Setup unattended-upgrades on Debian-based systems

Unattended-Upgrades Role for Ansible

Install and set up unattended-upgrades on Debian (since Wheezy) to periodically install security upgrades.

MODIFICATIONS in this fork:

  1. Removed references to Ubuntu (unneeded in our deployment).
  2. Switched debian box to debian/jessie64.
  3. Updated contents of auto-upgrades and unattended-upgrades.j2 with content from
  4. Updated name of auto-upgrades script from 20auto-upgrades to 02periodic (per the model found elsewhere).


The role uses the apt module, which has additional dependencies. You can use the bootstrap-debian role to set up common Ansible requirements on Debian-based systems.

If you set unattended_mail to an e-mail address, make sure the mailx command is available and your system is able to send e-mail.

The role requires unattended-upgrades version 0.70 or newer, which is available since Debian Wheezy. This is due to its use of Origins Patterns; if these are not available on your system, you may use the first version of the role.

Automatic Reboot

If you enable the automatic reboot feature (unattended_automatic_reboot), the role will install the update-notifier-common package, which is required for detecting and executing a reboot after the upgrade. You may optionally define a specific time for rebooting (unattended_automatic_reboot_time).

NOTE: This feature is not currently supported on Debian Jessie, because there is no replacement for that package. Attempting to enable this feature on an unsupported system will cause a failure. See the discussion in #6 for more details.

Disabled Cron Jobs

On some hosts you may find that the unattended-upgrades cron file /etc/cron.daily/apt has been renamed to apt.disabled. This is possibly the provider's decision, to save some CPU cycles. Use the enable-standard-cronjobs role to re-enable unattended-upgrades. See also the discussion in #9.

Role Variables

  • unattended_origins_patterns: array of origins patterns that determine whether a package can be automatically installed; for more details see Origins Patterns below.
    • Default for Debian: ['origin=Debian,codename=${distro_codename},label=Debian-Security']
    • Default for Ubuntu: ['origin=Ubuntu,archive=${distro_codename}-security,label=Ubuntu']
  • unattended_package_blacklist: packages which won't be automatically upgraded
    • Default: []
  • unattended_autofix_interrupted_dpkg: whether to run dpkg --force-confold --configure -a after an unclean dpkg exit
    • Default: true
  • unattended_minimal_steps: split the upgrade into the smallest possible chunks so that they can be interrupted with SIGUSR1.
    • Default: false
  • unattended_install_on_shutdown: install all unattended-upgrades when the machine is shutting down.
    • Default: false
  • unattended_mail: e-mail address to send information about upgrades or problems with unattended upgrades
    • Default: false (don't send any e-mail)
  • unattended_mail_only_on_error: send e-mail only on errors; otherwise an e-mail will be sent every time there's a package upgrade.
    • Default: false
  • unattended_remove_unused_dependencies: automatically remove new unused dependencies after the upgrade.
    • Default: false
  • unattended_automatic_reboot: automatically reboot the system if any upgraded package requires it, immediately after the upgrade.
    • Default: false
  • unattended_automatic_reboot_time: automatically reboot the system if any upgraded package requires it, at the specified time (HH:MM) instead of immediately after the upgrade.
    • Default: false
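To see what these variables turn into on a managed host, the following added example (not the role's own Jinja2 template, unattended-upgrades.j2, whose exact output it does not reproduce) renders the variables above into the apt.conf fragment that unattended-upgrades reads, and lints the combinations that silently do nothing (a reboot time without automatic reboot, a malformed HH:MM, an empty pattern list). The Unattended-Upgrade::* and APT::Periodic::* directive names are the upstream unattended-upgrades and apt options; the two APT::Periodic switches in render_periodic are an assumption, since the page does not show the content of the 02periodic file.

```python
"""Render the Role Variables into the apt.conf fragment that
unattended-upgrades reads (/etc/apt/apt.conf.d/50unattended-upgrades).

Added example for this README, not the role's own template. The
Unattended-Upgrade::* and APT::Periodic::* directive names are the
upstream option names; the variable names and defaults are the ones
listed in Role Variables.
"""
import re

# Role defaults as documented in Role Variables.
DEFAULTS = {
    "unattended_origins_patterns": [
        "origin=Debian,codename=${distro_codename},label=Debian-Security",
    ],
    "unattended_package_blacklist": [],
    "unattended_autofix_interrupted_dpkg": True,
    "unattended_minimal_steps": False,
    "unattended_install_on_shutdown": False,
    "unattended_mail": False,
    "unattended_mail_only_on_error": False,
    "unattended_remove_unused_dependencies": False,
    "unattended_automatic_reboot": False,
    "unattended_automatic_reboot_time": False,
}

_HHMM = re.compile(r"([01][0-9]|2[0-3]):[0-5][0-9]")


def validate(variables):
    """Return a list of findings a playbook author would want to know about
    before the role writes the config. An empty list means no findings."""
    problems = []
    if not variables["unattended_origins_patterns"]:
        problems.append("unattended_origins_patterns is empty: nothing will ever be upgraded")
    time = variables["unattended_automatic_reboot_time"]
    if time and not _HHMM.fullmatch(str(time)):
        problems.append("unattended_automatic_reboot_time must be HH:MM, got %r" % (time,))
    if time and not variables["unattended_automatic_reboot"]:
        problems.append("unattended_automatic_reboot_time is set but unattended_automatic_reboot is false")
    if variables["unattended_mail_only_on_error"] and not variables["unattended_mail"]:
        problems.append("unattended_mail_only_on_error has no effect without unattended_mail")
    return problems


def _apt_bool(value):
    return "true" if value else "false"


def _apt_list(name, items):
    # apt.conf list syntax: Name { "item"; "item"; };
    lines = ["%s {" % name]
    lines += ['        "%s";' % item for item in items]
    lines.append("};")
    return lines


def render(overrides=None):
    """Render 50unattended-upgrades from DEFAULTS updated with `overrides`.
    Raises ValueError when validate() reports a finding."""
    variables = dict(DEFAULTS, **(overrides or {}))
    problems = validate(variables)
    if problems:
        raise ValueError("; ".join(problems))

    lines = ["// Rendered from role variables (added example, not the role's template)"]
    lines += _apt_list("Unattended-Upgrade::Origins-Pattern",
                       variables["unattended_origins_patterns"])
    lines += _apt_list("Unattended-Upgrade::Package-Blacklist",
                       variables["unattended_package_blacklist"])
    lines.append('Unattended-Upgrade::AutoFixInterruptedDpkg "%s";'
                 % _apt_bool(variables["unattended_autofix_interrupted_dpkg"]))
    lines.append('Unattended-Upgrade::MinimalSteps "%s";'
                 % _apt_bool(variables["unattended_minimal_steps"]))
    lines.append('Unattended-Upgrade::InstallOnShutdown "%s";'
                 % _apt_bool(variables["unattended_install_on_shutdown"]))
    if variables["unattended_mail"]:
        lines.append('Unattended-Upgrade::Mail "%s";' % variables["unattended_mail"])
        lines.append('Unattended-Upgrade::MailOnlyOnError "%s";'
                     % _apt_bool(variables["unattended_mail_only_on_error"]))
    lines.append('Unattended-Upgrade::Remove-Unused-Dependencies "%s";'
                 % _apt_bool(variables["unattended_remove_unused_dependencies"]))
    lines.append('Unattended-Upgrade::Automatic-Reboot "%s";'
                 % _apt_bool(variables["unattended_automatic_reboot"]))
    if variables["unattended_automatic_reboot_time"]:
        lines.append('Unattended-Upgrade::Automatic-Reboot-Time "%s";'
                     % variables["unattended_automatic_reboot_time"])
    return "\n".join(lines) + "\n"


def render_periodic():
    """Companion fragment (02periodic in this fork, 20auto-upgrades upstream)
    that makes apt's daily cron job run the upgrader. The two switches are an
    assumption; the page does not show the file's content."""
    return ('APT::Periodic::Update-Package-Lists "1";\n'
            'APT::Periodic::Unattended-Upgrade "1";\n')


if __name__ == "__main__":
    print(render({"unattended_package_blacklist": ["cowsay", "vim"],
                  "unattended_mail": "root@example.com",
                  "unattended_automatic_reboot": True,
                  "unattended_automatic_reboot_time": "02:00"}))
    print(render_periodic())
```

Diffing the output of render() against the file the role actually wrote on a host is a quick way to confirm that the variables you set in the playbook reached the target.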

Origins Patterns

An Origins Pattern is a more powerful alternative to the Allowed Origins option used in previous versions of unattended-upgrades.

A pattern is composed of specific keywords:

  • a,archive,suite – e.g. stable, trusty-security (archive=stable)
  • c,component – e.g. main, contrib, non-free (component=main)
  • l,label – e.g. Debian, Debian-Security, Ubuntu
  • o,origin – e.g. Debian, Unofficial Multimedia Packages, Ubuntu
  • n,codename – e.g. jessie, jessie-updates, trusty
  • site – e.g.

You can review the available repositories using apt-cache policy and debug your choice using the unattended-upgrades -d command on a target system.

Additionally, unattended-upgrades supports two macros (variables), derived from /etc/debian_version:

  • ${distro_id} – Installed distribution name, e.g. Debian or Ubuntu.
  • ${distro_codename} – Installed codename, e.g. jessie or trusty.

Role Usage Example

```yaml
- hosts: all
  roles:
    - role: jnv.unattended-upgrades
      unattended_origins_patterns:
        - 'origin=Ubuntu,archive=${distro_codename}-security'
        - 'o=Ubuntu,a=${distro_codename}-updates'
      unattended_package_blacklist: [cowsay, vim]
      unattended_mail: ''
```

Patterns Examples

By default, only security updates are allowed for both Ubuntu and Debian. You can add more patterns to allow unattended-upgrades to install more packages automatically; however, be aware that automated major updates may potentially break your system.

For Debian

```yaml
# Archive based matching
unattended_origins_patterns:
  - 'origin=Debian,codename=${distro_codename},label=Debian-Security' # resolves to codename=jessie
  - 'o=Debian,a=stable'
  - 'o=Debian,a=stable-updates'
  - 'o=Debian,a=proposed-updates'
```

For Ubuntu

In Ubuntu, the archive always contains the distribution codename:

```yaml
unattended_origins_patterns:
  - 'origin=Ubuntu,archive=${distro_codename}-security'
  - 'o=Ubuntu,a=${distro_codename}'
  - 'o=Ubuntu,a=${distro_codename}-updates'
  - 'o=Ubuntu,a=${distro_codename}-proposed-updates'
```
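Choosing patterns is easier when you can see which of a host's repositories each one admits. The following added example, serving both the Origins Patterns section and the pattern lists above, is not the role's code and not unattended-upgrades itself: it parses constructed apt-cache policy output for a hypothetical jessie host (with the Unofficial Multimedia Packages repository from the keyword list also configured), expands ${distro_id} and ${distro_codename}, and applies the keyword matching described above, where every key=value token of a pattern must equal the repository's field. Wildcards and the other rules of the real matcher are deliberately not modelled; the sample output is constructed, not captured from a real system.

```python
"""Check which apt repositories a set of origins patterns would allow.

Added example for this README, not the role's code and not the
unattended-upgrades matcher. It models only what the README describes:
comma-separated key=value tokens, abbreviated keywords, macro expansion,
and exact comparison of every token against the repository's field.
"""

# Keyword aliases from the Origins Patterns section, mapped to the field
# names that `apt-cache policy` prints on its "release" lines.
KEYWORDS = {
    "o": "origin", "origin": "origin",
    "a": "archive", "archive": "archive", "suite": "archive",
    "n": "codename", "codename": "codename",
    "l": "label", "label": "label",
    "c": "component", "component": "component",
    "site": "site",
}

# The role's Debian default from Role Variables.
DEFAULT_DEBIAN = ["origin=Debian,codename=${distro_codename},label=Debian-Security"]

# Constructed `apt-cache policy` output for a hypothetical jessie host that
# also has a third-party multimedia repository configured; not captured
# from a real system.
SAMPLE_POLICY = """\
Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://security.debian.org/ jessie/updates/main amd64 Packages
     release v=8,o=Debian,a=stable,n=jessie,l=Debian-Security,c=updates/main
     origin security.debian.org
 500 http://httpredir.debian.org/debian/ jessie-updates/main amd64 Packages
     release o=Debian,a=stable-updates,n=jessie-updates,l=Debian,c=main
     origin httpredir.debian.org
 500 http://httpredir.debian.org/debian/ jessie/main amd64 Packages
     release v=8.7,o=Debian,a=stable,n=jessie,l=Debian,c=main
     origin httpredir.debian.org
 500 http://www.deb-multimedia.org/ jessie/main amd64 Packages
     release v=8,o=Unofficial Multimedia Packages,a=stable,n=jessie,l=Unofficial Multimedia Packages,c=main
     origin www.deb-multimedia.org
"""


def parse_policy(text):
    """Turn `apt-cache policy` output into one dict per repository.
    A "release" line carries the o/a/n/l/c fields; the "origin" line that
    follows it carries the site. Unknown fields such as v= are ignored."""
    repos = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("release "):
            current = {}
            for token in line[len("release "):].split(","):
                key, _, value = token.partition("=")
                field = KEYWORDS.get(key.strip())
                if field:
                    current[field] = value.strip()
            repos.append(current)
        elif line.startswith("origin ") and current is not None:
            current["site"] = line[len("origin "):].strip()
    return repos


def expand(pattern, distro_id, distro_codename):
    """Expand the two macros unattended-upgrades supports."""
    return (pattern.replace("${distro_id}", distro_id)
                   .replace("${distro_codename}", distro_codename))


def pattern_matches(pattern, repo, distro_id="Debian", distro_codename="jessie"):
    """True when every key=value token of the pattern equals the repo field.
    Raises ValueError for a token that is not key=value or uses an unknown keyword."""
    for token in expand(pattern, distro_id, distro_codename).split(","):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("token %r in %r is not key=value" % (token, pattern))
        field = KEYWORDS.get(key.strip())
        if field is None:
            raise ValueError("unknown keyword %r in %r" % (key.strip(), pattern))
        if repo.get(field) != value.strip():
            return False
    return True


def allowed_repos(patterns, policy_text, distro_id="Debian", distro_codename="jessie"):
    """Repositories from which at least one of the patterns allows packages."""
    return [repo for repo in parse_policy(policy_text)
            if any(pattern_matches(p, repo, distro_id, distro_codename)
                   for p in patterns)]


if __name__ == "__main__":
    for label, patterns in [("role default", DEFAULT_DEBIAN),
                            ("default + o=Debian,a=stable",
                             DEFAULT_DEBIAN + ["o=Debian,a=stable"])]:
        print(label)
        for repo in allowed_repos(patterns, SAMPLE_POLICY):
            print("  %s  o=%s a=%s l=%s" % (repo.get("site"), repo.get("origin"),
                                           repo.get("archive"), repo.get("label")))
```

Feed it the real output of apt-cache policy from a target host and the patterns from your playbook to see, before the role runs, whether a third-party repository would be pulled into unattended upgrades; the security repository's updates/main component is included to show why component=main is a narrower match than it looks.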


