top of page
Search

Automatic Ubuntu Updates the "Right Way"

Greetings, Tech Talkers! This is Tor, your trusted network engineering uplink. Today we’re making Ubuntu do the boring work for you:


  • Daily updates at a fixed time,

  • Configuring and Verifying your server clock is synced to the

  • Configuring and Verifying the time zone set to Eastern (replace with your time zone if you hate the default UTC.


By the end, your box will patch itself on schedule and your logs will finally make sense.

Getting Started - What you’ll need:


  1. Ubuntu 20.04 or newer

  2. Sudo access

  3. An internet connection


Step 1: Turn on unattended upgrades


Unless you feel like messing around with manual configuration of crontabs, I recommend you use the Ubuntu has a built‑in auto‑update mechanism. Enable it:


sudo apt update
sudo apt install -y unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

This enables daily package list refresh + auto‑upgrades, which we’ll pin to a fixed time next.


Step 2: Force a fixed daily time with systemd timers


Ubuntu’s auto‑update cadence is driven by two timers:


apt-daily.timer for the daily apt update
apt-daily-upgrade.timer for the daily apt upgrade

We’ll override them so they fire on a precise schedule, in local time.


1) Set the upgrade to 2:00 AM (adjust as needed) 

sudo systemctl edit apt-daily-upgrade.timer

Then paste in the below and save the file (use CTL+X to exit Nano and and choose "yes" to save the updates)

[Timer]
OnCalendar=
OnCalendar=02:00
RandomizedDelaySec=0

Reload the daemon and restart the upgrade timer.


sudo systemctl daemon-reload
sudo systemctl restart apt-daily-upgrade.timer

2) Set the update to run a few minutes earlier (1:45 AM)

sudo systemctl edit apt-daily.timer

Then paste in the below and save the file (use CTL+X to exit Nano and and choose "yes" to save the updates)

[Timer]
OnCalendar=
OnCalendar=01:45
RandomizedDelaySec=0

Reload the daemon and restart the upgrade timer.


sudo systemctl daemon-reload
sudo systemctl restart apt-daily.timer

  1. Verify:


systemctl list-timers | grep apt


You should see 01:45 and 02:00 for the next runs.


Output of 'systemctl list-timers | grep apt' showing the timers have been implemented.
Output of 'systemctl list-timers | grep apt' showing the timers have been implemented.


Step 3: Configure and Verify the time zone (instead of the default UTC)


sudo timedatectl set-timezone America/New_York

To Verify, issue:

timedatectl
Output of 'timedatectl' showing the updated time zone.
Output of 'timedatectl' showing the updated time zone.

You should see Time zone: America/New_York (EDT/EST) and your local time reflected accordingly.


Step 4: Sync to the US East NTP pool (or whatever you want) with systemd‑timesyncd


Edit the timesyncd config:


sudo nano /etc/systemd/timesyncd.conf

Uncomment or add the NTP line under [Time]:


[Time]
NTP=0.us.pool.ntp.org

Apply and enable:


sudo systemctl restart systemd-timesyncd
sudo systemctl enable systemd-timesyncd

Verify sync:


timedatectl timesync-status

Output of 'timedatectl timesync-status' showing the server is in sync and NTP is working.
Output of 'timedatectl timesync-status' showing the server is in sync and NTP is working.

Step 5: Optional safe reboots after updates


If you want the system to auto‑reboot when a kernel or critical update requires it, schedule it for a safe window. Edit:


sudo nano /etc/apt/apt.conf.d/50unattended-upgrades



Add or adjust:


Unattended-Upgrade::Automatic-Reboot "true";

Unattended-Upgrade::Automatic-Reboot-Time "04:00";


That reboots at 4 AM local time when a reboot is required. Leave it off if you have fragile workloads. Note: There are some other neat features in there to consider as well, such as email or syslog notifications and automatic unused package clean up to consider.


Step 6: Confirm it’s actually working


Timers


systemctl list-timers | grep apt

Unattended-upgrades logs


ls -lh /var/log/unattended-upgrades/
tail -n 50 /var/log/unattended-upgrades/unattended-upgrades.log

APT history


tail -n 50 /var/log/apt/history.log


Journal for last run


journalctl -u apt-daily.service -u apt-daily-upgrade.service --since "yesterday"

Troubleshooting quick hits


Timers still look random? Make sure your overrides included OnCalendar= on its own line to clear the vendor defaults, then set your new time. Restart the timers and recheck.


Times are off by an hour? You probably changed timezone but didn’t verify DST. Re‑run timedatectl and confirm EST/EDT.


No NTP sync? Ensure systemd-timesyncd is active and not replaced by chrony or ntp. Firewalls must allow UDP/123 out.


Wrapping it up


You’ve got daily updates landing at a predictable 2 AM Eastern, the OS clock locked to the US East NTP pool, and a paper trail to verify it all. Clean, consistent, and low‑maintenance.


Thanks,

Tor – your trusted network engineering uplink

 
 
 

Recent Posts

See All
Cisco VTP – To VTP, or Not to VTP

Greetings, Tech Talkers! This is Tor from Tors Tech Talk, your trusted network engineering uplink. Today, we’re tackling the ultimate...

 
 
 

Comments

Rated 0 out of 5 stars.
No ratings yet
Add a rating
bottom of page