Are Ubuntu security updates still automatic?
-
I noticed that my 3 Cloudron Pro servers have already been running for 2 months, while before every month a reboot was needed because of security updates.
SSH tells:
21 of these updates are standard security updates.
35 of these updates are standard security updates.
29 of these updates are standard security updates.
Is Cloudron doing its job here?
-
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sun 2025-12-14 06:11:43 UTC; 1 month 23 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 787 (unattended-upgr)
      Tasks: 2 (limit: 38374)
     Memory: 10.1M
        CPU: 165ms
     CGroup: /system.slice/unattended-upgrades.service
             └─787 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:49:30 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 765 (unattended-upgr)
      Tasks: 2 (limit: 38375)
     Memory: 8.3M
        CPU: 91ms
     CGroup: /system.slice/unattended-upgrades.service
             └─765 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
```
systemctl status unattended-upgrades.service
● unattended-upgrades.service - Unattended Upgrades Shutdown
     Loaded: loaded (/lib/systemd/system/unattended-upgrades.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2025-12-13 05:57:28 UTC; 1 month 24 days ago
       Docs: man:unattended-upgrade(8)
   Main PID: 875 (unattended-upgr)
      Tasks: 2 (limit: 77023)
     Memory: 11.1M
        CPU: 112ms
     CGroup: /system.slice/unattended-upgrades.service
             └─875 /usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal

Notice: journal has been rotated since unit was started, output may be incomplete.
```
-
Hello @imc67
Can you please check what packages are marked as security updates?
```
apt list --upgradable | grep "\-security"
```
The file `/etc/apt/apt.conf.d/50unattended-upgrades` configures which origins are allowed for unattended upgrades.
By default it is:
```
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};
```
You can then cross-reference the pending security updates with the `Unattended-Upgrade::Allowed-Origins` and this should explain why certain packages are not upgraded.
Run the following command to test unattended-upgrades:
```
unattended-upgrades --dry-run
# or
unattended-upgrades --dry-run --debug
```
-
one example (of 3), I think it includes the very high ranked issue with OpenSSL?:
```
apt list --upgradable | grep "\-security"

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libc-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc-dev-bin/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6-dev/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libc6/jammy-updates,jammy-security 2.35-0ubuntu3.13 amd64 [upgradable from: 2.35-0ubuntu3.11]
libssl3/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
linux-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-headers-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-image-generic/jammy-updates,jammy-security 5.15.0.168.159 amd64 [upgradable from: 5.15.0.164.159]
linux-libc-dev/jammy-updates,jammy-security 5.15.0-168.178 amd64 [upgradable from: 5.15.0-164.174]
locales/jammy-updates,jammy-security 2.35-0ubuntu3.13 all [upgradable from: 2.35-0ubuntu3.11]
mysql-client-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-client-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
mysql-server-core-8.0/jammy-updates,jammy-security 8.0.45-0ubuntu0.22.04.1 amd64 [upgradable from: 8.0.44-0ubuntu0.22.04.1]
openssl/jammy-updates,jammy-security 3.0.2-0ubuntu1.21 amd64 [upgradable from: 3.0.2-0ubuntu1.20]
screen/jammy-updates,jammy-security 4.9.0-1ubuntu0.1 amd64 [upgradable from: 4.9.0-1]
```
```
cat /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Allowed-Origins {
        "${distro_id}:${distro_codename}";
        "${distro_id}:${distro_codename}-security";
        // Extended Security Maintenance; doesn't necessarily exist for
        // every release and this system may not have it installed, but if
        // available, the policy for updates is such that unattended-upgrades
        // should also install from here by default.
        "${distro_id}ESMApps:${distro_codename}-apps-security";
        "${distro_id}ESM:${distro_codename}-infra-security";
//      "${distro_id}:${distro_codename}-updates";
//      "${distro_id}:${distro_codename}-proposed";
//      "${distro_id}:${distro_codename}-backports";
};

Unattended-Upgrade::Package-Blacklist {
};
```
```
unattended-upgrades --dry-run
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/locales_2.35-0ubuntu3.13_all.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libssl3_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libssl3:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure --recursive /tmp/apt-dpkg-install-JHk6R5
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/linux-libc-dev_5.15.0-168.178_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc6-dev_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc-dev-bin_2.35-0ubuntu3.13_amd64.deb /var/cache/apt/archives/libc6_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc6:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
Preconfiguring packages ...
Preconfiguring packages ...
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/mysql-client-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb /var/cache/apt/archives/mysql-server-core-8.0_8.0.45-0ubuntu0.22.04.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/screen_4.9.0-1ubuntu0.1_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/libc-bin_2.35-0ubuntu3.13_amd64.deb
/usr/bin/dpkg --status-fd 10 --no-triggers --configure libc-bin:amd64
/usr/bin/dpkg --status-fd 10 --configure --pending
/usr/bin/dpkg --status-fd 10 --no-triggers --unpack --auto-deconfigure /var/cache/apt/archives/openssl_3.0.2-0ubuntu1.21_amd64.deb
/usr/bin/dpkg --status-fd 10 --configure --pending
```
The output of `unattended-upgrades --dry-run --debug` was too much but I "asked" Claude to analyse it and it discovered no issues.
-
we're getting closer, this is a part of the scheduled one this morning:
```
2026-02-06 06:09:31,611 WARNING Could not figure out development release: Distribution data outdated. Please check for an update for distro-info-data. See /usr/share/doc/distro-info-data/README.Debian for details.
2026-02-06 06:09:31,612 INFO Starting unattended upgrades script
2026-02-06 06:09:31,612 INFO Allowed origins are: o=Ubuntu,a=jammy, o=Ubuntu,a=jammy-security, o=UbuntuESMApps,a=jammy-apps-security, o=UbuntuESM,a=jammy-infra-security
2026-02-06 06:09:31,613 INFO Initial blacklist:
2026-02-06 06:09:31,613 INFO Initial whitelist (not strict):
2026-02-06 06:09:46,207 INFO Packages that will be upgraded: libc-bin libc-dev-bin libc6 libc6-dev libssl3 linux-generic linux-headers-generic linux-image-generic linux-libc-dev locales mysql-client-8.0 mysql-client-core-8.0 mysql-server-8.0 mysql-server-core-8.0 openssl screen
2026-02-06 06:09:46,208 INFO Writing dpkg log to /var/log/unattended-upgrades/unattended-upgrades-dpkg.log
2026-02-06 06:09:48,505 ERROR Installing the upgrades failed!
2026-02-06 06:09:48,505 ERROR error message: installArchives() failed
2026-02-06 06:09:48,506 ERROR dpkg returned a error! See /var/log/unattended-upgrades/unattended-upgrades-dpkg.log for details
2026-02-06 06:09:48,952 INFO Package libc-bin is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,954 INFO Package libc-dev-bin is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,956 INFO Package libc6 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:48,957 INFO Package libc6-dev is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,016 INFO Package libssl3 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,037 INFO Package linux-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,044 INFO Package linux-headers-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,051 INFO Package linux-image-generic is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,058 INFO Package linux-libc-dev is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,165 INFO Package locales is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,172 INFO Package mysql-client-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,174 INFO Package mysql-client-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,175 INFO Package mysql-server-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,177 INFO Package mysql-server-core-8.0 is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,189 INFO Package openssl is kept back because a related package is kept back or due to local apt_preferences(5).
2026-02-06 06:09:49,224 INFO Package screen is kept back because a related package is kept back or due to local apt_preferences(5).
```
The mentioned `/var/log/unattended-upgrades/unattended-upgrades-dpkg.log`:
```
Log started: 2026-02-06 06:09:46
Preconfiguring packages ...
Preconfiguring packages ...
dpkg: unrecoverable fatal error, aborting:
 unknown system group 'netdata' in statoverride file; the system group got removed before the override, which is most probably a packaging bug, to recover you can remove the override manually with dpkg-statoverride
E:Sub-process /usr/bin/dpkg returned an error code (2)
Log ended: 2026-02-06 06:09:47
```
This is a leftover of a "total" removal (2 weeks ago) of a `netdata` installation from years ago (now that we have graphs in Cloudron 9 we don't need it anymore). I did:
```
sudo dpkg-statoverride --list | grep netdata
root netdata 755 /usr/share/netdata/www
root netdata 755 /var/lib/netdata/www
~# sudo dpkg-statoverride --remove /usr/share/netdata/www
~# sudo dpkg-statoverride --remove /var/lib/netdata/www
~# sudo dpkg-statoverride --list | grep netdata
```
I'll check tomorrow if the nightly unattended upgrade did work. Thanks @James for pointing in the right direction!
-
joseph has marked this topic as solved
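
The upgrades in this thread were blocked by `dpkg-statoverride` entries that still named the removed `netdata` group. As an added example (not written by anyone in the thread and not part of Cloudron), the shell functions below read `dpkg-statoverride --list` output and report every entry whose user or group no longer resolves; the sample entries and the group name `cr-example-removed-group` are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: report dpkg-statoverride entries whose
# user or group no longer exists (the state that made dpkg abort above).

# name_exists DB NAME: DB is "passwd" or "group"; succeeds if NAME resolves.
name_exists() {
    case "$2" in
        '#'*) return 0 ;;  # "#1234" is a numeric id, not looked up by name
    esac
    if command -v getent >/dev/null 2>&1; then
        getent "$1" "$2" >/dev/null 2>&1
    else
        grep -q "^$2:" "/etc/$1"   # fallback: local files only, no NSS
    fi
}

# stale_overrides: reads "user group mode path" lines on stdin and prints
# "path<TAB>reason" for each entry that names a missing user or group.
stale_overrides() {
    while read -r user group mode path; do
        [ -n "$path" ] || continue   # skip blank or malformed lines
        name_exists passwd "$user" ||
            printf '%s\tunknown user %s\n' "$path" "$user"
        name_exists group "$group" ||
            printf '%s\tunknown group %s\n' "$path" "$group"
    done
}

# Constructed sample in the format printed by `dpkg-statoverride --list`.
sample_overrides() {
    cat <<'EOF'
root cr-example-removed-group 755 /usr/share/example/www
root #4242 640 /etc/example/numeric.conf
EOF
}

# Check the real database only when asked to: ./script.sh --host
if [ "${1:-}" = "--host" ]; then
    dpkg-statoverride --list | stale_overrides
fi
```

An empty result from `--host` means no override names a missing account; any path it prints is a candidate for `dpkg-statoverride --remove`, as was done in the thread.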