Are Ubuntu security updates still automatic?
-
I noticed that my 3 Cloudron Pro servers are running already for 2 months, while before every month a reboot was needed because of security updates.
SSH tells:
21 of these updates are standard security updates.
35 of these updates are standard security updates.
29 of these updates are standard security updates.
Is Cloudron doing its job here?
-
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2025-12-14 06:11:43 UTC; 1 month 23 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 787 (unattended-upgr)
      Tasks: 2 (limit: 38374)
     Memory: 10.1M
        CPU: 165ms
     CGroup: /system.slice/unattended-upgrades.service
             └─787 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:49:30 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 765 (unattended-upgr)
      Tasks: 2 (limit: 38375)
     Memory: 8.3M
        CPU: 91ms
     CGroup: /system.slice/unattended-upgrades.service
             └─765 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:57:28 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 875 (unattended-upgr)
      Tasks: 2 (limit: 77023)
     Memory: 11.1M
        CPU: 112ms
     CGroup: /system.slice/unattended-upgrades.service
             └─875 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
-
Hello @imc67
Can you please check what packages are marked as security updates?
```
apt list --upgradable | grep "\-security"
```
In the file `/etc/apt/apt.conf.d/50unattended-upgrades` is configured what are the allowed origins for unattended upgrades.
By default it is:
```
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
```
You can then cross-reference the pending security updates with the `Unattended-Upgrade::Allowed-Origins` and this should explain why certain packages are not upgraded.
Run the following command to test unattended-upgrades:
```
unattended-upgrades --dry-run
# or
unattended-upgrades --dry-run --debug
```
-
one example (of 3), I think it includes the very high ranked issue with OpenSSL?:
```
apt list --upgradable | grep "\-security"

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libc-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc-dev-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6-dev/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
linux-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-headers-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-image-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-libc-dev/jammy-updates,jammy-security 5.15.0-168.178 amd64 [upgradable from: 5.15.0-164.174]
locales/jammy-updates,jammy-security 2.35-0ubuntu3.13 all [upgradable from: 2.35-0ubuntu3.11]
mysql-client-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-client-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
screen/jammy-updates,jammy-security 4.9.0-1ubuntu0.1 amd64 [upgradable from: 4.9.0-1]
```
```
cat /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Unattended-Upgrade::Package-Blacklist {
};
```
```
unattended-upgrades --dry-run
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/locales_2.35-0ubuntu3.13_all.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libssl3_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libssl3:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure --recursive /tmp/apt-dpkg-install-JHk6R5
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/linux-libc-dev_5.15.0-168.178_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc6-dev_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc-dev-bin_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc6_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc6:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/screen_4.9.0-1ubuntu0.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc-bin_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc-bin:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/openssl_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
```
The output of `unattended-upgrades --dry-run --debug` was too much but I "asked" Claude to analyse it and it discovered no issues.
-
we're getting closer, this is a part of the scheduled one this morning:
```
2026-02-06 06:09:31,611 WARNING Could not figure out development release: Distribution data outdated. Please check for an update for distro-info-data. See /usr/share/doc/distro-info-data/README.Debian for details.
2026-02-06 06:09:31,612 INFO Starting unattended upgrades script
2026-02-06 06:09:31,612 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security, o=UbuntuESM,a=jammy-infra-security
2026-02-06 06:09:31,613 INFO Initial blacklist:
2026-02-06 06:09:31,613 INFO Initial whitelist (not strict):
2026-02-06 06:09:46,207 INFO Packages that will be upgraded: libc-bin libc-dev-bin libc6 libc6-dev libssl3 linux-generic linux-headers-generic linux-image-generic linux-libc-dev locales mysql-client-8.0 mysql-client-core-8.0 mysql-server-8.0 mysql-server-core-8.0 openssl screen
2026-02-06 06:09:46,208 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2026-02-06 06:09:48,505 ERROR Installing the upgrades failed!
2026-02-06 06:09:48,505 ERROR error message: installArchives() failed
2026-02-06 06:09:48,506 ERROR dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
2026-02-06 06:09:48,952 INFO Package libc-bin is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,954 INFO Package libc-dev-bin is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,956 INFO Package libc6 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,957 INFO Package libc6-dev is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,016 INFO Package libssl3 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,037 INFO Package linux-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,044 INFO Package linux-headers-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,051 INFO Package linux-image-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,058 INFO Package linux-libc-dev is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,165 INFO Package locales is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,172 INFO Package mysql-client-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,174 INFO Package mysql-client-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,175 INFO Package mysql-server-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,177 INFO Package mysql-server-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,189 INFO Package openssl is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,224 INFO Package screen is kept back because a related package is kept back or due to local apt_preferences(5).
```
The mentioned `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log`:
```
Log started: 2026-02-06 06:09:46
Preconfiguring packages ...
Preconfiguring packages ...
dpkg: unrecoverable fatal error, aborting:
 unknown system group 'netdata' in statoverride file; the system group got removed before the override, which is most probably a packaging bug, to recover you can remove the override manually with dpkg-statoverride
E:Sub-process /usr/bin/dpkg returned an error code (2)
Log ended: 2026-02-06 06:09:47
```
This is a left over of a "total" removing (2 weeks ago) of `netdata` installation years ago (now we have graphs in Cloudron 9 we don't need it anymore), I did:
```
sudo dpkg-statoverride --list | grep netdata
root netdata 755 /usr/share/netdata/www
root netdata 755 /var/lib/netdata/www
~# sudo dpkg-statoverride --remove /usr/share/netdata/www
~# sudo dpkg-statoverride --remove /var/lib/netdata/www
~# sudo dpkg-statoverride --list | grep netdata
```
I'll check tomorrow if the nightly unattended upgrade did work. Thanks @James for pointing the right direction!
-
J joseph has marked this topic as solved on
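The failure in this thread was silent: the service showed as active while every run aborted in dpkg. The following shell check is an added example, not code from the thread or from Cloudron. It flags `dpkg-statoverride` entries whose user or group no longer exists and lists failed runs in the unattended-upgrades log. The function names and the sample files are constructed for illustration, and it assumes accounts live in local passwd/group files.

```shell
#!/bin/sh
# Added example (not from the thread): audit for the failure mode shown above.

# name_in_db FILE NAME: succeed if NAME is the first field of a passwd/group-style FILE.
# dpkg-statoverride also accepts numeric ids written "#<id>"; those are not name lookups.
name_in_db() {
    case $2 in '#'*) return 0 ;; esac
    awk -F: -v n="$2" '$1 == n { found = 1 } END { exit !found }' "$1"
}

# orphaned_overrides PASSWD GROUP: read "user group mode path" lines
# (the `dpkg-statoverride --list` format) on stdin and print every entry
# whose user or group is missing from the given databases.
orphaned_overrides() {
    while read -r so_user so_group so_mode so_path; do
        [ -n "$so_path" ] || continue
        name_in_db "$1" "$so_user"  || echo "missing-user $so_user $so_path"
        name_in_db "$2" "$so_group" || echo "missing-group $so_group $so_path"
    done
}

# failed_runs: read an unattended-upgrades log on stdin and print the date and
# time of every run that ended in "Installing the upgrades failed!".
failed_runs() {
    awk '/ ERROR Installing the upgrades failed!/ { print $1, $2 }'
}

# --- constructed sample data, so the example runs offline ---
SAMPLE_DIR=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$SAMPLE_DIR/passwd"
printf 'root:x:0:\ncrontab:x:104:\n'       > "$SAMPLE_DIR/group"
cat > "$SAMPLE_DIR/overrides" <<'EOF'
root crontab 2755 /usr/bin/crontab
root netdata 755 /usr/share/netdata/www
root netdata 755 /var/lib/netdata/www
EOF
cat > "$SAMPLE_DIR/uu.log" <<'EOF'
2026-02-06 06:09:31,612 INFO Starting unattended upgrades script
2026-02-06 06:09:48,505 ERROR Installing the upgrades failed!
2026-02-06 06:09:48,505 ERROR error message: installArchives() failed
EOF

orphaned_overrides "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group" < "$SAMPLE_DIR/overrides"
failed_runs < "$SAMPLE_DIR/uu.log"
```

On a real host, feed it live data with `dpkg-statoverride --list | orphaned_overrides /etc/passwd /etc/group` and `failed_runs < /var/log/unattended-upgrades/unattended-upgrades.log`.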