I have unattended-upgrades set up, but some packages are not being auto-updated.
root@survey:/home/martin# apt update
root@survey:/home/martin# unattended-upgrade -v --dry-run
Initial blacklisted packages:
Initial whitelisted packages:
Starting unattended upgrades script
Allowed origins are: o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-updates, o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial
No packages found that can be upgraded unattended and no pending auto-removals
root@survey:/home/martin# /usr/lib/update-notifier/apt-check -p
python-rfc3339
python-zope.hookable
python-configargparse
python-zope.component
The configuration of origins in /etc/apt/apt.conf.d/50unattended-upgrades:
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-updates";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESM:${distro_codename}";
};
The pending packages come, to the best of my knowledge, from the official Ubuntu repository (Launchpad link), so I don't see a reason why they would not be picked up by unattended-upgrade.
The output of the command does say that "No packages found that can be upgraded unattended and no pending auto-removals".
Is there a case where a package is picked up by the tool, comes from an allowed source, but for some reason is not allowed to be upgraded unattended? What further steps can I take to find out why some packages are not eligible?
Best Answer
I believe you are missing 20auto-upgrades and should first implement it properly to see if that fixes your issue before moving on. You can see that this is an important step in the Automatic Upgrades documentation.
If you have that file and it is still not working, you can try figuring out what's keeping the packages back. I prefer Origins-Pattern to Allowed-Origins, which is different from the documentation, but has worked well for me:
Here is an example of the critical 'Pattern' component in 50unattended-upgrades:
This is an example that doesn't restrict based on the repository:
You will only want either Origins-Pattern or Allowed-Origins and not both. This is more clear and documented in Debian's Unattended Upgrades documentation.
Try enabling just this, which is only the Security updates. Test that it works and add your other patterns, one by one, until you add each and verify that each update doesn't break your dry run testing.
I'd also recommend specifying Ubuntu and writing completely different configuration files for Debian systems, if you have a mix.
Be sure you aren't holding any packages that could prevent updates:
Be sure that you can install the updates normally, or that apt is configured to prioritize each release type correctly:
Some updates will require a machine reboot and you will have to decide if you do that manually, or allow apt to restart the machine at a given time when required by updates.
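One way to check what is keeping a package back, added here as an example that is not part of the original answer or of unattended-upgrades itself: it compares the release fields of a package's candidate version against the "Allowed origins are:" line from the dry run. The exact-field matching is a simplified model (an assumption), and the `apt-cache policy` samples, `example-pkg` and its versions are constructed.

```python
import re

SRC = re.compile(r"\d+ (\S+ \S+) \S+ Packages$")  # "500 URL suite/comp arch Packages"
REPO = re.compile(r"^\s*\d+ (\S+ \S+) \S+ Packages\n\s*release (\S+)$", re.M)

def fields(text):  # 'o=Ubuntu,a=xenial' -> {'o': 'Ubuntu', 'a': 'xenial'}
    return dict(f.split("=", 1) for f in text.split(","))

def candidate_sources(pkg_policy):
    """Sources listed under the Candidate version in `apt-cache policy <pkg>` output."""
    cand = re.search(r"Candidate: (\S+)", pkg_policy).group(1)
    sources, active = [], False
    for line in pkg_policy.splitlines():
        line = line.strip().lstrip("* ")
        m = SRC.match(line)
        if m and active:
            sources.append(m.group(1))
        elif not m and re.match(r"\S+ \d+$", line):  # version header "1.0-2 500"
            active = line.split()[0] == cand
    return sources

def explain(pkg_policy, global_policy, allowed_line):
    """Map each candidate source to True if its release matches an allowed origin."""
    allowed = [fields(e) for e in allowed_line.split(", ")]
    repos = {src: fields(rel) for src, rel in REPO.findall(global_policy)}
    return {src: any(all(repos.get(src, {}).get(k) == v for k, v in a.items())
                     for a in allowed)
            for src in candidate_sources(pkg_policy)}

ALLOWED = ("o=Ubuntu,a=xenial, o=Ubuntu,a=xenial-updates, "
           "o=Ubuntu,a=xenial-security, o=UbuntuESM,a=xenial")  # from the dry run above
# Constructed sample output; example-pkg and its versions are hypothetical
GLOBAL = """\
 500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial-proposed,n=xenial,l=Ubuntu,c=universe,b=amd64
 500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
     release v=16.04,o=Ubuntu,a=xenial,n=xenial,l=Ubuntu,c=universe,b=amd64
"""
PKG = """\
example-pkg:
  Installed: 1.0-1
  Candidate: 1.0-2
  Version table:
     1.0-2 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/universe amd64 Packages
 *** 1.0-1 500
        500 http://archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
        100 /var/lib/dpkg/status
"""
```

On a real system, pass the output of `apt-cache policy` and `apt-cache policy <package>` in place of the constructed strings; a source mapped to `False` is one whose archive is not covered by the configured origins.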