Many people think about installing Ubuntu but forget about regular updates. Yet these updates are essential to correct bugs, improve performance and, above all, avoid security flaws. In this tutorial, you’ll learn how to configure Ubuntu to take care of its own updates, without any intervention on your part.
Ubuntu: everything you need to know about system updates
Before automating updates on Ubuntu, it’s essential to understand the different categories available. Ubuntu organizes its updates into distinct channels, each with a specific purpose. This distinction gives you greater control over what should and shouldn’t be updated automatically.
- Security updates (-security): rapidly apply vulnerability patches. Essential and enabled by default.
- Standard updates (-updates): fix bugs and improve stability without changing major features. Recommended.
- Backported updates (-backports): offer more recent versions of certain software, adapted to your version of Ubuntu. Optional.
- Updates under test (-proposed): packages still undergoing validation that may contain bugs. Reserved for testers; avoid in production.
- Snap, Flatpak and PPA: manage their updates outside APT. Snap/Flatpak packages update automatically; PPA requires manual tracking.
Find out how to upgrade Ubuntu Desktop or Server.
Install unattended-upgrades to enable automatic updates
Ubuntu natively integrates a system capable of automatically managing updates, especially security updates. This tool is called unattended-upgrades. It is often pre-installed on recent versions of Ubuntu, but it’s best to check for its presence manually.
Install the unattended-upgrades package
Open a terminal and run the following command:
sudo apt update && sudo apt install unattended-upgrades
This command first checks that the list of packages is up to date, then installs unattended-upgrades if it is not already present on your system. If the package is already installed, no further action is required at this stage.
Enable automatic update
Once the package is in place, you can activate automatic updating with the configuration utility supplied:
sudo dpkg-reconfigure --priority=low unattended-upgrades
A screen appears in the terminal asking if you wish to activate automatic security updates. Select “Yes” and confirm.
⚠️ Note : if you see an error saying ValueError: could not convert string to float: ‘6.06 LTS’, this is a known bug related to the lsb_release tool on some Ubuntu versions. In this case, please refer to the “Troubleshooting” section below to apply a manual correction.
Basic configuration of automatic updates in Ubuntu
Setting up automatic updates in Ubuntu relies mainly on two files:
- /etc/apt/apt.conf.d/20auto-upgrades: defines APT’s periodic behavior
- /etc/apt/apt.conf.d/50unattended-upgrades: specifies authorized update sources, exclusions and advanced options.
The aim is to automate updates without compromising control, while guaranteeing system security, stability and cleanliness.
Trigger updates automatically
Start by configuring the following file:
nano /etc/apt/apt.conf.d/20auto-upgradesThis file determines the operations performed by the apt service on a daily basis.
Minimum system requirements :
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
- Update-Package-Lists: updates package indexes every day.
- Download-Upgradeable-Packages: automatically downloads available updates.
- Unattended-Upgrade: automatically installs authorized updates.
- AutocleanInterval: removes obsolete packages once a week.
💡 Please note: APT::Periodic::* directives accept integer values expressed in number of days.
- 0: completely deactivates the action.
- 1: performs the action every day.
- 7: performs the action once a week.
- 30: once a month.
This allows you to fine-tune the frequency of each task (updating, cleaning, downloading, etc.) according to your needs (personal workstation, critical server, etc.).
Define authorized repositories for updates
Next, edit the :
nano /etc/apt/apt.conf.d/50unattended-upgrades
Locate the Allowed-Origins block, which specifies the sources considered safe for automatic updates:
Unattended-Upgrade::Allowed-Origins {
"${distro_id}:${distro_codename}-security";
// "${distro_id}:${distro_codename}-updates";
// "${distro_id}:${distro_codename}-backports";
};- -security: enables critical security updates (essential).
- -updates: activates general updates (bugfix, stability improvements).
- -backports: optional, to integrate more recent versions of certain packages.
By default, only the -security repository is enabled. For a more complete and less restrictive use, we recommend uncommenting the -updates line.
Exclude certain packages (optional) from automatic updates
In the same file, you can block automatic updates of certain sensitive packages:
Unattended-Upgrade::Package-Blacklist {
"docker-ce";
"nvidia-driver-*";
};This avoids, for example, automatic updates of proprietary drivers, containers or critical tools requiring manual validation.
List installed packages matching a keyword
To identify exactly which installed packages to exclude (e.g. all NVIDIA drivers), use the following command in a terminal:
dpkg -l | grep nvidia
This command displays all installed packages whose name contains the keyword “nvidia”, along with their version and status, possible output example :
ii nvidia-driver-525 525.125.06-0ubuntu0 amd64 NVIDIA driver metapackage
ii libnvidia-gl-525 525.125.06-0ubuntu0 amd64 NVIDIA OpenGL/GLX libraries
ii nvidia-kernel-common 525.125.06-0ubuntu0 amd64 NVIDIA kernel module support files
To exclude all these packages from automatic updates, we recommend using a generic mask in the Unattended-Upgrade::Package-Blacklist block, as follows:
Unattended-Upgrade::Package-Blacklist {
"nvidia-*";
};This expression covers all packages whose name starts with “nvidia-“, without the need to list them individually.
Add more features
Also in 50unattended-upgrades, you can fine-tune system behavior:
Automatic restart at a specific time
Some updates (kernel, glibc, etc.) require a reboot to take effect. You can authorize this automatic reboot by setting it to a specific time:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
E-mail notification: receive an update report
To receive an update report by e-mail (useful on servers), activate :
Unattended-Upgrade::Mail "votremail@example.com";
Unattended-Upgrade::MailOnlyOnError "true";
⚠️ The mailx package must be installed and correctly configured for sending mail.
Cleaning unused outbuildings
Unattended-Upgrade::Remove-Unused-Dependencies "true";
This option automates the removal of obsolete dependencies, just as an apt autoremove would.
Troubleshooting: ValueError: could not convert string to float: ‘6.06 LTS’ error
If you see this error message when running sudo dpkg-reconfigure –priority=low unattended-upgrades
, this means that the lsb_release.py system script is trying to convert an older, poorly formatted Ubuntu version (e.g. 6.06 LTS) into a number. This bug, known from Ubuntu 22.04, causes the command to fail.
Solution: modify the Python script concerned
- Open the root file in a :
sudo nano /usr/lib/python3/dist-packages/lsb_release.py
(On some configurations, the file may be located in /usr/share/pyshared/lsb_release.py)
- Look for this line :
RELEASES_ORDER.sort(key=lambda n: float(n[0]))
- Replace it with :
RELEASES_ORDER.sort(key=lambda n: float(n[0].split()[0]))
This modification forces the script to take into account only the numerical part before “LTS”, thus avoiding conversion errors.
About the author
