1. Overview

Having security and package updates promptly installed when they become available is crucial to prevent our system from being compromised. Debian and its derivatives use the APT unattended-upgrades package to automatically install package and security updates.

Additionally, Ubuntu has recently included Snap as another package management system alongside APT in their release package, which features an auto-refresh mechanism to update its packages.

In this tutorial, we’ll learn how to check the status of and configure automatic updates for APT, Snap, and Canonical Livepatch. Livepatch is a service that Canonical offers for automatic kernel updates.

All commands that we’ll be using in this guide have been tested on APT 2.6.1 and Snap 2.59.5, running on Debian 12 (Bookworm). However, there is one exception, which is for the Canonical Livepatch section that was tested on Snap 2.59.5 and Livepatch 10.6.0 running on Ubuntu 20.04 LTS (Focal).

2. Advanced Package Tool (APT)

Advanced Package Tool (APT) is the native package management system for Debian and its derivatives. One of APT’s packages is, for example, the unattended-upgrades package for keeping our system current with the latest security and other updates automatically.

2.1. Unattended Upgrades

As of Debian 9 (Stretch), or Ubuntu 16, the unattended-upgrades package is installed by default. However, if we don’t have it in our system, we can install it manually:

$ sudo apt install unattended-upgrades

The default configuration file for the package is at /etc/apt/apt.conf.d/50unattended-upgrades. The default configuration settings work fine, but we can read it and make changes as needed. We’ll explore it further in the next section.

2.2. Checking Unattended Upgrades Status

There are two things we need to check to ensure the status of unattended-upgrades.

Firstly, the unattended-upgrades process is triggered by systemd timers, so we need to check if those timers are active.

Secondly, we need to ensure we’ve configured the settings properly.

Let’s check the systemd timers. There are two timers related to unattended-upgrades:

  • apt-daily.timer – to update the package lists (apt-get update)
  • apt-daily-upgrade.timer – to install the upgrades (unattended-upgrades)

Here we can check both timers and its services status:

$ sudo systemctl status apt-daily.timer
$ sudo systemctl status apt-daily.service
$ sudo systemctl status apt-daily-upgrade.timer
$ sudo systemctl status apt-daily-upgrade.service

If they’re all active, they’ll read the config settings when they start. Let’s check the settings:

$ apt-config dump APT::Periodic::Update-Package-Lists
APT::Periodic::Update-Package-Lists "1";
$ apt-config dump APT::Periodic::Unattended-Upgrade
APT::Periodic::Unattended-Upgrade "1";

The value for both Update-Package-Lists and Unattended-Upgrade is “1“, which means both processes will run every day.

The value means the minimal interval between runs and is expressed in days by default. However, we can also define the value in seconds, minutes, and hours by adding suffixes s, m, or h.

If the program (APT daily script – /usr/lib/apt/apt.systemd.daily) determines that less time has passed since the last time the requested action was performed, it won’t perform the action, even if the system scheduler called it.

Another value is “always”, which means the program will perform the action when requested, regardless of how much time has passed since the last run.

2.3. Enabling Unattended Upgrades

The unattended-upgrades are enabled by default. In addition, the process depends on systemd timers and its configuration settings.

Let’s first check the status of the timers and services:

$ sudo systemctl status apt-daily.timer
$ sudo systemctl status apt-daily.service
$ sudo systemctl status apt-daily-upgrade.timer
$ sudo systemctl status apt-daily-upgrade.service

If the status of any of them is inactive, we can restart it:

$ sudo systemctl restart apt-daily.timer
$ sudo systemctl restart apt-daily.service
$ sudo systemctl restart apt-daily-upgrade.timer
$ sudo systemctl restart apt-daily-upgrade.service

As a result, running the systemctl status again should tell us that the timers and services are now active.

Another thing to check is the config settings:

$ sudo vi /etc/apt/apt.conf.d/02periodic
// Enable the update/upgrade script (0=disable)
APT::Periodic::Enable "1";

// Do "apt-get update" automatically every n-days (0=disable)
APT::Periodic::Update-Package-Lists "1";

// Do "apt-get upgrade --download-only" every n-days (0=disable)
APT::Periodic::Download-Upgradeable-Packages "1";

// Run the "unattended-upgrade" security upgrade script
// every n-days (0=disabled)
// Requires the package "unattended-upgrades" and will write
// a log in /var/log/unattended-upgrades
APT::Periodic::Unattended-Upgrade "1";

By setting all the necessary settings to “1”, the unattended-upgrades process will run as scheduled.

2.4. Disabling Unattended Upgrades

The unattended-upgrades process depends on the systemd timers. Therefore, to disable the unattended-upgrades, we just need to disable the timers and its services:

$ sudo systemctl disable apt-daily.timer
$ sudo systemctl disable apt-daily.service
$ sudo systemctl disable apt-daily-upgrade.timer
$ sudo systemctl disable apt-daily-upgrade.service

Checking their statuses should tell that they’re all inactive:

$ sudo systemctl status apt-daily.timer
$ sudo systemctl status apt-daily.service
$ sudo systemctl status apt-daily-upgrade.timer
$ sudo systemctl status apt-daily-upgrade.service

Alternatively, instead of stopping the timers and services, we can update config settings at /etc/apt/apt.conf.d/02periodic:

$ sudo vi /etc/apt/apt.conf.d/02periodic
APT::Periodic::Enable "0";
APT::Periodic::Update-Package-Lists "0";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::Unattended-Upgrade "0";

As a result of setting all the necessary settings to zeros, the program will skip the unattended-upgrades process.

3. Snap

Snap is a package management system by Canonical that can run on many Linux distributions, in addition to Debian or Ubuntu-based ones.

3.1. Auto Refresh

Snap checks for updates automatically by default. It runs four times a day, and we call each update check a refresh.

3.2. Checking Snap Auto Refresh Status

Let’s check our system’s snap auto-refresh status:

$ sudo snap get system refresh
Key Value
refresh.retain 3
refresh.schedule 2:00-3:00

The output shows that the refresh will happen between 2 AM and 3 AM and will retain three package revisions.

3.3. Enabling Auto Refresh

Snap auto-refresh is enabled by default. However, if we disabled or held it indefinitely previously, we can re-enable it:

$ snap refresh --unhold
Removed auto-refresh hold on all snaps

The snap auto refresh is now back active.

3.4. Disabling Auto Refresh

Snap provides four options for managing auto-refresh:

  • refresh.timer – modify the time and the frequency for refresh
  • refresh.hold – delay the snap refreshes definite or indefinitely
  • refresh.metered – pause the refresh process when we’re on a metered connection
  • refresh.retain – modify the maximum number of a snap’s revisions to store on our system

To disable snap auto-refresh, we can delay the snap refreshes indefinitely:

$ snap refresh --hold
Auto-refresh of all snaps held indefinitely

Afterward, we can verify it by checking the auto refresh status:

$ sudo snap get system refresh
Key Value
refresh.hold forever
...

As the output shows, the snap auto refresh is now held indefinitely or forever.

4. Canonical Livepatch

Canonical, the company that develops Ubuntu, has a product called Livepatch, which is a managed live kernel patching. It allows us to do kernel updates without a system reboot.

4.1. Livepatch Licensing

Livepatch has two types of pricing: free for personal use for up to five machines and commercial, which is part of the Ubuntu Pro package.

Let’s create a Ubuntu One account on Ubuntu’s website, which will give us one Livepatch token and one machine token for free so that we can enable Livepatch.

4.2. Installing Livepatch Client

Livepatch client is a Snap application, so let’s have it installed:

$ sudo snap install canonical-livepatch
$ canonical-livepatch -v
canonical-livepatch version 10.6.0
$ canonical-livepatch status
Machine is not enabled. Please run 'sudo canonical-livepatch enable' with the
token obtained from https://ubuntu.com/livepatch.

As we can see from the canonical-livepatch status output above, we can’t yet check the status of the Livepatch client until we’ve enabled it.

4.3. Enabling Livepatch

Once we’ve signed up for Ubuntu One, we should get one Livepatch token and one machine token. We can use either of them to enable the Livepatch client.

Let’s use the machine token to enable the Livepatch client:

$ sudo canonical-livepatch enable [MACHINE TOKEN]
Successfully enabled device. Using machine-token: [MACHINE TOKEN]

The Livepatch client is now enabled.

4.4. Checking Livepatch Status

Since the Livepatch client is now active, here we can check the status:

$ canonical-livepatch status
last check: 7 seconds ago
kernel: 5.4,0-26.30-generic
server check-in: succeeded
kernel state: # kernel is supported by Canonical.
patch state: # all applicable livepatch modules inserted
patch version: 94.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: [MACHINE ID]
$ canonical-livepatch status --verbose
... (verbosed version)

As we can see from the output above, the Livepatch client is now active. Additionally, the output also says that Canonical supports our machine’s kernel, and our machine participates in beta testing for new patches.

We may need to consider that before using Livepatch, Livepatch may not support the latest kernel version. Furthermore, Canonical will use the free tier of Livepatch as the beta test for new patches.

4.5. Disabling Livepatch

We disable the Livepatch client by passing the disable option:

$ sudo canonical-livepatch disable
Successfully disabled device. Removed machine-token: [MACHINE TOKEN]

The Livepatch client is now inactive.

5. Conclusion

In this article, we learned about configuring the automatic updates of the APT of Snap package management systems, as well as exploring the Livepatch service from Canonical.

Both APT and Snap maintain our systems to stay up to date with the latest package and security updates, while Livepatch allows us to do kernel updates without a system reboot.

2 Comments
Oldest
Newest
Inline Feedbacks
View all comments
Comments are closed on this article!