Automating EVE-NG Updates on Ubuntu (with unattended-upgrades & Systemd timers)
- Tor's Tech Talk
- Oct 1, 2025
Updated: Dec 18, 2025

Greetings, Tech Talkers! This is Tor, your trusted network engineering uplink. Today we’re making Ubuntu do the boring work for you to ensure your EVE-NG instance upgrades automatically!
Intro
EVE-NG runs on Ubuntu, which means it inherits Ubuntu’s package management system and update mechanisms. That’s a good thing — but only if they’re configured correctly.
Out of the box, Ubuntu’s automatic updates are conservative and security-focused. They do not automatically upgrade third-party repositories, including the EVE-NG repository, unless you explicitly allow them. Many EVE-NG hosts therefore stay partially updated unless the administrator intervenes manually. I can't tell you how many EVE-NG instances I've seen out there running outdated software.
This article walks through a tested and predictable method to automate both Ubuntu and EVE-NG package upgrades using:
unattended-upgrades
systemd timers
explicit repository origin matching
The goal is simple: when a new EVE-NG release is published, it installs itself automatically, without surprises, on a schedule you specify. One timer controls when the system checks for package updates, and a separate timer specifies when those packages are upgraded. These timers run every day, so your Ubuntu system stays up to date and you get the latest EVE-NG updates without manual intervention.
What This Article Covers
Enabling unattended upgrades properly
Allowing the EVE-NG repository explicitly
Scheduling updates and upgrades predictably
Verifying that EVE-NG packages are actually eligible
Common EVE-specific pitfalls and how to avoid them
This approach has been tested on Ubuntu 22.04 (Jammy) running EVE-NG Pro 6.4.0-13, but should apply to any EVE-NG system running Ubuntu 22.04.
Requirements
Before starting, ensure you have:
An EVE-NG system running Ubuntu 22.04 (Jammy)
root access via ssh
Working internet connectivity
Step 1: Install and Enable unattended-upgrades
First, make sure the unattended-upgrades package is installed.
apt update
apt install -y unattended-upgrades
Confirm the service is enabled:
systemctl is-enabled unattended-upgrades.service
If it isn’t enabled:
systemctl enable unattended-upgrades.service
Step 2: Explicitly Allow the EVE-NG Repository
Unattended-upgrades will not install packages from third-party repositories unless the repository’s origin metadata matches an allowed rule exactly.
Edit the unattended-upgrades configuration:
nano /etc/apt/apt.conf.d/50unattended-upgrades
Locate the Origins-Pattern section and update it to include EVE-NG’s repository origin. If this section doesn't exist, just paste the below into the file.
Recommended Configuration
Unattended-Upgrade::Origins-Pattern {
"o=Ubuntu,a=jammy-security";
"o=Ubuntu,a=jammy-updates";
"o=www.eve-ng.net,n=jammy,l=apt repository";
};
Why This Matters
EVE-NG’s repository identifies itself as:
Origin: www.eve-ng.net
Suite: jammy
Label: apt repository
If these fields don’t match exactly, unattended-upgrades will ignore EVE-NG packages even if newer versions exist.
Step 3: Configure Predictable systemd Timers
Ubuntu ships with two timers:
apt-daily.timer → refreshes package lists
apt-daily-upgrade.timer → installs upgrades
By default, these timers include randomized delays. That’s fine for desktops, but undesirable on lab infrastructure.
Set Fixed, Ordered Times
First, configure the daily package list refresh. Change the timer below to whatever you prefer. Use 24 hour time.
systemctl edit apt-daily.timer
Add:
[Timer]
OnCalendar=
OnCalendar=05:45
RandomizedDelaySec=0
Now configure the upgrade timer to run after the refresh.
systemctl edit apt-daily-upgrade.timer
Add:
[Timer]
OnCalendar=
OnCalendar=06:00
RandomizedDelaySec=0
This ensures:
Package lists are refreshed first
Upgrades run 15 minutes later
No race conditions or apt locks
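The empty OnCalendar= line in both drop-ins matters: OnCalendar is a list setting, so without the reset the new time is added alongside the stock schedule instead of replacing it. This added example (not from the original article) shows the difference; the stock timer text is a constructed stand-in, and effective_oncalendar and fires_only_at are hypothetical helper names.

```shell
#!/bin/sh
# Added example. STOCK is a constructed stand-in for the vendor timer; run
# `systemctl cat apt-daily.timer` to see the real text on your host.
STOCK='[Timer]
OnCalendar=*-*-* 6,18:00
RandomizedDelaySec=12h'

# Drop-in exactly as shown in the article.
DROPIN_FROM_PAGE='[Timer]
OnCalendar=
OnCalendar=05:45
RandomizedDelaySec=0'

# Same drop-in with the empty reset line forgotten.
DROPIN_NO_RESET='[Timer]
OnCalendar=05:45
RandomizedDelaySec=0'

# Read merged unit text on stdin; print every OnCalendar= value still in effect.
# New OnCalendar= lines append to the list, an empty assignment clears it.
effective_oncalendar() {
    awk '/^OnCalendar=/ {
             v = substr($0, 12)
             if (v == "") n = 0; else list[++n] = v
         }
         END { for (i = 1; i <= n; i++) print list[i] }'
}

# Exit 0 only if merged unit text $1 fires on exactly the one schedule $2.
fires_only_at() {
    [ "$(printf '%s\n' "$1" | effective_oncalendar)" = "$2" ]
}

# systemd reads the vendor unit first, then the drop-in.
merged_good=$(printf '%s\n%s\n' "$STOCK" "$DROPIN_FROM_PAGE")
merged_bad=$(printf '%s\n%s\n' "$STOCK" "$DROPIN_NO_RESET")

fires_only_at "$merged_good" 05:45 && echo "with reset: fires only at 05:45"
fires_only_at "$merged_bad" 05:45 || echo "without reset: stock schedule still active"
```

On a live host, `systemctl cat apt-daily.timer | effective_oncalendar` prints the schedules actually in effect after the drop-in is merged.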
Apply changes:
systemctl daemon-reload
systemctl restart apt-daily.timer apt-daily-upgrade.timer
Verify:
systemctl list-timers 'apt-daily*'
Step 4: Verify the EVE-NG Repository Is Eligible
Before trusting automation, confirm that EVE-NG packages are seen as upgrade candidates.
Check Package Policy
apt-cache policy eve-ng-pro
You should see something like:
Installed: older version
Candidate: newer version from www.eve-ng.net
Check Repository Metadata
apt-cache policy | sed -n '/www.eve-ng.net/,+6p'
Confirm the origin and label match what you configured in Origins-Pattern.
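To see why the match has to be exact, the following added example (not from the original article or from unattended-upgrades itself) models the comparison in plain sh: every key=value in an Origins-Pattern entry must glob-match the corresponding field of the repository's release line from apt-cache policy. The release lines are constructed samples based on the fields quoted above, and release_field and pattern_matches are hypothetical helper names.

```shell
#!/bin/sh
# Added example: simplified model of Origins-Pattern matching.
# Constructed sample release lines in the format `apt-cache policy` prints.
EVE_RELEASE='release o=www.eve-ng.net,a=jammy,n=jammy,l=apt repository,c=main,b=amd64'
UBUNTU_RELEASE='release v=22.04,o=Ubuntu,a=jammy-security,n=jammy,l=Ubuntu,c=main,b=amd64'

# Print the value of field $2 (o, a, n, l, c ...) from release line $1.
release_field() {
    printf '%s\n' "$1" | sed 's/^ *release //' | tr ',' '\n' \
        | sed -n "s/^$2=//p" | head -n 1
}

# Exit 0 if every key=value in pattern $2 matches release line $1.
# One failing field rejects the whole repository.
pattern_matches() {
    rest=$2
    while [ -n "$rest" ]; do
        pair=${rest%%,*}
        case $rest in *,*) rest=${rest#*,} ;; *) rest= ;; esac
        key=${pair%%=*}
        want=${pair#*=}
        case $key in            # long key names map to the short ones
            origin) key=o ;; label) key=l ;; codename) key=n ;;
            archive|suite) key=a ;; component) key=c ;;
        esac
        have=$(release_field "$1" "$key")
        case $have in           # unquoted $want: glob match, like fnmatch
            $want) ;;
            *) echo "mismatch on $key: repo has '$have', pattern wants '$want'"
               return 1 ;;
        esac
    done
    return 0
}

# The article's pattern matches; a near miss on the origin does not.
pattern_matches "$EVE_RELEASE" 'o=www.eve-ng.net,n=jammy,l=apt repository' \
    && echo "article pattern: EVE-NG repo eligible"
pattern_matches "$EVE_RELEASE" 'o=eve-ng.net,n=jammy' \
    || echo "near miss: EVE-NG repo ignored"
```

To check a live host, pass the release line printed by the apt-cache policy command above as the first argument and your configured pattern as the second.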
Step 5: Dry-Run unattended-upgrades
Before letting it loose, simulate a run:
unattended-upgrades --dry-run --debug
Look for:
eve-ng-pro listed under “Packages that will be upgraded”
No conffile prompts
No origin rejections
Note: A dry run does not install anything. It only proves eligibility.
Step 6: Perform a Real Run (Once)
Run unattended-upgrades manually one time:
unattended-upgrades
Then verify:
apt-cache policy eve-ng-pro
If the installed version updates, automation is confirmed.
Optional: Automatic Reboots
EVE-NG hosts can run labs for long periods, and updates should not require a reboot. Automatic reboots are disruptive, so they are optional.
If you choose to enable them:
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "04:00";
Only do this if your environment tolerates downtime.
Monitoring and Validation
Useful commands to confirm ongoing health:
journalctl -u unattended-upgrades.service
tail /var/log/unattended-upgrades/unattended-upgrades.log
systemctl list-timers 'apt-daily*'
These logs will show exactly when upgrades run and what was installed.
Common EVE-NG Gotchas
Origin matching must be exact
If it doesn’t match, EVE-NG upgrades will never install.
Timers must be ordered
Upgrades before list refreshes often do nothing.
APT locks can cause silent skips
Avoid overlapping cron jobs or manual apt usage.
Dry-run success ≠ real install
Always test a real run once.
Final Thoughts
With unattended-upgrades properly configured:
Ubuntu system updates stay current
EVE-NG releases install automatically
Update windows are predictable
Manual maintenance is minimized
Let me know what you think about this article. Give it a test and see how it works for you. Use caution if you are working with critical systems and ensure you have adequately tested this before moving it into production!
As usual, please provide any feedback on the article or errors. Community peer reviewed articles make the world a better place, and I am human and make mistakes :) Thanks, Tory


