Caution
Setting up automatic updates can lead to a broken system. If this happens and the Pi does not boot (after an attempted reboot), the next update won't fix the problem. It has happened to me.
The best practice is to wait a week or two after an update is released to make sure there are no show-stopper bugs or regressions. This is not possible if you use unattended upgrade.
You may want to make periodic disk images as backups in an attached USB drive. This way you can restore the MicroSD card from the image file using another computer and the Imager app.
Install unattended-upgrades
Open a terminal and enter the command:
sudo apt install unattended-upgrades
The default setting will look for updates every night and install them.
Basic Configuration
Edit the file: /etc/apt/apt.conf.d/50unattended-upgrades
Uncomment (remove //) or add the following lines:
Unattended-Upgrade::Origins-Pattern {
"origin=Debian,codename=${distro_codename}-updates";
"origin=Debian,codename=${distro_codename},label=Debian";
"origin=Debian,codename=${distro_codename},label=Debian-Security";
"origin=Raspbian,codename=${distro_codename},label=Raspbian";
"origin=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";
};
The last two lines with Raspbian and Raspberry Pi are the most important ones. I am not sure if you need the Debian ones. I have them and so far I have not had any issues. YMMV.
Autoremove
To set up autoremove, look for these lines in the above file:
// Do automatic removal of unused packages after the upgrade
// (equivalent to apt-get autoremove)
//Unattended-Upgrade::Remove-Unused-Dependencies "false";
Uncomment the third line above and make it look like:
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Reboot if needed
Periodically, updates need a restart of the Pi to take effect. This is particularly true for kernel updates. Look for these lines in the above file:
// Automatically reboot *WITHOUT CONFIRMATION* if
// the file /var/run/reboot-required is found after the upgrade
//Unattended-Upgrade::Automatic-Reboot "false";
Uncomment the third line above and make it look like:
Unattended-Upgrade::Automatic-Reboot "true";
If you want to reboot the Pi at a fixed time at night, such as at 2:00 AM, only if a reboot is needed, look for these lines:
// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
// Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Uncomment the fourth line above and make it look like:
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
Note: Some have said that reboot does not work in unattended-upgrades. If you find this is the case, see a workaround below under the Advanced Configuration.
Reference: https://www.linuxcapable.com/how-to-enable-configure-unattended-upgrades-on-debian-11/
Also see Configuring `unattended-upgrades` on Raspbian Stretch
Advanced Configuration
Reduce Upgrade Frequency
Upgrade takes place every morning by the default configuration. To change it to weekly upgrade, edit the file /etc/apt/apt.conf.d/20auto-upgrades:
APT::Periodic::Unattended-Upgrade "7";
Note, unattended-upgrades does not allow for setting a specific day, such as Monday, for the upgrade. The "7" above sets the interval of upgrades to 7 days.
Change the upgrade time of the day
The default time of unattended upgrade is randomly set between 6 and 7 AM. The default randomization is needed so that the computers using this app do not overload the upgrade repositories by trying to get updates at exactly the same time.
To set the upgrade time to 4:00 AM, use the following command to create the file /etc/systemd/system/apt-daily-upgrade.timer.d/override.conf:
sudo systemctl edit apt-daily-upgrade.timer
This will open a blank file if none exists. Enter the following lines:
[Timer]
OnCalendar=
OnCalendar=04:00
RandomizedDelaySec=0
Save and exit the editor. See the Debian documentation for the explanation.
Add Other Repositories
So far unattended-upgrades is configured to upgrade applications that exist only in the official repositories. Sometimes we install software that is in special repositories not included in the default system.
I have no experience with Pi-Hole and Zerotier. As far as I can tell Pi-Hole does not use the apt system for upgrade. As a result it cannot be (easily) included in the unattended-upgrades configuration.
As far as I can tell Zerotier adds a PPA in the file /etc/apt/sources.list.d/zerotier.list
The line in that file looks something like:
http://download.zerotier.com/debian/RELEASE RELEASE main
Where RELEASE is the OS nickname, maybe buster or bullseye for Pi.
You would like to add an origin and archive to the file /etc/apt/apt.conf.d/50unattended-upgrades. To find what those are for your PPAs, open the folder /var/lib/apt/lists/, which is the storage area for state information for each package resource. What you are looking for is the files that begin with "Zerotier" and end with "Release" in the name.
As I don't have Zerotier, I will give the example of "Google Chrome"
Open one with your text editor, i.e. for Google Chrome:
sudo nano /var/lib/apt/lists/dl.google.com_linux_chrome_deb_dists_stable_Release
You will see something like:
Origin: Google, Inc.
Label: Google
Suite: stable
Codename: stable
Version: 1.0
Date: Thu, 17 Nov 2011 19:09:01 +0000
Architectures: i386 amd64
Components: main
Description: Google chrome-linux repository.
The origin is obvious (Origin: Google, Inc.) and the archive will be whatever is in the line Suite (Suite: stable).
If either Origin or Suite is missing then they will be the empty string. But note that if both are missing then probably it will not be possible to use that source with unattended upgrades without including other sources with the same issue.
After you have noted those 2 lines you need to edit the /etc/apt/apt.conf.d/50unattended-upgrades file and add the lines using this format:
"o=<origin>,a=<archive>";
for this example's sake:
"o=Google\, Inc.,a=stable";
See commented out similar lines in the file to determine where the above line should go.
Reboot using crontab
Some have reported that automated reboot configuration in unattended-upgrades does not work as intended. If that is the case you may want to use a bash script and crontab to reboot the Pi if and when needed by unattended-upgrade.
Stop Unattended-Upgrades from restarting the computer
Right now Unattended-Upgrades is set up to restart the computer at 2:00 AM if the update requires a restart. This step will stop this behavior.
Step: edit the file /etc/apt/apt.conf.d/50unattended-upgrades
Inside the file look for the line:
Unattended-Upgrade::Automatic-Reboot "true";
and make it look like:
Unattended-Upgrade::Automatic-Reboot "false";
Create a bash script to check if restart is required and do it if needed
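The script below checks if the file reboot-required exists and if so, it reboots the computer immediately. Let's call this file reboot_if_needed.sh.
#!/bin/bash
# Reboot only when an upgrade has left the reboot-required flag file behind.
if [ -f /var/run/reboot-required ]; then
    # This line goes to stdout, which the cron entry appends to the log file.
    echo "$(date) System restart required by: $(cat /var/run/reboot-required.pkgs)"
    /sbin/reboot now
fi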
Save this file as /opt/bin/reboot_if_needed.sh
Make this file executable:
sudo chmod +x /opt/bin/reboot_if_needed.sh
Explanation
When the script runs and the file /var/run/reboot-required exists it will output some text that will be captured in a log file /var/log/reboot_history.log. Then the system will restart.
Schedule reboot_if_needed.sh every night at 2:00 AM
Note, even though the script is to run every night, the Pi will not be rebooted every night. It will be rebooted only when it is required by the upgrade.
We want to run the script with administrator privileges. So we use sudo:
sudo crontab -e
This command will open the crontab file for the root user if one exists, or create a blank new file. Add the following line at the end of the file:
0 02 * * * /opt/bin/reboot_if_needed.sh >> /var/log/reboot_history.log
Save the file and exit the text editor.
For more details on rebooting with crontab for unattended-upgrades see this answer in Ask Ubuntu
I have unattended-upgrade running for about a year in Buster, and a few weeks in Bullseye. Once my system got screwed up by a bad update. Otherwise it has been working fine.
Hope this helps
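The Release-file lookup described under "Add Other Repositories", as an added example that is not part of the original answer: it reads Origin and Suite from a Release file and prints the matching "o=<origin>,a=<archive>"; line. The function names and the sample file are constructed here; a comma inside a value is written as \, because unattended-upgrades otherwise treats it as the separator between fields.

```shell
#!/bin/sh
# Added example: build an Origins-Pattern entry from an apt Release file.

# release_field FILE FIELD: print the value of the first "FIELD: value" line.
release_field() {
    awk -v key="$2" '
        BEGIN { FS = ": *" }
        $1 == key { sub(/^[^:]*: */, ""); sub(/[ \t\r]+$/, ""); print; exit }
    ' "$1"
}

# origins_pattern FILE: print the "o=<origin>,a=<archive>"; line for FILE.
# A comma inside a value is written as "\," so it is not read as a separator.
# A missing field becomes the empty string; if both are missing, fail.
origins_pattern() {
    origin=$(release_field "$1" Origin | sed 's/,/\\,/g')
    suite=$(release_field "$1" Suite | sed 's/,/\\,/g')
    if [ -z "$origin" ] && [ -z "$suite" ]; then
        echo "no Origin or Suite in $1" >&2
        return 1
    fi
    printf '"o=%s,a=%s";\n' "$origin" "$suite"
}

# Constructed sample with the Origin and Suite values shown in the answer.
write_sample() {
    cat > "$1" <<'EOF'
Origin: Google, Inc.
Label: Google
Suite: stable
Codename: stable
Components: main
EOF
}

# With arguments: treat each as a Release file. Without: run on the sample.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do origins_pattern "$f"; done
else
    tmp=$(mktemp)
    write_sample "$tmp"
    origins_pattern "$tmp"
    rm -f "$tmp"
fi
```

Pass it the Release files under /var/lib/apt/lists/ and compare each printed line with the file it came from before adding it to 50unattended-upgrades.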
unattended-upgrades. Unless you have PPAs setting it up is not that difficult. – user68186 Dec 10 '21 at 22:24
unattended-upgrades isn't capable of determining if a reboot is required, what is the point, exactly? – Seamus Dec 11 '21 at 16:19
unattended upgrades creates a file if reboot is required, and it gets deleted on reboot. The existence of that file in RPi shows that the app is "capable of determining if reboot is required" There are use cases where you may not want a server to reboot automatically, but continue to run until it is convenient to reboot. See my answer below for an alternate method of automatic reboot when needed. – user68186 Jan 07 '22 at 23:55
unattended-upgrades is a good idea - certainly it's not for me personally. This opinion is based on a risk-reward comparison for my RPi use-case. I'm just not that bothered to spend a few minutes every week or so to manually update & upgrade. YMMV. – Seamus Jan 08 '22 at 08:22