While Unattended-Upgrade::Automatic-Reboot "true"; makes unattended-upgrades reboot the machine as soon as it installs an update that requests one (a kernel, libc or similar), that immediate reboot can disrupt production workloads. Servers usually need to restart inside a defined maintenance window rather than whenever an upgrade run happens to finish.
unattended-upgrades can already delay the reboot on its own: with Automatic-Reboot "true", Automatic-Reboot-Time "HH:MM" makes it schedule the reboot for that time instead of rebooting immediately. If that is enough, use it. The more flexible approach, which also keeps the reboot decision outside of apt, is to turn the built-in reboot off and let a systemd timer own it:
# /etc/apt/apt.conf.d/50unattended-upgrades
// The timer below owns the reboot, so disable the built-in one
Unattended-Upgrade::Automatic-Reboot "false";
// Automatic-Reboot-Time is only honoured when Automatic-Reboot is "true",
// so it has no effect alongside the line above; it is the built-in
// alternative to the timer, not a companion to it
// Unattended-Upgrade::Automatic-Reboot-Time "00:00";
Create a systemd service that schedules the reboot when the flag file exists. ConditionPathExists lets systemd skip the run cleanly (no failed unit) when nothing is pending, and ExecStart takes a single command, not a shell pipeline joined with &&:
# /etc/systemd/system/check-reboot.service
[Unit]
Description=Check if reboot is required after updates
# Only run when a package has asked for a reboot (/var/run is a symlink to /run)
ConditionPathExists=/run/reboot-required
# Skip if a shutdown is already scheduled, so hourly runs do not re-announce it
ConditionPathExists=!/run/systemd/shutdown/scheduled
[Service]
Type=oneshot
# Schedule the reboot for the start of the maintenance window instead of rebooting now
ExecStart=/sbin/shutdown -r 00:00 "Rebooting for pending security updates"
Then add a timer to run this hourly; after saving both files, run systemctl daemon-reload and systemctl enable --now check-reboot.timer:
# /etc/systemd/system/check-reboot.timer
[Unit]
Description=Hourly check for pending reboot
[Timer]
OnCalendar=hourly
Persistent=true
[Install]
WantedBy=timers.target
For systems without systemd, use a cron job. Run it once, at the start of the window, rather than hourly: sysvinit's shutdown exits with an error when another shutdown is already pending, so repeating shutdown -r 00:00 every hour would fail after the first run and mail you about it.
# /etc/cron.d/check-reboot
0 0 * * * root test -f /run/reboot-required && shutdown -r now "Rebooting for pending security updates"
To test without waiting for real updates (on a host you can afford to reboot, since a successful test schedules a real reboot for 00:00):
# Simulate a pending reboot
sudo touch /run/reboot-required
# Check that the timer is scheduled
systemctl list-timers --all
# Manually trigger the check; "shutdown -c" afterwards cancels the reboot it schedules
sudo systemctl start check-reboot.service
Remove /run/reboot-required again when you are done, otherwise the next timer run schedules the reboot again.
- Ensure users receive advance notification of pending reboots
- Monitor /var/log/unattended-upgrades/ for update logs
- Consider implementing maintenance windows in larger environments
- For critical systems, implement a canary deployment strategy
While Unattended-Upgrade::Automatic-Reboot "true"; enables automatic reboots after updates, the immediate reboot behaviour can disrupt production systems. Servers often need to restart during maintenance windows rather than at random times.
We'll implement a two-phase approach:
- Disable immediate reboots in unattended-upgrades
- Create a scheduled job that checks for pending reboots
First, modify /etc/apt/apt.conf.d/50unattended-upgrades:
// Disable immediate rebooting; the scheduled job below decides when to reboot
Unattended-Upgrade::Automatic-Reboot "false";
// Optional, and only relevant if you keep Automatic-Reboot "true": this makes
// unattended-upgrades hold the reboot while users are logged in. It does not
// limit reboots to those required by updates; that is always the case.
Unattended-Upgrade::Automatic-Reboot-WithUsers "false";
Create /usr/local/bin/check-reboot-needed:
#!/bin/bash
# Reboot only if an update asked for one and we are inside the maintenance window.
# /var/run is a symlink to /run on current Debian/Ubuntu, so either path works.
if [ -f /run/reboot-required ]; then
    current_hour=$(date +%H)
    # Only reboot between 00:00 and 00:59 ([ -eq ] reads "00" as decimal 0)
    if [ "$current_hour" -eq 0 ]; then
        /sbin/shutdown -r now "Automatic reboot for pending updates"
    fi
fi
Make it executable: chmod +x /usr/local/bin/check-reboot-needed
Add to root's crontab (crontab -e):
# Check every 30 minutes for pending reboots
*/30 * * * * /usr/local/bin/check-reboot-needed
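As an added example, not code from the original page, here is a checker that folds together the two approaches above: the flag-file test, a maintenance window that may wrap past midnight (22:00 to 02:00, say), an optional logged-in-users hold that mirrors Automatic-Reboot-WithUsers, and a dry-run mode so the decision logic can be exercised on a workstation without rebooting it. The paths /run/reboot-required and /run/reboot-required.pkgs are the ones written by the Debian/Ubuntu maintainer scripts; the window defaults, the environment-variable names and the run/dry-run arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: maintenance-window reboot check
# with a dry-run mode. Intended for cron, e.g.
#   */30 * * * * root /usr/local/sbin/check-reboot run
set -eu

# Flag files written by Debian/Ubuntu package maintainer scripts (/var/run is a
# symlink to /run). The .pkgs file lists the packages that asked for a reboot.
FLAG="${REBOOT_FLAG:-/run/reboot-required}"
PKGS="${REBOOT_PKGS:-/run/reboot-required.pkgs}"

# Window is [START, END) in local hours; the defaults (assumed) mean 00:00-00:59.
WINDOW_START="${WINDOW_START:-0}"
WINDOW_END="${WINDOW_END:-1}"
# Mirrors Automatic-Reboot-WithUsers: set to 0 to hold the reboot while anyone is logged in.
ALLOW_WITH_USERS="${ALLOW_WITH_USERS:-1}"

# reboot_pending FLAGFILE -> exit 0 if an update has requested a reboot.
reboot_pending() {
    [ -f "$1" ]
}

# in_window HOUR START END -> exit 0 when HOUR (as printed by `date +%H`) lies in
# [START, END). A window with START > END wraps past midnight, e.g. 22 to 2.
in_window() {
    h=${1#0}; h=${h:-0}          # "08" -> 8 without the octal pitfall of $((08))
    s=$2; e=$3
    if [ "$s" -le "$e" ]; then
        [ "$h" -ge "$s" ] && [ "$h" -lt "$e" ]
    else
        [ "$h" -ge "$s" ] || [ "$h" -lt "$e" ]
    fi
}

# decide FLAGFILE HOUR START END -> prints noop | wait | reboot.
#   noop: nothing pending; wait: pending but outside the window; reboot: go.
decide() {
    if ! reboot_pending "$1"; then
        echo noop
    elif in_window "$2" "$3" "$4"; then
        echo reboot
    else
        echo wait
    fi
}

# main [dry] -> apply the decision for the current hour; with "dry", only report.
main() {
    dry=${1:-}
    verdict=$(decide "$FLAG" "$(date +%H)" "$WINDOW_START" "$WINDOW_END")
    if [ "$verdict" = reboot ] && [ "$ALLOW_WITH_USERS" = 0 ] && [ -n "$(who 2>/dev/null)" ]; then
        verdict="wait (users logged in)"
    fi
    case "$verdict" in
        reboot)
            pkgs=$( [ -f "$PKGS" ] && tr '\n' ' ' < "$PKGS" || true )
            msg="Rebooting for pending updates: ${pkgs:-unknown}"
            if [ -n "$dry" ]; then
                echo "dry-run: would run: shutdown -r now \"$msg\""
            else
                shutdown -r now "$msg"
            fi
            ;;
        *)
            echo "check-reboot: $verdict"
            ;;
    esac
}

# Only act when given an explicit mode, so the file can also be sourced for testing.
case "${1:-}" in
    run)     main ;;
    dry-run) main dry ;;
esac
```

Run it as check-reboot dry-run with the flag file touched to see the verdict for the current hour; the wraparound case in in_window is what lets a window like WINDOW_START=22 WINDOW_END=2 work, which a plain "hour equals 0" comparison cannot express.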
For more control, use a systemd timer instead of cron. Save it as /etc/systemd/system/check-reboot.timer next to a check-reboot.service whose ExecStart runs /usr/local/bin/check-reboot-needed; a timer starts the service of the same name by default.
# /etc/systemd/system/check-reboot.timer
[Unit]
Description=Check for pending reboots
[Timer]
# Fire once, at the start of the 00:00 window the script checks for
OnCalendar=*-*-* 00:00:00
# Run at the next boot if the machine was off at 00:00; the script's own hour
# check still prevents a reboot outside the window in that case
Persistent=true
[Install]
WantedBy=timers.target
Test your configuration with the commands below. If the current hour is 0 this really reboots the host, so run it on a machine you can afford to restart:
# Simulate a pending reboot (/var/run is a symlink to /run)
sudo touch /run/reboot-required
# Force an immediate check (for testing)
sudo /usr/local/bin/check-reboot-needed
Remove /run/reboot-required afterwards so the next scheduled run does not reboot the host for a test.
- Add email notifications before rebooting
- Implement maintenance mode to drain connections
- Consider using Kubernetes pod disruption budgets for containerized environments