
Automatic security updates on a Debian system

Computer security is of paramount importance, even more so when we are running services exposed to the internet, and more still when those services can compromise sensitive data.

The first piece of advice you will always get is “keep your system up to date with the latest security patches”, and my favourite way of keeping my Debian systems safe is through the unattended-upgrades package.

Automatic security updates are handy when we are managing a considerable number of servers, but we need to be careful: things can break for users or our coworkers, so choosing the right configuration and having a predefined procedure can save us some headaches.

This is included in the latest release of NextCloudPi.


Generic Installer

You can easily install and configure it on your running server through the generic installer:

git clone
./ <server_IP>

Raspbian offline

Alternatively, you can install it offline into a Raspbian SD card using QEMU.

Extract the SD card and copy the image to your computer (adjust sdx).

 sudo dd if=/dev/sdx of=my_rpi.img bs=4M


./ my_rpi.img

Once done, you can copy it back (adjust sdx).

sudo dd if=my_rpi.img of=/dev/sdx bs=4M

If you want to do it step by step, install with

sudo apt-get install unattended-upgrades

Easy configuration

If you are using the generic installer, or you run nextcloudpi-config in NextCloudPi, it comes down to just two simple settings:

  • ACTIVE: type yes to enable automatic updates
  • AUTOREBOOT: type yes to allow automatic reboots when needed.

In this setup, automatic reboots will only be run when needed, and will be run at 4:00 am.

Also, some settings will be configured for you: .deb packages will be cached for 2 weeks, and a periodic apt-get autoclean will be run every week to prevent the autoupdate setup from taking up too much storage.

See the code below for details. If you have different needs, continue reading.

Detailed Configuration

If you want to go into more detail, run

sudo dpkg-reconfigure --priority=low unattended-upgrades

This will create /etc/apt/apt.conf.d/20auto-upgrades with the following simple configuration

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

This will update package lists and perform security updates daily (see the parameter “1”).

You can check all the options in /etc/apt/apt.conf.d/50unattended-upgrades

Your updates will be run from /etc/cron.daily/apt. That file is also worth reading if you like tweaking things, such as a scheduled apt-get autoremove.
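
Both 20auto-upgrades above and the 20nextcloudpi-upgrades file written by the script further down assign APT::Periodic::Unattended-Upgrade, so the value that applies depends on load order. The following is an added example, not part of the original post or of NextCloudPi: a shell check that resolves the effective value across an apt.conf.d directory. The function names and the sample directory are constructed for illustration, and only the flat one-line form shown on this page is parsed.

```shell
#!/bin/sh
# Added example (not NextCloudPi code): which value of an APT option applies?
# APT reads apt.conf.d files in ascending name order and a later assignment
# overrides an earlier one. Only the flat  Key "value";  form is parsed here.

# effective_apt_option DIR KEY -> prints the last value assigned to KEY
effective_apt_option() (
    LC_ALL=C; export LC_ALL    # byte-wise glob order, inside this subshell only
    value=
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        v=$(sed -n "s|^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*|\1|p" "$f" | tail -n 1)
        [ -n "$v" ] && value=$v
    done
    printf '%s\n' "$value"
)

# audit_auto_updates DIR -> prints findings; returns 0 only if upgrades will run
audit_auto_updates() {
    lists=$(effective_apt_option "$1" 'APT::Periodic::Update-Package-Lists')
    upgrade=$(effective_apt_option "$1" 'APT::Periodic::Unattended-Upgrade')
    reboot=$(effective_apt_option "$1" 'Unattended-Upgrade::Automatic-Reboot')
    rc=0
    [ "${lists:-0}" != 0 ]   || { echo "FAIL package lists are never refreshed"; rc=1; }
    [ "${upgrade:-0}" != 0 ] || { echo "FAIL unattended upgrades are disabled"; rc=1; }
    [ "${reboot:-false}" = true ] || echo "WARN automatic reboot is off; updates needing a restart stay pending"
    [ "$rc" -eq 0 ] && echo "OK upgrades run every $upgrade day(s)"
    return "$rc"
}

# Constructed sample directory: the file dpkg-reconfigure creates, plus the
# NextCloudPi file as the script on this page writes it with ACTIVE set to no.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "1";' > "$d/20auto-upgrades"
    printf '%s\n' 'APT::Periodic::Update-Package-Lists "1";' \
                  'APT::Periodic::Unattended-Upgrade "0";' \
                  'Unattended-Upgrade::Automatic-Reboot "false";' \
                  'Unattended-Upgrade::Automatic-Reboot-Time "04:00";' > "$d/20nextcloudpi-upgrades"
    printf '%s\n' "$d"
}

sample=$(make_sample_dir)
audit_auto_updates "$sample" || true   # 20nextcloudpi-upgrades sorts last and wins
rm -r "$sample"
```

On a live system, pass /etc/apt/apt.conf.d as the directory; `apt-config dump` prints the merged configuration as APT itself resolves it.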

More on usage

You can run it yourself with

sudo unattended-upgrades -d

If you have mail set up, use this option

Unattended-Upgrade::Mail "root";

The operations are written to



[update] Raspbian does not support the Raspbian-Security label. For Raspbian, it is either update nothing or everything, security or not. See this forum thread.



#!/bin/bash
# Unattended upgrades installation on Raspbian
# Tested with 2017-03-02-raspbian-jessie-lite.img
# Copyleft 2017 by Ignacio Nunez Hernanz <nacho _a_t_ ownyourbits _d_o_t_ com>
# GPL licensed (see end of file) * Use at your own risk!
# Usage:
#   ./ <IP> (<img>)
# See instructions for details

DESCRIPTION="unattended upgrades: automatically install security updates. Keep your cloud safe"

# Install the package
apt-get update
apt install -y --no-install-recommends unattended-upgrades

# Map the two yes/no settings (ACTIVE_, AUTOREBOOT_) to the values APT expects
[[ $ACTIVE_     == "yes" ]] && AUTOUPGRADE=1   || AUTOUPGRADE=0
[[ $AUTOREBOOT_ == "yes" ]] && AUTOREBOOT=true || AUTOREBOOT=false

# Refresh package lists daily, keep cached .deb files for 14 days,
# autoclean every 7 days, and reboot at 04:00 only if allowed
cat > /etc/apt/apt.conf.d/20nextcloudpi-upgrades <<EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "$AUTOUPGRADE";
APT::Periodic::MaxAge "14";
APT::Periodic::AutocleanInterval "7";
Unattended-Upgrade::Automatic-Reboot "$AUTOREBOOT";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
EOF

# Clean up: remove unused packages, the apt cache, the package lists
# and the shell history, then disable ssh
apt-get autoremove -y
apt-get clean
rm -r /var/lib/apt/lists/*
rm -f /home/pi/.bash_history
systemctl disable ssh

# License
# This script is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
# This script is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this script; if not, write to the
# Free Software Foundation, Inc., 59 Temple Place, Suite 330,
# Boston, MA  02111-1307  USA



Author: nachoparker



  1. I activated unattended-upgrades through nextcloudpi-config and noticed that the configuration file “/etc/apt/apt.conf.d/50unattended-upgrades” has no Origins-Pattern defined. The daily logs in “/var/log/unattended-upgrades/unattended-upgrades.log” showed “Allowed origins are: []”.

    My first question: Why is there no pattern like “o=Raspbian,a=stable,l=Raspbian-Security”; so that the logs show “Allowed origins are: [‘o=Raspbian,a=stable,l=Raspbian-Security’]” and one knows what is being upgraded?

    My second question: Should I avoid including a pattern like “o=Raspbian,a=stable,l=Raspbian” for non-security updates? I suspect that could conflict with the update policy of the NextCloudPi project.

    My third question: Does a NextCloudPi update overwrite my changes to e.g. “/etc/apt/apt.conf.d/50unattended-upgrades”?

    1. Hi, I reviewed this and fixed it in v0.17.2

      I was very surprised to learn that Raspbian-Security is not a thing for Raspbian. I wrote a post asking for it. It would be great if more people helped deliver pressure on the Raspbian developers to implement this.

      For now, unattended upgrades will upgrade the whole system, there is no way to apply only security updates. I will now update the post with this information

      Thanks again for your feedback

      edit: Regarding your last question… NextCloudPi only works with `/etc/apt/apt.conf.d/20nextcloudpi-upgrades`, so any changes to `/etc/apt/apt.conf.d/50unattended-upgrades` will not be overwritten by NCP.

      1. Hi, thank you for the quick fix and sorry for not pasting the question to github right away.

        I had a dry run with unattended upgrades which now gave me
        “Allowed origins are: [‘o=Raspbian,n=jessie,l=Raspbian’, ‘o=Raspbian,n=stretch,l=Raspbian’]”
        and (dummy) upgraded all the updated packages. I think it works fine now.

        Also, I like

        – that NextCloudPi works with /etc/apt/apt.conf.d/20nextcloudpi-upgrades and leaves /etc/apt/apt.conf.d/50unattended-upgrades untouched,
        – and that you use the codenames (n=jessie and n=stretch) in your patterns to follow the migration of those releases.

        This leaves users with the option to define additional patterns in /etc/apt/apt.conf.d/50unattended-upgrades if one prefers to be a bit more progressive and include a pattern like “o=Raspbian,a=stable,l=Raspbian” to match a different release after migration. I had another dry run with this additional pattern included in /etc/apt/apt.conf.d/50unattended-upgrades and it gave me
        “Allowed origins are: [‘o=Raspbian,n=jessie,l=Raspbian’, ‘o=Raspbian,n=stretch,l=Raspbian’, ‘o=Raspbian,a=stable,l=Raspbian’]”

        I think I will stick to the default NextCloudPi patterns.

        I also read your post about the Raspbian-Security Label and felt pretty surprised too.

        By the way, great project.
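
The symptom discussed in the thread above, an empty "Allowed origins" list, can be checked for directly in the log. The following is an added example, not part of the original post, the comments or NextCloudPi: a shell check that reports how many recorded runs had no allowed origin and whether the latest one does. The log lines are constructed; only the "Allowed origins are:" message comes from this page, and the timestamp prefix and function names are assumptions.

```shell
#!/bin/sh
# Added example: find runs where unattended-upgrades had no allowed origin.

# origin_report [LOGFILE] -> summary on stdout (reads stdin without a file)
# exit status: 0 latest run has origins, 1 latest run has none, 2 no run found
origin_report() {
    awk '
    /Allowed origins are: / {
        runs++
        latest = $0
        sub(/.*Allowed origins are: /, "", latest)
        if (latest == "[]") {           # empty list: nothing may be upgraded
            empty++
            if (first == "") first = $1
            last = $1                   # $1 is the date field of the log line
        }
    }
    END {
        if (runs == 0) { print "UNKNOWN no run recorded"; exit 2 }
        if (empty > 0)
            printf "%d of %d runs had no allowed origin (%s to %s)\n", empty, runs, first, last
        if (latest == "[]") { print "FAIL latest run could upgrade nothing"; exit 1 }
        print "OK latest run allows " latest
    }' "$@"
}

# Constructed sample log: two runs before the fix, one run after it.
sample_log() {
cat <<'EOF'
2017-08-12 06:25:01,102 INFO Allowed origins are: []
2017-08-13 06:25:02,090 INFO Allowed origins are: []
2017-08-14 06:25:01,777 INFO Allowed origins are: ['o=Raspbian,n=jessie,l=Raspbian', 'o=Raspbian,n=stretch,l=Raspbian']
EOF
}

sample_log | origin_report || true
```

To check a real system, run `origin_report /var/log/unattended-upgrades/unattended-upgrades.log`; the date range in the first output line is the period during which no package could be upgraded.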
