bug 42178 on launchpad. For system-wide one may want to set symlink between /etc and Synaptic
```
sudo ln -s /etc/apt/preferences.d/synaptic /var/lib/synaptic/preferences
```
so it is workaround, locking versions in Synaptic is not recommended method (this file does not read by apt-get and aptitude).
Muon uses system-wide pin files per-application in /etc/apt/preferences.d.
aptitude has two bugs:
1. on 14.04 LTS it does not respect apt-mark completely (see my bug 1747189 at launchpad).
2. on 16.04 LTS holds, which were set by apt-mark are lost after clicking on Actions -> Cancel pending actions (see my bug 1747191 at launchpad).
but in 18.04 LTS aptitude do not have such bugs, it is great.

So my conclusion is the following: apt-mark is usable only if you install/remove/upgrade software only with apt-get, otherwise you should use pinning (i.e. /etc/apt/preferences.d/), it is more reliable and straightforward.

Note: to prevent package installation pin priority should be negative:

P < 0 :
prevents the version from being installed

for example Pin-Priority: -10.

Best Answer

Related Solutions

APT – Resolve Heavy Load by APT Unattended-Upgrade

APT-mark vs APT-pin for Version Locking – Which is More Reliable?

Related Question