How to Disable Unattended Upgrades on Ubuntu

by

Unattended upgrades can be a double-edged sword. While they keep your system up to date automatically, they might also unexpectedly change the system’s state or introduce new issues without your prior knowledge. In certain environments, especially in production or where stability is a must, it might be preferable to disable these automatic updates. This guide will walk you through the steps necessary to disable unattended upgrades on your Ubuntu system.

In this tutorial you will learn:

  • How to disable the unattended-upgrades service
  • How to configure Apt’s periodic upgrade settings
  • How to ensure your system does not perform automatic installations without your consent
How to Disable Unattended Upgrades on Ubuntu

How to Disable Unattended Upgrades on Ubuntu
Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Ubuntu 16.04,18.04,20.04,22.04,24.04
Software None
Other Access to a terminal window/command line (Ctrl-Alt-T, Ctrl-Alt-F2)
Conventions # – requires given linux commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux commands to be executed as a regular non-privileged user
TL;DR
To disable unattended upgrades on Ubuntu, stop the service and modify the configuration file to prevent automatic updates. This gives you full control over when system updates are applied.

Quick Steps to Disable Unattended Upgrades
Step Command/Action
1. Disable the service sudo systemctl disable --now unattended-upgrades
2. Edit configuration file sudo nano /etc/apt/apt.conf.d/20auto-upgrades
3. Set Unattended-Upgrade to “0” APT::Periodic::Unattended-Upgrade "0";
4. Verify the changes systemctl status unattended-upgrades
IMPORTANT WARNING ABOUT DISABLING UNATTENDED UPGRADES
Disabling unattended upgrades transfers the responsibility of keeping the system secure and updated entirely to you. Without automatic updates, you must regularly check for and manually install updates to protect your system from vulnerabilities that are often patched through these updates. Failing to keep your system updated can expose it to security risks and potential breaches. Always ensure your system’s software is up-to-date to maintain its security integrity.

Steps to Disable Unattended Upgrades on Ubuntu

Follow these steps carefully to disable automatic updates on your Ubuntu system. This will give you full control over when and how updates are installed, which is crucial for managing dependencies and system stability, especially when you need to ensure that updates do not disrupt existing software configurations.

  1. Disable the Unattended-Upgrades Service: The first step is to stop the unattended-upgrades service from running automatically. 
    $ sudo systemctl disable --now unattended-upgrades

    This command stops the ‘unattended-upgrades’ service if it is currently running and prevents it from starting during the system boot. Disabling this service ensures that no upgrades are applied without your intervention.

  2. Edit the 20auto-upgrades File: To take control over the automatic installation of updates, modify the apt configuration file. 
    $ sudo nano /etc/apt/apt.conf.d/20auto-upgrades

    You need to insert or update the following lines:

    APT::Periodic::Update-Package-Lists "1";   // "1" enables, "0" disables automatic checking for new packages
APT::Periodic::Unattended-Upgrade "0";      // Setting to "0" disables automatic installations

    This configuration ensures the package lists are still updated regularly if set to 1 (useful for manual upgrades), but prevents any updates from being installed automatically by setting Unattended-Upgrade to 0. To completely disable automatic checking for updates, change APT::Periodic::Update-Package-Lists to 0. This stops your system from even checking for new updates automatically, thereby requiring you to manually check and update your packages to maintain system security and performance.

    Disabled unattended upgrades in 20auto-upgrades File

    Disabled unattended upgrades in 20auto-upgrades File

  3. Adjust the 50unattended-upgrades File (Optional): For finer control or to disable certain types of updates, modify the 50unattended-upgrades file. 
    $ sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

    You can comment out lines corresponding to the types of updates you do not want automatically installed, such as:

    // "${distro_id}:${distro_codename}-updates";

    By commenting out these lines, you prevent automatic updates from these repositories, though manual updates are still possible.

  4. Verify Changes: Ensure that automatic updates are disabled. 
    $ systemctl status unattended-upgrades

    This command checks the status of the unattended-upgrades service. It should report “inactive (disabled)” if the service is properly disabled.

    $ cat /etc/apt/apt.conf.d/20auto-upgrades

    This will display the current configuration of the 20auto-upgrades file to verify that unattended upgrades are disabled.

    Verify that unattended upgrades had been disabled

    Verify that unattended upgrades had been disabled

Understanding Update Management Files in Ubuntu

differences between the 10periodic, 20auto-upgrades, and 50unattended-upgrades configuration files in Ubuntu

Differences between the 10periodic, 20auto-upgrades, and 50unattended-upgrades configuration files in Ubuntu

It’s important to understand the roles and differences between the 10periodic, 20auto-upgrades, and 50unattended-upgrades configuration files in Ubuntu. These files dictate how automatic updates should be handled by the system, but each serves a distinct purpose:

10periodic

This file is used to configure how frequently the package lists are updated and how often the script checks for upgrades. The settings in this file are more about scheduling the timing of update checks and the cleanup operations:

  • APT::Periodic::Update-Package-Lists: This option schedules the update of the package lists (how often the system checks for new packages).
  • APT::Periodic::Download-Upgradeable-Packages: Schedules how often to download upgradable packages.
  • APT::Periodic::AutocleanInterval: Defines how often the package cache is cleaned.

20auto-upgrades

This file specifically controls the automatic installation of updates. It is more focused than 10periodic and directly influences whether updates are applied automatically:

  • APT::Periodic::Update-Package-Lists: Similar to 10periodic, it controls the frequency of checking for updates.
  • APT::Periodic::Unattended-Upgrade: This crucial setting determines whether updates are installed automatically without user intervention.

50unattended-upgrades

Unlike the previous files, 50unattended-upgrades provides granular control over which types of updates are applied automatically. It allows specifying security updates or other updates from specific repositories to be included or excluded from automatic upgrades. Configuration here is primarily about inclusion and exclusion rules for updates, specifying from which origins updates should be automatically installed.

Understanding these files and their configurations helps in effectively managing system updates according to your needs, providing a balance between automation and manual control. This knowledge is crucial for customizing the update behavior of your Ubuntu system to fit your requirements. For more detailed information about Ubuntu package management with APT, you can explore the comprehensive APT command reference.

Conclusion

By following the steps outlined above, you will have successfully disabled unattended upgrades on your Ubuntu system. This change allows you to manually control when updates are applied, preventing unexpected changes and potential software conflicts. Once you’ve disabled automatic updates, it’s essential to establish a regular manual update routine using apt update and apt upgrade commands to maintain system security and stability. For comprehensive information about Ubuntu’s security update process and best practices, refer to the official Ubuntu Security Notices page.

Frequently Asked Questions

  1. Will disabling unattended upgrades affect my system’s security?Yes, disabling unattended upgrades does impact your system’s security posture. Without automatic updates, you become solely responsible for keeping your system patched against vulnerabilities. Security updates often contain critical fixes for newly discovered exploits, and delayed installation can leave your system exposed to attacks. To mitigate this risk, establish a regular schedule for manually checking and installing updates using sudo apt update and sudo apt upgrade commands. Consider subscribing to Ubuntu Security Notices to stay informed about critical patches that require immediate attention.
  2. How do I re-enable unattended upgrades if I change my mind?Re-enabling unattended upgrades is straightforward. First, enable and start the service: 
    # sudo systemctl enable --now unattended-upgrades

    Then edit the /etc/apt/apt.conf.d/20auto-upgrades file and change the values back to “1”:

    APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

    After making these changes, verify the service is running with systemctl status unattended-upgrades. Your system will resume automatic security updates within the next scheduled update cycle.

  3. Can I disable automatic updates for specific packages only?Yes, you can selectively prevent certain packages from being automatically upgraded while keeping the unattended-upgrades service running for other packages. Edit the /etc/apt/apt.conf.d/50unattended-upgrades file and add packages to the blacklist section: 
    Unattended-Upgrade::Package-Blacklist {
    "package-name1";
    "package-name2";
};

    This approach is particularly useful when you need to maintain specific versions of critical software while still receiving security updates for the rest of your system. You can also use regular expressions to match package patterns.

  4. What’s the difference between disabling the service and editing configuration files?Disabling the unattended-upgrades service with systemctl disable prevents the service from running at all, which is the most comprehensive approach. However, editing configuration files like 20auto-upgrades provides more granular control – you can keep the service running but configure it to only check for updates without installing them, or specify which types of updates to apply. The systemctl method is cleaner and more direct, while configuration file editing offers flexibility. For complete disabling, it’s recommended to do both: stop the service and set configuration values to “0”.
  5. How often should I manually update my system after disabling automatic updates?Best practices recommend checking for updates at least weekly for desktop systems and daily for servers, especially those exposed to the internet. Critical security updates can be released at any time in response to newly discovered vulnerabilities. A practical approach is to run sudo apt update && sudo apt upgrade every Monday morning, or integrate it into your weekly system maintenance routine. For production servers, consider implementing a scheduled maintenance window where you review available updates, test them in a staging environment, and then apply them systematically. You can also configure email notifications for security updates to stay informed between manual checks.

Related Posts: