Unattended security updates — turning on auto-patching per distro

Manually running apt upgrade every week is a discipline most operators lose within three months of provisioning. Unattended security updates are the cheap defense: auto-install upgrades from the security channel only, leave everything else alone so behavior changes don't surprise you, and reboot only when necessary. This article covers the per-distro setup for the LYLIX supported distros.

What "security only" means

You want to auto-apply patches from the distro's security repository — backported fixes for known CVEs — while leaving the regular updates channel alone. The distinction matters: regular updates can change application behavior (a new version of nginx with different default ciphers, a new PHP point release that deprecates a function), and you want to choose when to deal with those. Security patches are intended to be drop-in fixes that don't change behavior.

Debian / Ubuntu — unattended-upgrades

apt install unattended-upgrades apt-listchanges
dpkg-reconfigure -plow unattended-upgrades

The reconfigure prompt creates /etc/apt/apt.conf.d/20auto-upgrades with the basic enable. The substantive config is in /etc/apt/apt.conf.d/50unattended-upgrades; key knobs to verify:

Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
    // "${distro_id}:${distro_codename}-updates";  // leave commented for security-only
};

Unattended-Upgrade::Automatic-Reboot "false";        // don't auto-reboot mid-day
Unattended-Upgrade::Automatic-Reboot-Time "03:30";   // if you DO enable auto-reboot
Unattended-Upgrade::Mail "root";                     // emails on action
Unattended-Upgrade::MailReport "on-change";          // only when something happened

Test without actually installing anything:

unattended-upgrade --debug --dry-run

The systemd timer (apt-daily-upgrade.timer) is enabled by default and runs once a day. No additional scheduling needed.

AlmaLinux — dnf-automatic

dnf install dnf-automatic

Edit /etc/dnf/automatic.conf:

[commands]
upgrade_type = security        # security-only, not all updates
download_updates = yes
apply_updates = yes            # actually install (default is download-only)

[emitters]
emit_via = stdio,email
system_name = my-vps

[email]
email_from = root@my-vps
email_to = you@example.com
email_host = localhost

Enable the timer:

systemctl enable --now dnf-automatic.timer

Default schedule is daily; check systemctl list-timers dnf-automatic*.

Ubuntu Server — same as Debian, plus livepatch (optional)

Ubuntu offers Canonical's Livepatch service, which patches the running kernel without rebooting. Free for personal use up to 5 machines, paid above. Enable with pro attach <token> after registering at ubuntu.com/pro. Livepatch covers kernel CVEs; you still need unattended-upgrades for userspace packages.

What auto-updates won't cover

• Application-level vulnerabilities. Distro security updates patch distro-packaged software. If you run Nextcloud or WordPress or a custom Python app installed outside the package manager, those need their own update workflow.
• Major version upgrades. Debian 11 → 12, AlmaLinux 9 → 10 — those are intentional decisions, not security patches. Use the OS-reload feature in the LYLIX portal or do an in-place upgrade per the distro's docs.
• Things broken by an update. Even security-only patches occasionally regress. Logging the updates is essential; without it, "why did this start failing on Tuesday morning" is unanswerable. Both unattended-upgrades and dnf-automatic log to /var/log/unattended-upgrades/ and /var/log/dnf*.log.

Reboot policy

Auto-reboot after a kernel update is the most contentious knob. Pragmatic positions:

• Production with downtime impact: auto-reboot OFF. Set up a monitoring check that fires when /var/run/reboot-required exists on Debian (or needs-restarting -r returns non-zero on Alma); reboot manually during a planned window.
• Hobby / dev / things that can take a 60-second outage: auto-reboot ON at 03:30 local. Set Automatic-Reboot-WithUsers "false" so it skips if anyone's logged in via SSH.
• PBX / VoIP: auto-reboot OFF (active calls), use the FreePBX® or system-level scheduled-maintenance window.

Verify it's actually running

A month after enabling, check that updates have actually been applied:

# Debian / Ubuntu
zcat /var/log/unattended-upgrades/unattended-upgrades-dpkg.log.* | grep -E "^Start-Date|installed|removed" | tail -50

# AlmaLinux
journalctl -u dnf-automatic.service --since "30 days ago" | tail -100

If you see "nothing to install" every day for a month, either there genuinely were no security patches (rare) or the config isn't actually targeting the security repo (more likely — double-check the origin filter).