Logging into machines and installing security updates periodically isn’t fun, but for internet-exposed devices it’s important. Any device on your home network can become a stepping stone for attackers if it can be easily breached.

The first thing to do before setting up automatic updates is to ensure your Raspberry Pi can send email. You’ll want to know when updates are being installed (or if they fail). My previous blog post covers how to do this with Postfix.

As always, start off by making sure your apt list and existing packages are up-to-date:

# Update the package list, update all packages and remove any packages that are no longer required
sudo apt-get update -y && sudo apt-get dist-upgrade -y && sudo apt-get autoremove -y

Next we need to install the unattended-upgrades package and, to ensure it sends emails, the apt-listchanges package. apt-listchanges also requires a mailx program, so if you don’t already have one you can grab bsd-mailx:

sudo apt-get install unattended-upgrades apt-listchanges bsd-mailx -y

Next we should configure where the updates are allowed to come from. If you choose to stick with Stable, then when the next version of Raspbian (Stretch) goes stable, it’ll automatically update. I’ve decided to stick with Jessie for now. This config lives in /etc/apt/apt.conf.d/50unattended-upgrades and you can use this command to uncomment the line for Jessie.

sudo sed -i 's/^\/\/      "o=Raspbian,n=jessie"/      "o=Raspbian,n=jessie"/g' /etc/apt/apt.conf.d/50unattended-upgrades

Next we want to instruct the updater to send emails. Again, this is already in the config file so it’s just a case of uncommenting it (you may wish to tweak the user, but I’ve already set root mail to be forwarded on to my user).

sudo sed -i 's/^\/\/Unattended-Upgrade::Mail "root";/Unattended-Upgrade::Mail "root";/g' /etc/apt/apt.conf.d/50unattended-upgrades

By default your Pi won’t be rebooted if required, so if you want it to (and want to set the time) you can do that like this:

sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot "false";/Unattended-Upgrade::Automatic-Reboot "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades
sudo sed -i 's/^\/\/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/Unattended-Upgrade::Automatic-Reboot-Time "02:00";/g' /etc/apt/apt.conf.d/50unattended-upgrades

And if you want unused packages to be removed (like when you run apt-get autoremove):

sudo sed -i 's/^\/\/Unattended-Upgrade::Remove-Unused-Dependencies "false";/Unattended-Upgrade::Remove-Unused-Dependencies "true";/g' /etc/apt/apt.conf.d/50unattended-upgrades

Next we must create the /etc/apt/apt.conf.d/20auto-upgrades file to instruct the updater what to do:

# You could also create this file by running "dpkg-reconfigure -plow unattended-upgrades"
sudo tee /etc/apt/apt.conf.d/20auto-upgrades > /dev/null <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF

And that’s all there is to it! Every day your Pi will now check for updates and you’ll receive an email like this if there were:

[Image: Updates email from Raspberry Pi]

If you want to check it’s working, you can check the log file tomorrow:

cat /var/log/unattended-upgrades/unattended-upgrades.log
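The sed commands above exit successfully even when their pattern matches nothing (for example if the spacing in your copy of the config differs), leaving a setting commented out without any error. The following script is an added example, not part of the original post, that confirms each setting from this page is active; the function names and the script name check.sh are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. sed exits 0 even when its pattern
# matches nothing, so confirm each setting is really active (uncommented).

# Print the value of the last uncommented `KEY "value";` line in FILE.
active_value() {  # FILE KEY
    sed -n "s|^[[:space:]]*$2[[:space:]]\{1,\}\"\([^\"]*\)\";.*|\1|p" "$1" | tail -n 1
}

# Succeed if FILE has an uncommented allowed-origin line for ORIGIN.
origin_enabled() {  # FILE ORIGIN
    grep -q "^[[:space:]]*\"$2\"" "$1"
}

# Compare one setting with the value this page sets; record a failure in rc.
expect() {  # FILE KEY WANTED
    got=$(active_value "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "ok    $2 \"$3\""
    else
        echo "FAIL  $2: wanted \"$3\", active value is \"$got\""
        rc=1
    fi
}

# Check every setting from the post; delete the lines for options you skipped.
check_unattended_config() {  # UU_FILE PERIODIC_FILE
    rc=0
    if origin_enabled "$1" "o=Raspbian,n=jessie"; then
        echo "ok    origin o=Raspbian,n=jessie"
    else
        echo "FAIL  origin o=Raspbian,n=jessie is missing or still commented"
        rc=1
    fi
    expect "$1" "Unattended-Upgrade::Mail" "root"
    expect "$1" "Unattended-Upgrade::Automatic-Reboot" "true"
    expect "$1" "Unattended-Upgrade::Automatic-Reboot-Time" "02:00"
    expect "$1" "Unattended-Upgrade::Remove-Unused-Dependencies" "true"
    expect "$2" "APT::Periodic::Update-Package-Lists" "1"
    expect "$2" "APT::Periodic::Unattended-Upgrade" "1"
    return "$rc"
}

# Usage: sh check.sh /etc/apt/apt.conf.d/50unattended-upgrades /etc/apt/apt.conf.d/20auto-upgrades
if [ "$#" -eq 2 ]; then check_unattended_config "$1" "$2"; fi
```

To exercise the updater itself without waiting a day, `sudo unattended-upgrade --dry-run --debug` prints which origins and packages it would consider without installing anything.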

Hope this is helpful. If you have any problems, leave a comment. Bear in mind I’m a Linux noob and what’s written above might not be the best way to achieve this and I take no responsibility if anything breaks :)