How to Fix and Optimize Unattended-Upgrades on Ubuntu Server: A Complete Troubleshooting Guide


When automatic updates fail silently on Ubuntu Server, it is usually because the layers involved are not working together: the APT::Periodic switches in 20auto-upgrades, the policy in 50unattended-upgrades, and the systemd timers (or cron fallback) that actually trigger a run. The symptom is an empty /var/log/unattended-upgrades/ directory and timers that never fire, despite configuration files that look correct. Note that unattended-upgrades.service being inactive is not a symptom: that unit only exists to stop an in-progress run cleanly at shutdown, and the daily runs are driven by apt-daily.timer and apt-daily-upgrade.timer.

First, verify all required components are installed (update-notifier-common provides the /var/run/reboot-required flag that the Automatic-Reboot option relies on):

sudo apt-get install unattended-upgrades update-notifier-common

The most reliable way to test unattended upgrades is through dry-run mode:

sudo unattended-upgrade --dry-run --debug

This outputs detailed information about which updates would be applied and why others might be skipped.

Modern Ubuntu versions use these critical files:

/etc/apt/apt.conf.d/20auto-upgrades
/etc/apt/apt.conf.d/50unattended-upgrades

Sample working configuration for 20auto-upgrades (sudo dpkg-reconfigure -plow unattended-upgrades writes the first two lines for you):

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

For production servers, consider enabling only security updates initially. Because APT merges list options across every file in /etc/apt/apt.conf.d, a second Allowed-Origins block in another file is appended to the default list rather than replacing it, so edit the block in 50unattended-upgrades itself (or precede your own block with #clear Unattended-Upgrade::Allowed-Origins;):

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};

Enable verbose logging by creating /etc/apt/apt.conf.d/10logging:

Unattended-Upgrade::SyslogEnable "true";
Unattended-Upgrade::SyslogFacility "daemon";
Unattended-Upgrade::Verbose "true";

On systemd-based Ubuntu releases the daily run is not driven by cron: apt-daily.timer refreshes the package lists and apt-daily-upgrade.timer runs unattended-upgrade (/etc/cron.daily/apt-compat is only a fallback that exits immediately when systemd is running). Check that both timers are listed and have a scheduled next run:

systemctl list-timers --all

To hold back kernel updates while allowing others, use Package-Blacklist. Each entry is a Python regular expression matched against the start of the package name, so "linux-image-generic" only catches the metapackage; the versioned packages that actually carry the new kernel (linux-image-<version>-generic, linux-modules-<version>-generic, and so on) would still be upgraded. Prefix patterns cover all of them (the stock file suggests a bare "linux-" to hold back everything kernel-related):

Unattended-Upgrade::Package-Blacklist {
    "linux-image-";
    "linux-modules-";
    "linux-headers-";
};

Holding back kernels means the security fixes they carry are never applied automatically, so pair this with a separate patching schedule rather than leaving it in place indefinitely.
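To see what a blacklist entry will and will not catch before relying on it, here is an added example (written for this page, not part of unattended-upgrades) that emulates the anchored regular-expression match with grep -E and runs it over a constructed list of candidate package names. The package names are made up for the demonstration; the one assumption is that unattended-upgrades matches each entry at the start of the package name, as its default configuration file describes.

```bash
#!/bin/sh
# Added example: emulate unattended-upgrades' Package-Blacklist matching.
# Assumption: each entry is a regular expression matched against the START of
# the package name (Python re.match), so "^(entry)" in grep -E is equivalent
# for ordinary prefix patterns.
set -eu

# pkg_blacklisted PATTERN PKG -> exit 0 if PKG would be held back by PATTERN
pkg_blacklisted() {
    printf '%s\n' "$2" | grep -Eq "^($1)"
}

# held_back BLACKLIST PKG... -> print each PKG matched by any line of BLACKLIST
# (BLACKLIST is newline-separated, one regular expression per line)
held_back() {
    blacklist=$1
    shift
    for pkg in "$@"; do
        printf '%s\n' "$blacklist" | while IFS= read -r pattern; do
            [ -n "$pattern" ] || continue
            if pkg_blacklisted "$pattern" "$pkg"; then
                printf '%s\n' "$pkg"
                break
            fi
        done
    done
}

# Constructed upgrade candidates: a kernel update (metapackage plus the
# versioned packages that carry the new kernel) and two unrelated packages.
CANDIDATES='linux-image-generic linux-image-5.15.0-91-generic linux-modules-5.15.0-91-generic linux-headers-generic openssl libssl3'

# The metapackage name alone only catches the metapackage ...
echo '== blacklist "linux-image-generic" holds back:'
held_back 'linux-image-generic' $CANDIDATES

# ... while a prefix pattern catches every kernel package.
echo '== blacklist "linux-" holds back:'
held_back 'linux-' $CANDIDATES
```

Run it and compare the two lists: with the metapackage-only pattern the versioned kernel packages are still upgrade candidates, which is exactly the case the real run would install.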

Create a test script to verify the full workflow:

#!/bin/bash
# Refresh the package lists, simulate a run, and show the newest
# "Packages that will be upgraded" entry the simulated run wrote to the log.
sudo apt-get update
sudo unattended-upgrade -v --dry-run
sudo grep -i "Packages that will be upgraded" /var/log/unattended-upgrades/unattended-upgrades.log | tail -n 1

After configuration, run this diagnostic sequence. Keep --dry-run on the second command until the simulated run looks right; without it, -d performs the real upgrade with debug output:

sudo apt-get update
sudo unattended-upgrade --dry-run -d
sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
systemctl status apt-daily.timer apt-daily-upgrade.timer
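The log is easiest to judge by its most recent run. This added example (written for this page, not part of unattended-upgrades) is a small awk-based summarizer that reports the outcome of the last run and which packages it upgraded, suitable for a cron job or monitoring check. The log lines in it are constructed for the demonstration, and the message strings it keys on ("Starting unattended upgrades script", "Packages that will be upgraded:", "All upgrades installed", "No packages found that can be upgraded unattended") are assumed to match the installed version's wording; compare them with your own log before alerting on the output.

```bash
#!/bin/sh
# Added example: summarize the most recent unattended-upgrades run from its log.
# Assumption: the log uses the format "<timestamp> <LEVEL> <message>" and the
# message strings below match the installed version (verify against your log).
set -eu

# summarize_last_run [LOGFILE...] -> one line:
#   status=<ok|nothing-to-do|error|unknown|no-runs-logged> upgraded=<pkgs|->
# Reads stdin when no file is given. Each "Starting ..." line resets the state,
# so only the last run is reported.
summarize_last_run() {
    awk '
        /Starting unattended upgrades script/ { pkgs = ""; status = "unknown"; errors = 0; seen = 1 }
        /Packages that will be upgraded:/     { sub(/.*Packages that will be upgraded: */, ""); pkgs = $0 }
        / ERROR /                              { errors++ }
        /All upgrades installed/               { status = "ok" }
        /No packages found that can be upgraded unattended/ { status = "nothing-to-do" }
        END {
            if (!seen) status = "no-runs-logged"
            else if (errors > 0) status = "error"
            printf "status=%s upgraded=%s\n", status, (pkgs == "" ? "-" : pkgs)
        }
    ' "$@"
}

# Constructed sample log: one run with nothing to do, then a successful run.
SAMPLE_LOG='2024-03-10 06:21:02,117 INFO Starting unattended upgrades script
2024-03-10 06:21:02,118 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-03-10 06:21:04,509 INFO No packages found that can be upgraded unattended and no pending auto-removals
2024-03-11 06:19:41,330 INFO Starting unattended upgrades script
2024-03-11 06:19:41,331 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security
2024-03-11 06:19:45,902 INFO Packages that will be upgraded: libssl3 openssl
2024-03-11 06:19:45,903 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2024-03-11 06:20:12,477 INFO All upgrades installed'

# Constructed sample log of a run that failed part-way through.
FAILED_LOG='2024-03-12 06:18:07,002 INFO Starting unattended upgrades script
2024-03-12 06:18:10,451 INFO Packages that will be upgraded: libssl3
2024-03-12 06:18:30,117 ERROR Installing the upgrades failed!'

printf '%s\n' "$SAMPLE_LOG" | summarize_last_run
printf '%s\n' "$FAILED_LOG" | summarize_last_run
```

On a live host, point it at the real file: summarize_last_run /var/log/unattended-upgrades/unattended-upgrades.log. A status of unknown means the last run started but never logged a final result, which is worth investigating as much as an explicit error.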

Ubuntu's automatic update system relies on two main components:

unattended-upgrades, the script that selects and installs packages according to /etc/apt/apt.conf.d/50unattended-upgrades
the APT::Periodic settings in /etc/apt/apt.conf.d/20auto-upgrades, which the apt-daily systemd timers (or the cron.daily fallback) consult to decide whether to run it

First, verify if the unattended-upgrades package is installed:

dpkg -l unattended-upgrades
apt-cache policy unattended-upgrades

If missing, install it with:

sudo apt-get install unattended-upgrades

Edit the main configuration file:

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Here's a more complete configuration example for modern Ubuntu versions. It matches the shipped default: the release pocket, the security pocket and the Ubuntu Pro ESM pockets. ${distro_codename}-updates is deliberately absent; add "${distro_id}:${distro_codename}-updates" only if you also want non-security bug-fix updates installed unattended:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}";
    "${distro_id}:${distro_codename}-security";
    "${distro_id}ESMApps:${distro_codename}-apps-security";
    "${distro_id}ESM:${distro_codename}-infra-security";
};

Create or edit the periodic configuration:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Add these essential lines:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

The cron.daily script still exists, but on a systemd host it exits immediately and the apt-daily timers do the work, so its presence only matters on systems without systemd:

ls -la /etc/cron.daily/apt-compat

Manually trigger a dry run to test:

sudo unattended-upgrade --dry-run --debug

For production servers, consider these additional settings. AutoFixInterruptedDpkg runs dpkg --configure -a before upgrading so one interrupted run does not block every later one; MinimalSteps splits the upgrade into small steps that can each complete before a shutdown; Automatic-Reboot-Time only takes effect when Automatic-Reboot is "true", so with reboots disabled you must watch /var/run/reboot-required and schedule kernel reboots yourself:

Unattended-Upgrade::AutoFixInterruptedDpkg "true";
Unattended-Upgrade::MinimalSteps "true";
Unattended-Upgrade::InstallOnShutdown "false";
Unattended-Upgrade::Remove-Unused-Dependencies "false";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Check the log files regularly. The main log records what each run decided and why; the companion unattended-upgrades-dpkg.log in the same directory holds dpkg's own output and is where package-level failures show up:

tail -f /var/log/unattended-upgrades/unattended-upgrades.log

For email notifications, ensure the host has a working mail setup (sendmail or a package providing mailx, delivering locally or to a relay) and configure the recipient; MailReport accepts "always", "only-on-error" or "on-change":

Unattended-Upgrade::Mail "admin@example.com";
Unattended-Upgrade::MailReport "on-change";

If updates aren't applying, check these:

# Confirm the timers exist and have a next run scheduled (the unattended-upgrades
# service itself is only a shutdown hook, so its status is not a useful signal)
systemctl list-timers --all 'apt-daily*'

# Simulate a run as root and read why packages are skipped; without --dry-run
# this would install the upgrades for real
sudo unattended-upgrade --dry-run --debug