I have been using unattended upgrades on development machines since the end of last November, when I installed Debian Jessie release.

Installation

You are required to install the following package.

$ sudo apt-get install unattended-upgrades

Configuration

Location of the configuration file

Configuration is stored inside /etc/apt/apt.conf.d/50unattended-upgrades file.

Supported package sources

Use Origins-Pattern directive to define examined package sources.

Only packages from matched repositories will be upgraded.

Use following code to upgrade packages only from the current distribution including additional updates.

Unattended-Upgrade::Origins-Pattern {
      "o=Debian,n=${distro_codename}";
      "o=Debian,n=${distro_codename}-updates";
}
${distro_codename} macro will be expanded to distribution name – it will be jessie in this case.

As an alternative to the previous example, use following code to install every upgrade available through the used sources lists.

Unattended-Upgrade::Origins-Pattern {
      "o=*";
}

The following example will help you understand keywords used in the above-mentioned configuration samples.

$ apt-cache policy
[..]
 100 http://ftp.pl.debian.org/debian/ jessie-backports/main amd64 Packages
     release o=Debian Backports,a=jessie-backports,n=jessie-backports,l=Debian Backports,c=main
     origin ftp.pl.debian.org
[..]

<td>
  Definition
</td>

<td>
  Example
</td>

<td>
  origin
</td>

<td>
  Debian Backports
</td>

<td>
  archive
</td>

<td>
  jessie-backports
</td>

<td>
  codename
</td>

<td>
  jessie-backports
</td>

<td>
  label
</td>

<td>
  Debian Backports
</td>

<td>
  component
</td>

<td>
  main
</td>

<td>
  FQDN
</td>

<td>
  ftp.pl.debian.org
</td>
Keyword
o
a
n
l
c
site

Blacklist

Use blacklist directive to define list of not upgraded packages.

Unattended-Upgrade::Package-Blacklist {
      "atom";
      "angband*";
};

Remove orphaned dependencies

Use the following directive to automatically remove packages that were installed to satisfy dependencies, but currently are not needed.

This directive is equivalent to apt-get autoremove command.
Unattended-Upgrade::Remove-Unused-Dependencies "true";

Bandwidth cap

The following code will impose bandwidth cap [KB/s] on apt utilities.

Acquire::http::Dl-Limit "400";

E-mail notifications

Use following code to define email address and set notification for every action.

Unattended-Upgrade::Mail "root";
Unattended-Upgrade::MailOnlyOnError "false";

Other options

More options are available for user like whitelist or automatic reboot. These are well documented inside configuration file, so I will just skip them for the sake of simplicity.

Execution

Update and upgrade process is initiated daily from /etc/cron.daily/apt cron task.

Installation process will not automatically enable unattended upgrades.

The interactive way to enable or disable unattended upgrades is to reconfigure package.

$ sudo dpkg-reconfigure unattended-upgrades

The non interactive way to enable whole process requires simple copy command.

$ sudo cp /usr/share/unattended-upgrades/20auto-upgrades /etc/apt/apt.conf.d/20auto-upgrades

The non interactive way to disable whole process is very similar to the above one.

$ sudo cp /usr/share/unattended-upgrades/20auto-upgrades-disabled /etc/apt/apt.conf.d/20auto-upgrades

The /usr/share/unattended-upgrades/20auto-upgrades file contains only two directives that enable automatic update and upgrade process. The second one contains opposite settings.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

Ending notes

Please read unattended-upgrade manual page and /usr/share/doc/unattended-upgrades//README.md.gz documentation.

This software is often used together with apt-listchanges and apticron apt notification utilities.
I will not describe these useful packages now, but remember that you can always transmit a mail to an external SMTP server using msmtp utility.