Raspberry Pi: Configure automatic security updates

You can stay up to date with the latest Raspbian security updates by installing the Unattended Upgrades package and setting it to run periodically.


Install the unattended-upgrades package


MuhUser@MuhPi:~$ sudo apt-get install unattended-upgrades
Reading package lists... Done
Building dependency tree
Reading state information... Done
Suggested packages:
  bsd-mailx mail-transport-agent
The following NEW packages will be installed:
  unattended-upgrades
0 upgraded, 1 newly installed, 0 to remove and 1 not upgraded.
Need to get 45.7 kB of archives.
After this operation, 322 kB of additional disk space will be used.
Get:1 http://mirrordirector.raspbian.org/raspbian/ jessie/main unattended-upgrades all 0.81+rpi1 [45.7 kB]
Fetched 45.7 kB in 0s (64.8 kB/s)
Preconfiguring packages ...
Selecting previously unselected package unattended-upgrades.
(Reading database ... 112557 files and directories currently installed.)
Preparing to unpack .../unattended-upgrades_0.81+rpi1_all.deb ...
Unpacking unattended-upgrades (0.81+rpi1) ...
Processing triggers for man-db (2.7.0.2-5) ...
Processing triggers for systemd (215-17+deb8u6) ...
Setting up unattended-upgrades (0.81+rpi1) ...
update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Processing triggers for systemd (215-17+deb8u6) ...

Configure unattended updates

The installation should have created a file named /etc/apt/apt.conf.d/50unattended-upgrades. If it was not created, run:


MuhUser@MuhPi:~$ sudo dpkg-reconfigure -plow unattended-upgrades

Now edit the file:


MuhUser@MuhPi:~$ sudo vi /etc/apt/apt.conf.d/50unattended-upgrades



Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        //      "o=Raspbian,n=jessie";
        "o=Raspbian,n=jessie,l=Raspbian-Security";  // <-- Add this line
};

Enter :wq! to save your changes and exit.
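
A pattern that is still commented out, or whose fields match no configured archive, leaves unattended-upgrades with nothing to install. The added sketch below (not part of the original tutorial) lists the active Origins-Pattern entries and counts how many release lines of `apt-cache policy` output satisfy each one. The function names and the sample release line are constructed here, so feed it the real output from your own Pi.

```sh
#!/bin/sh
# Added example: which Origins-Pattern entries are active, and do they match
# any archive that apt knows about? Function names are hypothetical.

# Print every uncommented pattern in the Origins-Pattern block of config file $1.
active_origins() {
    awk '
        /^[ \t]*Unattended-Upgrade::Origins-Pattern[ \t]*[{]/ { inblk = 1; next }
        inblk && /^[ \t]*[}]/ { inblk = 0 }
        inblk && !/^[ \t]*\/\// && match($0, /"[^"]*"/) {
            print substr($0, RSTART + 1, RLENGTH - 2)
        }
    ' "$1"
}

# Count the "release" lines in saved `apt-cache policy` output ($2) that carry
# every key=value field of pattern $1. Exact comparison only: globs and long
# key names such as origin= are not handled.
count_matches() {
    awk -v pat="$1" '
        BEGIN { n = split(pat, want, ",") }
        $1 == "release" {
            sub(/^[ \t]*release[ \t]+/, ""); sub(/[ \t]+$/, "")
            line = "," $0 ","
            ok = 1
            for (i = 1; i <= n; i++) if (index(line, "," want[i] ",") == 0) ok = 0
            hits += ok
        }
        END { print hits + 0 }
    ' "$2"
}

conf=$(mktemp); policy=$(mktemp); trap 'rm -f "$conf" "$policy"' EXIT
# The block edited above, shortened.
cat > "$conf" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
        //      "o=Raspbian,n=jessie";
        "o=Raspbian,n=jessie,l=Raspbian-Security";
};
EOF
# Constructed stand-in for `apt-cache policy` output; capture the real one on your Pi.
cat > "$policy" <<'EOF'
 500 http://mirrordirector.raspbian.org/raspbian/ jessie/main armhf Packages
     release o=Raspbian,a=stable,n=jessie,l=Raspbian,c=main
EOF
active_origins "$conf" | while IFS= read -r p; do
    echo "$p -> $(count_matches "$p" "$policy") matching archive(s)"
done
```

A count of 0 for every active pattern means no archive is selected, and the log will keep reporting that no packages can be upgraded unattended.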

Restart the service:


MuhUser@MuhPi:~$ sudo service unattended-upgrades restart

Verify that the service is running:


MuhUser@MuhPi:~$ sudo service unattended-upgrades status -l

● unattended-upgrades.service - LSB: Check if unattended upgrades are being applied
   Loaded: loaded (/etc/init.d/unattended-upgrades)
   Active: active (exited) since Wed 2017-04-12 20:21:56 PDT; 5min ago
  Process: 1722 ExecStart=/etc/init.d/unattended-upgrades start (code=exited, status=0/SUCCESS)

Apr 12 20:21:56 MuhPi systemd[1]: Started LSB: Check if unattended upgrades a...d.
Hint: Some lines were ellipsized, use -l to show in full.

Set unattended upgrades to start automatically on boot

sysv-rc-conf is a utility with a simple character-based interface that simplifies configuring which services start at boot on Raspbian.


MuhUser@MuhPi:/etc/apt/apt.conf.d$ sudo apt-get install sysv-rc-conf
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  libcurses-perl libcurses-ui-perl libterm-readkey-perl
The following NEW packages will be installed:
  libcurses-perl libcurses-ui-perl libterm-readkey-perl sysv-rc-conf
0 upgraded, 4 newly installed, 0 to remove and 1 not upgraded.
Need to get 375 kB of archives.
After this operation, 1,329 kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Get:1 http://mirrordirector.raspbian.org/raspbian/ jessie/main libcurses-perl armhf 1.32-1 [83.2 kB]
Get:2 http://mirrordirector.raspbian.org/raspbian/ jessie/main libterm-readkey-perl armhf 2.32-1+b2 [26.1 kB]
Get:3 http://mirrordirector.raspbian.org/raspbian/ jessie/main libcurses-ui-perl all 0.9609-1 [241 kB]
Get:4 http://mirrordirector.raspbian.org/raspbian/ jessie/main sysv-rc-conf all 0.99-7 [24.2 kB]
Fetched 375 kB in 5s (64.8 kB/s)
Selecting previously unselected package libcurses-perl.
(Reading database ... 112605 files and directories currently installed.)
Preparing to unpack .../libcurses-perl_1.32-1_armhf.deb ...
Unpacking libcurses-perl (1.32-1) ...
Selecting previously unselected package libterm-readkey-perl.
Preparing to unpack .../libterm-readkey-perl_2.32-1+b2_armhf.deb ...
Unpacking libterm-readkey-perl (2.32-1+b2) ...
Selecting previously unselected package libcurses-ui-perl.
Preparing to unpack .../libcurses-ui-perl_0.9609-1_all.deb ...
Unpacking libcurses-ui-perl (0.9609-1) ...
Selecting previously unselected package sysv-rc-conf.
Preparing to unpack .../sysv-rc-conf_0.99-7_all.deb ...
Unpacking sysv-rc-conf (0.99-7) ...
Processing triggers for man-db (2.7.0.2-5) ...
Setting up libcurses-perl (1.32-1) ...
Setting up libterm-readkey-perl (2.32-1+b2) ...
Setting up libcurses-ui-perl (0.9609-1) ...
Setting up sysv-rc-conf (0.99-7) ...

Configure services by running the user interface:


MuhUser@MuhPi:/etc/apt/apt.conf.d$ sudo sysv-rc-conf

Scroll down to unattende$, tab to column 2 and press the space bar to add an 'X'. Tab to columns 3, 4, and 5 and press the space bar to put an 'X' in each.

Enter 'q' to exit.

Now reboot and check that the service started automatically:


MuhUser@MuhPi:~$ sudo reboot

MuhUser@MuhPi:~$ sudo service unattended-upgrades status

● unattended-upgrades.service - LSB: Check if unattended upgrades are being applied
   Loaded: loaded (/etc/init.d/unattended-upgrades)
   Active: active (exited) since Fri 2017-04-14 13:49:50 PDT; 4min 19s ago
  Process: 410 ExecStart=/etc/init.d/unattended-upgrades start (code=exited, status=0/SUCCESS)

Apr 14 13:49:49 MuhPi systemd[1]: Starting LSB: Check if unattended upgrades are......
Apr 14 13:49:50 MuhPi systemd[1]: Started LSB: Check if unattended upgrades are ...ed.
Hint: Some lines were ellipsized, use -l to show in full.

Approximately 24 hours after the unattended-upgrades service has started, it will check for and apply security updates. Check the output log after about 24 hours to verify that it has run:


MuhUser@MuhPi:~$ sudo cat /var/log/unattended-upgrades/unattended-upgrades.log
2017-04-19 06:41:09,726 INFO Initial blacklisted packages:
2017-04-19 06:41:09,728 INFO Starting unattended upgrades script
2017-04-19 06:41:09,728 INFO Allowed origins are: ['o=Raspbian,n=jessie,l=Raspbian-Security']
2017-04-19 06:41:18,077 INFO No packages found that can be upgraded unattended
2017-04-20 06:54:42,165 INFO Initial blacklisted packages:
2017-04-20 06:54:42,167 INFO Starting unattended upgrades script
2017-04-20 06:54:42,167 INFO Allowed origins are: ['o=Raspbian,n=jessie,l=Raspbian-Security']
2017-04-20 06:54:50,499 INFO No packages found that can be upgraded unattended
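
Reading the log by hand only works while someone remembers to do it. The added sketch below (not part of the original tutorial) reduces the log to one status line: whether a run started recently, whether the allowed origins still contain the pattern configured on this page, and whether any WARNING or ERROR lines appear. The function name, the two-day threshold and the status words are assumptions made for this example.

```sh
#!/bin/sh
# Added example: decide from the log whether unattended-upgrades is still running.
EXPECTED_ORIGIN='o=Raspbian,n=jessie,l=Raspbian-Security'   # pattern set on this page

# audit_uu_log LOG [TODAY as YYYY-MM-DD] [MAX_AGE_DAYS]   (hypothetical helper)
# Prints "<status> last_run=<date> age_days=<n> runs=<n> problems=<n>".
audit_uu_log() {
    awk -v today="${2:-$(date +%F)}" -v max="${3:-2}" -v want="$EXPECTED_ORIGIN" '
        function dayno(s,   p, y, m) {        # day count for a YYYY-MM-DD date
            split(s, p, "-"); y = p[1] + 0; m = p[2] + 0
            if (m <= 2) { y--; m += 12 }
            return 365*y + int(y/4) - int(y/100) + int(y/400) \
                   + int((153*(m-3) + 2)/5) + p[3]
        }
        $1 ~ /^[0-9]+-[0-9]+-[0-9]+$/ && $3 ~ /^[A-Z]+$/ && $3 != "INFO" { problems++ }
        / INFO Starting unattended upgrades script/ { runs++; last = $1 }
        / INFO Allowed origins are:/ { seen = index($0, "\047" want "\047") > 0 }
        END {
            if (!runs) { print "never-ran"; exit 1 }
            age = dayno(today) - dayno(last)
            status = "ok"
            if (problems)  status = "problems"         # WARNING or ERROR lines present
            if (!seen)     status = "origin-mismatch"  # last run used other origins
            if (age > max) status = "stale"            # no run within MAX_AGE_DAYS
            printf "%s last_run=%s age_days=%d runs=%d problems=%d\n",
                   status, last, age, runs, problems
            exit (status != "ok")
        }
    ' "$1"
}

# Sample input: the last run from the log shown above, checked on two constructed dates.
log=$(mktemp); trap 'rm -f "$log"' EXIT
cat > "$log" <<'EOF'
2017-04-20 06:54:42,165 INFO Initial blacklisted packages:
2017-04-20 06:54:42,167 INFO Starting unattended upgrades script
2017-04-20 06:54:42,167 INFO Allowed origins are: ['o=Raspbian,n=jessie,l=Raspbian-Security']
2017-04-20 06:54:50,499 INFO No packages found that can be upgraded unattended
EOF
audit_uu_log "$log" 2017-04-21 || true   # one day after the run
audit_uu_log "$log" 2017-05-01 || true   # eleven days after the run
```

The non-zero exit status on anything other than ok lets a cron job or monitoring check alert when the updates quietly stop.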

If you want to monitor the changes more closely, you can install the apt-listchanges package, which can monitor the upgrades and send you an email when they are applied.